Skip to navigation Skip to content

Oxford University – Cyber Security Oxford


Creating of a safe, secure and prosperous cyberspace through internationally leading research and educational programmes


Provably Repairing the ISO/IEC 9798 Standard for Entity Authentication

We formally analyze the family of entity authentication protocols defined by the ISO/IEC 9798 standard and find numerous weaknesses, both old and new, including some that violate even the most basic authentication guarantees. We analyze the cause of these weaknesses, propose repaired versions of the protocols, and provide automated, machine-checked proofs of their correctness. From an engineering perspective, we propose two design principles for security protocols that suffice to prevent all the weaknesses. Moreover, we show how modern verification tools can be used for the falsification and certified verification of security standards. Based on our findings, the ISO working group responsible for the ISO/IEC 9798 standard has released an updated version of the standard. Read the rest