Timing Attacks in Security Protocols: Symbolic Framework and Proof Techniques

  • Vincent Cheval
  • Véronique Cortier
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9036)


We propose a framework for timing attacks, based on (a variant of) the applied-pi calculus. Since many privacy properties, as well as strong secrecy and game-based security properties, are stated as process equivalences, we focus on (time) trace equivalence. We show that actually, considering timing attacks does not add any complexity: time trace equivalence can be reduced to length trace equivalence, where the attacker no longer has access to execution times but can still compare the length of messages. We therefore deduce from a previous decidability result for length equivalence that time trace equivalence is decidable for bounded processes and the standard cryptographic primitives.

As an application, we study several protocols that aim for privacy. In particular, we (automatically) detect an existing timing attack against the biometric passport and new timing attacks against the Private Authentication protocol.


Computation Time Timing Attack Time Function Function Symbol Security Protocol 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
  2. 2.
    Machine readable travel document. Technical Report 9303, International Civil Aviation Organization (2008)Google Scholar
  3. 3.
    Abadi, M., Cortier, V.: Deciding knowledge in security protocols under equational theories. Theoretical Computer Science 387(1-2), 2–32 (2006)CrossRefMathSciNetGoogle Scholar
  4. 4.
    Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: 28th ACM Symp. on Principles of Programming Languages, POPL 2001 (2001)Google Scholar
  5. 5.
    Abadi, M., Gordon, A.: A calculus for cryptographic protocols: The spi calculus. In: 4th Conference on Computer and Communications Security (CCS 1997), pp. 36–47. ACM Press (1997)Google Scholar
  6. 6.
    Abadi, M., Blanchet, B.: Analyzing Security Protocols with Secrecy Types and Logic Programs. Journal of the ACM 52(1), 102–146 (2005)CrossRefzbMATHMathSciNetGoogle Scholar
  7. 7.
    Abadi, M., Fournet, C.: Private authentication. Theoretical Computer Science 322(3), 427–476 (2004)CrossRefzbMATHMathSciNetGoogle Scholar
  8. 8.
    Almeida, J.B., Barbosa, M., Barthe, G., Dupressoir, F.: Certified computer-aided cryptography: Efficient provably secure machine code from high-level implementations. In: 21st ACM Conference on Computer and Communications Security, CCS 2013 (2013)Google Scholar
  9. 9.
    Arapinis, M., Chothia, T., Ritter, E., Ryan, M.: Analysing unlinkability and anonymity using the applied pi calculus. In: 23rd IEEE Computer Security Foundations Symposium, CSF 2010 (2010)Google Scholar
  10. 10.
    Arapinis, M., Mancini, L.I., Ritter, E., Ryan, M., Golde, N., Redon, K., Borgaonkar, R.: New privacy issues in mobile telephony: fix and verification. In: ACM Conference on Computer and Communications Security, pp. 205–216 (2012)Google Scholar
  11. 11.
    Backes, M., Doychev, G., Köpf, B.: Preventing side-channel leaks in web traffic: A formal approach. In: Network and Distributed System Security Symposium, NDSS 2013 (2013)Google Scholar
  12. 12.
    Backes, M., Duermuth, M., Gerling, S., Pinkal, M., Sporleder, C.: Acoustic emanations of printers. In: 19th USENIX Security Symposium (2010)Google Scholar
  13. 13.
    Backes, M., Köpf, B., Rybalchenko, A.: Automatic discovery and quantification of information leaks. In: Symposium on Security and Privacy, S&P 2009 (2009)Google Scholar
  14. 14.
    Baudet, M., Cortier, V., Delaune, S.: YAPA: A generic tool for computing intruder knowledge. ACM Transactions on Computational Logic 14 (2013)Google Scholar
  15. 15.
    Bella, G., Paulson, L.C.: Kerberos version IV: Inductive analysis of the secrecy goals. In: Quisquater, J.-J., Deswarte, Y., Meadows, C., Gollmann, D. (eds.) ESORICS 1998. LNCS, vol. 1485, pp. 361–375. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  16. 16.
    Bernstein, D.J., Chou, T., Schwabe, P.: Mcbits: Fast constant-time code-based cryptography. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 250–272. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  17. 17.
    Biondi, F., Legay, A., Malacaria, P., Wąsowski, A.: Quantifying information leakage of randomized protocols. In: Giacobazzi, R., Berdine, J., Mastroeni, I. (eds.) VMCAI 2013. LNCS, vol. 7737, pp. 68–87. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  18. 18.
    Blanchet, B., Abadi, M., Fournet, C.: Automated Verification of Selected Equivalences for Security Protocols. In: 20th Symposium on Logic in Computer Science, LICS 2005 (2005)Google Scholar
  19. 19.
    Blanchet, B.: Automatic proof of strong secrecy for security protocols. In: Symposium on Security and Privacy (S&P 2004), pp. 86–100. IEEE Comp. Soc. Press (2004)Google Scholar
  20. 20.
    Cheval, V.: APTE (Algorithm for Proving Trace Equivalence) (2013),
  21. 21.
    Cheval, V., Comon-Lundh, H., Delaune, S.: Trace equivalence decision: Negative tests and non-determinism. In: 18th ACM Conference on Computer and Communications Security, CCS 2011 (2011)Google Scholar
  22. 22.
    Cheval, V.: Apte: an algorithm for proving trace equivalence. In: Ábrahám, E., Havelund, K. (eds.) TACAS 2014. LNCS, vol. 8413, pp. 587–592. Springer, Heidelberg (2014)Google Scholar
  23. 23.
    Cheval, V., Blanchet, B.: Proving more observational equivalences with proverif. In: Basin, D., Mitchell, J.C. (eds.) POST 2013. LNCS, vol. 7796, pp. 226–246. Springer, Heidelberg (2013)Google Scholar
  24. 24.
    Cheval, V., Cortier, V., Plet, A.: Lengths may break privacy – or how to check for equivalences with length. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 708–723. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  25. 25.
    Chothia, T., Smirnov, V.: A traceability attack against e-passports. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 20–34. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  26. 26.
    Cohen, E.: Taps: A first-order verifier for cryptographic protocols. In: 13th IEEE Computer Security Foundations Workshop (CSFW 2000). IEEE Computer Society Press, Los Alamitos (2000)Google Scholar
  27. 27.
    Comon-Lundh, H., Cortier, V.: Computational soundness of observational equivalence. In: 15th Conf. on Computer and Communications Security, CCS 2008 (2008)Google Scholar
  28. 28.
    Cortier, V., Delaune, S.: Decidability and combination results for two notions of knowledge in security protocols. Journal of Automated Reasoning, 48 (2012)Google Scholar
  29. 29.
    Delaune, S., Kremer, S., Ryan, M.D.: Verifying privacy-type properties of electronic voting protocols. Journal of Computer Security (4), 435–487 (2008)Google Scholar
  30. 30.
    Evans, N., Schneider, S.: Analysing time dependent security properties in CSP using PVS. In: Cuppens, F., Deswarte, Y., Gollmann, D., Waidner, M. (eds.) ESORICS 2000. LNCS, vol. 1895, pp. 222–237. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  31. 31.
    Gorrieri, R., Locatelli, E., Martinelli, F.: A simple language for real-time cryptographic protocol analysis. In: Degano, P. (ed.) ESOP 2003. LNCS, vol. 2618, pp. 114–128. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  32. 32.
    Jakubowska, G., Penczek, W.: Modelling and checking timed authentication of security protocols. Fundamenta Informaticae, 363–378 (2007)Google Scholar
  33. 33.
    Käsper, E., Schwabe, P.: Faster and timing-attack resistant aes-gcm. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 1–17. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  34. 34.
    Kocher, P.C.: Timing attacks on implementations of diffie-hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  35. 35.
    Köpf, B., Basin, D.: An information-theoretic model for adaptive side-channel attacks. In: 14th ACM Conf. on Computer and Communications Security, CCS 2007 (2007)Google Scholar
  36. 36.
    Molnar, D., Piotrowski, M., Schultz, D., Wagner, D.: The program counter security model: Automatic detection and removal of control-flow side channel attacks. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 156–168. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  37. 37.
    Phan, Q.-S., Malacaria, P., Tkachuk, O., Pasareanu, C.S.: Symbolic quantitative information flow. ACM SIGSOFT Software Engineering Notes (2012)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  • Vincent Cheval
    • 1
    • 2
  • Véronique Cortier
    • 1
  1. 1.LORIACNRSNancyFrance
  2. 2.School of ComputingUniversity of KentKentUK

Personalised recommendations