A Method for Verifying Privacy-Type Properties: The Unbounded Case

Hirschi, Lucca; Baelde, David; Delaune, Stéphanie

doi:10.1109/sp.2016.40

Cited by 33 publications

(50 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The main issue in implementing this idea arises from diff-equivalence being too strong regarding tests and computations of idealized terms. In [42], we had proposed a solution that avoided this problem by largely over-approximating the set of executable traces, which is sound but very imprecise. Moreover, this first solution is only adequate for the notion of idealization considered in [42], and not for the generalization proposed in the present paper.…”

Section: Frame Opacitymentioning

confidence: 99%

“…In [42], we had proposed a solution that avoided this problem by largely over-approximating the set of executable traces, which is sound but very imprecise. Moreover, this first solution is only adequate for the notion of idealization considered in [42], and not for the generalization proposed in the present paper. We describe below a simpler solution, that is much more precise and efficient, and can accommodate our generalized notion of idealization, at the cost of a slight extension of ProVerif's diff-equivalence.…”

Section: Frame Opacitymentioning

confidence: 99%

See 1 more Smart Citation

A method for unbounded verification of privacy-type properties

Hirschi

Baelde

Delaune

2019

JCS

Self Cite

View full text Add to dashboard Cite

In this paper, we consider the problem of verifying anonymity and unlinkability in the symbolic model, where protocols are represented as processes in a variant of the applied pi calculus, notably used in the ProVerif tool. Existing tools and techniques do not allow to verify directly these properties, expressed as behavioral equivalences. We propose a different approach: we design two conditions on protocols which are sufficient to ensure anonymity and unlinkability, and which can then be effectively checked automatically using ProVerif. Our two conditions correspond to two broad classes of attacks on unlinkability, i.e. data and control-flow leaks. This theoretical result is general enough that it applies to a wide class of protocols based on a variety of cryptographic primitives. In particular, using our tool, UKano, we provide the first formal security proofs of protocols such as BAC and PACE (e-passport), Hash-Lock (RFID authentication), etc. Our work has also lead to the discovery of new attacks, including one on the LAK protocol (RFID authentication) which was previously claimed to be unlinkable (in a weak sense).

show abstract

Section: Frame Opacitymentioning

confidence: 99%

Section: Frame Opacitymentioning

confidence: 99%

A method for unbounded verification of privacy-type properties

Hirschi

Baelde

Delaune

2019

JCS

Self Cite

View full text Add to dashboard Cite

show abstract

“…While this tool is ex-tremely efficient, it only covers a fixed set of cryptographic primitives (the same as Spec and Apte) and verifies an approximated equivalence, similar to the diff-equivalence. A completely different approach has been taken by Hirschi et al [HBD16], identifying sufficient conditions provable by ProVerif for verifying unlinkability properties, implemented in the tool Ukano, a front-end to the ProVerif tool. Ukano does however not verify equivalence properties in general.…”

Section: Related Workmentioning

confidence: 99%

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

Cheval

Kremer

Rakotonirina

2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

We study the automated verification of behavioural equivalences in the applied pi calculus, an essential problem in formal, symbolic analysis of cryptographic protocols. We establish new complexity results for static equivalence, trace equivalence and labelled bisimilarity and propose a new decision procedure for these equivalences. Our procedure is the first tool to decide trace equivalence and labelled bisimilarity exactly for a family of equational theories, namely those that can be represented by a subterm convergent destructor rewrite system. Finally, we implement the procedure in a new tool, called Deepsec and demonstrate the applicability of the tool on several case studies.

show abstract

“…We also recall there the action-determinism assumption required in previous works [8,9], and argue why it makes it impossible to adequately model privacy properties such as unlinkability. Similarly, the diff-equivalence used in ProVerif and Tamarin systematically leads to false attacks on unlinkability [27]. For such properties, one thus has to resort to verifying trace equivalence in the bounded setting but, the lack of POR techniques supporting non-action-deterministic processes is a major problem, since equivalence verification tools perform very poorly when the state explosion problem is left untamed.…”

Section: Equivalencesmentioning

confidence: 99%

“…We verify some privacy properties on several real-life protocols of various sizes by modifying the number of sessions being analysed. We model unlinkability [27,5] of the BAC protocol [5] (used in e-passports, see Appendix A), of Private Authentication [3] and of Feldhofer [24]. We also model anonymity [27,5] for some of them.…”

Section: Experimental Evaluationmentioning

confidence: 99%

POR for Security Protocol Equivalences

Baelde¹,

Delaune²,

Hirschi³

2018

Computer Security

Self Cite

View full text Add to dashboard Cite

Formal methods have proved effective to automatically analyze protocols. Over the past years, much research has focused on verifying trace equivalence on protocols, which is notably used to model many interesting privacy properties, e.g., anonymity or unlinkability. Many tools for checking trace equivalence rely on a naive and expensive exploration of all interleavings of concurrent actions, which calls for partial-order reduction (POR) techniques. In this paper, we present the first POR technique for protocol equivalences that does not rely on an action-determinism assumption: we recast the trace equivalence problem as a reachability problem, to which persistent and sleep set techniques can be applied, and we show how to effectively apply these results in the context of symbolic executions. We report on a prototype implementation, improving the tool DeepSec.

show abstract

A Method for Verifying Privacy-Type Properties: The Unbounded Case

Cited by 33 publications

References 29 publications

A method for unbounded verification of privacy-type properties

A method for unbounded verification of privacy-type properties

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

POR for Security Protocol Equivalences

Contact Info

Product

Resources

About