Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

94 CHAPTER 4. PROTOCOLS WITH VULNERABLE SIGNATURE SCHEMES a new pair of secret and public keys (Sk”(pk, s), P k”(pk, s)), a new message m ′ (m ′ = f(pk, s)) such that the verification of s with respect to the new message m ′ and the new public key succeeds. We assume that FDEO = FDEOpub ∪ FDEOpri where FDEOpub = {sig, ver, Sk”, P k”, f, 1} and FDEOpri = {Sk, P k}. In addition to the signature FDEO, and as described in Chapter 2, we make use of an infinite set of variables X and an infinite set of constants C. The destructive exclusive ownership vulnerability property is represented by the following equational theory, denoted by HDEO: ⎧ ⎨ ver(x, sig(x, Sk(y)), P k(y)) = 1 HDEO = ver(x, sig(x, Sk”(y1, y2)), P k”(y1, y2)) = 1 ⎩ sig(f(P k(y), sig(x, Sk(y))), Sk”(P k(y), sig(x, Sk(y))) = sig(x, Sk(y)) The intruder system we consider to analyse our class of cryptographic protocols is given as follows: with: ⎧ ⎪⎨ ⎪⎩ IDEO = 〈FDEO, TDEO, HDEO〉 FDEO = FDEOpub ∪ FDEOpri FDEOpub = {sig, ver, Sk”, P k”, f, 1} FDEOpri = {Sk, P k} TDEO = {sig(x, y), ver(x, y, z), Sk”(x, y), P k”(x, y), f(x, y), 1} The associated set of intruder deduction rules, denoted by LDEO is given as follows: ⎧ x, y → sig(x, y) ⎪⎨ x, y, z → ver(x, y, z) x, y → Sk”(x, y) LDEO = x, y → P k”(x, y) ⎪⎩ x, y → f(x, y) ∅ → 1 In what follows, we introduce the rewrite system, RDEO, generating the equational theory HDEO, and we prove that RDEO is convergent. The rewrite system RDEO is obtained by applying Knuth-Bendix completion procedure [131] on HDEO. This completion procedure is described in Chapter 2, at Section 2.1.6. Lemma 28 HDEO is generated by the convergent rewriting system: ⎧ ⎪⎨ ver(x, sig(x, Sk(y)), P k(y)) → 1 ver(x, sig(x, Sk”(y1, y2)), P k”(y1, y2)) → 1 RDEO = ⎪⎩ ver(f(P k(y), sig(x, Sk(y))), sig(x, Sk(y)), P k”(P k(y), sig(x, Sk(y)))) → 1 sig(f(P k(y), sig(x, Sk(y))), Sk”(P k(y), sig(x, Sk(y)))) → sig(x, Sk(y))
4.4. DECIDABILITY RESULTS 95 PROOF. The application of the Knuth-Bendix completion procedure [131] on HDEO terminates successfully and outputs the rewrite system RDEO, which is a convergent rewrite system generating HDEO (Chapter 2, Section 2.1.6). � Lemma 29 Any RDEO-narrowing derivation starting from any term t terminates. PROOF. In Lemma 28, we proved that RDEO is a convergent rewrite system. Following the definition of basic narrowing (Definition 13, Chapter 2), it is easy to see that any right member of any RDEO rule is not RDEO-basic narrowable, and hence, by Theorem 1 (Chapter 2) , we conclude that any RDSKS-narrowing derivation starting from any term terminates.� Lemma 30 HDEO has the finite variant property. PROOF. In Lemma 28, we proved that HDEO is generated by a convergent rewrite system RDEO, and in lemma 29, we proved that any RDEO-narrowing derivation starting from any term terminates. In [86], the authors showed that each convergent rewrite system R such that any R-basic narrowing derivation starting from any term terminates has the finite variant property. This allows us to conclude that RDEO and hence HDEO has the finite variant property. � 4.4.3 Decidability of HDSKS- and HDEO-unifiability problems In this section, we prove the decidability of HDSKS- and HDEO-unifiability problems. Given an arbitrary equational theory H, we recall the definition of Hunifiability problem (Chapter 2, Definition 3). The H-unifiability problem is defined as follows: Input: A H-unification system U. Output: SAT if and only if there exists a substitution σ such that σ |=H U. In Chapter 2 (Section 2.1.8), we present a complete, sound and finite Hunification algorithm where H is an equational theory having the finite variant property. Since RDSKS and RDEO have the finite variant property (Lemma 27 and Lemma 30 respectively), we conclude the following theorem. Theorem 6 The HDSKS- and HDEO-unifiability problems are decidable. We prove below that HDSKS- (respectively HDEO-) unifiability problem is in fact in NP time.
Page 1:
Logical Analysis and Verification o
Page 5:
Abstract This thesis is developed i
Page 8 and 9:
viii
Page 10 and 11:
x CONTENTS 2.1.7 Unification . . .
Page 12 and 13:
xii CONTENTS 5.8 Decidability of re
Page 14 and 15:
2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17:
4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19:
6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21:
8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23:
10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25:
12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27:
14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29:
16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31:
18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33:
20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57: 44 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 70 and 71: 58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 112 and 113: 100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 124 and 125: 112 CHAPTER 5. SATURATED DEDUCTION
Page 156 and 157:
144 CHAPTER 5. SATURATED DEDUCTION
Page 158 and 159:
146 CHAPTER 5. SATURATED DEDUCTION
Page 160 and 161:
148 CHAPTER 6. ON THE GROUND ENTAIL
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?