Bisimulation-based non-deterministic admissible interference and its application to the analysis of cryptographic protocols

Abstract In this paper, we first define bisimulation-based non-deterministic admissible interference (BNAI), derive its process-theoretic characterisation and present a compositional verification method with respect to the main operators over communicating processes, generalising in this way the similar trace-based results obtained [J. Univ. Comput. Sci. 6 (2000) 1054] into the finer notion of observation-based bisimulation [Logic and Models of Concurrent Systems, 1985]. Like its trace-based version, BNAI admits information flow between secrecy levels only through a downgrader (e.g. a cryptosystem), but is phrased into a generalisation of observational equivalence [Communication and Concurrency, 1989]. We then describe an admissible interference-based method for the analysis of cryptographic protocols, extending, in a non-trivial way, the non-interference-based approach presented by Focardi et al. [Proceedings of DERA/RHUL Workshop on Secure Architectures and Information Flow, 2000]. Confidentiality and authentication for cryptoprotocols are defined in terms of BNAI and their respective bisimulation-based proof methods are derived. Finally, as a significant illustration of the method, we consider simple case studies: the paradigmatic examples of the Wide Mouthed Frog protocol [ACM Trans. Comput. Syst. 8 (1990) 18] and the Woo and Lam one-way authentication protocol [IEEE Comput. 25 (1992) 39]. The original idea of this methodology is to prove that the intruder may interfere with the protocol only through selected channels considered as admissible when leading to harmless interference.

[1]  Thomas Y. C. Woo,et al.  Authentication for distributed systems , 1997, Computer.

[2]  Steve A. Schneider Verifying Authentication Protocols in CSP , 1998, IEEE Trans. Software Eng..

[3]  Rocco De Nicola,et al.  Proof techniques for cryptographic processes , 1999, Proceedings. 14th Symposium on Logic in Computer Science (Cat. No. PR00158).

[4]  Scott A. Smolka,et al.  CCS expressions, finite state processes, and three problems of equivalence , 1983, PODC '83.

[5]  Dimacs DIMACS Workshop on Design and Formal Verification of Security Protocols , 1997 .

[6]  Martín Abadi,et al.  Reasoning about Cryptographic Protocols in the Spi Calculus , 1997, CONCUR.

[7]  Martín Abadi,et al.  A Calculus for Cryptographic Protocols: The spi Calculus , 1999, Inf. Comput..

[8]  Rance Cleaveland,et al.  The concurrency workbench: a semantics-based tool for the verification of concurrent systems , 1993, TOPL.

[9]  Scott A. Smolka,et al.  CCS expressions, finite state processes, and three problems of equivalence , 1983, PODC '83.

[10]  Flemming Nielson,et al.  Static Analysis for the pi-Calculus with Applications to Security , 2001, Inf. Comput..

[11]  Simon S. Lam,et al.  A lesson on authentication protocol design , 1994, OPSR.

[12]  Roberto Gorrieri,et al.  Secrecy in Security Protocols as Non Interference , 1999, Workshop on Secure Architectures and Information Flow.

[13]  Roberto Gorrieri,et al.  CVS: a compiler for the analysis of cryptographic protocols , 1999, Proceedings of the 12th IEEE Computer Security Foundations Workshop.

[14]  John Mullins Nondeterministic Admissible Interference , 2000, J. Univers. Comput. Sci..

[15]  Martín Abadi,et al.  A calculus for cryptographic protocols: the spi calculus , 1997, CCS '97.

[16]  A. W. Roscoe Modelling and verifying key-exchange protocols using CSP and FDR , 1995, Proceedings The Eighth IEEE Computer Security Foundations Workshop.

[17]  Krzysztof R. Apt,et al.  Logics and Models of Concurrent Systems , 1989, NATO ASI Series.

[18]  Gavin Lowe,et al.  Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR , 1996, Softw. Concepts Tools.

[19]  R.,et al.  A CLASSIFICATION OF SECURITY PROPERTIES FOR PROCESS ALGEBRAS 1 , 1994 .

[20]  John J. Marciniak,et al.  Encyclopedia of Software Engineering , 1994, Encyclopedia of Software Engineering.

[21]  Fabio Martinelli,et al.  A Uniform Approach for the Definition of Security Properties , 1999, World Congress on Formal Methods.

[22]  Martín Abadi,et al.  A logic of authentication , 1990, TOCS.

[23]  Sylvan Pinsky,et al.  Absorbing covers and intransitive non-interference , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[24]  José Meseguer,et al.  Unwinding and Inference Control , 1984, 1984 IEEE Symposium on Security and Privacy.

[25]  G. G. Stokes "J." , 1890, The New Yale Book of Quotations.

[26]  Claudia Eckert On security models , 1996, SEC.

[27]  Antoni Mazurkiewicz,et al.  CONCUR '97: Concurrency Theory , 1997, Lecture Notes in Computer Science.

[28]  Robin Milner,et al.  Communication and concurrency , 1989, PHI Series in computer science.

[29]  G. Boudol,et al.  Notes on Algebraic Calculi of Processes , 1989, Logics and Models of Concurrent Systems.