3 To 5


Practical 3

SPAN+AVISPA
INTRODUCTION:
SPAN is a Security Protocol ANimator for AVISPA. AVISPA stands for Automated
Validation of Internet Security Protocols and Applications. The AVISPA project aims at
developing a push-button, industrial-strength technology for the analysis of large-scale Internet
security-sensitive protocols and applications.
SPAN is designed to help protocol developers write HLPSL (High-Level Protocol Specification
Language) specifications. From an HLPSL specification, SPAN helps in interactively building
Message Sequence Charts (MSC) of the protocol execution. Since SPAN implements an active
intruder, it can also be used to interactively find and build attacks on protocols.
OBJECTIVE:
The objective of this practical is to show how to use SPAN to understand and debug HLPSL
specifications used in the AVISPA cryptographic protocol verification tool.

IMPLEMENTATION:

1. Installing and starting SPAN+AVISPA


Download SPAN+AVISPA from http://www.irisa.fr/celtique/genet/span/.

Figure 1: The full SPAN main graphical interface.

Protocol: NeedhamSchroederSymmetricKey;
Identifiers
A, B, S : user;
Na, Nb : number;
Kas, Kbs, Kab : symmetric_key;
Dec : function;
messages

1. A -> S : A, B, Na
2. S -> A : {Na, B, Kab, {Kab, A}Kbs}Kas
3. A -> B : {Kab,A}Kbs
4. B -> A : {Nb}Kab
5. A -> B : {Dec(Nb)}Kab

knowledge
A : A,B,S,Kas,Dec;
B : A,B,S,Kbs,Dec;
S : A,B,S,Kas,Kbs,Dec;

session_instances

[A:alice,B:bob,S:server,Kas:key1,Kbs:key2,Dec:dec];

goal
secrecy_of Kab [];

Using the CAS+ syntax:


CAS+ is a simple protocol specification syntax very close to the usual Alice & Bob notation.
SPAN provides one more tool, which translates CAS+ specifications to HLPSL. Once you have
loaded the simpleProtocol.cas file, you are asked whether you want to generate HLPSL. Say yes.
If there are mistakes in your CAS+ file, they are displayed in the editing window. Otherwise the
CAS+ file loads and the HLPSL is generated. You can consult the generated HLPSL code by
clicking the “View HLPSL” button. As usual, you can also simulate the protocol using
“Protocol simulation”. Beware: the CAS+ language allows you to state some verification goals,
but the translator does not translate them correctly. So do not define the verification goals in
the CAS+ file. Once you are happy with your CAS+ specification in the protocol simulation,
save the generated HLPSL file and add all the needed verification goals to the HLPSL file by
hand.
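
The CAS+ specification above and SPAN's protocol simulation, as an added Python example (not SPAN or AVISPA code): the roles exchange the five messages symbolically and the resulting message sequence chart is returned as a list, then an active intruder replays a recorded message 3 from an earlier session whose session key has since leaked. That replay is the well-known attack on the symmetric-key Needham-Schroeder protocol published by Denning and Sacco in 1981; this page's SPAN run does not report it, but it is exactly the kind of trace the active intruder lets you build step by step, and it is the known attack on Needham-Schroeder that Practical 4 below asks you to look for. Terms are plain Python tuples, not real cryptography; the names, keys and nonces (alice, bob, key1, key2, kab1, ...) are the session_instances of the spec plus constructed nonce values.

```python
# Added example: SPAN-style simulation of the CAS+ NSSK spec above.
# Not SPAN/AVISPA code; symbolic terms only, no real cryptography.

def senc(m, k):
    """Symmetric encryption {m}k as an opaque symbolic term."""
    return ("senc", m, k)

def sdec(c, k):
    """Decrypt only with the right key; with any other key the term stays opaque."""
    if isinstance(c, tuple) and len(c) == 3 and c[0] == "senc" and c[2] == k:
        return c[1]
    raise ValueError("cannot decrypt with this key")

def dec(n):
    """CAS+ declares Dec as an abstract function, so it stays symbolic here."""
    return ("Dec", n)

def bob_role(kbs, nb):
    """B as step functions, so both the honest run and an intruder can drive it."""
    state = {}
    def step3(ticket):
        state["kab"], state["peer"] = sdec(ticket, kbs)     # B learns Kab and A
        return senc(nb, state["kab"])                        # message 4: {Nb}Kab
    def step5(m5):
        return sdec(m5, state["kab"]) == dec(nb)             # B's final check
    return step3, step5, state

def run_session(alice, bob, kas, kbs, kab, na, nb):
    """Honest run of the five CAS+ messages.

    Returns the message sequence chart as (sender, receiver, term) rows,
    the same chart SPAN builds as you click through the protocol steps."""
    msc = []
    # 1. A -> S : A, B, Na
    m1 = (alice, bob, na)
    msc.append(("A", "S", m1))
    # 2. S -> A : {Na, B, Kab, {Kab, A}Kbs}Kas   (S looks up Kas and Kbs by name)
    a, b, na_s = m1
    ticket = senc((kab, a), kbs)
    m2 = senc((na_s, b, kab, ticket), kas)
    msc.append(("S", "A", m2))
    # A checks its own nonce and B's name before trusting Kab
    na_recv, b_recv, kab_a, ticket_a = sdec(m2, kas)
    if na_recv != na or b_recv != bob:
        raise ValueError("A rejects message 2")
    # 3. A -> B : {Kab, A}Kbs
    msc.append(("A", "B", ticket_a))
    step3, step5, _ = bob_role(kbs, nb)
    # 4. B -> A : {Nb}Kab
    m4 = step3(ticket_a)
    msc.append(("B", "A", m4))
    # 5. A -> B : {Dec(Nb)}Kab
    m5 = senc(dec(sdec(m4, kab_a)), kab_a)
    msc.append(("A", "B", m5))
    if not step5(m5):
        raise ValueError("B rejects message 5")
    return msc

def replay_attack(kbs, old_ticket, old_kab, nb_fresh):
    """Active intruder: replays message 3 of an earlier session whose Kab
    has since leaked (constructed scenario). Nothing in the ticket lets B
    see that it is stale, so B completes the run with a key the intruder holds."""
    step3, step5, state = bob_role(kbs, nb_fresh)
    m4 = step3(old_ticket)             # B believes A is starting a new session
    nb = sdec(m4, old_kab)             # intruder decrypts with the leaked key
    accepted = step5(senc(dec(nb), old_kab))
    return accepted and state["kab"] == old_kab

if __name__ == "__main__":
    msc = run_session("alice", "bob", "key1", "key2", "kab1", "na1", "nb1")
    for sender, receiver, term in msc:
        print(f"{sender} -> {receiver} : {term}")
    print("replayed ticket accepted by B:",
          replay_attack("key2", msc[2][2], "kab1", "nb2"))
```

The point to take from the replay: the goal `secrecy_of Kab` in the CAS+ file only asks whether a freshly generated Kab leaks, and in the honest run it does not. What the replay breaks is B's belief that the key it accepted is fresh, which is an authentication goal, so it has to be stated separately in the HLPSL file once the translator has produced it.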

Practical 4
Scyther
INTRODUCTION:
Scyther is a tool for the automatic verification of security protocols. Scyther can verify
protocols with an unbounded number of sessions and nonces. Scyther can also characterize
protocols, yielding a finite representation of all possible protocol behaviours.
OBJECTIVE:
The objective of this practical is to analyse the security of the Needham-Schroeder protocol and
find out the possible known attacks on it.

IMPLEMENTATION:
Installation and usage of the Scyther tool
Requirements
To be able to use Scyther, you need the following three things:
1. The GraphViz library.
This library is used by the Scyther tool to draw graphs. It can be freely downloaded from:
http://www.graphviz.org/ Download the latest stable release and install it.
The graphical user interface of Scyther is written in the Python language. Therefore, the GUI
requires the following two items:
2. Python
Stable releases of the Python interpreter are available from: http://www.python.org/download
Scyther does not support Python 3. You are therefore recommended to choose the latest
production release of Python 2, e.g., Python 2.7.
Mac OS X: if the GraphViz package yields an error when you try to install it, please use the
following command in the directory where you downloaded it:
$ sudo installer -pkg graphviz-2.34.0.pkg -target /
3. wxPython libraries.
The GUI uses the wxPython libraries (http://www.wxpython.org/download.php). There are
many different wxPython packages. You should choose a 32-bit package that matches your
Python version (e.g., 2.7). It is recommended to select the unicode version from the stable
releases.
wxPython packages for Python 2.7:
Windows: http://downloads.sourceforge.net/wxpython/wxPython2.8-win32-unicode-2.8.12.1-py27.exe
Mac OS X: http://downloads.sourceforge.net/wxpython/wxPython2.8-osx-unicode-2.8.12.1-universal-py2.7.dmg
Note that this package is in an old format and you will probably get a warning "Package
is damaged". This can be resolved by:

$ sudo installer -pkg /Volume/.../wxPython2.8-osx-unicode-universal-py2.7.pkg/ -target /
Ubuntu/Debian Linux: http://wiki.wxpython.org/InstallingOnUbuntuOrDebian

Running Scyther
Start Scyther by executing the file scyther-gui.py in the directory where you found this file.

Fig 4.1 Welcome screen of Scyther tool

Analysis of Needham Schroeder protocol

Fig 4.2 SPDL representation of the N.S. protocol

Result and Analysis:
After analysing the Needham-Schroeder protocol in the Scyther tool, we have found the
following four attack patterns in this protocol.

Fig 4.3 Output screen of Scyther

Practical 5
Proverif
INTRODUCTION:
ProVerif is an automatic cryptographic protocol verifier in the formal model (the so-called Dolev-
Yao model). The verifier is based on a representation of the protocol by Horn clauses.
Its main features are:

• It can handle many different cryptographic primitives, including shared- and public-
key cryptography (encryption and signatures), hash functions, and Diffie-Hellman
key agreements, specified either as rewrite rules or as equations.
• It can handle an unbounded number of sessions of the protocol (even in parallel) and
an unbounded message space. This result has been obtained thanks to some well-
chosen approximations. This means that the verifier can report false attacks, but if it
claims that the protocol satisfies some property, then the property is actually satisfied.
The resolution algorithm used terminates on a large class of protocols (the so-
called "tagged" protocols). When the tool cannot prove a property, it tries to
reconstruct an attack, that is, an execution trace of the protocol that falsifies the
desired property.

ProVerif can prove the following properties:

• secrecy (the adversary cannot obtain the secret)


• authentication and more generally correspondence properties
• strong secrecy (the adversary does not see the difference when the value of the secret
changes)

• Equivalence between processes that differ only by terms
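
The Horn-clause view of secrecy described above, as an added Python example (not ProVerif code, and not its resolution algorithm): the attacker's analysis clauses are forward-chained to a fixpoint over the wire messages of one honest session of the Needham-Schroeder symmetric-key protocol from Practical 3, and the constructor clauses are applied backwards, on demand, to answer the query attacker(Kab). It works on ground terms of a single session only, so it has neither ProVerif's unbounded-session abstraction nor the false attacks that abstraction can produce; the names and keys (alice, key1, key2, ...) are the session_instances of the CAS+ spec, the nonces are constructed, and the leaked-key case is a constructed scenario.

```python
# Added example: attacker deduction in the Horn-clause style ProVerif uses,
# restricted to the ground terms of one honest NSSK session. Not ProVerif.

def senc(m, k):
    """Symmetric encryption {m}k as an opaque term ("senc", m, k)."""
    return ("senc", m, k)

def is_senc(t):
    return isinstance(t, tuple) and len(t) == 3 and t[0] == "senc"

def honest_trace(alice, bob, kas, kbs, kab, na, nb):
    """The five messages of the CAS+ spec, exactly as an eavesdropper sees them."""
    ticket = senc((kab, alice), kbs)                  # {Kab, A}Kbs
    return [
        (alice, bob, na),                             # 1. A -> S
        senc((na, bob, kab, ticket), kas),            # 2. S -> A
        ticket,                                       # 3. A -> B
        senc(nb, kab),                                # 4. B -> A
        senc(("Dec", nb), kab),                       # 5. A -> B
    ]

def saturate(initial):
    """Forward-chain the attacker's analysis clauses to a fixpoint:
         attacker((x, y))                  -> attacker(x), attacker(y)
         attacker(senc(m, k)), attacker(k) -> attacker(m)
    Every derived fact is a subterm of a known one, so this terminates."""
    known = set(initial)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if is_senc(t):
                derived = [t[1]] if t[2] in known else []   # decrypt only with the key
            elif isinstance(t, tuple):
                derived = list(t)                           # split a pair/tuple
            else:
                derived = []
            for d in derived:
                if d not in known:
                    known.add(d)
                    changed = True
    return known

def derivable(t, known):
    """Constructor clauses applied backwards as a query on the saturated set:
         attacker(x), attacker(y) -> attacker((x, y))
         attacker(m), attacker(k) -> attacker(senc(m, k))"""
    if t in known:
        return True
    if is_senc(t):
        return derivable(t[1], known) and derivable(t[2], known)
    if isinstance(t, tuple):
        return all(derivable(x, known) for x in t)
    return False                                            # an atomic name the attacker lacks

def secrecy_holds(secret, trace, attacker_initial):
    """ProVerif's 'query attacker(secret)': True means the query is not derivable."""
    return not derivable(secret, saturate(set(attacker_initial) | set(trace)))

if __name__ == "__main__":
    public = ["alice", "bob", "server"]                      # agent names are public
    trace = honest_trace("alice", "bob", "key1", "key2", "kab1", "na1", "nb1")
    print("secrecy of Kab, honest run:      ", secrecy_holds("kab1", trace, public))
    print("secrecy of Kab, Kbs compromised: ", secrecy_holds("kab1", trace, public + ["key2"]))
```

Reading the two results together is the practitioner's check on what a "verified" secrecy result means: it is relative to the attacker's initial knowledge. With only the agent names the attacker never obtains a key that opens message 2 or 3, so attacker(Kab) is not derivable and secrecy holds; hand the attacker Kbs and the ticket opens, Kab falls out, and messages 4 and 5 open in turn.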

OBJECTIVE:

The objective of this practical is to describe the working of the ProVerif tool and to analyse the
Needham-Schroeder protocol with it.

IMPLEMENTATION:

To install ProVerif, you need to download:

• Either:
  o the source package ProVerif version 2.00 source (gzipped tar file), under the GNU
    General Public License,
  o or the binary package ProVerif version 2.00 for Windows, under the BSD license
    (64-bit executable; works on 64-bit Windows),
• and the documentation package ProVerif version 2.00, documentation.

Or:

• For Opam users, ProVerif can also be installed via Opam.

Analysis of Needham Schroeder protocol

RESULT AND ANALYSIS:

After analysing the Needham-Schroeder protocol in ProVerif, we have successfully verified
this protocol and found the following information about it.

Fig. 5.1 Diagram of Needham Schroeder protocol
