Security of cryptographic protocols: decidability and transfer results


HAL Id: tel-00338362

https://tel.archives-ouvertes.fr/tel-00338362

Submitted on 12 Nov 2008

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.


Eugen Zalinescu

To cite this version:

Eugen Zalinescu. Sécurité des protocoles cryptographiques : décidabilité et résultats de transfert. Software engineering [cs.SE]. Université Henri Poincaré - Nancy I, 2007. French. ⟨tel-00338362⟩

Department of doctoral training in computer science
École doctorale IAEM Lorraine
UFR STMIA

Security of cryptographic protocols: decidability and transfer results

THESIS

presented and publicly defended on 17 December 2007

for the degree of

Doctor of the Université Henri Poincaré – Nancy 1
(specialty: computer science)

by

Eugen Zălinescu

Composition of the jury

President: Yassine Lakhnech, Université Joseph Fourier, Grenoble

Reviewers: Jean Goubault-Larrecq, École Normale Supérieure de Cachan; Thomas Wilke, Christian-Albrechts University, Kiel

Supervisors: Véronique Cortier, CNRS, Nancy; Michaël Rusinowitch, INRIA, Nancy

Examiners: Philippe Even, Université Henri Poincaré, Nancy; Cédric Fournet, Microsoft Research, Cambridge

Abstract

This thesis is developed in the framework of the symbolic analysis of security protocols. The contributions are represented by decidability and transfer results in the following directions, which are major topics in protocol verification:

- treatment of the cryptographic primitives: CBC encryption, blind signatures;
- security properties: strong secrecy, existence of key cycles;
- approaches for protocol security: construction of secure protocols.

Thus, we showed the decidability (on the one hand) of the existence of key cycles for a bounded number of sessions using a generalised constraint system approach, and (on the other hand) of secrecy for protocols using CBC encryption or blind signatures for an unbounded number of sessions by using a refined resolution strategy on a new fragment of Horn clauses.

We also transferred protocol security from a weak framework towards a stronger framework in the following directions. On the one hand, we showed that a weak property of secrecy (i.e. reachability-based secrecy) implies under certain well-motivated assumptions a stronger secrecy property (i.e. equivalence-based secrecy). On the other hand, we built protocols secure against active adversaries considering an unbounded number of sessions, by transforming protocols which are secure in a non-adversarial setting.

Keywords: security protocols, decision procedures, CBC encryption, blind signatures, key cycles, strong secrecy, constraint systems, Horn clauses, applied pi calculus.

Summary (French abstract)

This thesis is situated within the framework of the symbolic analysis of security protocols. The contributions consist of decidability and transfer results in the following directions, which are major themes in protocol verification:

- treatment of cryptographic primitives: CBC encryption, blind signatures;
- security properties: strong secrecy, existence of key cycles;
- approaches to security: construction of secure protocols.

Thus, we showed the decidability (on the one hand) of the existence of key cycles and (on the other hand) of secrecy for protocols using the CBC encryption mode or blind signatures.

We also transferred protocol security from a weak framework to a stronger one in the following senses. On the one hand, we showed that a weak secrecy property implies, under certain hypotheses, a stronger secrecy property. On the other hand, we built secure protocols from protocols having weaker properties.

Keywords: security protocols, decision procedures, CBC encryption, blind signatures, key cycles, strong secrecy, constraint systems, Horn clauses, applied pi-calculus.

Acknowledgements

First of all, a big and warm thank-you to Véronique Cortier. I am grateful for the confidence she has shown to me, for her great and constant availability, for her clear and precise answers to my questions. I cordially thank Michaël Rusinowitch for his encouragements, especially during the beginning of writing, and in general, for his valuable advice, and for having offered an auspicious atmosphere for the development of the thesis.

I also strongly thank the members of my jury for having accepted to be part of it. I particularly thank the reviewers, Jean Goubault-Larrecq, for his very careful reading of the manuscript and for his relevant remarks, and Thomas Wilke, for his observation that led to an alternative treatment of complexity in Chapter 2 (see §2.2.6), and for having bravely endured a presentation in a language that was not his.

A friendly thanks to Bogdan Warinschi for his support and optimism, and for the many discussions we had during his post-doc at Nancy. I also thank R. Ramanujam who warmly welcomed me in his team at IMSC, Chennai.

I thank Cornelius Croitoru and Dorel Lucanu, professors at the Faculty of Computer Science of Iași, for helping me to continue my studies in France, and Philippe Langevin, supervisor of my master's internship, who encouraged and helped me to pursue a PhD thesis.

I thank Cédric Fournet for accepting me as a post-doc in his team at the Microsoft Research-INRIA Joint Centre, and my new collaborators Ricardo Corin and Karthik Bhargavan for their patience and understanding during the final phase of the writing of this document.

Contents

Introduction
1 Cryptographic protocols . . . 11
1.1 Communication protocols. Terminology . . . 11
1.2 The intruder . . . 12
1.3 Security properties . . . 13
1.4 Cryptographic primitives . . . 13
1.5 Attacks . . . 15
2 Analysis of cryptographic protocols . . . 16
2.1 Symbolic verification of security protocols . . . 18
2.2 Linking the symbolic and cryptographic approaches . . . 21
2.3 Decidability and transfer results . . . 22
3 Contributions and plan of the thesis . . . 22
3.1 Part I. Decidability results . . . 23
3.2 Part II. Transfer results . . . 24

Chapter 1 Models for cryptographic protocols
1.1 Preliminaries . . . 28
1.1.1 Terms over order-sorted signatures . . . 28
1.1.2 Positions and subterms . . . 29
1.1.3 Substitutions . . . 31
1.1.4 Equational theories and rewriting systems . . . 33
1.1.5 Term deduction systems . . . 34
1.2 Cryptographic primitives and messages . . . 34
1.2.1 A sort system for cryptographic protocols . . . 36
1.2.2 A signature for cryptographic protocols . . . 37
1.2.3 Two deduction systems for cryptographic protocols . . . 38
1.2.5 The deduction problem . . . 43
1.3 Roles . . . 44
1.3.1 Specification of roles . . . 44
1.3.2 Execution of roles . . . 44
1.3.3 Executable roles . . . 46
1.3.4 Roles with matching and roles with equality tests . . . 47
1.4 Protocols . . . 48
1.4.1 Specification of protocols . . . 48
1.4.2 Execution of protocols . . . 48
1.4.3 Executable protocols . . . 50

Part I Decidability results . . . 53

Chapter 2 Decidability results using constraint systems
2.1 The model . . . 56
2.1.1 Constraint systems . . . 56
2.1.2 From protocols to constraint systems . . . 57
2.1.3 Security properties . . . 58
2.2 Simplifying constraint systems . . . 60
2.2.1 Simplification rules . . . 60
2.2.2 Decision procedure in NP-time . . . 61
2.2.3 Correctness . . . 63
2.2.4 Completeness . . . 65
2.2.5 Termination in polynomial time . . . 68
2.2.6 An alternative approach to polynomial-time termination . . . 71
2.3 Decidability of some specialised security properties . . . 73
2.3.1 Detection of key cycles . . . 73
2.3.2 Secrecy for protocols with timestamps . . . 82
2.4 Conclusions . . . 84

Chapter 3 Decidability results for Horn clauses
3.1 The model . . . 85
3.1.1 Horn clauses . . . 86
3.2.1 Intruder clauses . . . 90
3.2.2 Protocol clauses . . . 91
3.2.3 Extending the intruder power . . . 91
3.3 A decidability result . . . 93
3.3.1 Ordered resolution . . . 93
3.3.2 Our resolution method . . . 94
3.3.3 A decidable class . . . 95
3.3.4 Examples . . . 97
3.3.5 Proofs of intermediate results . . . 98
3.4 Application to the Needham-Schroeder symmetric key protocol . . . 102
3.4.1 Presentation of the protocol . . . 102
3.4.2 Correcting the protocol . . . 103
3.4.3 A transformation preserving secrecy . . . 104
3.4.4 Secrecy of the corrected protocol . . . 106
3.5 Conclusions . . . 107

Part II Transfer results . . . 109

Chapter 4 From simple secrecy to strong secrecy
4.1 The model . . . 113
4.1.1 The applied pi calculus . . . 113
4.1.2 Modeling protocols within the applied pi calculus . . . 115
4.1.3 Secrecy properties . . . 118
4.2 Passive case . . . 120
4.2.1 Simple secrecy implies strong secrecy . . . 120
4.2.2 Generalisation of well-formed frames . . . 122
4.3 Active case . . . 126
4.3.1 Our hypotheses . . . 126
4.3.2 Main result . . . 130
4.3.3 Proofs of intermediate results . . . 132
4.4 Application to some cryptographic protocols . . . 135
4.4.1 Yahalom . . . 135
4.4.2 Needham-Schroeder symmetric key protocol . . . 135
4.5 Conclusions . . . 137

Chapter 5 A transformation for obtaining secure protocols
5.1 Comparison with Katz and Yung's compiler . . . 141
5.2 The model . . . 142
5.3 Security properties . . . 144
5.3.1 A logic for security properties . . . 144
5.3.2 Examples of security properties . . . 146
5.4 Transformation of protocols . . . 147
5.5 Transfer result . . . 148
5.5.1 Honest, single session traces . . . 148
5.5.2 Transferable security properties . . . 149
5.5.3 Transference theorem . . . 149
5.5.4 Honest executions . . . 150
5.5.5 Proof sketch of the transference theorem . . . 151
5.5.6 Detailed proofs . . . 152
5.6 Conclusions . . . 157

Conclusions and perspectives

Introduction

Communication protocols are ubiquitous nowadays, being essential for the correct functioning of a wide range of applications involving electronic communicating devices. They are thus present in our now common activities, like talking on the mobile phone, chatting and emailing, watching cable TV, or shopping on the internet. In many such applications security is of primary concern. We want our communications to be private, our data to be unmodified during its transmission, to be sure of the identity of our communication partner.

Security protocols are then designed to ensure such goals, and they use cryptography to obtain the basic building bricks. However, even if these bricks are perfectly secure, the way they are combined in order to obtain a protocol is very important. Indeed, many protocols which were believed to be correct were later found to have flaws (not at all related to cryptanalysis). These flaws can thus be used by malicious entities, and can lead to major negative consequences once the protocol is already deployed, as the same flaw can be used over and over again until a patch is released. It is hence particularly important to perform careful analyses of security protocols in order to be sure that they do achieve the goals they are designed for.

1 Cryptographic protocols

1.1 Communication protocols. Terminology

A simple communication protocol is the one used when two people are meeting for the first time, and may be described as follows:

A ⇒ B : Hello, I am A.
B ⇒ A : I am B. Nice to meet you.

We see that a protocol is a sequence of rules, each one specifying the sender (A in the first rule), the receiver (B in the first rule), and the message sent by the sender. In a protocol each participant plays a certain role. Here there are two: the initiator A and the responder B. The symbols A and B (abbreviations for Alice and Bob) in the right hand side of rules are generic names which denote the identities of the initiator and the responder respectively. In specific situations we need to instantiate this description (that is, the generic parts) to obtain the actual sequence of exchanged messages, thus talking about a session of the protocol. We may also instantiate only some role, thus obtaining a role session. Participants, either generic or concrete, are also called agents, principals, or parties.

For example the role of Bob may be played by b, where b is some agent identity. Nothing prevents b from playing, in another session, the role of A. Moreover these sessions could be run concurrently, in other words their rules may be interleaved. For example, the following execution is possible:

(1).1  a(A) ⇒ b(B) : Hello, I am a.
(2).1  b(A) ⇒ c(B) : Hello, I am b.
(2).2  c(B) ⇒ b(A) : I am c. Nice to meet you.
(1).2  b(B) ⇒ a(A) : I am b. Nice to meet you.

Here the numbers in parentheses denote the session, and the numbers that follow denote the index of the rule within a session. Also, b(A) denotes that the participant b is playing the role of Alice. A run of the protocol is the execution of a single session.

Each protocol is designed to achieve a certain goal. In the example above the goal is that the participants introduce themselves. The goal can be expressed by one or more properties the executions of the protocol should satisfy. Properties are generally dependent on the environment in which the protocol is deployed. Suppose, using the same example, that the participants want to have a confidential conversation. If their conversation takes place in a public place or over the telephone, the communication is clearly unsafe, since a malicious entity can listen to the conversations (without the participants even noticing it).

The situation is much the same when protocols are deployed over computer networks, where the endpoints are programs (or computers). Consider for example the Simple Mail Transfer Protocol, which can be schematically¹ described by:

A ⇒ S : mail from:, A, rcpt to:, B, data, msg, .
S ⇒ B : msg

Here `,' denotes the concatenation of messages and S denotes the role of the mail server. A user A simply specifies the sender (himself), the intended recipient B, and the content msg of the email. The main goal of this protocol is to send mail over the Internet, its correctness being formulated with respect to this requirement. However we see that the content of a mail is not protected from disclosure or tampering, and the participants need not be the ones they pretend to be (e.g. a can send a message starting with mail from: c instead of mail from: a). Indeed, malicious actions, like eavesdropping, tampering with, or forging messages, can be easily performed by a corrupted server, a malicious agent, or a packet sniffer. Hence it is desirable to ensure properties that show the impossibility of such actions. Such properties which rely on the existence of a malicious environment are called security properties and protocols which aim at guaranteeing them are security protocols.

1.2 The intruder

Security properties are particularly important mainly when the environment is unsafe. Hence when talking about security protocols we always assume a malicious environment. Concretely this environment takes the form of an agent with special capabilities, called the intruder and denoted I, also known as adversary, attacker, or penetrator. It is assumed that he can listen to the communication and hence knows all the messages that were sent on the network. If his capabilities are restricted to this one, we talk about a passive intruder. An active intruder can do much more. R. Needham and M. Schroeder [NS78] first described the capabilities of an active intruder:

    We assume that an intruder can interpose a computer in all communication paths, and thus can alter or copy parts of messages, replay messages, or emit false material.

¹ This description is approximate since each of the three parts of the first message is in fact sent sequentially and is followed by acknowledgements of the server; also, the second rule is not part of the protocol itself.

An intruder (being an agent) can play a role in the protocol, but he need not follow the rules of the protocol, as honest agents do. Moreover, he knows all the private data of corrupted agents, thus being able to play their roles without the other agents' notice. Also it is assumed that dishonest agents (i.e. that do not follow the protocol) are part of the malicious environment and are hence represented by the intruder. In other words, dishonest agents and corrupted agents are the same concept.

1.3 Security properties

Secrecy and authentication are basic properties that are required in many generic applications. Some specific applications however need properties tailored to their needs. For example, in contract-signing protocols we may ask for properties like fairness and non-repudiation, while in voting protocols anonymity (of the voters) and coercion-resistance are needed. Specifying and analysing these properties may also require dedicated techniques (for example from game theory).

Secrecy
This property usually specifies that some messages should be known only by some agents, in particular they should not be known by the intruder. However we sometimes also require that the intruder is not able to infer anything about the secret messages. This is equivalent to saying that the intruder is not able to distinguish between executions of the protocol in which the secrets were replaced by arbitrary messages. To differentiate between the two versions of secrecy we call the former one simple secrecy and the latter one strong secrecy. Still another variant is when some values are to remain secret after revealing some other secret values, a property known as forward secrecy.

Authentication
This property holds if the agents have proven their identity (to some other agents) in some way. Depending on the mechanism used to achieve it and/or on how much assurance is needed there can be many variants of this property. For example, it could be stated in an absolute way: the agents are right about the identities of their communication partners; or, depending on the mechanism that is used for authentication: the agents agree on some values (what was sent is what was received).

We have mentioned that the intruder has control over the communication, in particular he knows and is able to modify the messages which are sent over the network. Hence security properties could not be satisfied if we didn't have tools for ensuring the confidentiality and integrity of messages. Fortunately such tools exist, being provided and guaranteed by cryptography. Security protocols are thus also called cryptographic protocols.

1.4 Cryptographic primitives

Cryptographic tools have existed from ancient times, serving mostly military purposes, but it is only with the advent of electronic devices that cryptography has become an established and general purpose field (see, e.g., [MVO96, Sch93] for introductory texts).

Cryptographic primitives are the basic operations from which security is built. They operate on bitstrings. The most used operations are encryption, which provides message confidentiality, hashing, which assures message integrity, and digital signing, which provides message origin authentication.

Encryption hides information, while decryption reveals it. These operations are parameterised by keys which allow the same schema to be used by different parties. The information in clear used as input to the encryption algorithm is called plaintext, while the encrypted information (i.e. the output) is called ciphertext.

Symmetric encryption
In such encryption schemes the same key is used to encrypt and to decrypt a message. Hence two parties share a key in order to be able to communicate securely, thus the alternative name shared-key encryption. The symmetric encryption of the plaintext $M$ with the key $K$ is denoted $\{\{M\}\}_K$.

Encryption of a message is usually done by cutting the message into several blocks of fixed length and then using a block cipher (like DES or the more recent AES). The encryption mode specifies the way the block cipher is used to obtain the ciphertext. The simplest mode, called ECB (electronic codebook), operates by encrypting each block independently, the ciphertext being the concatenation of the results, that is the encryption of the message block sequence $P_1 P_2 \cdots P_n$ (where some bits may be added to $P_n$ such that every block has the same length) with the key $K$ is $\{\{P_1\}\}_K \{\{P_2\}\}_K \cdots \{\{P_n\}\}_K$.

In other modes, like the CBC (cipher-block chaining) mode, the encryption of a block depends on the encryption of the previous block. In the CBC mode (illustrated in Figure 1), the encryption of $P_1 P_2 \cdots P_n$ with $K$ is $C_1 C_2 \cdots C_n$ where $C_0 = IV$ (initialisation vector) and $C_i = \{\{C_{i-1} \oplus P_i\}\}_K$ for $i \ge 1$, with $\oplus$ being the exclusive or (XOR) operation on bits.

[Figure 1: each plaintext block $P_1, P_2, P_3, \ldots$ is XORed with the previous ciphertext block $C_0, C_1, C_2, \ldots$ and passed through $E_K$ to produce $C_1, C_2, C_3, \ldots$]

Figure 1: CBC encryption mode.

Encryption in the CBC mode has the following prefix property: if $C_1 C_2 \cdots C_i C_{i+1} \cdots C_n = \{\{P_1 P_2 \cdots P_i P_{i+1} \cdots P_n\}\}_K$ then $C_1 C_2 \cdots C_i = \{\{P_1 P_2 \cdots P_i\}\}_K$. That is to say that one (e.g. an intruder) can get $\{\{P\}\}_K$ from $\{\{P, P'\}\}_K$ if the length of $P$ is a multiple of the block length used by the cryptographic algorithm. Note that encryption in the ECB mode also has the prefix property.
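The prefix property can be checked concretely. The following Python is an added example (not from the thesis): it implements ECB and CBC over a toy 8-byte keyed permutation standing in for the block cipher $E_K$, confirms that the first $i$ ciphertext blocks of $\{\{P_1 \cdots P_n\}\}_K$ coincide with $\{\{P_1 \cdots P_i\}\}_K$ in both modes, and shows that a truncated CBC ciphertext decrypts without any error unless a MAC over the ciphertext is verified first. The key, IV, MAC key and plaintext are constructed sample values.

```python
"""CBC/ECB prefix property with a toy block cipher, and detecting truncation."""
import hashlib
import hmac

BLOCK = 8  # toy block length in bytes (DES uses 8, AES uses 16)

# Constructed sample values: toy key, IV (= C_0), MAC key and three blocks P_1 P_2 P_3.
KEY = b"k0k1k2k3"
IV = b"iv-iv-iv"
MAC_KEY = b"constructed-mac-key"
P = b"ABCDEFGH" + b"IJKLMNOP" + b"QRSTUVWX"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy keyed permutation standing in for E_K (XOR with key, rotate bytes by 3).
    It is a bijection on 8-byte blocks, which is all the mode demonstration needs;
    it is not a secure cipher."""
    x = xor(block, key)
    return x[3:] + x[:3]


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt (rotate back, XOR with key)."""
    x = block[-3:] + block[:-3]
    return xor(x, key)


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block encrypted independently, {{P_1}}_K {{P_2}}_K ... {{P_n}}_K."""
    return b"".join(toy_block_encrypt(key, p) for p in blocks(plaintext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: C_0 = IV, C_i = E_K(C_{i-1} xor P_i)."""
    prev, out = iv, []
    for p in blocks(plaintext):
        prev = toy_block_encrypt(key, xor(prev, p))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CBC: P_i = D_K(C_i) xor C_{i-1}. Works on any whole-block prefix of a ciphertext."""
    prev, out = iv, []
    for c in blocks(ciphertext):
        out.append(xor(prev, toy_block_decrypt(key, c)))
        prev = c
    return b"".join(out)


def has_prefix_property(encrypt, p_prefix: bytes, p_suffix: bytes) -> bool:
    """Is the encryption of P_1..P_i a prefix of the encryption of P_1..P_n?
    `encrypt` is a function from plaintext to ciphertext with key/IV fixed."""
    return encrypt(p_prefix + p_suffix)[:len(p_prefix)] == encrypt(p_prefix)


def seal(key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the tag covers IV and the whole ciphertext."""
    ct = cbc_encrypt(key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(key: bytes, mac_key: bytes, iv: bytes, ciphertext: bytes, tag: bytes):
    """Verify the tag before decrypting; a truncated or altered ciphertext is rejected (None)."""
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return cbc_decrypt(key, iv, ciphertext)


if __name__ == "__main__":
    cbc = lambda pt: cbc_encrypt(KEY, IV, pt)
    ct, tag = seal(KEY, MAC_KEY, IV, P)
    print("CBC prefix property:", has_prefix_property(cbc, P[:16], P[16:]))
    print("truncated ciphertext decrypts to P_1 P_2:", cbc_decrypt(KEY, IV, ct[:16]) == P[:16])
    print("truncation rejected with MAC:", open_sealed(KEY, MAC_KEY, IV, ct[:16], tag) is None)
```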

Asymmetric encryption
In such encryption schemes, a.k.a. public-key encryption schemes, each user $a$ has a pair of keys, the public key $ek(a)$, used for encryption, and the private key $dk(a)$, used for decryption. Public keys are made available to anyone, while private keys are known only by the owner. The encryption of a message $M$ is this time denoted $\{[M]\}_{ek(a)}$. The security of public-key encryption relies on the difficulty to solve problems like integer factoring (as for the RSA system [RSA78]) or the discrete logarithm problem (as for the ElGamal system [Gam85]). Symmetric encryption algorithms are several orders of magnitude faster than asymmetric ones. However, they are impractical in large networks due to the large number of keys needed to be exchanged a priori. Hence, the two systems are complementary and are frequently used together: public-key encryption is first used for establishing a session key, which is used in subsequent symmetric encryptions.

Digital signatures
Digital signature schemes are used to bind a message with an entity: they compute a digital signature from the message and a private key of the entity (signing key). Given a signature and a verification key, which is public, one can check the authenticity of the signature. In other words, anyone can verify a signature but only the possessor of the signing key can sign.

In certain situations, for example in voting protocols, it is useful that a party signs messages without knowing them. This can be done using blind signature schemes. For instance, such a scheme allows an agent (e.g. a voter) to have a message (e.g. a vote) signed blindly by another entity (e.g. an administrator). In a typical implementation, the message is first blinded and then signed, to obtain a blind signature. Later on, the inverse operation of blinding, unblinding, can be applied on the blinded signature to obtain a valid signature on the initial message. These operations are illustrated in Figure 2 (where $m$ is the message, $r$ is the blinding key, and $k$ is the signing key).

[Figure 2: $m$ is blinded with $r$, the blinded value is signed with $k$, and the result is unblinded with $r$ to give a signature on $m$]

Figure 2: Blind signatures.
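The blind/sign/unblind cycle of Figure 2, as an added illustration that is not the thesis's own material, using Chaum's textbook RSA blind signature: the blinding factor $r$ hides $m$ from the signer, and unblinding the signer's output yields exactly the ordinary RSA signature on $m$, which anyone can verify. The primes and the ballot text are constructed toy values; a deployed scheme would use full-size keys and a proper hashing/padding scheme.

```python
"""Chaum's RSA blind signature: blind, sign, unblind, verify (toy parameters)."""
import hashlib
from math import gcd


def toy_rsa_keypair():
    """Textbook RSA with two small constructed primes; returns (n, e, d)."""
    p, q = 1009, 1013                 # toy primes, far too small for real use
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)               # signing exponent k: e*d = 1 mod phi(n)
    return n, e, d


def message_to_int(message: bytes, n: int) -> int:
    """Hash the message and reduce into Z_n to obtain the representative m."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def blind(m: int, r: int, n: int, e: int) -> int:
    """Voter: m' = m * r^e mod n. The signer sees only m', which is uniformly
    distributed when r is, so it learns nothing about m."""
    if gcd(r, n) != 1:
        raise ValueError("blinding factor must be invertible mod n")
    return (m * pow(r, e, n)) % n


def sign(x: int, d: int, n: int) -> int:
    """Signer: plain RSA signature s = x^d mod n on whatever value it is handed."""
    return pow(x, d, n)


def unblind(s_blind: int, r: int, n: int) -> int:
    """Voter: (m r^e)^d = m^d r, so s = s' * r^{-1} mod n = m^d mod n."""
    return (s_blind * pow(r, -1, n)) % n


def verify(s: int, m: int, n: int, e: int) -> bool:
    """Anyone: check s^e = m mod n with the public verification key."""
    return pow(s, e, n) == m % n


def blind_signature_round(message: bytes, r: int):
    """Run the whole Figure 2 cycle; returns (blinded value, signature on m, valid?)."""
    n, e, d = toy_rsa_keypair()
    m = message_to_int(message, n)
    blinded = blind(m, r, n, e)           # m  --r-->  blinded m
    s_blind = sign(blinded, d, n)         #    --k-->  blind signature
    s = unblind(s_blind, r, n)            #    --r-->  signature on m
    return blinded, s, verify(s, m, n, e)


if __name__ == "__main__":
    blinded, s, ok = blind_signature_round(b"constructed ballot: candidate 2", 123457)
    print("signer saw", blinded, "final signature valid:", ok)
```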

Hashing
A hash function associates a (short) fixed length bitstring to an arbitrary length message. In cryptographic applications hash functions are one-way operations. Using hash functions, data integrity of a message can be verified easily, provided a hash of that message was securely stored. Indeed, it suffices to compute again the hash of the message and compare it with the stored one.

Cryptographic primitives may be probabilistic (or deterministic) depending on whether some randomness is used (or not) when applying the primitive. Thus, when applied twice to the same inputs a probabilistic primitive gives two different outputs (except with negligible probability).

Besides cryptographic primitives, other basic elements present in security protocols are nonces and timestamps. Nonces are random numbers used no more than once for the same purpose, up to some negligible probability. Nonces and timestamps are intended to provide uniqueness or timeliness guarantees.

1.5 Attacks

A famous cryptographic protocol is the Needham-Schroeder public key protocol² [NS78]:

$A \Rightarrow B : \{[N_a, A]\}_{ek(B)}$
$B \Rightarrow A : \{[N_a, N_b]\}_{ek(A)}$
$A \Rightarrow B : \{[N_b]\}_{ek(B)}$

The goal of the protocol is the mutual authentication between $A$ and $B$, meaning that if Bob has finished his run then he indeed played his role with Alice (as he believes he did), and symmetrically for Alice. She initiates a session by creating a fresh nonce $N_a$, concatenating it with her identity, encrypting the result with the public key of Bob and sending the encrypted message to him. Bob answers by copying the received nonce (the first component obtained after decrypting the received message with his private key), appending his own freshly generated nonce, and encrypting the message with the public key of Alice. Finally, Alice sends back to Bob his nonce encrypted with his public key. The role of nonces is to ensure authentication: only Bob can read the first message and find out the value of $N_a$, hence only he could have sent the second message. Similar reasoning applies for $N_b$.

Consider however the following execution:

(1).1  $A \Rightarrow I : \{[N_a, A]\}_{ek(I)}$
(2).1  $I(A) \Rightarrow B : \{[N_a, A]\}_{ek(B)}$
(2).2  $B \Rightarrow I(A) : \{[N_a, N_b]\}_{ek(A)}$
(1).2  $I \Rightarrow A : \{[N_a, N_b]\}_{ek(A)}$
(1).3  $A \Rightarrow I : \{[N_b]\}_{ek(I)}$
(2).3  $I(A) \Rightarrow B : \{[N_b]\}_{ek(B)}$

Alice is starting a communication with a corrupted agent $I$ (she is probably unaware of the agent being corrupted). The agent $I$ is able to build the second message and to impersonate Alice to Bob. Thus Bob answers and his message is forwarded to Alice as coming from $I$ (steps 3 and 4). Alice continues as expected (step 5), and again $I$ impersonates Alice to Bob (step 6). Hence at the end of his run, Bob believes that he is talking with Alice while in fact he is talking with $I$. So the authentication of Alice to Bob doesn't hold.

The above description corresponds to an attack, that is a sequence of actions that the intruder performs in order to falsify a certain security property, that is to break it. Remark that the attack doesn't rely on the weakness of any of the cryptographic primitives, which are supposed to be secure, but on the logical flaws of the protocol (there is no information in the second message to deduce where the message comes from).

The above attack is an example of a man-in-the-middle attack. There are also other types of attacks, like:

- replay attacks, when the flaw is obtained by replaying some old messages (i.e. that have been sent previously, in the same or in other protocol runs);
- type-flaw attacks relying on a message of a certain type (e.g. an identity) being misinterpreted as a message of another type (e.g. a nonce);
- guessing attacks in which some secret message (e.g. a password) can be relatively easily guessed (because its set of possible values is small) and the guess can be checked for validity.

Coming back to the above protocol, the creators of the protocol were aware that it may be prone to extremely subtle errors and acknowledged that techniques to verify the correctness of security protocols are strongly needed. Indeed even though man-in-the-middle attacks were known before, it took 17 years to find such errors, the mentioned attack being discovered by G. Lowe [Low96].
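The interleaving (1).1 to (2).3 above can be replayed in a small symbolic model, as an added example that is not part of the thesis: encryption $\{[m]\}_{ek(X)}$ is a tuple that only the key owner $X$ can open (the perfect-cryptography abstraction), the initiator and responder roles follow the three rules literally, and the end state is compared with the authentication goal stated in the text. A second run applies the repair from Lowe's paper [Low96], which adds the responder's identity to the second message: Alice then rejects message (1).2 because it names $B$ rather than her intended partner $I$, and the trace cannot complete. Agent and nonce names are symbolic constants.

```python
"""Symbolic replay of the Lowe interleaving against the Needham-Schroeder
public key protocol, in a perfect-cryptography model (added example, not
the thesis's own code). Terms are tuples; agents are named by strings."""


def enc(payload, key_owner):
    """{[payload]}_{ek(key_owner)}: asymmetric encryption under key_owner's public key."""
    return ("enc", tuple(payload), key_owner)


def dec(msg, agent):
    """Return the payload iff `agent` owns dk(agent); everyone else learns nothing."""
    if isinstance(msg, tuple) and msg[0] == "enc" and msg[2] == agent:
        return msg[1]
    return None


class Initiator:
    """Role A. With lowe_fix=True, message 2 must also carry the responder's name."""

    def __init__(self, name, partner, nonce, lowe_fix=False):
        self.name, self.partner, self.nonce, self.lowe_fix = name, partner, nonce, lowe_fix
        self.finished = False

    def msg1(self):                              # A => B : {[N_a, A]}_{ek(B)}
        return enc((self.nonce, self.name), self.partner)

    def recv2_send3(self, msg):                  # expects {[N_a, N_b(, B)]}_{ek(A)}
        p = dec(msg, self.name)
        if p is None or len(p) < 2 or p[0] != self.nonce:
            return None
        if self.lowe_fix and (len(p) < 3 or p[2] != self.partner):
            return None                          # message names someone else: abort
        self.finished = True
        return enc((p[1],), self.partner)        # A => B : {[N_b]}_{ek(B)}


class Responder:
    """Role B; records whom it believes it is talking to."""

    def __init__(self, name, nonce, lowe_fix=False):
        self.name, self.nonce, self.lowe_fix = name, nonce, lowe_fix
        self.believed_partner, self.finished = None, False

    def recv1_send2(self, msg):                  # expects {[N_a, A]}_{ek(B)}
        p = dec(msg, self.name)
        if p is None or len(p) != 2:
            return None
        na, self.believed_partner = p
        payload = (na, self.nonce) + ((self.name,) if self.lowe_fix else ())
        return enc(payload, self.believed_partner)   # B => A : {[N_a, N_b(, B)]}_{ek(A)}

    def recv3(self, msg):                        # expects {[N_b]}_{ek(B)}
        p = dec(msg, self.name)
        if p == (self.nonce,):
            self.finished = True
        return self.finished


def run_honest(lowe_fix=False):
    """Sanity check: A and B talking directly complete the protocol."""
    alice = Initiator("A", "B", "Na", lowe_fix)
    bob = Responder("B", "Nb", lowe_fix)
    m3 = alice.recv2_send3(bob.recv1_send2(alice.msg1()))
    return bob.recv3(m3) and alice.finished


def run_lowe_trace(lowe_fix=False):
    """Replay steps (1).1 .. (2).3 from the text with I as the corrupted agent
    and report whether authentication of A to B is violated."""
    alice = Initiator("A", partner="I", nonce="Na", lowe_fix=lowe_fix)
    bob = Responder("B", nonce="Nb", lowe_fix=lowe_fix)
    m = alice.msg1()                            # (1).1  A => I : {[Na, A]}_{ek(I)}
    learned = dec(m, "I")                       # I owns dk(I), so it reads Na and A
    m = bob.recv1_send2(enc(learned, "B"))      # (2).1  I(A) => B : {[Na, A]}_{ek(B)}
    # (2).2  B => I(A): encrypted for A, opaque to I, forwarded unchanged as (1).2
    m = alice.recv2_send3(m)                    # (1).2  I => A
    if m is None:                               # Alice refuses the message: trace stops
        return {"bob_finished": False, "authentication_broken": False}
    nb = dec(m, "I")                            # (1).3  A => I : {[Nb]}_{ek(I)}
    bob.recv3(enc(nb, "B"))                     # (2).3  I(A) => B : {[Nb]}_{ek(B)}
    # Goal: if B finished believing he ran with A, then A ran with B.
    broken = bob.finished and bob.believed_partner == "A" and alice.partner != "B"
    return {"bob_finished": bob.finished, "bob_believes": bob.believed_partner,
            "alice_partner": alice.partner, "authentication_broken": broken}


if __name__ == "__main__":
    print("original NSPK:", run_lowe_trace())
    print("with Lowe's fix:", run_lowe_trace(lowe_fix=True))
```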

2 Analysis of cryptographic protocols

Development of protocols.
Mainly two steps are performed before the deployment of a cryptographic protocol: the first one is the design of the protocol and the second one is the validation of the protocol. There is an implicit loop here, the design being refined until the protocol is finally considered secure. There is thus a tight dependency between these two steps.

The design is guided by the security goals the protocol should verify and by the context in which it is deployed. The context, which can be given by the network structure (e.g. private vs. public channels, cable vs. wireless networks), the number of participants, their architecture (e.g. servers vs. clients, programs vs. hardware devices) and so on, imposes a number of constraints, like efficiency or limited resources. Hence the constraints can vary greatly, and this is a reason why there are plenty of protocols for achieving the same security goals.

As we have seen in the above example, informal arguments are not enough to validate secure protocols. And it is not a singular example. Indeed many of the released security protocols have flaws, whether it is about toy protocols (used for study in the academic community), e.g. [Low96, CJ97, Spo], or about real protocols (used by the industry) as in [CJT+06]. It is hence clear that rigorous analysis methods are mandatory to validate security protocols. Moreover, due to the large number of protocols and variants of them, and also due to the complexity of their analysis, (full or at least partial) automation is also a strong desideratum, both during the design process and after their release.

Two worlds for verification.
For about 20 years (from the late 70's to the late 90's) two distinct and seemingly unrelated approaches have been used for rigorous validation of protocols. The models that these approaches use are called on the one hand symbolic models (a.k.a. Dolev-Yao, formal or abstract models), and on the other hand cryptographic models (a.k.a. probabilistic, computational or concrete models). In the symbolic models, messages are modeled by elements (or equivalence classes) in a term algebra that the adversary can manipulate using a fixed set of symbolic operations. Thus these models introduce abstractions, which allow simpler reasoning about security of protocols, but are subject to questions about their faithfulness with respect to reality. In the cryptographic models, messages are bit strings and the adversary is an arbitrary probabilistic polynomial-time Turing machine. Being close to reality, results in these models yield strong security guarantees, but the validation proofs are often quite involved and only rarely suitable for automation (see e.g. [GM84, BR93]). It is only recently that automatic tools have appeared [BL06, Bla07] for cryptographic models.

The symbolic approach
From now on we focus on the symbolic world (although references to the other world may occur).

Following previous work of R. Needham and M. Schroeder [NS78], D. Dolev and A. Yao [DY83] performed the first analysis in a symbolic model, hence the alternative name of this approach. A very important implicit abstraction introduced by their work is that encryption is perfect in the sense that no (not even partial) information about the plaintext can be obtained from a ciphertext without knowing the decryption key. When generalising this hypothesis to arbitrary cryptographic primitives we talk about the perfect cryptography hypothesis. Subsequently, S. Even and O. Goldreich [EG83] showed that secrecy is undecidable (even for protocols without nonces). This showed that the analysis is indeed a difficult problem, and that further abstractions or restrictions need to be formulated to tackle the problem.

Starting from these seminal works a new topic has emerged: the symbolic verification of security protocols, with the objectives: rigorous, automatic and faithful analysis of protocols. The results can be classified in a number of ways: chronologically, by the class of protocols, by the set of primitives, by the type of attack or by the security property under study, by the aim of the analysis, by the model or by the method used in analysis, by the level of automation, etc. We will try in the following to sketch some of these criteria, focusing only on some of them.

2.1 Symbolic verification of security protocols

Symbolic approaches mainly focused, as we do, on key exchange and authentication protocols. However, as the applications of protocols have diversified and the verification methods have become more mature, voting protocols [DKR06], contract-signing protocols [KKW05], recursive protocols [KKW07], web-services protocols [BFG04, CLR07] etc. are being analysed using symbolic methods.

2.1.1 Security properties

A first difficulty of symbolic verification is to formally express the security properties that are expected. As we have seen, even a basic property such as secrecy admits two different acceptable definitions, namely reachability-based (simple) secrecy and equivalence-based (strong) secrecy, and these notions seemed unrelated [Aba00]. However, a quite surprising result (see [CW05]) states that the cryptographic counterparts of the two notions (simple secrecy can be translated into a similar reachability-based secrecy notion, and strong secrecy is close to indistinguishability, a standard security definition in cryptography) are related: cryptographic simple secrecy actually implies indistinguishability in the cryptographic setting.

Authentication has even more variants. They are often formulated by means of correspondence assertions [WL94]. G. Lowe has given a hierarchy of formulations [Low97], going from aliveness (which only requires that, when the authenticating agent finishes a run, the authenticated agent has at least participated in some run) to injective agreement, which requires that to each run of the authenticating agent there is a unique corresponding run of the authenticated agent such that the two agents agree on some values.

Simple secrecy and authentication properties are usually expressed by predicates on traces (sequences of states and/or actions describing the execution of the system composed of a protocol and its environment), which have been intensively studied in the context of concurrent systems (but without considering security). Nevertheless, many other properties, like strong secrecy, anonymity, fairness, non-repudiation, are not trace properties. The techniques used to treat these properties are usually different, and more subtle and involved. Some of these properties have only recently received proper formal definitions (see [CDE05] for guessing attacks, [KKT07] for properties of contract-signing protocols, or [DKR06] for properties of voting protocols). We mainly focus in this thesis on trace properties and in the rest of this section on simple secrecy.

2.1.2 Primitives and their properties

While the set of studied primitives is rather standard (symmetric and/or asymmetric encryption, digital signatures), it is the amount of faithfulness in capturing their properties that varies. Many cryptographic functions admit simple algebraic properties. For example, concatenation is associative, encryption is homomorphic (with respect to concatenation) in ECB mode, has the prefix property in CBC mode, etc. In standard Dolev-Yao models, which assume the perfect cryptography assumption, these properties are ignored. For example, concatenation is modeled by pairing (denoted $\langle m, m' \rangle$) which is non-associative, that is $\langle m_1, \langle m_2, m_3 \rangle\rangle \neq \langle\langle m_1, m_2 \rangle, m_3 \rangle$. These algebraic properties can be exploited by intruders, and thus attacks may be missed if they are not taken into account. Moreover, such properties may be crucial too for a proper working of the protocol, as is the case for some voting protocols which explicitly rely on the properties of blind signatures. Therefore, a lot of recent work has focused on weakening the perfect cryptography assumption, e.g. [AF01, CLS03, CD05, CR06].
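The CBC prefix property mentioned above, as an added example that is not part of the thesis: a toy 64-bit block permutation stands in for the block cipher (it is deliberately insecure; the property holds for any block cipher in CBC mode because only the chaining structure matters), and the key, IV and message fields are constructed here. The Dolev-Yao abstraction $\{\{\langle m_1, m_2\rangle\}\}_k$ has no truncation rule, which is exactly why an analysis that ignores the property can miss attacks exploiting it.

```python
# CBC mode and its prefix property (added example; toy cipher, constructed data).
BLOCK = 8                      # block size in bytes
MASK = (1 << 64) - 1

def toy_block_encrypt(key, block):
    """Toy block permutation E_k(x) = (x + k) mod 2^64. Insecure by design:
    it is only a placeholder so that the CBC chaining below can be run."""
    return ((int.from_bytes(block, 'big') + key) & MASK).to_bytes(BLOCK, 'big')

def toy_block_decrypt(key, block):
    """Inverse of toy_block_encrypt."""
    return ((int.from_bytes(block, 'big') - key) & MASK).to_bytes(BLOCK, 'big')

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key, iv, plaintext):
    """Standard CBC encryption, no padding: c_i = E_k(m_i XOR c_{i-1}), c_0 = iv."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b''.join(out)

def cbc_decrypt(key, iv, ciphertext):
    """Standard CBC decryption: m_i = D_k(c_i) XOR c_{i-1}."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor(toy_block_decrypt(key, c), prev))
        prev = c
    return b''.join(out)

def cbc_prefix(ciphertext, n_blocks):
    """The prefix property: truncating {m1 . m2}_k to the length of m1 gives
    {m1}_k under the same IV, without knowing k. Since each c_i depends only on
    the blocks before it, an intruder can strip trailing fields of an
    intercepted CBC ciphertext and the result still decrypts correctly."""
    return ciphertext[:n_blocks * BLOCK]

# Constructed sample: a key, a zero IV and two 8-byte fields of a message.
KEY = 0x0123456789ABCDEF
IV = bytes(BLOCK)
M1 = b'kab=0001'
M2 = b'agent=B '

if __name__ == '__main__':
    c = cbc_encrypt(KEY, IV, M1 + M2)
    print(cbc_prefix(c, 1) == cbc_encrypt(KEY, IV, M1))   # True: {m1,m2}_k -> {m1}_k
```

Only prefixes can be stripped this way: the second block of the ciphertext is not an encryption of `M2` on its own, because it is chained to the first block.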


2.1.3 Approaches

Security protocols are difficult to verify due to their infinite nature, given by several elements: the exchanged messages can have any size, they can use any number of new keys and nonces, and the number of participants and sessions is not bounded. Indeed, focusing on reachability-based secrecy, several undecidability results show that these elements contribute to the difficulty of the problem. Thus, the problem remains undecidable even if one bounds the size of messages (see e.g. [DLMS99, AC02]), or the number of nonces generated during the execution of the protocol (see e.g. [CC05]). One then needs to find alternative approaches to the generic verification problem.

Search for attacks. Since most attacks involve only a few messages and sessions, an approach is to first search for attacks, by considering only a subset of all the possible executions.

Indeed, most of the first automatic tools for protocol analysis were model-checkers (like FDR [DNL99], Murφ [MMS97], or Brutus [CJM00]) which did discover many interesting attacks (see e.g. [Low96]). Such tools represent protocols as finite-state machines (and security properties by temporal logic formulas), usually by considering only messages of bounded size and a finite number of sessions. Another possibility for bounding the search space is to consider, as in [DLM04], messages of bounded size and a finite number of nonces, which leads to searching for the secret in a finite intruder knowledge.

Assuming a finite number of sessions, but no bound on the message size, the search space becomes again infinite. The standard way to approach this setting is to use symbolic techniques (which, intuitively, use symbolic states to represent sets of concrete states), as first suggested by the work of A. Huima in [Hui99]. The secrecy problem was then proved to be NP-complete in this setting by M. Rusinowitch and M. Turuani [RT01]. The same setting was formalised by J. Millen and V. Shmatikov in [MS01] as a constraint system problem (an attack is expressed as a sequence of constraints that the intruder should solve). To solve constraint systems, these are first transformed into simpler constraints, usually called solved forms, by using a small set of simplification rules (testing the satisfiability of these constraints is much easier). Compared to [RT01], presenting the decision procedure using a small set of simplification rules makes it more easily amenable to further extensions and modifications. Indeed, constraint systems have become the standard model when considering a bounded number of sessions (see e.g. [CLS03, BCD07, DLLT07, CDL06] for results concerning algebraic properties developed within this framework). The same approach is used to handle arbitrary trace properties in [CSE05, Cor06], and equivalence-based properties like strong secrecy and guessing attacks in [Bau05, Bau07]. Also, several tools [CE02, Tur06] have been developed for verifying protocols for a bounded number of sessions.
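The search for a secret in a finite intruder knowledge mentioned above (the [DLM04] setting) reduces to the ground Dolev-Yao deduction problem. The following is an added example, not code from the thesis: messages are nested tuples, the tags `pair`, `senc`, `aenc`, `pub`, `priv` and the toy server-based key distribution session are constructed for the example. Under the perfect cryptography hypothesis the intruder decomposes what it has seen (splits pairs, decrypts only with a key it can already derive) until a fixpoint, and then composes freely; the secret is deducible iff it can be composed from that closure.

```python
# Ground Dolev-Yao deduction over a finite intruder knowledge (added example).
# Constructed message encoding:
#   ('pair', m1, m2)           the pair <m1, m2>
#   ('senc', m, k)             symmetric encryption of m under key k
#   ('aenc', m, pk)            asymmetric encryption of m under pk = ('pub', agent)
#   ('pub', a) / ('priv', a)   the key pair of agent a
#   any str                    an atomic name, nonce or symmetric key

COMPOSABLE = ('pair', 'senc', 'aenc')   # constructors the intruder may apply itself

def synth(m, known):
    """Synthesis: can m be built from `known` using only pairing and encryption?
    A key of any shape may be used provided it is itself synthesisable."""
    if m in known:
        return True
    return isinstance(m, tuple) and m[0] in COMPOSABLE \
        and synth(m[1], known) and synth(m[2], known)

def analyse(knowledge):
    """Analysis: close `knowledge` under decomposition. Perfect cryptography:
    a ciphertext yields its plaintext only if the decryption key is deducible,
    so messages are re-scanned until nothing new is added (a fixpoint)."""
    known = set(knowledge)
    while True:
        new = set()
        for m in known:
            if not isinstance(m, tuple):
                continue
            if m[0] == 'pair':
                new.update(m[1:])
            elif m[0] == 'senc' and synth(m[2], known):
                new.add(m[1])
            elif m[0] == 'aenc' and isinstance(m[2], tuple) and m[2][0] == 'pub' \
                    and synth(('priv', m[2][1]), known):
                new.add(m[1])
        if new <= known:
            return known
        known |= new

def deducible(secret, knowledge):
    """The deduction problem: is `secret` derivable from the finite set `knowledge`?"""
    return synth(secret, analyse(knowledge))

# Constructed sample: what the intruder observed in one session of a toy
# server-based key distribution, plus its own long-term key shared with S.
OBSERVED = {
    ('senc', ('pair', 'kab', 'b'), 'kas'),         # S -> A : {kab, b}_kas
    ('senc', ('pair', 'kab', 'a'), 'kbs'),         # S -> B : {kab, a}_kbs
    ('senc', 'n_b', 'kab'),                        # B -> A : {n_b}_kab
    ('aenc', ('pair', 'n_a', 'a'), ('pub', 'b')),  # A -> B : {n_a, a}_pk(b)
    ('pub', 'b'),                                  # public keys are public
    'kis',                                         # intruder's own key with S
}

if __name__ == '__main__':
    print(deducible('n_b', OBSERVED))              # False: kab never becomes known
    print(deducible('n_b', OBSERVED | {'kbs'}))    # True once B's long-term key leaks
```

Because the knowledge set is finite and decomposition only produces subterms of it, `analyse` terminates; the only unbounded part, synthesis, is guided by the structure of the target term.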

Proof of correctness. Searching for attacks is an effective method, but it does not guarantee the correctness of a protocol. And, as we saw, the automatic verification of arbitrary protocols is not possible. Then, one can either renounce full automation, or use semi-decision procedures, or restrict the considered class of protocols, or still, perform some approximations (or consider a combination of these possibilities).

Indeed, one of the first tools which does not restrict the model in any way is the NRL protocol analyser [Mea96] of C. Meadows. However, the user needs to interact with and help the tool in order to obtain an answer. In the same vein are the approaches which use theorem provers, like the inductive approach of L. Paulson [Pau98] which uses Isabelle to prove security properties.


If one does want full automation and no loss of generality then one needs to cope with semi-decision procedures which finish if there is an attack (and say so), but need not finish if the protocol is correct (and thus may fail to say so). In this category we find tools like Casrul [JRV00] or Athena [SBP01].

However, it is often the case that semi-decision procedures take too long before giving an answer (if they ever would). Then another way to proceed is to introduce approximations or abstractions in the model. These approximations need to be correct: if the protocol is proved secure using them then it is indeed secure (i.e. without them). The drawback is that approximations may introduce false attacks. An example of such an analysis is the use of tree automata to recognise an over-approximation of the intruder knowledge, as has been done in [Mon99, GK00, Gou00] or in the tool TA4SP [ABB+05]. Vice-versa, one can under-approximate the infinite set of safe messages, as has been done in the Hermes tool [BLP03] by using a symbolic representation based on patterns. Still another example is the use of Horn clauses to represent (rules of) protocols. Horn clauses usually abstract away sessions and the order of execution of rules, since they can be used any number of times. However, the advantage of this modeling is that one can then use efficient resolution strategies to search for proofs. This approach was pioneered by Ch. Weidenbach [Wei99], and it gave rise to an efficient tool, ProVerif [Bla01]. Moreover, reference implementations of protocols written in C or ML can be verified, by extracting a set of Horn clauses which is then passed on to tools like SPASS, h1, or ProVerif (see respectively [GP05] and [BFGT06]).

Even if the problem is undecidable in general one can still hope that it is decidable for a restricted (but still large) class of protocols. And indeed several such classes have been exhibited. A first decidability result was obtained in [DEK82] for the class of ping-pong protocols, protocols in which participants have no memory and can thus only apply some sequences of unary operators on the last received message and send the result back. This is however not a realistic setting. Next, in the context of model-checking finite representations of protocols, G. Lowe showed in [Low99] that under strong restrictions on protocols this method is complete. Such restrictions imposed for example the absence of blind copies; a blind copy is the transfer by a participant of an unknown datum from the received message to the sent message. In [CLC03a], this restriction was relaxed by allowing one blind copy, but the analysis only considered a finite number of nonces. Ramanujam and Suresh [RS03], considering again no blind copies, showed that for tagged protocols (protocols for which all encryptions in the specification contain a different tag, and which are thus distinguishable also in the execution) secrecy is decidable, even for protocols with nonces. A similar result [BP03b] is obtained for a simpler tagging scheme, but in the context of Horn clauses (which, as we mentioned, introduce approximations), showing that ProVerif always terminates for tagged protocols. All these decidability results suggest that a class of more realistic protocols for which the secrecy problem is decidable could still be found.

Correctness by design. A completely different approach is to avoid the verification problem, simply by designing provably correct protocols from the start. To our knowledge, in the cryptographic world this was not explored mainly because of the difficulty of producing proofs of correctness. Indeed, only a few protocols have such proofs in a cryptographic setting [War05, BP03a, BCJ+06] (the situation is likely to change due to the development of automatic tools in this setting). However, a similar but slightly different approach is rather pervasive in cryptographic design: one starts with the design of a simple version of a system intended to work in restricted environments (i.e. with restricted adversaries) and then obtains, via a generic transformation, a more robust system intended to work in arbitrary environments. For example, Goldreich, Micali, and Wigderson show how to compile arbitrary protocols secure in the presence of participants that honestly follow the protocol (but may try to learn information they are not entitled to) into protocols secure in the presence of participants that may arbitrarily deviate from the protocol [GMW87]. Bellare, Canetti, and Krawczyk have shown how to transform a protocol that is secure when the communication between parties is authenticated into one that remains secure when this assumption is not met [BCK98].

In the symbolic world, few tools have been developed with the goal of automatically synthesising secure protocols. For example, Perrig and Song [PS00] describe a tool which mainly works by exhaustively searching the protocol space and invoking Athena to test the correctness of each generated protocol. However, due to the huge search space, the tool is limited to generating only three-party protocols.

Symbolic approaches that focus on modular protocol design include the following ones. Datta, Derek, Mitchell, and Pavlovic [DDMP05] propose a framework for deriving security protocols from simple components such as nonces, certificates, encrypted or signed messages. Security properties are thus added to a protocol through generic transformations. M. Abadi, G. Gonthier, and C. Fournet [AFG02] give a compiler for programs written in a language with abstractions for secure channels into an implementation that uses cryptography, with the aim of eliminating cryptographic security analysis in involved settings.

Finally, let us recall also that an often used technique is to patch flawed protocols and then to argue that the patched protocol is this time correct. Recently, this method has been automated in [LMH07].

2.2 Linking the symbolic and cryptographic approaches

As we have mentioned, two independent approaches have been developed for the analysis of security protocols. Nevertheless, in the late 90's these approaches started to be related (see [PSW00, LMMS98, AR00] for some seminal works in this direction). For example, one particularly interesting path, opened by M. Abadi and P. Rogaway [AR00, AR02], consists in proving that the abstraction of cryptographic primitives made in the Dolev-Yao model is correct as soon as strong enough primitives are used in the implementation. The goal is to obtain the best of both worlds: relatively simple, automated security proofs that entail strong security guarantees. For example, in the case of asymmetric encryption, it has been shown [MW04a] that the perfect encryption assumption is a sound abstraction for encryption schemes satisfying the IND-CCA2 property, which corresponds to a very high and well-established security level.

However, it is not always sufficient to find the right cryptographic hypotheses. Symbolic models may need to be amended in order to be correct abstractions of the cryptographic models. This is in particular the case for symmetric encryption. For example, in [BP04], M. Backes and B. Pfitzmann consider extra rules for the formal intruder in order to reflect the ability of a real intruder to choose its own keys in a particular manner. A more widely used requirement is to control how keys can encrypt other keys. In a passive setting, soundness results [AR02, MW04b] require that no key cycles can be generated during the execution of a protocol. Key cycles are messages like $\{\{k\}\}_k$ or $\{\{k_1\}\}_{k_2}, \{\{k_2\}\}_{k_1}$ where a key encrypts itself or, more generally, where the encryption relation between keys contains a cycle. Such key cycles have to be disallowed simply because the usual security definitions for encryption schemes do not provide any guarantees when such key cycles occur. In the active setting, the typical hypotheses are even stronger. For instance, in [BP04, JLM05] the authors require that a key $k$ never encrypts a key generated before $k$, or, more generally, that it is known in advance which key encrypts which other key. More precisely, the encryption relation has to be compatible with the order in which keys are generated, or more generally, it has to be compatible with an a priori given order on keys. We note that the absence of key cycles and related properties are not only trace properties but also message structure properties, and thus cannot be treated by standard techniques for trace properties.
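The two conditions on the encryption relation described above, as an added example that is not part of the thesis: the Abadi-Rogaway check (no cycle in the "encrypts" graph, a self-encryption $\{\{k\}\}_k$ being a cycle of length one) beside the Backes-style check that every edge goes forward in the key generation order. The tuple encoding of messages, the key names, the samples, and the reading of "$k$ encrypts $k'$" as "$k'$ occurs anywhere in a plaintext encrypted under $k$" are assumptions made here; only atomic symmetric keys are tracked.

```python
# Key-cycle and key-order checks on a set of Dolev-Yao messages (added example).
# Constructed encoding: ('senc', m, k) is {m}_k, ('pair', m1, m2) is <m1, m2>,
# strings are atoms. `keys` lists the atomic symmetric keys to track.

def atoms(m):
    """Atomic names occurring anywhere in m."""
    if isinstance(m, tuple):
        return set().union(*(atoms(x) for x in m[1:]))
    return {m}

def encryption_edges(messages, keys):
    """The 'encrypts' relation: (k, k2) iff some subterm {m}_k has k2 occurring
    in m (the reading of the Abadi-Rogaway condition assumed here)."""
    keys = set(keys)
    edges = set()
    def walk(m):
        if not isinstance(m, tuple):
            return
        if m[0] == 'senc' and m[2] in keys:
            edges.update((m[2], k2) for k2 in atoms(m[1]) & keys)
        for x in m[1:]:          # also look inside plaintexts and pair components
            walk(x)
    for m in messages:
        walk(m)
    return edges

def has_key_cycle(messages, keys):
    """Abadi-Rogaway condition violated iff the encrypts graph has a cycle.
    Depth-first search with white/grey/black colouring; {k}_k is a self-loop."""
    graph = {}
    for k, k2 in encryption_edges(messages, keys):
        graph.setdefault(k, set()).add(k2)
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {k: WHITE for k in keys}
    def visit(k):
        colour[k] = GREY
        for k2 in graph.get(k, ()):
            if colour[k2] == GREY or (colour[k2] == WHITE and visit(k2)):
                return True
        colour[k] = BLACK
        return False
    return any(colour[k] == WHITE and visit(k) for k in keys)

def compatible_with_order(messages, order):
    """Backes-style condition: `order` lists the keys in generation order and
    every edge k -> k2 must go strictly forward in it, so a key never encrypts
    a key generated before it. Read strictly here, which also rejects {k}_k."""
    rank = {k: i for i, k in enumerate(order)}
    return all(rank[k] < rank[k2] for k, k2 in encryption_edges(messages, order))

# Constructed samples.
CYCLE = {('senc', 'k1', 'k2'), ('senc', 'k2', 'k1')}                 # {k1}_k2, {k2}_k1
SELF = {('senc', 'k', 'k')}                                          # {k}_k
CHAIN = {('senc', ('pair', 'k1', 'n'), 'k2'), ('senc', 'k2', 'k3')}  # k3 -> k2 -> k1

if __name__ == '__main__':
    print(has_key_cycle(CYCLE, ['k1', 'k2']), has_key_cycle(CHAIN, ['k1', 'k2', 'k3']))
    print(compatible_with_order(CHAIN, ['k3', 'k2', 'k1']))
```

Both checks are properties of the message structure rather than of the trace, as the text notes: they inspect the terms themselves, and in the active setting the terms the intruder can cause to be sent are exactly what Chapter 2 has to decide.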

2.3 Decidability and transfer results

We have already seen that one can attack the verification problem from different angles: either directly by searching for decidability results, or indirectly by transferring a problem from one setting to another setting in which the problem is solved or simpler. This was the case for transformations of protocols which are (in)secure in one setting into protocols which are secure in a stronger setting; or for soundness results of symbolic models with respect to cryptographic models. Let us mention one more such example.

There are many different models in which one reasons about security protocols, like process algebras (spi calculus, applied pi calculus, and variants), strand spaces, multiset rewriting, first-order logics etc. It is generally accepted that a characterisation of security protocols obtained in one model also holds in different models. For example, we say that the secrecy problem is NP-complete for a bounded number of sessions but we do not specify the model in which this was proved. However, only a few rigorous comparisons between models exist [CDL+00, AB02, Bla05]. We can also see them as transfer results.

3 Contributions and plan of the thesis

In a phrase, the contributions of this thesis consist in improving the state of the art in the symbolic verification of cryptographic protocols while studying less explored features in the following directions:

• cryptographic primitives: CBC encryption, digital blind signatures;

• security properties: strong secrecy, existence of key cycles;

• approaches to security: transferring security from weaker to stronger settings, transforming protocols.

These features have been studied before, but (at least at the beginning of this thesis) they represent(ed) a relatively small fraction of the vast body of literature on cryptographic protocols, which mainly focused on:

• cryptographic primitives: Dolev-Yao primitives (i.e. mainly pairing and perfect encryption);

• security properties: simple secrecy, authentication;

• approaches to security: direct verification of existing protocols.

We have thus also tackled (though not directly) two important related topics: weakening the perfect cryptography hypothesis (by considering the prefix property of encryption in CBC mode), and linking the symbolic and cryptographic approaches (by considering the existence of key cycles). Others, for example G. Bana [Ban05], S. Delaune [Del06], P. Lafourcade [Laf06], P. Adão [Adã06], R. Janvier [Jan06], L. Mazaré [Maz06], M. Baudet [Bau07], have recently focused directly on these topics in their theses.


Plan of the thesis. After giving the necessary preliminary definitions, we present in Chapter 1 how security protocols are modeled. The particular model we choose is inspired from the symbolic model of D. Micciancio and B. Warinschi [MW04a] and is rather standard for modeling an unbounded number of sessions. It has the advantage of being intuitive and explicit (w.r.t. the actions of the intruder and of other agents). Whenever we work in a different model we briefly describe its relationship with this reference model.

According to the classification given in the previous section we separate our contributions by the approach: a direct one (obtaining decidability results) and an indirect one (obtaining transfer results). Each main contribution is then presented in a different chapter, as shown next.

3.1 Part I. Decidability results

3.1.1 Chapter 2. Deciding the existence of key cycles

A first contribution is an NP-complete decision procedure for detecting the generation of key cycles during the execution of a protocol, in the presence of an active intruder, for a bounded number of sessions. This procedure deals with several versions of the definition of key cycles (for example, key cycles à la Abadi-Rogaway, or key orders à la Backes). We therefore provide a necessary component for the approach which consists in proving security properties in the cryptographic world by starting from security proofs of these properties in the symbolic world (and using soundness results like the ones presented in Section 0.2.2 in order to achieve this).

We have obtained the decidability of key cycles by generalising the constraint system approach. Indeed, we use the same simplification rules as in [CLS03], but in addition we show that this method is applicable to any security property that can be expressed as a predicate on the protocol trace and the agent memories. Compared to [CLS03], the framework is also extended to more general primitives, since we consider sorted terms, symmetric and asymmetric encryption, pairing and signatures (but we do not consider algebraic properties). Moreover, we prove termination in polynomial time of the (non-deterministic) decision procedure. This establishes the complexity of the constraint system approach, and also of the problem under study (modulo its complexity on solved forms).

We further illustrate the applicability of our generic approach by giving an alternative and simple proof of the co-NP-completeness of secrecy for protocols with timestamps. We actually retrieve a significant fragment of the decidable class identified by L. Bozga et al. [BEL04].

3.1.2 Chapter 3. Deciding a fragment of Horn clauses for protocols with CBC encryption and blind signatures

We propose a resolution strategy for deciding a fragment of first-order logic that allows one to incorporate the prefix property of CBC encryption in our protocol modeling and to prove the absence of attacks exploiting this property. The same fragment applies to abstract properties of blind signature schemes. The approach follows the line of [CLC03a] but requires a refined strategy in order to eliminate the additional clauses generated by resolution due to the new properties. As a consequence, we obtain that secrecy of cryptographic protocols can be proven for an unbounded number of sessions, in the case for example of CBC encryption and blind signatures, when nonces are abstracted by constant terms and at most one blind copy is performed at each transition.

We apply the verification algorithm to the Needham-Schroeder symmetric key protocol, which is subject to an attack when the CBC encryption mode is used [PQ00]. We show how to fix the protocol and we prove the correctness of the resulting protocol. The latter is done automatically, as we have extended a prototype implementation of the procedure in [CLC03a].


3.2 Part II. Transfer results

3.2.1 Chapter 4. From simple to strong secrecy

Motivated by the result of [CW05] and the large number of available systems for simple secrecy verification, we initiate a systematic investigation of situations where simple secrecy entails strong secrecy. This happens in many interesting cases.

We offer results in both passive and active cases in the setting of the applied pi calculus [AF01]. We first treat the case of passive adversaries. We prove that simple secrecy implies strong secrecy, as long as probabilistic primitives are used, and if the secret is not used to encrypt messages. The former condition is not a restriction since probabilistic encryption is de facto the standard in almost all cryptographic applications. The latter hypothesis is sustained by counter-examples. Next, we consider the more challenging case of active adversaries. We give sufficient syntactic conditions on the protocols for simple secrecy to imply strong secrecy. Intuitively, we require in addition that the conditional tests are not performed directly on the secret since such tests may provide information on the value of this secret. We again exhibit several counter-examples to motivate the introduction of our conditions. An important aspect of our result is that we do not make any assumption on the number of sessions: we put no restriction on the use of replication. In particular, our result holds for an unbounded number of sessions.

The interest of this contribution is twofold. First, conceptually, it helps to understand when the two definitions of secrecy are actually equivalent. Second, we can transfer many existing results (and the armada of automatic tools) developed for simple secrecy. For instance, since the simple secrecy problem is decidable for tagged protocols for an unbounded number of sessions [RS03], by translating the tagging assumption to the applied pi calculus, we can derive a first decidability result for strong secrecy for an unbounded number of sessions for the class of protocols satisfying our conditions. Other decidable fragments might be derived from [DLMS99] for bounded messages (and nonces) and [AL00] for a bounded number of sessions. We exemplify our approach by showing strong secrecy of three protocols from the literature (starting from the known fact that these protocols satisfy simple secrecy).

3.2.2 Chapter 5. A transformation for obtaining secure protocols

Finally, we present a transformation that maps a protocol secure in an extremely weak sense (essentially in a model where no adversary is present) into a protocol that is secure against a fully active adversary which interacts with an unbounded number of protocol sessions. The transformation works for arbitrary protocols with any number of participants, written with the usual cryptographic primitives. It provably preserves a large class of trace security properties that contains secrecy and authentication. Conceptually, the transformation is very simple, and has a clean, well motivated design. Each message is tied to the session for which it is intended via digital signatures and on-the-fly generated session identifiers, and replay attacks are prevented by encrypting the messages under the recipient's public key.

The table below shows a summary of the properties, primitives, approaches, and models used in this thesis.

The contributions presented in Chapters 2, 3, 4, and 5 have been published in the Proceedings of LPAR'06 [CZ06], PPDP'05 [CRZ05], CSL'06 [CRZ06], and ESORICS'07 [CWZ07] conferences respectively. These contributions represent joint work with Véronique Cortier (in all papers), Michaël Rusinowitch (in the second and the third papers), and Bogdan Warinschi (in the fourth paper).


Chapter   Section    Security property            Primitives                   Approach               Model
2         2.1, 2.2   trace properties             Dolev-Yao                    search for attacks     constraint systems
          2.3.1      key cycles
          2.3.2      secrecy (with timestamps)
3                    secrecy                      CBC encryption,              proof of correctness   Horn clauses
                                                  blind signatures
4                    (simple and strong) secrecy  Dolev-Yao                    transfer               applied pi calculus
5                    trace properties             Dolev-Yao                    transfer               trace model [MW04a]


Models for cryptographic protocols

Contents

1.1 Preliminaries
    1.1.1 Terms over order-sorted signatures
    1.1.2 Positions and subterms
    1.1.3 Substitutions
    1.1.4 Equational theories and rewriting systems
    1.1.5 Term deduction systems
1.2 Cryptographic primitives and messages
    1.2.1 A sort system for cryptographic protocols
    1.2.2 A signature for cryptographic protocols
    1.2.3 Two deduction systems for cryptographic protocols
    1.2.4 On the use of a third deduction system
    1.2.5 The deduction problem
1.3 Roles
    1.3.1 Specification of roles
    1.3.2 Execution of roles
    1.3.3 Executable roles
    1.3.4 Roles with matching and roles with equality tests
1.4 Protocols
    1.4.1 Specification of protocols
    1.4.2 Execution of protocols
    1.4.3 Executable protocols

As mentioned in the introduction we work in so-called symbolic (or abstract, Dolev-Yao) models that represent messages by elements (or equivalence classes) in some term algebra. In this chapter we mainly present how protocols are modeled within this setting. We start by giving, in Section 1.1, the basic technical definitions and notions used throughout this document. We then present, in Section 1.2, how messages and the operations on them are represented. Next, in Sections 1.3 and 1.4, we show how we model protocols.


1.1 Preliminaries

This section mainly introduces the term algebra setting used in this thesis. For a set $S$ we denote by $S^*$ the free monoid of words over $S$, by $\cdot$ the concatenation operator over $S^*$ and by $\epsilon$ the empty word. We may omit the symbol $\cdot$ when writing a word over $S$. The cardinality of a set $S$ is denoted by $\sharp S$. Also we write $2^S$ for the powerset of $S$. By infinite set we mean a countably infinite set (i.e. with the same cardinality as $\mathbb{N}$), and we say that a set is at most countable if it is finite or countably infinite. For a natural number $n$ we write $[n]$ for the set $\{1, 2, \ldots, n\}$, with the convention that $[0] = \emptyset$. For a binary relation $\rho$ we denote by $\rho^+$ its transitive closure and by $\rho^*$ its reflexive and transitive closure.

1.1.1 Terms over order-sorted signatures

Let $(\mathsf{Sorts}, \leq)$ be a finite partially ordered set, its elements being called basic sorts. A sort is a pair $(w, s) \in (\mathsf{Sorts}^* \times \mathsf{Sorts})$, denoted $s_1 \times \cdots \times s_n \to s$ if $n \geq 1$ and simply $s$ if $n = 0$, where $w = s_1 \ldots s_n$. By language abuse, we often call basic sorts just sorts. Furthermore, we assume that $(\mathsf{Sorts}, \leq)$ is a tree, where a tree is a partially ordered set such that for each $s \in \mathsf{Sorts}$, the set $\{s' \in \mathsf{Sorts} \mid s \leq s'\}$ is well-ordered by the relation $\geq$ (with $s \geq s'$ iff $s' \leq s$).

We consider an infinite set of variables $\mathcal{X}$, and an infinite set of names $\mathcal{N}$. Each variable and name has an associated unique basic sort, and for each sort there is an infinite number of variables and names of that sort. For a sort $s$, we denote by $\mathcal{X}_s$ (and $\mathcal{N}_s$) the set of variables (and respectively, names) of sort $s$.

Let $\mathcal{F}$ be an at most countable non-empty set of function symbols. For each function symbol $f$ there is a unique associated sort $s_1 \times \cdots \times s_n \to s$. This association is usually denoted by $f : s_1 \times \cdots \times s_n \to s$, and $n$ is called the arity of $f$. Function symbols of arity $0$ are called constants. The set of function symbols of sort $(w, s)$ is denoted by $\mathcal{F}_{w,s}$.

The set $\mathcal{F}$ is also called a signature. An order-sorted signature³ is a tuple $\Sigma = (\mathsf{Sorts}, \mathcal{F}, \leq)$, with $(\mathsf{Sorts}, \leq)$ and $\mathcal{F}$ as above.

A term over the signature $\mathcal{F}$ is defined inductively by:

• elements of $\mathcal{X} \cup \mathcal{N}$ are terms, and

• if $f \in \mathcal{F}$ has arity $n$ and $t_1, \ldots, t_n$ are terms then $f(t_1, \ldots, t_n)$ is a term.

We denote by $\mathcal{T}(\mathcal{F}, \mathcal{X}, \mathcal{N})$ the set of terms over the signature $\mathcal{F}$. We say that a term $t$ has sort $s$, and we denote it $t : s$, if

• $t \in \mathcal{X}_s \cup \mathcal{N}_s$, or

• $t = f(t_1, \ldots, t_n)$, $f \in \mathcal{F}_{s_1 \times \cdots \times s_n \to s}$ and $t_1, \ldots, t_n$ are terms of sorts $s'_1, \ldots, s'_n$ respectively, with $s'_i \leq s_i$ for all $1 \leq i \leq n$.

Note that a term has at most one (basic) sort. Terms that do not have a sort are called ill-sorted. In contrast, terms that have a sort are called well-sorted. Remark also that when $\mathsf{Sorts}$ is a singleton every term is well-sorted. We denote by $\mathcal{T}_s(\Sigma, \mathcal{X}, \mathcal{N})$ the set of terms of sort $s$, and let $\mathcal{T}(\Sigma, \mathcal{X}, \mathcal{N}) \stackrel{\mathrm{def}}{=} \bigcup_{s \in \mathsf{Sorts}} \mathcal{T}_s(\Sigma, \mathcal{X}, \mathcal{N})$ be the set of well-sorted terms.

³ This notion of order-sorted signature is a simplified version of what one usually finds in the literature (see, e.g. [GM92]), since here function symbols are not overloaded (i.e. they have a unique sort).


Example 1.1 Consider $\mathsf{Sorts} = \{A, B\}$ with $A < B$, $\mathcal{F} = \{f : A \to A,\ g : A \to B\}$, and $x, y$ variables of sort $A$ and $B$ respectively. Then $f(x)$ has sort $A$, $g(x)$ has sort $B$ and $f(y)$, $g(y)$ are ill-sorted terms (since $B \not\leq A$).

Unless explicitly mentioned, we consider only well-sorted terms. Thus, and by abuse of notation, we usually denote an order-sorted signature $\Sigma$ by its signature $\mathcal{F}$, especially when the set of sorts is clear from the context.

For a set of function symbols $F \subseteq \mathcal{F}$, a set of variables $X \subseteq \mathcal{X}$, and a set of names $N \subseteq \mathcal{N}$ we denote by $\mathcal{T}(F, X, N)$ the set of terms with function symbols in $F$, variables in $X$, and names in $N$. The sets $\mathcal{T}(F, X, \emptyset)$, $\mathcal{T}(F, \emptyset, N)$ and $\mathcal{T}(F, \emptyset, \emptyset)$ are abbreviated by $\mathcal{T}(F, X)$, $\mathcal{T}(F, N)$, and $\mathcal{T}(F)$ respectively. Moreover, we may use simply $\mathcal{T}$ instead of $\mathcal{T}(F, X, N)$ if the sets $F, X, N$ are clear from the context. We denote the set of variables (names) occurring in a term $t$ by $\mathit{var}(t)$ (respectively $\mathit{names}(t)$). A term without variables is called ground or closed. If $T, T'$ are sets of terms and $t, t'$ are terms we abbreviate $T \cup T'$ by $T, T'$, $T \cup \{t\}$ by $T, t$, and $\{t, t'\}$ by $t, t'$.

1.1.2 Positions and subterms
. 1.1.2 Positions and subterms

We denote by $\mathbb{N}_+$ the set of positive integers. Then $\mathbb{N}_+^*$ is the set of sequences of positive integers. We call positions the elements of $\mathbb{N}_+^*$. We say that a position $p$ is smaller than a position $q$, and we write $p \leq q$, if $p$ is a prefix of $q$.

Given a term $t$, the set of positions of $t$, denoted by $\mathit{pos}(t)$, is defined inductively as follows:

• if $t$ is a variable or a name then $\mathit{pos}(t) = \{\epsilon\}$;

• if $t = f(t_1, \ldots, t_n)$ then $\mathit{pos}(t) = \{\epsilon\} \cup \bigcup_{1 \leq i \leq n} \{i \cdot p \mid p \in \mathit{pos}(t_i)\}$.

Given a term $t$ and a position $p \in \mathit{pos}(t)$, the subterm of $t$ at position $p$, denoted by $t|_p$, is defined inductively by:

• if $p = \epsilon$ then $t|_p \stackrel{\mathrm{def}}{=} t$,

• if $p = i \cdot p'$ then $t|_p \stackrel{\mathrm{def}}{=} t_i|_{p'}$, where $t = f(t_1, \ldots, t_n)$ for some $f \in \mathcal{F}$ and some terms $t_1, \ldots, t_n$.

A term $u$ is a (proper) subterm of a term $v$ iff there is a position $p \in \mathit{pos}(v)$ such that $u = v|_p$ (and $u \neq v$). We extend the notion of subterm to sets of terms and say that a term $u$ is a subterm of a set of terms $T$ if $u$ is a subterm of $t$ for some $t \in T$. We write $\mathit{st}(t)$ and $\mathit{st}(T)$ for the set of subterms of a term $t$, and of a set of terms $T$, respectively. We denote by $\leq_{\mathit{st}}$ ($<_{\mathit{st}}$) the (strict) subterm ordering, with $u \leq_{\mathit{st}} v$ ($u <_{\mathit{st}} v$) iff $u$ is a (proper) subterm of $v$.

The head symbol of a term $t$, denoted by $head(t)$, is defined by $head : T(\mathcal{F}, \mathcal{X}, \mathcal{N}) \to \mathcal{F} \cup \mathcal{X} \cup \mathcal{N}$, with
• $head(t) = t$ if $t$ is a name or a variable,
• $head(t) = f$ if $t = f(t_1, \ldots, t_n)$.
An occurrence of a subterm $t'$ in a term $t$ is a position $p \in pos(t)$ such that $t|_p = t'$. An occurrence of a function symbol $f$ in a term $t$ is a position $p \in pos(t)$ such that the head symbol of $t|_p$ is $f$. Also we write $pos_v(t)$ for the set of variable positions of $t$ (i.e. occurrences of variables in $t$), and $pos_{nv}(t)$ for the set of non-variable positions of $t$ (i.e. occurrences of names and function symbols in $t$).

[Figure 1.1a: the tree of $t$ with nodes $h, g, a, b, g, a, b, b$ and its DAG with nodes $h, g, a, b$; Figure 1.1b: a DAG with nodes $f, f_1, \ldots, f_k, a_1, \ldots, a_k$]

Figure 1.1: (a) The tree and the DAG representations of $t = h(g(a, b), g(a, b), b)$; (b) the DAG representation of $f(f_1(a_1, \ldots, a_k), \ldots, f_k(a_1, \ldots, a_k))$.

For two terms $u$, $v$ and a position $p \in pos(u)$ such that $u|_p$ and $v$ have the same sort, $u[v]_p$ denotes the term obtained by replacing in $u$ the subterm at position $p$ by $v$. Formally we have the following inductive definition:
• if $p = \epsilon$ then $u[v]_p \stackrel{\mathrm{def}}{=} v$,
• if $p = i \cdot p'$ then $u = f(u_1, \ldots, u_n)$ with $1 \le i \le n$, and $u[v]_p \stackrel{\mathrm{def}}{=} f(u_1, \ldots, u_{i-1}, u_i[v]_{p'}, u_{i+1}, \ldots, u_n)$.

Representations of terms. The tree-representation of a term $t$ is the ordered directed tree $G = (V, E)$ with $V = pos(t)$ and $E = \{(p, i, q) \mid p \cdot i = q\}$, where a triple $(n, i, n')$ denotes the $i$-th outgoing arc from the parent node $n$ (to the child node $n'$). Remark that the size of this representation is linear in the number of nodes of the tree.

The size of a term $t$ is $|t| \stackrel{\mathrm{def}}{=} \sharp pos(t)$ and the size of a set of terms $T$ is $|T| \stackrel{\mathrm{def}}{=} \sum_{t \in T} |t|$.

In a tree-representation of $t$, nodes $p$ are in a many-to-one correspondence to subterms of $t$ (i.e. $t|_p$). A more compact representation is obtained by considering a one-to-one correspondence between nodes and subterms (see Figure 1.1a).

The DAG-representation of a term $t$ is the ordered DAG (directed acyclic graph) $G = (V, E)$ with $V = st(t)$ and $E = \{(u, i, v) \mid u = f(u_1, \ldots, u_n),\ v = u_i,\ 1 \le i \le n\}$. We observe that $\sharp E = \sum_{u \in st(t)} k_u$, where $k_u$ is the arity of the head function symbol of $u$. Thus $\sharp E \le k \times \sharp st(t)$, where $k$ is the maximal arity of function symbols in the signature (see Figure 1.1b). Supposing that the signature is fixed, and that DAGs are implemented with lists, the size of this representation is linear in the number of subterms. Given a set of terms $T$, a single DAG can represent all terms in $T$ (consider this time $V = st(T)$) provided that for each term there is a pointer to the corresponding node in the graph. Observe that the number of terms in $T$, thus of pointers, is at most the number of subterms of $T$ (each term of $T$ is itself a subterm of $T$), thus the size of the representation of $T$ is still linear in the number of subterms of $T$.

The dag-size of a term $t$ is $|t|_{dag} \stackrel{\mathrm{def}}{=} \sharp st(t)$ and the dag-size of a set of terms $T$ is $|T|_{dag} \stackrel{\mathrm{def}}{=}$
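As an added illustration (not part of the thesis), the following Python code implements the definitions of this section: positions, $t|_p$, $u[v]_p$, $st(t)$, head symbols, variable and non-variable positions, size and dag-size, and the DAG representation with one node per distinct subterm and a pointer per term. The term encoding (strings for names and variables, with variables capitalised by convention; tuples for applications) and the function names are this example's own choices, not the thesis's; sorts are not modelled, so $u[v]_p$ does not check them. It also builds the term of Figure 1.1b for arbitrary $k$ to exhibit the quadratic gap between $|t|$ and $|t|_{dag}$.

```python
# Added example, not from the thesis.  Conventions (assumptions of this example):
#   - a name or a variable is a string; names are lower-case ("a"), variables
#     are capitalised ("X");
#   - an application f(t1, ..., tn) is the tuple (f, t1, ..., tn);
#   - a position is a tuple of positive integers, () being epsilon.
# Sorts are not modelled: every term is assumed to have the same sort.
from typing import Dict, List, Set, Tuple, Union

Term = Union[str, tuple]
Position = Tuple[int, ...]

def is_variable(t: Term) -> bool:
    return isinstance(t, str) and t[0].isupper()

def head(t: Term):
    """head(t): the term itself for a name or variable, else its function symbol."""
    return t if isinstance(t, str) else t[0]

def args(t: Term) -> tuple:
    """Direct subterms t1, ..., tn of f(t1, ..., tn); () for names and variables."""
    return () if isinstance(t, str) else t[1:]

def pos(t: Term) -> Set[Position]:
    """pos(t) = {eps} U (union over 1<=i<=n of {i.p | p in pos(t_i)})."""
    result: Set[Position] = {()}
    for i, ti in enumerate(args(t), start=1):
        result |= {(i,) + p for p in pos(ti)}
    return result

def subterm_at(t: Term, p: Position) -> Term:
    """t|_p; raises ValueError when p is not in pos(t)."""
    if not p:
        return t
    i, rest = p[0], p[1:]
    a = args(t)
    if not 1 <= i <= len(a):
        raise ValueError(f"position {p} is not in pos({t!r})")
    return subterm_at(a[i - 1], rest)

def replace_at(u: Term, v: Term, p: Position) -> Term:
    """u[v]_p: u with the subterm at position p replaced by v."""
    if not p:
        return v
    i, rest = p[0], p[1:]
    a = args(u)
    if not 1 <= i <= len(a):
        raise ValueError(f"position {p} is not in pos({u!r})")
    return (head(u),) + a[: i - 1] + (replace_at(a[i - 1], v, rest),) + a[i:]

def st(t: Term) -> Set[Term]:
    """st(t) = {t|_p | p in pos(t)}; equal subterms collapse since tuples hash by value."""
    return {subterm_at(t, p) for p in pos(t)}

def pos_v(t: Term) -> Set[Position]:
    """Variable positions of t (occurrences of variables)."""
    return {p for p in pos(t) if is_variable(subterm_at(t, p))}

def pos_nv(t: Term) -> Set[Position]:
    """Non-variable positions of t (occurrences of names and function symbols)."""
    return pos(t) - pos_v(t)

def size(t: Term) -> int:
    """|t| = #pos(t), the number of nodes of the tree representation."""
    return len(pos(t))

def dag_size(t: Term) -> int:
    """|t|_dag = #st(t), the number of nodes of the DAG representation."""
    return len(st(t))

def build_dag(terms: List[Term]):
    """DAG representation of a set of terms T: V = st(T), one node per distinct
    subterm, E = {(u, i, u_i)}.  Returns (nodes, arcs, roots): nodes[n] is the
    head symbol of node n, arcs is the set of triples (parent, i, i-th child),
    and roots[j] is the node ("pointer") of terms[j]."""
    node_of: Dict[Term, int] = {}      # subterm -> its unique node
    nodes: List = []
    arcs: Set[Tuple[int, int, int]] = set()

    def intern(t: Term) -> int:
        if t in node_of:               # subterm already present: share the node
            return node_of[t]
        children = [intern(ti) for ti in args(t)]
        n = len(nodes)
        nodes.append(head(t))
        node_of[t] = n
        for i, c in enumerate(children, start=1):
            arcs.add((n, i, c))
        return n

    roots = [intern(t) for t in terms]
    return nodes, arcs, roots

def figure_1_1b(k: int) -> Term:
    """f(f_1(a_1,...,a_k), ..., f_k(a_1,...,a_k)): |t| = 1 + k + k^2, |t|_dag = 2k + 1."""
    names = tuple(f"a{j}" for j in range(1, k + 1))
    return ("f",) + tuple((f"f{i}",) + names for i in range(1, k + 1))

if __name__ == "__main__":
    t = ("h", ("g", "a", "b"), ("g", "a", "b"), "b")          # Figure 1.1a
    print(size(t), dag_size(t))                               # 8 4
    print(size(figure_1_1b(10)), dag_size(figure_1_1b(10)))   # 111 21
```

Run as a script it prints 8 and 4 for the term of Figure 1.1a (eight positions, four distinct subterms) and 111 and 21 for Figure 1.1b with $k = 10$; the DAG built by `build_dag` has exactly $\sharp st(t)$ nodes and $\sum_{u \in st(t)} k_u$ arcs, which is why the shared representation, unlike the tree, stays linear in the number of subterms.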

