Formalizing some combinatorial attacks in security protocols

Context. Security protocols are distributed programs that aim at ensuring security properties, such as confidentiality, authentication or anonymity, by the means of cryptography. Such protocols are widely deployed, e.g., for electronic commerce on the Internet, in banking networks, mobile phones and more recently electronic elections. As properties need to be ensured, even if the protocol is executed over untrusted networks (such as the Internet), these protocols have shown extremely difficult to get right. Formal methods have shown very useful to detect errors and ensure their correctness. Many results exist in literature for analyzing reachability properties, such as confidentiality and authentication. These results generally rely on the assumption that cryptographic primitives work perfectly and there is essentially no chance of guessing any data. However, these assumptions are unrealistic in some situations. Indeed, recent protocols attempt to achieve authentication by using an out of band channel (e.g. SMS) and require comparison of strings which are short enough for humans to compare or retype them easily. This novel sort of authentication protocols is used in many daily life applications (e.g. bank transfer) and it is important to ensure their security [NR11]. However, the use of weak data and/or weak primitives means that new types of attacks can be achieved by guessing the weak data or by discovering an alternative way to produce it. As a consequence, the standard attacker model used by most of the existing protocol analysis tools is not suitable for analyzing these protocols.