Logical Analysis and Verification of Cryptographic Protocols - Loria
1.4. ANALYSIS OF CRYPTOGRAPHIC PROTOCOLS
cryptographic protocols has been studied later by [15, 156, 53], and then by
[68, 95, 73, 70, 69, 54] who considered cryptographic protocols with algebraic
primitives such as modular exponentiation, exclusive or, etc. Constraint solving
has become the standard model to analyse cryptographic protocols in the
case of a bounded number of sessions.
Within this approach, further work has been done to capture other security
properties, such as resistance to dictionary attacks [96], equivalence-based
properties [109], and properties related to contract-signing protocols
[135].
Search for proofs. The drawback of this approach is that, assuming a bounded
number of sessions, it does not prove the correctness of the protocol. We
show here another approach, the “search for proofs”, which does not assume
a bounded number of sessions. One of its drawbacks is that it may introduce
false attacks, that is, it may reject protocols that do not have logical attacks. We
give below some of the methods elaborated in this approach:
• Methods that use theorem provers, such as the inductive approach of L.
Paulson [168], which uses Isabelle to prove security properties, and the
approach of Bolignano [52].
• Methods based on process algebra, such as pi-calculus, spi-calculus and
applied pi-calculus [12, 11].
• Methods based on logics, such as BAN logic [57], which is due to M. Burrows,
M. Abadi and R. M. Needham.
• NRL protocol analyser [151], which is known to be the first tool that does
not impose any restriction.
• Methods that use tree automata [161, 118, 85].
• Methods based on Horn clauses [46, 180, 84, 205].
Several automatic tools have been developed to symbolically verify cryptographic
protocols, such as “ProVerif” [46, 50], “AVISS” [17], or “AVISPA” [19].
The symbolic methods have been used to analyse a wide class of cryptographic
protocols, such as key exchange and authentication protocols, voting protocols
[136, 97], contract-signing protocols [128], recursive protocols [138], Web Services
[41, 72], and others.
(Un)Decidability results
The security problem of cryptographic protocols, stated in Figure 1.2, is undecidable
in general [111], but under some restrictions several decidability results