Verifying the SET Protocol: Overview

  • Lawrence C. Paulson
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2629)


The project to verify SET, an e-commerce protocol, is described. The main tasks are to comprehend the written documentation, to produce an accurate formal model, to identify specific protocol goals, and finally to prove them. The main obstacles are the protocol’s complexity (due in part to its use of digital envelopes) and its unusual goals involving partial information sharing. Brief examples are taken from the registration and purchase phases. The protocol does not completely satisfy its goals, but only minor flaws have been found. The primary outcome of the project is experience with handling enormous and complicated protocols.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anderson, R.: Why cryptosystems fail. Comm. of the ACM 37(11), 32–40 (1994)CrossRefGoogle Scholar
  2. 2.
    Bella, G., Massacci, F., Paulson, L.C.: The verification of an industrial payment protocol: The SET purchase phase. In: Atluri, V. (ed.) 9th ACM Conference on Computer and Communications Security, pp. 12–20. ACM Press, New York (2002)CrossRefGoogle Scholar
  3. 3.
    Bella, G., Massacci, F., Paulson, L.C.: Verifying the SET registration protocols. IEEE J. of Selected Areas in Communications 21(1) (2003) (in press)Google Scholar
  4. 4.
    Bella, G., Massacci, F., Paulson, L.C., Tramontano, P.: Formal verification of cardholder registration in SET. In: Cuppens, F., Deswarte, Y., Gollmann, D., Waidner, M. (eds.) ESORICS 2000. LNCS, vol. 1895, pp. 159–174. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  5. 5.
    Bella, G., Paulson, L.C.: Kerberos version IV: Inductive analysis of the secrecy goals. In: Quisquater, J.-J., Deswarte, Y., Meadows, C., Gollmann, D. (eds.) ESORICS 1998. LNCS, vol. 1485, pp. 361–375. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  6. 6.
    Cohen, E.: TAPS: A first-order verifier for cryptographic protocols. In: Proc. of the 13th IEEE Comp. Sec. Found. Workshop, pp. 144–158. IEEE Comp. Society Press, Los Alamitos (2000)CrossRefGoogle Scholar
  7. 7.
    Lowe, G.: Breaking and fixing the Needham-Schroeder public-key protocol using CSP and FDR. In: Margaria, T., Steffen, B. (eds.) TACAS 1996. LNCS, vol. 1055, pp. 147–166. Springer, Heidelberg (1996)Google Scholar
  8. 8.
    Mastercard & VISA. SET Secure Electronic Transaction Specification: Business Description (May 1997), Available electronically at
  9. 9.
    Mastercard & VISA. SET Secure Electronic Transaction Specification: Formal Protocol Definition (May 1997), Available electronically at
  10. 10.
    Mastercard & VISA. SET Secure Electronic Transaction Specification: Programmer’s Guide (May 1997), Available electronically at
  11. 11.
    Meadows, C.: Analysis of the Internet Key Exchange protocol using the NRL Protocol Analyzer. In: SSP 1999, pp. 216–231. IEEE Comp. Society Press, Los Alamitos (1999)Google Scholar
  12. 12.
    Nipkow, T., Paulson, L.C., Wenzel, M.T. (eds.): Isabelle/HOL: A Proof Assistant for Higher-Order Logic. LNCS, vol. 2283. Springer, Heidelberg (2002)MATHGoogle Scholar
  13. 13.
    Paulson, L.C.: The inductive approach to verifying cryptographic protocols. J. of Comp. Sec. 6, 85–128 (1998)Google Scholar
  14. 14.
    Paulson, L.C.: Inductive analysis of the internet protocol TLS. ACM Trans. on Inform. and Sys. Sec. 2(3), 332–351 (1999)CrossRefGoogle Scholar
  15. 15.
    Paulson, L.C.: Relations between secrets: Two formal analyses of the Yahalom protocol. J. of Comp. Sec. 9(3), 197–216 (2001)MathSciNetGoogle Scholar
  16. 16.
    Ryan, P., Schneider, S.: An attack on a recurive authentication protocol. a cautionary tale. Inform. Processing Lett. 65(15), 7–16 (1998)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Lawrence C. Paulson
    • 1
  1. 1.Computer LaboratoryUniversity of CambridgeCambridgeEngland

Personalised recommendations