A small bound on the number of sessions for security protocols
A small bound on the number of sessions for security protocols. Véronique Cortier, Antoine Dallon, and Stéphanie Delaune. In 35th IEEE Computer Security Foundations Symposium (CSF'22), Haifa, Israel, August 2022.
Download
Abstract
Bounding the number of sessions is a long-standing problem in the
context of security protocols. It is well known that even simple
properties like secrecy are undecidable when an unbounded number of
sessions is considered. Yet, attacks on existing protocols only
require a few sessions.
In this paper, we propose a sound algorithm that computes a sufficient
set of scenarios that need to be considered to detect an attack. Our approach can be applied for both reachability and equivalence properties, for protocols with standard primitives that
are type-compliant (unifiable messages have the
same type). Moreover, when equivalence properties are considered,
else branches are disallowed, and protocols are supposed to be simple (an attacker knows from which role and session a message comes from).
Since this class remains undecidable, our
algorithm may return an infinite set. However, our experiments show
that on most basic protocols of the literature, our algorithm computes
a small number of sessions (a dozen). As a consequence, tools for a
bounded number of sessions like DeepSec can then be used to conclude
that a protocol is secure for an unbounded number of sessions.
BibTeX
@InProceedings{tightbound-CSF22, author = {V\'eronique Cortier and Antoine Dallon and St\'ephanie Delaune}, title = {A small bound on the number of sessions for security protocols}, OPTcrossref = {}, OPTkey = {}, booktitle = {35th IEEE Computer Security Foundations Symposium (CSF'22)}, year = {2022}, abstract = {Bounding the number of sessions is a long-standing problem in the context of security protocols. It is well known that even simple properties like secrecy are undecidable when an unbounded number of sessions is considered. Yet, attacks on existing protocols only require a few sessions. \par In this paper, we propose a sound algorithm that computes a sufficient set of scenarios that need to be considered to detect an attack. Our approach can be applied for both reachability and equivalence properties, for protocols with standard primitives that are type-compliant (unifiable messages have the same type). Moreover, when equivalence properties are considered, else branches are disallowed, and protocols are supposed to be simple (an attacker knows from which role and session a message comes from). Since this class remains undecidable, our algorithm may return an infinite set. However, our experiments show that on most basic protocols of the literature, our algorithm computes a small number of sessions (a dozen). As a consequence, tools for a bounded number of sessions like DeepSec can then be used to conclude that a protocol is secure for an unbounded number of sessions.}, month = {August}, address = {Haifa, Israel}, OPTdoi = {}, }