WANG Wei

DOI: https://doi.org/10.3969/j.issn.1671-0428.2011.10.011

IF: 5.105

2011-01-01

Computers & Security

Abstract:Formal method is a powerful tool of analysis and verification of security properties of security protocols.In this paper,based on the first-order theorem prover ProVerif researched deeply,we analyzed the simplified Authentication Protocol Needham-Schroeder by formal method.

Vincent Cheval,José Moreira,Mark Ryan

2023-04-16

Abstract:Transparency protocols are protocols whose actions can be publicly monitored by observers (such observers may include regulators, rights advocacy groups, or the general public). The observed actions are typically usages of private keys such as decryptions, and signings. Examples of transparency protocols include certificate transparency, cryptocurrency, transparent decryption, and electronic voting. These protocols usually pose a challenge for automatic verification, because they involve sophisticated data types that have strong properties, such as Merkle trees, that allow compact proofs of data presence and tree extension. We address this challenge by introducing new features in ProVerif, and a methodology for using them. With our methodology, it is possible to describe the data type quite abstractly, using ProVerif axioms, and prove the correctness of the protocol using those axioms as assumptions. Then, in separate steps, one can define one or more concrete implementations of the data type, and again use ProVerif to show that the implementations satisfy the assumptions that were coded as axioms. This helps make compositional proofs, splitting the proof burden into several manageable pieces. We illustrate the methodology and features by providing the first formal verification of the transparent decryption and certificate transparency protocols with a precise modelling of the Merkle tree data structure.

Cryptography and Security

Thi Minh Chau Le,Xuan Thang Pham,Vinh Thinh Le

DOI: https://doi.org/10.54644/jte.2024.1523

2024-02-28

Journal of Technical Education Science

Abstract:In the dynamic field of Internet security, verifying and analyzing security protocols is crucial for ensuring secure and effective communication. This paper presents an analysis of leading tools used for the verification, falsification, and analysis of security protocols, focusing particularly on Scyther and Tamarin. We examine the methodologies, capabilities, and applications of these tools in various contexts, including cloud computing and IoT, highlighting their unique approaches and contributions to the field. The paper starts with an examination of the Scyther tool, emphasizing its innovative approach to automated falsification and verification, and its application in multi-protocol analysis. We then transition to exploring the use of Scyther in verifying key agreement protocols in cloud computing. A comparative analysis of Scyther and Tamarin is also presented, shedding light on their effectiveness in identifying security properties and revealing the strengths and weaknesses of different protocols. This is further enriched by a detailed look at the unbounded verification capabilities of Scyther. Additionally, the paper covers the capabilities of the Tamarin prover, exploring its advanced features in symbolic analysis, its ability to handle complex security properties, and its application in verifying protocol implementations. Through this paper, we aim to provide a comprehensive overview of the current landscape in security protocol verification, offering insights into the methodologies, challenges, and future directions in this essential area of research.

Takehiko Mieno,Hiroyuki Okazaki,Kenichi Arai,Yuichi Futa

DOI: https://doi.org/10.1109/access.2024.3368453

IF: 3.9

2024-03-06

IEEE Access

Abstract:The formal verification of cryptographic protocols has been extensively studied in recent years. To verify the cryptographic protocol security, formal verification tools consider protocol properties as interactive processes involving a cryptographic functionality. In general, we formally define a cryptographic functionality as an abstract function. However, the actual cryptographic protocols used comprise complex combinations of cryptographic functionalities. Thus, we may not determine if the protocol is secure, even when the cryptographic protocol security with cryptographic functionalities is verified using verification tools. Increasing the reliability of the verification results necessitates the verification of the security properties of these algorithms using ProVerif. Many cryptographic algorithms have been designed as iterative algorithms. These include the Merkle and Damgård construction (MD construction) method for cryptographic hash functions and the cipher block chaining mode (CBC mode) for the block cipher mode of operation. However, formalizing an iterative execution is difficult in ProVerif. Thus, we propose a method for formalizing a model of iterative executions. In the proposed method, we describe to formalize iterative execution as a formal model of function calls. We demonstrate the validity of our proposed method by formally verifying the safety of the MD construction method, which behaves like an iterative execution by including a one-way compression function and internal variables changed by the output of these functions. We also present a method for formalizing a common block cipher mode of operation (i.e., CBC mode) used in the proposed method to handle iterative execution.

computer science, information systems,telecommunications,engineering, electrical & electronic

Bruno Montalto

DOI: https://doi.org/10.3929/ethz-a-010349801

Abstract:Security protocols are distributed programs designed to ensure secure communication in a network controlled by an adversary. They are widely used today for securing on-line services such as personal communication and electronic voting. Their design is notoriously error-prone, and a great deal of research has been devoted to their analysis. In this thesis we provide two main contributions towards the automated analysis of such protocols: algorithms for the symbolic analysis of equivalence properties, and a symbolic probabilistic framework for security protocol analysis. We consider the problem of verifying two equivalence properties relevant in protocol analysis: static equivalence and trace equivalence. Both notions model the property that an attacker cannot distinguish between two protocol executions, and they have been used to model security goals such as off-line guessing, electronic voting anonymity, and RFID untraceability. Static equivalence is concerned with an attacker who passively eavesdrop on a network and then tries to distinguish between possible executions by performing off-line computations. Trace equivalence is used in the analysis of security properties against an attacker who may participate actively in protocol execution. We present an efficient decision procedure for static equivalence under equational theories generated by subterm convergent rewriting systems. This class of theories encompasses the most common cryptographic primitives, including symmetric and asymmetric encryption and decryption, hash functions and digital signatures. Our algorithm achieves a better asymptotic complexity than competing algorithms, albeit with a narrower scope. We discuss its implementation in the FAST tool and show that it indeed performs much more efficiently than other existing tools for the same task. We also present a procedure for deciding the trace equivalence of bounded simple processes under equational theories generated by convergent rewriting systems and for which a finitary unification algorithm exists. Although we do not have a termination result, our procedure is correct for the largest class of equational theories handled by any existing procedure for deciding trace equivalence and, together with the work by Cheval et. al [64], it is the only one to handle non-trivial else branches. Finally, we introduce a symbolic probabilistic framework for the analysis of security protocols. Our framework provides a general method for expressing weak-

Computer Science

Sergiu Bursuc,Christian Johansen,Shiwei Xu

DOI: https://doi.org/10.48550/arXiv.1701.08676

2017-01-30

Cryptography and Security

Abstract:Automated verification of security protocols based on dynamic root of trust, typically relying on protected hardware such as TPM, involves several challenges that we address in this paper. We model the semantics of trusted computing platforms (including CPU, TPM, OS, and other essential components) and of associated protocols in a classical process calculus accepted by ProVerif. As part of the formalization effort, we introduce new equational theories for representing TPM specific platform states and dynamically loaded programs. Formal models for such an extensive set of features cannot be readily handled by ProVerif, due especially to the search space generated by unbounded extensions of TPM registers. In this context we introduce a transformation of the TPM process, that simplifies the structure of the search space for automated verification, while preserving the security properties of interest. This allows to run ProVerif on our proposed models, so we can derive automatically security guarantees for protocols running in a dynamic root of trust context.

Linard Arquint,Felix A. Wolf,Joseph Lallemand,Ralf Sasse,Christoph Sprenger,Sven N. Wiesner,David Basin,Peter Müller

DOI: https://doi.org/10.48550/arXiv.2212.04171

2022-12-08

Abstract:We provide a framework consisting of tools and metatheorems for the end-to-end verification of security protocols, which bridges the gap between automated protocol verification and code-level proofs. We automatically translate a Tamarin protocol model into a set of I/O specifications expressed in separation logic. Each such specification describes a protocol role's intended I/O behavior against which the role's implementation is then verified. Our soundness result guarantees that the verified implementation inherits all security (trace) properties proved for the Tamarin model. Our framework thus enables us to leverage the substantial body of prior verification work in Tamarin to verify new and existing implementations. The possibility to use any separation logic code verifier provides flexibility regarding the target language. To validate our approach and show that it scales to real-world protocols, we verify a substantial part of the official Go implementation of the WireGuard VPN key exchange protocol.

Cryptography and Security,Programming Languages

Vincent Cheval,Steve Kremer,Itsaka Rakotonirina

DOI: https://doi.org/10.46298/theoretics.24.4

2024-03-12

Abstract:Automated verification has become an essential part in the security evaluation of cryptographic protocols. In this context privacy-type properties are often modelled by indistinguishability statements, expressed as behavioural equivalences in a process calculus. In this paper we contribute both to the theory and practice of this verification problem. We establish new complexity results for static equivalence, trace equivalence and labelled bisimilarity and provide a decision procedure for these equivalences in the case of a bounded number of protocol sessions. Our procedure is the first to decide trace equivalence and labelled bisimilarity exactly for a large variety of cryptographic primitives -- those that can be represented by a subterm convergent destructor rewrite system. We also implemented the procedure in a new tool, DeepSec. We showed through extensive experiments that it is significantly more efficient than other similar tools, while at the same time raises the scope of the protocols that can be analysed.

Cryptography and Security

Simon Jeanteur,Laura Kovács,Matteo Maffei,Michael Rawson

2024-04-05

Abstract:Cryptographic protocols are hard to design and prove correct, as witnessed by the ever-growing list of attacks even on protocol standards. Symbolic models of cryptography enable automated formal security proofs of such protocols against an idealized model, which abstracts away from the algebraic properties of cryptographic schemes and thus misses attacks. Computational models yield rigorous guarantees but support at present only interactive proofs and/or restricted classes of protocols. A promising approach is given by the computationally complete symbolic attacker (CCSA), formalized in the BC Logic, which aims at bridging and getting the best of the two worlds, obtaining cryptographic guarantees by symbolic analysis. The BC Logic is supported by a recently developed interactive theorem prover, Squirrel, which enables machine-checked interactive security proofs, as opposed to automated ones, thus requiring expert knowledge. We introduce the CryptoVampire cryptographic protocol verifier, which for the first time fully automates proofs of trace properties in the BC Logic. The key technical contribution is a first-order (FO) formalization of protocol properties with tailored handling of subterm relations. We overcome the burden of interactive proving in higher-order (HO) logic and automatically establish soundness of cryptographic protocols using only FO reasoning. On the theoretical side, we restrict full FO logic with cryptographic axioms to ensure that, by losing the expressivity of the HO BC Logic, we do not lose soundness. On the practical side, CryptoVampire integrates dedicated proof techniques using FO saturation algorithms and heuristics, which enable leveraging the state-of-the-art Vampire FO theorem prover as the underlying proving engine. Our experimental results show CryptoVampire's effectiveness of as a standalone verifier and in terms of automation support for Squirrel.

Cryptography and Security,Logic in Computer Science

Rajagopal Nagarajan,Simon Gay

DOI: https://doi.org/10.48550/arXiv.quant-ph/0203086

2002-03-18

Abstract:We propose to analyse quantum protocols by applying formal verification techniques developed in classical computing for the analysis of communicating concurrent systems. One area of successful application of these techniques is that of classical security protocols, exemplified by Lowe's discovery and fix of a flaw in the well-known Needham-Schroeder authentication protocol. Secure quantum cryptographic protocols are also notoriously difficult to design. Quantum cryptography is therefore an interesting target for formal verification, and provides our first example; we expect the approach to be transferable to more general quantum information processing scenarios. The example we use is the quantum key distribution protocol proposed by Bennett and Brassard, commonly referred to as BB84. We present a model of the protocol in the process calculus CCS and the results of some initial analyses using the Concurrency Workbench of the New Century (CWB-NC).

Quantum Physics

Vincent Cheval,Caroline Fontaine

2024-10-20

Abstract:Computer-aided analysis of security protocols heavily relies on equational theories to model cryptographic primitives. Most automated verifiers for security protocols focus on equational theories that satisfy the Finite Variant Property (FVP), for which solving unification is decidable. However, they either require to prove FVP by hand or at least to provide a representation as an E-convergent rewrite system, usually E being at most the equational theory for an associative and commutative function symbol (AC). The verifier ProVerif is probably the only exception amongst these tools as it automatically proves FVP without requiring a representation, but on a small class of equational theories. In this work, we propose a novel semi-decision procedure for proving FVP, without the need for a specific representation, and for a class of theories that goes beyond the ones expressed by an E-convergent rewrite system. We implemented a prototype and successfully applied it on several theories from the literature.

Cryptography and Security

David Basin,Cas Cremers

DOI: https://doi.org/10.1007/978-3-642-15205-4_1

2010-01-01

Abstract:We present a symbolic framework, based on a modular operational semantics, for formalizing different notions of compromise relevant for the analysis of cryptographic protocols. The framework’s rules can be combined in different ways to specify different adversary capabilities, capturing different practically-relevant notions of key and state compromise. We have extended an existing security-protocol analysis tool, Scyther, with our adversary models. This is the first tool that systematically supports notions such as weak perfect forward secrecy, key compromise impersonation, and adversaries capable of state-reveal queries. We also introduce the concept of a protocol-security hierarchy, which classifies the relative strength of protocols against different forms of compromise. In case studies, we use Scyther to automatically construct protocol-security hierarchies that refine and correct relationships between protocols previously reported in the cryptographic literature.

Linard Arquint,Malte Schwerhoff,Vaibhav Mehta,Peter Müller

DOI: https://doi.org/10.1145/3576915.3623105

2023-09-10

Abstract:Security protocols are essential building blocks of modern IT systems. Subtle flaws in their design or implementation may compromise the security of entire systems. It is, thus, important to prove the absence of such flaws through formal verification. Much existing work focuses on the verification of protocol *models*, which is not sufficient to show that their *implementations* are actually secure. Verification techniques for protocol implementations (e.g., via code generation or model extraction) typically impose severe restrictions on the used programming language and code design, which may lead to sub-optimal implementations. In this paper, we present a methodology for the modular verification of strong security properties directly on the level of the protocol implementations. Our methodology leverages state-of-the-art verification logics and tools to support a wide range of implementations and programming languages. We demonstrate its effectiveness by verifying memory safety and security of Go implementations of the Needham-Schroeder-Lowe, Diffie-Hellman key exchange, and WireGuard protocols, including forward secrecy and injective agreement for WireGuard. We also show that our methodology is agnostic to a particular language or program verifier with a prototype implementation for C.

Cryptography and Security,Programming Languages

Myrto Arapinis,Vincent Cheval,Stéphanie Delaune

DOI: https://doi.org/10.48550/arXiv.1407.5444

2014-10-21

Abstract:Security protocols are used in many of our daily-life applications, and our privacy largely depends on their design. Formal verification techniques have proved their usefulness to analyse these protocols, but they become so complex that modular techniques have to be developed. We propose several results to safely compose security protocols. We consider arbitrary primitives modeled using an equational theory, and a rich process algebra close to the applied pi calculus. Relying on these composition results, we are able to derive some security properties on a protocol from the security analysis performed on each sub-protocol individually. We consider parallel composition and the case of key-exchange protocols. Our results apply to deal with confidentiality but also privacy-type properties (e.g. anonymity, unlinkability) expressed using a notion of equivalence. We illustrate the usefulness of our composition results on protocols from the 3G phone application and electronic passport.

Cryptography and Security

Mohsen Toorani

DOI: https://doi.org/10.48550/arXiv.1605.09771

2016-06-02

Abstract:Security protocols are building blocks in secure communications. They deploy some security mechanisms to provide certain security services. Security protocols are considered abstract when analyzed, but they can have extra vulnerabilities when implemented. This manuscript provides a holistic study on security protocols. It reviews foundations of security protocols, taxonomy of attacks on security protocols and their implementations, and different methods and models for security analysis of protocols. Specifically, it clarifies differences between information-theoretic and computational security, and computational and symbolic models. Furthermore, a survey on computational security models for authenticated key exchange (AKE) and password-authenticated key exchange (PAKE) protocols, as the most important and well-studied type of security protocols, is provided.

Cryptography and Security

M.L. Martinez Ricci,J. Mazzaferri,A.V. Bragas,O.E. Martinez

DOI: https://doi.org/10.1119/1.2742400

2007-10-02

Abstract:We present a photon counting experiment designed for an undergraduate physics laboratory. The statistics of the number of photons of a pseudo-thermal light source is studied in two limiting cases: much longer and much shorter than the coherence time, giving Poisson and Bose-Einstein distributions, respectively. The experiment can be done in a reasonable time using a digital oscilloscope without the need of counting boards. The use of the oscilloscope has the advantage of allowing the storage of the data for further processing. The stochastic nature of the detection phenomena adds additional value because students are forced to do data processing and analysis.

Optics

Lewis Hammond,Sam Adam-Day

2024-12-12

Abstract:We consider the problem of how a trusted, but computationally bounded agent (a 'verifier') can learn to interact with one or more powerful but untrusted agents ('provers') in order to solve a given task. More specifically, we study the case in which agents are represented using neural networks and refer to solutions of this problem as neural interactive proofs. First we introduce a unifying framework based on prover-verifier games, which generalises previously proposed interaction protocols. We then describe several new protocols for generating neural interactive proofs, and provide a theoretical comparison of both new and existing approaches. Finally, we support this theory with experiments in two domains: a toy graph isomorphism problem that illustrates the key ideas, and a code validation task using large language models. In so doing, we aim to create a foundation for future work on neural interactive proofs and their application in building safer AI systems.

Artificial Intelligence,Machine Learning

Kangfeng Ye,Roberto Metere,Poonam Yadav

2024-10-01

Abstract:Current formal verification of security protocols relies on specialized researchers and complex tools, inaccessible to protocol designers who informally evaluate their work with emulators. This paper addresses this gap by embedding symbolic analysis into the design process. Our approach implements the Dolev-Yao attack model using a variant of CSP based on Interaction Trees (ITrees) to compile protocols into animators -- executable programs that designers can use for debugging and inspection. To guarantee the soundness of our compilation, we mechanised our approach in the theorem prover Isabelle/HOL. As traditionally done with symbolic tools, we refer to the Diffie-Hellman key exchange and the Needham-Schroeder public-key protocol (and Lowe's patched variant). We demonstrate how our animator can easily reveal the mechanics of attacks and verify corrections. This work facilitates security integration at the design level and supports further security property analysis and software-engineered integrations.

Cryptography and Security,Logic in Computer Science

Cláudia Nalon,Lan Zhang,Clare Dixon,Ullrich Hustadt

DOI: https://doi.org/10.4204/EPTCS.146.9

2014-04-03

Abstract:We present a prototype tool for automated reasoning for Coalition Logic, a non-normal modal logic that can be used for reasoning about cooperative agency. The theorem prover CLProver is based on recent work on a resolution-based calculus for Coalition Logic that operates on coalition problems, a normal form for Coalition Logic. We provide an overview of coalition problems and of the resolution-based calculus for Coalition Logic. We then give details of the implementation of CLProver and present the results for a comparison with an existing tableau-based solver.

Logic in Computer Science,Artificial Intelligence

Lawrence C. Paulson

DOI: https://doi.org/10.3233/JCS-1998-61-205

2021-05-13

Abstract:Informal arguments that cryptographic protocols are secure can be made rigorous using inductive definitions. The approach is based on ordinary predicate calculus and copes with infinite-state systems. Proofs are generated using Isabelle/HOL. The human effort required to analyze a protocol can be as little as a week or two, yielding a proof script that takes a few minutes to run. Protocols are inductively defined as sets of traces. A trace is a list of communication events, perhaps comprising many interleaved protocol runs. Protocol descriptions incorporate attacks and accidental losses. The model spy knows some private keys and can forge messages using components decrypted from previous traffic. Three protocols are analyzed below: Otway-Rees (which uses shared-key encryption), Needham-Schroeder (which uses public-key encryption), and a recursive protocol by Bull and Otway (which is of variable length). One can prove that event $ev$ always precedes event $ev'$ or that property $P$ holds provided $X$ remains secret. Properties can be proved from the viewpoint of the various principals: say, if $A$ receives a final message from $B$ then the session key it conveys is good.

Cryptography and Security,Logic in Computer Science