Theory and tool support for the formal verification of cryptographic protocols

Cryptographic protocols are an essential component of network communications. Despite their relatively small size compared to other distributed algorithms, they are known to be error-prone. This is due to the obligation to behave robustly in the context of unknown hostile attackers who might want to act against the security objectives of the jointly interacting entities. The need for techniques to verify the correctness of cryptographic protocols has stimulated the development of new frameworks and tools during the last decades. Among the various models is the spi calculus: a process calculus which is an extension of the pi calculus that incorporates cryptographic primitives. Process calculi such as the spi calculus offer the possibility to describe in a precise and concise way distributed algorithms such as cryptographic protocols. Moreover, spi calculus offers an elegant way to formalise some security properties of cryptographic protocols via behavioural equivalences. At the time this thesis began, this approach lacked tool support. Inspired by the situation in the pi calculus, we propose a new notion of behavioural equivalence for the spi calculus that is close to an algorithm. Besides, we propose a "coq" formalisation of our results that not only validates our theoretical developments but also will eventually be the basis of a certified tool that would automate equivalence checking of spi calculus terms. To complete the toolchain, we propose a formal semantics for an informal notation to describe cryptographic protocols, so called protocol narrations. We give a rigorous procedure to translate protocol narrations into spi calculus terms; this constitutes the foundations of our automatic translation tool "spyer".