Logical Analysis and Verification of Cryptographic Protocols - Loria
1.5. CONTRIBUTIONS AND PLAN OF THIS THESIS 15

1.5 Contributions and plan of this thesis
In this thesis, we relax the perfect cryptography hypothesis by taking into account some algebraic properties of cryptographic primitives, which we formulate as equations. We follow the symbolic approach to the analysis of security protocols, and in particular the approach based on the resolution of constraint systems. To this end, we formulate the capabilities of the intruder as deduction rules, and the verification task for a protocol as a reachability problem: the problem of determining whether a certain (finite) parallel program, which models the protocol and its specification, can reach an erroneous state while interacting with the environment. We provide decision procedures for the reachability problem in the presence of several algebraic operators.
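The intruder deduction rules mentioned above, illustrated as an added example rather than code from the thesis: a small Dolev-Yao deduction procedure over symbolic terms (pairing, symmetric encryption and hashing), split into decomposition to a fixpoint followed by recursive synthesis. It models the perfect cryptography hypothesis that the thesis relaxes: the hash is one-way and collision-free, and a ciphertext opens only with its key. The term encoding is an assumption of this example.

```python
# Added example (not from the thesis): Dolev-Yao intruder deduction.
# Terms: atoms are strings; compound terms are tuples
#   ('pair', t1, t2)   concatenation
#   ('enc', m, k)      symmetric encryption of m under key k
#   ('h', m)           hash of m (one-way, collision-free here)

def derivable(goal, known):
    """Synthesis: goal is in the knowledge set, or every immediate
    subterm is derivable (so the intruder can pair, encrypt or hash it)."""
    if goal in known:
        return True
    if isinstance(goal, tuple):
        return all(derivable(sub, known) for sub in goal[1:])
    return False  # an atom the intruder never learned

def analyze(knowledge):
    """Decomposition to a fixpoint: projections of pairs, and decryption
    whenever the key itself is derivable from what is known so far.
    Nothing is learned from a hash: h is treated as one-way."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            new = set()
            if isinstance(t, tuple):
                if t[0] == 'pair':
                    new.update((t[1], t[2]))
                elif t[0] == 'enc' and derivable(t[2], known):
                    new.add(t[1])
            fresh = new - known
            if fresh:
                known |= fresh
                changed = True
    return known

def secrecy_violated(observed, secret):
    """Reachability check for one trace: can the intruder derive the
    secret from the messages observed on the network?"""
    return derivable(secret, analyze(observed))

if __name__ == '__main__':
    # Constructed trace: the key k leaks inside a pair, so the secret falls.
    trace = [('enc', 'secret', 'k'), ('pair', 'k', 'nonce')]
    print(secrecy_violated(trace, 'secret'))  # True
```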
In Chapter 2, we give the basic notions and definitions used in most of this thesis. We define constraint systems and the reachability problem. These notions were initially introduced by J. Millen and V. Shmatikov [156], but as defined there they are not adequate for non-empty equational theories. We therefore follow the definitions introduced by Y. Chevalier and M. Rusinowitch [73], who generalised the initial definitions of [156] in order to capture non-empty equational theories. We show how protocols are modelled in a high-level specification language, and how the insecurity problem of cryptographic protocols reduces to the satisfiability problem of constraint systems. Several works follow this approach [156, 87, 73, 72].
1.5.1 Decidability results in presence of algebraic operators

Chapter 3: Analysis of protocols with collision vulnerable hash functions.

In Chapter 3, we consider the class of cryptographic protocols that use collision vulnerable hash functions. The collision vulnerability property of a hash function means that one can construct two different messages having the same hash value. We remark that only a few years ago it was intractable to compute collisions on hash functions, so cryptographers considered them collision resistant; collisions came to be regarded as a practical attack on hash functions only from the nineties, when collision attacks were proved and demonstrated by several researchers [98, 103, 199, 201]. Examples of collision vulnerable hash functions are "MD5" and "SHA-0".
In this chapter, we represent symbolically how the intruder may compute collisions on hash functions. We then reduce the insecurity problem of our class of cryptographic protocols to the ordered satisfiability problem for an intruder who exploits the collision vulnerability of hash functions while attacking a protocol execution. The ordered satisfiability problem is a variant of the satisfiability problem presented in Chapter 2; it was initially introduced by Y. Chevalier et al. [72]. Roughly following the results obtained in [74], we conjecture that