Compiling and Verifying Security Protocols

Conference paper
Part of the Lecture Notes in Artificial Intelligence book series (LNCS, volume 1955)


We propose a direct and fully automated translation from standard security protocol descriptions to rewrite rules. This compilation defines non-ambiguous operational semantics for protocols and intruder behavior: they are rewrite systems executed by applying a variant of AC-narrowing. The rewrite rules are processed by the theorem-prover daTac. Multiple instances of a protocol can be run simultaneously, together with a model of the intruder (one of several possible models). The existence of flaws in the protocol is revealed by the derivation of an inconsistency. Our implementation of the compiler CASRUL, together with the prover daTac, permitted us to derive security flaws in many classical cryptographic protocols.



Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  1. Campus Scientifique, LORIA - INRIA Lorraine, Nancy Cedex, France
  2. Campus Scientifique, LORIA - Université Nancy 2, Nancy Cedex, France