Previous | 
Home
Section: New Results
Security Protocol Verification
The design of cryptographic protocols is error-prone. Without a careful analysis, subtle flaws may be discovered several years after the publication of a protocol, yielding potential harmful attacks. In this context, formal methods have proved their interest for obtaining good security guarantees. Many analysis techniques have been proposed in the literature [79] . We have edited a book [64] where each chapter presents an important and now standard analysis technique. We develop new techniques for richer primitives, wider classes of protocols and higher security guarantees.
Modeling complex primitives
Participants : Mathilde Arnaud, Véronique Cortier, Michaël Rusinowitch, Mathieu Turuani.
Some attacks exploit in a clever way the interaction between protocol rules and algebraic properties of cryptographic operators. In [82] , we provide a list of such properties and attacks as well as existing formal approaches for analyzing cryptographic protocols under algebraic properties.
Encryption “distributing over pairs” is employed in several cryptographic protocols. We have shown that unification is decidable for an equational theory HE specifying such an encryption [18] . We model block chaining in terms of a simple, convergent, rewrite system over a signature with two disjoint sorts: list and element. and present in [65] an algorithm for deciding the unification problem modulo this rewrite system. Potential applications of this unification procedure include flaw detection for protocols employing the CBC encryption mode. We have also proposed in [13] [28] an algorithm for solving general intruder constraints in the equational theory ACI. This last result is useful for handling set datastructures and also multiple intruders.
In their seminal work Dolev and Yao used string rewriting to check protocol security against an active intruder. The main technical result and algorithm were improved by Book and Otto who formulated the security check in terms of an extended word problem for cancellation rules. We extend in [66] their main decidability result to a larger class of string rewrite systems called opt-monadic systems.
Most current techniques do not apply to protocols that perform recursive computation e.g. on a list of messages received from the network. While considering general recursive input/output actions very quickly yields undecidability, we provide NPTIME decision procedures on protocols that perform recursive tests on received messages but output messages that depend on the inputs in a standard way [26] . This is in particular the case of secured routing protocols, distributed right delegation or PKI certification paths.
We have also shown [19] that deducibility and static equivalence are decidable for the equational theories modeling trapdoor commitment and re-encryption, that are particularly relevant in the context of e-voting protocols.
Voting and Advanced Classes of Protocols
Participants : Mathilde Arnaud, Stefan Ciobaca, Véronique Cortier, Steve Kremer, Mathieu Turuani, Laurent Vigneron, Cyrille Wiedling.
New classes of protocols are still emerging and not all can be analysed using existing techniques. We study how to cover the emergent families of security protocols with a special focus on voting protocols.
Voting Protocols. Voting is a cornerstone of democracy and many voting systems have been proposed so far, from old paper ballot systems to purely electronic voting schemes. Although many works have been dedicated to standard protocols, very few address the challenging class of voting protocols. One major issue is the fact that privacy-related properties are stated using equivalences, which are very difficult to prove. We have studied several protocols that are currently in use:
-
Helios is an open-source web-based end-to-end verifiable electronic voting system, used e.g. by UCL and the IACR association in real elections. We have discovered a vulnerability which allows an adversary to compromise the privacy of voters and we have presented a fixed version, showed to satisfy a formal definition of ballot secrecy using the applied pi calculus [39] . The vulnerability we discovered apply to some other protocols of the literature [71] . Studying further the Helios protocol, we have provided a computational proof of ballot secrecy [30] .
-
Norway has used e-voting in its last political election in September 2011, with more than 25 000 voters using the e-voting option. Using formal models, we have analyzed the underlying protocol w.r.t. privacy, considering several corruption scenarios [69] .
-
We have reviewed a postal voting system used in spring 2011 by the French research institute CNRS and designed by a French company (Tagg Informatique). We have shown how to perform major ballot stuffing, making possible to change the outcome of the election [38] . Our attack has been tested (without any prior knowledge of the system except a few samples of voting material) and confirmed by the CNRS.
Securing routing Protocols. The goal of routing protocols is to construct valid routes between distant nodes in the network. If no security is used, it is possible for an attacker to disorganize the network by maliciously interacting with the routing protocols, yielding invalid routes to be built. That is why secure versions of routing protocols are now developed. In her PhD thesis [12] , Mathilde Arnaud has proposed a new model and an associated decision procedure to check whether a routing protocol can ensure that honest nodes only accept valid routes, even if one of the nodes of the network is compromised. This result has been obtained for a bounded number of sessions, adapting constraint solving techniques.
Automated verification of indistinguishability properties. New emerging classes of protocols often require to model less classical security properties, such as anonymity properties, strong versions of confidentiality and resistance to offline guessing attacks. Many of these properties can be modelled using the notion of indistinguishability by an adversary, which can be conveniently modeled using process equivalences. In [67] we present a novel procedure to verify equivalence properties for a bounded number of sessions which is able to handle a large class of equational theories. Although, we were unable to prove termination of the resolution procedure, the procedure has been implemented in a prototype tool and has been effectively tested on examples, some of which were outside the scope of existing tools, including fully automated checking of anonymity of an electronic voting protocol by Fujioka et al.
Securely Composing Protocols
Participants : Stefan Ciobaca, Véronique Cortier, Steve Kremer.
Protocols are often built in a modular way. For example, authentication protocols may assume pre-distributed keys or may assume secure channel. However, when an authentication protocol has been proved secure assuming pre-distributed keys, there is absolutely no guarantee that it remains secure when executing a real protocol for distributing the keys. How the security of these protocols can be combined is an important issue that is studied in the PhD thesis of Stefan Ciobaca [15] . More precisely, we show how protocols sharing data can be safely interleaved, provided that they use disjoint primitives or that each common primitive contains some tag identifying each protocol, like e.g. the name of the protocol. As a sub-result, we provide sufficient and simple conditions for composing key distribution protocols with any protocol using secure channels or pre-distributed keys.
Moreover, we studied [35] whether password protocols can be safely composed, even when a same password is reused. The hypothesis that users do not reuse the same password for different protocols seems indeed unreasonable. More precisely, we present a transformation which maps a password protocol that is secure for a single protocol session (a decidable problem) to a protocol that is secure for an unbounded number of sessions. Our result provides an effective strategy to design secure password protocols: (i) design a protocol intended to be secure for one protocol session; (ii) apply our transformation and obtain a protocol which is secure for an unbounded number of sessions. Our technique also applies to compose different password protocols allowing us to obtain both inter-protocol and inter-session composition.
Soundness of the Dolev-Yao Model
Participants : Véronique Cortier, Guillaume Scerri.
All the previous results rely on symbolic models of protocol executions in which cryptographic primitives are abstracted by symbolic expressions. This approach enables significantly simple and often automated proofs. However, the guarantees that it offers have been quite unclear compared to cryptographic models that consider issues of complexity and probability. Cryptographic models capture a strong notion of security, guaranteed against all probabilistic polynomial-time attacks. A recent line of research consists in identifying cases where it is possible to obtain the best of both cryptographic and formal worlds in the case of public encryption: fully automated proofs and strong, clear security guarantees. We have proposed a survey [22] of the results obtained so far.
Existing soundness results for symmetric encryption are not satisfactory. This is due to the fact that dishonest keys may introduce many behaviors that cannot be easily captured in symbolic models. We discuss the difficulties and limitations of the available results in [37] . In particular, we provide several examples of protocols that are symbolically correct but computationally flawed if assuming IND-CCA2. Based on these findings, Guillaume Scerri has started a PhD thesis on designing more flexible symbolic models for cryptographic proofs. His first result is a computationally sound symbolic model in the presence of dishonestly generated keys, allowing a symbolic adversary to generate new equalities between terms, on-the-fly.
A soundness result is usually established for some set of cryptographic primitives and extending the result to encompass new primitives typically requires redoing most of the work. In [41] , [40] , we propose a notion of computational soundness, amenable to modular extensions. Specifically, we prove that a deduction sound implementation of some arbitrary primitives can be extended to include asymmetric encryption and public data-structures (e.g. pairings or list), without repeating the original proof effort. Furthermore, our notion of soundness concerns cryptographic primitives in a way that is independent of any protocol specification language.