Strands Rocq: Why is a Security Protocol Correct, Mechanically?

TL;DR

StrandsRocq is a mechanized, Coq-based framework for formal verification of security protocols, enhancing proof reliability, reusability, and compositionality compared to traditional pen-and-paper methods.

Contribution

It introduces a faithful, modular Coq mechanization of strand spaces with new proof techniques and a novel maximal penetrator concept for protocol analysis.

Findings

Validated multiple authentication protocols with high proof reuse.

Improved static analysis precision for key management.

Provided compositional security proofs using the maximal penetrator.

Abstract

Strand spaces are a formal framework for symbolic protocol verification that allows for pen-and-paper proofs of security. While extremely insightful, pen-and-paper proofs are error-prone, and it is hard to gain confidence on their correctness. To overcome this problem, we developed StrandsRocq, a full mechanization of the strand spaces in Coq (soon to be renamed Rocq). The mechanization was designed to be faithful to the original pen-and-paper development, and it was engineered to be modular and extensible. StrandsRocq incorporates new original proof techniques, a novel notion of maximal penetrator that enables protocol compositionality, and a set of Coq tactics tailored to the domain, facilitating proof automation and reuse, and simplifying the work of protocol analysts. To demonstrate the versatility of our approach, we modelled and analyzed a family of authentication protocols, drawing inspiration from ISO/IEC 9798-2 two-pass authentication, the classical Needham-Schroeder-Lowe protocol, as well as a recently-proposed static analysis for a key management API. The analyses in StrandsRocq confirmed the high degree of proof reuse, and enabled us to distill the minimal requirements for protocol security. Through mechanization, we identified and addressed several issues in the original proofs and we were able to significantly improve the precision of the static analysis for the key management API. Moreover, we were able to leverage the novel notion of maximal penetrator to provide a compositional proof of security for two simple authentication protocols.