Skip to main content
SpringerLink
Log in

Verifpal: Cryptographic Protocol Analysis for the Real World

  • Conference paper
  • First Online:
Progress in Cryptology – INDOCRYPT 2020 (INDOCRYPT 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12578))

Included in the following conference series:

Abstract

Verifpal is a new automated modeling framework and verifier for cryptographic protocols, optimized with heuristics for common-case protocol specifications, that aims to work better for real-world practitioners, students and engineers without sacrificing comprehensive formal verification features. In order to achieve this, Verifpal introduces a new, intuitive language for modeling protocols that is easier to write and understand than the languages employed by existing tools. Its formal verification paradigm is also designed explicitly to provide protocol modeling that avoids user error.

Verifpal is able to model protocols under an active attacker with unbounded sessions and fresh values, and supports queries for advanced security properties such as forward secrecy or key compromise impersonation. Furthermore, Verifpal’s semantics have been formalized within the Coq theorem prover, and Verifpal models can be automatically translated into Coq as well as into ProVerif models for further verification. Verifpal has already been used to verify security properties for Signal, Scuttlebutt, TLS 1.3 as well as the first formal model for the DP-3T pandemic-tracing protocol, which we present in this work. Through Verifpal, we show that advanced verification with formalized semantics and sound logic can exist without any expense towards the convenience of real-world practitioners.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    Not to be confused with the bug/flying-type Pokémon of the same name, which, despite its “ninja-like agility and speed” [62], does not appear to have published work in formal verification.

  2. 2.

    The full Verifpal and ProVerif FFGG models are available at https://source.symbolic.software/verifpal/verifpal/-/tree/master/examples.

  3. 3.

    ProVerif is also capable of outputting graphical representations of attack traces, which could make them easier to read and understand.

References

  1. Abadi, M., Blanchet, B., Fournet, C.: The applied pi calculus: mobile values, new names, and secure communication. J. ACM 65(1), 1:1–1:41 (2018). https://doi.org/10.1145/3127586

    Article  MathSciNet  MATH  Google Scholar 

  2. Amin, R., Islam, S.H., Karati, A., Biswas, G.: Design of an enhanced authentication protocol and its verification using AVISPA. In: 2016 3rd International Conference on Recent Advances in Information Technology (RAIT), pp. 404–409. IEEE (2016)

    Google Scholar 

  3. Armando, A., et al.: The AVANTSSAR platform for the automated validation of trust and security of service-oriented architectures. In: Flanagan, C., König, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 267–282. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28756-5_19

    Chapter  Google Scholar 

  4. Armando, A., et al.: The AVISPA tool for the automated validation of internet security protocols and applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005). https://doi.org/10.1007/11513988_27

    Chapter  Google Scholar 

  5. Backes, M., Hritcu, C., Maffei, M.: Automated verification of remote electronic voting protocols in the applied pi-calculus. In: IEEE Computer Security Foundations Symposium, pp. 195–209. IEEE (2008)

    Google Scholar 

  6. Baelde, D., Delaune, S., Moreau, S.: A method for proving unlinkability of stateful protocols. Ph.D. thesis, Irisa (2020)

    Google Scholar 

  7. Barbosa, M., et al.: SoK: computer-aided cryptography. In: IEEE Symposium on Security and Privacy (S&P). IEEE (2021)

    Google Scholar 

  8. Basin, D., Cremers, C.: Modeling and analyzing security in the presence of compromising adversaries. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 340–356. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15497-3_21

    Chapter  Google Scholar 

  9. Basin, D., Dreier, J., Hirschi, L., Radomirovic, S., Sasse, R., Stettler, V.: A formal analysis of 5G authentication. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1383–1396. ACM (2018)

    Google Scholar 

  10. Basin, D., Radomirovic, S., Schmid, L.: Alethea: a provably secure random sample voting protocol. In: IEEE 31st Computer Security Foundations Symposium (CSF), pp. 283–297. IEEE (2018)

    Google Scholar 

  11. Basin, D., Cremers, C.: Degrees of security: protocol guarantees in the face of compromising adversaries. In: Dawar, A., Veith, H. (eds.) CSL 2010. LNCS, vol. 6247, pp. 1–18. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15205-4_1

    Chapter  Google Scholar 

  12. Bengtson, J., Bhargavan, K., Fournet, C., Gordon, A.D., Maffeis, S.: Refinement types for secure implementations. ACM Trans. Program. Lang. Syst. (TOPLAS) 33(2), 1–45 (2011)

    Article  Google Scholar 

  13. Bertot, Y., Castéran, P.: Interactive Theorem Proving and Program Development: Coq’Art: The Calculus of Inductive Constructions. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-662-07964-5

    Book  MATH  Google Scholar 

  14. Beurdouche, B., et al.: A messy state of the union: taming the composite state machines of TLS. In: IEEE Symposium on Security and Privacy (S&P), pp. 535–552. IEEE (2015)

    Google Scholar 

  15. Bhargavan, K., Blanchet, B., Kobeissi, N.: Verified models and reference implementations for the TLS 1.3 standard candidate. In: IEEE Symposium on Security and Privacy (S&P), pp. 483–502. IEEE (2017)

    Google Scholar 

  16. Bhargavan, K., Delignat-Lavaud, A., Kobeissi, N.: Formal modeling and verification for domain validation and ACME. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 561–578. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70972-7_32

    Chapter  Google Scholar 

  17. Bhargavan, K., Lavaud, A.D., Fournet, C., Pironti, A., Strub, P.Y.: Triple handshakes and cookie cutters: breaking and fixing authentication over TLS. In: IEEE Symposium on Security and Privacy (S&P), pp. 98–113. IEEE (2014)

    Google Scholar 

  18. Bhargavan, K., Leurent, G.: On the practical (in-) security of 64-bit block ciphers: collision attacks on HTTP over TLS and OpenVPN. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 456–467 (2016)

    Google Scholar 

  19. Blanchet, B.: CryptoVerif: computationally sound mechanized prover for cryptographic protocols. In: Dagstuhl Seminar on Applied Formal Protocol Verification, p. 117 (2007)

    Google Scholar 

  20. Blanchet, B.: Security protocol verification: symbolic and computational models. In: Degano, P., Guttman, J.D. (eds.) POST 2012. LNCS, vol. 7215, pp. 3–29. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28641-4_2

    Chapter  MATH  Google Scholar 

  21. Blanchet, B.: Automatic verification of security protocols in the symbolic model: the verifier ProVerif. In: Aldini, A., Lopez, J., Martinelli, F. (eds.) FOSAD 2012-2013. LNCS, vol. 8604, pp. 54–87. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10082-1_3

    Chapter  Google Scholar 

  22. Blanchet, B.: Modeling and verifying security protocols with the applied pi calculus and ProVerif. Found. Trends® Priv. Secur. 1(1–2), 1–135 (2016)

    Google Scholar 

  23. Blanchet, B., Chaudhuri, A.: Automated formal analysis of a protocol for secure file sharing on untrusted storage. In: IEEE Symposium on Security and Privacy (S&P), pp. 417–431. IEEE (2008)

    Google Scholar 

  24. Blum, J., et al.: E2E encryption for Zoom meetings (2020). https://github.com/zoom/zoom-e2e-whitepaper

  25. Bruni, A., Drewsen, E., Schürmann, C.: Towards a mechanized proof of selene receipt-freeness and vote-privacy. In: Krimmer, R., Volkamer, M., Braun Binder, N., Kersting, N., Pereira, O., Schürmann, C. (eds.) E-Vote-ID 2017. LNCS, vol. 10615, pp. 110–126. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-68687-5_7

    Chapter  Google Scholar 

  26. Chandra, A.K., Harel, D.: Horn clause queries and generalizations. J. Log. Program. 2(1), 1–15 (1985)

    Article  MathSciNet  Google Scholar 

  27. Cheval, V., Blanchet, B.: Proving more observational equivalences with ProVerif. In: Basin, D., Mitchell, J.C. (eds.) POST 2013. LNCS, vol. 7796, pp. 226–246. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36830-1_12

    Chapter  Google Scholar 

  28. Cheval, V., Kremer, S., Rakotonirina, I.: DEEPSEC: deciding equivalence properties in security protocols theory and practice. Research report, INRIA, Nancy, May 2018. https://hal.inria.fr/hal-01698177

  29. Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the signal messaging protocol. In: 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 451–466. IEEE (2017)

    Google Scholar 

  30. Cohn-Gordon, K., Cremers, C., Garratt, L.: On post-compromise security. In: IEEE Computer Security Foundations Symposium (CSF), pp. 164–178. IEEE (2016)

    Google Scholar 

  31. Cortier, V., Wiedling, C.: A formal analysis of the norwegian E-voting protocol. In: Degano, P., Guttman, J.D. (eds.) POST 2012. LNCS, vol. 7215, pp. 109–128. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28641-4_7

    Chapter  Google Scholar 

  32. Cremers, C., Dehnel-Wild, M.: Component-based formal analysis of 5G-AKA: channel assumptions and session confusion. In: 2019 Network and Distributed System Security Symposium (NDSS) (2019)

    Google Scholar 

  33. Cremers, C., Hirschi, L.: Improving automated symbolic analysis of ballot secrecy for E-voting protocols: a method based on sufficient conditions. In: IEEE European Symposium on Security and Privacy (EuroS&P) (2019)

    Google Scholar 

  34. Cremers, C., Horvat, M., Hoyland, J., Scott, S., van der Merwe, T.: A comprehensive symbolic analysis of TLS 1.3. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1773–1788. ACM (2017)

    Google Scholar 

  35. Cremers, C., Jackson, D.: Prime, order please! Revisiting small subgroup and invalid curve attacks on protocols using Diffie-Hellman. In: 2019 IEEE Computer Security Foundations Symposium (CSF) (2019)

    Google Scholar 

  36. Cremers, C.J.F., Lafourcade, P., Nadeau, P.: Comparing state spaces in automatic security protocol analysis. In: Cortier, V., Kirchner, C., Okada, M., Sakurada, H. (eds.) Formal to Practical Security. LNCS, vol. 5458, pp. 70–94. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02002-5_5

    Chapter  MATH  Google Scholar 

  37. Cremers, C.: Feasibility of multi-protocol attacks. In: Proceedings of the First International Conference on Availability, Reliability and Security (ARES), pp. 287–294. IEEE Computer Society, Vienna, April 2006. http://www.win.tue.nl/~ecss/downloads/mpa-ares.pdf

  38. Cremers, C.J.F.: The Scyther tool: verification, falsification, and analysis of security protocols. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 414–418. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70545-1_38

    Chapter  Google Scholar 

  39. Cremers, C.: Key exchange in IPsec revisited: formal analysis of IKEv1 and IKEv2. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 315–334. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23822-2_18

    Chapter  Google Scholar 

  40. de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78800-3_24

    Chapter  Google Scholar 

  41. Delaune, S., Kremer, S., Ryan, M.: Verifying privacy-type properties of electronic voting protocols. J. Comput. Secur. 17(4), 435–487 (2009)

    Article  Google Scholar 

  42. Doghmi, S.F., Guttman, J.D., Thayer, F.J.: Searching for shapes in cryptographic protocols. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 523–537. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-71209-1_41

    Chapter  MATH  Google Scholar 

  43. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983)

    Article  MathSciNet  Google Scholar 

  44. Donenfeld, J.A.: WireGuard: next generation kernel network tunnel. In: Network and Distributed System Security Symposium (NDSS) (2017)

    Google Scholar 

  45. Donenfeld, J.A., Milner, K.: Formal verification of the WireGuard protocol. Technical report (2017)

    Google Scholar 

  46. Escobar, S., Meadows, C., Meseguer, J.: Maude-NPA: cryptographic protocol analysis modulo equational properties. In: Aldini, A., Barthe, G., Gorrieri, R. (eds.) FOSAD 2007-2009. LNCS, vol. 5705, pp. 1–50. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03829-7_1

    Chapter  MATH  Google Scholar 

  47. Gibson-Robinson, T., Armstrong, P., Boulgakov, A., Roscoe, A.W.: FDR3—a modern refinement checker for CSP. In: Ábrahám, E., Havelund, K. (eds.) TACAS 2014. LNCS, vol. 8413, pp. 187–201. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54862-8_13

    Chapter  MATH  Google Scholar 

  48. Girol, G., Hirschi, L., Sasse, R., Jackson, D., Cremers, C., Basin, D.: A spectral analysis of noise: a comprehensive, automated, formal analysis of Diffie-Hellman protocols. In: 29th USENIX Security Symposium (USENIX Security 2020). USENIX Association, Boston, August 2020. https://www.usenix.org/conference/usenixsecurity20/presentation/girol

  49. Hirschi, L., Baelde, D., Delaune, S.: A method for verifying privacy-type properties: the unbounded case. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 564–581. IEEE (2016)

    Google Scholar 

  50. Hoare, C.A.R.: Communicating sequential processes. In: Hansen, P.B. (ed.) The Origin of Concurrent Programming, pp. 413–443. Springer, New York (1978). https://doi.org/10.1007/978-1-4757-3472-0_16

    Chapter  Google Scholar 

  51. Jackson, D., Cremers, C., Cohn-Gordon, K., Sasse, R.: Seems legit: automated analysis of subtle attacks on protocols that use signatures. In: ACM CCS 2019 (2019)

    Google Scholar 

  52. Jakobsen, J., Orlandi, C.: On the CCA (in) security of MTProto. In: Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices, pp. 113–116 (2016)

    Google Scholar 

  53. Kobeissi, N.: An analysis of the protonmail cryptographic architecture. IACR Cryptology ePrint Archive 2018/1121 (2018)

    Google Scholar 

  54. Kobeissi, N., Bhargavan, K., Blanchet, B.: Automated verification for secure messaging protocols and their implementations: a symbolic and computational approach. In: IEEE European Symposium on Security and Privacy (EuroS&P), pp. 435–450. IEEE (2017)

    Google Scholar 

  55. Kobeissi, N., Nicolas, G., Bhargavan, K.: Noise explorer: fully automated modeling and verification for arbitrary noise protocols. In: IEEE European Symposium on Security and Privacy (EuroS&P) (2019)

    Google Scholar 

  56. Lafourcade, P., Puys, M.: Performance evaluations of cryptographic protocols verification tools dealing with algebraic properties. In: Garcia-Alfaro, J., Kranakis, E., Bonfante, G. (eds.) FPS 2015. LNCS, vol. 9482, pp. 137–155. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-30303-1_9

    Chapter  Google Scholar 

  57. Lapiha, O.: A cryptographic investigation of secure scuttlebutt. Technical report, École Normale Supérieure (2019)

    Google Scholar 

  58. Lee, J., Choi, R., Kim, S., Kim, K.: Security analysis of end-to-end encryption in telegram. In: Simposio en Criptografía Seguridad Informática, Naha, Japón (2017). https://bit.ly/36aX3TK

  59. Lipp, B., Blanchet, B., Bhargavan, K.: A mechanised cryptographic proof of the WireGuard virtual private network protocol. In: IEEE European Symposium on Security and Privacy (EuroS&P) (2019)

    Google Scholar 

  60. Miculan, M., Urban, C.: Formal analysis of Facebook connect single sign-on authentication protocol. In: SOFSEM, vol. 11, pp. 22–28. Citeseer (2011)

    Google Scholar 

  61. Millen, J.: A necessarily parallel attack. In: Workshop on Formal Methods and Security Protocols. Citeseer (1999)

    Google Scholar 

  62. Oak, P.: Kanto regional Pokédex. Kanto Region J. Pokémon Res. 19 (1996)

    Google Scholar 

  63. Pereira, O., Rochet, F., Wiedling, C.: Formal analysis of the FIDO 1.x protocol. In: Imine, A., Fernandez, J.M., Marion, J.-Y., Logrippo, L., Garcia-Alfaro, J. (eds.) FPS 2017. LNCS, vol. 10723, pp. 68–82. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-75650-9_5

    Chapter  Google Scholar 

  64. Protzenko, J., Beurdouche, B., Merigoux, D., Bhargavan, K.: Formally verified cryptographic web applications in WebAssembly. In: IEEE Symposium on Security and Privacy (S&P). IEEE (2019)

    Google Scholar 

  65. Protzenko, J., et al.: Verified low-level programming embedded in F. In: 2017 Proceedings of the ACM on Programming Languages (ICFP), vol. 1 (2017)

    Google Scholar 

  66. Schmidt, B., Meier, S., Cremers, C., Basin, D.: Automated analysis of Diffie-Hellman protocols and advanced security properties. In: Chong, S. (ed.) IEEE Computer Security Foundations Symposium (CSF), Cambridge, MA, USA, 25–27 June 2012, pp. 78–94. IEEE (2012)

    Google Scholar 

  67. Steinbrecher, S., Köpsell, S.: Modelling unlinkability. In: Dingledine, R. (ed.) PET 2003. LNCS, vol. 2760, pp. 32–47. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40956-4_3

    Chapter  Google Scholar 

  68. Tronosco, C., et al.: Decentralized privacy-preserving proximity tracing, April 2020

    Google Scholar 

  69. Woo-Sik, B.: Formal verification of an RFID authentication protocol based on hash function and secret code. Wireless Pers. Commun. 79(4), 2595–2609 (2014). https://doi.org/10.1007/s11277-014-1745-8

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Symbolic Software, Paris, France

    Nadim Kobeissi & Georgio Nicolas

  2. University of Melbourne, Melbourne, Australia

    Mukesh Tiwari

Authors
  1. Nadim Kobeissi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Georgio Nicolas
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Mukesh Tiwari
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Nadim Kobeissi .

Editor information

Editors and Affiliations

  1. Inria Paris, Paris, France

    Karthikeyan Bhargavan

  2. University of Klagenfurt, Klagenfurt, Austria

    Elisabeth Oswald

  3. Department of Computer Science and Engineering, Indian Institute of Technology Bombay, Mumbai, Maharashtra, India

    Manoj Prabhakaran

A Partial Extract of DP-3T Verifpal Model Automatic Coq Translation

A Partial Extract of DP-3T Verifpal Model Automatic Coq Translation

figure gw
figure gx
figure gy
figure gz
figure ha
figure hb
figure hc
figure hd
figure he
figure hf
figure hg
figure hh
figure hi
figure hj
figure hk
figure hl
figure hm
figure hn
figure ho
figure hp
figure hq
figure hr
figure hs
figure ht
figure hu
figure hv
figure hw

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Kobeissi, N., Nicolas, G., Tiwari, M. (2020). Verifpal: Cryptographic Protocol Analysis for the Real World. In: Bhargavan, K., Oswald, E., Prabhakaran, M. (eds) Progress in Cryptology – INDOCRYPT 2020. INDOCRYPT 2020. Lecture Notes in Computer Science(), vol 12578. Springer, Cham. https://doi.org/10.1007/978-3-030-65277-7_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-65277-7_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-65276-0

  • Online ISBN: 978-3-030-65277-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation