Using State Space Exploration and a Natural Deduction Style Message Derivation Engine to Verify Security Protocols

  • E. M. Clarke
  • S. Jha
  • W. Marrero
Part of the IFIP — The International Federation for Information Processing book series (IFIPAICT)


As more resources are added to computer networks, and as more vendors look to the World Wide Web as a viable marketplace, the importance of being able to restrict access and to ensure some kind of acceptable behavior even in the presence of malicious adversaries becomes paramount. Many researchers have proposed the use of security protocols to provide these security guarantees. In this paper, we develop a method of verifying these protocols using a special-purpose model checker which executes an exhaustive state space search of a protocol model. Our tool also includes a natural deduction style derivation engine which models the capabilities of the adversary trying to attack the protocol. Because our models are necessarily abstractions, we cannot prove a protocol correct. However, our tool is extremely useful as a debugger. We have used our tool to analyze 14 different authentication protocols, and have found the previously reported attacks for them.


Model checking, security protocols, authentication, natural deduction



Copyright information

© Springer Science+Business Media Dordrecht 1998

Authors and Affiliations

  • E. M. Clarke (1)
  • S. Jha (1)
  • W. Marrero (1)
  1. Carnegie Mellon University, USA
