verifying privacy-type properties in a modular wayverifying privacy-type properties in a modular way...
TRANSCRIPT
![Page 1: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/1.jpg)
VERIFYING PRIVACY-TYPEPROPERTIES IN A MODULAR WAY
M.Arapinis (1), V.Cheval (2), S. Delaune (2)(1) School of Computer Science, Birmingham, UK
(2) LSV, ENS Cachan, CNRS, INRIA Saclay
25 June 2012
25th IEEE Computer Security Foundations Symposium
![Page 2: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/2.jpg)
CONTEXT
To verify security properties on protocols, we model protocols in isolation
Protocols are never alone
Possible problems:•Protocols may share same keys•Protocols may share same cryptographic primitives•Tools may not be able to prove the security property
![Page 3: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/3.jpg)
Our goal
Verifying S on P
Verifying S on P and Q running in parallel
and Verifying S on Q
where- P and Q may share secrets and cryptographic primitives- S is a security property
CONTEXT
![Page 4: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/4.jpg)
Security properties
CONTEXT
![Page 5: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/5.jpg)
Security properties
CONTEXT
Reachability properties• Secrecy, Authentication, ...
![Page 6: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/6.jpg)
Security properties
CONTEXT
Reachability properties• Secrecy, Authentication, ...
Equivalence properties• Anonymity, Privacy, Receipt-Freeness, ...
![Page 7: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/7.jpg)
Example of equivalence property : anonymity
CONTEXT
Alice Intruder Unknown
![Page 8: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/8.jpg)
Example of equivalence property : anonymity
CONTEXT
Alice Intruder Unknown
Alice Intruder Unknown
Can the intruder distinguish the two situations ?
Bob
Charlene
![Page 9: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/9.jpg)
PREVIOUS WORKS
• J.D. Guttman and F.J. Thayer. Protocol independence through disjoint encryption.
• S. Ciobâca and V. Cortier. Protocol composition for arbitrary primitives.
• S. Andova, C. Cremers, K. Gosteen, S. Mauw. S. M. Isnes and S. Radomirovic. A framework for compositional verification of security protocols.
On reachability properties
• S. Delaune, S. Kremer and M.D. Ryan. Composition of password-based protocols.
• C. Chevalier, S. Delaune and S. Kremer. Transforming password protocols to compose.
On equivalence properties : Tagged protocol
![Page 10: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/10.jpg)
MOTIVATION
Privacy-type properties: Anonymity and unlinkability
Concrete example: e-passport protocols• Basic Access Control (BAC) : establishes sessions keys between reader
and a passport• Passive Authentication (PA)• Active Authentication (AA)
Passive Authentication and Active Authentication are executed in parallel
![Page 11: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/11.jpg)
Composition context for anonymity
FORMALISM
P : A ! S : {idA}rpk(kS)
![Page 12: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/12.jpg)
Composition context for anonymity
FORMALISM
P : A ! S : {idA}rpk(kS)
Definition from : M. Arapinis, T. Chothia and M. Ryan. Analysing unlinkability and anonymity using the applied pi calculus.
![Page 13: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/13.jpg)
Composition context for anonymity
FORMALISM
C[P,P{idO/idA}] ⇡ C 0[P]
P : A ! S : {idA}rpk(kS)
C 0[ ]def= new kS . !new idA. !
C[ 1, 2]def= new kS .((!new idA. ! 1) |! 2)
Definition from : M. Arapinis, T. Chothia and M. Ryan. Analysing unlinkability and anonymity using the applied pi calculus.
![Page 14: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/14.jpg)
Composition context for anonymity
FORMALISM
C[P,P{idO/idA}] ⇡ C 0[P]
C[Q,Q{idO/idA}] ⇡ C 0[Q]
P : A ! S : {idA}rpk(kS)
C 0[ ]def= new kS . !new idA. !
C[ 1, 2]def= new kS .((!new idA. ! 1) |! 2)
Definition from : M. Arapinis, T. Chothia and M. Ryan. Analysing unlinkability and anonymity using the applied pi calculus.
![Page 15: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/15.jpg)
Composition context for anonymity
FORMALISM
C[P,P{idO/idA}] ⇡ C 0[P]
C[Q,Q{idO/idA}] ⇡ C 0[Q]
C[Q | P, (Q | P){idO/idA}] ⇡ C 0[Q | P]
P : A ! S : {idA}rpk(kS)
C 0[ ]def= new kS . !new idA. !
C[ 1, 2]def= new kS .((!new idA. ! 1) |! 2)
Definition from : M. Arapinis, T. Chothia and M. Ryan. Analysing unlinkability and anonymity using the applied pi calculus.
![Page 16: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/16.jpg)
No shared key revealed
CONDITIONS
preserves the anonymity of A preserves the anonymity of APQ
P | Q does not preserve the anonymity of A
Q : S ! A : kS
P : A ! S : {idA}rpk(kS)
![Page 17: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/17.jpg)
Tag shared cryptographic primitives
CONDITIONS
preserves the anonymity of A preserves the anonymity of APQ
P | Q does not preserve the anonymity of A
Q : A ! S : {Na}rpk(kS)
S ! A : Na
P : A ! S : {idA}rpk(kS)
![Page 18: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/18.jpg)
Public key revealed at the beginning
CONDITIONS
Pi : A ! S : {taga(idi)}pk(kS)
Q : S ! A : pk(kS)
C[ ]def= new kS .
![Page 19: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/19.jpg)
Public key revealed at the beginning
CONDITIONS
and
But
Pi : A ! S : {taga(idi)}pk(kS)
Q : S ! A : pk(kS)
C[ ]def= new kS .
C[P1] ⇡ C[P2] C[Q] ⇡ C[Q]
C[P1 | Q] 6⇡ C[P2 | Q]
![Page 20: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/20.jpg)
MAIN THEOREM
If :-The shared keys of C and C’ are not revealed-The public keys are revealed at the beginning-The protocols A and B are tagged
C[PA] ⇡ C 0[P0A]
C[PB ] ⇡ C 0[P0B ]
C[PA | PB ] ⇡ C 0[P0A | P0
B ]
![Page 21: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/21.jpg)
Passive Authentication (PA)
E-PASSPORT
Passport Tagksenc, ksmac, skP
Readerksenc, ksmac, vk(skP )
xenc senc(read, ksenc)xmac mac(xenc, ksmac)
hxenc, xmaci
yenc senc(hdg1, . . . , dg19, sodi, ksenc)ymac mac(yenc, ksmac)
hyenc, ymaci
![Page 22: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/22.jpg)
Active Authentication (AA)
E-PASSPORT
Passport Tagksenc, ksmac, skP
Readerksenc, ksmac, vk(skP )
new rndxenc senc(hinit, rndi, ksenc))xmac mac(xenc, ksmac)
hxenc, xmaci
new ncesigma sign(hnce, rndi, skP )yenc senc(sigma, ksenc)ymac mac(yenc, ksmac)
hyenc, ymaci
![Page 23: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/23.jpg)
Result
E-PASSPORT
With ProVerif,•we prove anonymity for•we can not prove anonymity for •we can not prove anonymity for
AAPAPA | AA
![Page 24: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/24.jpg)
Result
E-PASSPORT
With ProVerif,•we prove anonymity for•we can not prove anonymity for •we can not prove anonymity for
AAPAPA | AA
proving anonymity for
proving anonymity for
PA
PA | AA
implies
![Page 25: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/25.jpg)
SKETCH OF PROOF
andC[PA] ⇡ C 0[P0A] C[PB ] ⇡ C 0[P0
B ]
![Page 26: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/26.jpg)
SKETCH OF PROOF
⇡C[PA] | C[PB ]
and
C 0[P0A] | C 0[P0
B ]
C[PA] ⇡ C 0[P0A] C[PB ] ⇡ C 0[P0
B ]
![Page 27: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/27.jpg)
SKETCH OF PROOF
⇡
⇡C[PA | PB ]
C[PA] | C[PB ]
and
C 0[P0A] | C 0[P0
B ]
C 0[P0A | P0
B ]
C[PA] ⇡ C 0[P0A] C[PB ] ⇡ C 0[P0
B ]
![Page 28: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/28.jpg)
SKETCH OF PROOF
⇡
⇡⇡
C[PA | PB ]
C[PA] | C[PB ]
and
C 0[P0A] | C 0[P0
B ]
C 0[P0A | P0
B ]
C[PA] ⇡ C 0[P0A] C[PB ] ⇡ C 0[P0
B ]
![Page 29: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/29.jpg)
SKETCH OF PROOF
⇡
⇡⇡ ⇡
C[PA | PB ]
C[PA] | C[PB ]
and
C 0[P0A] | C 0[P0
B ]
C 0[P0A | P0
B ]
C[PA] ⇡ C 0[P0A] C[PB ] ⇡ C 0[P0
B ]
![Page 30: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/30.jpg)
SKETCH OF PROOF
⇡
⇡⇡ ⇡
C[PA | PB ]
C[PA] | C[PB ]
and
C 0[P0A] | C 0[P0
B ]
C 0[P0A | P0
B ]
C[PA] ⇡ C 0[P0A] C[PB ] ⇡ C 0[P0
B ]
![Page 31: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/31.jpg)
SKETCH OF PROOF
new k.PA | new k.PB
new k.[PA | PB ]
⇡ C[PA | PB ]C[PA] | C[PB ]
![Page 32: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/32.jpg)
SKETCH OF PROOF
P1 Pn
new k.PA | new k.PB
new k.[PA | PB ]
⇡ C[PA | PB ]C[PA] | C[PB ]
![Page 33: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/33.jpg)
SKETCH OF PROOF
Mk
k
k
P1 Pn
new k.PA | new k.PB
new k.[PA | PB ]
⇡ C[PA | PB ]C[PA] | C[PB ]
![Page 34: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/34.jpg)
SKETCH OF PROOF
Mk
kk
kk
k
�(M)
P1 Pn
new k.PA | new k.PB
new k.[PA | PB ]
⇡ C[PA | PB ]C[PA] | C[PB ]
![Page 35: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/35.jpg)
SKETCH OF PROOF
Mk
kk
kk
k
�(M)
P1 Pn
�(Pn)�(P1)new k.PA | new k.PB
new k.[PA | PB ]
⇡ C[PA | PB ]C[PA] | C[PB ]
![Page 36: VERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAYVERIFYING PRIVACY-TYPE PROPERTIES IN A MODULAR WAY M.Arapinis (1), V.Cheval (2), S. Delaune (2) (1) School of Computer Science, Birmingham,](https://reader033.vdocuments.mx/reader033/viewer/2022041912/5e6816f02b7b2457d911fe38/html5/thumbnails/36.jpg)
CONCLUSION & FUTURE WORK
Future work : Sequential composition
Future work : Removing the tags
E-passport protocols• Basic Access Control (BAC) : establishes sessions keys between reader
and a passport• Passive Authentication (PA)• Active Authentication (AA)
• Tags imply heavy transformation of the protocol• Almost no current protocol tags all their message• Protocols may behave as if they were tagged (ex: nonce exchange)
Parallel composition theorem for equivalence propertiesConditions:
• The shared keys are not revealed• The public keys are revealed at the beginning• The protocols are tagged