Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif

Focuses on the verification of specifications of protocols in the symbolic model. ProVerif is an automatic symbolic protocol verifier. This survey presents an overview of the research on ProVerif and is the most comprehensive text available on the topic.

---

The verification of security protocols has been an active research area since the 1990s. This topic is interesting for several reasons. Security protocols are ubiquitous: they are used for e-commerce, wireless networks, credit cards, e-voting, among others. The design of security protocols is notoriously error-prone. These errors can also have serious consequences. Hence, the formal verification or proof of protocols is particularly desirable.

This survey focuses on the verification of specifications of protocols in the symbolic model. Even though it is fairly abstract, this level of verification is relevant in practice as it enables the discovery of many attacks. ProVerif is an automatic symbolic protocol verifier. It supports a wide range of cryptographic primitives, defined by rewrite rules or by equations. It can prove various security properties: secrecy, authentication, and process equivalences, for an unbounded message space and an unbounded number of sessions. It takes as input a description of the protocol to verify in a dialect of the applied pi calculus, an extension of the pi calculus with cryptography. It automatically translates this protocol description into Horn clauses and determines whether the desired security properties hold by resolution on these clauses.

This survey presents an overview of the research on ProVerif and is the most comprehensive text available on the topic.