Security protocols aims at securing communications over untrusted networks such as Internet. Their design is notoriously error-prone, with flaws discovered years later. Formal methods have been successful in reasoning about the security of protocols and detect attacks. Automatic tools have been designed and applied to many protocols, from academic ones to deployed protocols such as SSL or Kerberos. In these lectures, we explain how security protocols can be modeled in symbolic models such as Horn clauses (a fragment of first-order logic) or applied-pi calculus (a process algebra). We describe and discuss decision techniques to automatically verify properties such as authentication or confidentiality.

• How to install ProVerif is explained here. Alternatively, you may use the online demo.
• Follow the user manual.
• Your goal is to model protocols and retrieve attacks
• Needham-Schroeder protocol. You may use the following file to begin with.
• Here's a list of toy protocols. Which ones are flawed (you don't need to read French)?
  • Protocol 1
  • Protocol 2
  • Protocol 3
  • Protocol 4