
ProVerif 2.02pl1: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial

Bruno Blanchet, Ben Smyth, Vincent Cheval, and Marc Sylvestre

September 2, 2020

Acknowledgements

This manual was written with support from the Direction Générale pour l'Armement (DGA) and the EPSRC project UbiVal (EP/D076625/2).

ProVerif was developed while Bruno Blanchet was affiliated with INRIA Paris-Rocquencourt, with CNRS, Ecole Normale Supérieure, Paris, and with Max-Planck-Institut für Informatik, Saarbrücken. This manual was written while Bruno Blanchet was affiliated with INRIA Paris-Rocquencourt and with CNRS, Ecole Normale Supérieure, Paris, Ben Smyth was affiliated with Ecole Normale Supérieure, Paris and with University of Birmingham, Vincent Cheval was affiliated with CNRS and Inria Nancy, and Marc Sylvestre was affiliated with INRIA Paris.

The development of ProVerif would not have been possible without the helpful remarks from the research community; their contributions are greatly appreciated and further feedback is encouraged.

Contents

1 Introduction
    1.1 Applications of ProVerif
    1.2 Scope of this manual
    1.3 Support
    1.4 Installation
        1.4.1 Installation via OPAM
        1.4.2 Installation from sources (Linux/Mac/cygwin)
        1.4.3 Installation from binaries (Windows)
        1.4.4 Emacs
        1.4.5 Atom
    1.5 Copyright
2 Getting started
3 Using ProVerif
    3.1 Modeling protocols
        3.1.1 Declarations
        3.1.2 Example: Declaring cryptographic primitives for the handshake protocol
        3.1.3 Process macros
        3.1.4 Processes
        3.1.5 Example: handshake protocol
    3.2 Security properties
        3.2.1 Reachability and secrecy
        3.2.2 Correspondence assertions, events, and authentication
        3.2.3 Example: Secrecy and authentication in the handshake protocol
    3.3 Understanding ProVerif output
        3.3.1 Results
        3.3.2 Example: ProVerif output for the handshake protocol
    3.4 Interactive mode
        3.4.1 Interface description
        3.4.2 Manual and auto-reduction
        3.4.3 Execution of 0, P | Q, !P, new, let, if, and event
        3.4.4 Execution of inputs and outputs
        3.4.5 Button "Add a term to public"
        3.4.6 Execution of insert and get
        3.4.7 Handshake run in interactive mode
        3.4.8 Advanced features
4 Language features
    4.1 Primitives and modeling features
        4.1.1 Constants
        4.1.2 Data constructors and type conversion
        4.1.3 Natural numbers
        4.1.4 Enriched terms
        4.1.5 Tables and key distribution
        4.1.6 Phases
        4.1.7 Synchronization
    4.2 Further cryptographic operators
        4.2.1 Extended destructors
        4.2.2 Equations
        4.2.3 Function macros
        4.2.4 Process macros with fail
        4.2.5 Suitable formalizations of cryptographic primitives
    4.3 Further security properties
        4.3.1 Complex correspondence assertions, secrecy, and events
        4.3.2 Observational equivalence
5 Needham-Schroeder: Case study
    5.1 Simplified Needham-Schroeder protocol
        5.1.1 Basic encoding
        5.1.2 Security properties
    5.2 Full Needham-Schroeder protocol
    5.3 Generalized Needham-Schroeder protocol
    5.4 Variants of these security properties
        5.4.1 A variant of mutual authentication
        5.4.2 Authenticated key exchange
        5.4.3 Full ordering of the messages
6 Advanced reference
    6.1 Proving correspondence queries by induction
        6.1.1 Single query
        6.1.2 Group of queries
    6.2 Axioms, restrictions, and lemmas
    6.3 Predicates
    6.4 Referring to bound names in queries
    6.5 Exploring correspondence assertions
    6.6 ProVerif options
        6.6.1 Command-line arguments
        6.6.2 Settings
    6.7 Theory and tricks
        6.7.1 The resolution strategy of ProVerif
        6.7.2 Performance and termination
        6.7.3 Alternative encodings of protocols
        6.7.4 Applied pi calculus encodings
        6.7.5 Sources of incompleteness
        6.7.6 Misleading syntactic constructs
    6.8 Compatibility with CryptoVerif
    6.9 Additional programs
        6.9.1 test
        6.9.2 analyze
        6.9.3 addexpectedtags
7 Outlook
A Language reference
B Semantics

List of Figures

3.1 Handshake protocol
3.2 Term and process grammar
3.3 Pattern matching grammar
3.4 Messages and events for authentication
3.5 Handshake protocol attack trace
3.6 Handshake protocol - Initial simulator window
3.7 Handshake protocol - Simulator window 1
3.8 Handshake protocol - Simulator window 2
3.9 Handshake protocol - Simulator window 3
4.1 Natural number grammar
4.2 Enriched terms grammar
4.3 Grammar for correspondence assertions
A.1 Grammar for terms

Details

File type: PDF
Content language: English
File pages: 158