The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability

Transcription

1 The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Catherine Meadows Naval Research Laboratory, Washington, DC Formal Methods for the Science of Security Summer School, University of Illinois, July 22-26, / 51

2 Asymmetric Unification and the Finite Variant Property Background Outline 2/51 1 Asymmetric Unification and the Finite Variant Property Background Definition and Implementation of Asymmetric Unification New Research in Asymmetric Unification 2 Background in Symbolic Our Notion of

3 Asymmetric Unification and the Finite Variant Property Background The Problem 3/51 Protocol analysis tools often depend on syntactic properties of terms that fail to be invariant under equational theories Check for nonces appearing as subterms Logical systems: CPSA, PCL, PDL, to determine which actions should precede others Maude-NPA: to rule out unreachable states Depth of terms ProVerif : option to ensure termination Syntactic pattern matching Maude-NPA : to rule out infinite search paths In this lecture I ll describe how we re dealing with this problem in Maude-NPA, and how we think our techniques could be applied to other unification tools

4 Asymmetric Unification and the Finite Variant Property Background An Example 4/51 Start with exclusive-or is AC, with additional equations x 0 = x and x x = 0. Consider the following protocol 1 A B : pke(b, N A ) 2 B A : N B N A A checks that the message she receives is Z N A for some Z How it works in Maude-NPA ::r::[nil, +(pke(b,n(a,r))),-(z [+] n(a,r)), nil ] Unify Z [+] n(a,r) with some term in the intruder s knowledge So, what if Z = Y N A?

5 Asymmetric Unification and the Finite Variant Property Background How We Handle This in Maude-NPA 5/51 Express equational theory as R = {X 0 X, X X 0, X X X X } = AC nonce containment invariant under AC R is a set of rewrite rules convergent and terminating wrt AC Find all the possible reduced forms of Z [+] n(a,r) wrt R There are two: < Z [+] n(a,r), id > < Y, Z / Y [+] n(a,r) > One strand for each reduced form ::r::[nil, +(pke(b,n(a,r))),-(z [+] n(a,r)), nil ] ::r::[nil, +(pke(b,n(a,r))),-(y), nil ] Include constraints that negative terms in strands are irreducible wrt R Any further substitution made in the search process must obey these constraints

6 Asymmetric Unification and the Finite Variant Property Background Three Things we need to make this work 6/51 1 Characterize theories in which every term has a finite number of reduced forms We understand this: this is equivalent to the finite variant property 2 Unification algorithms giving a set of mgu s Σ x =?y such that for all σ Σ, σy is irreducible We call this asymmetric unification Variant narrowing has this property, we are looking for more efficient algorithms 3 Combine these into a sound and complete search strategy These lectures will concern 1 and 2; 3 will be covered in Santiago Escobar s lecture

7 Asymmetric Unification and the Finite Variant Property Background Variants and the Finite Variant Property Let (Σ, R, ) be a an equational theory, where R is a set of rewrite rules confluent, terminating and coherent wrt. Let t be a term. A variant of t is a pair (θ, θt ). A set of most general variants of t is a set of variants V such that for every variant (θ, θt ) there is a variant (σ, σt ) V such that θ = τσ and θt = τ(σt ). A theory (Σ, E = R ) has the finite variant property if every term has a finite most general set of variants. Example: Find a set of most general variants d(y, Z) in ({e/2.d/2}, {d(k, e(k, X )) W }, ) We already know how to do it : narrowing! Perform all possible narrowing steps on d(y, Z) The set is {(ι, d(y, Z)), (Z/e(K, X ), X )} Note: concept of variants and finite variants originally due to Comon and Delaune, 2005; we use a slightly stronger definition of variant due to Escobar et al., /51

8 Asymmetric Unification and the Finite Variant Property Background What Has the Finite Variant Property, and What Hasn t 8/51 Finite Variant Theories R = {X + 0 = X, X + (X ) = 0} = AC R = {exp(exp(x, Y ), Z)) = exp(x, Y Z)}, = AC (for *) Various forms of cancellation of encryption-decryption Non Finite Variant Theory h homomorphic over operator * (doesn t matter whether it s free or AC) If t = h(x ), then Σ = {ι, X /X 1 X 2, X /X 1 X 2 X 3,...} Sufficient and/or necessary conditions for finite variant property studied by Escobar, Sasse, and Meseguer, 2008 A method for using narrowing to compute a most general set of variants, guaranteed to terminate for theories with the finite variant property, is given in Escobar, Sasse, and Meseguer, 2012.

9 Asymmetric Unification and the Finite Variant Property Background Using Variant Narrowing to Satisfy Irreducibility Constraints in Protocol Analysis 9/51 For each strand St in a specification, compute a most general set of variants V of the the negative terms For each variant (σ, t) create a new strand σst Each time a positive term s is unified with a term t in the intruder knowledge, user asymmetric unification to find a complete set of unifiers of s and t that leave t irreducible, as well as all negative terms already present in the state

10 Asymmetric Unification and the Finite Variant Property Definition and Implementation of Asymmetric Unification Outline 10/51 1 Asymmetric Unification and the Finite Variant Property Background Definition and Implementation of Asymmetric Unification New Research in Asymmetric Unification 2 Background in Symbolic Our Notion of

11 Asymmetric Unification and the Finite Variant Property Definition and Implementation of Asymmetric Unification Asymmetric Unification 11/51 Let (Σ, R, ) be a an equational theory, where R is a set of rewrite rules confluent, terminating and coherent wrt. A solution to an asymmetric unification problem s 1 = t 1... s k = t k is a substitution σ such that 1 For each i, σs i = σt i 2 For each i, σt i is irreducible A set Θ is a most general set of asymmetric unifiers of P if for any asymmetric unifier σ there is a θ Θ such that σ = τθ for some τ

12 Asymmetric Unification and the Finite Variant Property Definition and Implementation of Asymmetric Unification Some Examples from XOR 12/51 1 c =?X Y, S-unifiable, but not A-unifiable 2 a b =?X Y σ = [X Y a b] is a most general S-unifier, but not an A-unifier [X a, Y b], [X b, Y a] is a set of most general A-unifiers 3 X =?Y Z [Y X Z] an a most general S-unifier but not an A-unifier [X Y Z] is equivalent, but is an A-unifier,

13 Asymmetric Unification and the Finite Variant Property Definition and Implementation of Asymmetric Unification Using Variant Narrowing to Find Most General Set of Asymmetric Unifiers 13/51 Let (Σ, R, ) be a an equational theory, where R is a set of rewrite rules confluent, terminating and coherent wrt. Furthermore, assume that (Σ, R, ) has the finite variant property Given a problem s = t 1 Use variant narrowing to find a set of most general variants V of s. 2 Discard any (σ, σs ) V such that σt is reducible 3 For each remaining (σ, σs ) find set of mgu s of σs =?σt. 4 Discard any unifier θ such that θσt or θσs reducible 5 Remaining set is a set of most general asymmetric unifiers Can we do better (e.g. faster)?

14 Asymmetric Unification and the Finite Variant Property New Research in Asymmetric Unification Outline 14/51 1 Asymmetric Unification and the Finite Variant Property Background Definition and Implementation of Asymmetric Unification New Research in Asymmetric Unification 2 Background in Symbolic Our Notion of

15 Asymmetric Unification and the Finite Variant Property New Research in Asymmetric Unification Next Step: Asymmetric Unification (AU) as a Problem in its Own Right 15/51 As far as we can tell, no-one had studied this before Variant narrowing only existing AU-algorithm we found What we do have found so far AU at least as hard as symmetric unification (SU) Any SU problem s =?t can be turned into AU problem s =?X, t =?X. AU strictly harder than SU - XOR without any other symbols is in P for SU but NP-complete for AU SU can be unitary while AU is not (XOR) There exist theories for which SU is decidable but AU is not We are working on a general approach for converting symmetric unification algorithms to asymmetric unification algorithms Have applied it to unification in XOR theory

16 Asymmetric Unification and the Finite Variant Property New Research in Asymmetric Unification Outline for a General Procedure 16/51 Start with a decomposition R and a unification algorithm GIven a problem x = y, find a complete set of unifiers Σ using the symmetric algorithm For each σ Σ 1 If σ is an A-unifier, keep it 2 If not, see if there is an equivalent A-unifier σ and if so, replace σ with σ 3 If not, apply 1) and 2) to more completely instantiated versions of σ and replace it with those 4 If none of those work, discard σ Application to exclusive-or given in Ertabur et al Paper also includes experimental results

17 Asymmetric Unification and the Finite Variant Property New Research in Asymmetric Unification Open Questions 17/51 How much will we be able to improve on performance of variant narrowing? How applicable is the general approach to finding complete sets of A-unifiers? What are the best ways of decomposing theories?

18 Asymmetric Unification and the Finite Variant Property New Research in Asymmetric Unification How do we choose decompose a theory into R 18/51 Constraint 1: R must be have finite variant property wrt Constraint 2: should be regular Any variable on rhs of rewrite rule should also appear on lhs Regularity of necessary so that any nonce sub term appears in all members of a -equivalence class

19 Asymmetric Unification and the Finite Variant Property New Research in Asymmetric Unification A Case in Which These Constraints Cause Problems: Homomorphic Encryption Over Abelian Groups 19/51 operators are Abelian group operator *, encryption operator e, inverse operator inv, unary operator 0 * is AC Other equations are e(k, X ) e(k, Y ) = e(k, X Y ), X 0 = 0, X inv(x ) = 0 Plus others added to get coherence What Goes in? Commutativity can t be a rewrite rule, so it goes in Associativity w/o commutativity is not finitary, so it goes in too e(k, X ) e(k, Y ) = e(k, X Y ) doesn t have finite variant property, so it goes in too X inv(x ) = 0 must go in R, because it s not regular Unification in resulting -theory is undecidable!

20 Asymmetric Unification and the Finite Variant Property New Research in Asymmetric Unification Solutions We re Investigating 20/51 Force homomorphic encryption theory to have finite variant properties by limiting the number of times the equation can be applied Gives completeness when can put bounds on number of encryptions needed to break protocol Modify state space reduction methods to allow some non-regular rules to appear in E.g. don t judge state unreachable based on nonce underneath homomorphic encryption operator Embed equational theory in larger decidable theory

21 Asymmetric Unification and the Finite Variant Property New Research in Asymmetric Unification Some Experimental Results 21/51 Unif. Problem T. V # V T. D # D % T. % # NS 1 NS 2 = NS 3 N A NS 1 N A = NS 2 NS NS 1 NS 2 = NS 3 NS 4 NS NS 1 NS 2 = NS 3 NS 4 N A NS 1 NS 2 = N A NS 1 NS 2 = null NS 1 NS 2 = null NS

22 Asymmetric Unification and the Finite Variant Property New Research in Asymmetric Unification Some More Experimental Results 22/51 Unif. Problem T. A-V # A-V T. D-A # D-A % T. % # SP4 SP1 SP SP5 SP1 SP SP6 SP1 SP SP7 SP1 SP SP8 SP1 SP2 SP SP9 SP1 SP2 SP SP10 SP1 SP2 SP SP11 SP1 SP2 SP SP12 SP1 SP2 SP SP1 = M 1 M 2 = M 1 M 2 SP2 = M 1 M 3 = M 1 M 3 SP3 = M 1 M 4 = M 1 M 4 SP4 = M 1 M 2 M 3 = a b SP5 = M 1 M 2 M 3 = a b c SP6 = M 1 M 2 M 3 = a b c d Cuadro: Other Unification Problems SP7 = M 1 M 2 M 3 = a b c d e SP8 = M 1 M 2 M 3 M 4 = a SP9 = M 1 M 2 M 3 M 4 = a b SP10 = M 1 M 2 M 3 M 4 = a b c SP11 = M 1 M 2 M 3 M 4 = a b c d SP12 = M 1 M 2 M 3 M 4 = a b c d e

23 23/51 Outline 1 Asymmetric Unification and the Finite Variant Property Background Definition and Implementation of Asymmetric Unification New Research in Asymmetric Unification 2 Background in Symbolic Our Notion of

24 24/51 What is? Concept used to reason about security in cryptographic algorithms and protocols Example: Chosen plaintext security Attacker chooses messages m 1 and m 2 Receives encrypted message that could be e(k, m 1 ) or e(k, m 2 ) Performs tests on message, then tries to guess which one it is particularly useful for reasoning about protocols that protect low-entropy data Defense against password guessing attacks Voting Anonymous routing Privacy-preserving database queries

25 Background in Symbolic Outline 25/51 1 Asymmetric Unification and the Finite Variant Property Background Definition and Implementation of Asymmetric Unification New Research in Asymmetric Unification 2 Background in Symbolic Our Notion of

26 Background in Symbolic The Dolev-Yao Model and Symbolic Verification 26/51 Gives a way of reasoning about crypto protocols symbolically Messages represented by a message algebra Built out of variables, constants, and function symbols Function symbols satisfy equational theory describing algebraic properties of cryptosystems Principals interact with an intruder who can create, alter, and redirect messages Amenable to verification via model-checkers Properties traditionally verified in the Dolev-Yao model Attacker can t get secrets in the clear Authentication What about indistinguishability?

27 Background in Symbolic and the Dolev-Yao Model 27/51 Two main sources Abadi and Fournet s definition of observational equivalence and its realization in terms of labeled bisimulation Lowe s work on password guessing attacks Basic idea: Represent tests by Attacker applying function symbols to terms and comparing results [x 1, h(x 1)] and [x2, h(x1)] are distinguishable from each other First list satisfies h(l 1) = l 2, but not the second Attacker sending messages to principals and seeing what happens Same thing should happen for the two different versions of the protocol

28 Background in Symbolic State of the Art Now 28/51 A number of approaches following same general paradigm Trace equivalence: can attacker distinguish between two traces? Algebraic properties of cryptosystems that can be handled are limited Main tool: ProVerif under restricted algebraic properties Uses a stronger notion than observational equivalence, uniformity, defined in terms of state reachability Two instances of the protocol are run in lockstep, bad state is one in which they diverge Subterm convergent rewrite rules, but not AC rules Work on extensions of ProVerif for special cases Extensions implement methods for representing equational theories in theories that can be handled by ProVerif

29 Background in Symbolic Research Problems we are Addressing 29/51 Can indistinguishability be formally defined in terms of state reachabiity in general and easy to understand terms? Are there sound and complete methods for verifying indistinguishability modulo algebraic properties? How general can we make an approach based on state reachability? Can such methods be integrated into the Maude-NPA tool?

30 Our Notion of Outline 30/51 1 Asymmetric Unification and the Finite Variant Property Background Definition and Implementation of Asymmetric Unification New Research in Asymmetric Unification 2 Background in Symbolic Our Notion of

31 Our Notion of Our Approach 31/51 Like ProVerif, run two instances of the protocol in lockstep We introduce a pairing operation on protocols, For us, a bad state is one in one half of the pair can is reachable, and the isn t

32 Our Notion of Protocol Pairing 32/51 Given two protocols P 1 and P 2, we define a protocol pairing P 1,P 2 in terms of the strand representation iff 1 P 1 and P 2 share the same equational theory of messages and message functions 2 P 1 and P 2 share the same intruder strands 3 Correspondence between protocol strands of P 1 and P 2 such that two corresponding strands Have the same length Have output and input messages in the same order Can differ in the actual messages

33 Our Notion of Synchronous Product of Protocols 33/51 Given a protocol pairing P 1,P 2, s.t. P 1 = (Σ P, E P, T P1 ) P 2 = (Σ P, E P, T P2 ) A synchronous product of P 1 and P 2, P 1 P 2 = (Σ P { }, E P, T P1 T P2 ) is a new protocol where the strands of P 1 P 2 are obtained by zipping together each strand of P 1 and its corresponding strand from P 2

34 Our Notion of Example of Synchronous Product of Protocols 34/51 Protocol P 1 (Alice) :: r 1, r 2 ::[ +(k(a, B, r 1 )),+(e(k(a, B, r 1 ), n(a, r 2 ))) ] (Bob) :: nil :: [ (Key), (e(key, N A )) ] Protocol P 2 (Alice) :: r 1, r 2, r 3 ::[ +(k(a, B, r 3 )),+(e(k(a, B, r 1 ), n(a, r 2 ))) ] (Bob) :: nil :: [ (Key 1 ), (e(key 2, N A )) ] Synchronous product P 1 P 2 (Alice) :: r 1, r 2, r 3 :: [ +(k(a, B, r 1 ) k(a, B, r 3 )), + (e(k(a, B, r 1 ), n(a, r 2 )) e(k(a, B, r 1 ), n(a, r 2 ))) ] & (Bob) :: nil :: [ (Key Key 1 ), (e(key, N A ) e(key 2, N A )) ]

35 Our Notion of Properties of Synchronous Product Operator 35/51 Introduce a new type SingleMessage. : SingleMessage SingleMessage Message This means that can never be applied twice For any function f on messages add rewrite rule f (x 1 y 1,..., x k y k ) f (x 1,..., x k ) f (y 1,... y k ) Allows principals in synchronous product to apply functions to messages of the form s t and produce another message of the form s t Result: Adding synchronous product does not affect rewrite semantics of Maude-NPA; it only extends the signature and equational theory!

36 Our Notion of There s More... 36/51 Maude-NPA unification makes extensive use of decomposition of the equational theory into (Σ, R, E) where R is confluent, terminating, and coherent over E and has the finite variant property over E Finite variant property means each term has a finite number of R-irreducible variants Theorem: If (Σ, R, E) has the finite variant property, so does its extension by Main difference: resulting theory is strongly right irreducible only if R is empty Strongly right irreducible: right side of every rewrite rule remains irreducible under any irreducible substation Strongly right irreducibility requirement for Maude-NPA 2.0 But not for Maude-NPA 3.0, being developed on new version of Maude with built-in variant narrowing Currently experimenting with this

37 Our Notion of Projections on Synchronous Product of Protocols 37/51 Given a synchronous product of protocols P 1 P 2, there are projections π 1 : P 1 P 2 P 1 π 2 : P 1 P 2 P 2 from the states of the synchronous product to the states of each of these protocols such that π 1 and π 2 are simulation maps Example: π 1 : {[ (m 1 m 1) ±,..., (m n m n) ± ] &...} {[m ± 1,..., m± n ] &...}

38 Our Notion of Protocol 38/51 We propose a formal definition of indistinguishability of two protocols as the conjunction of two more basic properties over a protocol pairing P 1,P 2 First, some preliminaries are required.

39 Our Notion of Attacker Event Sequences 39/51 The attacker has complete control over the network Therefore, behavior of a protocol for an attacker can be reduced to a sequence of attacker events that are either (i) Message sent/received events, or (ii) Message manipulation actions Transitions from an initial state to any reachable state are performed via a sequence of attacker events of category (i) or (ii), called attacker event sequence (AES) In Maude-NPA this corresponds to the fact any state transition corresponds to an attacker event of either category (i) or (ii)

40 Our Notion of notion in Maude-NPA 40/51 Two protocols P 1 and P 2 are indistinguishable iff: 1 P 1 and P 2 have indistinguishable attacker event sequences (IAES), and 2 P 1 and P 2 have indistinguishable messages (IM)

41 Our Notion of Indistinguishable Attacker Event Sequences (IAES) 41/51 Intuitive Definition P 1 and P 2 have indistinguishable AESs (IAES) if from any initial state the attacker is able to perform exactly the same type of event sequences for each protocol Transitions of the same type if involve same actions appearing in synchronous products of strands at same point of execution Formal Definition Let P 1,P 2 be a protocol pairing, then P 1 and P 2 satisfy the IAES property iff projections π 1 : P 1 P 2 P 1, and π 2 : P 1 P 2 P 2 are both labeled bisimulations, where type of transition corresponds to label

42 Our Notion of Indistinguishable Messages (IM) 42/51 Intuitive Definition The intruder can never perform two different AESs, say, α and β, so that as a result of α and β the intruder either learns (i) the same message from P 1 but different messages from P 2, or (ii) different messages from P 1 but the same message from P 2 Formal Definition A protocol pairing P 1,P 2 satisfies the IM property iff from any initial state there is not any reachable state in P 1 P 2 with and intruder knowledge of either the form (i) {(M N I) & (M N I) & N N & IK}, or (ii) {(M N I) & (M N I) & M M & IK} (*) Equality here is modulo the equational theroy (Σ P, E P)

43 Our Notion of Implementing in Maude-NPA 43/51 No need to change the rewrite rule semantics The completeness of the Maude-NPA indistinguishability analysis is based on two facts

44 Our Notion of Fact 1: Satisfiability of IM 44/51 P 1 and P 2 satisfy the IM property iff no initial state can be backwards reached from an attack state of either the form { {(M N I) & (M N I) & N N }}, or { {(M N I) & (M N I) & M M }}

45 Our Notion of Example 45/51 :: r 1, r 2 :: [ +((n(a, r 1 ); h(n(a, r 1 )))) (n(a, r 2 ); h(n(a, r 1 ))) ] does not satisfy IM since the following initial state can be found in Maude-NPA :: r 1, r 2 :: [ +((n(a, r 1 ); h(n(a, r 1 )))) (n(a, r 2 ); h(n(a, r 1 ))) nil ] & :: nil :: [ ((n(a, r 1 ); h(n(a, r 1 ))) (n(a, r 2 ); h(n(a, r 1 ))), + ((n(a, r 1 ) n(a, r 2 )) nil ] & :: nil :: [ ((n(a, r 1 ); h(n(a, r 1 )))) (n(a, r 2 ); h(n(a, r 1 ))) + ((h(n(a, r 1 )) h(n(a, r 1 ))) nil ] & :: nil :: [ ((n(a, r 1 ) n(a, r 2 )), +((h(n(a, r 1 )) h(n(a, r 2 ))) nil ] & {((n(a, r 1 ) ; h(n(a, r 1 )))) (n(a, r 2 ) ; h(n(a, r 1 ))) I) & (n(a, r 1 ) n(a, r 2 ) I) & (h(n(a, r 1 )) h(n(a, r 1 )) I) & (h(n(a, r 1 )) h(n(a, r 2 )) I) & h(n(a, r 1 )) h(n(a, r 2 ))}

46 Our Notion of Fact 2: Satisfiability of IAES 46/51 If P 1 and P 2 satisfy the the IM property in Maude-NPA, then they satisfy the IAES property iff no initial state can be backwards reached from any attack state of the form 1 {[ L (m 1 m 2 ), L ] & {(m 1 m 2 ) I, m 2 m 2 }}, or 2 {[ L (m 1 m 2 ), L ] & {(m 1 m 2) I, m 1 m 1 }} Idea of Proof: If one of the above conditions holds, then IAES can hold only if (m 1 m 2 ) I, which would violate IM.

47 Our Notion of What Does Need to Be Changed In Maude-NPA to Make this Word 47/51 State space reduction techniques need to be reformulated to take properties of paired protocols into account Need to revamp Maude-NPA to handle theories that are not strongly right irreducible This was already planned and is under way Finding states defined in such generality is challenging for Maude-NPA Increases state explosion and may require further improvements to state space reduction techniques Techniques that would allow us to find use more specialized state descriptions and maintain completeness would be useful

48 Our Notion of Current Status and Future Work 48/51 Have developed new theoretical foundations and new analysis techniques for indistinguishability modulo algebraic properties Have used Maude-NPA to experiment with these techniques on simple examples Have begun experimenting with more complex examples with development version of Maude-NPA In future plan to Further develop the theoretical foundations How does our definition of indistinguishability relate to others? Investigate how to adapt state space reduction techniques to theory Explore use of Maude-NPA on privacy-preserving protocols

49 Our Notion of Finite Variant Property and Narrowing References 49/51 Hubert Comon-Lundh, Stéphanie Delaune: The Finite Variant Property: How to Get Rid of Some Algebraic Properties. RTA 2005: Santiago Escobar, José Meseguer, Ralf Sasse: Effectively Checking the Finite Variant Property. RTA 2008: Santiago Escobar, Ralf Sasse, José Meseguer: Folding variant narrowing and optimal variant termination. J. Log. Algebr. Program. 81(7-8): (2012).

50 Our Notion of Asymmetric Unification References 50/51 Serdar Erbatur, Santiago Escobar, Deepak Kapur, Zhiqiang Liu, Christopher Lynch, Catherine Meadows, José Meseguer, Paliath Narendran, Sonia Santiago, Ralf Sasse. Effective Symbolic Protocol Analysis via Equational Irreducibility Conditions.. In Proceedings of ESORICS 2012, Springer-Verlag, Serdar Erbatur, Santiago Escobar, Deepak Kapur, Zhiqiang Liu, Christopher Lynch, Catherine Meadows, José Meseguer, Paliath Narendran, Sonia Santiago, Ralf Sasse. Asymmetric unification: A new unification paradigm for cryptographic protocol analysis. In proceedings of CADE 2013, Springer-Verlag, 2013.

51 Our Notion of References 51/51 Martin Abadi and Cedric Fournet. Mobile values, new names, and secure communication. In POPL, pages , [Definition of observational equivalence for applied pi calculus] Gavin Lowe. Analysing protocol subject to guessing attacks. Journal of Computer Security, 12(1):83-98, Bruno Blanchet, Martin Abadi, and Cedric Fournet. Automated Verification of Selected Equivalences for Security Protocols. Journal of Logic and Algebraic Programming, 75(1):3-51, February-March (shows how indistinguishability is handled in ProVerif)