Automatic Verification of Correspondences for Security Protocols

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv source of the paper.

We present a new technique for verifying correspondences in security protocols. In particular, correspondences can be used to formalize authentication. Our technique is fully automatic; it can handle an unbounded number of sessions of the protocol, and it is efficient in practice. It significantly extends a previous technique for the verification of secrecy. The protocol is represented in an extension of the pi calculus with fairly arbitrary cryptographic primitives. This protocol representation includes the specification of the correspondence to be verified, but no other annotation. This representation is then translated into an abstract representation by Horn clauses, which is used to prove the desired correspondence. Our technique has been proved correct and implemented. We have tested it on various protocols from the literature. The experimental results show that these protocols can be verified by our technique in less than 1 s.


💡 Research Summary

The paper introduces a fully automatic method for verifying authentication properties, formalized as correspondence assertions, in security protocols, even when an unbounded number of sessions is considered. The authors build on their earlier work on secrecy verification, extending it to handle a rich class of correspondences, both non‑injective (if the "end" event has been executed, the corresponding "begin" event has been executed at least once before it) and injective (each execution of the end event corresponds to a distinct execution of the begin event, which is what rules out replays).

The starting point is a process calculus that extends the π‑calculus with constructors and destructors (the latter defined by rewrite rules) for arbitrary cryptographic primitives, plus a new "event" construct. Protocols are written as processes; the only annotation required is the placement of events that describe the intended authentication goals, together with the correspondence query itself. No additional typing or manual proof obligations are needed.

The core technical contribution is a translation from these processes into a set of Horn clauses. This translation generalizes the earlier secrecy‑only translation by (i) keeping fresh names (nonces, session keys) distinct across sessions by representing each name as a function of the session in which it is created and of the messages received before its creation, (ii) encoding events as logical facts that appear as hypotheses and conclusions of clauses, and (iii) handling non‑deterministic destructors, which are needed to model Diffie‑Hellman key agreement. The resulting Horn clause system over‑approximates the behaviors of the protocol under the Dolev‑Yao adversary model, without imposing any bound on the number of sessions or on term sizes; the abstraction may admit derivations that no real execution produces, but never loses a real one.

A resolution‑based solver saturates the clause set and then inspects every clause that concludes the target ("end") event: the correspondence holds when each such clause carries the corresponding prerequisite ("begin") event among its hypotheses. For non‑injective correspondences the solver checks existence; for injective correspondences it additionally uses session identifiers attached to events to check that distinct executions of the end event are matched by distinct executions of the begin event. The authors prove soundness of the whole pipeline: if the Horn clauses entail the correspondence, the original protocol satisfies the authentication property. The converse is not guaranteed, so a failed proof is a candidate attack rather than a confirmed one.
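To make the non‑injective/injective distinction and the clause encoding concrete, here is an added illustration that is not code from the paper and not ProVerif: a small depth‑bounded backward‑chaining prover over Horn clauses. It encodes two toy protocols, one where B accepts any ciphertext under the shared key (a replay gives two end events for one begin event) and one where B first sends a nonce challenge that A must echo inside the ciphertext. Fresh names are written as functions of the session, e.g. `('n', '?sa')`; the clause shapes, the `end(msg, session)` convention and the injectivity test (the begin instance must fix every variable of the end instance) are this example's own simplifications of the paper's definitions, and the depth bound is a shortcut the paper does not need.

```python
"""Added illustration: depth-bounded Horn-clause check of correspondences.
Not the paper's algorithm and not ProVerif; a simplified model of the idea."""
import itertools

# Terms: str = constant, str starting with '?' = variable, tuple = f(args...).
def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def subst(t, s):
    if is_var(t):
        return subst(s[t], s) if t in s else t
    return tuple(subst(a, s) for a in t) if isinstance(t, tuple) else t

def unify(a, b, s):
    """Return an extended substitution unifying a and b, or None."""
    a, b = subst(a, s), subst(b, s)
    if a == b:
        return s
    if is_var(a):
        return {**s, a: b}
    if is_var(b):
        return {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b):
        for x, y in zip(a, b):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return None

def variables(t):
    if is_var(t):
        return {t}
    return set().union(*map(variables, t)) if isinstance(t, tuple) else set()

_fresh = itertools.count()

def rename(clause):
    """Rename a clause's variables apart before each use."""
    hyps, concl = clause
    fresh = {}
    def r(t):
        if is_var(t):
            return fresh.setdefault(t, t.split('#')[0] + '#' + str(next(_fresh)))
        return tuple(r(a) for a in t) if isinstance(t, tuple) else t
    return [r(h) for h in hyps], r(concl)

def derive(goals, clauses, s, depth):
    """Yield (subst, leaves) for every derivation of goals within depth.
    Event facts and attacker(x) with x a variable are kept as hypotheses
    instead of being resolved (the attacker can instantiate x with any
    term it knows), which is the role of the selection function in the paper."""
    goals = [subst(g, s) for g in goals]
    pending = [i for i, g in enumerate(goals)
               if g[0] == 'attacker' and not is_var(g[1])]
    if not pending:
        yield s, goals
        return
    if depth == 0:
        return
    i = pending[0]
    goal, rest = goals[i], goals[:i] + goals[i + 1:]
    for clause in clauses:
        hyps, concl = rename(clause)
        s2 = unify(goal, concl, s)
        if s2 is not None:
            yield from derive(hyps + rest, clauses, s2, depth - 1)

def check(clauses, end_query, depth=5):
    """Check end(x, sid) ==> begin(x, ...) on every derivation of end_query.
    Returns (non_injective_holds, injective_holds, number_of_derivations)."""
    noninj = inj = True
    count = 0
    for clause in clauses:
        hyps, concl = rename(clause)
        s = unify(end_query, concl, {})
        if s is None:
            continue
        for s2, leaves in derive(hyps, clauses, s, depth):
            count += 1
            end = subst(concl, s2)[1]
            begins = [subst(l, s2)[1] for l in leaves
                      if l[0] == 'event' and l[1][0] == 'begin']
            matching = [b for b in begins if b[1] == end[1]]
            noninj &= bool(matching)
            # Injective: the begin instance must fix every variable of the end
            # instance, so distinct end executions need distinct begin executions.
            inj &= any(variables(end) <= variables(b) for b in matching)
    return noninj, inj, count

K = 'k'  # long-term key shared by A and B; no clause ever gives it to the attacker
DOLEV_YAO = [  # attacker capabilities: encrypt, decrypt, pair, project
    ([('attacker', '?k'), ('attacker', '?m')], ('attacker', ('senc', '?m', '?k'))),
    ([('attacker', ('senc', '?m', '?k')), ('attacker', '?k')], ('attacker', '?m')),
    ([('attacker', '?a'), ('attacker', '?b')], ('attacker', ('pair', '?a', '?b'))),
    ([('attacker', ('pair', '?a', '?b'))], ('attacker', '?a')),
    ([('attacker', ('pair', '?a', '?b'))], ('attacker', '?b')),
]
# Protocol 1 (constructed): A: new n; event begin(n); out senc(n, k).
#   B: in x; let m = sdec(x, k) in event end(m, sb).  sb is B's session id.
REPLAYABLE = DOLEV_YAO + [
    ([('event', ('begin', ('n', '?sa')))], ('attacker', ('senc', ('n', '?sa'), K))),
    ([('attacker', ('senc', '?m', K))], ('event', ('end', '?m', '?sb'))),
]
# Protocol 2 (constructed): B: new nb; out nb; in x; let (m, =nb) = sdec(x, k)
#   in event end(m, nb).   A: in y; new n; event begin(n, y); out senc((n, y), k).
CHALLENGE = DOLEV_YAO + [
    ([], ('attacker', ('nb', '?sb'))),
    ([('attacker', ('senc', ('pair', '?m', ('nb', '?sb')), K))],
     ('event', ('end', '?m', ('nb', '?sb')))),
    ([('attacker', '?y'), ('event', ('begin', ('n', '?sa', '?y'), '?y'))],
     ('attacker', ('senc', ('pair', ('n', '?sa', '?y'), '?y'), K))),
]
QUERY = ('event', ('end', '?x', '?sid'))

if __name__ == '__main__':
    for name, clauses in (('replayable', REPLAYABLE), ('nonce challenge', CHALLENGE)):
        noninj, inj, n = check(clauses, QUERY)
        print(f"{name}: {n} derivations; end==>begin: {noninj}; injective: {inj}")
```

Running it reports the non‑injective correspondence as holding for both protocols, while the injective one holds only for the nonce‑challenge variant: in the replayable protocol the derived clause has the form begin(n[sa]) ⇒ end(n[sa], sb) with B's session sb unconstrained by the begin hypothesis, which is exactly one begin execution supporting arbitrarily many end executions. In ProVerif the two queries would be written `query x: bitstring; event(end(x)) ==> event(begin(x))` and `query x: bitstring; inj-event(end(x)) ==> inj-event(begin(x))`, with the session bookkeeping done by the tool rather than by hand as here.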

Termination of the resolution algorithm is not guaranteed for arbitrary protocols, but it is guaranteed for the class of "tagged protocols". A protocol is tagged when every application of a cryptographic primitive (each encryption, signature or hash) includes a distinct constant tag identifying the protocol step, so that a ciphertext produced at one step cannot be mistaken for one produced at another; this keeps the set of clauses that resolution can generate finite. Protocols built from shared‑key encryption, public‑key encryption, digital signatures and hash functions can usually be tagged at negligible cost, and tagging is a sound design practice in its own right.

The technique has been implemented in the ProVerif tool, which is publicly available. The authors evaluate it on a selection of protocols from the literature (e.g., Needham‑Schroeder, TLS, Just Fast Keying). In each case the tool either proves the desired correspondences or produces a derivation that can be turned into a concrete attack trace, and the benchmark protocols are verified in under one second. The only observed failures occur for protocols that first keep a value secret and later reveal it: the abstraction, which forgets how many times an action is repeated, prevents the proof in these rare cases. Because the abstraction is sound, such failures are false attacks (the tool cannot prove a property that actually holds), never false proofs.

Compared with related work, the paper highlights several advantages: (1) minimal user effort, since only the protocol, its events and the query need to be written; (2) support for a broader range of cryptographic primitives than many type‑based systems; (3) a more abstract Horn‑clause representation than the NRL analyzer, leading to better termination behavior; and (4) the ability to reconstruct attacks when a proof fails. Limitations include possible non‑termination on some untagged protocols and the incompleteness introduced by the abstraction of action counts, which can yield false attacks but not false proofs.

In summary, the authors deliver a theoretically grounded, practically efficient, and widely applicable framework for automatic authentication verification in security protocols, pushing the state of the art beyond secrecy‑only analysis and offering a valuable tool for protocol designers and analysts.
