Unifying Formally Verified and Cryptographically Sound Proofs of Security Protocols

We investigate how formal methods can be used for the verification of cryptographic protocols such that the verified properties are valid for the concrete implementation of the protocol using actual cryptography. We give an abstract deterministic specification for secure message transmission with ordered channels along with a possible implementation that we prove to be secure in the sense of simulatability, which is the cryptographic notion of a secure refinement. The correctness of this proof relies on a composition theorem and a deterministic bisimulation, which we formally verify using the theorem prover PVS. We further use PVS to formally verify that message reordering is in fact prevented in the specification. We finally show that integrity properties are preserved under simulatability, which allows for carrying over the proven property to the concrete implementation. This yields the first example ever of a formally verified but nevertheless cryptographically sound proof of a security protocol.

By: Michael Backes, Christian Jacobi, Birgit Pfitzmann

Published in: RZ3514 in 2003


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to reports@us.ibm.com .