Course description

Lecture notes








CS 395T - Design and Analysis of Security Protocols (54302)

Fall 2004

Protocol analysis tools


Murphi is a description language and verifier for finite-state machines, developed at Stanford.

Local installation of Murphi: /projects/shmat/Murphi3.1
Some examples of security protocols: /projects/shmat/Murphi3.1/ex/secur
Main Murphi page: http://verify.stanford.edu/dill/murphi.html
Additional examples (by Uli Stern): http://sprout.stanford.edu/uli/research.html
Some tips on using Murphi are here.

SRI Constraint Solver

The Constraint Solver is a symbolic analysis tool for security protocols, developed at SRI. It can handle unbounded message spaces created by the attacker.

Homepage: http://www.csl.sri.com/users/millen/capsl/constraints.html
Optimized version and online demo: http://wwwhome.cs.utwente.nl/~corin/verif/


PRISM is an experimental probabilistic model checker being developed at the University of Birmingham.

Main PRISM page: http://www.cs.bham.ac.uk/~dxp/prism/index.html
Case studies: http://www.cs.bham.ac.uk/~dxp/prism/casestudies/index.html


MOCHA is a verification system for alternating temporal logic, and can be used for analyzing game-theoretic models of security protocols. It has been developed at UC Berkeley, University of Pennsylvania, and SUNY Stony Brook.

MOCHA homepage: http://www-cad.eecs.berkeley.edu/~mocha/


ProVerif is a protocol verifier developed by Bruno Blanchet. It can handle an unbounded number of sessions and unbounded message spaces.

ProVerif page: http://www.di.ens.fr/~blanchet/crypto-eng.html (downloadables at the bottom)


Isabelle is a generic theorem proving environment. It has been used by Larry Paulson and others to prove security protocols correct using the inductive method.

Isabelle homepage: http://www.cl.cam.ac.uk/Research/HVG/Isabelle/
Case studies of security protocols: http://www.cl.cam.ac.uk/users/lcp/papers/protocols.html

Process algebras for protocol analysis

Protocol composition logic