Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

98 CHAPTER 4. PROTOCOLS WITH VULNERABLE SIGNATURE SCHEMES We define two new deduction systems I ′ = 〈F, LI ′, ∅〉 and I” = 〈F, LI”, ∅〉. We remark that I satisfies the definition of intruder deduction system as given in Definition 16 (Chapter 2) and in [73], and the intruder deduction systems I ′ , I” satisfy the definition of intruder deduction system as given in [72]. Saturation of IDSKS and IDEO The application of the saturation given in Figure 4.1 on LDSKS terminates, and yields the following two sets of rules, each corresponding to a step of the saturation algorithm (respectively the Initialisation and the first step): L ′ DSKS = LDSKS ∪ ⎧ ⎪⎨ ⎪⎩ L”DSKS = LDSKS ∪ x, Sk ′ (P k(y), sig(x, Sk(y))) → sig(x, Sk(y)) x, sig(x, Sk(y)), P k(y) → 1 x, sig(x, Sk ′ (y1, y2)), P k ′ (y1, y2) → 1 x, sig(x, Sk(y)), P k ′ (P k(y), sig(x, Sk(y))) → 1 � x, Sk(y) → sig(x, Sk(y)) x, Sk ′ (P k(y), sig(x, Sk(y))) → sig(x, Sk(y)) and, the application of the saturation given in Figure 4.1 on LDEO terminates, and yields the following two sets of rules, each corresponding to a step of the saturation algorithm (respectively the Initialisation and the first step): L ′ DEO = LDEO∪ ⎧ ⎪⎨ ⎪⎩ x, sig(x, Sk(y)), P k(y) → 1 x, sig(x, Sk”(y1, y2)), P k”(y1, y2) → 1 f(P k(y), sig(x, Sk(y))), sig(x, Sk(y)), P k”(P k(y), sig(x, Sk(y))) → 1 f(P k(y), sig(x, Sk(y))), Sk”(P k(y), sig(x, Sk(y))) → sig(x, Sk(y)) L”DEO = LDEO∪{f(P k(y), sig(x, Sk(y))), Sk”(P k(y), sig(x, Sk(y))) → sig(x, Sk(y))} From the intruder systems IDSKS and IDEO, we define four new intruder systems: I ′ DSKS = 〈FDSKS, L ′ DSKS , ∅〉, I”DSKS = 〈FDSKS, L”DSKS, ∅〉, I ′ DEO = 〈FDEO, L ′ DEO , ∅〉 and, I”DEO = 〈FDEO, L”DEO, ∅〉. We remark that IDSKS and IDEO satisfy the definition of intruder deduction system as given in Definition 16 (Chapter 2) and in [73], and the intruder deduction systems I ′ DSKS , I′ DEO , I”DSKS, I”DEO intruder deduction system as given in [72]. satisfy the definition of In the rest of this chapter, we assume that H, R, L, L ′ , L”, I, I ′ , and I” to be either respectively HDSKS, RDSKS, LDSKS, L ′ DSKS , L”DSKS, IDSKS, I ′ DSKS , I”DSKS or respectively HDEO, RDEO, LDEO, L ′ DEO , L”DEO, IDEO, I ′ DEO , I”DEO.
4.4. DECIDABILITY RESULTS 99 Properties of the saturation Let us first prove that the intruder deduction system obtained after the saturation gives exactly the same deductive power to the initial intruder deduction system. Given a set of terms E and a term t, from now on, we make use of the notation E →∗ I t to means that there exists a I-derivation starting from E of goal t, that is t ∈ E I . Lemma 31 For any set of normal ground terms E and any normal ground term t we have: t ∈ E I t if and only if t ∈ E I” . PROOF. Lemma 8 (Chapter 2) showed that for any two sets of ground terms in normal form E and F , we have E →I F if and only if E →I ′ F . This implies that t ∈ E I if and only if t ∈ E I′ for any set of ground terms E in normal form and any ground term t in normal form. Now, we prove that t ∈ E I′ if and only if t ∈ E I” . First, let us assume that t ∈ E I′ , that is, there exists a I ′ -derivation D starting from E of goal t, and let us prove that there exists a I”-derivation starting from E of goal t. If there exists a step in the derivation D which uses a rule �l → r ∈ LI ′ but not in LI”, then, by construction of LI”, there exists another rule � l1 → r in LI” such that � l1 ⊆ �l and thus that can be applied instead of �l → r. We conclude that t ∈ E I” . For the reciprocal, let us assume that there exists a I”-derivation starting from E of goal t, and let us prove that there exists a I ′ -derivation starting from E of goal t. We begin by defining an arbitrary order on the rules of LI ′, and we extend this order to the rules of LI” \ LI ′ as follows: the rules of LI ′ are smaller than the rules of LI” \ LI ′ and the rules of LI” \ LI ′ are ordered according to the order of their construction during the saturation. Let M(D) be the multiset of deduction rules applied in D. Let Ω(E, t) = {D | D : E(→∗ I ′ ∪ →I”) ∗t}. Since t ∈ E I” , Ω(E, t) �= ∅. Let D be a derivation in Ω(E, t) having the minimal M(D), and let us prove that D does not use rules in LI” \ LI ′. By contradiction, suppose that D uses a rule �l → r ∈ LI” \ LI ′. Since �l → r /∈ LI ′, it has been constructed according to the closure rule given in Figure ??. This implies that there exists two rules � l1 → r1 and s, � l2 → r2 in LI” such that µ = mgu(r1, s), s /∈ X , �l = ( � l1, � l2)µ and r = r2µ. suppose that �l → r is applied on the set of terms F , F →el→r F, g. Since �lσ ⊆ F and rσ = g for a substitution σ, we have � l1µσ ⊆ F and (s, � l2)µσ ⊆ F ∪ r1µσ, this implies that F →e l1→r1 F, r1µσ →e l2,s→r2 F, r1µσ, g. Let D ′ be the derivation where � l1 → r1 and s, � l2 → r2 replace � l → r. D ′ is in Ω(E, t). Since � l1 → r1 and s, � l2 → r2 have an order smaller than the order of � l → r, we have M(D ′ ) < M(D) which contradicts the minimality of M(D).
Page 1:
Logical Analysis and Verification o
Page 5:
Abstract This thesis is developed i
Page 8 and 9:
viii
Page 10 and 11:
x CONTENTS 2.1.7 Unification . . .
Page 12 and 13:
xii CONTENTS 5.8 Decidability of re
Page 14 and 15:
2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17:
4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19:
6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21:
8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23:
10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25:
12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27:
14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29:
16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31:
18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33:
20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61: 48 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 70 and 71: 58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 112 and 113: 100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 124 and 125: 112 CHAPTER 5. SATURATED DEDUCTION
Page 160 and 161:
148 CHAPTER 6. ON THE GROUND ENTAIL
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

Create successful ePaper yourself

Delete template?

Save as template?