Journal of Automated Reasoning, Volume 36, Issue 1–2, pp 5–37

Verifying the SET Purchase Protocols

  • Giampaolo Bella
  • Fabio Massacci
  • Lawrence C. Paulson


SET (Secure Electronic Transaction) is a suite of protocols proposed by a consortium of credit card companies and software corporations to secure e-commerce transactions. The Purchase part of the suite is intended to guarantee the integrity and authenticity of the payment transaction while keeping the Cardholder's account details secret from the Merchant and his choice of goods secret from the Bank. This paper details the first verification results for the complete Purchase protocols of SET. Using Isabelle and the inductive method, we show that their primary goal is indeed met. However, a lack of explicitness in the dual signature makes some agreement properties fail: it is impossible to prove that the Cardholder meant to send his credit card details to the very payment gateway that receives them. A major effort in the verification went into digesting the SET documentation to produce a realistic model. The protocol's complexity and size make verification difficult, compared with other protocols. However, our effort has yielded significant insights.

Key words

electronic commerce, security protocols, inductive definitions, deductive verification, Isabelle





Copyright information

© Springer Science+Business Media, Inc. 2006

Authors and Affiliations

  • Giampaolo Bella (1)
  • Fabio Massacci (2)
  • Lawrence C. Paulson (3)

  1. Dipartimento di Matematica e Informatica, Università di Catania, Catania, Italy
  2. Dipartimento di Informatica e Telecomunicazioni, Università di Trento, Povo (Trento), Italy
  3. Computer Laboratory, University of Cambridge, Cambridge, UK
