## Section: Software

Keywords: Security Protocols, Cryptography, Verification.

### Protocols verification tools

Participants: Laurent Vigneron, Pierre-Cyrille Héam, Heinrich Hördegen, Olga Kouchnarenko, Michaël Rusinowitch, Mathieu Turuani.

*AVISPA*

Cassis has been one of the four partners of the European project AVISPA, which has resulted in the distribution of a tool for the automated verification of security protocols, the *AVISPA* Tool. It is freely available on the web (http://www.avispa-project.org) and supported. The *AVISPA* Tool significantly extends its predecessor's scope, effectiveness and performance by (i) providing a modular and expressive formal language for specifying security protocols and their properties, and (ii) integrating four back-ends that implement automatic analysis techniques ranging from *protocol falsification* (finding an attack on the input protocol) to *abstraction-based verification* methods for both finite and infinite numbers of sessions.

In 2007 we extended the AVISPA Tool to handle non-repudiation protocols and to verify the computational soundness of protocols. The first extension was done by extending the HLPSL2IF translator to handle intruder knowledge through a new predicate, *aknows*. The second extension adds a new module that transfers properties proven in the formal model to a computational model.

*CL-AtSe*

We develop *CL-AtSe*, a Constraint Logic based Attack Searcher for cryptographic protocols. The *CL-AtSe* approach to verification consists in a symbolic state exploration of the protocol execution for a bounded number of sessions. This restriction, necessary for decidability (see [77]), allows *CL-AtSe* to be both correct and complete: any attack found by *CL-AtSe* is a valid attack, and if no attack is found, then the protocol is secure for the given number of sessions. Each protocol step is represented by a constraint on the protocol state. These constraints are checked lazily for satisfiability, where satisfiability means reachability of the corresponding protocol state. *CL-AtSe* now includes a proper handling of sets (operations and tests), choice points, the specification of arbitrary attack states through a language for expressing fairness, non-abuse freeness, etc., advanced protocol simplifications and optimizations that reduce the problem complexity, and protocol analysis modulo the algebraic properties of cryptographic operators. In particular, *CL-AtSe* is now able to analyze protocols modulo the properties of XOR (exclusive or) or Exp (modular exponentiation). This required implementing an optimized version of the combination algorithm of Baader & Schulz [64] for solving unification problems in disjoint unions of arbitrary theories.
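As an added illustration of the bounded-session, constraint-based search described above, the following program is example code written for this page, not CL-AtSe or AVISPA code. It explores two sessions of the Needham-Schroeder public-key protocol (A initiating with the intruder I, B responding) against a Dolev-Yao intruder and finds Lowe's well-known man-in-the-middle attack, in which B finishes believing its nonce Nb is shared with A while the intruder knows it. Each receive step becomes the constraint "the intruder can produce a ground term matching this pattern", solved lazily against the intruder's current knowledge, and the state space is explored by depth-first search. Everything in it (the term encoding, the role and agent names, the `nb_leaked` goal and the `fixed` switch that applies Lowe's fix) is constructed for the example. One simplification is assumed and differs from CL-AtSe: pattern variables are instantiated only with atoms the intruder knows, so "no attack" from this toy is weaker than the completeness result stated above, and no algebraic properties are modelled.

```python
# Added example (not CL-AtSe code): bounded-session symbolic attack search on NSPK with a Dolev-Yao intruder.
CONSTRUCTORS = ('pair', 'enc', 'pk')   # constructors the intruder can apply; private keys ('sk', a) are not
V = lambda name: ('var', name)         # pattern variable

def analyze(K):
    """Close K under projection and decryption with private keys the intruder holds."""
    K, grew = set(K), True
    while grew:
        grew = False
        for t in [t for t in K if isinstance(t, tuple)]:
            new = ({t[1], t[2]} if t[0] == 'pair' else
                   {t[2]} if t[0] == 'enc' and t[1][0] == 'pk' and ('sk', t[1][1]) in K else set())
            if not new <= K:
                K |= new
                grew = True
    return frozenset(K)

def synth(t, K):
    """Dolev-Yao synthesis: can the intruder build ground term t from K?"""
    return t in K or (isinstance(t, tuple) and t[0] in CONSTRUCTORS and all(synth(a, K) for a in t[1:]))

def match(p, t, b):
    """One-way match of pattern p against ground term t: extended bindings, or None on failure."""
    if isinstance(p, str):
        return b if p == t else None
    if p[0] == 'var':
        return {**b, p[1]: t} if p[1] not in b else (b if b[p[1]] == t else None)
    if isinstance(t, str) or t[0] != p[0] or len(t) != len(p):
        return None
    for pa, ta in zip(p[1:], t[1:]):
        b = match(pa, ta, b)
        if b is None:
            return None
    return b

def solve(p, K, b):
    """The lazy constraint: enumerate (ground term, bindings) for derivable instances of p under b."""
    if isinstance(p, str):
        if synth(p, K):
            yield p, b
    elif p[0] == 'var':
        if p[1] in b:
            if synth(b[p[1]], K):
                yield b[p[1]], b
        else:
            for a in sorted(t for t in K if isinstance(t, str)):   # simplification: atoms only
                yield a, {**b, p[1]: a}
    else:
        for t in sorted(K, key=repr):              # replay/forward a known term that matches ...
            nb = match(p, t, b)
            if nb is not None:
                yield t, nb
        if p[0] in CONSTRUCTORS:                   # ... or build one from derivable parts
            for t1, b1 in solve(p[1], K, b):
                if len(p) == 2:
                    yield (p[0], t1), b1
                else:
                    for t2, b2 in solve(p[2], K, b1):
                        yield (p[0], t1, t2), b2

def inst(p, b):                        # apply bindings b to pattern p
    if isinstance(p, str):
        return p
    return b[p[1]] if p[0] == 'var' else (p[0],) + tuple(inst(a, b) for a in p[1:])

# Role steps are (receive pattern or None, send template or None); fixed=True applies Lowe's fix.
def initiator(a, peer, na, fixed=False):
    expect = ('pair', na, ('pair', V('X'), peer)) if fixed else ('pair', na, V('X'))
    return [(None, ('enc', ('pk', peer), ('pair', na, a))),
            (('enc', ('pk', a), expect), ('enc', ('pk', peer), V('X')))]

def responder(b, nb, fixed=False):
    reply = ('pair', V('Y'), ('pair', nb, b)) if fixed else ('pair', V('Y'), nb)
    return [(('enc', ('pk', b), ('pair', V('Y'), V('Z'))), ('enc', ('pk', V('Z')), reply)),
            (('enc', ('pk', b), nb), None)]

def search(roles, K0, goal):
    """DFS over all interleavings of the role instances; returns an attack trace or None."""
    start = (tuple(0 for _ in roles), tuple({} for _ in roles), analyze(K0))
    stack, seen = [(start, [])], set()
    while stack:
        (pcs, binds, K), trace = stack.pop()
        key = (pcs, tuple(frozenset(b.items()) for b in binds), K)
        if key in seen:
            continue
        seen.add(key)
        if goal(pcs, binds, K):
            return trace
        for i, role in enumerate(roles):
            if pcs[i] < len(role):
                recv, send = role[pcs[i]]
                for t_in, b in ([(None, binds[i])] if recv is None else solve(recv, K, binds[i])):
                    out = None if send is None else inst(send, b)
                    K2 = K if out is None else analyze(K | {out})
                    state = (pcs[:i] + (pcs[i] + 1,) + pcs[i + 1:], binds[:i] + (b,) + binds[i + 1:], K2)
                    stack.append((state, trace + [(i, t_in, out)]))
    return None

def nb_leaked(pcs, binds, K):          # attack state: B finished, believes its peer is A, intruder derives Nb
    return pcs[1] == 2 and binds[1].get('Z') == 'A' and synth('Nb', K)

def nspk_attack(fixed=False):
    roles = [initiator('A', 'I', 'Na', fixed), responder('B', 'Nb', fixed)]
    return search(roles, {'A', 'B', 'I', ('sk', 'I')}, nb_leaked)
```

`nspk_attack()` returns the four-step trace of (role, received term, sent term) in which A's nonce is re-encrypted for B and B's nonce comes back to the intruder through A; `nspk_attack(fixed=True)` returns `None`, which in the bounded setting means "secure for these two sessions" (and, because of the atoms-only simplification, only that). The `seen` set on (program counters, bindings, knowledge) is what keeps the exploration finite, and `analyze`/`synth` are the analysis and synthesis halves of the intruder deduction that a constraint solver checks at each receive step.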

*CL-AtSe* has been used successfully by Cassis members to analyse protocols from France Telecom R&D, Siemens AG, the IETF and Gemalto in funded projects. It is also employed by external users, e.g. from the AVISPA community. Moreover, *CL-AtSe* achieves very good analysis times, comparable to and sometimes better than those of state-of-the-art tools in the domain such as OFMC (see [80] for tool details and precise benchmarks).

*TA4SP*

We have developed TA4SP (Tree Automata based on Automatic Approximations for the Analysis of Security Protocols), an automata-based tool dedicated to the validation of security protocols for an unbounded number of sessions. The tool automatically computes over- and under-approximations of the knowledge accessible to an intruder. This knowledge is encoded as a regular tree language, and protocol steps and intruder abilities are encoded as a term rewriting system. Completions and tree automata computations are performed by Timbuk, a tool developed by the project-team LANDE. Given a reachability problem such as secrecy, TA4SP reports that (1) the protocol is safe if it manages to compute an over-approximation of the intruder's knowledge that does not contain the secret term, (2) the protocol is unsafe in the rewrite model if it manages to compute an under-approximation of the intruder's knowledge that contains the secret term, or (3) "I don't know" otherwise. TA4SP has verified 28 industrial protocols; case (3) occurred only once, for the Kaochow protocol version 2.

To handle protocols using operators with algebraic properties efficiently, TA4SP has been improved: a new quadratic completion algorithm has been implemented. Thanks to this improvement, new experimental results have been obtained, for example for the Encrypted Key Exchange protocol (EKE2), which uses the exponentiation operator.

As far as we know, two teams, the project-team LANDE at IRISA and the National Institute of Advanced Industrial Science and Technology in Japan, are working on the verification of security protocols using tree automata approximations. Both use dedicated tree automata tools, respectively Timbuk and Ceta-ACTAS, that can be freely downloaded from the web. However, these tools are not connected to any high-level protocol specification language, and their over-approximations are not computed fully automatically.