Deciding equivalence-based properties using constraint solving

Formal methods have proved their usefulness for analyzing the security of protocols. Most existing results focus on trace properties like secrecy or authentication. There are, however, several security properties that cannot be defined (or cannot be naturally defined) as trace properties and require a notion of behavioural equivalence. Typical examples are anonymity, privacy-related properties, or statements closer to security properties used in cryptography. In this paper, we consider three notions of equivalence defined in the applied pi calculus: observational equivalence, may-testing equivalence, and trace equivalence. First, we study the relationship between these three notions. We show that for determinate processes, observational equivalence actually coincides with trace equivalence, a notion simpler to reason with. We exhibit a large class of determinate processes, called simple processes, that capture most existing protocols and cryptographic primitives. While trace equivalence and may-testing equivalence seem very similar, we show that may-testing equivalence is actually strictly stronger than trace equivalence. We prove that the two notions coincide for image-finite processes, such as processes without replication. Second, we reduce the decidability of trace equivalence (for finite processes) to deciding symbolic equivalence between sets of constraint systems. For simple processes without replication and with trivial else branches, it turns out that it is actually sufficient to decide symbolic equivalence between pairs of positive constraint systems. Thanks to this reduction and relying on a result first proved by M. Baudet, this yields the first decidability result of observational equivalence for a general class of equational theories (for processes without else branch nor replication). Moreover, based on another decidability result for deciding equivalence between sets of constraint systems, we get decidability of trace equivalence for processes with else branch for standard primitives.
