
Formal Models and Techniques for Analyzing Security Protocols PDF

312 Pages·2011·2.08 MB·English

Preview Formal Models and Techniques for Analyzing Security Protocols

FORMAL MODELS AND TECHNIQUES FOR ANALYZING SECURITY PROTOCOLS

Cryptology and Information Security Series

The Cryptology & Information Security Series (CISS) presents the latest research results in the theory and practice, analysis and design, implementation, application and experience of cryptology and information security techniques. It covers all aspects of cryptology and information security for an audience of information security researchers with specialized technical backgrounds.

Coordinating Series Editors: Raphael C.-W. Phan and Jianying Zhou

Series editors

Feng Bao, Institute for Infocomm Research, Singapore
Kefei Chen, Shanghai Jiaotong University, China
Robert Deng, SMU, Singapore
Yevgeniy Dodis, New York University, USA
Dieter Gollmann, TU Hamburg-Harburg, Germany
Markus Jakobsson, Indiana University, USA
Marc Joye, Thomson R&D, France
Javier Lopez, University of Malaga, Spain
Nasir Memon, Polytech University, USA
Chris Mitchell, RHUL, United Kingdom
David Naccache, École Normale Supérieure, France
Gregory Neven, IBM Research, Switzerland
Phong Nguyen, CNRS / École Normale Supérieure, France
Andrew Odlyzko, University of Minnesota, USA
Adam Young, MITRE Corporation, USA
Moti Yung, Columbia University, USA

Volume 5

Recently published in this series

Vol. 4. Y. Li and J. Zhou (Eds.), Radio Frequency Identification System Security – RFIDsec’10 Asia Workshop Proceedings
Vol. 3. C. Czosseck and K. Geers (Eds.), The Virtual Battlefield: Perspectives on Cyber Warfare
Vol. 2. M. Joye and G. Neven (Eds.), Identity-Based Cryptography
Vol. 1. J. Lopez and J. Zhou (Eds.), Wireless Sensor Network Security

ISSN 1871-6431 (print)
ISSN 1879-8101 (online)

Formal Models and Techniques for Analyzing Security Protocols

Edited by Véronique Cortier, CNRS, and Steve Kremer, INRIA

Amsterdam • Berlin • Tokyo • Washington, DC

© 2011 The authors and IOS Press. All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without prior written permission from the publisher.

ISBN 978-1-60750-713-0 (print)
ISBN 978-1-60750-714-7 (online)
Library of Congress Control Number: 2011923591

Publisher: IOS Press BV, Nieuwe Hemweg 6B, 1013 BG Amsterdam, The Netherlands, fax: +31 20 687 0019

Distributor in the USA and Canada: IOS Press, Inc., 4502 Rachael Manor Drive, Fairfax, VA 22032, USA, fax: +1 703 323 3668

LEGAL NOTICE: The publisher is not responsible for the use which might be made of the following information.

PRINTED IN THE NETHERLANDS

Preface

Security protocols are small distributed programs which aim to achieve security properties such as confidentiality, authentication, anonymity, etc. Nowadays, security protocols are omnipresent in our daily lives: home-banking, electronic commerce, mobile phones, etc. However, because these protocols are generally implemented on potentially insecure networks (e.g. the Internet) they are extremely difficult to devise. Using Roger Needham’s words “Security protocols are three line programs that people still manage to get wrong”. Based on the seminal work of Dolev and Yao, symbolic methods for analyzing such protocols have been in development for about 25 years. The main components of these models are the perfect cryptography assumption and an unbounded non-deterministic adversary that has complete control of the network.

The field of symbolic analysis of security protocols has seen significant advances during the last few years. We now have a better understanding of decidability and complexity questions and models with solid theoretical foundations have been developed together with proof techniques. Automated tools have also been designed and successfully applied to numerous protocols, including industrial protocols, for the provision of security or the discovery of attacks, and models have been extended with algebraic properties in order to weaken the perfect cryptography assumption. Recently, even computational soundness results towards cryptographic models have been achieved.

However, the field was still missing a book which summarized the state-of-the-art of these advances. While we certainly do not pretend to give a complete overview of the field, which would be impossible in a single book, nevertheless, we believe that we have covered a representative sample of the ongoing work in this field, which is still very active. This book contains an introduction and 10 tutorial-like chapters on selected topics, each written by a leading expert in the field of formal analysis of security protocols. We are extremely grateful to all the authors for their hard work and effort in preparing these chapters.

January 2011
Véronique Cortier and Steve Kremer

Contents

Preface (Véronique Cortier and Steve Kremer)
Introduction (Véronique Cortier and Steve Kremer)
Verifying a Bounded Number of Sessions and Its Complexity (Michael Rusinowitch and Mathieu Turuani)
Constraint Solving Techniques and Enriching the Model with Equational Theories (Hubert Comon-Lundh, Stéphanie Delaune and Jonathan K. Millen)
Analysing Security Protocols Using CSP (Gavin Lowe)
Using Horn Clauses for Analyzing Security Protocols (Bruno Blanchet)
Applied pi Calculus (Mark D. Ryan and Ben Smyth)
Types for Security Protocols (Riccardo Focardi and Matteo Maffei)
Protocol Composition Logic (Anupam Datta, John C. Mitchell, Arnab Roy and Stephan Hyeonjun Stiller)
Shapes: Surveying Crypto Protocol Runs (Joshua D. Guttman)
Security Analysis Using Rank Functions in CSP (Steve Schneider)
Computational Soundness – The Case of Diffie-Hellman Keys (Emmanuel Bresson, Yassine Lakhnech, Laurent Mazaré and Bogdan Warinschi)
Author Index

Introduction

Véronique CORTIER (LORIA, CNRS) and Steve KREMER (LSV, ENS Cachan & CNRS & INRIA)

doi:10.3233/978-1-60750-714-7-1

Formal methods have shown their interest when developing critical systems, where safety or security is important. This is particularly true in the field of security protocols. Such protocols aim at securing communications over a public network. Small flaws in the development of such systems may cause important economical damages. Examples of security protocols include the Transport Layer Security (TLS) protocol and its predecessor, the Secure Sockets Layer (SSL). These protocols are typically used for guaranteeing a secure connection to a website in particular for secure payment over the Internet. Most web browsers display a small lock to indicate that you are executing a secure session using one of these protocols. Another emergent application of security protocol is electronic voting. For instance, in the 2007 national elections in Estonia the government offered the possibility to vote via the Internet. The development of such protocols is error-prone and flaws are regularly discovered. For example, the SAML 2.0 Web Browser Single Sign-On authentication system developed by Google has recently been attacked. The Single Sign-On protocol allows a user to identify himself only once and then access to various applications (such as Gmail or Google calendar). While designing a formal model of this protocol, Armando et al [ACC+08] discovered that a dishonest service provider could actually impersonate any of its users at another service provider. This flaw has been corrected since. Those examples show the need of precise security guarantees when designing protocols. Moreover, the relatively small size of security protocols makes the use of formal verification reasonable.

The use of symbolic methods for formally analyzing security protocols goes back to the seminal paper of Dolev and Yao [DY81]. While there is not a unique symbolic model, the so-called Dolev-Yao models generally share the following ingredients: the adversary is computationally unbounded and has complete control of the network while cryptography is assumed to be perfect. For example, the adversary is not allowed to perform cryptanalysis or to decrypt a ciphertext without knowing the decryption key. Finding collisions or guessing fresh nonces is also supposed to be impossible, etc. Most early tools [Mil84, Low96b] and techniques [BAN89] were aiming above all at finding bugs in protocols. Many errors have indeed been identified using formal methods, demonstrating their usefulness. At the end of the ’90s more foundational questions were investigated: the general undecidability results for automated verification of security protocols have been refined and decidable classes of protocols and restrictions yielding decidability were identified together with their complexity [DLM04, CC01, RT01]. At about the same time, models [THG99, AF01] and tool support [Pau98, Bla01] were also developed for proving protocols correct rather than only finding flaws. When the focus shifted from finding flaws to proving security protocols correct, a natural question was raised about the guarantees provided in these models relying on the so-called perfect cryptography

Description:
Security protocols are the small distributed programs which are omnipresent in our daily lives in areas such as online banking and commerce and mobile phones. Their purpose is to keep our transactions and personal data secure. Because these protocols are generally implemented on potentially insecure
