From security protocols to pushdown automata

Rémy Chrétien, Véronique Cortier, and Stéphanie Delaune. From security protocols to pushdown automata. ACM Transactions on Computational Logic, 17(1:3), ACM Press, September 2015.

Download

[PDF] 

Abstract

Formal methods have been very successful in analyzing security protocols for reachability properties such as secrecy or authentication. In contrast, there are very few results for equivalence-based properties, crucial for studying e.g. privacy-like properties such as anonymity or vote secrecy.
We study the problem of checking equivalence of security protocols for an unbounded number of sessions. Since replication leads very quickly to undecidability (even in the simple case of secrecy), we focus on a limited fragment of protocols (standard primitives but pairs, one variable per protocol's rules) for which the secrecy preservation problem is known to be decidable. Surprisingly, this fragment turns out to be undecidable for equivalence. Then, restricting our attention to deterministic protocols, we propose the first decidability result for checking equivalence of protocols for an unbounded number of sessions. This result is obtained through a characterization of equivalence of protocols in terms of equality of languages of (generalized, real-time) deterministic pushdown automata. We further show that checking for equivalence of protocols is actually equivalent to checking for equivalence of generalized, real-time deterministic pushdown automata.
Very recently, the algorithm for checking for equivalence of deterministic pushdown automata has been implemented. We have implemented our translation from protocols to pushdown automata, yielding the first tool that decides equivalence of (some class of) protocols, for an unbounded number of sessions. As an application, we have analyzed some protocols of the literature including a simplified version of the basic access control (BAC) protocol used in biometric passports.

BibTeX

@article{CCD-tocl15,
  abstract =      {Formal methods have been very successful in analyzing
                   security protocols for reachability properties such
                   as secrecy or authentication. In contrast, there are
                   very few results for equivalence-based properties,
                   crucial for studying e.g. privacy-like properties
                   such as anonymity or vote secrecy.\par We study the
                   problem of checking equivalence of security protocols
                   for an unbounded number of sessions. Since
                   replication leads very quickly to undecidability
                   (even in the simple case of secrecy), we focus on a
                   limited fragment of protocols (standard primitives
                   but pairs, one variable per protocol's rules) for
                   which the secrecy preservation problem is known to be
                   decidable. Surprisingly, this fragment turns out to
                   be undecidable for equivalence. Then, restricting our
                   attention to deterministic protocols, we propose the
                   first decidability result for checking equivalence of
                   protocols for an unbounded number of sessions. This
                   result is obtained through a characterization of
                   equivalence of protocols in terms of equality of
                   languages of (generalized, real-time) deterministic
                   pushdown automata. We further show that checking for
                   equivalence of protocols is actually equivalent to
                   checking for equivalence of generalized, real-time
                   deterministic pushdown automata.\par Very recently,
                   the algorithm for checking for equivalence of
                   deterministic pushdown automata has been implemented.
                   We have implemented our translation from protocols to
                   pushdown automata, yielding the first tool that
                   decides equivalence of (some class of) protocols, for
                   an unbounded number of sessions. As an application,
                   we have analyzed some protocols of the literature
                   including a simplified version of the basic access
                   control (BAC) protocol used in biometric passports.},
  author =        {Chr{\'e}tien, R{\'e}my and Cortier, V{\'e}ronique and
                   Delaune, St{\'e}phanie},
  OPTDOI =           {10.1145/2811262},
  journal =       {ACM Transactions on Computational Logic},
  month =         sep,
  number =        {1:3},
  publisher =     {ACM Press},
  title =         {From security protocols to pushdown automata},
  volume =        {17},
  year =          {2015},
  nmonth =        {9},
  lsv-category =  {jour},
  wwwpublic =     {public and ccsb},
}