Pitfalls in Formal Reasoning about Security Protocols

Abstract

Formal verification can give more confidence in the security of cryptographic protocols. Application specific security properties like "The service providerdoes not loose money" can give even more confidence than standard propertieslike secrecy or authentication. However, it is surprisingly easy to get a meaningful property slightly wrong. The result is that an insecure protocol can be 'proven' secure. We illustrate the problem with a very small application, a copy card, that has only five different messages. The example is taken from a paper where the protocol is secure, but the proved property slightly wrong. We propose to solve the problemby incorporating more of the real-world application into the formal model.