Finite Models in FOL-Based Crypto-Protocol Verification

  • Jan Jürjens
  • Tjark Weber
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5511)


Cryptographic protocols can only be secure under certain inequality assumptions. Axiomatizing these inequalities explicitly is problematic: stating too many inequalities may impair soundness of the verification approach. To address this issue, we investigate an alternative approach (based on first-order logic) that does not require inequalities to be axiomatized. A derivation of the negated security property exhibits a protocol attack, and absence of a derivation amounts to absence of the investigated kind of attack.

We establish a fragment of FOL strictly greater than Horn formulas in which the approach is sound. We then show how to use finite model generation in this context to prove the absence of attacks. To demonstrate its practicality, the approach is applied to several well-known protocols, including ones relying on non-trivial algebraic properties. We show that it can be used to deal with infinitely many principals (and thus sessions).


Theorem Prover Authentication Protocol Free Algebra Cryptographic Protocol Finite Model 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Paulson, L.C.: The inductive approach to verifying cryptographic protocols. Journal of Computer Security 6(1-2), 85–128 (1998)CrossRefGoogle Scholar
  2. 2.
    Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL – A Proof Assistant for Higher-Order Logic. LNCS, vol. 2283. Springer, Heidelberg (2002)zbMATHGoogle Scholar
  3. 3.
    Weidenbach, C.: Towards an automatic analysis of security protocols in first-order logic. In: Ganzinger, H. (ed.) CADE 1999. LNCS, vol. 1632, pp. 314–328. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  4. 4.
    Blanchet, B.: An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In: CSFW-14, pp. 82–96. IEEE Computer Society, Los Alamitos (2001)Google Scholar
  5. 5.
    Jürjens, J.: A domain-specific language for cryptographic protocols based on streams. Journal of Logic and Algebraic Programming (JLAP) (2009)Google Scholar
  6. 6.
    Blanchet, B.: From secrecy to authenticity in security protocols. In: Hermenegildo, M.V., Puebla, G. (eds.) SAS 2002. LNCS, vol. 2477, pp. 342–359. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  7. 7.
    Comon, H., Nieuwenhuis, R.: Induction = I-axiomatization + first-order consistency. Technical report, ENS Cachan (1998)Google Scholar
  8. 8.
    Steel, G., Bundy, A., Maidl, M.: Attacking a protocol for group key agreement by refuting incorrect inductive conjectures. In: Basin, D., Rusinowitch, M. (eds.) IJCAR 2004. LNCS, vol. 3097, pp. 137–151. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  9. 9.
    Hodges, W.: Model Theory. Cambridge University Press, Cambridge (1993)CrossRefzbMATHGoogle Scholar
  10. 10.
    Adámek, J., Rosický, J.: Locally Presentable and Accessible Categories. London Math. Soc. Lect. Note Ser., vol. 189. Cambridge University Press, Cambridge (1994)CrossRefzbMATHGoogle Scholar
  11. 11.
    Jürjens, J.: On a problem of Gabriel and Ulmer. Journal of Pure and Applied Algebra 158, 183–196 (2001)MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Schumann, J.: Automatic verification of cryptographic protocols with SETHEO. In: CADE (1999)Google Scholar
  13. 13.
    Comon-Lundh, H., Cortier, V.: Security properties: two agents are sufficient. Sci. Comput. Program. 50(1-3), 51–71 (2004)MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    Cohen, E.: First-order verification of cryptographic protocols. Journal of Computer Security 11(2), 189–216 (2003)CrossRefGoogle Scholar
  15. 15.
    Lassez, J.L., Maher, M.J., Marriott, K.: Elimination of negation in term algebras. In: Tarlecki, A. (ed.) MFCS 1991. LNCS, vol. 520, pp. 1–16. Springer, Heidelberg (1991)CrossRefGoogle Scholar
  16. 16.
    Comon, H., Fernández, M.: Negation elimination in equational formulae. In: Havel, I.M., Koubek, V. (eds.) MFCS 1992. LNCS, vol. 629. Springer, Heidelberg (1992)CrossRefGoogle Scholar
  17. 17.
    Weber, T.: SAT-based Finite Model Generation for Higher-Order Logic. PhD thesis, Technische Universität München (2008)Google Scholar
  18. 18.
    RSA Laboratories: PKCS #1: RSA Cryptography Standard Version 2.1. (June 2002)Google Scholar
  19. 19.
    Institute of Electrical and Electronics Engineers: IEEE Std 802.11-1997 (1997)Google Scholar
  20. 20.
    Lowe, G.: An attack on the Needham-Schroeder public key authentication protocol. Information Processing Letters 56(3), 131–136 (1995)CrossRefzbMATHGoogle Scholar
  21. 21.
    Sutcliffe, G., Suttner, C.B.: The TPTP problem library: CNF release v1.2.1. Journal of Automated Reasoning 21(2), 177–203 (1998)MathSciNetCrossRefzbMATHGoogle Scholar
  22. 22.
    Claessen, K., Sörensson, N.: New techniques that improve MACE-style finite model finding. In: CADE, Workshop W4 (2003)Google Scholar
  23. 23.
    Sutcliffe, G.: System on TPTP, (accessed January 9, 2009)
  24. 24.
    Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120–126 (1978)MathSciNetCrossRefzbMATHGoogle Scholar
  25. 25.
    Bellare, M., Rogaway, P.: The exact security of digital signatures: How to sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  26. 26.
    Lindenberg, C., Wirt, K.: SHA1, RSA, PSS and more. In: Klein, G., Nipkow, T., Paulson, L. (eds.) The Archive of Formal Proofs (May 2005),, Formal proof development
  27. 27.
    Cortier, V., Delaune, S., Lafourcade, P.: A survey of algebraic properties used in cryptographic protocols. Journal of Computer Security 14(1), 1–43 (2006)CrossRefGoogle Scholar
  28. 28.
    Borisov, N., Goldberg, I., Wagner, D.: Intercepting mobile communications: The insecurity of 802.11. In: MOBICOM, pp. 180–188 (2001)Google Scholar
  29. 29.
    Selinger, P.: Models for an adversary-centric protocol logic. Electr. Notes Theor. Comput. Sci. 55(1) (2001)Google Scholar
  30. 30.
    Goubault-Larrecq, J.: Towards producing formally checkable security proofs, automatically. In: Computer Security Foundations (CSF), pp. 224–238 (2008)Google Scholar
  31. 31.
    Jürjens, J.: Security analysis of crypto-based java programs using automated theorem provers. In: ASE, pp. 167–176. IEEE Computer Society, Los Alamitos (2006)Google Scholar
  32. 32.
    Jürjens, J.: Secure information flow for concurrent processes. In: Palamidessi, C. (ed.) CONCUR 2000. LNCS, vol. 1877, pp. 395–409. Springer, Heidelberg (2000)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Jan Jürjens
    • 1
  • Tjark Weber
    • 2
  1. 1.Microsoft Research, Cambridge, and Robinson College (Univ. Cambridge)Open University (UK)UK
  2. 2.Computer LaboratoryUniversity of CambridgeUK

Personalised recommendations