Proving More Observational Equivalences with ProVerif

This paper presents an extension of the automatic protocol verifier ProVerif in order to prove more observational equivalences. ProVerif can prove observational equivalence between processes that have the same structure but differ by the messages they contain. In order to extend the class of equivalences that ProVerif handles, we extend the language of terms by defining more functions (destructors) by rewrite rules. In particular, we allow rewrite rules with inequalities as side-conditions, so that we can express tests "if then else" inside terms. Finally, we provide an automatic procedure that translates a process into an equivalent process that performs as many actions as possible inside terms, to allow ProVerif to prove the desired equivalence. These extensions have been implemented in ProVerif and allow us to automatically prove anonymity in the private authentication protocol by Abadi and Fournet.
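An added illustration, not code from the paper or from ProVerif: a small Python model of a destructor defined by rewrite rules with inequality side-conditions, showing how an "if then else" test in a process can move inside a term so that two processes end up with the same structure. The term encoding, the `ite` and `sdec` rule sets and the names `a`, `m1`, `m2` are assumptions of this sketch; terms are ground and compared syntactically, with no equational theory.

```python
# Terms: a name is a str; an application is a tuple (symbol, arg, ...).
# Pattern variables are strings starting with "?" (a convention of this sketch).

def match(pat, term, env):
    """Extend substitution env so that pat matches term; None if impossible."""
    if isinstance(pat, str) and pat.startswith("?"):
        if pat in env:                      # non-linear pattern: same term required
            return env if env[pat] == term else None
        return {**env, pat: term}
    if isinstance(pat, str) or isinstance(term, str):
        return env if pat == term else None
    if len(pat) != len(term) or pat[0] != term[0]:
        return None
    for p, t in zip(pat[1:], term[1:]):
        env = match(p, t, env)
        if env is None:
            return None
    return env

def subst(t, env):
    if isinstance(t, str):
        return env.get(t, t)
    return (t[0],) + tuple(subst(a, env) for a in t[1:])

# Each rule: (argument patterns, result, inequality side-conditions).
ITE_RULES = [
    (("?x", "?x", "?u", "?v"), "?u", []),              # ite(x, x, u, v) -> u
    (("?x", "?y", "?u", "?v"), "?v", [("?x", "?y")]),  # ite(x, y, u, v) -> v  if x != y
]
SDEC_RULES = [((("senc", "?m", "?k"), "?k"), "?m", [])]  # no rule applies: failure

def apply_destructor(rules, args):
    """Return the rewritten term, or None when the destructor fails."""
    for pats, rhs, neqs in rules:
        env = {}
        for p, a in zip(pats, args):
            env = match(p, a, env)
            if env is None:
                break
        if env is not None and all(subst(l, env) != subst(r, env) for l, r in neqs):
            return subst(rhs, env)
    return None

def branching_process(x):    # in(c,x); if x = a then out(c,m1) else out(c,m2)
    return "m1" if x == "a" else "m2"

def term_level_process(x):   # in(c,x); out(c, ite(x, a, m1, m2))
    return apply_destructor(ITE_RULES, (x, "a", "m1", "m2"))
```

Both processes emit the same message for every input, but only the second has a single unconditional output, which is the shape a structure-preserving equivalence check needs.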
