A review of Proverif as an automatic security protocol verifier

Recommendations

Info

The exact capabilities of the attacker are modelled according to the threat model as proposed by Dolev and Yao, which is known as the Dolev-Yao threat model [21]. In short, this amounts to the following three assumptions: – Encryption schemes are perfect - no keys leak from the key infrastructure, the encrypted messages are unretrievable without the key, everybody has access to all public keys. – The parties in the network can perform the encryption and decryption operations themselves - they do not require an external party to perform these tasks for them. – The attacker assumes the role of an ‘active adversary’. More precisely, he can intercept and read any message that is sent on the network and inject any message that contains information he knows through previous actions. When studying the accuracy of a tool for assessing security properties, it is common to discuss the specificity and the sensitivity 5 of the tool. The specificity is the extent to which the tool is able to declare that no attacks exist for a protocol that indeed does not allow attacks, i.e. to prevent false positives. The sensitivity is the ability of the tool to correctly recognize insecure protocols. In a security context, it is clear that a high sensitivity is more important than a high specificity. After all, we would rather have a hundred false positives reported on our protocol than one potential attack that goes unnoticed. However, the usability of the tool greatly depends on both the sensitivity and the specificity. If a tool always reports that an attack exists, it would be prudent, yet not very useful. In ProVerif, certain assumptions and abstractions are introduced. All of these, however, only give more power to the attacker, thereby at most raising the number of false positives, yet never missing an attack that is indeed legitimate. For a discussion of approximations in ProVerif, see subsection 4.1. The algorithm behind ProVerif always terminates. This is not guaranteed automatically, but measures have been taken to assure its termination. The most notable of these measures is the limitation to the depth of the nesting of terms in protocol messages. If a message exceeds this limit, the message is replaced by a new variable. Like the other approximations, this does lessen the sensitivity, since any attack that exists in the non-limited case still exists in the depthlimited case. ProVerif is released under the GNU GPL 6 , which means that the source code of the program is freely available on the web. Works derived from the source of ProVerif must also be licensed under the GNU GPL. For such a program, this can be a great incentive for potential new users, since they can check the validity of the implementation. Second, it becomes possible to write additions and extensions for ProVerif. 5 These terms are frequently used in the medical world. A further explanation in that context can be found at [31]. 6 GNU General Public License version 2, see for more details http://www.gnu.org/ licenses/gpl-2.0.html.
3 Practical applications The verification of protocols with ProVerif is the subject of an extensive set of literature (e.g.: [2] [4] [8] [9] [11] [25] [36]). ProVerif is used in many different fields, such as secure file sharing, electronic voting and Bluetooth security. For each of these fields we will give a summary of how the authors used ProVerif in their research and try to find their reason to choose ProVerif. The list of practical examples is not exhaustive but does give an impression of where and how ProVerif is used. The fields that we discuss in more detail are selected because of their diversity and the wide impact of the verified protocols in the modern world. 3.1 Secure file sharing on unstrusted storage Private personal data, such as family documents and financial data, is stored in various ways, for example: on a laptop, USB-drives and shared mediums. It is important to secure this data because of the possibility that an attacker will use the data for other, possibly malicious, purposes. Plutus is a file system based on a storage design that does not rely on storage servers to provide strong secrecy and integrity guarantees [8]. Blanchet and Chaudhuri have used ProVerif to prove that secrecy is preserved by Plutus. They were not able to prove this for the integrity property. In this case, violating the integrity property of the protocol means that an attacker can store data in an older version while the honest readers think only newer versions are corrupted by an attacker [8]. The researchers used the analysis of ProVerif to construct a fix using server-verified writes, which were not present in the original protocol. Using ProVerif the authors proved the integrity property for the protocol after the fix and was also able to prove a strong integrity property, which stated that data read from the server was not only written by an authorized party, but also of the required freshness. The attacks found by ProVerif were not present in the fixed version of the authors, thereby preserving secrecy and restoring integrity in Plutus. We couldn’t find explicit reasons for choosing ProVerif to verify Plutus, but the authors did state that using the Dolev-Yao threat model allowed them to automate the proofs more easily than using the computational model, which they report to be more concrete [8]. 3.2 Electronic voting Electronic voting is a suitable alternative for regular paper-based voting [10]. It enables citizens in a democracy to elect their representatives by voting electronically. Verifying the protocols used by electronic voting machines is important, because the integrity of the election process is fundamental to the integrity of democracy itself [26]. The influence of attackers that are able to significantly
Page 1 and 2: A review of ProVerif as an automati
Page 3: ProVerif uses the concept of a Horn
Page 7 and 8: Bluetooth 2.1. In Bluetooth 2.1, Si
Page 9 and 10: have also published a tool, XOR-Pro
Page 11 and 12: Most existing protocol verifiers ba
Page 13 and 14: 5.3 Usability To our knowledge, no
Page 15 and 16: References 1. M. Abadi. Security Pr
Page 17: 33. C. Meadows. A Model of Computat

A review of Proverif as an automatic security protocol verifier

Create successful ePaper yourself

Delete template?

Save as template?