Team Cassis

Section: New Results

Security Protocol Verification

The design of cryptographic protocols is error-prone. Without a careful analysis, subtle flaws may be discovered several years after the publication of a protocol, yielding potentially harmful attacks. In this context, formal methods have proved their value for obtaining good security guarantees. Many analysis techniques have been proposed in the literature [63]. We develop new techniques for richer primitives, wider classes of protocols and higher security guarantees.

Modeling complex primitives

Participants : Véronique Cortier, Michaël Rusinowitch, Mathieu Turuani.

Some attacks exploit in a clever way the interaction between protocol rules and algebraic properties of cryptographic operators. In [68], we provide a list of such properties and attacks, as well as existing formal approaches for analyzing cryptographic protocols under algebraic properties.

Focusing on ground deducibility and static equivalence (checking whether two sequences of messages are indistinguishable to an attacker), we propose a general setting for solving deducibility and indistinguishability for an important class (called monoidal) of these theories. We have also shown that decidability results can be easily combined for any disjoint equational theories: if the deducibility and indistinguishability relations are decidable for two disjoint theories, they are also decidable for their union. These two results are presented in [17].
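As an added illustration (not the team's own code), the following Python decides ground deducibility for the basic instance of the problem above: the standard Dolev-Yao theory with pairing and symmetric encryption. It assumes the classical two-phase procedure (saturate the attacker's knowledge by decomposition, then check that the target is composable) and does not cover static equivalence or the richer algebraic theories mentioned here.

```python
"""Ground deducibility for the pairing / symmetric-encryption theory.

Terms are atoms (strings) or tuples ('pair', t1, t2) and ('enc', msg, key).
"""
from typing import FrozenSet, Set, Tuple, Union

Term = Union[str, Tuple]


def pair(a: Term, b: Term) -> Term:
    return ("pair", a, b)


def enc(m: Term, k: Term) -> Term:
    return ("enc", m, k)


def composable(t: Term, known: Set[Term]) -> bool:
    """Can t be built from `known` using only pairing and encryption
    (no decomposition)?  Structural recursion on t, so it terminates."""
    if t in known:
        return True
    if isinstance(t, tuple):
        return composable(t[1], known) and composable(t[2], known)
    return False


def saturate(knowledge: Set[Term]) -> FrozenSet[Term]:
    """Close the attacker's knowledge under decomposition: projections of
    known pairs, and decryption of known ciphertexts whose key the
    attacker can compose from what is already known.  Iterates to a
    fixpoint, so a key that only becomes available later still unlocks
    the ciphertext."""
    known: Set[Term] = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if isinstance(t, tuple) and t[0] == "pair":
                new = {t[1], t[2]}
            elif isinstance(t, tuple) and t[0] == "enc" and composable(t[2], known):
                new = {t[1]}
            else:
                continue
            if not new <= known:
                known |= new
                changed = True
    return frozenset(known)


def deducible(knowledge: Set[Term], target: Term) -> bool:
    """Decide whether the attacker derives `target` from the ground messages
    in `knowledge`.  For this subterm-convergent theory every derivation can
    be normalised into decompositions followed by compositions."""
    return composable(target, saturate(knowledge))
```

With a constructed trace {enc(k, kab), enc(s, k)} the secret s is not deducible, but it becomes deducible as soon as the long-term key kab is added to the attacker's knowledge.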

Encryption “distributing over pairs” is employed in several cryptographic protocols. We have shown that unification is decidable for an equational theory HE specifying such an encryption [12]. We have given an algorithm for solving intruder constraints in HE [28] and general intruder constraints in the equational theory ACI [30]. This last result is useful for handling set data structures and also multiple intruders.

We have defined in [13] a translation from a protocol narration to the sequences of operations to be performed by each protocol role. Unlike previous works, we reduce this compilation process to known decision problems from formal protocol verification. This allows one to define a precise notion of prudent implementation and to reuse results from the literature in order to cover more crypto-primitives. In particular, this is a first work showing how to compile protocols parameterised by the algebraic properties of their symbols.

Security Properties

Participants : Véronique Cortier, Michaël Rusinowitch, Laurent Vigneron.

Most previous results focus on secrecy and authentication for simple protocols such as those from the Clark & Jacob library. We explore several directions to cover more complex security properties.

Non-repudiation protocols have an important role in many areas where secured transactions with proofs of participation are necessary. Formal methods are rigorous and free of error, therefore using them for verifying such protocols is crucial. For this purpose, in collaboration with F. Klay (France Telecom R&D), we have shown how to partially represent non-repudiation as a combination of authentications, and also defined a new method, based on the handling of the knowledge of protocol participants. This last method has been implemented in the AVISPA Tool, and used for analyzing several protocols. In particular, it has been used with L. Jing (Sun Yat-Sen University, China) for defining and analyzing a non-repudiation protocol for which there is no assumption of existence of resilient channels between the TTP and each protocol participant [22].

Revisiting and extending the NP-complete decision procedure for a bounded number of sessions developed by Hubert Comon-Lundh, we show how to decide several new properties such as the non-existence of key-cycles (required by recent works relating computational and symbolic models), authentication-like properties and the decidability of a significant fragment of protocols with timestamps [16].

Observational equivalence is a crucial notion for specifying security properties such as anonymity or secrecy of a ballot in vote protocols. For instance, observational equivalence can justify that there is no action of an attacker that makes two protocol executions with different identities or vote values distinguishable. For simple processes without branching or replication, observational equivalence can be reduced to checking whether two symbolic constraints (representing honest agents) are equivalent [67]. We have obtained a new proof that symbolic constraint equivalence is decidable for subterm convergent theories [15]. We believe it is simpler than the first one given by M. Baudet [60].

Advanced Classes of Protocols

Participants : Mathilde Arnaud, Véronique Cortier, Laurent Vigneron.

New classes of protocols are still emerging and not all can be analysed using existing techniques. We study how to cover the emergent families of security protocols.

Group Protocols. Although many works have been dedicated to standard protocols, very few address the more challenging class of group protocols. We have investigated group protocol analysis in a synchronous model that allows the specification of unbounded sets of agents with related behavior. In collaboration with the project-team Madynes, and in the framework of the SAFECAST project on secured group communication system design, we have experimented with the use of UML and two complementary verification tools [19]: AVISPA enabled us to detect and fix security flaws; the TURTLE toolkit enabled us to save development time by eliminating design solutions with inappropriate temporal parameters.

Securing routing protocols. The goal of routing protocols is to construct valid routes between distant nodes in the network. If no security is used, it is possible for an attacker to disorganize the network by maliciously interacting with the routing protocols, causing invalid routes to be built. That is why secure versions of routing protocols are now being developed. We have proposed [29] a new model and an associated decision procedure to check whether a routing protocol can ensure that honest nodes only accept valid routes, even if one of the nodes of the network is compromised. This result has been obtained for a bounded number of sessions, adapting constraint solving techniques.

Security APIs. In some systems, it is not possible to trust the host machine on which sensitive code is executed. In that case, security-critical fragments of a program should be executed on some tamper-resistant device (TRD), such as a smartcard, USB security token or hardware security module (HSM). The exchanges between the trusted and the untrusted infrastructures are ensured by a special kind of API (Application Programming Interface), called a security API. We have proposed new techniques for formally analyzing such APIs.

Securely Composing Protocols

Participants : Stefan Ciobaca, Véronique Cortier.

Protocols are often built in a modular way. For example, authentication protocols may assume pre-distributed keys or may assume a secure channel. However, when an authentication protocol has been proved secure assuming pre-distributed keys, there is absolutely no guarantee that it remains secure when executing a real protocol for distributing the keys. How the security of these protocols can be combined is an important issue that is studied in [38]. More precisely, we show how protocols sharing data can be safely interleaved, provided that they use disjoint primitives or that each common primitive contains some tag identifying each protocol, such as the name of the protocol. As a sub-result, we provide sufficient and simple conditions for composing key distribution protocols with any protocol using secure channels or pre-distributed keys.

Soundness of the Dolev-Yao Model

Participant : Véronique Cortier.

All the previous results rely on symbolic models of protocol executions in which cryptographic primitives are abstracted by symbolic expressions. This approach enables significantly simpler and often automated proofs. However, the guarantees that it offers have been quite unclear compared to cryptographic models that consider issues of complexity and probability. Cryptographic models capture a strong notion of security, guaranteed against all probabilistic polynomial-time attacks.

A recent line of research consists in identifying cases where it is possible to obtain the best of both the cryptographic and the formal worlds in the case of public-key encryption: fully automated proofs and strong, clear security guarantees. We have proposed a survey [18] of the results obtained so far.

Safe and Efficient Strategies for Updating Firewall Policies

Participants : Abdessamad Imine, Michaël Rusinowitch.

The large size and complexity of modern networks result in large and complex firewall policies. Two policy editing languages, Type I and Type II, are generally used to update firewall policies. Due to the interdependent nature of firewall rules, correct configuration and deployment of large policies is a difficult and error-prone task. We have shown that some recently proposed deployment algorithms in network security contain serious flaws [27]. We have then defined a notion of safe deployment strategies. We have provided linear algorithms for Type I safe deployment and an approximately linear safe algorithm for Type II.

