Formal Analysis of a TTP-Free Blacklistable Anonymous Credentials System (Full Version)

This paper firstly introduces a novel security definition for BLAC-like schemes (BLAC represents TTP-free BLacklistable Anonymous Credentials) in symbolic model using applied pi calculus, which is suitable for automated reasoning via formal analysis tools. We model the definitions of some common security properties: authenticity, non-framebility, mis-authentication resistance and privacy (anonymity and unlinkability). The case study of these security definitions is demonstrated by modelling and analyzing BLACR (BLAC with Reputation) system. We verify these security properties by Blanchet’s ProVerif and a ZKP (Zero-Knowledge Proof) compiler developed by Backes et al.. In particular, we analyze the express-lane authentication in BLACR. The analysis discovers a known attack that can be carried out by any potential user to escape from being revoked as he wishes. We provide a revised variant that can be proved successfully by ProVerif, which also indicates that the fix provided by ExBLACR (Extending BLACR) is incorrect.

[1]  Dengguo Feng,et al.  ExBLACR: Extending BLACR System , 2014, ACISP.

[2]  Bruno Blanchet,et al.  Automatic verification of correspondences for security protocols , 2008, J. Comput. Secur..

[3]  Dengguo Feng,et al.  Formal Analysis of DAA-Related APIs in TPM 2.0 , 2015, NSS.

[4]  Mark Ryan,et al.  Applied pi calculus , 2011, Formal Models and Techniques for Analyzing Security Protocols.

[5]  Flemming Nielson,et al.  Set-Pi: Set Membership p-Calculus , 2015, 2015 IEEE 28th Computer Security Foundations Symposium.

[6]  Siu-Ming Yiu,et al.  PE(AR)2: Privacy-Enhanced Anonymous Authentication with Reputation and Revocation , 2012, ESORICS.

[7]  Hovav Shacham,et al.  Short Group Signatures , 2004, CRYPTO.

[8]  Vincent Cheval,et al.  Verifying Privacy-Type Properties in a Modular Way , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[9]  Yi Mu,et al.  Constant-Size Dynamic k-TAA , 2006, SCN.

[10]  Ernest F. Brickell,et al.  Direct anonymous attestation , 2004, CCS '04.

[11]  Jiangtao Li,et al.  A New Direct Anonymous Attestation Scheme from Bilinear Maps , 2008, TRUST.

[12]  Man Ho Au,et al.  PEREA: Practical TTP-free revocation of repeatedly misbehaving anonymous users , 2011, TSEC.

[13]  Mark Ryan,et al.  Analysing Unlinkability and Anonymity Using the Applied Pi Calculus , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[14]  Sean W. Smith,et al.  BLAC: Revoking Repeatedly Misbehaving Anonymous Users without Relying on TTPs , 2010, TSEC.

[15]  Martín Abadi,et al.  Automated verification of selected equivalences for security protocols , 2005, 20th Annual IEEE Symposium on Logic in Computer Science (LICS' 05).

[16]  Stefan A. Brands,et al.  Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy , 2000 .

[17]  Sean W. Smith,et al.  Nymble: Anonymous IP-Address Blocking , 2007, Privacy Enhancing Technologies.

[18]  David A. Basin,et al.  Automated Analysis of Diffie-Hellman Protocols and Advanced Security Properties , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[19]  Man Ho Au,et al.  PERM: practical reputation-based blacklisting without TTPS , 2012, CCS.

[20]  Michael Backes,et al.  Zero-Knowledge in the Applied Pi-calculus and Automated Verification of the Direct Anonymous Attestation Protocol , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[21]  Jan Camenisch,et al.  Universally Composable Direct Anonymous Attestation , 2016, Public Key Cryptography.

[22]  Mark Ryan,et al.  Formal Analysis of Anonymity in ECC-Based Direct Anonymous Attestation Schemes , 2011, Formal Aspects in Security and Trust.

[23]  Dengguo Feng,et al.  FARB: Fast Anonymous Reputation-Based Blacklisting without TTPs , 2014, WPES.

[24]  Bruno Blanchet,et al.  An efficient cryptographic protocol verifier based on prolog rules , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[25]  Vincent Cheval,et al.  Proving More Observational Equivalences with ProVerif , 2013, POST.

[26]  Vincent Cheval,et al.  Edinburgh Explorer Composing Security Protocols: From Confidentiality to Privacy , 2017 .

[27]  Christian Paquin,et al.  U-Prove Cryptographic Specification V1.1 (Revision 3) , 2013 .

[28]  Willy Susilo,et al.  BLACR: TTP-Free Blacklistable Anonymous Credentials with Reputation , 2012, NDSS.

[29]  Mark Ryan,et al.  StatVerif: Verification of Stateful Processes , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[30]  Jiangtao Li,et al.  Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities , 2012, IEEE Trans. Dependable Secur. Comput..

[31]  Ben Smyth,et al.  Formal analysis of privacy in Direct Anonymous Attestation schemes , 2015, Sci. Comput. Program..

[32]  Jan Camenisch,et al.  A Signature Scheme with Efficient Protocols , 2002, SCN.

[33]  Jan Camenisch,et al.  Signature Schemes and Anonymous Credentials from Bilinear Maps , 2004, CRYPTO.

[34]  Li Li,et al.  Stateful Security Protocol Verification , 2014, ArXiv.

[35]  Martín Abadi,et al.  Mobile values, new names, and secure communication , 2001, POPL '01.

[36]  Bruno Blanchet,et al.  Automatic proof of strong secrecy for security protocols , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[37]  David A. Basin,et al.  The TAMARIN Prover for the Symbolic Analysis of Security Protocols , 2013, CAV.