Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

x CONTENTS 2.1.7 Unification . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 2.1.8 Finite variant property . . . . . . . . . . . . . . . . . . . . . 30 2.1.9 Narrowing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 2.1.10 Two intruder deduction systems . . . . . . . . . . . . . . . 36 2.1.11 Variant of the intruder deduction system . . . . . . . . . . 41 2.1.12 Constraint systems . . . . . . . . . . . . . . . . . . . . . . . 43 2.1.13 Modified I-constraint systems . . . . . . . . . . . . . . . . 44 2.1.14 Reachability problems . . . . . . . . . . . . . . . . . . . . . 46 2.1.15 Variant of I-constraint systems . . . . . . . . . . . . . . . . 46 2.2 Cryptographic protocols . . . . . . . . . . . . . . . . . . . . . . . . 48 2.2.1 Specification of protocols . . . . . . . . . . . . . . . . . . . 48 2.2.2 Execution of protocols . . . . . . . . . . . . . . . . . . . . . 51 2.3 From cryptographic protocols to constraint systems . . . . . . . . 52 2.3.1 From an execution of a protocol to a constraint system . . 52 2.3.2 From insecurity problem to satisfiability of constraint systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 2.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 3 Protocols with vulnerable hash functions 57 3.1 Hash functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 3.1.1 Definition of hash functions . . . . . . . . . . . . . . . . . . 58 3.1.2 Properties of hash functions . . . . . . . . . . . . . . . . . . 59 3.1.3 Examples of hash functions . . . . . . . . . . . . . . . . . . 60 3.2 Collision vulnerability property . . . . . . . . . . . . . . . . . . . . 60 3.2.1 Hash functions having this property . . . . . . . . . . . . . 61 3.2.2 Collision vulnerability in practice . . . . . . . . . . . . . . 61 3.3 The model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 3.3.1 Mode in an equational theory . . . . . . . . . . . . . . . . . 62 3.3.2 Well-moded equational theories . . . . . . . . . . . . . . . 63 3.3.3 Subterm values . . . . . . . . . . . . . . . . . . . . . . . . . 63 3.3.4 Intruder deduction system . . . . . . . . . . . . . . . . . . 63 3.3.5 Symbolic derivation . . . . . . . . . . . . . . . . . . . . . . 66 3.3.6 Ordered satisfiability problem . . . . . . . . . . . . . . . . 68 3.4 Symbolic formalisation . . . . . . . . . . . . . . . . . . . . . . . . . 68 3.4.1 Intruder on words with free function symbols . . . . . . . 69 3.4.2 Hash-colliding intruder . . . . . . . . . . . . . . . . . . . . 71 3.4.3 Properties on Ifree and Ih intruder deduction systems . . 71 3.5 Decidability results . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 3.5.1 Decidability of ordered IAU-satisfiability problem . . . . . 76 3.5.2 Decidability of ordered If and Ig satisfiability problems . 79 3.5.3 Decidability of ordered Ifree satisfiability problem . . . . . 79 3.5.4 Decidability of ordered Ih-satisfiability problem . . . . . . 80
CONTENTS xi 3.6 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 4 Protocols with vulnerable signature schemes 81 4.1 Signature schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 4.1.1 Definition of signature schemes . . . . . . . . . . . . . . . . 82 4.1.2 Classification of signature schemes . . . . . . . . . . . . . . 83 4.1.3 Attacks and breaks on signature schemes . . . . . . . . . . 85 4.2 Duplicate-signature key selection (DSKS) property . . . . . . . . . 87 4.2.1 Description of DSKS property . . . . . . . . . . . . . . . . . 87 4.2.2 DSKS property in practice . . . . . . . . . . . . . . . . . . . 88 4.3 Destructive exclusive ownership property . . . . . . . . . . . . . . 90 4.3.1 Description of DEO property . . . . . . . . . . . . . . . . . 90 4.4 Decidability results . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 4.4.1 Symbolic model for constructive exclusive ownership vulnerability property . . . . . . . . . . . . . . . . . . . . . 91 4.4.2 Symbolic model for destructive exclusive ownership vulnerability property . . . . . . . . . . . . . . . . . . . . . . . 93 4.4.3 Decidability of HDSKS- and HDEO-unifiability problems . 95 4.4.4 Saturation of IDSKS and IDEO deduction rules . . . . . . . 96 4.4.5 Decidability of IDSKS and IDEO reachability problems . . 101 4.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 5 Saturated deduction systems 111 5.1 The model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 5.2 Finite variant property . . . . . . . . . . . . . . . . . . . . . . . . . 113 5.2.1 Definition of finite variant property . . . . . . . . . . . . . 113 5.2.2 Equational theories having finite variant property . . . . . 114 5.3 Saturation of intruder deduction rules . . . . . . . . . . . . . . . . 117 5.3.1 Saturation algorithm . . . . . . . . . . . . . . . . . . . . . . 118 5.3.2 Properties of the saturation . . . . . . . . . . . . . . . . . . 119 5.4 Algorithm for solving reachability problems . . . . . . . . . . . . 120 5.5 Decidability results . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 5.5.1 Decidability of the ground reachability problems . . . . . 126 5.5.2 Termination of Saturation does not imply decidability of general reachability problems . . . . . . . . . . . . . . . . . 128 5.5.3 Decidability of the general reachability problems . . . . . 129 5.6 Applications: some relevant equational theories . . . . . . . . . . 134 5.6.1 Dolev-Yao theory with explicit destructors . . . . . . . . . 134 5.6.2 Digital signature theory with duplicate signature key selection property . . . . . . . . . . . . . . . . . . . . . . . . . 135 5.7 Decidability of ground reachability problems for the blind signature theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Page 1: Logical Analysis and Verification o
Page 5: Abstract This thesis is developed i
Page 8 and 9: viii
Page 12 and 13: xii CONTENTS 5.8 Decidability of re
Page 14 and 15: 2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17: 4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19: 6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21: 8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23: 10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25: 12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27: 14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29: 16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31: 18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33: 20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 60 and 61:
48 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 114 and 115:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
112 CHAPTER 5. SATURATED DEDUCTION
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138 and 139:
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
148 CHAPTER 6. ON THE GROUND ENTAIL
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?