Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif

Blanchet, Bruno

doi:10.1561/3300000004

Cited by 196 publications

(70 citation statements)

References 144 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…ProVerif [28,31] analyzes symbolic protocol models, whereas CryptoVerif [27] verifies computational models. The input languages of both tools are similar.…”

Section: Secrecymentioning

confidence: 99%

See 1 more Smart Citation

Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate

Bhargavan

Blanchet

Kobeissi

2017

2017 IEEE Symposium on Security and Privacy (SP)

Self Cite

150

View full text Add to dashboard Cite

TLS 1.3 is the next version of the Transport Layer Security (TLS) protocol. Its clean-slate design is a reaction both to the increasing demand for low-latency HTTPS connections and to a series of recent high-profile attacks on TLS. The hope is that a fresh protocol with modern cryptography will prevent legacy problems; the danger is that it will expose new kinds of attacks, or reintroduce old flaws that were fixed in previous versions of TLS. After 18 drafts, the protocol is nearing completion, and the working group has appealed to researchers to analyze the protocol before publication. This paper responds by presenting a comprehensive analysis of the TLS 1.3 Draft-18 protocol. We seek to answer three questions that have not been fully addressed in previous work on TLS 1.3: (1) Does TLS 1.3 prevent well-known attacks on TLS 1.2, such as Logjam or the Triple Handshake, even if it is run in parallel with TLS 1.2? (2) Can we mechanically verify the computational security of TLS 1.3 under standard (strong) assumptions on its cryptographic primitives? (3) How can we extend the guarantees of the TLS 1.3 protocol to the details of its implementations? To answer these questions, we propose a methodology for developing verified symbolic and computational models of TLS 1.3 hand-in-hand with a high-assurance reference implementation of the protocol. We present symbolic ProVerif models for various intermediate versions of TLS 1.3 and evaluate them against a rich class of attacks to reconstruct both known and previously unpublished vulnerabilities that influenced the current design of the protocol. We present a computational CryptoVerif model for TLS 1.3 Draft-18 and prove its security. We present RefTLS, an interoperable implementation of TLS 1.0-1.3 and automatically analyze its protocol core by extracting a ProVerif model from its typed JavaScript code. Résumé : TLS 1.3 est la prochaine version du protocole TLS (Transport Layer Security). Sa conception à partir de zéro est une réaction à la fois à la demande croissante de connexions HTTPS à faible latence et à une série d'attaques récentes de haut niveau sur TLS. L'espoir est qu'un nouveau protocole avec de la cryptographie moderne éviterait d'hériter des problèmes des versions précédentes; le danger est que cela pourrait exposer à de nouveaux types d'attaques ou réintroduire d'anciens défauts corrigés dans les versions précédentes de TLS. Après 18 versions préliminaires, le protocole est presque terminé, et le groupe de travail a appelé les chercheurs à analyser le protocole avant publication. Cet article répond en présentant une analyse globale du protocole TLS 1.3 Draft-18.Nous cherchons à répondre à trois questions qui n'ont pas été entièrement traitées dans les travaux antérieurs sur TLS 1.3: (1) TLS 1.3 empêche-t-il les attaques connues sur TLS 1.2, comme Logjam ou Triple Handshake, même s'il est exécuté en parallèle avec TLS 1.2 ? (2) Peuton vérifier mécaniquement la sécurité calculatoire de TLS 1.3 sous des hypothèses standard (fortes) sur ses primitives...

show abstract

“…ProVerif [28,31] analyzes symbolic protocol models, whereas CryptoVerif [27] verifies computational models. The input languages of both tools are similar.…”

Section: Secrecymentioning

confidence: 99%

“…We present symbolic protocol models for TLS 1.3 written in ProVerif [31]. They incorporate a novel security model (described in §2) that accounts for all recent attacks on TLS, including those relying on weak cryptographic algorithms.…”

Section: Introductionmentioning

confidence: 99%

Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate

Bhargavan

Blanchet

Kobeissi

2017

2017 IEEE Symposium on Security and Privacy (SP)

Self Cite

150

View full text Add to dashboard Cite

show abstract

“…For our formal analysis, we model protocols in a dialect of the applied pi calculus [17], [18] that is used as input language by the PROVERIF tool [19] which we use to automate the analysis. We will only give a brief, informal overview here, which should be sufficient to explain our modelling of TLS sessions and threat scenarios.…”

Section: The Formal Modelmentioning

confidence: 99%

An extensive formal analysis of multi-factor authentication protocols

Jacomme¹,

Kremer²

2018

EasyChair Preprints

View full text Add to dashboard Cite

Abstract-Passwords are still the most widespread means for authenticating users, even though they have been shown to create huge security problems. This motivated the use of additional authentication mechanisms used in so-called multifactor authentication protocols. In this paper we define a detailed threat model for this kind of protocols: while in classical protocol analysis attackers control the communication network, we take into account that many communications are performed over TLS channels, that computers may be infected by different kinds of malwares, that attackers could perform phishing, and that humans may omit some actions. We formalize this model in the applied pi calculus and perform an extensive analysis and comparison of several widely used protocols -variants of Google 2-step and FIDO's U2F. The analysis is completely automated, generating systematically all combinations of threat scenarios for each of the protocols and using the PROVERIF tool for automated protocol analysis. Our analysis highlights weaknesses and strengths of the different protocols, and allows us to suggest several small modifications of the existing protocols which are easy to implement, yet improve their security in several threat scenarios.

show abstract

“…The specification for the trusted authority T is as follows: ((2, t)). νsk(T ); t [3]! {1, 2}, pk(sk(T )) .y [1]?…”

Section: Process Specificationmentioning

confidence: 99%

“…In future work, we intend to explore our approach to process specification and verification in the setting of ProVerif [3], whose input language is a typed applied π-calculus. We also plan to connect our approach with existing type systems for secure information flow and access control in multiparty sessions [4].…”

Section: Related Work and Concluding Remarksmentioning

confidence: 99%

Relating Process Languages for Security and Communication Correctness (Extended Abstract)

Nantes

Pérez

2018

Formal Techniques for Distributed Objects, Components, and Systems

View full text Add to dashboard Cite

Abstract. Process calculi are expressive specification languages for concurrency. They have been very successful in two research strands: (a) the analysis of security protocols and (b) the enforcement of correct messagepassing programs. Despite their shared foundations, languages and reasoning techniques for (a) and (b) have been separately developed. Here we connect two representative calculi from (a) and (b): we encode a (high-level) π-calculus for multiparty sessions into a (low-level) applied π-calculus for security protocols. We establish the correctness of our encoding, and we show how it enables the integrated analysis of security properties and communication correctness by re-using existing tools.

show abstract

Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif

Cited by 196 publications

References 144 publications

Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate

Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate

An extensive formal analysis of multi-factor authentication protocols

Relating Process Languages for Security and Communication Correctness (Extended Abstract)

Contact Info

Product

Resources

About