Automatic verification of cryptographic protocols : privacy-type properties. (Vérification automatique des protocoles cryptographiques : propriétés d'équivalence)

Several tools have been developed to automatically verify security properties of cryptographic protocols. Until now, most of these tools have been limited to trace properties (also called reachability properties) such as simple secrecy or authentication. However, several security properties cannot be expressed as trace properties but can be expressed as equivalence properties. Anonymity, unlinkability and strong secrecy are classic examples of equivalence properties. Typically, two protocols P and Q are equivalent if the actions of an adversary (intruder) do not allow it to distinguish P from Q. In the literature, several notions of equivalence have been studied, for example trace equivalence and observational equivalence. However, these equivalences turn out to be very hard to prove, hence the importance of developing efficient tools for verifying them automatically. In this thesis, we first worked on an approach based on constraint-solving techniques and designed a new algorithm for deciding trace equivalence between two protocols that may contain conditionals with "else" branches and may also be non-deterministic. This algorithm was applied to concrete examples such as the "Private authentication protocol" and the "E-passport protocol". This thesis also proposes composition results for trace equivalence. In particular, we studied the parallel composition of protocols that share some secrets. We showed that, under certain conditions, the parallel composition of protocols preserves equivalence properties. This result was applied to the "E-passport protocol".
Finally, this thesis presents an extension of the automatic verification tool ProVerif that lets it prove more equivalence properties automatically. This extension was implemented in ProVerif, which made it possible to prove the anonymity property of the "Private authentication protocol".
