On Communication Models When Verifying Equivalence Properties
Symbolic models for security protocol verification, following the seminal ideas of Dolev and Yao, come in many flavors, even though they share the same ideas. A common assumption is that the attacker has complete control over the network: he can therefore intercept any message. Depending on the precise model this may be reflected either by the fact that any protocol output is directly routed to the adversary, or communications may be among any two participants, including the attacker — the scheduling between which exact parties the communication happens is left to the attacker. These two models may seem equivalent at first glance and, depending on the verification tools, either one or the other semantics is implemented. We show that, unsurprisingly, they indeed coincide for reachability properties. However, when we consider indistinguishability properties, we prove that these two semantics are incomparable. We also introduce a new semantics, where internal communications are allowed but messages are always eavesdropped by the attacker. We show that this new semantics yields strictly stronger equivalence relations. We also identify two subclasses of protocols for which the three semantics coincide. Finally, we implemented verification of trace equivalence for each of these semantics in the APTE tool and compare their performances on several classical examples.
KeywordsFunction Symbol Operational Semantic Authentication Protocol Extended Process Classical Semantic
We would like to thank Catherine Meadows and Stéphanie Delaune for interesting discussions, as well as the anonymous reviewers for their comments. This work has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation program (grant agreement No 645865-SPOOC) and the ANR project SEQUOIA ANR-14-CE28-0030-01.
- 1.Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: Nielson, H.R.: 28th Symposium on Principles of Programming Languages (POPL 2001), pp. 104–115. ACM, London, January 2001Google Scholar
- 4.Arapinis, M., Cheval, V., Delaune, S.: Verifying privacy-type properties in a modular way. In: Cortier, V., Zdancewic, S. (eds.) Proceedings of the 25th IEEE Computer Security Foundations Symposium (CSF 2012), pp. 95–109. IEEE Computer Society Press, Cambridge, June 2012Google Scholar
- 5.Arapinis, M., Chothia, T., Ritter, E., Ryan, M.: Analysing unlinkability and anonymity using the applied pi calculus. In: Proceedings of 23rd Computer Security Foundations Symposium (CSF 2010), pp. 107–121. IEEE Computer Society Press (2010)Google Scholar
- 7.Babel, K., Cheval, V., Kremer, S.: On communication models when verifying equivalence properties. Technical report, HAL (2017)Google Scholar
- 11.Cheval, V., Comon-Lundh, H., Delaune, S.: Trace equivalence decision: negative tests and non-determinism. In: Proceedings of 18th ACM Conference on Computer and Communications Security (CCS 2011), ACM, October 2011Google Scholar
- 16.Force, P.T.: PKI for machine readable travel documents offering ICC read-only access. Technical report, International Civil Aviation Organization (2004)Google Scholar
- 17.Millen, J.K., Shmatikov, V.: Constraint solving for bounded-process cryptographic protocol analysis. In: Proceedings of 8th Conference on Computer and Communications Security, pp. 166–175. ACM Press (2001)Google Scholar
- 19.Ryan, P., Schneider, S., Goldsmith, M., Lowe, G., Roscoe, A.: Modelling and Analysis of Security Protocols. Addison Wesley, Boston (2000)Google Scholar
- 22.Tiu, A., Dawson, J.E.: Automating open bisimulation checking for the spi calculus. In: Proceedings of 23rd Computer Security Foundations Symposium (CSF 2010), pp. 307–321. IEEE Computer Society (2010)Google Scholar