DEEPSEC: Deciding Equivalence Properties in Security Protocols - Theory and Practice

Automated verification has become an essential part of the security evaluation of cryptographic protocols. Recently, there has been a considerable effort to lift the theory and tool support that existed for reachability properties to the more complex case of equivalence properties. In this paper we contribute both to the theory and practice of this verification problem. We establish new complexity results for static equivalence, trace equivalence and labelled bisimilarity and provide a decision procedure for these equivalences in the case of a bounded number of sessions. Our procedure is the first to decide trace equivalence and labelled bisimilarity exactly for a large variety of cryptographic primitives—those that can be represented by a subterm convergent destructor rewrite system. We implemented the procedure in a new tool, DEEPSEC. We showed through extensive experiments that it is significantly more efficient than other similar tools, while at the same time raising the scope of the protocols that can be analysed.
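As an added illustration (not code from the paper or from the DEEPSEC tool), the following toy checks static equivalence of two frames over a small subterm convergent destructor rewrite system: symmetric encryption and pairing, whose destructors fail on non-matching input. The recipe-depth bound is an assumption of this toy, which can therefore only report a distinguishing test it happens to find; the paper's procedure decides these equivalences exactly.

```python
from itertools import product

FAIL = object()  # a destructor that does not reduce yields "not a message"
CONSTRUCTORS = {"senc": 2, "pair": 2}
# Subterm convergent destructor rules (lhs pattern, rhs); '?v' are pattern variables.
DESTRUCTORS = {"sdec": (("sdec", ("senc", "?m", "?k"), "?k"), "?m"),
               "fst": (("fst", ("pair", "?x", "?y")), "?x"),
               "snd": (("snd", ("pair", "?x", "?y")), "?y")}

def match(pat, term, env):  # syntactic matching; a repeated ?k must bind equal terms
    if isinstance(pat, str) and pat.startswith("?"):
        return env.setdefault(pat, term) == term
    if isinstance(pat, str) or isinstance(term, str):
        return pat == term
    return len(pat) == len(term) and pat[0] == term[0] and all(
        match(p, t, env) for p, t in zip(pat[1:], term[1:]))

def normalize(term, frame):  # normal form of a recipe evaluated in a frame
    if isinstance(term, str):
        return frame.get(term, term)  # handles w1, w2, ... stand for the frame's terms
    args = [normalize(a, frame) for a in term[1:]]
    if any(a is FAIL for a in args):
        return FAIL
    if term[0] in CONSTRUCTORS:
        return (term[0], *args)
    (pat, rhs), env = DESTRUCTORS[term[0]], {}
    return env[rhs] if match(pat, (term[0], *args), env) else FAIL

def recipes(handles, public, depth):  # all attacker recipes up to the given depth
    arity = {**CONSTRUCTORS, **{d: len(p) - 1 for d, (p, _) in DESTRUCTORS.items()}}
    out = set(handles) | set(public)
    for _ in range(depth):
        prev = list(out)
        for f, n in arity.items():
            out.update((f, *args) for args in product(prev, repeat=n))
    return out

def statically_equivalent(frame1, frame2, public=("a", "b"), depth=2):
    """Bounded check: each recipe up to `depth` must fail in both frames or in
    neither, and must induce the same equalities; returns a witness or None."""
    fwd, rev = {}, {}  # value in one frame -> (value in the other frame, recipe)
    for r in recipes(frame1, public, depth):
        v1, v2 = normalize(r, frame1), normalize(r, frame2)
        if (v1 is FAIL) != (v2 is FAIL):
            return ("message-vs-fail", r)
        if v1 is not FAIL:
            for table, key, val in ((fwd, v1, v2), (rev, v2, v1)):
                if table.setdefault(key, (val, r))[0] != val:
                    return ("equality-mismatch", r, table[key][1])
    return None
```

With constructed frames, `{"w1": ("senc", "a", "k"), "w2": "k"}` (a public constant encrypted under a revealed key) is distinguished from `{"w1": ("senc", "n", "k"), "w2": "k"}` (a fresh name under the same key) by the test `sdec(w1, w2) = a`, while two ciphertexts under unrevealed keys are not distinguished at this depth.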
