Section: New Results
Security Protocol Verification
The design of cryptographic protocols is error-prone. Without careful analysis, subtle flaws may be discovered several years after the publication of a protocol, yielding potentially harmful attacks. In this context, formal methods have proved their value for obtaining good security guarantees. Many analysis techniques have been proposed in the literature [66]. We develop new techniques for richer primitives, wider classes of protocols, and higher security guarantees.
Modeling complex primitives
Participants : Véronique Cortier, Yannick Chevalier, Pierre-Cyrille Héam, Olga Kouchnarenko, Michaël Rusinowitch, Mathieu Turuani.
Some attacks cleverly exploit the interaction between protocol rules and algebraic properties of cryptographic operators. In [71], we provide a list of such properties and attacks as well as existing formal approaches for analyzing cryptographic protocols under algebraic properties.
Focusing on ground deducibility and static equivalence (checking whether two sequences of messages are indistinguishable to an attacker), we have proposed [26] an efficient and generic decision procedure for a wide class of equational theories, including subterm convergent theories (e.g. encryption, signatures, pairing and hash) and layered convergent theories (e.g. blind signatures). The procedure is generic in the sense that it remains sound and complete (but may not terminate) for any convergent theory. It has been implemented in the YAPA tool (http://www.lsv.ens-cachan.fr/~baudet/yapa/). We have also shown [53] that deducibility and static equivalence are decidable for the equational theories modeling trapdoor commitment and re-encryption, which are particularly relevant in the context of e-voting protocols.
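An added illustration (not YAPA's algorithm and not code from this report): ground deducibility for one small subterm convergent theory, with pairing, symmetric encryption and hash, decided by the classical saturate-then-synthesize procedure. The term encoding and the sample frame are assumptions constructed for the example.

```python
# Terms (assumed encoding): atoms are strings; compound terms are tuples
# ("pair", a, b), ("enc", message, key), ("hash", message).

def synth(term, known):
    """Can `term` be built from `known` using constructors only?"""
    if term in known:
        return True
    if isinstance(term, tuple):
        return all(synth(arg, known) for arg in term[1:])
    return False  # an atom the attacker does not hold

def analyze(frame):
    """Saturate the frame under projection and decryption until a fixpoint."""
    known = set(frame)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                parts = [t[1], t[2]]          # both projections
            elif t[0] == "enc" and synth(t[2], known):
                parts = [t[1]]                # key is constructible: decrypt
            else:
                parts = []                    # hash is one-way; locked enc stays opaque
            for p in parts:
                if p not in known:
                    known.add(p)
                    changed = True
    return known

def deducible(term, frame):
    """Ground deducibility: analysis to a fixpoint, then pure synthesis."""
    return synth(term, analyze(frame))

# Constructed sample frame: the secret s is protected by k1, and k1 is
# protected by the composed key hash(k2); the attacker has also seen k2.
FRAME = [
    ("enc", ("pair", "s", "n"), "k1"),
    ("enc", "k1", ("hash", "k2")),
    "k2",
]

if __name__ == "__main__":
    print(deducible("s", FRAME))       # attacker builds hash(k2), gets k1, then s
    print(deducible("s", FRAME[:2]))   # without k2 nothing can be opened
```

The decryption rule checks that the key is constructible, not merely present, which is what lets the composed key hash(k2) be used once k2 is known.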
Encryption “distributing over pairs” is employed in several cryptographic protocols. As a first step towards solving intruder constraints under this hypothesis, we show that unification is decidable for an equational theory HE specifying such an encryption [23]. The method consists in transforming any given problem in such a way that the resulting problem can be solved by combining a graph-based reasoning on its equations involving the homomorphisms with a syntactic reasoning on its pairings.
We have also continued the work on the symbolic derivation model for cryptographic protocols that was introduced in [70]. We were in particular interested in the problem of whether two distinct symbolic derivations have the same sets of solutions. We have obtained a decidability result for the subterm convergent theories.
Security Properties
Participants : Véronique Cortier, Laurent Vigneron.
Most previous results focus on secrecy and authentication for simple protocols like the ones from the Clark & Jacob library. We explore several directions to cover more complex security properties.
Non-repudiation protocols play an important role in many areas where secured transactions with proofs of participation are necessary. Formal methods are clever and without error, therefore using them for verifying such protocols is crucial. To this end, in collaboration with F. Klay (France Telecom R&D), we have shown how to partially represent non-repudiation as a combination of authentications, and have also defined a new method, based on the handling of the knowledge of protocol participants. This last method has been implemented in the AVISPA Tool and used for analyzing several protocols [40].
In particular, it has been used with L. Jing (Sun Yat-Sen University, China) for defining and analyzing a non-repudiation protocol for which there is no assumption of existence of resilient channels between the TTP and each protocol participant [20].
Our method has also been used with Ambuj Pushkar Ojha (INRIA Internship, from IIT Bombay, India) for modeling a protocol defined by Cederquist, Dashti and Mauw, and analyzing it, finding fairness attacks.
Several security properties cannot be defined (or cannot be naturally defined) as trace properties and require the notion of observational equivalence. Typical examples are anonymity, privacy-related properties or statements closer to security properties used in cryptography. In the context of the applied pi calculus and for determinate processes, we have shown [32] that observational equivalence actually coincides with trace equivalence, a notion simpler to reason with. Most existing protocols can actually be shown to be determinate. Then, for determinate processes without replication, we deduce decidability of observational equivalence for a general class of equational theories, reducing the decidability of trace equivalence to deciding an equivalence relation introduced by M. Baudet.
Advanced Classes of Protocols
Participants : Mathilde Arnaud, Najah Chridi, Véronique Cortier, Michaël Rusinowitch, Mathieu Turuani, Laurent Vigneron.
New classes of protocols are still emerging and not all can be analysed using existing techniques. We study how to cover the emergent families of security protocols.
Group Protocols. Although many works have been dedicated to standard protocols, very few address the more challenging class of group protocols. We have investigated group protocol analysis in a synchronous model that allows the specification of unbounded sets of agents with related behavior. Also, when used in an asynchronous way, this generalizes standard protocol models with a bounded number of agents by permitting unbounded lists inside messages (including an unbounded number of variables, nonces, etc.). This approach also applies to analyzing Web services manipulating sequences of items. In this model we propose a decision procedure for the sub-class of well-tagged protocols with autonomous keys [10], [30].
In collaboration with the MADYNES EPI, and in the framework of the SAFECAST project on secured group communication system design, we have experimented with the use of UML and two complementary verification tools [45]: AVISPA enabled us to detect and fix security flaws; the TURTLE toolkit enabled us to save development time by eliminating design solutions with inappropriate temporal parameters.
Securing routing Protocols. The goal of routing protocols is to construct valid routes between distant nodes in the network. If no security is used, it is possible for an attacker to disorganize the network by maliciously interacting with the routing protocols, causing invalid routes to be built. That is why secure versions of routing protocols are now being developed. Mathilde Arnaud has recently started a PhD, in collaboration with the project-team SECSI (LSV, Cachan), on designing verification techniques adapted for routing protocols. In particular, she has proposed [24] a new model and an associated decision procedure to check whether a routing protocol can ensure that honest nodes only accept valid routes, even if one of the nodes of the network is compromised. This result has been obtained for a bounded number of sessions, adapting constraint solving techniques.
Security APIs. In some systems, it is not possible to trust the host machine on which sensitive code is executed. In that case, security-critical fragments of a program should be executed on some tamper-resistant device (TRD), such as a smartcard, USB security token or hardware security module (HSM). The exchanges between the trusted and the untrusted infrastructures are ensured by a special kind of API (Application Programming Interface), called a security API. We have proposed [33], [56] a new and generic API that can be used to implement most key-exchange protocols on untrusted host machines.
Securely Composing Protocols
Participants : Stefan Ciobaca, Véronique Cortier.
Even when a protocol has been proved secure, there is absolutely no guarantee if the protocol is executed in an environment where other protocols, possibly sharing some common identities and keys like public keys or long-term symmetric keys, are executed. In [17], we show that whenever a protocol is secure, it remains secure even in an environment where arbitrary protocols are executed, provided each encryption contains some tag identifying each protocol, e.g. the name of the protocol.
Protocols may also be built in a modular way. For example, authentication protocols may assume pre-distributed keys or may assume a secure channel. How the security of these protocols can be combined is an important issue. Stefan Ciobaca has started a PhD on this subject this year, in collaboration with the project-team SECSI (LSV, Cachan).
Soundness of the Dolev-Yao Model
Participant : Véronique Cortier.
All the previous results rely on symbolic models of protocol executions in which cryptographic primitives are abstracted by symbolic expressions. This approach enables significantly simpler and often automated proofs. However, the guarantees that it offers have been quite unclear compared to cryptographic models that consider issues of complexity and probability. Cryptographic models capture a strong notion of security, guaranteed against all probabilistic polynomial-time attacks.
A recent line of research consists in identifying when it is possible to obtain the best of both cryptographic and formal worlds in the case of public encryption: fully automated proofs and strong, clear security guarantees. We have proposed a survey [55] of the results obtained so far. Moreover, we have proposed a framework and proof techniques to identify when static equivalence can be used for proving indistinguishability of bitstrings [15].
Safe and Efficient Strategies for Updating Firewall Policies
Participants : Abdessamad Imine, Michaël Rusinowitch.
The large size and complexity of modern networks result in large and complex firewall policies. Two policy editing languages, Type I and Type II, are generally used to update firewall policies. Due to the intervening nature of firewall rules, correct configuration and deployment of large policies is a difficult and error-prone task. We have shown that some recently proposed deployment algorithms in network security contain serious flaws [52]. We have then defined a notion of safe deployment strategies. We have provided linear algorithms for Type I safe deployment and an approximately linear and safe algorithm for Type II.