Section: New Results

Analysis

Analysis of equivalence properties

Participants : Vincent Cheval, Véronique Cortier, Antoine Dallon, Ivan Gazeau, Steve Kremer, Christophe Ringeissen.

Automatic tools based on symbolic models have been successful in analyzing security protocols. These tools are particularly well adapted for trace properties (e.g. secrecy or authentication). However, they often fail to analyse equivalence properties. Equivalence properties can express a variety of security properties, including in particular privacy properties (vote privacy, anonymity, untraceability). Several decision procedures have already been proposed but the resulting tools are often rather limited, and lack efficiency.

In the case of a passive adversary, Ringeissen, in collaboration with Marshall (U. of Mary Washington, USA) and Erbatur (LMU, Germany), presents new combination techniques for the study of deducibility and static equivalence in unions of equational theories sharing constructors. These yield new modularity results for the decidability of deducibility and static equivalence, which in turn should allow the security analysis of protocols that previous disjoint combination methods could not address because their axiomatization corresponds to a union of non-disjoint equational theories.

In the case of an active adversary and a bounded number of sessions, we made several advances. In [14], Cheval and Kremer, in collaboration with Chadha (U. of Missouri, USA) and Ciobâcă (U. Iasi, Romania), present the theory underlying the Akiss tool, a Horn clause resolution based procedure for both under- and over-approximating trace equivalence. They show partial correctness for a large class of cryptographic primitives, modelled as an arbitrary convergent equational theory that has the finite variant property. Additionally, termination is shown for subterm convergent theories. Gazeau and Kremer, in collaboration with Baelde (LSV, ENS Cachan) and Delaune (IRISA), have extended the Akiss tool with support for exclusive or. They analyse unlinkability in several RFID protocols and resistance to guessing attacks of several password-based protocols. Cortier and Dallon, in collaboration with Delaune (IRISA), propose a novel algorithm, based on graph planning and SAT-solving, which significantly improves the efficiency of the analysis of equivalence properties. The resulting implementation, SAT-Equiv, can analyze several sessions where most tools have to stop after one or two sessions. Finally, Cheval and Kremer propose a novel decision procedure for verifying trace equivalence. Unlike most existing tools, their procedure supports a rich class of cryptographic primitives and protocols that may use else branches. An implementation of the procedure is currently under development.

These results are currently under submission.
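Deducibility and static equivalence are the two passive-adversary notions the paragraphs above build on: can the adversary compute a given term from what it observed, and can it tell two observations apart by finding a test that holds in one but not the other. The following Python block is an added example written for this page, not code from Akiss, SAT-Equiv or the combination procedure described above. It implements both checks for one small subterm convergent theory (symmetric encryption and pairing) by bounded enumeration of recipes, and runs them on constructed ballot frames. The function symbols `senc`, `sdec`, `pair`, `fst`, `snd`, the handles `w1`, `w2`, the key `k`, the secret `s` and the public constants `yes`/`no` are all assumptions made for the example; none of them come from the page.

```python
"""Bounded deducibility / static equivalence for a passive adversary.
Illustrative code for this page; not the procedures of the tools it describes.

Rewrite rules of the (subterm convergent) equational theory assumed here:
    sdec(senc(m, k), k) -> m        fst(pair(a, b)) -> a        snd(pair(a, b)) -> b
Terms: a str is a name; a tuple ('f', t1, ..., tn) is f applied to t1..tn.
A frame maps handles ('w1', 'w2', ...) to the terms the adversary observed.
A recipe is a term over handles, PUBLIC constants and function symbols.
"""
from itertools import product

PUBLIC = frozenset({"yes", "no"})                                   # known to everyone
SIGNATURE = {"senc": 2, "sdec": 2, "pair": 2, "fst": 1, "snd": 1}  # symbol -> arity


def head(f, args):
    """Apply a rewrite rule at the root, given already-normalised arguments."""
    a = args[0]
    if f == "sdec" and isinstance(a, tuple) and a[0] == "senc" and a[2] == args[1]:
        return a[1]
    if f == "fst" and isinstance(a, tuple) and a[0] == "pair":
        return a[1]
    if f == "snd" and isinstance(a, tuple) and a[0] == "pair":
        return a[2]
    return (f, *args)


def norm(t):
    """Normal form of t; unique because the rewrite system is convergent."""
    if isinstance(t, str):
        return t
    return head(t[0], tuple(norm(a) for a in t[1:]))


def evaluate(recipe, frame):
    """Run the adversary's recipe on the observed (normalised) terms."""
    if isinstance(recipe, str):
        return frame.get(recipe, recipe)  # handle -> observed term, else a constant
    return head(recipe[0], tuple(evaluate(a, frame) for a in recipe[1:]))


def recipes_upto(handles, depth):
    """All recipes of nesting depth <= depth over the handles and PUBLIC."""
    rs = set(handles) | PUBLIC
    for _ in range(depth):
        prev = list(rs)
        rs |= {(f, *args) for f, n in SIGNATURE.items() for args in product(prev, repeat=n)}
    return rs


def deducible(term, frame, depth=2):
    """A recipe computing `term` from `frame` within `depth`, else None.
    None only says no recipe of that depth exists: the search is bounded."""
    frame = {h: norm(t) for h, t in frame.items()}
    target = norm(term)
    for r in recipes_upto(frame, depth):
        if evaluate(r, frame) == target:
            return r
    return None


def static_equivalence(frame1, frame2, depth=2):
    """Look for a test (R1, R2) with R1 =E R2 in exactly one frame.
    Returns None when no such test exists up to `depth` (not a proof of
    equivalence; the tools above decide this without a bound)."""
    assert frame1.keys() == frame2.keys(), "frames must expose the same handles"
    frame1 = {h: norm(t) for h, t in frame1.items()}
    frame2 = {h: norm(t) for h, t in frame2.items()}
    by_v1, by_v2 = {}, {}  # value in one frame -> (first recipe giving it, its value in the other)
    for r in recipes_upto(frame1, depth):
        v1, v2 = evaluate(r, frame1), evaluate(r, frame2)
        if v1 in by_v1 and by_v1[v1][1] != v2:
            return (by_v1[v1][0], r)   # equal in frame1, different in frame2
        if v2 in by_v2 and by_v2[v2][1] != v1:
            return (by_v2[v2][0], r)   # equal in frame2, different in frame1
        by_v1.setdefault(v1, (r, v2))
        by_v2.setdefault(v2, (r, v1))
    return None


def distinguishes(test, frame1, frame2):
    """Sanity check: the test holds in one frame and fails in the other."""
    f1 = {h: norm(t) for h, t in frame1.items()}
    f2 = {h: norm(t) for h, t in frame2.items()}
    r1, r2 = test
    return (evaluate(r1, f1) == evaluate(r2, f1)) != (evaluate(r1, f2) == evaluate(r2, f2))


# Constructed sample frames (assumed for this example): a ballot is a vote
# encrypted under a key k that the adversary does not know.
def SENC(m, k):
    return ("senc", m, k)

BALLOT_YES = {"w1": SENC("yes", "k")}
BALLOT_NO = {"w1": SENC("no", "k")}
LEAK_YES = {"w1": SENC("yes", "k"), "w2": "k"}         # key revealed afterwards
LEAK_NO = {"w1": SENC("no", "k"), "w2": "k"}
TWO_DIFF = {"w1": SENC("yes", "k"), "w2": SENC("no", "k")}   # deterministic senc, shared k
TWO_SAME = {"w1": SENC("yes", "k"), "w2": SENC("yes", "k")}
PACKED = {"w1": ("pair", SENC("s", "k"), "k")}               # secret s and its key, paired

if __name__ == "__main__":
    print(deducible("s", {"w1": SENC("s", "k")}))   # None: k is not available
    print(deducible("s", PACKED))                   # ('sdec', ('fst', 'w1'), ('snd', 'w1'))
    print(static_equivalence(BALLOT_YES, BALLOT_NO))  # None: vote stays private
    print(static_equivalence(LEAK_YES, LEAK_NO))      # a test such as (sdec(w1, w2), yes)
    print(static_equivalence(TWO_DIFF, TWO_SAME))     # a test such as (w1, w2)
```

The last case is the classic leak of deterministic encryption: the adversary never learns either vote, yet the test `w1 = w2` reveals whether the two voters voted alike, so the two frames are not statically equivalent. The bounded search is only a teaching device; the decision procedures cited above avoid the bound by saturating the adversary's knowledge, and the combination results of Ringeissen et al. are about doing so when the theory is a non-disjoint union such as this one plus, say, exclusive or.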

Simplification results

Participants : Véronique Cortier, Antoine Dallon, Steve Kremer.

Bounding the number of agent identities is current practice when modeling a protocol. In 2003, it was shown that one honest agent and one dishonest agent are sufficient to find all possible attacks on trace properties. This is no longer the case for equivalence properties, which are crucial to express many properties such as vote privacy or untraceability. As a first result of his PhD, Antoine Dallon showed that it is sufficient to consider two honest agents and two dishonest agents for equivalence properties, for deterministic processes with standard primitives and without else branches. More generally, we show how to bound the number of agents for arbitrary constructor theories and for protocols with simple else branches. We show that our hypotheses are tight, providing counter-examples for non-action-deterministic processes, non-constructor theories, and protocols with complex else branches. This work has been presented at POST 2016 [24] and received the EASST best paper award of the ETAPS conference.

When verifying e-voting protocols, one of the difficulties is that they need to be secure for an arbitrary number of malicious voters. In collaboration with Arapinis (U. Edinburgh, UK), Cortier and Kremer identify a class of voting protocols for which only a small number of voters needs to be considered: if there is an attack on vote privacy for an arbitrary number of honest and dishonest voters, then there is also an attack that involves at most 3 voters (2 honest voters and 1 dishonest voter). In the case where the protocol allows a voter to cast several votes and counts, e.g., only the last one, they also reduce the number of ballots required for an attack to 10, and under some additional hypotheses, 7 ballots. They illustrate the applicability of these results on several case studies, including different versions of Helios and Prêt-à-Voter, as well as the JCJ protocol. For some of these protocols, the ProVerif tool is then used to provide the first formal proofs of privacy for an unbounded number of voters. This work has been presented at ESORICS 2016 [19].

Analysis of stateful security protocols

Participants : Jannik Dreier, Charles Duménil, Steve Kremer.

In collaboration with Künnemann (U. Saarland, Germany), Kremer proposes SAPIC (stateful applied pi calculus), a process calculus with constructs for the manipulation of a global state by processes running in parallel. They show that this language can be translated to multiset rewriting rules whilst preserving all security properties expressible in a dedicated first-order logic for security properties. The translation has been implemented in a prototype tool which uses the TAMARIN prover as a backend. The tool is applied to several case studies, among which are a simplified fragment of PKCS#11, the Yubikey security token, and an optimistic contract signing protocol. This work has been published in the Journal of Computer Security [15]. Dreier, Duménil and Kremer, in collaboration with Sasse (ETH Zurich, Switzerland), improve the underlying theory and the TAMARIN tool to allow for more general user-specified equational theories: the extension supports arbitrary convergent equational theories that have the finite variant property, making TAMARIN the first tool to support at the same time this large class of user-defined equational theories, protocols with global mutable state, an unbounded number of sessions, and complex security properties. The effectiveness of this generalization is demonstrated by analyzing several protocols that rely on blind signatures, trapdoor commitment schemes, and ciphertext prefixes, which were previously out of scope. This work has been accepted for publication at POST'17.

Analysis of e-voting protocols

Participants : Véronique Cortier, Constantin-Catalin Dragan.

Cortier and Dragan provide the first machine-checked proof of privacy-related properties (including ballot privacy) for an electronic voting protocol in the computational model. They target the popular Helios family of voting protocols, for which they identify appropriate levels of abstraction to allow the simplification and convenient reuse of proof steps across many variations of the voting scheme. The resulting framework enables machine-checked security proofs for several hundred variants of Helios and should serve as a stepping stone for the analysis of further variations of the scheme.

In addition, they highlight some of the lessons learned regarding the gap between pen-and-paper and machine-checked proofs, and report on the experience with formalizing the security of protocols at this scale. This work is submitted for publication.

Analysis of Electrum Bitcoin wallet

Participants : Michaël Rusinowitch, Mathieu Turuani.

We introduce a formal model in ASLan++ of the two-factor authentication protocol used by Electrum, a popular Bitcoin wallet. This allows us to perform an automatic analysis of the wallet and to show that it is secure for standard scenarios in the Dolev-Yao model [30]. The result could be derived thanks to some advanced features of the CL-AtSe protocol analyzer, namely the possibility to specify i) new intruder deduction rules with clauses and ii) non-deducibility constraints.

Satisfiability Modulo Bridging Theories

Participant : Christophe Ringeissen.

Bridging theories are equational theories defining recursive functions. They are useful to handle equational theories of interest in protocol analysis, as advocated in [48], where a locality approach is promoted to solve the satisfiability problem. In collaboration with Pascal Fontaine (Veridis project-team) and Paula Chocron (IIIA-CSIC Barcelona), we investigate a combination approach for the satisfiability problem modulo this particular non-disjoint union of theories, where a source theory is connected to a target one through a bridging function. In 2016, we prepared a new full paper unifying previous results presented respectively at CADE 2015 [4] and FroCoS 2015. In those papers, we focused on source theories admitting term-generated models. In [21], we have also explored an extension to deal with terms modulo a congruence relation. This joint work with Raphaël Berthon (ENS Rennes) allows us to consider not only trees but also data structure theories such as lists, multisets and sets.

Analysis of Security Properties for an Unbounded Number of Sessions

Participants : Jonathan Proietto-Stallone, Mathieu Turuani, Laurent Vigneron.

The internship of Jonathan Proietto-Stallone made it possible to study the method described in [37] for analyzing protocols without bounding the number of sessions. We have clarified the formalization of this method, including the handling of the xor and exp operators, and implemented it in CL-AtSe.