Analysis of cryptographic protocols in the formal model

My work on cryptographic protocols is in the line of formal methods research: we assume perfect cryptographic primitives (for instance, one can decrypt a message only if one has the corresponding key). Based on this assumption, we can prove properties of the protocol. I have mainly been interested in a verification technique based on first order theorem proving.

I have also implemented a protocol verifier, which can handle many different cryptographic primitives, including shared- and public-key cryptography (encryption and signatures), hash functions, and Diffie-Hellman key agreements. This protocol verifier is based on a representation of the protocol by Horn clauses. An interesting novelty of this work with respect to classical model checking tools for the verification of cryptographic protocols is that it can handle an unbounded number of sessions of the protocol (even in parallel) and an unbounded message space. This result has been obtained thanks to some well-chosen approximations. This means that the verifier can give false attacks, but if it claims that the protocol preserves the secrecy of some value, then the secrecy is actually preserved. This verifier can prove the following properties:

secrecy (the adversary cannot obtain the secret, CSFW'01)
authentication (SAS'02) and more generally correspondence properties (SAS'03, with Martín Abadi)
strong secrecy (the adversary does not see the difference when the value of the secret changes, Oakland'04)
equivalences between processes that differ only by terms (LICS'05 with Martín Abadi and Cédric Fournet)

I have tested this verifier on protocols of the literature with very encouraging results: many examples of protocols can be verified by this tool with small resources. (All tested protocols have been analyzed in less than 1 s.) With Andreas Podelski, I have shown that the considered resolution algorithm terminates on a large class of protocols (the so-called "tagged" protocols, FoSSaCS'03 and TCS). With Martín Abadi and Cédric Fournet, I have also done a more ambitious case study, on the protocol JFK (ESOP'04).

In collaboration with Martín Abadi, I have also studied a verification technique based on typing (FoSSaCS'01 and TCS'03). These two approaches are compared in our POPL'2002 paper with Martín Abadi. We show that our FoSSaCS type system can be extended to handle more cryptographic primitives in a more flexible way, and that this new type system is equivalent to the protocol verifier for secrecy. Both techniques can prove exactly the same secrecy properties, even if they seem completely unrelated at first sight.

Publications on this topic

[1]: Bruno Blanchet. Using Horn Clauses for Analyzing Security Protocols. In Véronique Cortier and Steve Kremer, editors, Formal Models and Techniques for Analyzing Security Protocols. IOS Press, 2010. To appear.
[2]: Bruno Blanchet. Automatic Verification of Correspondences for Security Protocols. Journal of Computer Security, 17(4):363-434, July 2009.
[3]: Martín Abadi (invited speaker), Bruno Blanchet, and Hubert Comon-Lundh. Models and Proofs of Protocol Security: A Progress Report. In Ahmed Bouajjani and Oded Maler, editors, 21st International Conference on Computer Aided Verification (CAV'09), volume 5643 of Lecture Notes on Computer Science, pages 35-49, Grenoble, France, June 2009. Springer Verlag.
[4]: Bruno Blanchet. Vérification automatique de protocoles cryptographiques : modèle formel et modèle calculatoire. Automatic verification of security protocols: formal model and computational model. Mémoire d'habilitation à diriger des recherches, Université Paris-Dauphine, November 2008. En français avec publications en anglais en annexe. In French with publications in English in appendix.
[5]: Bruno Blanchet and Avik Chaudhuri. Automated Formal Analysis of a Protocol for Secure File Sharing on Untrusted Storage. In IEEE Symposium on Security and Privacy, pages 417-431, Oakland, CA, May 2008. IEEE.
[6]: Bruno Blanchet. Automatic verification of correspondences for security protocols. Report arXiv:0802.3444v1, February 2008. Available at http://arxiv.org/abs/0802.3444v1.
[7]: Bruno Blanchet, Martín Abadi, and Cédric Fournet. Automated Verification of Selected Equivalences for Security Protocols. Journal of Logic and Algebraic Programming, 75(1):3-51, February-March 2008.
[8]: Martín Abadi, Bruno Blanchet, and Cédric Fournet. Just Fast Keying in the Pi Calculus. ACM Transactions on Information and System Security (TISSEC), 10(3):1-59, July 2007.
[9]: Martín Abadi and Bruno Blanchet. Computer-Assisted Verification of a Protocol for Certified Email. Science of Computer Programming, 58(1-2):3-27, October 2005. Special issue SAS'03.
[10]: Bruno Blanchet. Security Protocols: From Linear to Classical Logic by Abstract Interpretation. Information Processing Letters, 95(5):473-479, September 2005.
[11]: Bruno Blanchet. An Automatic Security Protocol Verifier based on Resolution Theorem Proving (invited tutorial). In 20th International Conference on Automated Deduction (CADE-20), Tallinn, Estonia, July 2005.
[12]: Bruno Blanchet, Martín Abadi, and Cédric Fournet. Automated Verification of Selected Equivalences for Security Protocols. In 20th IEEE Symposium on Logic in Computer Science (LICS 2005), pages 331-340, Chicago, IL, June 2005. IEEE Computer Society.
[13]: Xavier Allamigeon and Bruno Blanchet. Reconstruction of Attacks against Cryptographic Protocols. In 18th IEEE Computer Security Foundations Workshop (CSFW-18), pages 140-154, Aix-en-Provence, France, June 2005. IEEE Computer Society.
[14]: Bruno Blanchet and Andreas Podelski. Verification of Cryptographic Protocols: Tagging Enforces Termination. Theoretical Computer Science, 333(1-2):67-90, March 2005. Special issue FoSSaCS'03.
[15]: Martín Abadi and Bruno Blanchet. Analyzing Security Protocols with Secrecy Types and Logic Programs. Journal of the ACM, 52(1):102-146, January 2005.
[16]: Bruno Blanchet. Automatic Proof of Strong Secrecy for Security Protocols. Technical Report MPI-I-2004-NWG1-001, Max-Planck-Institut für Informatik, Saarbrücken, Germany, July 2004.
[17]: Bruno Blanchet. Automatic Proof of Strong Secrecy for Security Protocols. In IEEE Symposium on Security and Privacy, pages 86-100, Oakland, California, May 2004.
[18]: Martín Abadi, Bruno Blanchet, and Cédric Fournet. Just Fast Keying in the Pi Calculus. In David Schmidt, editor, Programming Languages and Systems: Proceedings of the 13th European Symposium on Programming (ESOP'04), volume 2986 of Lecture Notes on Computer Science, pages 340-354, Barcelona, Spain, March 2004. Springer Verlag.
[19]: Bruno Blanchet. Automatic Proof of Strong Secrecy for Security Protocols. In Dagstuhl seminar Language-Based Security, October 2003.
[20]: Bruno Blanchet. Automatic Verification of Cryptographic Protocols: A Logic Programming Approach (invited talk). In 5th ACM-SIGPLAN International Conference on Principles and Practice of Declarative Programming (PPDP'03), pages 1-3, Uppsala, Sweden, August 2003. ACM.
[21]: Martín Abadi and Bruno Blanchet. Computer-Assisted Verification of a Protocol for Certified Email. In Radhia Cousot, editor, Static Analysis, 10th International Symposium (SAS'03), volume 2694 of Lecture Notes on Computer Science, pages 316-335, San Diego, California, June 2003. Springer Verlag.
[22]: Martín Abadi and Bruno Blanchet. Secrecy Types for Asymmetric Communication. Theoretical Computer Science, 298(3):387-415, April 2003. Special issue FoSSaCS'01.
[23]: Bruno Blanchet and Andreas Podelski. Verification of Cryptographic Protocols: Tagging Enforces Termination. In Andrew Gordon, editor, Foundations of Software Science and Computation Structures (FoSSaCS'03), volume 2620 of Lecture Notes on Computer Science, pages 136-152, Warsaw, Poland, April 2003. Springer Verlag.
[24]: Bruno Blanchet. From Secrecy to Authenticity in Security Protocols. In Manuel Hermenegildo and Germán Puebla, editors, 9th International Static Analysis Symposium (SAS'02), volume 2477 of Lecture Notes on Computer Science, pages 342-359, Madrid, Spain, September 2002. Springer Verlag.
[25]: Martín Abadi and Bruno Blanchet. Analyzing Security Protocols with Secrecy Types and Logic Programs. In 29th Annual ACM SIGPLAN - SIGACT Symposium on Principles of Programming Languages (POPL 2002), pages 33-44, Portland, Oregon, January 2002. ACM Press.
[26]: Bruno Blanchet. Abstracting Cryptographic Protocols by Prolog Rules (invited talk). In Patrick Cousot, editor, 8th International Static Analysis Symposium (SAS'2001), volume 2126 of Lecture Notes on Computer Science, pages 433-436, Paris, France, July 2001. Springer Verlag.
[27]: Bruno Blanchet. An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In 14th IEEE Computer Security Foundations Workshop (CSFW-14), pages 82-96, Cape Breton, Nova Scotia, Canada, June 2001. IEEE Computer Society.
[28]: Martín Abadi and Bruno Blanchet. Secrecy Types for Asymmetric Communication. In F. Honsell and M. Miculan, editors, Foundations of Software Science and Computation Structures (FoSSaCS 2001), volume 2030 of Lecture Notes on Computer Science, pages 25-41, Genova, Italy, April 2001. Springer Verlag.
[29]: Martín Abadi and Bruno Blanchet. Secrecy Types for Asymmetric Communication. In Dagstuhl seminar Security through Analysis and Verification, December 2000.

Software: ProVerif

Bruno Blanchet