## Section: New Results

Keywords : Protocol, Security, Verification, Exclusive-Or, Exponentiation.

### Security Protocol Verification

Cryptographic protocols are successfully analyzed using formal methods and many techniques have appeared in the litterature [57] . However, formal approaches usually consider the encryption schemes as black boxes and assume that an adversary cannot learn anything from an encrypted message except if he has the key. Such an assumption is too strong in general since some attacks exploit in a clever way the interaction between protocol rules and properties of cryptographic operators.

#### Extension of the Dolev-Yao Model

Participants : Yannick Chevalier, Michaël Rusinowitch, Mathieu Turuani.

Some attacks exploit in a clever way the interaction between protocol rules and algebraic properties of cryptographic operators. In [64] , we provide a list of such properties and attacks as well as existing formal approaches for analyzing cryptographic protocols under algebraic properties.

When modelling protocol steps as rigid Horn clauses, and the intruder abilities as an equational theory over a convergent rewrite system, the insecurity problem (for active intruder and a bounded number of sessions) can be interpreted as a Cap Unification problem which is an extension of Equational Unification: we look for a cap i.e. a context to be placed on a given set of terms, so that it unifies with a given term modulo the equational theory. With that approach, simpler proofs for the case of subterm convergent theories can be derived [43] .

*Symbolic Derivations.* We have also continued the work on the symbolic derivation model for cryptographic protocols that was introduced in
[63] . We were in particular interested by the problem of whether two distinct symbolic derivations have the same sets of solutions. We have obtained a preliminary
decidability result for the syntactic Dolev-Yao intruder model case.

#### Soundness of the Dolev-Yao Model

Participants : Véronique Cortier, Mathieu Turuani.

All the previous results rely on symbolic models of protocol executions in which cryptographic primitives are abstracted by symbolic expressions. This approach enables significantly simple and often automated proofs. However, the guarantees that it offers have been quite unclear compared to cryptographic models that consider issues of complexity and probability. Cryptographic models capture a strong notion of security, guaranteed against all probabilistic polynomial-time attacks.

We have shown in recent years that it is possible to obtain the best of both cryptographic and formal worlds in the case of public encryption: fully automated proofs and strong, clear security guarantees. Most recent results have concentrated on trace-based properties such as
authentication or specific indistinguishability properties such as secrecy of nonces or secrecy of keys. We show in
[28] ,
[48] ,
[45] that computational proofs of indistinguishability can be considerably simplified, for a class of processes that covers most existing protocols. More precisely, we show
a soundness theorem, following the line of research launched by Abadi and Rogaway in 2000: computational indistinguishability in presence of an active attacker is implied by the
*observational equivalence* of the corresponding symbolic processes.

#### Securely Composing Protocols

Participant : Véronique Cortier.

Even when a protocol has been proved secure, there is absolutely no guarantee if the protocol is executed in an environment where other protocols, possibly sharing some common identities and keys like public keys or long-term symmetric keys, are executed. In [13] , we show that security of protocols can be easily composed. More precisely, we show that whenever a protocol is secure, it remains secure even in an environment where arbitrary protocols are executed, provided each encryption contains some tag identifying each protocol, like e.g. the name of the protocol.

Protocols may also be built in a modular way. For example, authentication protocols may assume pre-distributed keys or may assume secure channel. How security of these protocols can be combined is an important issue. Stefan Ciobaca has started a PhD on this subject this year, in collaboration with the project-team SECSI (LSV, Cachan). He is also working on developing new techniques for analyzing e-voting protocols.

#### Security Properties and Advanced Class of Protocols

Participants : Tigran Avanesov, Najah Chridi, Véronique Cortier, Michaël Rusinowitch, Laurent Vigneron.

Most previous results focus on secrecy and authentication for simple protocols like the ones from Clark & Jacob library. We explore several directions to cover more complex protocols and security properties.

*Security Properties.* Non-repudiation protocols have an important role in many areas where secured transactions with proofs of participation are necessary. Formal methods are clever and without error, therefore using them for verifying such protocols is crucial. In this purpose, in
collaboration with F. Klay (France Telecom R&D), we have shown how to partially represent non-repudiation as a combination of authentications. Because of the limits of this method, we have defined a new one, based on the handling of the knowledge of protocol participants. This method is
very general and is of natural use, as it consists in adding simple annotations, like for authentication problems. The method is very easy to implement in tools able to handle participants knowledge. We have implemented it in the AVISPA Tool and analyzed two protocols: the Fair
Zhou-Gollmann protocol and the optimistic Cederquist-Corin-Dashti protocol, discovering attacks for both of them
[40] . This extension of the AVISPA Tool for handling non-repudiation opens a highway to the specification of many other properties, without any more change in the tool
itself.

*SIP Analysis.* The recent and massive deployment of Voice over IP infrastructures had raised the importance of the VoIP security and more precisely of the underlying signalisation protocol SIP. We have formalized a new attack found by MADYNES EPI against the authentication mechanism of
SIP. This attack allows to perform toll fraud and call hijacking. We have shown how to derive this vulnerability with AVISPA, highlighted a simple usage case and proposed a mitigation technique
[22] .

Mathilde Arnaud has recently started a PhD, in collaboration with the project-team SECSI (LSV, Cachan) on designing verification techniques adapted for protocols on wireless networks.

#### Analysing Group Protocols

Participants : Najah Chridi, Michaël Rusinowitch, Mathieu Turuani.

Although many works have been dedicated to standard protocols, very few address the more challenging class of group protocols. We investigated group protocol analysis in a synchronous model, that allows the specification of unbounded sets of agents with related behavior. Also, when used in an asycronous way, this generalizes standard protocol models with bounded number of agents by permitting unbounded lists inside messages (including unbounded number of variables, nonces, etc..). In this extended model we proposed [44] a correct and complete set of inference rules for checking security properties in presence of an active intruder for the class of well-tagged protocols. This inference system generalizes the ones that are implemented in several tools for a bounded number of sessions and fixed size lists in message. In particular when applied to protocols whose specification does not contain unbounded lists, this provides a decision procedure for secrecy in the case of a fixed number of sessions.