Results 1 
2 of
2
Inductive Analysis of the Internet Protocol TLS
 ACM Transactions on Information and System Security
, 1997
"... Internet browsers use security protocols to protect confidential messages. An inductive analysis of TLS (a descendant of SSL 3.0) has been performed using the theorem prover Isabelle. Proofs are based on higherorder logic and make no assumptions concerning beliefs or finiteness. All the obvious sec ..."
Abstract

Cited by 127 (16 self)
 Add to MetaCart
(Show Context)
Internet browsers use security protocols to protect confidential messages. An inductive analysis of TLS (a descendant of SSL 3.0) has been performed using the theorem prover Isabelle. Proofs are based on higherorder logic and make no assumptions concerning beliefs or finiteness. All the obvious security goals can be proved; session resumption appears to be secure even if old session keys have been compromised. The analysis suggests modest changes to simplify the protocol. TLS, even at an abstract level, is much more complicated than most protocols that researchers have verified. Session keys are negotiated rather than distributed, and the protocol has many optional parts. Nevertheless, the resources needed to verify TLS are modest. The inductive approach scales up. CONTENTS i Contents 1 Introduction 1 2 Overview of TLS 1 3 Proving Protocols Using Isabelle 5 4 Formalizing the Protocol in Isabelle 6 5 Properties Proved of TLS 12 5.1 Basic Lemmas . . . . . . . . . . . . . . . . . . . ...
Proving Safety of Authentication Protocols: A Minimal Approach
, 1999
"... Most work on proving or model checking the safety of authentication protocols is based on trace histories. We suggest that a simpler approach based on sets of messages sent is adequate and prove the correctness of the NeedhamSchroeder and Secure Socket Layer protocols as an example. A simpler appro ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Most work on proving or model checking the safety of authentication protocols is based on trace histories. We suggest that a simpler approach based on sets of messages sent is adequate and prove the correctness of the NeedhamSchroeder and Secure Socket Layer protocols as an example. A simpler approach reduces the problem of making hidden or unwarranted assumptions as well as simplifying the proofs.