Proof techniques for cryptographic processes

Contextual equivalences for cryptographic process calculi can be used to reason about correctness of protocols, but their definition suffers from quantification over all possible contexts. Here, we focus on two such equivalences, may-testing and barbed equivalence, and investigate tractable proof methods for them. To this aim, we develop an 'environment-sensitive' labelled transition system, where transitions are constrained by the knowledge the environment has of names and keys. On top of the new transition system, a trace equivalence and a co-inductive weak bisimulation equivalence are defined, both of which avoid quantification over contexts. Our main results are soundness of trace semantics and of weak bisimulation with respect to may-testing and barbed equivalence, respectively. This leads to more direct proof methods for equivalence checking. The use of such methods is illustrated via a few examples concerning implementation of secure channels by means of encrypted public channels. We also consider a variant of the labelled transition system that gives completeness, but is less handy to use.
