Team Cassis

Overall Objectives
Scientific Foundations
Application Domains
New Results
Contracts and Grants with Industry
Other Grants and Activities

Section: Software

Keywords : Security Protocols, Cryptography, Verification.

Protocols verification tools

Participants : Laurent Vigneron, Pierre-Cyrille Héam, Heinrich Hördegen, Olga Kouchnarenko, Michaël Rusinowitch, Mathieu Turuani.


Cassis has been one of the 4 partners involved in the European project AVISPA, which has resulted in the distribution of a tool for automated verification of security protocols, named AVISPA Tool. It is freely available on the web  ( )and supported. The AVISPA Tool significantly extends its predecessor's scope, effectiveness, and performance, by (i) providing a modular and expressive formal language for specifying security protocols and properties, and (ii) integrating 4 back-ends that implement automatic analysis techniques ranging from protocol falsification (by finding an attack on the input protocol) to abstraction-based verification methods for both finite and infinite numbers of sessions.

In 2007, we have extended the AVISPA Tool for handling non-repudiation protocols and also for verifying the computational soundness of protocols. The first extension has been done by extending the HLPSL2IF translator for handling intruder knowledge thanks to a new predicate, aknows . The second extension has been done by adding a new module, permitting to transfer properties, proven in a formal model, to a computational model.


We develop CL-AtSe , a Constraint Logic based Attack Searcher for cryptographic protocols. The CL-AtSe approach to verification consists in a symbolic state exploration of the protocol execution, for a bounded number of sessions. This necessary restriction (for decidability, see  [77] ) allows CL-AtSe to be correct and complete, i.e., any attack found by CL-AtSe is a valid attack, and if no attack is found, then the protocol is secure for the given number of sessions. Each protocol step is represented by a constraint on the protocol state. These constraints are checked lazily for satisfiability, where satisfiability means reachability of the protocol state. CL-AtSe now includes a proper handling of sets (operations and tests), choice points, specification of any attack states through a language for expressing fairness, non-abuse freeness, etc..., advanced protocol simplifications and optimizations to reduce the problem complexity, and protocol analysis modulo the algebraic properties of cryptographic operators. In particular, CL-AtSe is now able to analyze protocols modulo the properties of XOR (exclusive or) or Exp (modular exponentiation). This has required to implement an optimized version of the combination algorithm of Baader & Schulz  [64] for solving unification problems in disjoint unions of arbitrary theories.

In particular, CL-AtSe has been successfully used by Cassis members to analyse France Telecom R&D, Siemens AG, IETF, or Gemalto protocols in funded projects. It is also employed by external users, e.g., from the AVISPA's community. Moreover, CL-AtSe achieves very good analysis times, comparable and sometimes better than state-of-the art tools in the domain like OFMC (see  [80] for tool details and precise benchmarks).


We have developed TA4SP (Tree Automata based on Automatic Approximations for the Analysis of Security Protocols), an automata based tool dedicated to the validation of security protocols for an unbounded number of sessions. This tool provides automatic computations of over and under approximations of the knowledge accessible by an intruder. This knowledge is encoded as a regular tree language and protocol steps and intruder abilities are encoded as a term rewriting system. Completions and tree automata computations are performed by Timbuk, a tool developed by project-team LANDE. When given a reachability problem such as secrecy, TA4SP reports that (1) the protocol is safe if it manages to compute an over-approximation of intruder's knowledge that does not contain a secret term or (2) the protocol is unsafe in the rewrite model if it manages to compute an underapproximation of intruder's knowledge containing a secret term or (3) I don't know otherwise. TA4SP has verified 28 industrial protocols and case (3) occurred only once, for Kaochow protocol version 2.

To efficiently handle protocols using operators with algebraic properties, TA4SP has been improved: a new quadratic completion algorithm has been implemented. Thanks to these improvements new experimental results have been obtained, for example for the Encrypted Key Exchange protocol (EKE2) using the exponential operator.

As far as we know, two teams – the project-team LANDE at IRISA and the National Institute of Advanced Industrial Science and Technology in Japan – are working on the verification of security protocols using tree automata approximations. Both use tree automata dedicated tools, respectively Timbuk and Ceta-ACTAS, that can be freely downloaded on the web. However, these tools are not connected to any high level protocol specification language, and over-approximations are not fully automatically computed.


Logo Inria