Logical Analysis and Verification of Cryptographic Protocols - Loria
Chapter 4
Analysis of protocols with vulnerable digital signature schemes
The idea of digital signature schemes first appeared in W. Diffie and
M.E. Hellman’s seminal paper [101]. Digital signatures have many
applications in information security, including authentication, data
integrity, and non-repudiation. In [117], the authors showed the
different flaws of digital signature schemes. They also defined what
a secure digital signature scheme is: a digital signature
scheme is considered to be secure if it is existentially unforgeable
against adaptive chosen-message attacks. Unfortunately, while this
security notion is adequate for the single-user setting, it is not adequate
for the multi-user setting [152]. In this chapter, we are interested
in the security of signature schemes in the multi-user setting, and
to this end, we consider two properties of digital signature schemes:
the constructive exclusive ownership vulnerability property and the destructive
exclusive ownership vulnerability property. We show the decidability
of the insecurity problem for two classes of cryptographic
protocols where the signature schemes employed have, respectively,
these two properties. This result has been published in the proceedings
of the FSTTCS 2007 conference [66].
Outline. In Section 4.1 we present the signature schemes, in Section
4.2 we define the constructive exclusive ownership vulnerability property
(also called the duplicate-signature key selection property), and the destructive
exclusive ownership vulnerability property is defined in Section 4.3.
In Section 4.4, we define the symbolic model of these two properties
(Section 4.4.1 and Section 4.4.2), we prove the decidability of the HDSKS
and HDEO unifiability problems (Section 4.4.3), and we prove the decidability
of the IDSKS and IDEO reachability problems (Section 4.4.5).