Cryptographic protocol analysis with Verifpal
Most software projects avoid formal verification due to time constraints and expertise requirements. Tools like the Coq proof assistant, commonly used to introduce the topic to computer science students, can appear too cumbersome for real-world applications and therefore hard to justify.
In contrast, in the field of cryptography specialised tools such as ProVerif have been regularly used for the last two decades for verifying important properties of cryptographic protocols, but these still involve writing scarily long proofs.
However, in recent years, multiple similar tools that try simplify the process have been developed. One that caught my attention was Verifpal, whose creators have prioritised user-friendliness in its design. Created by Nadim Kobeissi, Georgio Nicolas and Mukesh Tiwari, it was first released in 20191.
The Verifpal User Manual is really fun and it only requires some undergraduate-level knowledge of cryptography. In this post, I will show you a short exercise from the manual (“Challenge-Response Protocol”) to illustrate what automated formal verification looks like with Verifpal.
So, first thing our model will need is an adversary, which in this case is an active attacker that has total control of the network2:
attacker[active]
Yup, that’s all. Now we need some principals, this is, the parties who are trying to communicate:
principal Server [
knows private s
gs = G^s
]
principal Client [
knows private c
gc = G^c
generates nonce
]
Here we have two principals, a client named Client
and a server named Server
. The server has a secret s
that in this example represents a Diffie-Hellman secret exponent, and its derived public key named gs
. Similarly, the client knows its own secret exponent and public key, plus a random nonce
that the client will use as a challenge for the server:
Client->Server: nonce
principal Server[
proof = SIGN(s, nonce)
]
The first line means that Client
sends the nonce
to Server
through the network. Then Server
digitally signs the nonce
using its secret exponent s
.
Server->Client: gs, proof // uh-oh
principal Client[
valid = SIGNVERIF(gs, nonce, proof)?
generates attestation
signed = SIGN(c, attestation)
]
Now Server
sends its public key gs
and the signed challenge proof
to Client
. The // uh-oh
is just a code comment (ignore it for now ;p). Then Client
validates the signed challenge (the ?
after SIGNVERIF
tells that the execution should end here if the signature verification fails), generates an attestation message and signs it.
Client->Server: [gc], attestation, signed
principal Server[
storage = SIGNVERIF(gc, attestation, signed)?
]
In the final part of our protocol Client
sends its public key gc
, the attestation message and the digital signature. Then Server
verifies that attestation
was signed by Client
.
Note the square brackets wrapping gc
: it means that this value cannot be tempered by an attacker, only read. Why? Well, let’s just assume the principals are able to share public keys through some other channel that they consider secure, so basically we want to keep this part out of the scope of our model.
Our protocol is now defined. Let’s see if there is any way an attacker could impersonate the server or the client. For that we need to check if an attacker can do anything interesting with our signatures:
queries[
authentication? Server->Client: proof
authentication? Client->Server: signed
]
A query is the way you ask Verifpal to verify properties of your protocol. Here we care about the authenticity of some values; could anyone perform a successful MITM? Let’s run the following command in the shell to see:
$ verifpal verify challenge-response.vp
Verifpal 0.27.2 - https://verifpal.com
Warning • Verifpal is Beta
Verifpal • Parsing model 'challenge-response.vp'...
[...]
Analysis • Initializing Stage 2 mutation map for Client...
Result • authentication? Server -> Client: proof — When:
[...]
gs → G^nil ← mutated by Attacker (originally G^s)
proof → SIGN(nil, nonce) ← mutated by Attacker (originally SIGN(s, nonce))
valid → nil ← obtained by Attacker
storage → nil ← obtained by Attacker
proof (SIGN(nil, nonce)), sent by Attacker and not by Server, is successfully used in SIGNVERIF(G^nil, nonce, SIGN(nil, nonce))? within Client's state.
[...]
The full output is a bit long for a blog post, but as you can see an attacker was able to impersonate the server by swapping the server’s public key gs
for its own and then using it to sign a new proof!
This happened because we forgot to indicate that gs
, like gc
, can’t be tempered; remember the “uh-oh”? Let’s fix that:
Server->Client: [gs], proof
Now if we run the verify
command again we will get this instead:
[...]
Verifpal • All queries pass.
Verifpal • Thank you for using Verifpal.
Nice! This confirms that the properties we wanted to verify are true ^_^