A Formal Security Analysis of ERTMS Train to Trackside Protocols

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9707)


This paper presents a formal analysis of the train to trackside communication protocols used in the European Railway Traffic Management System (ERTMS) standard, and in particular the EuroRadio protocol. This protocol is used to secure important commands sent between train and trackside, such as movement authority and emergency stop messages. We perform our analysis using the applied pi-calculus and the ProVerif tool. This provides a powerful and expressive framework for protocol analysis and allows to check a wide range of security properties based on checking correspondence assertions. We show how it is possible to model the protocol’s counter-style timestamps in this framework. We define ProVerif assertions that allow us to check for secrecy of long and short term keys, authenticity of entities, message insertion, deletion, replay and reordering. We find that the protocol provides most of these security features, however it allows undetectable message deletion and the forging of emergency messages. We discuss the relevance of these results and make recommendations to further enhance the security of ERTMS.


Application Layer Authentication Protocol Security Property Safety Feature Cryptographic Primitive 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We would like to thank Maria Vigliotti and Florent Pepin from the UK’s Rail Safety and Standards Board (RSSB) for helpful discussion regarding the security of ERTMS. Funding for this paper was provided by the UK’s Centre for the Protection of National Infrastructure (CPNI) and Engineering and Physical Sciences Research Council (EPSRC) via the SCEPTICS: A SystematiC Evaluation Process for Threats to Industrial Control Systems project.


  1. 1.
    Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: Symposium on Principles of Programming Languages (POPL) (2001)Google Scholar
  2. 2.
    Ansaldo STS Group. Product portfolio and ERTMS/RTCS projects of Ansaldo Segnalamento Ferroviario (2008).
  3. 3.
    Arapinis, M., Chothia, T., Ritter, E., Ryan, M.: Analysing unlinkability and anonymity using the applied pi calculus. In: Proceedings of the 23rd IEEE Computer Security Foundations Symposium, CSF 2010, pp. 107–121 (2010)Google Scholar
  4. 4.
    Blanchet, B.: An efficient cryptographic protocol verifier based on Prolog rules. In: Computer Security Foundations Workshop (CSFW), pp. 82–96. IEEE (2001)Google Scholar
  5. 5.
    Blanchet, B., Smyth, B., Cheval, V.: ProVerif 1.88: Automatic cryptographic protocol verifier, user manual and tutorial (2013)Google Scholar
  6. 6.
    Bloomfield, R., Bloomfield, R., Gashi, I., Stroud, R.: How secure Is ERTMS? In: Ortmeier, F., Daniel, P. (eds.) SAFECOMP Workshops 2012. LNCS, vol. 7613, pp. 247–258. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  7. 7.
    Cheval, V., Cortier, V.: Timing attacks in security protocols: symbolic framework and proof techniques. In: Focardi, R., Myers, A. (eds.) POST 2015. LNCS, vol. 9036, pp. 280–299. Springer, Heidelberg (2015)Google Scholar
  8. 8.
    Chothia, T., Garcia, F.D., de Ruiter, J., van den Breekel, J., Thompson, M.: Relay cost bounding for contactless EMV payments. In: Böhme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 189–206. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  9. 9.
    ERA: SUBSET-026: System requirements specification, version 3.5.0. Technical report (2015)Google Scholar
  10. 10.
    Esposito, R., Lazzaro, A., Marmo, P., Sanseviero, A.: Formal verification of ERTMS EuroRadio safety critical protocol. In: Proceedings 4th Symposium on Formal Methods for Railway Operation and Control Systems (FORMS 2003) (2003)Google Scholar
  11. 11.
    Franekova, M., Rastocny, K., Janota, A., Chrtiansky, P.: Safety analysis of cryptography mechanisms used in GSM for railway. Int. J. Eng. 11(1), 207–212 (2011). Google Scholar
  12. 12.
    GSM-R Functional Group: EIRENE Functional Requirements Specification, version 7.4.0. Technical report (2014)Google Scholar
  13. 13.
    GSM-R Functional Group: EIRENE System Requirements Specification, version 15.4.0. Technical report (2014)Google Scholar
  14. 14.
    Hongjie, L., Lijie, C., Bin, N.: Petrinet based analysis of the safety communication protocol. TELKOMNIKA Indonesian J. Electr. Eng. 11(10), 6034–6041 (2013)Google Scholar
  15. 15.
    Li, L., Sun, J., Liu, Y., Sun, M., Dong, J.S.: A formal specification and verification framework for timed security protocols. TSE (2015, in submission)Google Scholar
  16. 16.
    RSSB: GSM-R User Procedures, issue 7.1. Technical report (2015)Google Scholar
  17. 17.
    UNISIG: SUBSET-037 - EuroRadio FIS, version 3.2.0. Technical report (2015)Google Scholar
  18. 18.
    Zhang, Y., Tang, T., Li, K., Mera, J.M., Zhu, L., Zhao, L., Xu, T.: Formal verification of safety protocol in train control system. Sci. China Technol. Sci. 54(11), 3078–3090 (2011)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.School of Computer ScienceUniversity of BirminghamBirminghamUK

Personalised recommendations