On the semantics of communications when verifying equivalence properties
Kushal Babel, Vincent Cheval, and Steve Kremer. On the semantics of communications when verifying equivalence properties. Journal of Computer Security, 28(1):71–127, 2020.
doi:10.3233/JCS-191366
Download
Abstract
Symbolic models for security protocol verification were pioneered by Dolev and Yao in their seminal work. Since then, although inspired by the same ideas, many variants of the original model were developed. In particular, a common assumption is that the attacker has complete control over the network and can therefore intercept any message. This assumption has been interpreted in slightly different ways depending on the particular models: either any protocol output is directly routed to the adversary, or communications may be among any two participants, including the attacker --- the scheduling between which exact parties the communication happens is left to the attacker. This difference may seem unimportant at first glance and, depending on the verification tools, either one or the other semantics is implemented. We show that, unsurprisingly, they indeed coincide for reachability properties. However, for indistinguishability properties, we prove that these two interpretations lead to incomparable semantics. We also introduce and study a new semantics, where internal communications are allowed but messages are always eavesdropped by the attacker. This new semantics yields strictly stronger equivalence relations. Moreover, we identify two subclasses of protocols for which the three semantics coincide. Finally, we implemented verification of trace equivalence for each of the three semantics in the DEEPSEC tool and compare their performances on several classical examples.
BibTeX
@Article{BCK-jcs20,
abstract = {Symbolic models for security protocol verification
were pioneered by Dolev and Yao in their seminal
work. Since then, although inspired by the same
ideas, many variants of the original model were
developed. In particular, a common assumption is
that the attacker has complete control over the
network and can therefore intercept any
message. This assumption has been interpreted in
slightly different ways depending on the particular
models: either any protocol output is directly
routed to the adversary, or communications may be
among any two participants, including the attacker
--- the scheduling between which exact parties the
communication happens is left to the attacker. This
difference may seem unimportant at first glance and,
depending on the verification tools, either one or
the other semantics is implemented. We show that,
unsurprisingly, they indeed coincide for
reachability properties. However, for
indistinguishability properties, we prove that these
two interpretations lead to incomparable
semantics. We also introduce and study a new
semantics, where internal communications are allowed
but messages are always eavesdropped by the
attacker. This new semantics yields strictly
stronger equivalence relations. Moreover, we
identify two subclasses of protocols for which the
three semantics coincide. Finally, we implemented
verification of trace equivalence for each of the
three semantics in the DEEPSEC tool and compare
their performances on several classical examples.},
author = {Babel, Kushal and Cheval, Vincent and Kremer, Steve},
title = {On the semantics of communications when verifying
equivalence properties},
journal = {Journal of Computer Security},
volume = 28,
number = 1,
pages = {71-127},
year = 2020,
doi = {10.3233/JCS-191366},
url = {https://hal.inria.fr/hal-02446910/document},
}