Verifying Privacy Enhanced Mail Functions with Higher Order Logic

. Security properties such as privacy, authentication, and integrity are of increasing importance to networked systems([KAU]). Systems with security requirements typically must operate with a high degree of confidence. We show how the message structures of Privacy Enhanced Mail (PEM, [LIN, BAL]) and the functions on PEM structures have the desired implementation -independent security properties. Higher-order logic ([AND]) and the HOL theorem-prover([GOR]) are used to precisely relate security properties to system specifications. The structures of MIC-CLEAR and ENCRYPTED messages are modeled as tuples of fields. Each of these fields is modeled as a type which takes only a limited set of values as valid ([MEL]). Security functions for checking privacy, integrity, source authentication and non-repudiation of received messages are defined in HOL. They take as parameters a subset of fields defined above. It is proved that mail messages have these security properties if-and-only-if mail mess..