Department of Computer Science and Technology

Technical reports

Inductive analysis of the internet protocol TLS

Lawrence C. Paulson

December 1997, 19 pages


Internet browsers use security protocols to protect confidential messages. An inductive analysis of TLS (a descendant of SSL 3.0) has been performed using the theorem prover Isabelle. Proofs are based on higher-order logic and make no assumptions concerning beliefs or finiteness. All the obvious security goals can be proved; session resumption appears to be secure even if old session keys have been compromised. The analysis suggests modest changes to simplify the protocol.

TLS, even at an abstract level, is much more complicated than most protocols that researchers have verified. Session keys are negotiated rather than distributed, and the protocol has many optional parts. Nevertheless, the resources needed to verify TLS are modest. The inductive approach scales up.

Full text

PDF (0.2 MB)
PS (0.1 MB)

BibTeX record

  author =	 {Paulson, Lawrence C.},
  title = 	 {{Inductive analysis of the internet protocol TLS}},
  year = 	 1997,
  month = 	 dec,
  url = 	 {},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-440}