Internet browsers use security protocols to protect confidential messages. An inductive analysis of TLS (a descendant of SSL 3.0) has been performed using the theorem prover Isabelle. Proofs are based on higher-order logic and make no assumptions concerning beliefs or finiteness. All the obvious security goals can be proved; session resumption appears to be secure even if old session keys have been compromised. The analysis suggests modest changes to simplify the protocol. TLS, even at an abstract level, is much more complicated than most protocols that researchers have verified. Session keys are negotiated rather than distributed, and the protocol has many optional parts. Nevertheless, the resources needed to verify TLS are modest. The inductive approach scales up. CONTENTS i Contents 1 Introduction 1 2 Overview of TLS 1 3 Proving Protocols Using Isabelle 5 4 Formalizing the Protocol in Isabelle 6 5 Properties Proved of TLS 12 5.1 Basic Lemmas . . . . . . . . . . . . . . . . . . . ...

Most work on proving or model checking the safety of authentication protocols is based on trace histories. We suggest that a simpler approach based on sets of messages sent is adequate and prove the correctness of the Needham-Schroeder and Secure Socket Layer protocols as an example. A simpler approach reduces the problem of making hidden or unwarranted assumptions as well as simplifying the proofs.