Transport Level Security: a proof using the Gong-Needham-Yahalom Logic

This paper provides a proof of the proposed Internet standard Transport Level Security protocol using the Gong{Needham{Yahalom logic. It is intended as a teaching aid and hopes to show to students: the potency of a formal method for protocol design; some of the subtleties of authenticating parties on a network where all messages can be intercepted; the design of what should be a widely accepted standard. 1 Transport Level Security Protocol This section provides an insight into the workings of the next generation of authentication protocol: the Transport Level Security Protocol version 1.0[DA97], the successor to the Secure Sockets Layer[FKK95]. To do this, the Gong{ Needham{Yahalom, GNY, logic [GNY90] is introduced which is a formal method for proving the safety of a cryptographically-based protocol. It is described at length in appendix A. When working through protocols the relevant rule of inference will be stated and will refer to those in the appendix. The Transport Level Security handshake protocol [DA97], TLS, has an unknown heritage, but it has a great deal of similarity to that described in [DS81]. It is predicated on the existence of readily available public keys: TLS’s predecessor made use of X.509 certi cates, see [CCI88], issued by a Certi cation Authority, CA, an example of which is Thawte[THA99]. A discussion of the limitations of certi cate technology can be found in R oscheisen’s on{line paper [Ros95]. TLS has three sub{protocols: Server anonymous Server named, client anonymous Server named, client named These di er by who is required to send their X.509 certi cates, the key exchange protocol is di erent only when the client is named and thus has a public{key that can be used. The messages are shown in gure 1 sent during a run of the protocol are more or less the same for all sub{protocols. As can be seen, no key issuing server is needed.