Automatic testing equivalence verification of spi calculus specifications

Testing equivalence is a powerful means for expressing the security properties of cryptographic protocols, but its formal verification is a difficult task because of the quantification over contexts on which it is based. Previous articles have provided insights into using theorem-proving for the verification of testing equivalence of spi calculus specifications. This article addresses the same verification problem, but uses a state exploration approach. The verification technique is based on the definition of an environment-sensitive, labeled transition system representing a spi calculus specification. Trace equivalence defined on such a transition system coincides with testing equivalence. Symbolic techniques are used to keep the set of traces finite. If a difference in the traces of two spi descriptions (typically a specification and the corresponding implementation of a protocol) is found, it can be used to automatically build the spi calculus description of an intruder process that can exploit the difference.

[1]  Robin Milner,et al.  A Calculus of Mobile Processes, II , 1992, Inf. Comput..

[2]  Lawrence C. Paulson,et al.  The Inductive Approach to Verifying Cryptographic Protocols , 2021, J. Comput. Secur..

[3]  Martín Abadi,et al.  A calculus for cryptographic protocols: the spi calculus , 1997, CCS '97.

[4]  David A. Basin Lazy Infinite-State Analysis of Security Protocols , 1999, CQRE.

[5]  Rocco De Nicola,et al.  Testing Equivalence for Processes , 1983, ICALP.

[6]  Martín Abadi,et al.  Computing symbolic models for verifying cryptographic protocols , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[7]  Somesh Jha,et al.  Using state space exploration and a natural deduction style message derivation engine to verify security protocols , 1998, PROCOMET.

[8]  Gavin Lowe,et al.  Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR , 1996, Softw. Concepts Tools.

[9]  Gavin Lowe,et al.  Towards a completeness result for model checking of security protocols , 1998, Proceedings. 11th IEEE Computer Security Foundations Workshop (Cat. No.98TB100238).

[10]  Roberto M. Amadio,et al.  On the Reachability Problem in Cryptographic Protocols , 2000, CONCUR.

[11]  Gavin Lowe Casper: a compiler for the analysis of security protocols , 1998 .

[12]  Matthew Hennessy,et al.  Symbolic Bisimulations , 1995, Theor. Comput. Sci..

[13]  Joshua D. Guttman,et al.  Strand spaces: why is a security protocol correct? , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[14]  Gavin Lowe Towards a Completeness Result for Model Checking of Security Protocols (Extended Abstract) , 1998 .

[15]  Jonathan K. Millen,et al.  The Interrogator: Protocol Secuity Analysis , 1987, IEEE Transactions on Software Engineering.

[16]  Martín Abadi,et al.  A Bisimulation Method for Cryptographic Protocols , 1998, Nord. J. Comput..

[17]  D. Prawitz Natural Deduction: A Proof-Theoretical Study , 1965 .

[18]  Robin Milner,et al.  A Calculus of Mobile Processes, II , 1992, Inf. Comput..

[19]  Dawn Xiaodong Song Athena: a new efficient automatic checker for security protocol analysis , 1999, Proceedings of the 12th IEEE Computer Security Foundations Workshop.

[20]  Maria Grazia Buscemi,et al.  A Framework for the Analysis of Security Protocols , 2002, CONCUR.

[21]  Rocco De Nicola,et al.  Testing Equivalences for Processes , 1984, Theor. Comput. Sci..

[22]  Martín Abadi,et al.  A Calculus for Cryptographic Protocols: The spi Calculus , 1999, Inf. Comput..

[23]  Adriano Valenzano,et al.  A State-Exploration Technique for Spi-Calculus Testing Equivalence Verification , 2000, FORTE.

[24]  Antti Huima Efficient Infinite-State Analysis of Security Protocols , 1999 .

[25]  Rocco De Nicola,et al.  A Symbolic Semantics for the pi-Calculus , 1996, Inf. Comput..

[26]  A. W. Roscoe,et al.  Using CSP to Detect Errors in the TMN Protocol , 1997, IEEE Trans. Software Eng..

[27]  Michele Boreale,et al.  Symbolic Trace Analysis of Cryptographic Protocols , 2001, ICALP.

[28]  Steve A. Schneider Verifying Authentication Protocols in CSP , 1998, IEEE Trans. Software Eng..

[29]  Rocco De Nicola,et al.  Proof techniques for cryptographic processes , 1999, Proceedings. 14th Symposium on Logic in Computer Science (Cat. No. PR00158).

[30]  Somesh Jha,et al.  Verifying security protocols with Brutus , 2000, TSEM.