Using Horn Clauses for Analyzing Security Protocols

This chapter presents a method for verifying security protocols based on an abstract representation of protocols by Horn clauses. This method is the foundation of the protocol verifier ProVerif. It is fully automatic, efficient, and can handle an unbounded number of sessions and an unbounded message space. It supports various cryptographic primitives defined by rewrite rules or equations. Although this chapter focuses on secrecy, the method can also prove other security properties, including authentication and process equivalences.
