Logical Analysis and Verification of Cryptographic Protocols - Loria
68 CHAPTER 3. PROTOCOLS WITH VULNERABLE HASH FUNCTIONS
Example 19 Let us consider the protocol and the two symbolic derivations of Example 18. The normal execution of that protocol corresponds to the following composition of the two symbolic derivations of the previous example: $I_1 = � x^A_2 �$, $O_1 = � y^A_1 �$, $I_2 = � x^B_1 �$, and $O_2 = � y^B_1 �$. This composition imposes that $x^A_2 = y^B_1$, which means that the second message received by A is the first message sent by B, and $x^B_1 = y^A_1$, which means that the first message received by B is the first message sent by A. We recall that the first message received by A is empty.
3.3.6 Ordered satisfiability problem
In chapter 2, we showed how to reduce the insecurity problem of cryptographic protocols to the satisfiability problem of constraint systems. That reduction is based on the fact that the capacity of the intruder attacking the protocol is represented by rules of the form $x_1, \ldots, x_n \to f(x_1, \ldots, x_n)$. Since, in this chapter, the intruder deduction rules have a different form, we cannot apply this reduction. We therefore introduce another satisfiability problem, called the Ordered satisfiability problem, to which we reduce the insecurity problem of cryptographic protocols using collision-vulnerable hash functions. The Ordered satisfiability problem was initially defined in [72].
Definition 42 (Ordered I-satisfiability problem) Given an intruder deduction system $I = \langle F, L_I, H \rangle$, the ordered I-satisfiability problem is defined as follows:
Input: An I-symbolic derivation $C$, a set of ground terms $K_i$ representing the intruder knowledge, $X = Var(C)$, $C = all.Cons(C)$ and a linear ordering $\prec$ on $X \cup C$.
Output: SAT if and only if there exists an I-symbolic derivation $C_i = (V_i, S_i, K_i, In_i, Out_i)$, a closed composition $C_a$ of $C_i$ and $C$, and a substitution $\sigma$ such that (1) $\sigma \models_I C_a$ and (2) for all $x \in X$ and $c \in C$, $x \prec c$ implies $c \notin all.Cons(x\sigma)$.
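Condition (2) of Definition 42 can be checked mechanically once a candidate substitution σ is given. The following Python sketch is an added example, not part of the thesis: it assumes that all.Cons(t) denotes the set of constants occurring in t, and the term encoding, the symbols `h` and `pair`, and the sample ordering are constructed for illustration.

```python
# Added example: check condition (2) of Definition 42 for a candidate sigma.
# Assumed term encoding: ("const", name) or ("app", symbol, [subterms]).
# Values of sigma must be ground, so any other node kind is rejected.

def constants_of(term):
    """Set of constant names occurring in a ground term."""
    if term[0] == "const":
        return {term[1]}
    if term[0] == "app":
        found = set()
        for sub in term[2]:
            found |= constants_of(sub)
        return found
    raise ValueError(f"not a ground term node: {term!r}")

def ordering_violations(order, variables, constants, sigma):
    """Pairs (x, c) with x before c in `order` and c occurring in sigma[x].

    `order` lists X ∪ C from smallest to largest under the linear ordering.
    An empty result means condition (2) holds for this sigma.
    """
    if len(set(order)) != len(order) or set(order) != set(variables) | set(constants):
        raise ValueError("order must list each element of X ∪ C exactly once")
    missing = set(variables) - set(sigma)
    if missing:
        raise ValueError(f"sigma does not instantiate: {sorted(missing)}")
    rank = {name: i for i, name in enumerate(order)}
    return sorted(
        (x, c)
        for x in variables
        for c in constants_of(sigma[x]) & set(constants)
        if rank[x] < rank[c]
    )

# Constructed sample: X = {x1, x2}, C = {a, n}, ordering a < x1 < n < x2.
X, C = ["x1", "x2"], ["a", "n"]
ORDER = ["a", "x1", "n", "x2"]
h = lambda t: ("app", "h", [t])              # hypothetical unary symbol
pair = lambda s, t: ("app", "pair", [s, t])  # hypothetical binary symbol
a, n = ("const", "a"), ("const", "n")

SIGMA_OK = {"x1": h(a), "x2": pair(n, a)}    # x1 only uses the earlier constant a
SIGMA_BAD = {"x1": h(n), "x2": a}            # x1 uses n although x1 precedes n

if __name__ == "__main__":
    print(ordering_violations(ORDER, X, C, SIGMA_OK))
    print(ordering_violations(ORDER, X, C, SIGMA_BAD))
```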
3.4 Symbolic formalisation of collision vulnerability property
We show in this section the symbolic formalisation of the collision vulnerability property for hash functions. We recall that the collision vulnerability property of a hash function $h$ means that it is computationally feasible to compute two distinct inputs $x$ and $x'$ with $h(x) = h(x')$, provided that $x$ and $x'$ are created at the same time and independently of one another.
In order to construct a pair of messages having the same hash value, we introduce two new function symbols $f$, $g$, each of them with arity 4, and we