Strong Invariants for the Efficient Construction of Machine-Checked Protocol Security Proofs

Meier, Simon; Cremers, Cas; Basin, David

doi:10.1109/csf.2010.23

Cited by 22 publications

(23 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We found that proof generation times are similar, but our proof checking times are orders of magnitude faster, ranging from a factor 10 to a factor 1700. These results also apply here, as our new implementation is as fast as the one used in [32].…”

Section: Related Worksupporting

confidence: 52%

See 1 more Smart Citation

Efficient construction of machine-checked symbolic protocol security proofs

Meier

Cremers

Basin

2013

JCS

Self Cite

View full text Add to dashboard Cite

We embed an untyped security protocol model in the interactive theorem prover Isabelle/HOL and derive a theory for constructing proofs of secrecy and authentication properties. Our theory is based on two key ingredients. The first is an inference rule for enumerating the possible origins of messages known to the intruder. The second is a class of protocol-specific invariants that formalize type assertions about variables in protocol specifications. The resulting theory is well suited for interactively constructing human-readable, protocol security proofs. We additionally give an algorithm that automatically generates Isabelle/HOL proof scripts based on this theory. We provide case studies showing that both interactive and automatic proof construction are efficient. The resulting proofs provide strong correctness guarantees since all proofs, including those deriving our theory from the security protocol model, are machinechecked. S. Meier et al. / Efficient construction of machine-checked symbolic protocol security proofsprover Isabelle/HOL [34]. The protocols verified include the TLS handshake [36], Kerberos IV [8] and SET [7]. As reported in [35], the time required for an expert in interactive theorem proving to model and verify a protocol using this approach ranges from several days for small academic protocols to six weeks for a protocol like the TLS handshake [36].An alternative approach to security protocol verification is to use automatic tools such as ProVerif [11] or Scyther [15]. Such tools have two substantial advantages over interactive approaches: they require less user expertise and produce results orders of magnitude faster. However none of these tools produces machine-checked proofs.We combine the benefits of these two approaches to security protocol verification. We develop a tool-supported framework for the efficient construction of machinechecked protocol security proofs using automatic proof generation, where possible, and interactive proof construction, where required.

show abstract

Section: Related Worksupporting

confidence: 52%

“…In our previous work on decryption-chain reasoning [32], we provided a detailed timing comparison to their approach. We found that proof generation times are similar, but our proof checking times are orders of magnitude faster, ranging from a factor 10 to a factor 1700.…”

Section: Related Workmentioning

confidence: 98%

Efficient construction of machine-checked symbolic protocol security proofs

Meier

Cremers

Basin

2013

JCS

Self Cite

View full text Add to dashboard Cite

show abstract

“…The interpretation mapping a message pattern to its corresponding message in the context of a thread i and the variable store σ is modeled by the family of partial functions inst σ,i : Pat Msg. In the semantics presented in [30,31], these functions were total. However, we now use partial functions because the lookup of a shared symmetric long-term key always fails if one of the variables is not instantiated to an agent name.…”

Section: A1 Bidirectional Keysmentioning

confidence: 99%

Provably repairing the ISO/IEC 9798 standard for entity authentication1

Basin

Cremers

Meier

2013

JCS

Self Cite

View full text Add to dashboard Cite

We formally analyze the family of entity authentication protocols defined by the ISO/IEC 9798 standard and find numerous weaknesses, both old and new, including some that violate even the most basic authentication guarantees. We analyze the cause of these weaknesses, propose repaired versions of the protocols, and provide automated, machine-checked proofs of their correctness. From an engineering perspective, we propose two design principles for security protocols that suffice to prevent all the weaknesses. Moreover, we show how modern verification tools can be used for the falsification and certified verification of security standards. Based on our findings, the ISO working group responsible for the ISO/IEC 9798 standard has released an updated version of the standard.

show abstract

“…The Scyther-proof tool [113] uses a variant of the algorithm presented in this book. The main additional feature is that it generates proof scripts for use with the Isabelle-HOL theorem prover [129].…”

Section: Scyther-proofmentioning

confidence: 99%