# Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif

@article{Blanchet2016ModelingAV, title={Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif}, author={Bruno Blanchet}, journal={Found. Trends Priv. Secur.}, year={2016}, volume={1}, pages={1-135} }

ProVerif is an automatic symbolic protocol verifier. It supports a wide range of cryptographic primitives, defined by rewrite rules or by equations. It can prove various security properties: secrecy, authentication, and process equivalences, for an unbounded message space and an unbounded number of sessions. It takes as input a description of the protocol to verify in a dialect of the applied pi calculus, an extension of the pi calculus with cryptography. It automatically translates this…

## 198 Citations

### Combining ProVerif and Automated Theorem Provers for Security Protocol Verification

- Computer Science, Mathematics
- CADE
- 2019

This work describes an integration of the state-of-the-art protocol verifier ProVerif with automated first-order theorem provers (ATP), which allows one to directly model algebraic properties of cryptographic operators as a first-order equational theory; the specified protocol can be exported to a first-order logic specification in the standard TPTP format for ATP.

### The Security Protocol Verifier ProVerif and its Horn Clause Resolution Algorithm

- Computer Science, Mathematics
- 2022

An overview of ProVerif is presented, and some specificities of its resolution algorithm, related to the particular application domain and the particular clauses that ProVerif generates, are discussed.

### Relating Process Languages for Security and Communication Correctness (Extended Abstract)

- Computer Science
- FORTE
- 2018

This work connects two representative calculi, establishes the correctness of the encoding, and shows how it enables the integrated analysis of security properties and communication correctness by re-using existing tools.

### Verifpal: Cryptographic Protocol Analysis for the Real World

- Computer Science
- INDOCRYPT
- 2020

Through Verifpal, it is shown that advanced verification with formalized semantics and sound logic can exist without any expense towards the convenience of real-world practitioners.

### Protocol Insecurity with Assertions

- Computer Science, Mathematics
- 2022

This paper considers the insecurity problem for protocols with a class of assertions that includes equality on terms and existential quantification, and shows that this problem is in NP.

### Equivalence Properties by Typing in Cryptographic Branching Protocols

- Computer Science, Mathematics
- POST
- 2018

Recently, many tools have been proposed for automatically analysing, in symbolic models, equivalence of security protocols by proving a stronger notion of equivalence (diff-equivalence) that does not properly handle protocols with else branches.

### Verifpal: Cryptographic Protocol Analysis for Students and Engineers

- Computer Science
- IACR Cryptol. ePrint Arch.
- 2019

Through Verifpal, it is shown that advanced verification with formalized semantics and sound logic can exist without any expense towards the convenience of real-world practitioners.

### Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach

- Computer Science, Mathematics
- 2017 IEEE European Symposium on Security and Privacy (EuroS&P)
- 2017

This work uses ProVerif and CryptoVerif to find new and previously-known weaknesses in the protocol and suggest practical countermeasures, and demonstrates that, with disciplined programming and some verification expertise, the systematic analysis of complex cryptographic web applications is now becoming practical.

### Project Team

- Computer Science
- ‘Our Lincolnshire’: Exploring public engagement with heritage
- 2019

Many of the algorithms used in ProVerif (generation of clauses, resolution, subsumption, etc.), resulting in impressive speed-ups on large examples, are presented, for the computational verification of security protocols at IEEE S&P [14].

### Cracking the Stateful Nut: Computational Proofs of Stateful Security Protocols using the Squirrel Proof Assistant

- Computer Science, Mathematics
- 2022

Squirrel’s proof system is extended to be able to express the complex proof arguments that are sometimes required for protocols with mutable states, including a proof of the YubiKey and YubiHSM protocols.

## References

SHOWING 1-10 OF 149 REFERENCES

### Automatic Verification of Security Protocols in the Symbolic Model: The Verifier ProVerif

- Computer Science, Mathematics
- FOSAD
- 2013

This work focuses on the automatic symbolic protocol verifier ProVerif, which can prove secrecy, authentication, and observational equivalence properties of security protocols, for an unbounded number of sessions of the protocol.

### Using Horn Clauses for Analyzing Security Protocols

- Computer Science
- Formal Models and Techniques for Analyzing Security Protocols
- 2011

This chapter presents a method for verifying security protocols based on an abstract representation of protocols by Horn clauses, which is the foundation of the protocol verifier ProVerif and supports various cryptographic primitives defined by rewrite rules or equations.

### Automatic Verification of Privacy Properties in the Applied pi Calculus

- Computer Science, Mathematics
- IFIPTM
- 2008

We develop a formal method verification technique for cryptographic protocols. We focus on proving observational equivalences of the kind P ∼ Q, where the processes P and Q have the same structure…

### A Computationally Sound Mechanized Prover for Security Protocols

- Computer Science, Mathematics
- IEEE Transactions on Dependable and Secure Computing
- 2008

This work presents a new mechanized prover for secrecy properties of security protocols that provides a generic method for specifying security properties of the cryptographic primitives, which can handle shared-key and public-key encryption, signatures, message authentication codes, and hash functions.

### Automatic proof of strong secrecy for security protocols

- Computer Science, Mathematics
- IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004
- 2004

A new automatic technique for proving strong secrecy for security protocols that relies on an automatic translation of the protocol into Horn clauses, and a resolution algorithm on the clauses.

### Automated verification of selected equivalences for security protocols

- Computer Science
- 20th Annual IEEE Symposium on Logic in Computer Science (LICS '05)
- 2005

### Strong Invariants for the Efficient Construction of Machine-Checked Protocol Security Proofs

- Computer Science, Mathematics
- 2010 23rd IEEE Computer Security Foundations Symposium
- 2010

We embed an operational semantics for security protocols in the interactive theorem prover Isabelle/HOL and derive two strong protocol-independent invariants. These invariants allow us to reason…

### Zero-Knowledge in the Applied Pi-calculus and Automated Verification of the Direct Anonymous Attestation Protocol

- Computer Science, Mathematics
- 2008 IEEE Symposium on Security and Privacy (sp 2008)
- 2008

This work successfully used ProVerif to obtain the first mechanized analysis of (a simplified variant of) the Direct Anonymous Attestation (DAA) protocol, and proposes a revised variant of DAA that is successfully proved secure using ProVerif.

### Computational Soundness Results for ProVerif - Bridging the Gap from Trace Properties to Uniformity

- Computer Science, Mathematics
- POST
- 2014

Dolev-Yao models of cryptographic operations constitute the foundation of many successful verification tools for security protocols, such as the protocol verifier ProVerif, but these models either only consider a limited class of protocols or are not amenable to fully automated verification.

### ASPIER: An Automated Framework for Verifying Security Protocol Implementations

- Computer Science
- 2009 22nd IEEE Computer Security Foundations Symposium
- 2009

The ASPIER tool is implemented and used to verify authentication and secrecy properties of a part of an industrial strength protocol implementation -- the handshake in OpenSSL -- for configurations consisting of up to 3 servers and 3 clients.