Verification of security protocols protocols in the formal model

• It is based on the formal model of protocols: one assumes perfect cryptographic primitives (for example, one can decrypt only when one has the key). The messages are terms on these primitives, and the adversary is restricted to apply only these primitives. Based on this assumption, we can prove properties of the protocol.
• It can handle many different cryptographic primitives, defined by rewrite rules or equations, including shared- and public-key cryptography (encryption and signatures), hash functions, and Diffie-Hellman key agreements.
• It is based on a representation of the protocol by Horn clauses. An interesting novelty of this work with respect to classical model checking tools for the verification of cryptographic protocols is that it can handle an unbounded number of sessions of the protocol (even in parallel) and an unbounded message space. This result has been obtained thanks to some well-chosen approximations. This means that the verifier can give false attacks, but if it claims that the protocol satisfies some security property, then the security property is true.
• This verifier can prove the following properties:
  • secrecy (the adversary cannot obtain the secret, CSFW'01)
  • authentication (SAS'02) and more generally correspondence properties (SAS'03, with Martín Abadi; JCS)
  • strong secrecy (the adversary does not see the difference when the value of the secret changes, Oakland'04)
  • equivalences between processes that differ only by terms (LICS'05 and JLAP with Martín Abadi and Cédric Fournet)
• I have tested this verifier on protocols of the literature with very encouraging results: many examples of protocols can be verified by this tool with small resources. (Protocols of literature can typically be analyzed in less than 1 s.)
• With Andreas Podelski, I have shown that the considered resolution algorithm terminates on a large class of protocols (the so-called "tagged" protocols, FoSSaCS'03 and TCS).
• Xavier Allamigeon designed an attack reconstruction algorithm during an internship under my supervision (CSFW'05).
• I have also done more ambitious case studies, with Martín Abadi and Cédric Fournet on the protocol JFK (ESOP'04), and with Avik Chaudhuri on the filesystem Plutus (Oakland'08).

In collaboration with Martín Abadi, I have also studied a verification technique based on typing (FoSSaCS'01 and TCS'03). These two approaches are compared in our POPL'2002 paper with Martín Abadi. We show that our FoSSaCS type system can be extended to handle more cryptographic primitives in a more flexible way, and that this new type system is equivalent to the protocol verifier for secrecy. Both techniques can prove exactly the same secrecy properties, even if they seem completely unrelated at first sight.

Publications on this topic

[1]

Miriam Paiola and Bruno Blanchet. Verification of security protocols with lists: from length one to unbounded length. In Pierpaolo Degano and Joshua Guttman, editors, First Conference on Principles of Security and Trust (POST'12), Lecture Notes on Computer Science, Tallinn, Estonia, March 2012. Springer Verlag. To appear. Available at http://www.di.ens.fr/~paiola/publications/PaiolaBlanchetPOST12.html.

[2]

Bruno Blanchet. Security Protocol Verification: Symbolic and Computational Models. In Pierpaolo Degano and Joshua Guttman, editors, First Conference on Principles of Security and Trust (POST'12), Lecture Notes on Computer Science, Tallinn, Estonia, March 2012. Springer Verlag. To appear.

[3]

Bruno Blanchet. Using Horn Clauses for Analyzing Security Protocols. In Véronique Cortier and Steve Kremer, editors, Formal Models and Techniques for Analyzing Security Protocols, volume 5 of Cryptology and Information Security Series, pages 86-111. IOS Press, March 2011.

[4]

Bruno Blanchet. Automatic Verification of Correspondences for Security Protocols. Journal of Computer Security, 17(4):363-434, July 2009.

[5]

Martín Abadi (invited speaker), Bruno Blanchet, and Hubert Comon-Lundh. Models and Proofs of Protocol Security: A Progress Report. In Ahmed Bouajjani and Oded Maler, editors, 21st International Conference on Computer Aided Verification (CAV'09), volume 5643 of Lecture Notes on Computer Science, pages 35-49, Grenoble, France, June 2009. Springer Verlag.

[6]

Bruno Blanchet. Vérification automatique de protocoles cryptographiques : modèle formel et modèle calculatoire. Automatic verification of security protocols: formal model and computational model. Mémoire d'habilitation à diriger des recherches, Université Paris-Dauphine, November 2008. En français avec publications en anglais en annexe. In French with publications in English in appendix.

[7]

Bruno Blanchet and Avik Chaudhuri. Automated Formal Analysis of a Protocol for Secure File Sharing on Untrusted Storage. In IEEE Symposium on Security and Privacy, pages 417-431, Oakland, CA, May 2008. IEEE.

[8]

Bruno Blanchet. Automatic verification of correspondences for security protocols. Report arXiv:0802.3444v1, February 2008. Available at http://arxiv.org/abs/0802.3444v1.

[9]

Bruno Blanchet, Martín Abadi, and Cédric Fournet. Automated Verification of Selected Equivalences for Security Protocols. Journal of Logic and Algebraic Programming, 75(1):3-51, February-March 2008.

[10]

Martín Abadi, Bruno Blanchet, and Cédric Fournet. Just Fast Keying in the Pi Calculus. ACM Transactions on Information and System Security (TISSEC), 10(3):1-59, July 2007.

[11]

Martín Abadi and Bruno Blanchet. Computer-Assisted Verification of a Protocol for Certified Email. Science of Computer Programming, 58(1-2):3-27, October 2005. Special issue SAS'03.

[12]

Bruno Blanchet. Security Protocols: From Linear to Classical Logic by Abstract Interpretation. Information Processing Letters, 95(5):473-479, September 2005.

[13]

Bruno Blanchet. An Automatic Security Protocol Verifier based on Resolution Theorem Proving (invited tutorial). In 20th International Conference on Automated Deduction (CADE-20), Tallinn, Estonia, July 2005.

[14]

Bruno Blanchet, Martín Abadi, and Cédric Fournet. Automated Verification of Selected Equivalences for Security Protocols. In 20th IEEE Symposium on Logic in Computer Science (LICS 2005), pages 331-340, Chicago, IL, June 2005. IEEE Computer Society.

[15]

Xavier Allamigeon and Bruno Blanchet. Reconstruction of Attacks against Cryptographic Protocols. In 18th IEEE Computer Security Foundations Workshop (CSFW-18), pages 140-154, Aix-en-Provence, France, June 2005. IEEE Computer Society.

[16]

Bruno Blanchet and Andreas Podelski. Verification of Cryptographic Protocols: Tagging Enforces Termination. Theoretical Computer Science, 333(1-2):67-90, March 2005. Special issue FoSSaCS'03.

[17]

Martín Abadi and Bruno Blanchet. Analyzing Security Protocols with Secrecy Types and Logic Programs. Journal of the ACM, 52(1):102-146, January 2005.

[18]

Bruno Blanchet. Automatic Proof of Strong Secrecy for Security Protocols. Technical Report MPI-I-2004-NWG1-001, Max-Planck-Institut für Informatik, Saarbrücken, Germany, July 2004.

[19]

Bruno Blanchet. Automatic Proof of Strong Secrecy for Security Protocols. In IEEE Symposium on Security and Privacy, pages 86-100, Oakland, California, May 2004.

[20]

Martín Abadi, Bruno Blanchet, and Cédric Fournet. Just Fast Keying in the Pi Calculus. In David Schmidt, editor, Programming Languages and Systems: Proceedings of the 13th European Symposium on Programming (ESOP'04), volume 2986 of Lecture Notes on Computer Science, pages 340-354, Barcelona, Spain, March 2004. Springer Verlag.

[21]

Bruno Blanchet. Automatic Proof of Strong Secrecy for Security Protocols. In Dagstuhl seminar Language-Based Security, October 2003.

[22]

Bruno Blanchet. Automatic Verification of Cryptographic Protocols: A Logic Programming Approach (invited talk). In 5th ACM-SIGPLAN International Conference on Principles and Practice of Declarative Programming (PPDP'03), pages 1-3, Uppsala, Sweden, August 2003. ACM.

[23]

Martín Abadi and Bruno Blanchet. Computer-Assisted Verification of a Protocol for Certified Email. In Radhia Cousot, editor, Static Analysis, 10th International Symposium (SAS'03), volume 2694 of Lecture Notes on Computer Science, pages 316-335, San Diego, California, June 2003. Springer Verlag.

[24]

Martín Abadi and Bruno Blanchet. Secrecy Types for Asymmetric Communication. Theoretical Computer Science, 298(3):387-415, April 2003. Special issue FoSSaCS'01.

[25]

Bruno Blanchet and Andreas Podelski. Verification of Cryptographic Protocols: Tagging Enforces Termination. In Andrew Gordon, editor, Foundations of Software Science and Computation Structures (FoSSaCS'03), volume 2620 of Lecture Notes on Computer Science, pages 136-152, Warsaw, Poland, April 2003. Springer Verlag.

[26]

Bruno Blanchet. From Secrecy to Authenticity in Security Protocols. In Manuel Hermenegildo and Germán Puebla, editors, 9th International Static Analysis Symposium (SAS'02), volume 2477 of Lecture Notes on Computer Science, pages 342-359, Madrid, Spain, September 2002. Springer Verlag.

[27]

Martín Abadi and Bruno Blanchet. Analyzing Security Protocols with Secrecy Types and Logic Programs. In 29th Annual ACM SIGPLAN - SIGACT Symposium on Principles of Programming Languages (POPL 2002), pages 33-44, Portland, Oregon, January 2002. ACM Press.

[28]

Bruno Blanchet. Abstracting Cryptographic Protocols by Prolog Rules (invited talk). In Patrick Cousot, editor, 8th International Static Analysis Symposium (SAS'2001), volume 2126 of Lecture Notes on Computer Science, pages 433-436, Paris, France, July 2001. Springer Verlag.

[29]

Bruno Blanchet. An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In 14th IEEE Computer Security Foundations Workshop (CSFW-14), pages 82-96, Cape Breton, Nova Scotia, Canada, June 2001. IEEE Computer Society.

[30]

Martín Abadi and Bruno Blanchet. Secrecy Types for Asymmetric Communication. In F. Honsell and M. Miculan, editors, Foundations of Software Science and Computation Structures (FoSSaCS 2001), volume 2030 of Lecture Notes on Computer Science, pages 25-41, Genova, Italy, April 2001. Springer Verlag.

[31]

Martín Abadi and Bruno Blanchet. Secrecy Types for Asymmetric Communication. In Dagstuhl seminar Security through Analysis and Verification, December 2000.

Software: ProVerif