Introduction Formal Definitions Case Studies Conclusion Formal Verification of e-Auction protocols Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Université Grenoble 1, CNRS, VERIMAG firstname.lastname@imag.fr Principles of Security and Trust (POST) 2013, Rome March 19, 2013 Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Formal Definitions Case Studies Conclusion Plan 1 Introduction 2 Formal Definitions Authentication Fairness Privacy 3 Case Studies Curtis et al. Brandt 4 Conclusion Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Formal Definitions Case Studies Conclusion Plan 1 Introduction 2 Formal Definitions Authentication Fairness Privacy 3 Case Studies Curtis et al. Brandt 4 Conclusion Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Formal Definitions Case Studies Conclusion e-Auctions Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Formal Definitions Case Studies Conclusion Challenges in e-Auctions Competing parties: Bidders/Buyers, Seller, Auctioneer, . . . Many possible (complex) mechanisms: English Dutch Sealed Bid First Price Second Price Bulk Goods . . . Here: Sealed Bid First Price auctions Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Formal Definitions Case Studies Conclusion e-Auctions: Security Requirements Fairness Verifiability Non-Repudiation Non-Cancellation Security Requirements Secrecy of Bidding Price Receipt-Freeness Coercion-Resistance Anonymity of Bidders Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Authentication Formal Definitions Fairness Case Studies Privacy Conclusion Plan 1 Introduction 2 Formal Definitions Authentication Fairness Privacy 3 Case Studies Curtis et al. Brandt 4 Conclusion Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Authentication Formal Definitions Fairness Case Studies Privacy Conclusion The Applied π -Calculus [AF01] We use the Applied π -Calculus to model protocols: P , Q , R := processes 0 null process P | Q parallel composition ! P replication ν n . P name restriction (“new”) if M = N then P else Q conditional in ( u , x ) message input out ( u , x ) message output { M / x } substitution Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Authentication Formal Definitions Fairness Case Studies Privacy Conclusion Events To express our properties, we use the following events: bid(p,id) : a bidder id bids the price p recBid(p,id) : a bid at price p by bidder id is recorded by the auctioneer/bulletin board/etc. won(p,id) : a bidder id wins the auction at price p Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Authentication Formal Definitions Fairness Case Studies Privacy Conclusion Plan 1 Introduction 2 Formal Definitions Authentication Fairness Privacy 3 Case Studies Curtis et al. Brandt 4 Conclusion Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Authentication Formal Definitions Fairness Case Studies Privacy Conclusion Non-Repudiation On every trace: bid(p,id) won(p,id) Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Authentication Formal Definitions Fairness Case Studies Privacy Conclusion Non-Cancellation recBid( b A , Alice) Alice Bob Alice reveals data to intruder > Bid b A b B won( b B , Bob) Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Authentication Formal Definitions Fairness Case Studies Privacy Conclusion Plan 1 Introduction 2 Formal Definitions Authentication Fairness Privacy 3 Case Studies Curtis et al. Brandt 4 Conclusion Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Authentication Formal Definitions Fairness Case Studies Privacy Conclusion Strong Noninterference & Weak Noninterference Definition (Strong Noninterference (SN)) An auction protocol ensures Strong Noninterference (SN) if for any two auction processes AP A and AP B that halt at the end of the bidding phase (i.e. where we remove all code after the last recBid event) we have AP A ≈ l AP B . Definition (Weak Noninterference (WN)) Like Strong Noninterference, but we consider only processes with the same bidders. Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Authentication Formal Definitions Fairness Case Studies Privacy Conclusion Highest Price Wins Alice Chuck (honest) (corrupted) bid( b A , Alice) won( b C , Chuck) > b A b C Bid Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Authentication Formal Definitions Fairness Case Studies Privacy Conclusion Plan 1 Introduction 2 Formal Definitions Authentication Fairness Privacy 3 Case Studies Curtis et al. Brandt 4 Conclusion Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Authentication Formal Definitions Fairness Case Studies Privacy Conclusion Strong Bidding-Price Secrecy (SBPS) [DJP10] Main idea: Observational equivalence between two situations. Alice Carol Bid ≈ l Bid Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Authentication Formal Definitions Fairness Case Studies Privacy Conclusion Bidding-Price Unlinkability (BPU) The list of bids can be public, but must be unlinkable to the bidders. Alice Bob Carol Bid ≈ l Bid Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Authentication Formal Definitions Fairness Case Studies Privacy Conclusion Strong Anonymity (SA) The winner may stay anonymous. Alice Carol Bid ≈ l Bid Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Authentication Formal Definitions Fairness Case Studies Privacy Conclusion Weak Anonymity (WA) Unlinkability, but also for the winner. Alice Carol Bid ≈ l Bid Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Authentication Formal Definitions Fairness Case Studies Privacy Conclusion e-Auctions: Hierarchy of Privacy Notions SBPS[DJP10] SA BPU WA Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Authentication Formal Definitions Fairness Case Studies Privacy Conclusion e-Auctions: Hierarchy of Privacy Notions FPSBA SBPS[DJP10] SA P BPU WA Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Authentication Formal Definitions Fairness Case Studies Privacy Conclusion e-Auctions: Hierarchy of Privacy Notions FPSBA CR-BPS CR-SA CR CR-U CR-WA FPSBA RF-BPS RF-SA RF SRF[DJP10] RF-U RF-WA FPSBA SBPS[DJP10] SA P BPU WA Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Formal Definitions Curtis et al. Case Studies Brandt Conclusion Plan 1 Introduction 2 Formal Definitions Authentication Fairness Privacy 3 Case Studies Curtis et al. Brandt 4 Conclusion Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Formal Definitions Curtis et al. Case Studies Brandt Conclusion Plan 1 Introduction 2 Formal Definitions Authentication Fairness Privacy 3 Case Studies Curtis et al. Brandt 4 Conclusion Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Formal Definitions Curtis et al. Case Studies Brandt Conclusion Protocol by Curtis et al. [CPS07]: Registration Main idea: a registration authority (RA) distributes pseudonyms, which are then used for bidding. Registration Authority Bidder Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Formal Definitions Curtis et al. Case Studies Brandt Conclusion Protocol by Curtis et al. [CPS07]: Registration Main idea: a registration authority (RA) distributes pseudonyms, which are then used for bidding. Registration Authority Bidder , h( ), Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Introduction Formal Definitions Curtis et al. Case Studies Brandt Conclusion Protocol by Curtis et al. [CPS07]: Registration Main idea: a registration authority (RA) distributes pseudonyms, which are then used for bidding. Registration Authority Bidder , h( ), { , h( ), } pk ( Bidder ) Jannik Dreier, Pascal Lafourcade, Yassine Lakhnech Formal Verification of e-Auction protocols
Recommend
More recommend
