Logical Analysis and Verification of Cryptographic Protocols - Loria
Logical Analysis and Verification of Cryptographic Protocols - Loria
Logical Analysis and Verification of Cryptographic Protocols - Loria
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Chapter 2<br />
Constraint systems to analyse<br />
cryptographic protocols<br />
The security <strong>of</strong> a cryptographic protocol is assessed with respect<br />
to the environment in which the protocol is executed. Dolev <strong>and</strong> Yao<br />
[107] have described the environment by the deductions an intruder<br />
attacking a protocol is able to perform. They considered that the intruder<br />
has a complete control over the communication medium (network),<br />
he listen to the communication <strong>and</strong> can obtain any message<br />
passing through the network, he can intercept, block, <strong>and</strong>/or redirect<br />
all messages sent by honest agents. He also can masquerade his<br />
identity <strong>and</strong> take part in the protocol under the identity <strong>of</strong> an honest<br />
agent. His control <strong>of</strong> the network is modelled by assuming that<br />
all messages sent by honest agents are sent directly to the intruder<br />
<strong>and</strong> that all messages received by the honest agents are always sent<br />
by the intruder. Besides the control <strong>of</strong> the network, the intruder has<br />
some specific rules to deduce new messages [73, 72, 156].<br />
Many procedures have been proposed to decide security problems<br />
<strong>of</strong> cryptographic protocols in the Dolev-Yao model with respect<br />
to a finite number <strong>of</strong> sessions [16, 53, 178]. Among the different approaches,<br />
there is the symbolic approaches [156, 75, 29, 87] on which,<br />
as mentionned in the introduction <strong>of</strong> this document, we work. In<br />
these approaches, cryptographic primitives are represented by function<br />
symbols, messages are represented by terms in a signature (a<br />
set <strong>of</strong> function symbols representing the cryptographic primitives),<br />
<strong>and</strong> intruder capacities are represented by deduction rules on sets <strong>of</strong><br />
messages representing his knowledge. These deduction rules allow<br />
the intruder to derive new messages from a given (finite) set <strong>of</strong> messages<br />
representing his knowledge. <strong>Cryptographic</strong> primitives may<br />
have algebraic properties, such as the associativity for the concate-<br />
19