# Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif

@article{Blanchet2016ModelingAV, title={Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif}, author={Bruno Blanchet}, journal={Found. Trends Priv. Secur.}, year={2016}, volume={1}, pages={1-135} }

ProVerif is an automatic symbolic protocol verifier. It supports a wide range of cryptographic primitives, defined by rewrite rules or by equations. It can prove various security properties: secrecy, authentication, and process equivalences, for an unbounded message space and an unbounded number of sessions. It takes as input a description of the protocol to verify in a dialect of the applied pi calculus, an extension of the pi calculus with cryptography. It automatically translates this…

## Figures from this paper

## 187 Citations

Combining ProVerif and Automated Theorem Provers for Security Protocol Verification

- Computer Science, MathematicsCADE
- 2019

This work describes an integration of a state-of-the-art protocol verifier ProVerif, with automated first order theorem provers (ATP), which allows one to model directly algebraic properties of cryptographic operators as a first-order equational theory and the specified protocol can be exported to a first order logic specification in the standard TPTP format for ATP.

Relating Process Languages for Security and Communication Correctness (Extended Abstract)

- Computer ScienceFORTE
- 2018

This work connects two representative calculi, and establishes the correctness of the encoding, and shows how it enables the integrated analysis of security properties and communication correctness by re-using existing tools.

Verifpal: Cryptographic Protocol Analysis for the Real World

- Computer ScienceINDOCRYPT
- 2020

Through Verifpal, it is shown that advanced verification with formalized semantics and sound logic can exist without any expense towards the convenience of real-world practitioners.

Protocol Insecurity with Assertions

- Computer Science, Mathematics
- 2022

This paper considers the insecurity problem for protocols with a class of assertions that includes equality on terms and existential quantification, and shows that this problem is in NP.

Equivalence Properties by Typing in Cryptographic Branching Protocols

- Computer Science, MathematicsPOST
- 2018

Recently, many tools have been proposed for automatically analysing, in symbolic models, equivalence of security protocols by proving a stronger notion of equivalence (diff-equivalence) that does not properly handle protocols with else branches.

Verifpal: Cryptographic Protocol Analysis for Students and Engineers

- Computer ScienceIACR Cryptol. ePrint Arch.
- 2019

Through Verifpal, it is shown that advanced verification with formalized semantics and sound logic can exist without any expense towards the convenience of real-world practitioners.

Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach

- Computer Science, Mathematics2017 IEEE European Symposium on Security and Privacy (EuroS&P)
- 2017

This work uses ProVerif and CryptoVerif to find new and previously-known weaknesses in the protocol and suggest practical countermeasures, and demonstrates that, with disciplined programming and some verification expertise, the systematic analysis of complex cryptographic web applications is now becoming practical.

Project Team

- Computer Science‘Our Lincolnshire’: Exploring public engagement with heritage
- 2019

Many of the algorithms used in ProVerif (generation of clauses, resolution, subsumption, etc.), resulting in impressive speed-ups on large examples, are presented, for the computational veriﬁcation of security protocols at IEEE S&P [14].

Formal Analysis of QUIC Handshake Protocol Using Symbolic Model Checking

- Computer ScienceIEEE Access
- 2021

A formal model of the QUIC handshake protocol is developed and a comprehensive formal security analysis is performed by using two state-of-the-art model checking tools for cryptographic protocols, i.e., ProVeirf and Verifpal, showing that ProVerif is generally more powerful than VerifPal in terms of verifying authentication properties.

Decidable Inductive Invariants for Verification of Cryptographic Protocols with Unbounded Sessions

- Mathematics, Computer ScienceCONCUR
- 2020

We develop a theory of decidable inductive invariants for an infinite-state variant of the Applied pi-calculus, with applications to automatic verification of stateful cryptographic protocols with…

## References

SHOWING 1-10 OF 153 REFERENCES

Automatic Verification of Security Protocols in the Symbolic Model: The Verifier ProVerif

- Computer Science, MathematicsFOSAD
- 2013

This work focuses on the automatic symbolic protocol verifier ProVerif, which can prove secrecy, authentication, and observational equivalence properties of security protocols, for an unbounded number of sessions of the protocol.

Using Horn Clauses for Analyzing Security Protocols

- Computer ScienceFormal Models and Techniques for Analyzing Security Protocols
- 2011

This chapter presents a method for verifying security protocols based on an abstract representation of protocols by Horn clauses, which is the foundation of the protocol verifier ProVerif and supports various cryptographic primitives defined by rewrite rules or equations.

Automatic Verification of Privacy Properties in the Applied pi Calculus

- Computer Science, MathematicsIFIPTM
- 2008

We develop a formal method verification technique for cryptographic protocols. We focus on proving observational equivalences of the kind P ∼ Q, where the processes P and Q have the same structure…

Extracting and verifying cryptographic models from C protocol code by symbolic execution

- Computer Science, MathematicsCCS '11
- 2011

The results in this paper provide the first computationally sound verification of weak secrecy and authentication for (single execution paths of) C code.

A Computationally Sound Mechanized Prover for Security Protocols

- Computer Science, MathematicsIEEE Transactions on Dependable and Secure Computing
- 2008

This work presents a new mechanized prover for secrecy properties of security protocols that provides a generic method for specifying security properties of the cryptographic primitives, which can handle shared-key and public-key encryption, signatures, message authentication codes, and hash functions.

Automatic proof of strong secrecy for security protocols

- Computer Science, MathematicsIEEE Symposium on Security and Privacy, 2004. Proceedings. 2004
- 2004

A new automatic technique for proving strong secrecy for security protocols that relies on an automatic translation of the protocol into Horn clauses, and a resolution algorithm on the clauses.

Automated verification of selected equivalences for security protocols

- Computer Science20th Annual IEEE Symposium on Logic in Computer Science (LICS' 05)
- 2005

Strong Invariants for the Efficient Construction of Machine-Checked Protocol Security Proofs

- Computer Science, Mathematics2010 23rd IEEE Computer Security Foundations Symposium
- 2010

We embed an operational semantics for security protocols in the interactive theorem prover Isabelle/HOL and derive two strong protocol-independent invariants. These invariants allow us to reason…

Zero-Knowledge in the Applied Pi-calculus and Automated Verification of the Direct Anonymous Attestation Protocol

- Computer Science, Mathematics2008 IEEE Symposium on Security and Privacy (sp 2008)
- 2008

This work successfully used ProVerif to obtain the first mechanized analysis of (a simplified variant of) the Direct Anonymous Attestation (DAA) protocol, and proposes a revised variant of DAA that is successfully prove secure using Pro Verif.

Computational Soundness Results for ProVerif - Bridging the Gap from Trace Properties to Uniformity

- Computer Science, MathematicsPOST
- 2014

Dolev-Yao models of cryptographic operations constitute the foundation of many successful verification tools for security protocols, such as the protocol verifier ProVerif, but these models either only consider a limited class of protocols or are not amenable to fully automated verification.