Section: New Results

Analysis

Analysis of equivalence properties

Participants : Vincent Cheval, Véronique Cortier, Antoine Dallon, Ivan Gazeau, Steve Kremer, Joseph Lallemand, Itsaka Rakotonirina, Christophe Ringeissen.

Automatic tools based on symbolic models have been successful in analyzing security protocols. These tools are particularly well adapted for trace properties (e.g. secrecy or authentication). However, they often fail to analyse equivalence properties. Equivalence properties can express a variety of security properties, including in particular privacy properties (vote privacy, anonymity, untraceability). Several decision procedures have already been proposed but the resulting tools are often rather limited, and lack efficiency.

In the case of a passive adversary, Ringeissen, in collaboration with Marshall (Univ Mary Washington, USA) and Erbatur (LMU, Germany) present new combination techniques for the study of deducibility and static equivalence in unions of equational theories sharing constructors. This allows us to develop new modularity results for the decidability of deducibility and static equivalence. In turn, this should allow for the security analysis of protocols which previous disjoint combination methods could not address because their axiomatization corresponds to the union of non-disjoint equational theories. This work has been presented at CADE'17 [28].

In case of an active adversary, and a bounded number of sessions, we made several advances. The Akiss tool has been extended in two directions. Gazeau and Kremer, in collaboration with Baelde (LSV, ENS Cachan) and Delaune (IRISA) have extended the underlying theory and the Akiss tool with support for exclusive or. They analyse unlinkability in several RFID protocols and resistance to guessing attacks of several password-based protocols. This work has been presented at CSF'17 [18]. Gazeau and Kremer also extended the Akiss tool to analyse protocols with else branches. This is particularly useful when verifying equivalence properties, as one needs to model precisely the error messages sent out when tests fail. While ignoring these branches may often be safe when studying trace properties this is not the case for equivalence properties, as for instance witnessed by an attack on the European electronic passport. One appealing feature of our approach is that our extension re-uses the saturation procedure which is at the heart of the verification procedure of Akiss as a black box, without need to modify it. As a result we obtain the first tool that is able verify equivalence properties for protocols that may use xor and else branches. We demonstrate the tool's effectiveness on several case studies, including the AKA protocol deployed in mobile telephony. This result was presented at ESORICS'17 [29]. Cortier and Dallon, in collaboration with Delaune (IRISA) propose a novel algorithm, based on graph planning and SAT-solving, which significantly improves the efficiency of the analysis of equivalence properties. The resulting implementation, SAT-Equiv, can analyze several sessions where most tools have to stop after one or two sessions. The approach has been presented at CSF'17 [20] for protocols with symmetric encryption and no else branches. Finally, Cheval, Kremer, and Rakotonirina have worked on complexity results for deciding equivalence properties and provide a decision procedure in the case of a bounded number of sessions. They showed that trace equivalence and labelled bisimilarity for a large variety of cryptographic primitives—those that can be represented by a subterm convergent destructor rewrite system— are both CoNEXP complete. Moreover, the procedure has been implemented in a new tool, DeepSec. Extensive experiments demonstrate that it is significantly more efficient than most other similar tools (being only slightly outperformed by SAT-Equiv in some specific examples), while at the same time raises the scope of the protocols that can be analysed. These results are currently under submission.

The previous results apply for a bounded number of sessions and may still be limited for a large number of sessions. In collaboration with Maffei and Grimm, Lallemand and Cortier have devised a novel approach [24] for proving equivalence properties. Instead of deciding equivalence, like for the previous approaches, they design a type system, sound w.r.t. equivalence. The resulting tool TypeEquiv can consider a bounded as well as an unbounded number of sessions, or a mix of both. It induces a significant speedup compared to previous tools for a bounded number of sessions and compares similarly to ProVerif for an unbounded number of sessions, with the advantage of a tighter treatment of bounded number of sessions. It can be applied to protocols with standard primitives and else branches.

Analysis of stateful security protocols

Participants : Vincent Cheval, Véronique Cortier, Jannik Dreier, Steve Kremer, Mathieu Turuani.

Many real-life protocols need to maintain a global state–such as counters, tables, or more generally, memory cells–that may be read and updated by parallel threads. Modelling such mutable, global state in protocols complicates the verification problem, in particular when analyzing an unbounded number of sessions.

The SAPIC/TAMARIN toolchain is one of the few tools that was designed to handle such global state. Dreier, Duménil (former intern in Pesto) and Kremer, in collaboration with Sasse (ETH Zurich, Switzerland) improve the underlying theory and the TAMARIN tool to allow for more general user-specified equational theories: the extension supports arbitrary convergent equational theories that have the finite variant property, making TAMARIN the first tool to support at the same time this large set of user-defined equational theories, protocols with global mutable state, an unbounded number of sessions, and complex security properties. The effectiveness of this generalization is demonstrated by analyzing several protocols that rely on blind signatures, trapdoor commitment schemes, and ciphertext prefixes that were previously out of scope. This work has been presented at POST'17 [27].

ProVerif is a very popular tool for the analysis of security protocols, that works very well in practice. However, in the case of protocols with global states, ProVerif typically fails in its analysis, due to its internal abstraction. Instead of designing a new ad-hoc procedure, we devise a generic transformation of the security properties queried to ProVerif. We prove the soundness of our transformation and implement it into a front-end GSVerif. Our experiments show that our front-end (combined with ProVerif) outperforms the few existing tools, both in terms of efficiency and protocol coverage. We successfully apply our tool to a dozen of protocols of the literature including a deployed voting and a payment protocol. This work is under submission.

Analysis of e-voting protocols

Participants : Véronique Cortier, Constantin-Catalin Dragan, Mathieu Turuani.

Cortier and Dragan provide the first machine-checked proof of privacy-related properties (including ballot privacy) for an electronic voting protocol in the computational model. They target the popular Helios family of voting protocols, for which they identify appropriate levels of abstractions to allow for simplification and convenient reuse of proof steps across many variations of the voting scheme. The resulting framework enables machine-checked security proofs for several hundred variants of Helios and should serve as a stepping stone for the analysis of further variations of the scheme. In addition, they highlight some of the lessons learned regarding the gap between pen-and-paper and machine-checked proofs, and report on the experience with formalizing the security of protocols at this scale. This work has been presented at S&P'17 [21].

Turuani and Cortier, in collaboration with Galindo (Univ Birmingham), have analysed the e-voting protocol developed by Scytl and planned to be deployed in Switzerland. The formal analysis of both privacy and individual verifiability has been conducted in ProVerif. It required to develop a crafty encoding of the security properties in order to avoid the limitations of ProVerif in the presence of global states (here, no revoting). This first encoding yielded the preliminary ideas for the GSVerif tool mentioned in the previous section. Such a formal analysis is required by the Swiss Chancellerie and has been accepted at EuroSP'18 [23].

Norway used e-voting in its last political election both in September 2011 and September 2013. The underlying protocol was also developed by Scytl. Cortier, in collaboration with Wiedling, has conducted a formal analysis (by hand) of vote privacy of this protocol, considering several corruption scenarios [13].

Unification in Forward-Closed Theories

Participant : Christophe Ringeissen.

In collaboration with Marshall (Univ Mary Washington, USA) and Erbatur (LMU, Germany), we investigate the unification problem in equational theories involving forward-closed convergent term rewrite systems. In the class of forward-closed theories, unification is decidable and finitary since a convergent term rewrite system has a finite forward-closure if and only if it has the finite variant property. Actually, forward-closed theories are syntactic theories admitting a terminating mutation-based unification procedure. This can be shown by reusing a mutation-based unification algorithm originally developed for equational theories saturated by paramodulation, since a forward-closed theory is indeed a sufficient condition to get soundness and completeness. Building on this fact we develop a new mutation-based unification algorithm which is simpler, with regard to conflicts and number of rules, than the first algorithm. We then use this simplified algorithm as a component to develop a new method that solves the unification problem in unions of forward-closed theories with non-disjoint theories. The resulting algorithm can be viewed as a terminating instance of a procedure initiated for hierarchical combination. This work has been presented at the workshop UNIF'17 [33].

Analysis of Combinations of Protocols

Participant : Jannik Dreier.

When trying to prove the security of a protocol, one usually analyzes the protocol in isolation, i.e., in a network with no other protocols. But in reality, there will be many protocols operating on the same network, maybe even sharing data including keys, and an intruder may use messages of one protocol to break another. We call that a multi-protocol attack. In this work, we tried to find such attacks using the TAMARIN prover. We analyzed both examples that were previously analyzed by hand or using other tools, and found novel attacks. This work was presented at FPS'17 [31].