Automatic proof of strong secrecy for security protocols

We present a new automatic technique for proving strong secrecy for security protocols. Strong secrecy means that an adversary cannot see any difference when the value of the secret changes. Our technique relies on an automatic translation of the protocol into Horn clauses, and a resolution algorithm on the clauses. It requires important extensions with respect to previous work for the proof of (standard) secrecy and authenticity. This technique can handle a wide range of cryptographic primitives, and yields proofs valid for an unbounded number of sessions and an unbounded message space; it is also flexible and efficient. We have proved its correctness, implemented it, and tested it on several examples of protocols including JFK by W. Aiello et al. (2002).

[1]  Martín Abadi,et al.  A Bisimulation Method for Cryptographic Protocols , 1998, Nord. J. Comput..

[2]  Rocco De Nicola,et al.  Proof techniques for cryptographic processes , 1999, Proceedings. 14th Symposium on Logic in Computer Science (Cat. No. PR00158).

[3]  Owen Rees,et al.  Efficient and timely mutual authentication , 1987, OPSR.

[4]  Bruno Blanchet,et al.  An efficient cryptographic protocol verifier based on prolog rules , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[5]  Benjamin C. Pierce,et al.  Logical relations for encryption , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[6]  Roberto Gorrieri,et al.  Non Interference for the Analysis of Cryptographic Protocols , 2000, ICALP.

[7]  Andrew C. Myers,et al.  Robust declassification , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[8]  Martín Abadi,et al.  Prudent Engineering Practice for Cryptographic Protocols , 1994, IEEE Trans. Software Eng..

[9]  Lawrence C. Paulson,et al.  The Inductive Approach to Verifying Cryptographic Protocols , 2021, J. Comput. Secur..

[10]  Martín Abadi,et al.  Secrecy by typing in security protocols , 1999, JACM.

[11]  Hugo Krawczyk,et al.  SKEME: a versatile secure key exchange mechanism for Internet , 1996, Proceedings of Internet Society Symposium on Network and Distributed Systems Security.

[12]  Roberto Gorrieri,et al.  The Compositional Security Checker: A Tool for the Verification of Information Flow Security Properties , 1997, IEEE Trans. Software Eng..

[13]  Martín Abadi,et al.  Mobile values, new names, and secure communication , 2001, POPL '01.

[14]  Andrew C. Myers,et al.  Complete, safe information flow with decentralized labels , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[15]  Martín Abadi,et al.  Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption)* , 2001, Journal of Cryptology.

[16]  Benjamin C. Pierce,et al.  A bisimulation for dynamic sealing , 2004, Theor. Comput. Sci..

[17]  Martín Abadi,et al.  A calculus for cryptographic protocols: the spi calculus , 1997, CCS '97.

[18]  Angelos D. Keromytis,et al.  Efficient, DoS-resistant, secure key exchange for internet protocols , 2001, CCS '02.

[19]  Martín Abadi,et al.  A Calculus for Cryptographic Protocols: The spi Calculus , 1999, Inf. Comput..

[20]  Martn Abadi,et al.  Security Protocols and their Properties , 2000 .

[21]  Mads Dam,et al.  On the Secure Implementation of Security Protocols , 2003, ESOP.

[22]  Uwe Nestmann,et al.  On Bisimulations for the Spi Calculus , 2002, AMAST.

[23]  Michele Bugliesi,et al.  Non-interference proof techniques for the analysis of cryptographic protocols , 2005, J. Comput. Secur..

[24]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[25]  Silvio Micali,et al.  Probabilistic encryption & how to play mental poker keeping secret all partial information , 1982, STOC '82.

[26]  Martín Abadi,et al.  A logic of authentication , 1990, TOCS.

[27]  Peeter Laud,et al.  Handling Encryption in an Analysis for Secure Information Flow , 2003, ESOP.

[28]  Birgit Pfitzmann,et al.  Intransitive non-interference for cryptographic purposes , 2003, 2003 Symposium on Security and Privacy, 2003..

[29]  Andreas Podelski,et al.  Verification of cryptographic protocols: tagging enforces termination , 2003, Theor. Comput. Sci..

[30]  Gavin Lowe Analysing Protocol Subject to Guessing Attacks , 2004, J. Comput. Secur..

[31]  Sandro Etalle,et al.  Guess what? Here is a new tool that finds some new guessing attacks (Extended Abstract) , 2003 .

[32]  Martín Abadi,et al.  Secrecy by Typing inSecurity Protocols , 1997, TACS.

[33]  Birgit Pfitzmann,et al.  Computational probabilistic noninterference , 2002, International Journal of Information Security.

[34]  Nancy A. Lynch,et al.  Cryptographic protocols , 1982, STOC '82.

[35]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[36]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[37]  Martín Abadi,et al.  Formal Eavesdropping and Its Computational Interpretation , 2001, TACS.

[38]  Mads Dam,et al.  Confidentiality for mobile code: the case of a simple payment protocol , 2000, Proceedings 13th IEEE Computer Security Foundations Workshop. CSFW-13.

[39]  Adriano Valenzano,et al.  A State-Exploration Technique for Spi-Calculus Testing Equivalence Verification , 2000, FORTE.

[40]  Birgit Pfitzmann,et al.  A composable cryptographic library with nested operations , 2003, CCS '03.

[41]  Bruno Blanchet,et al.  From Secrecy to Authenticity in Security Protocols , 2002, SAS.

[42]  G. Lowe,et al.  Breaking and Fixing the Needham-Schroeder Public-Key Protocol using CSP and FDR , 1996 .