CSE1004 - NETWORKS AND COMMUNICATION

LAB ASSESSMENT 6
ProVerif Tool
Mritunjay R. Pathak
Rishabh Singhvi
Sahil Gami

Introduction:

ProVerif is an Free to use tool to download for Linux and Windows. This software
can be used to prove secrecy, authenticity, equivalence properties of
cryptographic protocols.

Installation Instructions for Windows:

Uncompress the archives proverifbsd2.00.tar.gz downloaded from the official

website using Winzip, in the directory of your choice. This will create a
subdirectory named proverif2.00.

The system can run under Windows, but it is not very Windows-friendly:
you have to use the command line to run the programs. Improving the interface
is on the to-do list...

Working:

To run a particular cryptographic protocol, use

./proverif <filename>.pv
command in command prompt to execute the protocol.

ProVerif supports file types such as pitype for execution.

The syntax of the command-line is

./proverif options filename
where the options can be

• -in format:
Choose the input format (horn, horntype, pi, pitype). When the -in option is
absent, the input format is chosen according to the file extension, as detailed
below. The recommended input format is the typed pi calculus, which
corresponds to the option -in pitype, and is the default when the file extension is
.pv. It is described in manual.pdf. The other formats are no longer actively
developed. Input may also be provided using the untyped pi calculus (option -in
pi, the default when the file extension is .pi), typed Horn clauses (option -in
horntype, the default when the file extension is .horntype), and untyped Horn
clauses (option -in horn, the default for all other file extensions). This manual
documents the untyped Horn clauses and the untyped pi calculus input formats.
• -out format:
Choose the output format, either solve (analyze the protocol) or spass (stop the
analysis before resolution, and output the clauses in the format required for use
in the Spass first-order theorem prover, see http://www.spass-prover.org/). The
default is solve. When you select -out spass, you must add the option -o
hfilenamei to specify the file in which the clauses will be output.
• -TulaFale version:
For compatibility with the web service analysis tool TulaFale (see the tool
download at http: //research.microsoft.com/projects/samoa/). The version
number is the version of TulaFale with which you would like compatibility.
Currently, only version 1 is supported.
• -color
Display a colored output on terminals that support ANSI color codes. (Will result
in a garbage output on terminals that do not support these codes.) Unix terminals
typically support ANSI color codes. For emacs users, you can run ProVerif in a shell
buffer with ANSI color codes as follows:
– start a shell with M-x shell – load the ansi-color library with M-x load-library RET
ansi-color RET – activate ANSI colors with M-x ansi-color-for-comint-mode-on –
now run ProVerif in the shell buffer.
You can also activate ANSI colors in shell buffers by default by adding the
following to your .emacs:
(autoload ’ansi-color-for-comint-mode-on "ansi-color" nil t) (add-hook ’shell-
mode-hook ’ansi-color-for-comint-mode-on)
• -help or --help
Display a short summary of command-line options.

Outputs:

The system gives an output of the following form:

Starting rules:
Rule 10: attacker:c[]
Rule 9: attacker:k -> attacker:host(k)
...
Completing...
Completed rules:
attacker:encrypt(secretB[],k[Kas[],Kbs[],Na[],Nb[host(Kas[]),Na[]]]) attacker:v147
& attacker:v148 -> attacker:encrypt(v148,k[Kas[],v147,Na[],v148])
...
ok, secrecy assumption verified: fact unreachable attacker:Kbs[]
...
goal unreachable: attacker:secretB[]
...

First, it displays the Horn clauses representing the protocol. If you use the Horn
clauses input, these are the clauses you entered. If you use the pi calculus input,
these clauses are the result of a translation of the process, described in papers.
This translation uses mainly two predicates attacker: M meaning that the
adversary may have M, and mess:C,M meaning that the message M may be sent
on channel C. It uses moreover a predicate end and a blocking predicate begin for
proofs involving events. Some other predicates are used for modeling the
compromise of session keys. The clauses are numbered. These numbers are used
in the following of the output to reference the clauses.
18
Second, the system completes the clauses, using a resolution-based algorithm.
Depending on the verbose parameter, it prints all clauses it creates, or only
numbers of clauses every 200th clause created. Third, it outputs the list of clauses
obtained after completion (after the words Completed rules). Fourth, if you have
given secrecy assumptions, using the declaration not, the system checks them. In
case the secrecy assumption is not satisfied, it stops immediately. Fifth, the
system checks each goal you have given using query. If the fact mentioned on the
left of ==> in the query is derivable, for each found clause that derives it, the
system outputs goal reachable, and a derivation of the clause from the initial
clauses. The derivation is built according to the following format:

Title of research Paper : An improved authenticated key agreement protocol

for telecare medicine information system.

Abstract: In telecare medicine information systems (TMIS), identity

authentication of patients plays an important role and has been widely studied in
the research field. Generally, it is realized by an authenticated key agreement
protocol, and many such protocols were proposed in the literature. Recently,
Zhang et al. pointed out that Islam et al.’s protocol suffers from the following
security weaknesses: (1) Any legal but malicious patient can reveal other user’s
identity; (2) An attacker can launch off-line password guessing attack and the
impersonation attack if the patient’s identity is compromised. Zhang et al. also
proposed an improved authenticated key agreement scheme with privacy
protection for TMIS. However, in this paper, we point out that Zhang et al.’s
scheme cannot resist off-line password guessing attack, and it fails to provide the
revocation of lost/stolen smartcard. In order to overcome these weaknesses, we
propose an improved protocol, the security and authentication of which can be
proven using applied pi calculus based formal verification tool ProVerif. Keywords:
Authentication, Protocol, Biometrics, Smart card
CODE
(*-----channel-----*)
free sch: channel [private].
(*-----variables and constants-----*)
const ID: bitstring.
const PW: bitstring [private].
const Nc: bitstring [private].
const P: bitstring.
const zero: bitstring.
const one: bitstring.
free s: bitstring [private].
free sk: bitstring [private].
free sku: bitstring [private].
(*-----constructor-----*)
fun H(bitstring): bitstring.
fun senc(bitstring, bitstring): bitstring.
fun por(bitstring, bitstring): bitstring.
fun exp(bitstring, bitstring): bitstring.
fun xor(bitstring, bitstring): bitstring.
fun add(bitstring, bitstring): bitstring.
fun mult(bitstring, bitstring): bitstring.
(*-----destructors & equations-----*)
reduc forall m: bitstring, n: bitstring; sdec(senc(m, n), n) = m.
equation forall m: bitstring, n: bitstring; xor(xor(m, n), n) = m.
(*-----events-----*)
event userAuthed(bitstring).
event userStarted(bitstring).
(*-----query-----*)
query attacker(sku).
query attacker(sk).
query id: bitstring;
inj-event(userAuthed(id)) ==> inj-event(userStarted(id)).
(*-----process-----*)
let U=
new r: bitstring;
let l=H(por(r,PW)) in
out(sch,(ID,l));
in(sch,(d':bitstring,P':bitstring,Qs':bitstring,N'':bitstring,Nc':bitstring));
new Bio: bitstring;
let u=xor(r,H(Bio)) in
!
(
event userStarted(ID);
let r'=xor(u,H(Bio)) in
let u'=H(por(r',por(PW,ID))) in
if u=u' then
new a: bitstring;
new N1: bitstring;
let V=mult(a,P) in
let I=mult(a,Qs') in
let Ku=H(por(I,N1)) in
let f'=xor(d',l) in
let m1=(V,N'',N1,f',Nc) in
let r''=H(m1) in
let G1=senc(por(ID,por(N1,por(r'',Nc))),Ku) in
out(sch,(V,G1,N1));
in(sch,(W':bitstring,G2'':bitstring,N2':bitstring));
let J'=mult(a,W') in
let K'=H(por(J',N2')) in
let (Qs'':bitstring,N2'':bitstring)=sdec(G2'',K') in
if Qs'=Qs'' then
let sku= H(por(ID,por(Qs'',por(I,por(J',por(N1,N2'')))))) in
0
).
let S=
 in(sch, (ID': bitstring,l': bitstring));
new N: bitstring;
let N'=if ID'=ID then zero else add(N,one) in
let f=H(xor(s,ID')) in
let d=xor(f,l') in
let Qs=mult(s,P) in
out(sch,(d,P,Qs,N',Nc));
in(sch,(V': bitstring,G1': bitstring,N1': bitstring));
let I'=mult(s,V') in
let Ks=H(por(I',N1')) in
let (ID'': bitstring,N1': bitstring,r1: bitstring, Nc: bitstring)=sdec(G1',Ks) in
event userAuthed(ID'');
if ID'=ID'' then
let f2=H(xor(s,ID'')) in
let m2=(V',N',N1',f2) in
let r2=H(m2) in
if r1=r2 then
new c: bitstring;
new N2: bitstring;
let W=mult(c,P) in
let J=mult(c,V') in
let K=H(por(J,N2)) in
let G2=senc(por(Qs,N2),K) in
let sk=H(por(ID'',por(Qs,por(I',por(J,por(N1',N2)))))) in
out(sch,(W,G1',N2)).
process !U|S
Output images :-
Conclusion :- In this paper, we show that Zhang et al.’s protocol (Zhang and
Zhou 2015) is vulnerable to lost/stolen smartcard disguised attack and off-line
password guessing attack. And then we propose an improved protocol using
biometric keys (fingerprint, face and palmprint, etc.) to resolve the security
problems. Furthermore, we provide the simulation results of our scheme for the
formal security verification, using applied pi calculus based formal verification tool
ProVerif. Our protocol overcomes the weaknesses of Islam et al.’s scheme and
Zhang et al.’s scheme, and has the similar efficiency in comparison with their
schemes.