@@ -4,17 +4,15 @@ Tamarin models for the paper "Integrating Privacy into the Electric Vehicle Char
In the paper, we propose a privacy-preserving extension to the existing Plug and Charge (PnC) architecture. Here, we provide the Tamarin models we use for formal verification of the security and privacy properties of our proposed extension.
Our models are based on the models from the following paper:
Stephan Wesemeyer, Christopher J.P. Newton, Helen Treharne, Liqun Chen, Ralf Sasse, and Jorden Whitefield. 2020. Formal Analysis and Implementation of a TPM 2.0-based Direct Anonymous Attestation Scheme. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security (ASIA CCS '20). Association for Computing Machinery, New York, NY, USA, 784–798. DOI:https://doi.org/10.1145/3320269.3372197
In the following, we first provide usage instructions for our model, then we list which model files are relevant for which property specified in our paper. Finally, we reference the original Tamarin models for DAA, which have been developed as part of another research, and describe the necessary changes for our models.
Their Tamarin models can be found at https://github.com/tamarin-prover/tamarin-prover/tree/dddaccbe981343dde1a321ce0c908585d4525918/examples/asiaccs20-eccDAA.
## Execution Instructions
The Tamarin prover (https://tamarin-prover.github.io/) is required to verify the model. Our files have been developed and verified with [Tamarin version 1.6.0](https://github.com/tamarin-prover/tamarin-prover/releases/tag/1.6.0). At the beginning of each model file, the command to generate the corresponding Tamarin proof(s) is given, together with its expected output and the verification times on our test machine, which can be used as an orientation. Please note that these instructions are for Tamarin 1.6.0, later versions of Tamarin might require minor modifications. For example, in Tamarin 1.6.1, the precedence of specified heuristics has been changed, affecting proof generation for the [Security_Properties](Security_Properties/) model files.
The [Tamarin prover](https://tamarin-prover.github.io/) is required to verify the model. Our files have been developed and verified with [Tamarin version 1.6.0](https://github.com/tamarin-prover/tamarin-prover/releases/tag/1.6.0). At the beginning of each model file, the command to generate the corresponding Tamarin proof(s) is given, together with its expected output and the verification times on our test machine, which can be used as an orientation. Please note that these instructions are for Tamarin 1.6.0, later versions of Tamarin might require minor modifications. For example, in Tamarin 1.6.1, the precedence of specified heuristics has been changed, affecting proof generation for the [Security_Properties](Security_Properties/) model files.
Please consult the [Tamarin-Prover Manual](https://tamarin-prover.github.io/manual/tex/tamarin-manual.pdf) for installation and usage instructions. In addition, Python is required for the oracles.
## Security and Privacy Properties
In the following, we list which property of our extension is addressed by which Tamarin model file.
...
...
@@ -27,9 +25,21 @@ In the following, we list which property of our extension is addressed by which
**Privacy_Properties**
The files with the keyword *anonymity* in their filename contain a model for a weaker version of the properties.
| _PR<sub>5</sub>_ - Unlinkability of EV Users and Locations | daa_pnc_anonymity_ev_users_locations.spthy <br> daa_pnc_unlinkability_ev_users_locations.spthy | oracle_ev_users_locations.py |
## Original Tamarin DAA model
Our models are based on the models from the following paper:
Stephan Wesemeyer, Christopher J.P. Newton, Helen Treharne, Liqun Chen, Ralf Sasse, and Jorden Whitefield. 2020. Formal Analysis and Implementation of a TPM 2.0-based Direct Anonymous Attestation Scheme. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security (ASIA CCS '20). Association for Computing Machinery, New York, NY, USA, 784–798. DOI:https://doi.org/10.1145/3320269.3372197
Their Tamarin models can be found at https://github.com/tamarin-prover/tamarin-prover/tree/dddaccbe981343dde1a321ce0c908585d4525918/examples/asiaccs20-eccDAA.
The changes/extension to their model can be summarized as follows: (i) Adaptions/additions to the model rules in order to represent the e-mobility-specific roles/processes within the context (e.g., the introduction of the CPS role between the host and issuer in the credential provisioning process or the validation of charge authorization via the EMSP in addition to the DAA-Signature verification by the CP/Verifier), (ii) changes to model rules in order to represent the changes to the base DAA Join and Certify processes; e.g., the possibility of no live interaction with the credential issuer during installation due to the use of credential pools or the binding of session keys to the ISO 15118 session), (iii) definition of new lemmas in order to verify correctness as well as the identified security/privacy requirements, and (iv) performance optimizations such that the new models terminate within a reasonable time frame via the adaption of oracles (to work with the new/changed rules) and the addition of source/reuse lemmas.
Our changes roughly amount to 54 new rules, 16 changed rules, 32 new lemmas, 18 changed lemmas, and 5 adapted oracles.
