A review of Proverif as an automatic security protocol verifier

ProVerif uses the concept of a Horn clause³ as the unit of its specification
language. In this context, a Horn clause is an inference rule about knowledge
of the adversary. An example of such a Horn clause might be “If one has a
ciphertext and the corresponding key, one might also know the plaintext”. A set
of Horn clauses is called a Horn theory. Therefore, one could say that protocol
specifications in ProVerif are Horn theories. The developers of ProVerif created
the possibility to specify the protocol in an alternative language, the applied pi
calculus⁴, which is convenient for people already familiar with this specification
framework.

When a user translates a protocol definition to a ProVerif protocol specification,
he specifies the possible ways an attacker can gather more knowledge. In
ProVerif, this amounts to three different types of declaration:

– The user models initial knowledge of the attacker as a tautology, a logical
  statement without conditions. An example of such a clause would be initial
  knowledge of the public keys of all participants of the protocol.
– Computational capabilities are modelled in separate clauses. For example, if
  the attacker has possession of a (decryption) key and a ciphertext, he may
  use it to decrypt the ciphertext if it is encrypted with that key.
– A protocol definition that is written in the arrow notation contains a list of
  protocol steps which necessarily occur in that order. The user adds rules
  that describe these steps, one for each step in the protocol definition. To
  ensure the proper order of messages is preserved, the application of such a
  rule may only occur if the previous steps have already occurred.

The first and the third step in the translation of the protocol definition are
straightforward. Each element in the protocol definition corresponds with a rule
in the protocol specification. However, the second step might require some additional
work, especially if mathematical properties are directly related to the
functionality of the protocol. Examples of such constructs are Diffie-Hellman key
exchange and the use of the XOR-operator. The difficulties and limitations of
the implementation of such constructs are discussed at length in 4.

The user formulates an assertion about the knowledge of the attacker, such as
‘The attacker knows the secret s’. Now, ProVerif will try to construct a sequence
of steps for the attacker to achieve the fact that is stated in the assertion. The
idea behind the algorithm at the heart of ProVerif is that it applies the rules
stated in the protocol specification in an efficient way. However, for the algorithm
to terminate when no attack exists, it is necessary to apply some unification, i.e.
to recognize when two states of protocol execution are effectively ‘the same’. If
we merge two such effectively identical states, we could limit the space we need
to search. The intermediate representation of the states of the protocol run in
ProVerif is simple enough to enable it to effectively unify such states [7].

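
As an added illustration (not code from this review or from ProVerif), the three kinds of declaration above can be written as Horn clauses over terms and saturated by naive forward chaining, after which the assertion ‘the attacker knows s’ is a membership check. The two-step protocol, the names a_pub, k, kAB and s, the flawed variant and the depth bound are all assumptions of this example; the bound stands in for ProVerif's resolution and unification, so a term that stays underivable here is not a proof of secrecy.

```python
# Terms: constants are plain strings, variables start with '?', a function
# application is a tuple such as ('senc', message, key). Every fact means
# "the attacker knows this term"; a clause is (premises, conclusion).

def match(pat, term, env):
    # One-way match of a pattern against a ground term: bindings, or None.
    if isinstance(pat, str) and pat.startswith('?'):
        if pat in env:
            return env if env[pat] == term else None
        return {**env, pat: term}
    if isinstance(pat, tuple) and isinstance(term, tuple) and len(pat) == len(term):
        for p, t in zip(pat, term):
            env = match(p, t, env)
            if env is None:
                return None
        return env
    return env if pat == term else None

def subst(term, env):
    if isinstance(term, tuple):
        return tuple(subst(t, env) for t in term)
    return env.get(term, term)

def depth(term):
    return 1 + max(map(depth, term[1:])) if isinstance(term, tuple) else 0

def envs(premises, known, env):
    # Yield every binding under which all premises are already known.
    if not premises:
        yield env
        return
    for fact in known:
        e = match(premises[0], fact, env)
        if e is not None:
            yield from envs(premises[1:], known, e)

def saturate(clauses, max_depth=2):
    # Apply the clauses until no new term of depth <= max_depth appears.
    known = set()
    while True:
        new = {subst(head, e) for body, head in clauses for e in envs(body, known, {})}
        new = {t for t in new if depth(t) <= max_depth} - known
        if not new:
            return known
        known |= new

INITIAL = ([], 'a_pub')                                   # initial knowledge: no premises
ENCRYPT = (['?m', '?key'], ('senc', '?m', '?key'))        # computational capability
DECRYPT = ([('senc', '?m', '?key'), '?key'], '?m')        # computational capability
STEP1 = ([], ('senc', 'k', 'kAB'))                        # A -> B: senc(k, kAB)
STEP2 = ([('senc', '?x', 'kAB')], ('senc', 's', '?x'))    # B answers only a step-1 message
ORACLE = (['?x'], ('senc', '?x', 'kAB'))                  # flawed step 1: A encrypts any input
SECURE = [INITIAL, ENCRYPT, DECRYPT, STEP1, STEP2]
FLAWED = [INITIAL, ENCRYPT, DECRYPT, ORACLE, STEP2]
```

Checking `'s' in saturate(FLAWED)` finds the derivation a_pub, senc(a_pub, kAB), senc(s, a_pub), s, while `saturate(SECURE)` never contains s because no clause lets the attacker produce a term keyed with kAB for a key he knows.
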
³ Horn clauses are a concept from Prolog programming and are introduced at length
  in [13].
⁴ Fournet and Abadi describe the applied pi calculus in [23].