
A Decidable Class of Security Protocols for Both Reachability and Equivalence Properties

Abstract

We identify a new decidable class of security protocols, both for reachability and equivalence properties. Our result holds for an unbounded number of sessions and for protocols with nonces. It covers all standard cryptographic primitives. Our class rests on three main assumptions. (i) Protocols need to be “simple”, meaning that an attacker can precisely identify from which participant and which session a message originates. We also consider protocols with no else branches (only positive tests). (ii) Protocols should be type-compliant, which is intuitively guaranteed as soon as two encrypted messages of the protocol cannot be confused. (iii) Finally, we define the notion of a dependency graph, which, given a protocol, characterises how its actions depend on one another (both sequential dependencies and data dependencies are taken into account). Whenever the graph is acyclic, the protocol falls into our class. We show that many protocols of the literature belong to our decidable class, including for example some of the protocols embedded in the biometric passport.



Acknowledgements

The research leading to these results has received funding from the European Research Council under the European Union’s Horizon 2020 research and innovation program (ERC Grant Agreement no. 714955-POPSTAR and ERC Grant Agreement no. 645865-SPOOC), as well as from the French National Research Agency (ANR) under the project TECAP.

Corresponding author

Correspondence to Véronique Cortier.


Cite this article

Cortier, V., Delaune, S. & Sundararajan, V. A Decidable Class of Security Protocols for Both Reachability and Equivalence Properties. J Autom Reasoning 65, 479–520 (2021). https://doi.org/10.1007/s10817-020-09582-9


Keywords

  • Security protocols
  • Verification
  • Privacy properties