Formal Models and Techniques for Analyzing Security Protocols: A Tutorial

Véronique Cortier, Steve Kremer
2014 Foundations and Trends® in Programming Languages  
Security protocols are distributed programs that aim at securing communications by means of cryptography. They are, for instance, used to secure electronic payments, home banking and, more recently, electronic elections. Given the financial and societal impact in case of failure, and the long history of design flaws in such protocols, formal verification is a necessity. A major difference from other safety-critical systems is that the properties of security protocols must hold in the presence ... an arbitrary adversary. The aim of this paper is to provide a tutorial to some modern approaches for formally modeling protocols, their goals and automatically verifying them.

• We first present an informal description of our running example, the Needham Schroeder public key protocol, which we use for illustration purposes in the remainder of the paper.
• Then, we explain how protocol messages can be modeled as first order terms, and how adversary capabilities can be modeled by an inference system. We also provide a decision algorithm for deduction, i.e. the adversary's capability to construct new messages.

Running example

We first introduce our running example, the Needham Schroeder public key protocol [Needham and Schroeder, 1978]. We will also describe the famous man-in-the-middle attack, discovered by Lowe [1996] 17 years after the publication of the original paper.

This property was first noticed by Abadi and Cortier [2004], and the existence of a context $C$ such that $t =_E C[t_1, \ldots, t_n]$ was later called the cap unification problem [Anantharaman et al., 2007].
doi:10.1561/2500000001 fatcat:wzzskipj3zeczkge42wiimt7ja