Equivalence Properties and Probabilistic Reasoning in Symbolic Security Protocol Analysis

Bruno Montalto
DOI: https://doi.org/10.3929/ethz-a-010349801
Abstract: Security protocols are distributed programs designed to ensure secure communication in a network controlled by an adversary. They are widely used today for securing on-line services such as personal communication and electronic voting. Their design is notoriously error-prone, and a great deal of research has been devoted to their analysis. In this thesis we provide two main contributions towards the automated analysis of such protocols: algorithms for the symbolic analysis of equivalence properties, and a symbolic probabilistic framework for security protocol analysis.

We consider the problem of verifying two equivalence properties relevant in protocol analysis: static equivalence and trace equivalence. Both notions model the property that an attacker cannot distinguish between two protocol executions, and they have been used to model security goals such as off-line guessing, electronic voting anonymity, and RFID untraceability. Static equivalence is concerned with an attacker who passively eavesdrops on a network and then tries to distinguish between possible executions by performing off-line computations. Trace equivalence is used in the analysis of security properties against an attacker who may participate actively in the protocol execution. We present an efficient decision procedure for static equivalence under equational theories generated by subterm convergent rewriting systems. This class of theories encompasses the most common cryptographic primitives, including symmetric and asymmetric encryption and decryption, hash functions and digital signatures. Our algorithm achieves a better asymptotic complexity than competing algorithms, albeit with a narrower scope. We discuss its implementation in the FAST tool and show that it indeed performs much more efficiently than other existing tools for the same task.

We also present a procedure for deciding the trace equivalence of bounded simple processes under equational theories generated by convergent rewriting systems for which a finitary unification algorithm exists. Although we do not have a termination result, our procedure is correct for the largest class of equational theories handled by any existing procedure for deciding trace equivalence and, together with the work by Cheval et al. [64], it is the only one to handle non-trivial else branches. Finally, we introduce a symbolic probabilistic framework for the analysis of security protocols. Our framework provides a general method for expressing weak-
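To make the notion of static equivalence concrete, the following is an added Python illustration; it is not code from the thesis or from the FAST tool, and it does not implement the thesis's decision procedure. It models frames as substitutions from handles (w1, w2) to terms, normalises terms under the single subterm convergent rule dec(enc(x, y), y) -> x, and then searches, by brute force up to a fixed nesting depth, for a test M = N that holds in one frame but not the other. The two pairs of frames (a password-guessing scenario and a nonce-secrecy scenario), the public constant zero and the hash symbol h are all constructed for the example. Because the recipe search is depth-bounded, a "no test found" answer is only evidence of equivalence, not a proof, which is exactly the gap a real decision procedure closes.

```python
from itertools import product

# Added illustration (not the thesis's algorithm): a depth-bounded brute-force
# check for static equivalence under dec(enc(x, y), y) -> x.
# A term is an atom (a string naming a nonce, key, public constant or frame
# handle) or a tuple (functor, *args).

PUBLIC_CONSTANTS = {'zero'}               # atoms the attacker may use in recipes
FUNCTIONS = {'enc': 2, 'dec': 2, 'h': 1}  # signature; h has no rewrite rule


def normalize(t):
    """Innermost normalisation under the rule dec(enc(x, y), y) -> x."""
    if isinstance(t, str):
        return t
    f, *args = t
    args = [normalize(a) for a in args]
    if (f == 'dec' and isinstance(args[0], tuple)
            and args[0][0] == 'enc' and args[0][2] == args[1]):
        return args[0][1]          # x is already in normal form
    return (f, *args)


def instantiate(recipe, frame):
    """Apply the frame substitution (handle -> term) to a recipe and normalise."""
    if isinstance(recipe, str):
        return frame.get(recipe, recipe)
    f, *args = recipe
    return normalize((f, *(instantiate(a, frame) for a in args)))


def recipes(handles, depth):
    """All attacker recipes over the handles, the public constants and the
    signature, with function nesting at most `depth` levels deep."""
    terms = set(handles) | PUBLIC_CONSTANTS
    for _ in range(depth):
        layer = set()
        for f, arity in FUNCTIONS.items():
            for args in product(sorted(terms, key=repr), repeat=arity):
                layer.add((f, *args))
        terms |= layer
    return sorted(terms, key=repr)   # deterministic order


def holds(m, n, frame):
    """Does the test M = N hold (modulo the theory) in the given frame?"""
    return instantiate(m, frame) == instantiate(n, frame)


def distinguishing_test(frame_a, frame_b, depth=2):
    """Return recipes (M, N) such that M = N holds in one frame but not in the
    other, or None if no test up to `depth` separates the frames.  None is a
    bounded result: it does not prove equivalence for arbitrarily deep recipes."""
    if sorted(frame_a) != sorted(frame_b):
        raise ValueError('frames must have the same domain')
    rs = recipes(list(frame_a), depth)
    for phi, psi in ((frame_a, frame_b), (frame_b, frame_a)):
        # Group recipes by their value in phi; every equality M = N inside a
        # group must also hold in psi, otherwise (M, N) is a distinguishing test.
        classes = {}
        for r in rs:
            classes.setdefault(instantiate(r, phi), []).append(r)
        for members in classes.values():
            first = members[0]
            for other in members[1:]:
                if not holds(first, other, psi):
                    return first, other
    return None


def statically_equivalent(frame_a, frame_b, depth=2):
    return distinguishing_test(frame_a, frame_b, depth) is None


# Constructed frames for off-line guessing: the attacker observed
# w1 = enc(zero, pw) for a low-entropy password pw; w2 is the attacker's guess,
# which is correct in GUESS_RIGHT and wrong in GUESS_WRONG.
GUESS_RIGHT = {'w1': ('enc', 'zero', 'pw'), 'w2': 'pw'}
GUESS_WRONG = {'w1': ('enc', 'zero', 'pw'), 'w2': 'pw2'}

# Constructed frames for nonce secrecy under an unknown key k: the attacker
# cannot tell which nonce was encrypted, so these should be equivalent.
SECRET_N = {'w1': ('enc', 'n', 'k')}
SECRET_M = {'w1': ('enc', 'm', 'k')}

if __name__ == '__main__':
    print('guessing test:', distinguishing_test(GUESS_RIGHT, GUESS_WRONG))
    print('nonce secrecy equivalent:', statically_equivalent(SECRET_N, SECRET_M))
```

In the guessing scenario the search finds a test such as dec(w1, w2) = zero (or equivalently enc(zero, w2) = w1), which holds only when the guess is right, so the two frames are not statically equivalent and the password can be verified off-line. In the nonce-secrecy scenario no test up to the bound separates the frames. Note that the search space grows roughly as (number of atoms)^(2^depth), which is why the thesis's polynomial procedure for subterm convergent theories matters in practice.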
Computer Science