Security protocols: formal models and verification (Sergiu Bursuc, slide deck)

Security protocols: formal models and verification
Sergiu Bursuc, School of Computer Science, University of Bristol
Finse Winter School, 7 May 2015

Security protocols: roles and goals
Roles: P1, ..., Pn (e.g. clients, servers, devices,


  1-2. Messages as terms
  Term algebra T(F, N ∪ X), with names N = {a, b, c, k1, k2, ...}, variables X = {x, y, z, ...} and function symbols F = {f1, ..., fk}:
  - N ⊆ T(F, N ∪ X)
  - X ⊆ T(F, N ∪ X)
  - t1, ..., tk ∈ T(F, N ∪ X) and f ∈ F  ⇒  f(t1, ..., tk) ∈ T(F, N ∪ X)
  Examples: enc(a, k), enc(x, k), enc(enc(x, k1), k2), dec(x, k)
  Equational theory: u1 = v1, ..., un = vn
  Example: dec(enc(x, y), y) = x
  Note: the equational theory both augments and restricts the attacker's power.

  3-6. Equational theories
  Symmetric key encryption: dec(enc(x, y), y) = x
  Public key encryption: dec(enc(x, pub(y)), y) = x
  Signatures: check(sign(x, y), pub(y)) = ok; get(sign(x, y)) = x
  Blind signatures: check(sign(x, y), pub(y)) = ok; get(sign(x, y)) = x; unblind(sign(blind(x, y), z), y) = sign(x, z); unblind(blind(x, y), y) = x

  7-9. Equational theories
  Modular exponentiation: exp(exp(x, y), z) = exp(exp(x, z), y)
  Re-randomizable encryption: dec(enc(x, pub(y), z), y) = x; renc(enc(x, y, z), z′) = enc(x, y, f(z, z′))
  Homomorphic encryption: dec(enc(x, pub(y), z), y) = x; enc(x1, y, z1) ⋆ enc(x2, y, z2) = enc(x1 + x2, y, z1 ⋆ z2)

  10-13. Intruder deduction: T ⊢ t
  Composition: from T ⊢ t1, ..., T ⊢ tk and f ∈ F, derive T ⊢ f(t1, ..., tk)
  Equational reasoning: from T ⊢ u and u =_E v, derive T ⊢ v
  - enc(s, k1), enc(k1, k2), sign(k2, k3) ⊢ s ?
  - enc(s, enc(s, k1)), enc(enc(s, k1), sign(k1, k2)), k1, k2 ⊢ s ?
  - enc(s, enc(s, k1)), enc(enc(s, k1), sign(k1, k2)), k1, k2′ ⊢ s ?

  14-15. Intruder deduction and passive security
  Intruder knowledge: t1, ..., tn
  Intruder power: E
  Security question: t1, ..., tn ⊢_E s ?

  1. C → T : C, S, Nc
  2. T → C : enc(⟨Nc, S, Kcs, enc(⟨Kcs, C⟩, Kst)⟩, Kct)
  3. C → S : enc(⟨Kcs, C⟩, Kst)
  4. S → C : enc(Nb, Kcs)
  5. C → S : enc(inc(Nb), Kcs)

  Intruder knowledge (after 2 sessions):
  C1, C2, S, Nc1, Nc2,
  enc(⟨Nc1, S, Kc1s, enc(⟨Kc1s, C1⟩, Kst)⟩, Kc1t), enc(⟨Nc2, S, Kc2s, enc(⟨Kc2s, C2⟩, Kst)⟩, Kc2t),
  enc(⟨Kc1s, C1⟩, Kst), enc(⟨Kc2s, C2⟩, Kst),
  enc(Nb1, Kc1s), enc(Nb2, Kc2s), enc(inc(Nb1), Kc1s), enc(inc(Nb2), Kc2s)
  Security question: does the intruder know Kc1s or Kc2s ?
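As an added worked example (not part of the slides), the Python below implements the intruder deduction T ⊢_E t for the theories introduced above (symmetric and public-key encryption, signatures with get, pairing) and answers the three deduction questions and the two-session passive Needham-Schroeder question. It assumes the slides' enc is asymmetric exactly when the key has the form pub(sk), that inc is a public function, and that the closure "analyse to a fixpoint, then compose" is used, which is complete for this subterm-convergent theory.

```python
# Terms: a name or variable is a str; f(t1, ..., tk) is the tuple (f, t1, ..., tk).
def enc(m, k):   return ("enc", m, k)     # symmetric if k is a name, asymmetric if k = pub(sk)
def sign(m, k):  return ("sign", m, k)
def pub(k):      return ("pub", k)
def pair(*ts):   return ("pair",) + ts    # the slides' <t1, ..., tn>

CONSTRUCTORS = {"enc", "sign", "pub", "pair", "inc"}   # symbols the attacker may apply

def synth(t, K):
    """Composition only: t is in K, or t = f(t1..tk) with f a constructor and
    every ti synthesisable (the rule  T ⊢ t1 ... T ⊢ tk  /  T ⊢ f(t1..tk))."""
    if t in K:
        return True
    if isinstance(t, str):
        return False                       # a fresh name cannot be guessed
    return t[0] in CONSTRUCTORS and all(synth(a, K) for a in t[1:])

def analyze(K):
    """Saturate K with the destructor side of E: dec(enc(x,y),y) = x,
    dec(enc(x,pub(y)),y) = x, get(sign(x,y)) = x and pair projections.
    A ciphertext is opened only once its key is itself deducible."""
    K = set(K)
    changed = True
    while changed:
        changed = False
        for t in list(K):
            if isinstance(t, str):
                continue
            learned = []
            if t[0] == "enc":
                k = t[2]
                needed = k[1] if isinstance(k, tuple) and k[0] == "pub" else k
                if synth(needed, K):
                    learned.append(t[1])
            elif t[0] == "sign":
                learned.append(t[1])       # get(sign(x, y)) = x: signing does not hide x
            elif t[0] == "pair":
                learned.extend(t[1:])
            for m in learned:
                if m not in K:
                    K.add(m)
                    changed = True
    return K

def deducible(K, t):
    """T ⊢_E t: analyse the knowledge to a fixpoint, then try to compose t."""
    return synth(t, analyze(K))

def ns_two_sessions():
    """Intruder knowledge after passively watching two sessions of the slide's
    Needham-Schroeder-style exchange (clients C1, C2 talk to S via T); constructed here."""
    K = {"S"}
    for C, Nc, Kcs, Kct, Nb in (("C1", "Nc1", "Kc1s", "Kc1t", "Nb1"),
                                ("C2", "Nc2", "Kc2s", "Kc2t", "Nb2")):
        ticket = enc(pair(Kcs, C), "Kst")
        K |= {C, Nc, enc(pair(Nc, "S", Kcs, ticket), Kct), ticket,
              enc(Nb, Kcs), enc(("inc", Nb), Kcs)}
    return K

if __name__ == "__main__":
    print(deducible({enc("s", "k1"), enc("k1", "k2"), sign("k2", "k3")}, "s"))   # True
    print(deducible({enc("s", enc("s", "k1")), enc(enc("s", "k1"), sign("k1", "k2")),
                     "k1", "k2'"}, "s"))                                           # False
    print(deducible(ns_two_sessions(), "Kc1s"))                                   # False
```

Adding the long-term key Kc1t to the knowledge set makes Kc1s deducible, which is the check a practitioner would run to confirm the engine opens the ticket once the outer key is known.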

  16. Formal verification
  Formalization:
  - system S ⇒ M(S)
  - environment E ⇒ M(E)
  - properties P ⇒ M(P)
  Verification: does S satisfy P in E ?  ⇒  M(S) ⊨_{M(E)} M(P) ?
  - Messages as terms
  - Roles as processes
  - Security properties as logical formulas

  17-22. Process algebra: [Abadi, Fournet 2001] and [Blanchet 2001]
  Syntax:
  new n; P          let x = u in P
  in(c, u); P       out(c, u); P
  P | Q             !P
  if u = v then P else Q

  Example:
  new k; new s;
  ( out(c, enc(s, pub(k)))
  | out(c, pub(k)); in(c, x); let y = dec(x, k) in event DEC(y); out(c, y) )

  Security: P ⊨ att:k ?   P ⊨ att:s ?   P ⊨ att:s ⇒ event:DEC(s) ?
  Tools: ProVerif, Avispa, Scyther, Tamarin, etc.

  23-24. Configurations (N, M, P)
  - N: names representing fresh data in an execution
  - M: terms representing messages sent over the network
  - P: set of processes that are being executed in parallel
  Example, for the process
  new k; new s; out(c, enc(s, pub(k))) | out(c, pub(k)); in(c, x); let y = dec(x, k) in out(c, y)
  after the two outputs:
  - N = {k, s}
  - M = {enc(s, pub(k)), pub(k)}
  - P = {in(c, x); let y = dec(x, k) in out(c, y)}

  25-28. Operational semantics: (N, M, P) → (N′, M′, P′)
  (NIL)   (N, M, P ∪ {0}) → (N, M, P)
  (BANG)  (N, M, P ∪ {!P}) → (N, M, P ∪ {P, !P})
  (PAR)   (N, M, P ∪ {P | Q}) → (N, M, P ∪ {P, Q})
  (NEW)   (N, M, P ∪ {new n; P}) → (N ∪ {n′}, M, P ∪ {P}) where n′ ∉ N

  29-32. Operational semantics: (N, M, P) → (N′, M′, P′)
  (COMM)  (N, M, P ∪ {out(c, t); P, in(c, x); Q}) → (N, M′, P ∪ {P, Q[x ↦ t]})
          where M′ = M ∪ {t} if M ⊢ c, and M′ = M otherwise
  (OUT)   (N, M, P ∪ {out(c, t); P}) → (N, M′, P ∪ {P}) where M′ = M ∪ {t}, if M ⊢ c
  (IN)    (N, M, P ∪ {in(c, x); Q}) → (N, M, P ∪ {Q[x ↦ t]}) if M ⊢ c and M ⊢ t

  33-35. Operational semantics: (N, M, P) → (N′, M′, P′)
  (IF_T)  (N, M, P ∪ {if U = V then P else Q}) → (N, M, P ∪ {P}) if U =_E V
  (IF_F)  (N, M, P ∪ {if U = V then P else Q}) → (N, M, P ∪ {Q}) if U ≠_E V
  (LET)   (N, M, P ∪ {let x = T in P}) → (N, M, P ∪ {P[x ↦ T]})

  36. Needham-Schroeder in applied pi-calculus
  1. C → T : C, S, Nc
  2. T → C : {Nc, Kcs, {Kcs, C}Kst}Kct
  3. C → S : {Kcs, C}Kst
  4. S → C : {Ns}Kcs
  5. C → S : {inc(Ns)}Kcs

  Client(C, S) =
    new Nc;
    out(net, ⟨C, S, Nc⟩);
    in(net, x_T);
    let ⟨=Nc, x_kcs, x_ciph⟩ = dec(x_T, k(C)) in
    out(net, x_ciph);
    in(net, x_S);
    let x_Ns = dec(x_S, x_kcs) in
    out(net, enc(inc(x_Ns), x_kcs))

  37. Needham-Schroeder in applied pi-calculus
  1. C → T : C, S, Nc
  2. T → C : {Nc, Kcs, {Kcs, C}Kst}Kct
  3. C → S : {Kcs, C}Kst
  4. S → C : {Ns}Kcs
  5. C → S : {inc(Ns)}Kcs

  Third Party =
    in(net, ⟨x_C, x_S, x_Nc⟩);
    new k_CS;
    let y_S = enc(⟨k_CS, x_C⟩, k(x_S)) in
    let y_C = enc(⟨x_Nc, c, y_S⟩, k(x_C)) in
    out(net, y_C)

  38. Needham-Schroeder in applied pi-calculus
  1. C → T : C, S, Nc
  2. T → C : {Nc, Kcs, {Kcs, C}Kst}Kct
  3. C → S : {Kcs, C}Kst
  4. S → C : {Ns}Kcs
  5. C → S : {inc(Ns)}Kcs

  Server(S) =
    in(net, x_req);
    let ⟨x_Kcs, x_C⟩ = dec(x_req, k(S)) in
    new Ns;
    out(net, enc(Ns, x_Kcs));
    in(net, x_resp);
    if inc(Ns) = dec(x_resp, x_Kcs) then OK

  39. Formal verification (recap of slide 16: messages as terms, roles as processes, security properties as logical formulas)

  40-43. Security properties: secrecy as reachability
  P0 ⊨ att:t  iff  (N0, M0, {P0}) →* (N, M, P) and M ⊢ t, for some reachable (N, M, P)

  Example:
  P0 = new k; new s; ( out(c, enc(s, pub(k))) | out(c, pub(k)); in(c, x); let y = dec(x, k) in out(c, y) )
  P0 ⊭ att:k
  P0 ⊨ att:s, witnessed by (∅, ∅, {P0}) →* (N, M, P) with M ⊢ s:
  - N = {k, s}
  - M = {enc(s, pub(k)), pub(k), s}
  - P = ∅
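Added example (not from the slides): a small Python executor for configurations (N, M, P) under the NIL, PAR, NEW, OUT, IN and LET rules of the previous slides, used to decide P0 ⊨ att:s and P0 ⊨ att:k for the P0 above by exploring all reachable configurations. It assumes the channel c is public (so M ⊢ c is read as c ∈ M), restricts the attacker's input for IN to terms already in M (an under-approximation of M ⊢ t that suffices here), and omits COMM and BANG.

```python
from collections import deque

# Terms: a name or variable is a str; f(t1, ..., tk) is the tuple (f, t1, ..., tk).
# Processes: ("nil",) | ("par", P, Q) | ("new", n, P) | ("out", c, t, P)
#            | ("in", c, x, P) | ("let", x, t, P)   (no replication, so exploration is finite)

def subst(e, x, t):
    """e[x ↦ t] on a term or process; binders are assumed not to reuse x."""
    if e == x:
        return t
    if isinstance(e, tuple):
        return tuple(subst(a, x, t) for a in e)
    return e

def evaluate(t):
    """Normalise under dec(enc(x, pub(y)), y) = x and dec(enc(x, y), y) = x;
    a dec(...) whose key does not match stays as an (unusable) term."""
    if not isinstance(t, tuple):
        return t
    t = tuple(evaluate(a) for a in t)
    if t[0] == "dec" and isinstance(t[1], tuple) and t[1][0] == "enc":
        _, (_, m, ek), k = t
        if ek == k or (isinstance(ek, tuple) and ek[0] == "pub" and ek[1] == k):
            return m
    return t

def step(N, M, P):
    """Successor configurations of (N, M, P). M ⊢ c is approximated by c ∈ M
    (channels are names) and the IN input ranges over M itself."""
    for i, p in enumerate(P):
        rest = P[:i] + P[i + 1:]
        kind = p[0]
        if kind == "nil":                                          # (NIL)
            yield N, M, rest
        elif kind == "par":                                        # (PAR)
            yield N, M, rest + (p[1], p[2])
        elif kind == "new":                                        # (NEW), n' ∉ N
            fresh = p[1]
            while fresh in N:
                fresh += "'"
            yield N | {fresh}, M, rest + (subst(p[2], p[1], fresh),)
        elif kind == "out" and p[1] in M:                          # (OUT)
            yield N, M | {evaluate(p[2])}, rest + (p[3],)
        elif kind == "in" and p[1] in M:                           # (IN), t ∈ M
            for t in M:
                yield N, M, rest + (subst(p[3], p[2], t),)
        elif kind == "let":                                        # (LET)
            yield N, M, rest + (subst(p[3], p[1], evaluate(p[2])),)

def attacker_learns(P0, target, public=("c",)):
    """P0 ⊨ att:target as reachability: breadth-first search from
    (∅, {public names}, {P0}) for a configuration whose M contains target."""
    start = (frozenset(), frozenset(public), (P0,))
    seen, todo = {start}, deque([start])
    while todo:
        N, M, P = todo.popleft()
        if target in M:
            return True
        for nxt in step(N, M, P):
            if nxt not in seen:
                seen.add(nxt); todo.append(nxt)
    return False

# The slide's P0, written as nested tuples (constructed here).
P0 = ("new", "k", ("new", "s", ("par",
        ("out", "c", ("enc", "s", ("pub", "k")), ("nil",)),
        ("out", "c", ("pub", "k"),
            ("in", "c", "x",
                ("let", "y", ("dec", "x", "k"),
                    ("out", "c", "y", ("nil",))))))))
```

Running `attacker_learns(P0, "s")` finds the witness trace from the slide (the attacker feeds enc(s, pub(k)) back into the input), while `attacker_learns(P0, "k")` explores every configuration and finds none with k ∈ M.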

  44. Key secrecy in Needham-Schroeder
  1. C → T : C, S, Nc
  2. T → C : {Nc, Kcs, {Kcs, C}Kst}Kct
  3. C → S : {Kcs, C}Kst
  4. S → C : {Ns}Kcs
  5. C → S : {inc(Ns)}Kcs
  Demo

  45-48. Security properties: privacy as equivalence
  Client(C, S1) | T | Server(S1) | Server(S2)   vs   Client(C, S2) | T | Server(S1) | Server(S2)

  new r; !out(c, enc(d, pub(kA), r)) | A | S1 | S2
  !new r; out(c, enc(d, pub(kA), r)) | A | S1 | S2
  P[d] ∼ P[d′]     P[d] ∼ I[d]
  Examples: electronic voting, weak secrets, bids, reviews, like buttons, etc.

  49-51. Security properties: unlinkability as equivalence
  new r1; new r2; out(c, enc(s1, pub(kA), r1)) | out(c, enc(s2, pub(kA), r2)) | A | S1 | S2
    vs
  new r1; new r2; out(c, enc(s1, pub(kA), r1)) | out(c, enc(s1, pub(kA), r2)) | A | S1 | S2
  P[s1] | P[s2] ∼ P[s1] | P[s1]
  Examples: RFID tags, location, healthcare, etc.
  Client(C, S1) | Client(C, S1) | T | Server(S1) | Server(S2)   vs   Client(C, S1) | Client(C, S2) | T | Server(S1) | Server(S2)

  52-60. Static equivalence
  Term context: C[ε1, ..., εn] applied to t1, ..., tn gives C[t1, ..., tn]
  Observations: O(N, M) = {(C1, C2) | (C1, C2) ∩ N = ∅ and C1[M] =_E C2[M]}
  Static equivalence: O(N1, M1) = O(N2, M2) ?
  M1 = enc(s1, pub(k), r1), enc(s1, pub(k), r2), pub(k)
  M2 = enc(s1, pub(k), r1), enc(s2, pub(k), r2), pub(k)
  - N1 = N2 = {r1, r2} ?
  - N1 = N2 = {s1, s2} ?
  - N1 = N2 = {r2} ?
  - N1 = N2 = {r1} ?   C1 = enc(s1, ε2, r2) and C2 = ε3
  - N1 = N2 = {s2} ?   C1 = enc(s1, ε2, r2) and C2 = ε3

  61-64. Observational equivalence: P1 ∼ P2
  Labelled OUT and IN rules:
  (OUT)  (N, M, P ∪ {out(c, t); P}) --out(c,·)--> (N, M′, P ∪ {P}) where M′ = M ∪ {t}, if M ⊢ c
  (IN)   (N, M, P ∪ {in(c, x); Q}) --in(c,C)--> (N, M, P ∪ {Q[x ↦ t]}) if M ⊢ c and C[M] =_E t
  Traces: (N0, M0, {P}) --α1...αk--> (N, M, P)
  Observational equivalence: P1 ∼ P2 iff for every trace (N0, M0, {P1}) --α1...αk--> (N1, M1, P1) there is a trace (N0, M0, {P2}) --α1...αk--> (N2, M2, P2) such that O(N1, M1) = O(N2, M2)

  65-70. Privacy and unlinkability with Needham-Schroeder
  1. C → T : C, S, Nc
  2. T → C : {Nc, Kcs, {Kcs, C}Kst}Kct
  3. C → S : {Kcs, C}Kst
  4. S → C : {Ns}Kcs
  5. C → S : {inc(Ns)}Kcs
  Variants of message 1 considered in turn:
  - C → T : C, {S}Kct, Nc
  - C → T : C, {S, Nc}Kct
  - C → T : C, {C, S, Nc}Kct
  - C → T : C ??, {C, S, Nc}Kct
  P:  Client(C, S1) | T | Server(S1) | Server(S2)   vs   Client(C, S2) | T | Server(S1) | Server(S2)
  U:  Client(C, S1) | Client(C, S1) | T | Server(S1) | Server(S2)   vs   Client(C, S1) | Client(C, S2) | T | Server(S1) | Server(S2)
  [which is stronger?]
  Demo
