Transport Layer Security 1.0 handshake protocol formal verification case study: How to use a proof script generator for existing large proof scores

Tls handshake protocol and cafeobj formal specification

This section briefly describes the TLS handshake protocol being formally verified and its formal specification in CafeOBJ. Although they are mostly borrowed from the work of Ogata & Futatsugi (2005), we present them in this section because they are necessary to comprehend the remaining parts of the present article.

TLS handshake protocol

The handshake protocol that Ogata and Futatsugi conducted formal verification (Ogata & Futatsugi, 2005) is a slightly abstract version of the original TLS handshake protocol (Allen & Dierks, 1999). Figure 1 shows message exchanges between a client and a server in the handshake protocol. Let $K_{Server}$ denote the public key of $Server$ and ${\mathcal{E}}_K$ denote the encryption function, where K is an encryption key. In Fig. 1, the first six messages are messages exchanged in a full handshake, while the remaining ones are for an abbreviated handshake.

The client initially sends to the server a ClientHello message, which consists of a random number produced by the client ( $\mathrm{R}\mathrm{a}\mathrm{n}{\mathrm{d}}_{Client}$) and a list of cipher suites supported by the client ( $\mathrm{L}\mathrm{i}\mathrm{s}\mathrm{t}\mathrm{O}\mathrm{f}\mathrm{C}\mathrm{h}\mathrm{o}\mathrm{i}\mathrm{c}\mathrm{e}\mathrm{s}$).

Upon receiving the ClientHello message, a ServerHello message is sent back to the client. The message consists of a random number generated by the server ( $\mathrm{R}\mathrm{a}\mathrm{n}{\mathrm{d}}_{Server}$), a unique session ID ( $\mathrm{S}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}\mathrm{I}\mathrm{D}$), and a cipher suite chosen from the list suggested by the client ( $\mathrm{C}\mathrm{h}\mathrm{o}\mathrm{i}\mathrm{c}\mathrm{e}$). The server then sends to the client his/her digital certificate via a Certificate message.

Upon receiving the Certificate message from the server, the client sends a KeyExchange message, whose content is a pre-master secret encrypted by the public key of the server. After that, the client sends to the server a ClientFinished message, which is a hash of handshake messages exchanged so far encrypted by the negotiated symmetric handshake key.

The server uses his/her symmetric handshake key to decrypt the ciphertext in the received ClientFinished message. If the server successfully checks the plaintext, he/she then replies to the client with a ServerFinished message.

Let H denote the hash function used in the protocol. The two kinds of composite data $\mathrm{C}\mathrm{l}\mathrm{i}\mathrm{e}\mathrm{n}\mathrm{t}\mathrm{F}\mathrm{i}\mathrm{n}\mathrm{i}\mathrm{s}\mathrm{h}$ & $\mathrm{S}\mathrm{e}\mathrm{r}\mathrm{v}\mathrm{e}\mathrm{r}\mathrm{F}\mathrm{i}\mathrm{n}\mathrm{i}\mathrm{s}\mathrm{h}$ and the two symmetric keys $\mathrm{C}\mathrm{l}\mathrm{i}\mathrm{e}\mathrm{n}\mathrm{t}\mathrm{K}\mathrm{e}\mathrm{y}$ & $\mathrm{S}\mathrm{e}\mathrm{r}\mathrm{v}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}$ are calculated as follows:

• ClientFinish: $H($“client”, $Client,Server,\mathrm{S}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}\mathrm{I}\mathrm{D},\mathrm{L}\mathrm{i}\mathrm{s}\mathrm{t}\mathrm{O}\mathrm{f}\mathrm{C}\mathrm{h}\mathrm{o}\mathrm{i}\mathrm{c}\mathrm{e}\mathrm{s},\mathrm{C}\mathrm{h}\mathrm{o}\mathrm{i}\mathrm{c}\mathrm{e}$, $\mathrm{R}\mathrm{a}\mathrm{n}{\mathrm{d}}_{Client}$, $\mathrm{R}\mathrm{a}\mathrm{n}{\mathrm{d}}_{Server}$, $\mathrm{P}\mathrm{r}\mathrm{e}\mathrm{M}\mathrm{a}\mathrm{s}\mathrm{t}\mathrm{e}\mathrm{r}\mathrm{S}\mathrm{e}\mathrm{c})$

• ServerFinish: $H($“server”, $Client,Server,\mathrm{S}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}\mathrm{I}\mathrm{D},\mathrm{L}\mathrm{i}\mathrm{s}\mathrm{t}\mathrm{O}\mathrm{f}\mathrm{C}\mathrm{h}\mathrm{o}\mathrm{i}\mathrm{c}\mathrm{e}\mathrm{s},\mathrm{C}\mathrm{h}\mathrm{o}\mathrm{i}\mathrm{c}\mathrm{e}$, $\mathrm{R}\mathrm{a}\mathrm{n}{\mathrm{d}}_{Client}$, $\mathrm{R}\mathrm{a}\mathrm{n}{\mathrm{d}}_{Server}$, $\mathrm{P}\mathrm{r}\mathrm{e}\mathrm{M}\mathrm{a}\mathrm{s}\mathrm{t}\mathrm{e}\mathrm{r}\mathrm{S}\mathrm{e}\mathrm{c})$

• ClientKey: $H(Client,\mathrm{P}\mathrm{r}\mathrm{e}\mathrm{M}\mathrm{a}\mathrm{s}\mathrm{t}\mathrm{e}\mathrm{r}\mathrm{S}\mathrm{e}\mathrm{c},\mathrm{R}\mathrm{a}\mathrm{n}{\mathrm{d}}_{Client},\mathrm{R}\mathrm{a}\mathrm{n}{\mathrm{d}}_{Server})$

• ServerKey: $H(Server,\mathrm{P}\mathrm{r}\mathrm{e}\mathrm{M}\mathrm{a}\mathrm{s}\mathrm{t}\mathrm{e}\mathrm{r}\mathrm{S}\mathrm{e}\mathrm{c},\mathrm{R}\mathrm{a}\mathrm{n}{\mathrm{d}}_{Client},\mathrm{R}\mathrm{a}\mathrm{n}{\mathrm{d}}_{Server})$

The last four messages in Fig. 1 depict the messages exchanged in an abbreviated handshake, which is used to resume a previously established session.

Revising semantic-based case splittings

This section first explains what is semantic-based case splitting, and then shows where it is used in the existing proof scores, and finally describes how we revise the proof scores. Semantic-based case splittings are used many times in the existing proof scores of the protocol. For instance, a case is split into two sub-cases (i) and (ii) by the following two equations:

• (i) eq msg \in nw(p) = true .

• (ii) eq msg \in nw(p) = false .

In other words, the case is split into two sub-cases: (i) there exists a specific message msg in the network denoted by nw(p), and (ii) there does not exist such a message msg in nw(p). Because the network nw(p) is a soup of messages, (i) is equivalent to the following equation:

• (i’) eq nw(p) = msg , nw10 .

where nw10 is an arbitrary network (possibly empty). Therefore, it is semantically correct if we use the two equations (i’) and (ii) to split the case into the two sub-cases. However, the problem is that CiMPG does not allow us to use this kind of case splitting, but instead we need to use the two equations (i) and (ii) for this purpose. Therefore, we need to revise the existing proof scores, eliminating the use of semantic-based case splittings like the above-mentioned. In the following, we describe how to do that.

Let us consider another more complicated case of using semantic-based case splitting in the existing proof scores. The proof score of the induction case shello of inv1 consists of the following two open-close fragments:

open INV .

op p : -> Protocol.           op pms : -> Pms.

op b : -> Prin .                op c : -> Choice .

op r : -> Rand .                op i : -> Sid .

op nw10 : -> Network .         op m : -> Msg .

eq nw(p) = m , nw10 .          eq i \in ui(p) = false .

eq r \in ur(p) = false .     eq ch?(m) = true .

eq dst(m) = b .                eq c \in list(m) = true .

red inv1(p,pms) implies inv1(shello(p,b,r,i,c,m),pms) .

close

open INV .

op p : -> Protocol .        op pms : -> Pms .

op nw10 : -> Network .     op b : -> Prin .

op c : -> Choice .          op r : -> Rand .

op i : -> Sid .              op m : -> Msg .

eq c-shello(p,b,r,i,c,m) = false .

red inv1(p,pms) implies inv1(shello(p,b,r,i,c,m),pms) .

close

where INV is the module in which the specification of the protocol and the invariants are available. The proof is semantically split into two sub-cases as follows:

• (1) c-shello(p,b,r,i,c,m) = true, which corresponds to the first open-close fragment above. We show that c-shello(p,b,r,i,c,m) = true can be rewritten to the six equations in the first open-close fragment. Firstly, based on the definition of c-shello as already presented in “Formal Specification in CafeOBJ”, c-shello(p,b,r,i,c,m) = true can be rewritten to the following six equations:

eq m \in nw(p) = true. % message m is in the network

eq i \in ui(p) = false. % session ID i has not been used before

eq r \in ur(p) = false. % random r has not been used before

eq ch?(m) = true. % m is a ClientHello message

eq dst(m) = b. % the receiver of m is b

eq c \in list(m) = true. % choice c is in the cipher suite list sent in m

As already explained at the beginning of this section, the equation eq m \in nw(p) = true . can be rewritten to eq nw(p) = m , nw10 ., which is identical to the first equation in the first open-close fragment above.

• (2) c-shello(p,b,r,i,c,m) = false, which corresponds to the second open-close fragment above.

Therefore, this case splitting is semantically correct, but unfortunately, cannot be handled by CiMPG. In other words, CiMPG regards the case splitting as syntactically wrong even though it is semantically correct. In particular, if we try to ask CiMPG to generate a proof script for such a proof score of inv1, CiMPG will recognize that there are some missing open-close fragments, such as the following:

open INV .

ops p p′ : -> Protocol .    op pms : -> Pms .

op nw10 : -> Network .      op b : -> Prin .

op c : -> Choice .           op r : -> Rand .

op i : -> Sid .               op m : -> Msg .

eq (nw(p) = m , nw10) = false .

red inv1(p,pms) implies inv1(shello(p,b,r,i,c,m),pms) .

close

Note that in this case, precisely, the output of CiMPG is something like “sub-goal (1–2) is missing”, where number 1 in (1–2) associates the goal with the induction case shello. From the very first equation used for case splitting, i.e., eq nw(p) = m , nw10., it follows that the sub-goal (1–1) is characterized by nw(p) = (m , nw10), while the sub-goal (1–2) is characterized by (nw(p) = m , nw10) = false. In other words, the above-mentioned open-close fragment is the representation of the missing sub-goal (1–2).

To get rid of this situation, or to make CiMPG be able to generate a proof script for inv1, we need to modify the proof score for this induction case of inv1. The revised proof score consists of seven sub-cases as shown in Table 1. As an example, we show here the proof fragment associated with the sub-case (2.1) in the table as follows:

open INV .

op p : -> Protocol .           op pms : -> Pms .

op nw10 : -> Network .         op b : -> Prin .

op c : -> Choice .              op r : -> Rand .

op i : -> Sid .                  op m : -> Msg .

eq r \in ur(p) = false .

eq i \in ui(p) = true .

red inv1(p,pms) implies inv1(shello(p,b,r,i,c,m),pms) .

close

The remaining proof fragments are written likewise. Note that how to do case splitting has been briefly illustrated in “IFF and Formal Specification in CafeOBJ” (readers can find more in the article by Ogata & Futatsugi (2006)). Note also that there are some other possible ways of doing case splitting rather than the one shown in Table 1, for example by changing the order of the predicates $c1$ and $c2$. Semantic-based case splittings are used in not only the induction case shello of inv1 but also some other induction cases and proof scores of other invariants. Consequently, to get rid of using semantic-based case splittings, we need to revise most of the existing proof scores.

An additional lemma

Revising the existing proof scores makes us realize that there is a new lemma such that we cannot complete the formal verification without it. The lack of this lemma in the existing proof scores poses no problem essentially because semantic-based case splittings are used. However, once the proof scores are revised to which semantic-based case splittings are removed, the lemma is necessary to complete the verification. We will soon come back to discuss this problem at the end of this section. In the following, we explain how we have found that lemma.

Let us first show an invariant, namely inv14, which is a lemma required to complete the proof of the correspondence property:

op inv14 : Protocol Prin Prin Rand Rand Choice Sid Secret -> Bool

eq inv14(P,A,B,R,R2,C,I,S) =

  (sf2(B,B,A,esfin2(k(B,pms(A,B,S),R,R2), sfin2(A,B,I,C,R,R2,pms(A,B,S)))) \in nw(P)

   and not(A = intruder or B = intruder))

  implies sh2(B,B,A,R2,I,C) \in nw(P) .

where sh2 and sf2 are two constructors of sort Msg representing SeverHello2 and SeverFinished2 messages, respectively. They are declared as follows:

op sh2 : Prin Prin Prin Rand Sid Choice -> Msg {constr}

op sf2 : Prin Prin Prin EncSFin2 -> Msg {constr}

where EncSFin2 is the sort representing ciphertexts sent in SeverFinished2 messages. After revising semantic-based case splittings used in the proof score of inv14, there is a sub-case as follows:

open INV .

ops a b p2 : -> Prin .       op c : -> Choice .

ops r1 r2 : -> Rand .        op i : -> Sid .

op p : -> Protocol .         op s : -> Secret .

ops m1 m2 m3 : -> Msg .

eq m1 \in nw(p) = true .

eq m2 \in nw(p) = true .

eq m3 \in nw(p) = true .

eq ch2?(m1) = true .        eq sh2?(m2) = true .

eq cf2?(m3) = true .        eq crt(m2) = p2 .

eq src(m2) = p2 .             eq src(m1) = dst(m2) .

eq dst(m1) = p2 .            eq src(m3) = dst(m2) .

eq dst(m3) = p2 .            eq sid(m1) = sid(m2) .

eq (ss(p,dst(m2),p2,sid(m2)) = none) = false .

eq sh2(p2,p2,dst(m2),rand(m2),sid(m2),choice(m2)) \in nw(p) = false .

...

red inv14(p,a,b,r1,r2,c,i,s) implies inv14(sfin2(p,p2,m1,m2,m3),a,b,r1,r2,c,i,s).

close

There are some more equations placed in ... but they are omitted for the sake of simplicity. Note that sfin2 is a transition formalizing a ServerFinished2 message sent by a server to a client, whose constructor is declared as follows:

op sfin2 : Protocol Prin Msg Msg Msg -> Protocol {constr}

CafeOBJ returns false for the open-close fragment above. Focusing on the five blue equations, we see a contradiction here. Because of sh2?(m2) = true, crt(m2) = p2, and src(m2) = p2, it must be true that the two messages m2 and sh2(p2,p2,dst(m2),rand(m2),sid(m2),choice(m2)) are equal. However, while the first equation in the open-close fragment above states that the latter message (i.e., m2) is in the network, the last equation says that the former message is not in the network. This is indeed a contradiction. In other words, the source state (characterized by the equations in the above-mentioned open-close fragment) is unreachable. If we can show that, then we do not need to consider that state or the sub-case anymore. To this end, we define a trivial lemma as follows:

op lm1 : Msg Msg Network -> Bool

eq lm1(M,M2,NW) = (M = M2 and M \in NW) implies M2 \in NW .

The equation says that if there exists a message M in the network and a message M2 is equal to M, then M2 is also in the network. Using this lemma, the sub-case above can be discharged:

red lm1(m2,sh2(p2,p2,dst(m2),rand(m2),sid(m2),choice(m2)),nw(p))

  implies inv14(p,a,b,r1,r2,c,i,s)

  implies inv14(sfin2(p,p2,m1,m2,m3),a,b,r1,r2,c,i,s) .

The lemma can be simply proved without induction. In addition to inv14, we need to use the lemma in the proof of some other invariants including inv7, inv8, inv12, inv13, inv16, inv17, and inv18.

One question raised is why without the lemma lm1 the original proof scores were still able to complete the formal verification. Essentially, the reason is that the existing proof scores use semantic-based case splittings. Suppose that there are two messages denoted by two fresh constants m and m2 in which: (1) m = m2 and (2) m is in the network denoted by nw. (1) and (2) form the premise of lm1, we show that the conclusion of lm1 can be derived if semantic-based is allowed to be used. As mentioned in “Revising Semantic-Based Case Splittings”, it is semantically correct to represent (2) by nw = (m , nw′), where nw′ is a fresh constant of sort Network, representing an arbitrary network. After that, m2 \in nw is rewritten to m2 \in (m , nw′). Because of (1), it is one more step rewritten to m2 \in (m2 , nw′), and finally is reduced to true based on the definition of operator \in. Therefore, if proof scores are written with the use of semantic-based case splittings, the lack of lm1 poses no problem.

A way to use cimpg for existing large proof scores

From the existing proof scores, using CiMPG allows us to confirm the correctness of the proof scores. We have conducted an experiment in which we put all proof scores of TLS (after revising semantic-based case splittings) into CiMPG and asked it to generate proof scripts like what is presented in “Proof Score Checking with CiMPG” with the IFF case study. However, even though we waited for more than eight days, CiMPG still did not terminate. This is because the input proof scores are not simple like those of the IFF case study, but really complicated and large, making an unreasonable amount of time for CiMPG to generate the proof scripts. This section presents how we handle each proof score one by one, and how we handle each induction case one by one, as two ways to mitigate the running time of CiMPG.

Related work

From a CafeOBJ specification and an invariant property, while CiMPG requires the complete proof score of the property to generate the corresponding proof script, CiMPG+F (Riesco & Ogata, 2020) (CafeInMaude Proof Generator & Fixer-upper), which is another tool implemented on top of CafeInMaude, can infer proof scripts even some proof fragments in the input proof scores are missing. Precisely, CiMPG+F can (i) generate complete proof scripts from scratch and (ii) fix incomplete proof scores. Human users need to indicate invariant properties that want to be proven and the variable on which structural induction is used. When the proof scores provided are incomplete, CiMPG+F tries to correct them by leveraging the provided information to narrow the search space. Besides, when proof scripts cannot be inferred entirely from scratch, CiMPG+F allows human users to give a partial proof score to guide the fixing algorithm. Thus, we can say that CiMPG+F handles the mechanical work while leaving human users to resolve the creative tasks. The article (Riesco & Ogata, 2020) has reported experiments with several protocols, such as NSLPK (Lowe, 1995), showing that CiMPG+F can completely generate proof scripts for all case studies. TLS case study, whose formal specification is more complicated than all case studies used in the article, has not been tackled.

It is worth mentioning some case studies on symbolically formal verification of TLS. In the case study of Paulson (1999), the TLS 1.0 handshake protocol has also been verified by using the proof assistant Isabelle (Nipkow, Paulson & Wenzel, 2002). The verification confirmed the protocol enjoys three properties, two of which have informal descriptions similar to our secrecy property and correspondence property, while the remaining property states that no attacker is able to alter the negotiation communication without the parties noticing. His verification additionally considered session key compromises, while we do not take this case into account. From that, he has verified the secrecy of session resumptions even if the previous session keys were compromised. The verification presented in that article is basically based on an inductive approach to verifying cryptographic protocols (Paulson, 1998). The protocol is modeled as a set of traces, where each trace is a list of communication events, and then the security properties are proved by using induction on such traces. Roughly speaking, events and traces in that approach correspond to transitions and sequences of transitions, respectively, in our CafeOBJ specification.

In the case study of Tankink & Vullers (2008), the TLS 1.1 handshake protocol has been verified by using the ProVerif tool (Blanchet, 2013), a well-known tool for analyzing cryptographic protocols. Two properties similar to our secrecy property and correspondence property have been proved with respect to the built-in intruder of ProVerif. However, they did not consider the abbreviated handshake mode. Moreover, they made some more abstractions, for example, they did not model the public key infrastructure lying behind digital certificates, but simply assumed that a certificate of principal X is in form of $cert(p{k}_X,X)$, where $p{k}_X$ denotes the public key of X.

In the work of Bhargavan et al. (2012), the authors have devoted modeling cryptographic protocols by some specification languages since that way of modeling generally lacks some aspects of details, and then they proposed to verify the detailed TLS 1.0 protocol implementation. Precisely, from a part of the TLS protocol implementation written in F# (Syme, Petricek & Lomov, 2011), they compiled the code to a specification written in a variant of the $\pi$-calculus (Blanchet, 2016). This specification is accepted by ProVerif (Blanchet, 2013), a well-known tool for analyzing cryptographic protocols, and then ProVerif compiled it to Horn clauses, running a resolution algorithm to prove security properties. Human users needed to specify the intruder capabilities, the security assumptions, the desired properties, and especially, some parts of the code that the compilation could not automatically translate them, such as the core libraries that provide cryptographic primitives. On the one hand, verification of actual implementations is advantageous in there is no worry that some potentially flawed details of a protocol implementation code are missed. On the other hand, it may become a burden to carry out the verification of a huge implementation. With the TLS 1.0 case study reported in his article, only a small functional implementation of the protocol (but not the complete protocol) is programmed in F# to then conduct the verification.

To address the drawback of the proof score writing approach to formal invariant property verification, an approach to automatically proof score generation has been proposed (Tran & Ogata, 2022), and a tool supporting it - IPSG (Invariant Proof Score Generator) has been implemented. The intuitive idea is as follows: when we feed a proof score fragment into CafeOBJ and it returns a term $t$, which is neither true nor false, a sub-term of $t$, say $t^{\mathrm{\prime }}$ (both $t$ and $t^{\mathrm{\prime }}$ are Boolean terms), is selected to split the current case into two sub-cases, one is when $t^{\mathrm{\prime }}$ holds and the other is when it does not. For each sub-case, the same procedure is applied. Eventually, a list of open-close fragments is obtained in which the reduction commands return either true or false. If true is returned, the associated case is done. If false is returned, the tool tries to find a lemma from a collection of all possible lemmas provided by human users that can be used to discharge the current case. By using the tool, human errors can be avoided and human users only need to focus on solving non-trivial sub-cases, which normally require additional lemmas, but trivial sub-cases are already discharged by the tool. In the article, the practicability of the tool has been demonstrated through several protocol case studies including the TLS protocol version 1.2 (Rescorla & Dierks, 2008). To confirm the correctness of the generated proof scores for the TLS case study, the proof generator CiMPG and the proof assistant CiMPA have also been employed.

Talking about a class of systems, i.e., cryptosystems like the TLS protocol, there exist several tools for automatically verifying their security, such as Maude-NPA (Escobar, Meadows & Meseguer, 2007), ProVerif (Blanchet, 2013), and Tamarin (Meier et al., 2013). Maude-NPA is a tool for reasoning about the security of cryptographic protocols in which cryptosystems satisfy different equational properties. The tool was implemented in Maude and can be used not only to prove the security but also to look for attacks. From a final insecure pattern that represents insecure states (called attack pattern, specified by human users), the tool uses backward searching to check whether it is reachable from an initial state, which has no further backward steps. If that is the case, the attack concerned can be conducted for the protocol under verification; otherwise, the attack cannot. The advantage of Maude-NPA is that it supports verification for an unbounded number of sessions and it is fully automatic. However, the most challenging problem is how to deal with a huge or even infinite state space. Some techniques have been proposed and implemented in Maude-NPA to address this issue (Escobar, Meadows & Meseguer, 2008). For example, Maude-NPA uses the super lazy intruder model to postpone the expansion of substitution instances, consequently scaling down the search space size. Another extensive technique used by Maude-NPA is to generate formal grammar representing states that are unreachable from initial states. ProVerif (Blanchet, 2013), as we have mentioned before, is also a well-known automatic verification tool of security protocols. ProVerif uses the applied $\pi$-calculus (Blanchet, 2016) to model a cryptographic protocol, where the execution of the protocol is encoded as a set of Horn clauses. The tool automatically determines whether the model satisfies a set of security requirements in the presence of the Dolev-Yao intruder (Dolev & Yao, 1983). Security analysis is performed basically based on Horn clauses resolution. ProVerif has been used to analyze many protocols, such as LINE (Shi & Yoneyama, 2019), Signal (Kobeissi, Bhargavan & Blanchet, 2017), and the ARINC823 avionic protocols (Blanchet, 2017). Along with ProVerif, Tamarin (Meier et al., 2013) is also known as one of the state-of-the-art tools for formal analysis of security protocols. Tamarin is the successor version of Scyther (Cremers, 2008), exposing a number of improvements. For instance, Tamarin allows user-specified equational theories in the input protocol specification, while Scyther does not allow them. One key feature of Tamarin is that it offers an interactive mode when the tool cannot terminate in the automated mode to prove some desired properties. In particular, human users can input some extra lemmas to help the tool pass over some non-trivial sub-goals, or can write proof manually. Using Tamarin, a number of protocols have been analyzed, such as the Authentication and Key Agreement (AKA) protocol for 5G Authentication (Basin et al., 2018) and the IEEE 802.11 WPA2 protocol (Cremers, Kiesl & Medinger, 2020).

Conclusion

This article has presented a case study on the formal verification of the TLS 1.0 handshake protocol with CiMPG and CiMPA. We have used the existing proof scores but we needed to revise the proof scores so that CiMPG could handle them. The modification essentially aims to get rid of case splittings based on semantics. When revising the existing proof scores, we have also recognized that a new additional lemma is required to complete the verification. The generation of proof scripts by CiMPG from proof scores usually takes a long time when the size of input proof scores is huge. It is not reasonable to handle all proof scores at the same time with CiMPG. Thus, we handled each proof score one-by-one with CiMPG. There is one proof score it took a long time to handle with CiMPG. With that proof score, we handled each induction case one by one to reduce the time taken. We have described how to revise the existing proof scores, how to find the new lemma, how to handle each proof score one by one, and how to handle each induction case one by one as tips on handling existing large proof scores. A combination of writing proof scores and checking them with CiMPG would be a promising way of formal verification, hence, for future work, we are interested in conducting some other verification case studies, confirming the usefulness of the method used in “A Way to use Cimpg for Existing Large Proof Scores” in reducing the time taken by CiMPG.