Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

72 CHAPTER 3. PROTOCOLS WITH VULNERABLE HASH FUNCTIONS Figure 3.1 Mode and Sign on Ih Mode: Mode(·, 1) = Mode(·, 2) = 0 Mode(g, i) = Mode(f, i) = 0, ∀i ∈ {1, . . . , 4} Mode(h, 1) = 0 Sign: Sign(·) = Sign(ɛ) = Sign(f) = Sign(g) = 0 Sign(h) = 1 PROOF. Let l = r ∈ R(Hh) and suppose that l ∈ X and l /∈ V ar(r). Let t1 and t2 be two different terms in T (Fh, X ) and let σ1 and σ2 be two substitutions such that σ1(l) = t1, σ2(l) = t2 and σ1(r) = σ2(r). Then, t1 =Hh t2. We deduce that if l ∈ X and l /∈ V ar(r) for a rule l = r ∈ R(Hh), all terms in T (Fh, X ) are equals modulo Hh which is impossible. Then for any rule l = r ∈ R(Hh), if l ∈ X , we have l ∈ V ar(r). � Lemma 14 Let t ∈ T (Fh, X ), we have: 1. If t ′ ∈ Sub(t) and Sign(t ′ ) = 1 then t ′ ∈ Subv(t); 2. If Sign(t) = 1 then Sign((t)↓) = 1. PROOF. 1. Let t ∈ T (Fh, X ) and t ′ ∈ Sub(t) such that Sign(t ′ ) = 1, let us prove that t ′ ∈ Subv(t). Since t ′ ∈ Sub(t), we have two cases: • t ′ = t, then t ′ ∈ Subv(t). • t ′ is a strict subterm of t, then there exists an integer p ≥ 0, an integer i ≥ 1 such that t|p.i = t ′ . We have Sign(t|p.i) = 1 and by definition of Ih theory, Mode(T op(t|p), i) = 0 then Mode(T op(t|p), i) �= Sign(t|p.i). Thus t ′ is in ill-moded position in t, which implies that t ′ ∈ Subv(t). 2. Let t be a ground term in T (Fh) such that Sign(t) = 1. We have a finite sequence of rewritings starting from t leading to (t)↓: t →R(Hh) ... →R(Hh) ti →R(Hh) ti+1 →R(Hh) ... →R(Hh) (t)↓. Suppose that Sign(ti) = 1, and let us prove that Sign(ti+1) = 1. Let l = r be the rule applied in the step i. By definition of rewriting, there exists a ground substitution σ, a position p such that ti|p = lσ, ti+1 = ti[p ← rσ] and lσ > rσ. We have two cases:
3.4. SYMBOLIC FORMALISATION 73 � • If p �= ε, then T op(ti+1) = T op(ti) and thus by Sign(ti) = 1. We have Sign(ti+1) = 1. • If p = ɛ, then ti = lσ. Since Sign(lσ) = 1 and lσ is ground, we have T op(lσ) = h. Since lσ > rσ and by lemma 13, we have l /∈ X , and thus l = h(l ′ ) for some l ′ ∈ T (Fh, X ). Since RHh is well-moded and Sign(l) = 1, we have Sign(r) = 1. We have three cases: – r is a non-free constant. Since the only non-free constant in Hh theory is ɛ and Sign(ɛ) = 0, this case is impossible. – r is a variable. By lemma 13, we have r ∈ V ar(l), and thus r ∈ Sub(l). Since l is well-moded in Hh theory, we haven Sign(r) = 0, which contradicts Sign(t) = Sign(r). – r = h(r ′ ) for r ′ ∈ T (Fh, X ). This implies that we have rσ = h(r ′ σ), and therefor Sign(rσ) = 1 = Sign(ti+1). For all i ∈ {1, . . . , n − 1}, we have Sign(ti) = 1 implies Sign(ti+1) = 1, which proves the second point of the lemma. Lemma 15 Let t be a ground term in Fh with all its factors in normal form. We have: Subv(t) \ {ɛ, t} ⊆ Subv((t)↓). PROOF. Let t be a ground term in Fh. There exists a finite sequence of rewritings starting from t leading to (t)↓: t →R(Hh) . . . →R(Hh) ti →R(Hh) ti+1 →R(Hh) . . . →R(Hh) (t)↓. Let us prove the lemma by contradiction and assume that u ∈ Subv(ti) \ {ɛ, ti} and u /∈ Subv(ti+1). Since u ∈ Subv(ti) \ {ɛ, ti}, there exists an integer q ≥ 1 such that ti|q = u. Let l = l ′ be the rule applied on ti. There exists an integer p ≥ 0, a ground substitution σ such that ti|p = lσ and ti+1 = ti[p ← l ′ σ] with lσ > l ′ σ. • If u /∈ Subv(lσ) then u ∈ Subv(ti+1). • If u ∈ Subv(lσ), by the fact that l is well-moded, u is in normal form and u �= ɛ, there exists x ∈ V ar(l) such that u ∈ Subv(xσ). Since V ar(l) = V ar(l ′ ), we have u ∈ Subv(ti+1). In the two cases, we lead to a contradiction with u /∈ Subv(ti+1). This concludes the proof of the lemma. � Lemma 16 The intruder deduction system Ih satisfies the following criterion: for E, r, t and any set of ground terms in normal form E, if E →LI h E, r →LI h r /∈ Subv(E, t) ∪ Cspec then there is a set of ground terms in normal form F such that E →∗ LI free F →LI F, t. h
Page 1:
Logical Analysis and Verification o
Page 5:
Abstract This thesis is developed i
Page 8 and 9:
viii
Page 10 and 11:
x CONTENTS 2.1.7 Unification . . .
Page 12 and 13:
xii CONTENTS 5.8 Decidability of re
Page 14 and 15:
2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17:
4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19:
6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21:
8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23:
10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25:
12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27:
14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29:
16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31:
18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33:
20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 34 and 35: 22 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 70 and 71: 58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 112 and 113: 100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 124 and 125: 112 CHAPTER 5. SATURATED DEDUCTION
Page 134 and 135:
122 CHAPTER 5. SATURATED DEDUCTION
Page 136 and 137:
Page 138 and 139:
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
148 CHAPTER 6. ON THE GROUND ENTAIL
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

Create successful ePaper yourself

Delete template?

Save as template?