## Inductive Analysis of the Internet Protocol TLS (1997)

Venue: ACM Transactions on Information and System Security

Citations: 110 (16 self-citations)

### BibTeX

@ARTICLE{Paulson97inductiveanalysis,
  author  = {Lawrence C. Paulson},
  title   = {Inductive Analysis of the Internet Protocol TLS},
  journal = {ACM Transactions on Information and System Security},
  year    = {1997},
  volume  = {2},
  pages   = {332--351}
}

### Abstract

Internet browsers use security protocols to protect confidential messages. An inductive analysis of TLS (a descendant of SSL 3.0) has been performed using the theorem prover Isabelle. Proofs are based on higher-order logic and make no assumptions concerning beliefs or finiteness. All the obvious security goals can be proved; session resumption appears to be secure even if old session keys have been compromised. The analysis suggests modest changes to simplify the protocol. TLS, even at an abstract level, is much more complicated than most protocols that researchers have verified. Session keys are negotiated rather than distributed, and the protocol has many optional parts. Nevertheless, the resources needed to verify TLS are modest. The inductive approach scales up.

Contents (as extracted, truncated): 1 Introduction; 2 Overview of TLS; 3 Proving Protocols Using Isabelle; 4 Formalizing the Protocol in Isabelle; 5 Properties Proved of TLS; 5.1 Basic Lemmas ...

### Citations

Each entry gives the CiteSeerX citation count, the cited work, and, where available, the context in which this paper cites it (bracketed numbers are the paper's own reference numbers).

- 420: Paulson (1994). Isabelle: A generic theorem prover.
  Context: "...the concrete protocol, but it is still more complex than the protocols typically verified. We have not reached the limit of what can be analyzed formally. The proofs were conducted using Isabelle/HOL [4], an interactive theorem prover for higher-order logic. They follow the inductive method [7], which has a clear semantics and treats infinite-state systems. Model checking is not used, so there are no ..."

- 406: Paulson (1998). The inductive approach to verifying cryptographic protocols. Journal of Computer Security.

- 369: Dierks, Allen (1999). The TLS Protocol Version 1.0.
  Context: "...t a flaw of previous versions, where an attacker could induce the parties into choosing an unnecessarily weak cryptosystem. The latest version of the protocol is called TLS (Transport Layer Security) [1]; it closely resembles SSL 3.0. Is TLS really secure? My proofs suggest that it is, but one should draw no conclusions without reading the rest of this report, which describes how the protocol was mod..."

- 357: Abadi, Needham (1996). Prudent engineering practice for cryptographic protocols.

- 150: Paulson (1997). Proving properties of security protocols by induction.
  Context: "...e have not reached the limit of what can be analyzed formally. The proofs were conducted using Isabelle/HOL [4], an interactive theorem prover for higher-order logic. They follow the inductive method [7], which has a clear semantics and treats infinite-state systems. Model checking is not used, so there are no restrictions on the agent population, numbers of concurrent runs, etc. The paper gives an ov..."

- 120: Freier, Karlton, et al. (1996). The SSL protocol (version 3.0).
  Context: "...hed message and compared it with her own, she is assured that both sides agree on all critical parameters, including M, Pa and Pb. Now she may begin sending confidential data. The SSL specification [2] erroneously states that she can send data immediately after sending her own finished message, before confirming these parameters. For session resumption, the hello messages are the same. After checki..."

- 73: Bella, Paulson (1998). Kerberos version IV: Inductive analysis of the secrecy goals. ESORICS '98.

- 55: Gollmann (1996). What do we mean by entity authentication.

- 52: Dierks, Allen (1999). The TLS Protocol, Version 1.0. Request for Comments 2246.

- 34: Ryan, Schneider (1998). An Attack on a Recursive Authentication Protocol: A Cautionary Tale.

- 29: Paulson (1997). Mechanized Proofs of Security Protocols: Needham-Schroeder with Public Keys.
  Context: "...ic keys from a triple of nonces. Modelling the underlying pseudo-random-number generator causes some complications compared with the treatment of simple public-key protocols such as Needham-Schroeder [5]. The common properties of clientK and serverK are captured in the constant sessionK, which is merely assumed to be injective and to generate session keys. consts sessionK :: "(nat*nat*nat)*nat => key..."

- 11: Mitchell, Shmatikov, et al. (1997). Finite-State analysis of SSL 3.0 and related protocols.
  Context: "...ch considers the latter and shows them to be secure against a passive eavesdropper. Although NCP is a formal logic, Dietrich appears to have generated his lengthy derivations by hand. Mitchell et al. [3] apply model checking to a number of simple protocols derived from SSL 3.0. Most of the protocols are badly flawed (no nonces, for example) and the model checker finds many attacks. The final protocol..."

- 6: Paulson (1997). On Two Formal Analyses of the Yahalom Protocol.
  Context: "...s turned up. This outcome might be expected in a protocol already so thoroughly examined. No unusual lines of reasoning were required to establish the results, unlike the case of the Yahalom protocol [6]. The proofs did yield some insights into TLS, such as the possibility of strengthening client key exchange by including A's identity (§5). In several places, the protocol requires computing the hash ..."

- 3: Dietrich (1997). A Formal Analysis of the Secure Sockets Layer Protocol.

- 2: Wagner, Schneier (1996). Analysis of the SSL 3.0 protocol. On the internet at http://www.cs.berkeley.edu/daw/ssl3.0.ps
  Context: "...t B, Nonce PMS|} ∈ set evs |] ==> ∀A. Says A Spy (Key(clientK(Na,Nb,PRF(PMS,NA,NB)))) ∉ set evs. Under similar assumptions, the rightful owner of a serverK is B. 6 Related Work. Wagner and Schneier [8] analyze SSL 3.0 in detail. Much of their discussion concerns cryptanalytic attacks. Attempting repeated session resumptions causes the hashing of large amounts of known plaintext with the master secre..."
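The citation contexts above make three points that are easier to see in running code than in prose: session keys are derived by one abstract, injective function sessionK from (NA, NB, M) with M = PRF(PMS, NA, NB) (the Needham-Schroeder context); the Finished message is what assures the client that both sides agree on M, Pa and Pb, so the SSL 3.0 wording that lets her send data right after her own Finished is wrong (the SSL 3.0 context); and agreeing on clientK is not the same as agreeing on the parameters (the lemma quoted in the Wagner-Schneier context). The model below is an added example, not code from Paulson's paper or from any TLS implementation, and not the real TLS wire format. All names (PRF, sessionK, finished, run_handshake) are this example's own; HMAC-SHA256 stands in, by assumption, for the paper's abstract functions; the Spy is assumed to be able to rewrite the cleartext hello messages but not to open the encrypted pre-master secret.

```python
"""Abstract model of a TLS-style handshake, after the cited paper's
formalisation.  Added example: not code from Paulson's paper or from any
TLS implementation, and not the real TLS wire format.

What it exercises:
  * M = PRF(PMS, NA, NB) and clientK/serverK = sessionK((NA, NB, M), role),
    with HMAC-SHA256 standing in (by assumption) for the paper's abstract,
    injective functions;
  * the Finished message as a hash over M and the sender's view of the
    critical parameters (identities, nonces, cipher parameters Pa, Pb);
  * a client that only sends data after verifying B's Finished, versus one
    that sends as soon as its own Finished is out (the SSL 3.0 wording the
    paper calls erroneous), against a Spy that rewrites the cleartext hellos.
"""
import hashlib
import hmac
import os
from typing import Optional


def PRF(pms: bytes, na: bytes, nb: bytes) -> bytes:
    """Master secret M = PRF(PMS, NA, NB)."""
    return hmac.new(pms, b"master secret" + na + nb, hashlib.sha256).digest()


def sessionK(na: bytes, nb: bytes, m: bytes, role: bytes) -> bytes:
    """sessionK is one function for both roles; clientK and serverK differ
    only in the role tag, so the pair (triple, role) maps injectively."""
    return hmac.new(m, b"session key" + role + na + nb, hashlib.sha256).digest()


def finished(m: bytes, role: bytes, view: tuple) -> bytes:
    """Finished: a keyed hash over M and this agent's view of the negotiated
    parameters.  Only a peer with the same M *and* the same view matches."""
    return hmac.new(m, b"finished" + role + b"|".join(view), hashlib.sha256).digest()


def run_handshake(*, early_send: bool, downgrade_attack: bool,
                  pms: Optional[bytes] = None) -> dict:
    """Run client A and server B through the abstract handshake.

    `evs` is the event trace, in the style of the inductive model's
    'Says A B X' events.  The Spy sits on the wire; it cannot open
    Crypt(pubK B, PMS) but can rewrite the cleartext hello messages.
    """
    pms = os.urandom(32) if pms is None else pms
    na, nb = os.urandom(32), os.urandom(32)
    evs = []

    # 1. Client hello: A proposes cipher parameter Pa.
    pa_sent = b"strong"
    evs.append(("Says", "A", "B", ("client hello", na, pa_sent)))
    pa_recv = b"weak" if downgrade_attack else pa_sent      # Spy rewrites Pa

    # 2. Server hello: B echoes the parameter it accepted, Pb.
    pb_sent = pa_recv
    evs.append(("Says", "B", "A", ("server hello", nb, pb_sent)))
    pb_recv = pa_sent if downgrade_attack else pb_sent      # Spy rewrites Pb

    # 3. Client key exchange: PMS reaches B intact under B's public key.
    evs.append(("Says", "A", "B", ("client key exchange", "Crypt(pubK B, PMS)")))

    # Both sides derive the same M and session keys from (PMS, NA, NB) ...
    m = PRF(pms, na, nb)
    client_k_at_A = sessionK(na, nb, m, b"client")
    client_k_at_B = sessionK(na, nb, m, b"client")
    # ... but they may hold different views of the negotiated parameters.
    view_A = (b"A", b"B", na, nb, pa_sent, pb_recv)
    view_B = (b"A", b"B", na, nb, pa_recv, pb_sent)

    # 4. Finished messages.
    fin_A = finished(m, b"client", view_A)
    fin_B = finished(m, b"server", view_B)
    evs.append(("Says", "A", "B", ("finished", fin_A)))
    data_sent_before_verify = False
    if early_send:
        # SSL 3.0 wording: A may send as soon as its own Finished is out.
        evs.append(("Says", "A", "B", ("data", "Crypt(clientK, confidential)")))
        data_sent_before_verify = True
    evs.append(("Says", "B", "A", ("finished", fin_B)))

    # 5. A checks B's Finished against the value B would have produced had
    #    B's view matched A's own.  A mismatch means the parameters disagree
    #    even though the keys agree.
    finished_ok = hmac.compare_digest(fin_B, finished(m, b"server", view_A))
    if finished_ok and not early_send:
        evs.append(("Says", "A", "B", ("data", "Crypt(clientK, confidential)")))

    return {
        "keys_agree": client_k_at_A == client_k_at_B,
        "views_agree": view_A == view_B,
        "finished_ok": finished_ok,
        "data_sent": any(e[3][0] == "data" for e in evs),
        "data_sent_before_verify": data_sent_before_verify,
        "trace": evs,
    }


if __name__ == "__main__":
    for early, attack in [(False, False), (False, True), (True, True)]:
        r = run_handshake(early_send=early, downgrade_attack=attack)
        print(f"early_send={early} downgrade={attack}: keys_agree={r['keys_agree']} "
              f"finished_ok={r['finished_ok']} data_sent={r['data_sent']} "
              f"before_verify={r['data_sent_before_verify']}")
```

In the downgraded run both sides hold the same clientK, because the Spy never touched PMS, NA or NB, yet their views of Pa and Pb differ; the client that waits for B's Finished detects this and sends nothing, while the client following the SSL 3.0 wording has already put confidential data on the wire under a parameter set the server never agreed to. That is the distinction the paper draws between agreement on the key and agreement on the critical parameters.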