Journal of Automated Reasoning, Volume 46, Issue 3–4, pp 353–388

Multi-Attacker Protocol Validation

  • Wihem Arsac
  • Giampaolo Bella
  • Xavier Chantry
  • Luca Compagna


Security protocols have been analysed focusing on a variety of properties to withstand the Dolev-Yao attacker. The Multi-Attacker threat model allows each protocol participant to behave maliciously by intercepting and forging messages. Each principal may then behave as a Dolev-Yao attacker while neither colluding nor sharing knowledge with anyone else. This feature rules out the applicability of existing equivalence results in the Dolev-Yao model. The analysis of security protocols under the Multi-Attacker threat model brings forward yet more insights, such as retaliation attacks and anticipation attacks, which formalise currently realistic scenarios of principals competing with each other for personal profit. They are variously demonstrated on a classical protocol, Needham-Schroeder’s, and on a modern deployed protocol, Google’s SAML-based single sign-on protocol. The general threat model for security protocols based on set-rewriting that was adopted in AVISPA (Armando et al. 2005) is extended to formalise the Multi-Attacker. The state-of-the-art model checker SATMC (Armando and Compagna, Int J Inf Secur 6(1):3–32, 2007) is then used to automatically validate the protocols under the new threats, so that retaliation and anticipation attacks can automatically be found. The tool support scales up to the Multi-Attacker threat model at a reasonable price both in terms of human interaction effort and of computational time.


Keywords: Security protocols, Attacker models, Automated reasoning




References

  1. Abadi, M., Gordon, A.: A calculus for cryptographic protocols: the spi calculus. Inf. Comput. 148(1), 1–70 (1999)
  2. Abadi, M., Rogaway, P.: Reconciling two views of cryptography (the computational soundness of formal encryption). In: Proc. of the International Conference IFIP on Theoretical Computer Science (TCS’00), pp. 3–22. Springer, Heidelberg (2000)
  3. Aiyer, A.S., Alvisi, L., Clement, A., Dahlin, M., Martin, J.-P., Porth, C.: Bar fault tolerance for cooperative services. ACM SIGOPS Oper. Syst. Rev. 39(5), 45–58 (2005)
  4. Anderson, R.: Why cryptosystems fail. In: CCS93, pp. 217–227. ACMP (1993)
  5. Armando, A., Basin, D.A., Boichut, Y., Chevalier, Y., Compagna, L., Cuéllar, J., Drielsma, P.H., Héam, P.-C., Kouchnarenko, O., Mantovani, J., Mödersheim, S., von Oheimb, D., Rusinowitch, M., Santiago, J., Turuani, M., Viganò, L., Vigneron, L.: The AVISPA tool for the automated validation of internet security protocols and applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV. Lecture Notes in Computer Science, vol. 3576, pp. 281–285. Springer, Heidelberg (2005)
  6. Armando, A., Carbone, R., Compagna, L.: LTL model checking for security protocols. In: Proceedings of the 20th IEEE Computer Security Foundations Symposium (CSF20), 6–8 July 2007, Venice, Italy. LNCS. Springer, Heidelberg (2007)
  7. Armando, A., Carbone, R., Compagna, L., Cuellar, J., Abad, L.T.: Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for google apps. In: Proceedings of the 6th ACM Workshop on Formal Methods in Security Engineering (FMSE 2008). ACM, New York (2008)
  8. Armando, A., Compagna, L.: SATMC: a SAT-based model checker for security protocols. In: Proceedings of the 9th European Conference on Logics in Artificial Intelligence (JELIA’04). LNAI, vol. 3229, pp. 730–733, Lisbon, Portugal. Springer, Heidelberg (2004)
  9. Armando, A., Compagna, L.: SAT-based model-checking for security protocols analysis. Int. J. Inf. Secur. 6(1), 3–32 (2007)
  10. Arsac, W., Bella, G., Chantry, X., Compagna, L.: Attacking each other. In: Proc. of the 17th International Workshop on Security Protocols (CIWSP’09). Springer, Heidelberg (2009)
  11. Arsac, W., Bella, G., Chantry, X., Compagna, L.: Validating security protocols under the general attacker. In: Proc. of the Joint Workshop on Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security (ARSPA-WITS’09). Springer, Heidelberg (2009)
  12. AVISPA: AVISPA Library of security protocols.
  13. Backes, M., Pfitzmann, B.: Relating symbolic and cryptographic secrecy. In: IEEE Symposium on Security and Privacy (2005)
  14. Bella, G.: Formal Correctness of Security Protocols. Information Security and Cryptography. Springer (2007)
  15. Bella, G.: The rational attacker. Invited talk at SAP Research France, Sophia Antipolis (2008)
  16. Bella, G.: What is correctness of security protocols? Springer J. Univers. Comput. Sci. 14(12), 2083–2107 (2008)
  17. Bella, G., Bistarelli, S.: Confidentiality levels and deliberate/indeliberate protocol attacks. In: Christianson, B., Crispo, B., Harbison, W.S., Roe, M. (eds.) Proc. of the 10th Security Protocols Workshop (SPW’02). LNCS 2845, pp. 104–119. SV (2004)
  18. Bella, G., Bistarelli, S., Massacci, F.: Retaliation: can we live with flaws? In: Essaidi, M., Thomas, J. (eds.) Proc. of the Nato Advanced Research Workshop on Information Security Assurance and Security. Nato Through Science, vol. 6, pp. 3–14. IOS, Amsterdam (2006)
  19. Bellare, M., Rogaway, P.: Provably secure session key distribution: the three party case. In: Proceedings 27th Annual Symposium on the Theory of Computing, pp. 57–66. ACM (1995)
  20. Blanchet, B.: Automatic verification of cryptographic protocols: a logic programming approach. In: Proceedings of the 5th International ACM SIGPLAN Conference on Principles and Practice of Declarative Programming, 27–29 August 2003, pp. 1–3. Uppsala, Sweden (2003)
  21. Buttyán, L., Hubaux, J.-P., Čapkun, S.: A formal model of rational exchange and its application to the analysis of Syverson’s protocol. J. Comput. Secur. 12(3,4), 551–587 (2004)
  22. Caleiro, C., Viganò, L., Basin, D.: Metareasoning about security protocols using distributed temporal logic. In: Electronic Notes in Theoretical Computer Science (Proceedings of the Workshop on Automated Reasoning for Security Protocol Analysis, ARSPA 2004), vol. 125(1), pp. 67–89 (2005)
  23. Caleiro, C., Viganò, L., Basin, D.: Relating strand spaces and distributed temporal logic for security protocol analysis. Log. J. IGPL 13(6), 637–663 (2005)
  24. Compagna, L.: SAT-based model-checking of security protocols. Phd, Università degli Studi di Genova, Italy, and University of Edinburgh, Scotland (2005). Available at
  25. Dolev, D., Yao, A.: On the security of public-key protocols. IEEE Trans. Inf. Theory 2(29), 350–357 (1981)
  26. Fábrega, F.J.T., Herzog, J.C., Guttman, J.D.: Strand spaces: proving security protocols correct. J. Comput. Secur. 7, 191–230 (1999)
  27. Gollmann, D.: On the verification of cryptographic protocols—a tale of two committees. In: Proc. of the Workshop on Secure Architectures and Information Flow, ENTCS 32. Elsevier Science (2000)
  28. Jacquemard, F., Rusinowitch, M., Vigneron, L.: Compiling and verifying security protocols. In: Parigot, M., Voronkov, A. (eds.) Proceedings of LPAR 2000. LNCS 1955, pp. 131–160. Springer, Heidelberg (2000)
  29. Kremer, S., Raskin, J.-F.: Game analysis of abuse-free contract signing. In: Proceedings of the 15th IEEE Computer Security Foundations Workshop (CSFW’02), pp. 206–230. IEEE, New York (2002)
  30. Lowe, G.: Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In: Margaria, T., Steffen, B. (eds.) Proceedings of TACAS’96. LNCS 1055, pp. 147–166. Springer, Heidelberg (1996)
  31. Lowe, G.: Towards a completeness result for model checking of security protocols. J. Comput. Secur. 7(2–3), 89–146 (1999)
  32. Maurer, U.M., Schmid, P.E.: A calculus for security bootstrapping in distributed systems. J. Comput. Secur. 4(1), 55–80 (1996)
  33. Needham, R.M.: Keynote address: the changing environment. In: Christianson, B., Crispo, B., Malcolm, J.A., Michael, R. (eds.) Proc. of the 7th Security Protocols Workshop (SPW’99). LNCS 1796, pp. 1–5. Springer, Heidelberg (2000)
  34. Neuman, B.C., Ts’o, T.: Kerberos: an authentication service for computer networks, from IEEE communications magazine, september (1994). In: Stallings, W. (ed.) Practical Cryptography for Data Internetworks. IEEE, New York (1996)
  35. OASIS. Security assertion markup language (SAML) v2.0. Available at (2005)
  36. Paulson, L.C.: The inductive approach to verifying cryptographic protocols. J. Comput. Secur. 6, 85–128 (1998)
  37. Rusinowitch, M., Turuani, M.: Protocol insecurity with finite number of sessions and composed keys is NP-complete. Theor. Comput. Sci. 299, 451–475 (2003)
  38. Ryan, P.Y.A., Schneider, S., Goldsmith, M., Lowe, G., Roscoe, A.W.: Modelling and Analysis of Security Protocols. AW (2001)

Copyright information

© Springer Science+Business Media B.V. 2010

Authors and Affiliations

  • Wihem Arsac (1)
  • Giampaolo Bella (2, 3)
  • Xavier Chantry (1)
  • Luca Compagna (1)

  1. SAP Research, Sophia Antipolis, France
  2. Dipartimento di Matematica e Informatica, Università di Catania, Catania, Italy
  3. Software Technology Research Laboratory, De Montfort University, Leicester, UK
