Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

38 CHAPTER 2. PROTOCOL ANALYSIS USING CONSTRAINT SOLVING Intruder deduction system with implicit destructors The definitions we give below were introduced in [72]. Definition 17 (Intruder deduction rule with implicit destructors) An intruder deduction rule is a tuple of terms in T (F, X ) (t1, . . . , tn, t), denoted by t1, . . . , tn → t. Definition 18 (Intruder deduction system with implicit destructors) An intruder deduction system I, also called an intruder system, is a tuple I = 〈F, LI, H〉 where F is a signature, LI is a set of deduction rules of the form t1, . . . , tn → t, and H is an equational theory over T (F, X ). Example 6 Assume F = {encs }, and F = Fpub. The intruder deduction system I = 〈F, LI, H〉 where: � s x, y → enc (x, y) • LI = encs (x, y), y → x • and H = ∅. Intruder derivations Given an intruder system I (with explicit or implicit destructors) such that LI is the corresponding set of deduction rules, given two finite sets of terms E and F , we have E →I F if and only if there is an intruder deduction rule ˜l → r ∈ LI (where ˜l is a set of terms and r is a term), and a substitution σ, such that ˜lσ =H ˜ l ′ , rσ =H r ′ , ˜ l ′ ⊆ E and F = E ∪ {r ′ }. We denote by → ∗ I the transitive closure of →I. It is easy to see that for sets of terms E, E ′ , F and F ′ such that E =H E ′ and F =H F ′ , we have E →I F if and only if E ′ →I F ′ . We simply denote by → the relation →I when there is no ambiguity about I. An I-derivation D of length n, n ≥ 0, is a sequence of the form E0 →I E0, t1 →I · · · →I En with finite sets of terms E0, . . . , En, and terms t1, . . . , tn, such that Ei = Ei−1 ∪ {ti} for every i ∈ {1, . . . , n}. The term tn is called the goal of the derivation. Given a set of terms E, we define ĒI to be equal to the set of terms that can be derived from E with respect to I, the set Ē I = {t such that ∃F with E→I ∗ F, and t ∈ F }. If E and t are respectively a set of terms in normal form and a term in normal form, it is easy to see that if t ∈ ĒI then there exists a I-derivation starting from E of goal t, D : E →I E, t1 →I E, t1, t2 →I . . . →I E, t1, . . . , tn, t, where t1, . . . , tn are in normal form, that is in each step E, t1, . . . , ti →I E, t1, . . . , ti+1 where ˜ l → r is the applied rule, we have that ( ˜ lσ) ↓⊆ E, t1, . . . , ti and ti+1 = (rσ) ↓. From now on, we consider that in each derivation starting from E of goal t, E →I E, t1 →I E, t1, . . . , tn, t, with E and t are respectively a set of terms in normal form and a term in normal form, every term ti (1 ≤ i ≤ n) added in each step in the derivation is in normal
2.1. PRELIMINARIES 39 form. If there is no ambiguity on the intruder deduction system I we write Ē instead of ĒI . Example 7 (The Dolev-Yao deduction system with implicit destructors) We present here the Dolev-Yao deduction system with implicit destructors. Let < −, − > (concatenation), enc s (symmetric encryption), enc p (public encryption) and −1 (the inverse key) be the cryptographic primitives. The rules L are defined as follows: The rules Lencs are defined as follows: The rules Lencp are defined as follows: x, y →< x, y > (2.1) < x, y >→ x (2.2) < x, y >→ y (2.3) x, y → enc s (x, y) (2.4) enc s (x, y), y → x (2.5) x, y → enc p (x, y) (2.6) enc p (x, y), y −1 → x (2.7) enc p (x, y −1 ), y → x (2.8) The Dolev-Yao deduction system with implicit destructors is given by where • FDY = {< −, − >, enc s , enc p , −1 }, • LDY = L ∪ Lencs ∪ Lencp. I i DY = 〈FDY , LDY , ∅〉 Example 8 (The Dolev-Yao deduction system with explicit destructors) We present here the Dolev-Yao deduction system with explicit destructors. Let < −, − > (concatenation), enc s (symmetric encryption), dec s (symmetric decryption), enc p (public encryption), dec p (public decryption), and −1 (the inverse key) be cryptographic primitives. The rules L are defined as follows: x, y →< x, y > (2.9) x → π1(x) (2.10) x → π2(x) (2.11)
Page 1: Logical Analysis and Verification o
Page 5: Abstract This thesis is developed i
Page 8 and 9: viii
Page 10 and 11: x CONTENTS 2.1.7 Unification . . .
Page 12 and 13: xii CONTENTS 5.8 Decidability of re
Page 14 and 15: 2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17: 4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19: 6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21: 8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23: 10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25: 12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27: 14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29: 16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31: 18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33: 20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 70 and 71: 58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 100 and 101:
88 CHAPTER 4. PROTOCOLS WITH VULNER
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 114 and 115:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
112 CHAPTER 5. SATURATED DEDUCTION
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138 and 139:
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
148 CHAPTER 6. ON THE GROUND ENTAIL
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

Create successful ePaper yourself

Delete template?

Save as template?