Formal Analysis of EAP-TLS Protocol Based on Logic of Events

Abstract

The Extensible Authentication Protocol–Transport Layer Security (EAP-TLS) is a critical authentication protocol for wireless networks and secure IoT communications. However, it faces significant challenges from man-in-the-middle attacks, including message tampering, replay, and certificate forgery. Although model checking techniques have been applied to verify its security properties, the complexity of the EAP-TLS handshake often prevents accurate formal modeling; existing studies rarely assess the communication overhead of protocol enhancements. Moreover, traditional Logic of Events Theory (LoET) struggles to handle transport-layer protocols like EAP-TLS due to their intricate interaction processes. This study proposes a novel formal analysis approach, extending LoET by expanding five event classes, formulating corresponding rules, and introducing new axioms. Formal verification reveals attack paths involving plaintext theft, message tampering, and entity impersonation. The research proposes an enhanced strategy to mitigate these vulnerabilities through hash merging, encryption, and signature methods, alongside analyzing their communication costs to ensure feasibility. Using the extended LoET, the improved protocol is rigorously proven to satisfy strong authentication, thereby enhancing practical security. The proposed method achieves a time complexity of O(n²) and demonstrates superior performance in resisting state explosion compared with related approaches, thus establishing a more efficient and robust framework for EAP-TLS security analysis.

1. Introduction

With the widespread adoption of wireless communication, the Internet of Things (IoT), cloud computing, and 5G networks are evolving toward high concurrency, low latency, and distributed architectures, posing increasingly severe challenges to the security of network protocols. Authentication protocols play a vital role in safeguarding data security, user privacy, and system stability. Ensuring the security properties of such protocols is a significant issue in maintaining overall network security [1].

As a certificate-based authentication protocol, EAP-TLS is widely deployed in enterprise wireless networks, Virtual Private Network (VPN) remote access, and secure IoT communications. Its primary objective is to ensure the authentication of communicating entities and prevent unauthorized access. However, when facing man-in-the-middle attacks such as message tampering, replay, and identity forgery, the entity authentication mechanism in EAP-TLS exhibits significant security vulnerabilities [2]. Although extensive research has applied automatic verification tools to verify the protocol’s security properties. Moreover, due to the state explosion problem in automatic verification tools, it is difficult for researchers to model them accurately, and they have to simplify the protocol interaction model, or in order to solve the state explosion problem, the use of automatic verification tools still requires a lot of manual work. Consequently, a formal method with strong expressive power is needed to establish the complex model of the EAP-TLS protocol, but the existing LoET cannot describe the complex model. Therefore, this study extends the LoET and proposes a new method to verify the authentication of the EAP-TLS protocol based on the extended LoET. This method can accurately model the protocol and verify the properties of the protocol to improve the security of the protocol.

Formal methods are among the most successful approaches for proving protocol security. They use mathematical models to describe and reason about the concepts in computer systems, with a core architecture consisting of specification languages and formal reasoning. Specification languages include four main paradigms: abstract model specification, algebraic specification, state transition specification, and axiomatic specification. This methodological system encompasses three key dimensions: formal specification, formal design, and formal verification. Researchers worldwide have made significant breakthroughs in these areas over recent decades. In particular, the field of formal verification has given rise to two typical technical approaches for reasoning about and verifying formal specifications: theorem proving [3] and model checking [4].

Theorem-proving-based methods enable precise modeling of protocols and prove whether the protocol models satisfy security properties. Theorem proving is a logical method and algorithm used to describe distributed and concurrent systems, focusing on protocol correctness, but it is often difficult to fully automate. As a subclass of theorem proving, LoET exhibits distinct advantages over other formal methods in network protocol security analysis. Unlike traditional verification methods [5], LoET constructs behavioral trace models of trusted entities, which effectively reduce explicit reasoning about attacker behavior and simplify the complexity of the verification system [6]. Therefore, applying LoET to formally verify EAP-TLS allows the complexity of reasoning to be reduced while rigorously proving the protocol’s authentication properties. This ensures that the protocol remains secure even when facing malicious attacks, providing a strong theoretical foundation for modern network security [7,8]. Although the event system of LoET can accurately describe the protocol interaction process, its modeling ability needs to be improved in the face of the EAP-TLS protocol with its special interaction mechanism. Therefore, this study extends the event classes for transport-layer protocols with the handshake process and establishes relevant axioms and rules. LoET can accurately model such protocols and use logical formulas to strictly deduce the protocol’s authentication, thereby enhancing security.

In summary, the main contributions are as follows:

• We propose a novel method for the formal analysis of the EAP-TLS protocol based on extended LoET, identifying potential man-in-the-middle attack paths and introducing an improved strategy using hash merging, encryption, and signatures, with feasibility validated through communication cost analysis.
• The present study extends the Logic of Events Theory by expanding five event classes, i.e., $\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}$, $\mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}$, $\mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}$, $\mathrm{P}\mathrm{R}\mathrm{F}$, and $\mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F}$, by defining corresponding event rules. At the same time, the causal axioms in the axiom system were extended, and new axioms were introduced.
• The extended Logic of Events Theory was used to construct a formal model of the EAP-TLS protocol and applied to formally verify the protocol model, ensuring that the improved protocol satisfies strong mutual authentication. The time complexity of this research method is O(n²). In terms of time complexity and ability to resist state explosion, it is better than related research methods.

The organization of this study is arranged as follows: Section 2 discusses recent related work on the EAP-TLS protocol. Section 3 provides an overview of the Logic of Events Theory, including its fundamental symbols, event classes, core axioms, and the rules required for derivations in proofs. Section 4 presents the extensions and innovations in the Logic of Events Theory, specifically the event classes, related rules, and the expanded axiom system. Section 5 describes the EAP-TLS protocol, constructs its interaction model, and performs a formal analysis based on the Logic of Events Theory to identify potential man-in-the-middle attack paths and propose an improved strategy. Section 6 constructs the formal model of the improved protocol and uses the extended Logic of Events Theory to rigorously verify its strong authentication. Section 7 summarizes the work presented in this study, identifies its limitations, and outlines future research directions to continue advancing this work.

2. Related Work

The previous work on the EAP-TLS protocol can be roughly divided into three types: deployment and optimization studies, formal security verification work, and adjustment for specific industry scenarios. Although this research plays a key role in the development of the protocol, it often lacks systematic formal analysis, and the modeling of the specific interaction process of the protocol is often not accurate enough, which makes it difficult to strictly protect the security properties of the EAP-TLS protocol in the face of man-in-the-middle attacks. The improvement strategy of the protocol is bound to bring additional communication costs, but the existing related work does not analyze the communication cost, so that even the improved protocol that satisfies the security properties cannot be guaranteed to be applied to the actual communication environment.

2.1. Deployment and Optimization Efforts

Early work mainly focused on the deployment and verification of the EAP-TLS protocol in WLAN. Yue Ma et al. used the EAP-TLS authentication mechanism in WLAN to achieve transparent authentication and support session-specific encryption and integrity protection. Although these methods improve the security of the protocol, they have not been tested under the adversarial model [9]. Saberi et al. adopted the Elliptic Curve Digital Signature Algorithm (ECDSA) and Secure Hash Algorithm (SHA-256) to replace the mainstream EAP-TLS algorithm, which can balance the security performance with the load rate of resources and time and enhance the security of the EAP-TLS protocol. However, their proposed scheme lacks formal verification, and the protocol is still at risk due to the existence of potential security vulnerabilities [10]. On this basis, Yue Ma et al. optimized the operation efficiency, security, and memory usage of the EAP-TLS protocol under the IEEE 802.11i framework and improved the handshake structure to reduce the number of interactions. This method improves communication efficiency, but it is difficult to model security attributes through formal methods [11].

Some studies proposed theoretical enhancements to EAP-TLS but did not perform formal verification. A. Ghilen et al. proposed a quantum key distribution mechanism based on the EAP-TLS protocol, which enables the exchange of encryption keys and the secure authentication of remote clients. This provided theoretical security, but it has not been verified under formal models [12]. Jacobsen et al. used the ACCE security model to analyze the key derivation function of EAP-TLS and proved that the EAP-TLS protocol is a secure AKE protocol under the Bellare model. However, they only focused on the key derivation process and did not fully focus on the authentication process [13]. C. Wang et al. proposed a pre-authentication mechanism based on the white frequency switching scenario of inter-WRAN TV, which reduces the delay of the EAP framework in the switching process while ensuring security and improves the versatility and security of the EAP framework. However, the previous work did not consider the security of the protocol, such as resistance to man-in-the-middle attacks [14].

2.2. Formal Security Verification Work

Many studies have used automated verification tools to check the security properties of the protocol. Zhang et al. formally modeled the EAP-TLS protocol and used the automatic verification tool Scyther to formally verify the EAP-TLS protocol model and found out the security vulnerabilities of the protocol. They proposed the improvement strategy according to the vulnerability, but they did not calculate the communication consumption brought by the improvement strategy [15]. Chen assumed that the channel was an insecure channel and used ProVerif to verify the formal model of the EAP-TLS protocol. It was found that the authentication between user equipment and network could not be satisfied under the insecure channel. They also did not calculate the communication consumption brought by the improved strategy [16]. Wang et al. used the Diffie–Hellman interaction model and the extended Dolev–Yao attacker model to find the security risks of the protocol in confidentiality and authentication through the automatic verification tool SmartVerif. However, the high complexity of the tool resulted in limited scalability [17].

Wang used the automatic verification tool SPIN to verify the formal model of the EAP-TLS protocol and used the message field to mention the hash in the modeling process, which enhanced the expression ability of Promela and found the vulnerability of authentication. However, this method used to start with simplified assumptions and lacked support for advanced attacker models [18]. Zhu et al. formally modeled the 1.3 version of the EAP-TLS protocol and verified the protocol through the automatic verification tool ProVerif and found that the protocol did not meet the confidentiality [19]. Ma et al. used the Tamarin verification tool to formally verify the protocol, proposed an evidence search strategy to solve the problem of first-out state explosion in the protocol verification process, and found that the protocol had the risk of denial of service attack and data leakage [20].

Shi et al. used the Tamarin verification tool to verify the certificate distribution and session key agreement process in the EAP-TLS protocol model and proposed an improved strategy to enhance the security of the protocol [21]. Although the accuracy of the model is improved by Tamarin, a lot of manual processing has to be conducted due to the complexity of the model, which leads to the appearance of state explosion, so that the automatic verification also requires a lot of manual work.

2.3. Adjust the EAP-TLS Protocol for Specific Industry Scenarios

Some studies combined the EAP-TLS protocol with vertical industry requirements. Q. Hao et al. used Open Air Interface to build an experimental platform, proposed a secondary authentication scheme, and tested and analyzed the scheme [22]. On this basis, they introduced a pseudonym mechanism to group IDs and replace real identity information, which improved the privacy security of the EAP-TLS protocol in the 5G network. Although these works can improve identity privacy, their solutions mainly focus on identity management rather than focusing on protocol-level security guarantees [22]. A. Yadav et al. proposed a lightweight and efficient EAP framework to meet the authentication requirements of the combination of Internet of Things (IoT) and WLAN. The verification tools Scyther and BAN logic are used to verify the robustness of the protocol [23], reducing the consumption of computing and communication resources of the protocol [24]. On this basis, A. Yadav et al. optimized the authentication algorithm to reduce the memory burden and improve the practicability of the protocol in the Internet of Things [25]. Their optimizations reduced communication and memory costs but relied on limited logic models and lacked robustness against active attacks. Zhou [26] proposed an edge server placement algorithm, ISC-QL, to optimize edge computing infrastructure in the Intelligent Internet of Vehicles (IoV). Their method integrates Improved Spectral Clustering (ISC) to group base stations based on spatial and user-density factors and applies Q-learning to dynamically refine deployment decisions. Its attention to task distribution and dynamic optimization mechanisms aligns with this study’s goal of evaluating the communication and computational overhead introduced by improved protocol strategies. Therefore, insights from edge server deployment optimization indirectly support the broader goal of protocol efficiency under constrained, real-time systems.

To establish a universal evaluation mechanism for EAP methods, P. Kumar et al. proposed the Degree of Mutual Trust (DoMT) framework, comparing EAP-TLS with mainstream methods such as EAP-LEAP and EAP-TTLS, and confirmed that EAP-TLS maintains an advantage in mutual trust level assessments [27]. In response to authentication needs for power terminals under 5G networks, Hu et al. incorporated an aggregate signature mechanism with the 5G EAP-TLS protocol model and used ProVerif to verify its security and low computational complexity, making it suitable for large-scale access scenarios [28].

In the framework of EAP authentication, the security of another key protocol, EAP-AKA, is also studied. M. Ajit et al. used the automatic verification tool ProVerif to formally verify the 5G EAP-AKA protocol and found the password parameter leakage problem [29]. Schwenk summarized the authentication mechanism and security evolution of Point-to-Point Protocol (PPP) and Point-to-Point Tunneling Protocol (PPTP) and found out the serious vulnerability of PPTP due to compatibility [30]. Walz et al. studied the hierarchical security design of the PROFINET protocol and proposed a scheme supporting key refresh and uninterrupted communication, which improved EAP access security in industrial environments [31]. These works further demonstrate the importance of formal methods, but it is difficult to apply them directly to the EAP-TLS protocol.

2.4. Comparison of Analysis Methods for EAP-TLS Protocol

This work compares with several typical verification tools in related research literature according to the two indicators of modeling accuracy and communication consumption analysis to highlight the superiority of the extended LoET (a more detailed comparison is in Section 6.2).

Although Zhang et al. formally validated the EAP-TLS protocol using Scyther [15], they made errors in modeling the protocol fields. They abstracted the temporary session key K_session as K_SEAF, which rendered the model inaccurate and did not analyze the communication consumption caused by the improved protocol. ProVerif was effectively used for automatic verification of the EAP-TLS protocol, but for the complex EAP-TLS handshake phase, its abstraction mechanism sacrificed modeling accuracy and did not address communication overhead [16].

The expressive power of the protocol model was enhanced through Tamarin’s multiset rewriting rules, enabling precise modeling of the protocol. However, for complex protocols such as EAP-TLS, state explosion problems were prone to occur during the verification process, requiring extensive manual effort to guide the verification. The SmartVerif method [17] utilized an automatic inference strategy, but its exponential time complexity severely limited scalability and did not provide an analysis of protocol communication costs. The SPIN model checker [18] was well suited for validating concurrent systems, but it was difficult to capture encryption properties with high fidelity, and it could not quantify the communication overhead during the validation process.

This study accurately modeled each handshake process of the protocol through event class modeling and calculated the communication consumption caused by improving the protocol to ensure the feasibility of the proposed strategy. The specific analysis is shown in

Table 1. Comparison of analysis methods for EAP-TLS protocol.

Reference	Research Method	Modeling Accuracy	Communication Overhead Consideration
The present study	LoET (Extended)	High—handshake fully modeled	✔Analyzes communication cost of improvements
Ref. [15]	Scyther	Limited	✖ Not considered
Ref. [16]	ProVerif	Limited	✖ Not considered
Ref. [17]	SmartVerif	Moderate	✖ Not considered
Ref. [18]	SPIN	Limited	✖ Not considered
Ref. [20]	Tamarin	High	✖ Not considered

below.

In summary, although there have been extensive studies on the EAP-TLS protocol, most methods either simplify the complex handshake process of the protocol or rely on automated tools with limited expressive power. This study extends the Logic of Events Theory and enhances the expression ability of LoET for the protocol interaction process. LoET can accurately model the protocol interaction process, accurately describe the details of the protocol subject interaction, and ensure that the protocol meets the strong authentication property through strict mathematical formula derivation, so as to improve the security of the protocol.

3. Logic of Events Theory

The Logic of Events Theory is a branch of theorem-proving logic designed to characterize message actions in the interaction processes of cryptographic protocols. By using an event system, it enables the formal modeling of security protocols. The theory comprises inference rules for deriving security properties and a set of predicate formulas, providing new proof rules and mechanisms for protocol operations. It facilitates rigorous logical reasoning about the security properties of protocols, thereby ensuring their security.

3.1. Basic Symbols and Event Classes

The Logic of Events Theory uses basic symbols to describe the protocol participants, the information exchanged between them, and the logical relationships among events. It classifies protocols by defining events and constructs the protocol through sequences of events and event classes. The semantics of predicate and event classes are specifically shown in

Table 2. Basic symbols, predicates, and event class semantics.

Basic Symbols, Predicates, and Event Classes	Semantics
Id	The subjects participating in the agreement
Atom	A class representing confidential information
Data	All plaintext and messages
e/event Nonce	Represent an event
E	Event set
Nonce	Random number
n	Represents a challenge number in a Nonce event
has	Logical relation contains
||	Logical relation independence
$\le$	Represents a locally finite partial order
loc(e)	Represent the subject where event e occurs
key(e)	The subject key of event e
Thread	An ordered list of actions
bss	the parameter list of basic protocol actions
$\mathrm{Pr}(\mathrm{A})$	Subject A participates in the protocol Pr
${\mathrm{m}}_1\sim {\mathrm{m}}_2$	Messages m1 and m2 have a weak matching relationship
${\mathrm{m}}_1|-{\mathrm{m}}_2$	Messages m1 and m2 have a strong matching relationship
$\mathrm{a}\mathrm{u}\mathrm{t}\mathrm{h}(\mathrm{b}\mathrm{s}\mathrm{s},\mathrm{n})$	The basic sequence bss authenticates n messages
$\mathrm{N}\mathrm{e}\mathrm{w}(\mathrm{e})$	Event e generates a number of challenges
$\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}(\mathrm{e})$	The Data class message sent by event e
$\mathrm{R}\mathrm{c}\mathrm{v}(\mathrm{e})$	The Data class message received in event e
$\mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}(\mathrm{e})=<\mathrm{x},\mathrm{k},\mathrm{c}>$	The subject encrypts the plaintext x with the key k to obtain the ciphertext c
$\mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}({\mathrm{e}}^{\prime })=<\mathrm{x},{\mathrm{k}}^{\prime },\mathrm{c}>$	The subject decrypts the ciphertext c with the key k to obtain the plaintext x
$\mathrm{S}\mathrm{i}\mathrm{g}\mathrm{n}(\mathrm{e})=<\mathrm{x},\mathrm{A},\mathrm{s}>$	The subject signs the plaintext x to obtain the signature message s
$\mathrm{V}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{y}({\mathrm{e}}^{\prime })=<\mathrm{x},\mathrm{A},\mathrm{s}>$	The subject verifies the signed message s to obtain the plaintext x
${\mathrm{e}}_1<{\mathrm{e}}_2$	$\mathrm{The} \mathrm{event} {\mathrm{e}}_1$$\mathrm{occurs} \mathrm{before} \mathrm{the} \mathrm{event} {\mathrm{e}}_2$
$<\mathrm{E},\mathrm{l}\mathrm{o}\mathrm{c},<,\mathrm{i}\mathrm{n}\mathrm{f}\mathrm{o}>$	Presentation Event language
${\mathrm{e}}_1\stackrel{\mathrm{a}}{\to }{\mathrm{e}}_2$	$\mathrm{Atom} \mathrm{a} \mathrm{flows} \mathrm{from} \mathrm{the} \mathrm{event} \mathrm{class} {\mathrm{e}}_1$$\mathrm{to} \mathrm{the} \mathrm{event} \mathrm{class} {\mathrm{e}}_2$

.

3.2. Axiom System

The axioms of the Logic of Events formalize the definitions of message types and specify the proof rules for cryptographic protocols, serving as the core of using the Logic of Events Theory to prove the security of these protocols. This study will introduce the relevant axioms and rules employed in the protocol analysis.

3.2.1. Honest Axiom

During the interaction of the protocol, the honest party does not release its private key, and the signing events, encryption events, and decryption events all occur on the honest party. The properties of the honest signer are described by the honesty axiom $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{S}$ as follows:

$$\begin{array}{c}\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{S}:\\ \forall \mathrm{A}:\mathrm{I}\mathrm{d}.\forall \mathrm{s}:\mathrm{E}(\mathrm{S}\mathrm{i}\mathrm{g}\mathrm{n}).\forall \mathrm{e}:\mathrm{E}(\mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}).\forall \mathrm{d}:\mathrm{E}(\mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}).\mathrm{H}\mathrm{o}\mathrm{n}\mathrm{e}\mathrm{s}\mathrm{t}(\mathrm{A})\Rightarrow \\ \left(\begin{array}{l}\mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}\mathrm{e}\mathrm{r}(\mathrm{s})=\mathrm{A}\Rightarrow (\mathrm{l}\mathrm{o}\mathrm{c}(\mathrm{s})=\mathrm{A})\wedge \\ \mathrm{k}\mathrm{e}\mathrm{y}(\mathrm{e})=\mathrm{P}\mathrm{r}\mathrm{i}\mathrm{v}\mathrm{a}\mathrm{t}\mathrm{e}\mathrm{K}\mathrm{e}\mathrm{y}(\mathrm{A})\Rightarrow (\mathrm{l}\mathrm{o}\mathrm{c}(\mathrm{e})=\mathrm{A})\wedge \\ \mathrm{k}\mathrm{e}\mathrm{y}(\mathrm{d})=\mathrm{P}\mathrm{r}\mathrm{i}\mathrm{v}\mathrm{a}\mathrm{t}\mathrm{e}\mathrm{K}\mathrm{e}\mathrm{y}(\mathrm{A})\Rightarrow (\mathrm{l}\mathrm{o}\mathrm{c}(\mathrm{d})=\mathrm{A})\end{array}\right)\end{array}$$

(1)

3.2.2. Key Axiom

The key axiom defines the relationships between keys, specifying that matching keys form a symmetric relationship: a symmetric key matches only itself, and the private key assigned to a party matches only the corresponding public key. In the Logic of Events Theory, public keys are defined as identifiers, ensuring that two different parties cannot share the same public key. The key axiom is expressed as follows:

$$\left(\begin{array}{l}\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{K}:\forall \mathrm{A},\mathrm{B}:\mathrm{I}\mathrm{d}.\forall \mathrm{k},{\mathrm{k}}^{\prime }:\mathrm{K}\mathrm{e}\mathrm{y}.\forall \mathrm{a}:\mathrm{A}\mathrm{t}\mathrm{o}\mathrm{m}\\ \mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}\mathrm{i}\mathrm{n}\mathrm{g}\mathrm{K}\mathrm{e}\mathrm{y}\mathrm{s}(\mathrm{k},{\mathrm{k}}^{\prime })\iff \mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}\mathrm{i}\mathrm{n}\mathrm{g}\mathrm{K}\mathrm{e}\mathrm{y}\mathrm{s}({\mathrm{k}}^{\prime },\mathrm{k})\wedge \\ \mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}\mathrm{i}\mathrm{n}\mathrm{g}\mathrm{K}\mathrm{e}\mathrm{y}\mathrm{s}(\mathrm{S}\mathrm{y}\mathrm{m}\mathrm{m}(\mathrm{a}),\mathrm{k})\iff \mathrm{k}=\mathrm{S}\mathrm{y}\mathrm{m}\mathrm{m}(\mathrm{a})\wedge \\ \mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}\mathrm{i}\mathrm{n}\mathrm{g}\mathrm{K}\mathrm{e}\mathrm{y}\mathrm{s}(\mathrm{P}\mathrm{r}\mathrm{i}\mathrm{v}\mathrm{K}\mathrm{e}\mathrm{y}(\mathrm{A}),\mathrm{k})\iff \mathrm{k}=\mathrm{A}\wedge \\ \mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}\mathrm{i}\mathrm{n}\mathrm{g}\mathrm{K}\mathrm{e}\mathrm{y}\mathrm{s}(\mathrm{A},\mathrm{k})\iff \mathrm{k}=\mathrm{P}\mathrm{r}\mathrm{i}\mathrm{v}\mathrm{K}\mathrm{e}\mathrm{y}(\mathrm{A})\wedge \\ \mathrm{P}\mathrm{r}\mathrm{i}\mathrm{v}\mathrm{K}\mathrm{e}\mathrm{y}(\mathrm{A})=\mathrm{P}\mathrm{r}\mathrm{i}\mathrm{v}\mathrm{K}\mathrm{e}\mathrm{y}(\mathrm{B})\iff \mathrm{A}=\mathrm{B}\end{array}\right)$$

(2)

3.2.3. Causal Axioms

The causal axioms consist of three axioms: the Receive Axiom $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{R}$, the Verify Axiom $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{V}$, and the Decrypt axiom $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{D}$. These three axioms link the event classes $\mathrm{R}\mathrm{c}\mathrm{v}$, $\mathrm{V}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{y}$, and $\mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}$ to their corresponding and causally preceding events in the $\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}$, $\mathrm{S}\mathrm{i}\mathrm{g}\mathrm{n}$, and $\mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}$ event classes. Among them, $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{R}$ and $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{V}$ are similar in that they both describe the matching behavior of protocol operations: before any receive event or corresponding digital signature verification event occurs, there must exist a corresponding send or sign event carrying identical message content. $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{D}$ is generally analogous to $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{R}$ and $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{V}$, with the only difference being that $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{D}$ explicitly involves key elements. The causal axioms are presented as follows:

$$\left(\begin{array}{c}\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{R}:\forall \mathrm{e}:\mathrm{E}(\mathrm{R}\mathrm{c}\mathrm{v}).\exists {\mathrm{e}}^{\prime }:\mathrm{E}(\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}).{\mathrm{e}}^{\prime }<\mathrm{e}\wedge \mathrm{R}\mathrm{c}\mathrm{v}(\mathrm{e})=\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}({\mathrm{e}}^{\prime })\\ \mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{V}:\forall \mathrm{e}:\mathrm{E}(\mathrm{V}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{y}).\exists {\mathrm{e}}^{\prime }:\mathrm{E}(\mathrm{S}\mathrm{i}\mathrm{g}\mathrm{n}).{\mathrm{e}}^{\prime }<\mathrm{e}\wedge \mathrm{V}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{y}(\mathrm{e})=\mathrm{S}\mathrm{i}\mathrm{g}\mathrm{n}({\mathrm{e}}^{\prime })\\ \mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{D}:\forall \mathrm{e}:(\mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}).\exists {\mathrm{e}}^{\prime }:\mathrm{E}(\mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}).{\mathrm{e}}^{\prime }<\mathrm{e}\wedge \mathrm{D}\mathrm{E}\mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}(\mathrm{e},{\mathrm{e}}^{\prime }){\equiv }_{\mathrm{d}\mathrm{e}\mathrm{f}}\\ \mathrm{p}\mathrm{l}\mathrm{a}\mathrm{i}\mathrm{n}\mathrm{t}\mathrm{e}\mathrm{x}\mathrm{t}(\mathrm{e})=\mathrm{p}\mathrm{l}\mathrm{a}\mathrm{i}\mathrm{n}\mathrm{t}\mathrm{e}\mathrm{x}\mathrm{t}({\mathrm{e}}^{\prime })\wedge \mathrm{c}\mathrm{i}\mathrm{p}\mathrm{h}\mathrm{e}\mathrm{r}\mathrm{t}\mathrm{e}\mathrm{x}\mathrm{t}(\mathrm{e})=\mathrm{c}\mathrm{i}\mathrm{p}\mathrm{h}\mathrm{e}\mathrm{r}\mathrm{t}\mathrm{e}\mathrm{x}\mathrm{t}({\mathrm{e}}^{\prime })\wedge \\ \mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}\mathrm{i}\mathrm{n}\mathrm{g}\mathrm{K}\mathrm{e}\mathrm{y}\mathrm{s}(\mathrm{k}\mathrm{e}\mathrm{y}(\mathrm{e}),\mathrm{k}\mathrm{e}\mathrm{y}({\mathrm{e}}^{\prime }))\end{array}\right)$$

(3)

3.3. Verification Rules

In the Logic of Events Theory, events follow specific rules governing their relationships. The rules concerning the order of events are presented as follows.

3.3.1. Freshness Rule $\mathrm{F}\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{h}$

$\mathrm{F}\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{h}$ is defined as a Boolean type to describe the fresh state of an atomic type a in a certain event. If the fresh state of atomic a in an event ${\mathrm{e}}_{\mathrm{n}}$ is $\mathrm{F}\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{h}({\mathrm{e}}_{\mathrm{n}},\mathrm{a})$, it indicates that only the subject of the event ${\mathrm{e}}_{\mathrm{n}}$ can see atomic a and the messages containing atomic a. The detailed definition is as follows:

$$\left(\begin{array}{c}\mathrm{D}\mathrm{e}\mathrm{f}\mathrm{i}\mathrm{n}\mathrm{i}\mathrm{t}\mathrm{i}\mathrm{o}\mathrm{n} \mathrm{o}\mathrm{f} \mathrm{F}\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{h}:\\ (\mathrm{N}\mathrm{e}\mathrm{w}({\mathrm{e}}_0)=\mathrm{a}\Rightarrow \mathrm{F}\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{h}({\mathrm{e}}_0,\mathrm{a}))\\ \left(\begin{array}{l}\forall \mathrm{A}:\mathrm{I}\mathrm{d}.\exists {\mathrm{e}}_1:\mathrm{E}(\mathrm{n}\mathrm{e}\mathrm{w}).\forall {\mathrm{e}}_2:{\mathrm{E}}_1.\exists {\mathrm{e}}_3:{\mathrm{E}}_2.\\ \mathrm{l}\mathrm{o}\mathrm{c}({\mathrm{e}}_1)=\mathrm{l}\mathrm{o}\mathrm{c}({\mathrm{e}}_2)=\mathrm{l}\mathrm{o}\mathrm{c}({\mathrm{e}}_3)=\mathrm{A}\wedge \\ {\mathrm{e}}_1<{\mathrm{e}}_2<{\mathrm{e}}_3\wedge \mathrm{n}\mathrm{e}\mathrm{w}({\mathrm{e}}_1)=\mathrm{a}\wedge {\mathrm{E}}_2({\mathrm{e}}_3) \mathrm{h}\mathrm{a}\mathrm{s} \mathrm{a}\wedge \\ \neg (\mathrm{s}\mathrm{e}\mathrm{n}\mathrm{d}({\mathrm{e}}_2) \mathrm{h}\mathrm{a}\mathrm{s} \mathrm{a})\vee \neg ({\mathrm{e}}_2=\mathrm{E}(\mathrm{s}\mathrm{e}\mathrm{n}\mathrm{d}))\end{array}\right)\Rightarrow \\ \mathrm{F}\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{h}({\mathrm{e}}_3,\mathrm{a})\end{array}\right)$$

(4)

This definition is based on Rule ${\mathrm{e}}_0$, which specifies that if event is the event where atomic a is generated, then atomic a maintains freshness $\mathrm{F}\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{h}({\mathrm{e}}_0,\mathrm{a})$ with respect to event ${\mathrm{e}}_0$. Alternatively, if ${\mathrm{e}}_3$ occurs after the generation event ${\mathrm{e}}_1$ of atomic a, and every event between ${\mathrm{e}}_1$ and ${\mathrm{e}}_3$ is either not a send event or a send event that does not contain atomic a, then atomic a maintains freshness $\mathrm{F}\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{h}({\mathrm{e}}_3,\mathrm{a})$ with respect to ${\mathrm{e}}_3$.

3.3.2. FirstSend Rule

$\mathrm{F}\mathrm{i}\mathrm{r}\mathrm{s}\mathrm{t}\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}$ indicates that the send event ${\mathrm{e}}_{\mathrm{n}}$ by the entity is the first event to include atomic a, and that all preceding send events do not contain atomic a. This is defined as a Boolean predicate, with the detailed definition given below.

$$\left(\begin{array}{c}\mathrm{D}\mathrm{e}\mathrm{f}\mathrm{i}\mathrm{n}\mathrm{i}\mathrm{t}\mathrm{i}\mathrm{o}\mathrm{n} \mathrm{o}\mathrm{f} \mathrm{F}\mathrm{i}\mathrm{r}\mathrm{s}\mathrm{t}\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}:\\ \forall \mathrm{A}:\mathrm{I}\mathrm{d}.\exists {\mathrm{e}}_1:\mathrm{E}(\mathrm{N}\mathrm{e}\mathrm{w}).\exists {\mathrm{e}}_2:\mathrm{E}(\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}).\mathrm{l}\mathrm{o}\mathrm{c}({\mathrm{e}}_1)=\mathrm{l}\mathrm{o}\mathrm{c}({\mathrm{e}}_2)=\mathrm{A}\wedge \\ {\mathrm{e}}_1<{\mathrm{e}}_2\wedge \mathrm{F}\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{h}({\mathrm{e}}_2,\mathrm{a})\Rightarrow \mathrm{F}\mathrm{i}\mathrm{r}\mathrm{s}\mathrm{t}\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}({\mathrm{e}}_2,\mathrm{a})\end{array}\right)$$

(5)

This definition is based on the rule of $\mathrm{F}\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{h}$, indicating that there are no send events containing atomic a between event ${\mathrm{e}}_1$ and event ${\mathrm{e}}_2$, where event ${\mathrm{e}}_2$ is the first send event transmitting a message containing atomic a.

3.3.3. RuleF Rule

$\mathrm{R}\mathrm{u}\mathrm{l}\mathrm{e}\mathrm{F}$ specifies the ordering relationship between the $\mathrm{F}\mathrm{i}\mathrm{r}\mathrm{s}\mathrm{t}\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}$ event containing atomic a and other events. This rule enables the inference of the temporal order among events, as detailed below:

$$\left(\begin{array}{c}\mathrm{R}\mathrm{u}\mathrm{l}\mathrm{e}\mathrm{F}:\\ \left(\begin{array}{l}\forall \mathrm{A},\mathrm{B}:\mathrm{I}\mathrm{d}.\exists {\mathrm{e}}_1:\mathrm{E}(\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}).\forall {\mathrm{e}}_2:\mathrm{E}.\mathrm{l}\mathrm{o}\mathrm{c}({\mathrm{e}}_1)=\mathrm{A}\wedge \\ \mathrm{l}\mathrm{o}\mathrm{c}({\mathrm{e}}_2)=\mathrm{B}\wedge \mathrm{F}\mathrm{i}\mathrm{r}\mathrm{s}\mathrm{t}\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}({\mathrm{e}}_1,\mathrm{a})\wedge \neg (\mathrm{E}({\mathrm{e}}_2)\parallel \mathrm{a})\end{array}\right)\Rightarrow \\ {\mathrm{e}}_1<{\mathrm{e}}_2\end{array}\right)$$

(6)

$\mathrm{R}\mathrm{u}\mathrm{l}\mathrm{e}\mathrm{F}$ specifies the temporal ordering relationship between events involving two entities. Assuming that event ${\mathrm{e}}_1$ represents the send event ${\mathrm{e}}_2$ where entity A transmits a message containing atomic a to entity B, and event is an event of entity B, it can be inferred that the send event ${\mathrm{e}}_1$ on entity A must occur before event ${\mathrm{e}}_2$ on entity B. By applying $\mathrm{R}\mathrm{u}\mathrm{l}\mathrm{e}\mathrm{F}$, the inference process for strong matching sessions can be significantly simplified.

3.4. Protocol Definition

The Logic of Events Theory defines a protocol using a basic sequence relation table $\mathrm{b}\mathrm{s}\mathrm{s}$. The protocol is represented as an assertion on storage locations of type $\mathrm{I}\mathrm{d}\to \mathrm{{\rm P}}$. The specific definition of protocol $\mathrm{P}\mathrm{r}\mathrm{o}\mathrm{t}\mathrm{o}\mathrm{c}\mathrm{o}\mathrm{l}(\mathrm{b}\mathrm{s}\mathrm{s})$ is given as follows:

$$\left(\begin{array}{c}\mathrm{\lambda }\mathrm{A}.\forall \mathrm{e}:\mathrm{A}\mathrm{c}\mathrm{t}.\mathrm{l}\mathrm{o}\mathrm{c}(\mathrm{e})=\mathrm{A}\Rightarrow (\exists \mathrm{t}\mathrm{h}\mathrm{r}.\mathrm{i}\mathrm{n}\mathrm{O}\mathrm{n}\mathrm{e}\mathrm{o}\mathrm{f}(\mathrm{e},\mathrm{t}\mathrm{h}\mathrm{r},\mathrm{b}\mathrm{s}\mathrm{s},\mathrm{A}))\wedge \\ \forall \mathrm{t}\mathrm{h}{\mathrm{r}}_1,\mathrm{t}\mathrm{h}{\mathrm{r}}_2.(\mathrm{i}\mathrm{n}\mathrm{O}\mathrm{n}\mathrm{e}\mathrm{o}\mathrm{f}(\mathrm{e},\mathrm{t}\mathrm{h}{\mathrm{r}}_1,\mathrm{b}\mathrm{s}\mathrm{s},\mathrm{A})\wedge \mathrm{i}\mathrm{n}\mathrm{O}\mathrm{n}\mathrm{e}\mathrm{o}\mathrm{f}(\mathrm{e},\mathrm{t}\mathrm{h}{\mathrm{r}}_1,\mathrm{b}\mathrm{s}\mathrm{s},\mathrm{A}))\\ \Rightarrow \mathrm{t}\mathrm{h}{\mathrm{r}}_1\simeq \mathrm{t}\mathrm{h}{\mathrm{r}}_2\end{array}\right)$$

(7)

3.5. Strong Authentication

The strong authentication property of the protocol is defined through the establishment of matching sessions between entities. Due to space constraints, detailed explanations of the concepts of threads, basic sequences, matching sessions, and protocol actions are provided in Appendixes A.1–A.4. Entities A and B are assumed to be honest and compliant with the protocol specifications. Entity A initiates a session sequence, and a corresponding response sequence from entity B constitutes a legitimate matching session. When entity B executes an instance of the complete response sequence, a matching session with entity A is formed, ensuring that each received message aligns precisely with its corresponding sent message. This process enables both parties to complete mutual authentication and prevents adversaries from exploiting previously intercepted messages to launch impersonation or replay attacks. The matching session process satisfies the strong matching property. In protocol $\mathrm{P}\mathrm{r}$, the basic sequence $\mathrm{b}\mathrm{s}\mathrm{s}$ authenticates n messages, and the authentication procedure adheres to the following conditions.

$$\left(\begin{array}{l}\mathrm{Pr}|=\mathrm{a}\mathrm{u}\mathrm{t}\mathrm{h}(\mathrm{b}\mathrm{s}\mathrm{s},\mathrm{n}){\equiv }_{\mathrm{d}\mathrm{e}\mathrm{f}}\forall \mathrm{A},\mathrm{B}.\forall \mathrm{t}\mathrm{h}{\mathrm{r}}_1.\\ (\mathrm{H}\mathrm{o}\mathrm{n}\mathrm{e}\mathrm{s}\mathrm{t}(\mathrm{A})\wedge \mathrm{H}\mathrm{o}\mathrm{n}\mathrm{e}\mathrm{s}\mathrm{t}(\mathrm{B})\wedge \mathrm{Pr}(\mathrm{A})\wedge \mathrm{Pr}(\mathrm{B})\\ \wedge \mathrm{A}\ne \mathrm{B}\wedge \mathrm{l}\mathrm{o}\mathrm{c}(\mathrm{t}\mathrm{h}{\mathrm{r}}_1)=\mathrm{A}\wedge \mathrm{b}\mathrm{s}\mathrm{s}(\mathrm{A},\mathrm{B},\mathrm{t}\mathrm{h}{\mathrm{r}}_1))\\ \Rightarrow \exists \mathrm{t}\mathrm{h}{\mathrm{r}}_2.\mathrm{l}\mathrm{o}\mathrm{c}(\mathrm{t}\mathrm{h}{\mathrm{r}}_2)=\mathrm{B}\wedge \mathrm{t}\mathrm{h}{\mathrm{r}}_1\stackrel{\mathrm{n}}{\approx }\mathrm{t}\mathrm{h}{\mathrm{r}}_2\end{array}\right)$$

(8)

3.6. Proof Procedure

The verification steps of the strong authentication property of the protocol using the Logic of Events Theory are summarized as follows:

Construct a formal model of the protocol’s interaction behavior using the Logic of Events Theory, decompose it into basic sequences, and identify the strong authentication properties that require proof.

Conduct a unidirectional proof of the strong authentication properties. Under the assumption that honest entities strictly follow the protocol, consider a thread as an instance of the basic sequence, and incrementally analyze to prove the occurrence of matching events.

Determine whether the matching events conform to the definition of a matching session. If they do, perform a proof from the innermost to the outermost parts of the session to verify whether the entire matching session satisfies the weak matching property.

Determine the length of the matching session, and based on the relevant axioms, prove that the strong matching dialog fulfills the required strong authentication properties.

After completing the unidirectional proof, carry out bidirectional proof of the strong authentication properties. If the proof is successful, it confirms the security of the protocol; otherwise, it indicates the potential for adversaries to launch impersonation attacks, compromising the security of the protocol’s entities.

The verification process based on the Logic of Events Theory to verify the strong authentication of security protocols for two-party entities is shown in Figure 1.

3.7. Limitations of the Logic of Events Theory

The Logic of Events Theory represents a branch of theorem-proving methodologies, which have been widely employed in the security analysis of network protocols. Many advantages of theorem proving are embodied within the Logic of Events Theory; however, this approach also exhibits notable limitations. Specifically, proofs based on the Logic of Events Theory often rely heavily on manual processes, rendering the verification procedure complex and labor-intensive. Therefore, to achieve automated proofs of network protocol authentication properties, it is crucial to both simplify the proof workflow and enhance verification efficiency. As network protocols evolve, the Logic of Events Theory faces challenges in formally modeling certain unique interaction characteristics inherent to modern protocols. Consequently, the theory itself requires further extension. In this study, the Logic of Events Theory is expanded and successfully applied to conduct a formal analysis of the EAP-TLS protocol, which involves multiple handshake processes. This work broadens the application scope of the Logic of Events Theory by adapting it to accommodate diverse protocol characteristics.

4. Extension of the Logic of Events Theory (LoET)

The Logic of Events Theory has been applied to formally analyze security protocols in areas such as IoT, wireless networks, and composite protocols, successfully verifying their security properties. However, when considering the EAP-TLS protocol, the Logic of Events Theory faces difficulties in formally modeling transport-layer protocols that involve handshake processes, limiting its ability to capture the interactive procedures of the protocol. Therefore, this study extends the Logic of Events Theory by broadening the event classes, associated rules, and axiom system.

4.1. Extension of Event Classes and Associated Rules

The Logic of Events Theory encompasses seven event classes: $\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}$, $\mathrm{R}\mathrm{c}\mathrm{v}$, $\mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}$, $\mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}$, $\mathrm{S}\mathrm{i}\mathrm{g}\mathrm{n}$, and $\mathrm{V}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{y}$. However, these event classes are insufficient to fully capture the detailed formal modeling of the interactions involved in the EAP-TLS authentication protocol. Therefore, it is necessary to extend the set of event classes within the Logic of Events Theory and to establish corresponding rules for the newly introduced event classes. The original event classes are listed as follows:

$$\left\{\begin{array}{l}\mathrm{N}\mathrm{e}\mathrm{w}:\mathrm{E}\mathrm{C}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}(\mathrm{A}\mathrm{t}\mathrm{o}\mathrm{m})\\ \mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d},\mathrm{R}\mathrm{c}\mathrm{v}:\mathrm{E}\mathrm{C}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}(\mathrm{D}\mathrm{a}\mathrm{t}\mathrm{a})\\ \mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t},\mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}:\mathrm{E}\mathrm{C}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}(\mathrm{D}\mathrm{a}\mathrm{t}\mathrm{a})\\ \mathrm{S}\mathrm{i}\mathrm{g}\mathrm{n},\mathrm{V}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{y}:\mathrm{E}\mathrm{C}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}(\mathrm{D}\mathrm{a}\mathrm{t}\mathrm{a})\end{array}\right.$$

(9)

4.1.1. Definition of the Event Class $\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}$

Two data elements of Data type are compared; if they are equal, the result is true; otherwise, it is false. The formal definition and associated rules of the Compare event class are given as follows:

$$\left(\begin{array}{l}\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}:\mathrm{E}\mathrm{C}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}(\mathrm{D}\mathrm{a}\mathrm{t}\mathrm{a}\times \mathrm{B}\mathrm{o}\mathrm{o}\mathrm{l})\\ \forall \mathrm{A}:\mathrm{I}\mathrm{d}.\exists \mathrm{e}:\mathrm{E}(\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}).\mathrm{e} \mathrm{h}\mathrm{a}\mathrm{s} <\mathrm{a},\mathrm{b}>.\\ \mathrm{a}=\mathrm{b}\Rightarrow \mathrm{C}\mathrm{o}\mathrm{m}\mathrm{a}\mathrm{r}\mathrm{e}(\mathrm{e})=<<\mathrm{a},\mathrm{b}>,\mathrm{t}\mathrm{r}\mathrm{u}\mathrm{e}>.\\ \mathrm{a}\ne \mathrm{b}\Rightarrow \mathrm{C}\mathrm{o}\mathrm{m}\mathrm{a}\mathrm{r}\mathrm{e}(\mathrm{e})=<<\mathrm{a},\mathrm{b}>,\mathrm{f}\mathrm{a}\mathrm{l}\mathrm{s}\mathrm{e}>.\end{array}\right)$$

(10)

4.1.2. Definition of the Event Class $\mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}$

By applying a pseudorandom function algorithm to multiple random number inputs, secure key material is generated to derive a temporary session key. These keys typically have a defined security lifetime. The communicating entities jointly derive the temporary session key, which is then used to generate authentication messages or verify the peer’s authentication messages. The formal definition of the $\mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}$ event class is provided as follows:

$$\left(\begin{array}{l}\mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}:\mathrm{E}\mathrm{C}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}(<\mathrm{A}\mathrm{t}\mathrm{o}{\mathrm{m}}_1,\mathrm{A}\mathrm{t}\mathrm{o}{\mathrm{m}}_2,\dots ,\mathrm{A}\mathrm{t}\mathrm{o}{\mathrm{m}}_{\mathrm{n}}>\times \mathrm{K}\mathrm{e}\mathrm{y})\\ \forall \mathrm{A}:\mathrm{I}\mathrm{d}.\forall {\mathrm{e}}_1:\mathrm{E}(\mathrm{R}\mathrm{c}\mathrm{v})\vee \mathrm{E}(\mathrm{N}\mathrm{e}\mathrm{w}).{\mathrm{e}}_1 \mathrm{h}\mathrm{a}\mathrm{s} <{\mathrm{R}}_1,{\mathrm{R}}_2,{\mathrm{R}}_3>.\\ \exists {\mathrm{e}}_2:\mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}.\mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}({\mathrm{e}}_2)=(<{\mathrm{R}}_1,{\mathrm{R}}_2,{\mathrm{R}}_3>,\mathrm{K}).\end{array}\right)$$

(11)

4.1.3. Definition of the Event Class $\mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}$

Information is iteratively combined through the $\mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}$ event by applying a hash function, ensuring that no data are lost or overwritten during the process. The formal definition of the $\mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}$ event class is given as follows:

$$\left(\begin{array}{c}\mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}:\mathrm{E}\mathrm{C}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}(<\mathrm{D}\mathrm{a}\mathrm{t}{\mathrm{a}}_1,\mathrm{D}\mathrm{a}\mathrm{t}{\mathrm{a}}_2,\dots ,\mathrm{D}\mathrm{a}\mathrm{t}{\mathrm{a}}_{\mathrm{n}}>\times \mathrm{D}\mathrm{a}\mathrm{t}\mathrm{a})\\ \forall \mathrm{A}:\mathrm{I}\mathrm{d}.\exists {\mathrm{e}}_1:\mathrm{E}.{\mathrm{e}}_1 \mathrm{has} <\mathrm{a},\mathrm{b}>.\exists {\mathrm{e}}_2:\mathrm{Merge}.{\mathrm{e}}_1\stackrel{<\mathrm{a},\mathrm{b}>}{\to }{\mathrm{e}}_2\\ \mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}({\mathrm{e}}_2)=<<\mathrm{a},\mathrm{b}>,\mathrm{c}>.\end{array}\right)$$

(12)

The Merge event class satisfies the following rules:

$$\left(\begin{array}{c}\mathrm{R}\mathrm{u}\mathrm{l}\mathrm{e}\mathrm{M}:\\ \mathrm{A}:\mathrm{I}\mathrm{d}.\forall {\mathrm{e}}_1:\mathrm{E}(\mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}).\mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}({\mathrm{e}}_1)=<<\mathrm{a},\mathrm{b}>,\mathrm{c}>.\\ \exists {\mathrm{e}}_2:\mathrm{E}\wedge {\mathrm{e}}_1\stackrel{\mathrm{c}}{\to }{\mathrm{e}}_2\Rightarrow ({\mathrm{e}}_2 \mathrm{h}\mathrm{a}\mathrm{s} \mathrm{a})\wedge ({\mathrm{e}}_2 \mathrm{h}\mathrm{a}\mathrm{s} \mathrm{b})\end{array}\right)$$

(13)

If data elements a and b of type $\mathrm{D}\mathrm{a}\mathrm{t}\mathrm{a}$ are combined through event $\mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}({\mathrm{e}}_1)$ to produce c, and there exists an event ${\mathrm{e}}_2$ that is a successor of event ${\mathrm{e}}_1$, with data c flowing from event ${\mathrm{e}}_1$ to event ${\mathrm{e}}_2$, then it can be deduced that event ${\mathrm{e}}_2$ possesses both a and b.

4.1.4. Definition of the Event Class $\mathrm{P}\mathrm{R}\mathrm{F}$

In the protocol interaction process, entities may generate verification information not only using their own private keys but also by employing derived temporary keys. By applying a pseudorandom number algorithm and the entity’s temporary session key generated through event $\mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}$, $\mathrm{D}\mathrm{a}\mathrm{t}\mathrm{a}$ is computed to produce ${\mathrm{D}\mathrm{a}\mathrm{t}\mathrm{a}}^{\prime }$. The precise definition of event class $\mathrm{P}\mathrm{R}\mathrm{F}$ is given as follows:

$$\left(\begin{array}{l}\mathrm{P}\mathrm{R}\mathrm{F}:\mathrm{E}\mathrm{C}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}(\mathrm{D}\mathrm{a}\mathrm{t}\mathrm{a}\times \mathrm{I}\mathrm{d}\times \mathrm{K}\mathrm{e}\mathrm{y}\times {\mathrm{Data}}^{\prime })\\ \forall \mathrm{A}:\mathrm{I}\mathrm{d}.\exists {\mathrm{e}}_1:\mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}.\exists {\mathrm{e}}_2:\mathrm{P}\mathrm{R}\mathrm{F}.{\mathrm{e}}_1\stackrel{\mathrm{K}}{\to }{\mathrm{e}}_2\wedge \\ {\mathrm{e}}_2 \mathrm{has} \mathrm{a}.\mathrm{P}\mathrm{R}\mathrm{F}({\mathrm{e}}_2)=(\mathrm{a},\mathrm{A},\mathrm{K},{\mathrm{a}}^{\prime })\end{array}\right)$$

(14)

4.1.5. Definition of the Event Class $\mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F}$

After entity A generates the proof information using the temporary session key and the $\mathrm{P}\mathrm{R}\mathrm{F}$ event class, entity B verifies the proof information by employing the same temporary session key along with the $\mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F}$ event class. The formal definition of the $\mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F}$ event class is presented as follows:

$$\left(\begin{array}{c}\mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F}:\mathrm{E}\mathrm{C}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}(\mathrm{D}\mathrm{a}\mathrm{t}\mathrm{a}\times \mathrm{I}\mathrm{d}\times \mathrm{K}\mathrm{e}\mathrm{y}\times {\mathrm{Data}}^{\prime })\\ \exists \mathrm{A}:\mathrm{I}\mathrm{d}.\exists {\mathrm{e}}_1:\mathrm{E}(\mathrm{P}\mathrm{R}\mathrm{F}).\exists \mathrm{B}:\mathrm{I}\mathrm{d}.\exists {\mathrm{e}}_{\mathrm{n}}:\mathrm{E}(\mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F}).\\ {\mathrm{e}}_1\stackrel{{\mathrm{a}}^{\prime }}{\to }{\mathrm{e}}_2\dots \stackrel{{\mathrm{a}}^{\prime }}{\to }{\mathrm{e}}_{\mathrm{n}}.\\ \mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F}({\mathrm{e}}_{\mathrm{n}})=<\mathrm{a},\mathrm{B},\mathrm{K},{\mathrm{a}}^{\prime }>\end{array}\right)$$

(15)

4.2. Extension of Axiom System

4.2.1. Definition of the $\mathrm{AxiomTra}$

Based on the rules of the Compare event, the transitivity axiom can be derived as follows:

$$\left(\begin{array}{c}\text{AxiomTra1}:\\ \forall \mathrm{A}:\mathrm{I}\mathrm{d}.\forall {\mathrm{e}}_1:\mathrm{E}(\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}).\exists {\mathrm{e}}_2:\mathrm{E}(\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}).\\ ({\mathrm{e}}_1 \mathrm{has} <\mathrm{a},\mathrm{b}>)\wedge ({\mathrm{e}}_2 \mathrm{has} <\mathrm{b},\mathrm{c}>)\wedge \mathrm{Compare}({\mathrm{e}}_1)=<\mathrm{a},\mathrm{b},\mathrm{true}>\wedge \\ \mathrm{Compare}({\mathrm{e}}_2)=<\mathrm{b},\mathrm{c},\mathrm{true}>\Rightarrow \exists {\mathrm{e}}_3:\mathrm{E}(\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}).\mathrm{a}=\mathrm{c}\wedge \\ \mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}({\mathrm{e}}_3)=<\mathrm{a},\mathrm{c},\mathrm{t}\mathrm{r}\mathrm{u}\mathrm{e}>\end{array}\right)$$

(16)

$$\left(\begin{array}{c}\text{AxiomTra2}:\\ \forall \mathrm{A}:\mathrm{I}\mathrm{d}.\forall {\mathrm{e}}_1:\mathrm{E}(\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}).\exists {\mathrm{e}}_2:\mathrm{E}(\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}).\\ ({\mathrm{e}}_1 \mathrm{has} <\mathrm{a},\mathrm{b}>)\wedge ({\mathrm{e}}_2 \mathrm{has} <\mathrm{b},\mathrm{c}>)\wedge \mathrm{Compare}({\mathrm{e}}_1)=<\mathrm{a},\mathrm{b},\mathrm{true}>\wedge \\ \mathrm{Compare}({\mathrm{e}}_2)=<\mathrm{b},\mathrm{c},\mathrm{flase}>\Rightarrow \exists {\mathrm{e}}_3:\mathrm{E}(\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}).\mathrm{a}\ne \mathrm{c}\wedge \\ \mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}({\mathrm{e}}_3)=<\mathrm{a},\mathrm{c},\mathrm{f}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{e}>\end{array}\right)$$

(17)

The transitivity axiom $\mathrm{Tra}1$ states that for any event $\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}$ of type ${\mathrm{e}}_1$ belonging to entity A containing data elements a and b, and for another event ${\mathrm{e}}_2$ of the same type containing data elements b and c, if the comparison result of event $\mathrm{Compare}({\mathrm{e}}_1)$ is true and the comparison result of event $\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}({\mathrm{e}}_3)=$ $<\mathrm{a},\mathrm{c},\mathrm{t}\mathrm{r}\mathrm{u}\mathrm{e}>$ is also true, then $\mathrm{a}=\mathrm{c}$ holds.

The transitivity axiom $\mathrm{Tra}2$ states that for any event ${\mathrm{e}}_1$ of type $\mathrm{Compare}$ belonging to entity A containing data elements a and b, and another event ${\mathrm{e}}_1$ of the same type containing data elements b and c, if the comparison result of event $\mathrm{Compare}({\mathrm{e}}_1)$ is true while the comparison result of event $\mathrm{Compare}({\mathrm{e}}_2)$ is false, then $\mathrm{a}\ne \mathrm{c}$ holds, and the comparison result of event $\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}({\mathrm{e}}_3)=$ $<\mathrm{a},\mathrm{c},\mathrm{f}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{e}>$ is also false.

4.2.2. Definition of the Non-Derivability Axiom

Based on the definition of the $\mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}$ event, the non-derivability axiom can be derived as follows:

$$\left(\begin{array}{c}\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{N}\mathrm{D}\mathrm{e}\mathrm{r}:\\ \forall \mathrm{A}:\mathrm{I}\mathrm{d}.\forall {\mathrm{e}}_1:\mathrm{E}(\mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}).\mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}({\mathrm{e}}_1)=<<{\mathrm{r}}_1,{\mathrm{r}}_2,{\mathrm{r}}_3\dots {\mathrm{r}}_{\mathrm{n}}>,\mathrm{K}>\\ \exists \mathrm{I}:\mathrm{I}\mathrm{d}.\exists {\mathrm{e}}_2:\mathrm{E}(\mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}).{\mathrm{e}}_2\parallel {\mathrm{r}}_1\vee {\mathrm{e}}_2\parallel {\mathrm{r}}_2\vee {\mathrm{e}}_2\parallel {\mathrm{r}}_3\vee \dots {\mathrm{e}}_2\parallel {\mathrm{r}}_{\mathrm{n}}\Rightarrow {\mathrm{e}}_2\parallel \mathrm{K}\end{array}\right)$$

(18)

For any temporary session key derivation event ${\mathrm{e}}_1$ of entity A, where $<{\mathrm{r}}_1,{\mathrm{r}}_2,{\mathrm{r}}_3,\dots {\mathrm{r}}_{\mathrm{n}}>$ serves as the derivation material for the temporary session key, and for any entity I with a temporary session key derivation event ${\mathrm{e}}_2$, if the event ${\mathrm{e}}_2$ does not simultaneously possess all derivation materials in $<{\mathrm{r}}_1,{\mathrm{r}}_2,{\mathrm{r}}_3,\dots ,{\mathrm{r}}_{\mathrm{n}}>$—that is, if any part of the derivation material is missing—it will be impossible to independently derive the key K.

4.2.3. Extension of the Causal Axioms

Based on the relationships among the event classes $\mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F}$, $\mathrm{P}\mathrm{R}\mathrm{F}$, and $\mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}$, the Verify Axiom within the causal axioms is extended, and the Derive Axiom is introduced. The $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{D}\mathrm{e}\mathrm{r}$ is formally presented as follows:

$$\left(\begin{array}{c}\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{D}\mathrm{e}\mathrm{r}:\\ \forall {\mathrm{e}}_1:\mathrm{E}(\mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F})\vee \mathrm{E}(\mathrm{P}\mathrm{R}\mathrm{F}).\exists {\mathrm{e}}_2:\mathrm{E}(\mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}).\\ ({\mathrm{e}}_1 \mathrm{h}\mathrm{a}\mathrm{s} {\mathrm{k}}_1)\wedge ({\mathrm{e}}_2 \mathrm{h}\mathrm{a}\mathrm{s} {\mathrm{k}}_2).{\mathrm{e}}_2<{\mathrm{e}}_1\wedge {\mathrm{k}}_1={\mathrm{k}}_2\end{array}\right)$$

(19)

For any event class $\mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F}$ or $\mathrm{P}\mathrm{R}\mathrm{F}$, since both require the use of a temporary session key, a temporary session key derivation event must exist prior to the occurrence of either event. Moreover, the temporary session key utilized by the $\mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F}$ or $\mathrm{P}\mathrm{R}\mathrm{F}$ event classes is derived by the $\mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}$ event class.

The extension of the $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{V}$ within the causal axioms is presented as follows:

$$\left(\begin{array}{c}\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{V}\mathrm{P}:\\ \forall \mathrm{e}:\mathrm{E}(\mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F}).\exists {\mathrm{e}}^{\prime }:\mathrm{E}(\mathrm{P}\mathrm{R}\mathrm{F}).{\mathrm{e}}^{\prime }<\mathrm{e}\wedge \mathrm{V}\mathrm{P}\mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}(\mathrm{e},{\mathrm{e}}^{\prime })\end{array}\right)$$

(20)

Similar to the Verify Axiom $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{V}$, for any event of type $\mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F}$, there must exist a corresponding event of type $\mathrm{P}\mathrm{R}\mathrm{F}$, which generates the verification information. This $\mathrm{P}\mathrm{R}\mathrm{F}$ event occurs prior to the $\mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F}$ event, and the contents of the two events must match.

5. Formal Analysis of the EAP-TLS Protocol

The EAP-TLS protocol is a certificate-based security authentication protocol operating at the transport layer, with four main entities involved: the User Equipment (UE), the Security Anchor Function (SEAF), the Authentication Server Function (AUSF), and the Unified Data Management (UDM). Among them, SEAF serves as the security anchor function module within the Serving Name (SN), acting as an “intermediary” during the authentication process between the UE and the home network, and relying on the UE’s home network for identity verification. AUSF and UDM are two key functional modules within the HN (Home Network); the AUSF, functioning as the authentication server, is responsible for making decisions during the UE’s authentication process, while the UDM handles unified data management functions.

The communication among SEAF and HN modules is through a secure wired link. Even if the intruder can eavesdrop on the channel, the key credentials and the decision logic of the protocol are protected by the cryptographic mechanism, and the attacker needs to break through the event-dependent path of the model, so it is difficult for the intruder to break the authentication mechanism of the protocol. The correctness of the authentication verification is not affected by abstracting the communication channel of the core network internal module as a trusted channel, and the SEAF, AUSF, and UDM modules are abstracted as core network (NW) entities and the UE as another entity. The following analysis formally examines the security of communications between these two entities: the UE and the NW.

5.1. Introduction to the Protocol Model

Based on the protocol development documentation and the modeling approach described in Reference [15], the specific interaction model of the EAP-TLS protocol is depicted in Figure 2.

The user UE encrypts its unique subscription identifier SUPI and the generated random number ${\mathrm{R}}_{\mathrm{U}\mathrm{E}1}$ through the public key of the core network NW and then sends it to NW for verification. After verification is completed, NW sends TLS to start the handshake process. UE generates a random number ${\mathrm{R}}_{\mathrm{U}\mathrm{E}2}$ and selects the method $\mathrm{M}\mathrm{e}\mathrm{t}\mathrm{h}\mathrm{o}\mathrm{d}\mathrm{s}\_\mathrm{N}\mathrm{W}$ used in the authentication process for NW. Subsequently, NW sends its own random number ${\mathrm{R}}_{\mathrm{N}\mathrm{W}}$, certificate $\mathrm{C}\mathrm{e}\mathrm{r}\_\mathrm{N}\mathrm{W}$, and authentication method $\mathrm{M}\mathrm{e}\mathrm{t}\mathrm{h}\mathrm{o}\mathrm{d}\mathrm{s}\_\mathrm{N}\mathrm{W}$ to UE. After UE verifies NW’s certificate, it derives a temporary key ${\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}}$ through the PRF algorithm and random numbers ${\mathrm{R}}_{\mathrm{U}\mathrm{E}2},{\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}},{\mathrm{R}}_{\mathrm{N}\mathrm{W}}$.

During the derivation of the temporary session key, Zhang et al. [15] abstracted the key as a session key ${\mathrm{K}}_{\mathrm{S}\mathrm{E}\mathrm{A}\mathrm{F}}$. However, according to the development documentation, ${\mathrm{K}}_{\mathrm{S}\mathrm{E}\mathrm{A}\mathrm{F}}$ is the session key generated only after both entities complete mutual authentication; the key derived at this stage should actually be the temporary key ${\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}}$.

UE generates handshake information and encrypts it with the temporary key ${\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}}$, then encrypts the random number ${\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}}$ with NW’s public key and sends it to NW. After receiving it, NW verifies the UE certificate in the same way, derives a temporary session key ${\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}}$, generates handshake information, and compares it with the other party’s handshake information to complete the other party’s identity verification, and then sends its own handshake information to UE. UE verifies the handshake information. After success, both parties use the KDF algorithm and a random number ${\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}}$ to generate a session key ${\mathrm{K}}_{\mathrm{S}\mathrm{E}\mathrm{A}\mathrm{F}}$ for both parties to conduct sessions and complete two-way authentication. The specific field information definitions and explanations in the figure are shown as

Table 3. EAP-TLS protocol field information.

Field	Semantics	Field	Semantics
UE	User Equipment	NW	Core network
SUPI	The permanent unique identifier of the subscriber	$\mathrm{H}\mathrm{S}\_\mathrm{U}\mathrm{E}$	Handshake messages from UE
${\mathrm{R}}_{\mathrm{U}\mathrm{E}1}$	The random number generated by the UE	${\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}}$	Pre-master key random number generated by the UE
$\mathrm{p}{\mathrm{k}}_{\mathrm{N}\mathrm{W}}$	Public key of the core network (NW)	$\mathrm{C}\mathrm{e}\mathrm{r}\_\mathrm{U}\mathrm{E}$	Certificate of the UE
TLS	The handshake process initiation flag, which is subsequently abstracted as a random number	$\mathrm{H}\mathrm{S}\_\mathrm{N}\mathrm{W}$	Handshake messages from the NW
${\mathrm{R}}_{\mathrm{U}\mathrm{E}2}$	The random number generated by the UE	$\mathrm{C}\mathrm{e}\mathrm{r}\_\mathrm{N}\mathrm{W}$	Certificate of the NW
$\mathrm{M}\mathrm{e}\mathrm{t}\mathrm{h}\mathrm{o}\mathrm{d}\mathrm{s}\_\mathrm{U}\mathrm{E}$	Authentication method chosen by the User Equipment (UE)	$\mathrm{M}\mathrm{e}\mathrm{t}\mathrm{h}\mathrm{o}\mathrm{d}\mathrm{s}\_\mathrm{N}\mathrm{W}$	Authentication method of the NW
${\mathrm{R}}_{\mathrm{N}\mathrm{W}}$	Random number generated by the core network (NW)	${\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}}$	Derived temporary session key

.

5.2. Verification of Strong Authentication of the Protocol Based on the Logic of Events Theory

Based on the interaction model of the EAP-TLS protocol, the protocol’s formal model constructed using the Logic of Events Theory is illustrated in Figure 3.

The strong authentication requirements that the protocol must satisfy are defined using the Logic of Events Theory, and a bidirectional strong authentication verification is performed on the EAP-TLS protocol. First, according to the concept of basic sequences, the protocol’s basic sequences are arranged, with the basic sequence of the sender UE designated as ${\mathrm{I}}_{\mathrm{n}}$, as formally expressed below:

$$\left(\begin{array}{l}{\mathrm{I}}_1=\mathrm{N}\mathrm{e}\mathrm{w}({\mathrm{R}}_{\mathrm{U}\mathrm{E}1}),\mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}(<\mathrm{S}\mathrm{U}\mathrm{P}\mathrm{I},{\mathrm{R}}_{\mathrm{U}\mathrm{E}1}>,\mathrm{P}{\mathrm{K}}_{\mathrm{N}\mathrm{W}},\mathrm{S}\mathrm{U}\mathrm{C}\mathrm{I}),\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}(\mathrm{S}\mathrm{U}\mathrm{C}\mathrm{I})\\ {\mathrm{I}}_2={\mathrm{I}}_1,\mathrm{R}\mathrm{c}\mathrm{v}({\mathrm{R}}_{\mathrm{T}\mathrm{L}\mathrm{S}})\\ {\mathrm{I}}_3={\mathrm{I}}_2,\mathrm{N}\mathrm{e}\mathrm{w}({\mathrm{R}}_{\mathrm{U}\mathrm{E}2}),\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}(<{\mathrm{R}}_{\mathrm{U}\mathrm{E}2},\mathrm{M}\mathrm{e}\mathrm{t}\mathrm{h}\mathrm{o}\mathrm{d}{\mathrm{s}}_{\mathrm{U}\mathrm{E}}>)\\ {\mathrm{I}}_4={\mathrm{I}}_3,\mathrm{R}\mathrm{c}\mathrm{v}(<{\mathrm{R}}_{\mathrm{N}\mathrm{W}},\mathrm{M}\mathrm{e}\mathrm{t}\mathrm{h}\mathrm{o}\mathrm{d}{\mathrm{s}}_{\mathrm{N}\mathrm{W}},\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{N}\mathrm{W}}>)\\ {\mathrm{I}}_5={\mathrm{I}}_4,\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}(\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{N}\mathrm{W}},{{\mathrm{Cer}}^{\prime }}_{\mathrm{N}\mathrm{W}},\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{u}\mathrm{l}{\mathrm{t}}_1),\mathrm{N}\mathrm{e}\mathrm{w}({\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}}),\\ \mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}(<{\mathrm{R}}_{\mathrm{U}\mathrm{E}2},{\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}},{\mathrm{R}}_{\mathrm{N}\mathrm{W}}>,{\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}}),\mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}({\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}},\mathrm{P}{\mathrm{K}}_{\mathrm{N}\mathrm{W}},{\mathrm{S}}_1),\\ \mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}(\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}(\mathrm{H}\mathrm{S}\_\mathrm{U}\mathrm{E}),{\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}},{\mathrm{S}}_2),\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}(<{\mathrm{S}}_1,\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{U}\mathrm{E}},{\mathrm{S}}_2>)\\ {\mathrm{I}}_6={\mathrm{I}}_5,\mathrm{R}\mathrm{c}\mathrm{v}({\mathrm{S}}_3)\\ {\mathrm{I}}_7={\mathrm{I}}_6,\mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}(\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}(\mathrm{H}\mathrm{S}\_\mathrm{N}\mathrm{W},{\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}},{\mathrm{S}}_3),\\ \mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}(\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}(\mathrm{H}\mathrm{S}\_\mathrm{U}\mathrm{E}),\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}(\mathrm{H}\mathrm{S}\_\mathrm{N}\mathrm{W}),\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{u}\mathrm{l}{\mathrm{t}}_4)\end{array}\right)$$

(21)

The basic sequence of the responder NW is designated as ${\mathrm{R}}_{\mathrm{n}}$, as formally expressed below:

$$\left(\begin{array}{l}{\mathrm{R}}_1=\mathrm{R}\mathrm{c}\mathrm{v}(\mathrm{S}\mathrm{U}\mathrm{C}\mathrm{I})\\ {\mathrm{R}}_2={\mathrm{R}}_1,\mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}(<\mathrm{S}\mathrm{U}\mathrm{P}\mathrm{I},{\mathrm{R}}_{\mathrm{U}\mathrm{E}1}>,\mathrm{S}{\mathrm{K}}_{\mathrm{N}\mathrm{W}},\mathrm{S}\mathrm{U}\mathrm{C}\mathrm{I}),\mathrm{N}\mathrm{e}\mathrm{w}({\mathrm{R}}_{\mathrm{T}\mathrm{L}\mathrm{S}}),\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}({\mathrm{R}}_{\mathrm{T}\mathrm{L}\mathrm{S}})\\ {\mathrm{R}}_3={\mathrm{R}}_2,\mathrm{R}\mathrm{c}\mathrm{v}(<{\mathrm{R}}_{\mathrm{U}\mathrm{E}2},\mathrm{M}\mathrm{e}\mathrm{t}\mathrm{h}\mathrm{o}\mathrm{d}{\mathrm{s}}_{\mathrm{U}\mathrm{E}}>) \\ {\mathrm{R}}_4={\mathrm{R}}_3,\mathrm{N}\mathrm{e}\mathrm{w}({\mathrm{R}}_{\mathrm{N}\mathrm{W}}),\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}(<{\mathrm{R}}_{\mathrm{N}\mathrm{W}},\mathrm{M}\mathrm{e}\mathrm{t}\mathrm{h}\mathrm{o}\mathrm{d}{\mathrm{s}}_{\mathrm{N}\mathrm{W}},\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{N}\mathrm{W}}>)\\ {\mathrm{R}}_5={\mathrm{R}}_4,\mathrm{R}\mathrm{c}\mathrm{v}(<{\mathrm{S}}_1,\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{U}\mathrm{E}},{\mathrm{S}}_2>) \\ {\mathrm{R}}_6={\mathrm{R}}_5,\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}(\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{U}\mathrm{E}},{{\mathrm{Cer}}^{\prime }}_{\mathrm{U}\mathrm{E}},\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{u}\mathrm{l}{\mathrm{t}}_2),\mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}({\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}},\mathrm{S}{\mathrm{K}}_{\mathrm{N}\mathrm{W}},{\mathrm{S}}_1),\\ \mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}(<{\mathrm{R}}_{\mathrm{U}\mathrm{E}2},{\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}},{\mathrm{R}}_{\mathrm{N}\mathrm{W}}>,{\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}}),\mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}(\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}(\mathrm{H}\mathrm{S}\_\mathrm{U}\mathrm{E},{\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}},{\mathrm{S}}_2),\\ \mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}(\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}(\mathrm{H}\mathrm{S}\_\mathrm{U}\mathrm{E}),\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}(\mathrm{H}\mathrm{S}\_\mathrm{N}\mathrm{W}),\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{u}\mathrm{l}{\mathrm{t}}_3),\\ \mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}(\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}(\mathrm{H}\mathrm{S}\_\mathrm{N}\mathrm{W}),{\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}},{\mathrm{S}}_3),\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}({\mathrm{S}}_3)\end{array}\right)$$

(22)

After dividing the basic sequence of the protocol, the proof is carried out according to the core axioms and rules of the LoET, and the specific proof process is shown in Appendix B.1. Based on the verification of LoET, it can be concluded that the EAP-TLS protocol does not satisfy the strong authentication property.

5.3. Protocol Attack Path

Based on the analysis using the Logic of Events Theory, since there are no matching events in basic sequences ${\mathrm{R}}_2$ and ${\mathrm{I}}_3$ and ${\mathrm{R}}_4$ and ${\mathrm{I}}_5$, the EAP-TLS protocol transmits messages in plaintext during the authentication process; the resulting man-in-the-middle attack paths are shown in Figure 4.

The present study adopted the Dolev–Yao threat model [2], in which the attacker has the following capabilities: the attacker can intercept and modify any plaintext message in the network; the attacker can act as a legitimate entity within the network and initiate conversations with other users; the attacker can receive messages sent by any entity in the network; and the attacker can impersonate any entity to send messages to other honest entities.

The information highlighted in red in the figure represents abnormal messages intercepted and modified by the intruder, as well as the erroneous handshake messages.

In the first step, UE encrypts its SUPI along with a random number R_UE1 and sends them to NW. The intruder can only forward the encrypted message. After receiving the encrypted message, the NW sends the TLS start message in plaintext during the third step, resulting in interception by the intruder and tampering as TLS′ to send to the UE in the fourth step.

In step 5, UE sends its own verification method (Methods_UE) and random number R_UE2 in plaintext, and the intruder intercepts and tampers with the tampered messages R′_UE2 and Methods′_UE to NW. NW sends its own random number R_NW, certificate Cer_NW, and verification method Methods_NW in plaintext at step 7.

The intruder intercepts the message at step 8 and tampers with the random number of NW to R′_NW, verifying method Methods′_NW. The UE generates the wrong temporary session key K′_session and the wrong handshake information based on the tampering information of the intruder in step 9.

The intruder tampered with the derived key K′_session to K″_session in step 10, and then NW derived the wrong temporary session key K′_session based on the tampered information and verified the tampered handshake information. Then, the wrong handshake information is sent to the intruder in step 13 to establish a session with the intruder, and the session key K_SEAF is derived, and the intruder succeeds in the attack.

5.4. Protocol Improvement Strategy

This study addresses vulnerabilities in the protocol interaction process by referencing the development documentation and the method described in [20], which involves progressively hashing and merging handshake messages to generate handshake verification information. The specific operations for improving the protocol regarding the attack path are marked in green font. The specific improved model is illustrated in Figure 5.

Messages 2, 3, and 4 at the handshake initiation phase are encrypted using the counterpart entities’ public keys to protect TLS, random numbers ${\mathrm{R}}_{\mathrm{U}\mathrm{E}2},{\mathrm{R}}_{\mathrm{N}\mathrm{W}}$, the UE’s authentication method $\mathrm{M}\mathrm{e}\mathrm{t}\mathrm{h}\mathrm{o}\mathrm{d}\mathrm{s}\_\mathrm{U}\mathrm{E}$, and the NW’s authentication method $\mathrm{M}\mathrm{e}\mathrm{t}\mathrm{h}\mathrm{o}\mathrm{d}\mathrm{s}\_\mathrm{N}\mathrm{W}$ from tampering by adversaries. In steps 5 and 7, UE and NW, respectively, sign the handshake messages, iteratively compute the signature information through hash merging, and generate verification information, significantly enhancing message integrity and security. In step 7, NW verifies the verification information ${{\mathrm{M}}_2}^{\prime }$ sent by UE using the temporary key; upon successful verification, NW generates handshake verification information ${{\mathrm{M}}_3}^{\prime }$ using the temporary key and sends it to UE. After UE completes verification, both parties derive the session key ${\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}}$ from the pre-master key ${\mathrm{K}}_{\mathrm{S}\mathrm{E}\mathrm{A}\mathrm{F}}$ via the KDF algorithm to communicate, thus successfully completing mutual authentication.

The strong authentication property of the improved protocol will be formally analyzed and verified using the Logic of Events Theory in the next section.

6. Formal Analysis of the Improved EAP-TLS Protocol

6.1. Proof of Strong Authentication for EAP-TLS

The protocol model is abstracted using the Logic of Events Theory, as illustrated in the following Figure 6.

To verify the strong authentication property of the improved EAP-TLS protocol, it is necessary to define the protocol’s basic sequences. By analyzing the EAP-TLS protocol shown in the figure above, the following basic sequences for the initiator and responder can be identified. The basic sequence for the initiator is illustrated below:

$$\left(\begin{array}{l}{\mathrm{I}}_1=\mathrm{N}\mathrm{e}\mathrm{w}({\mathrm{R}}_{\mathrm{U}\mathrm{E}1}),\mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}(<\mathrm{S}\mathrm{U}\mathrm{P}\mathrm{I},{\mathrm{R}}_{\mathrm{U}\mathrm{E}1}>,\mathrm{P}{\mathrm{K}}_{\mathrm{N}\mathrm{W}},\mathrm{S}\mathrm{U}\mathrm{C}\mathrm{I}),\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}(\mathrm{S}\mathrm{U}\mathrm{C}\mathrm{I})\\ {\mathrm{I}}_2={\mathrm{I}}_1,\mathrm{R}\mathrm{c}\mathrm{v}({{\mathrm{R}}^{\prime }}_{\mathrm{T}\mathrm{L}\mathrm{S}})\\ {\mathrm{I}}_3={\mathrm{I}}_2,\mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}({\mathrm{R}}_{\mathrm{T}\mathrm{L}\mathrm{S}},\mathrm{S}{\mathrm{K}}_{\mathrm{U}\mathrm{E}},{{\mathrm{R}}^{\prime }}_{\mathrm{T}\mathrm{L}\mathrm{S}}),\mathrm{N}\mathrm{e}\mathrm{w}({\mathrm{R}}_{\mathrm{U}\mathrm{E}2}),\\ \mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}(<{\mathrm{R}}_{\mathrm{U}\mathrm{E}2},\mathrm{M}\mathrm{e}\mathrm{t}\mathrm{h}\mathrm{o}\mathrm{d}{\mathrm{s}}_{\mathrm{U}\mathrm{E}}>,\mathrm{P}{\mathrm{K}}_{\mathrm{N}\mathrm{W}},{\mathrm{S}}_1),\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}({\mathrm{S}}_1)\\ {\mathrm{I}}_4={\mathrm{I}}_3,\mathrm{R}\mathrm{c}\mathrm{v}(<{\mathrm{S}}_2,\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{N}\mathrm{W}}>)\\ {\mathrm{I}}_5={\mathrm{I}}_4,\mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}(<{\mathrm{R}}_{\mathrm{N}\mathrm{W}},\mathrm{M}\mathrm{e}\mathrm{t}\mathrm{h}\mathrm{o}\mathrm{d}{\mathrm{s}}_{\mathrm{N}\mathrm{W}}>,\mathrm{S}{\mathrm{K}}_{\mathrm{U}\mathrm{E}},{\mathrm{S}}_2),\\ \mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}(\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{N}\mathrm{W}},{{\mathrm{Cer}}^{\prime }}_{\mathrm{N}\mathrm{W}},\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{u}\mathrm{l}{\mathrm{t}}_1),\mathrm{N}\mathrm{e}\mathrm{w}({\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}})\\ \mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}(<{\mathrm{R}}_{\mathrm{U}\mathrm{E}2},{\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}},{\mathrm{R}}_{\mathrm{N}\mathrm{W}}>,{\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}}),\mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}({\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}},\mathrm{P}{\mathrm{K}}_{\mathrm{N}\mathrm{W}},{\mathrm{S}}_3),\\ \mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}(<{\mathrm{R}}_{\mathrm{U}\mathrm{E}2},{\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}},{\mathrm{R}}_{\mathrm{N}\mathrm{W}},\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{U}\mathrm{E}},\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{N}\mathrm{W}}>,{\mathrm{M}}_1)\\ \mathrm{S}\mathrm{i}\mathrm{g}\mathrm{n}(\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}({\mathrm{M}}_1),\mathrm{U}\mathrm{E},{{\mathrm{M}}_1}^{\prime }),\mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}(<{\mathrm{M}}_1,{{\mathrm{M}}_1}^{\prime }>,{\mathrm{M}}_2),\\ \mathrm{P}\mathrm{R}\mathrm{F}(\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}({\mathrm{M}}_2),{\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}},\mathrm{U}\mathrm{E},{{\mathrm{M}}_2}^{\prime }),\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}(<{\mathrm{S}}_3,\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{U}\mathrm{E}},{{\mathrm{M}}_1}^{\prime },{{\mathrm{M}}_2}^{\prime }>)\\ {\mathrm{I}}_6={\mathrm{I}}_5,\mathrm{R}\mathrm{c}\mathrm{v}({{\mathrm{M}}_3}^{\prime })\\ {\mathrm{I}}_7={\mathrm{I}}_6,\mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}(<{\mathrm{M}}_2,{{\mathrm{M}}_2}^{\prime }>,{\mathrm{M}}_3),\mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F}(\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}({\mathrm{M}}_3),{\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}},\mathrm{N}\mathrm{W},{{\mathrm{M}}_3}^{\prime })\end{array}\right)$$

(23)

The basic sequence for the responder is given as follows:

$$\left(\begin{array}{l}{\mathrm{R}}_1=\mathrm{R}\mathrm{c}\mathrm{v}(\mathrm{S}\mathrm{U}\mathrm{C}\mathrm{I})\\ {\mathrm{R}}_2={\mathrm{R}}_1,\mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}(<\mathrm{S}\mathrm{U}\mathrm{P}\mathrm{I},{\mathrm{R}}_{\mathrm{U}\mathrm{E}1}>,\mathrm{S}{\mathrm{K}}_{\mathrm{N}\mathrm{W}},\mathrm{S}\mathrm{U}\mathrm{C}\mathrm{I}),\mathrm{N}\mathrm{e}\mathrm{w}({\mathrm{R}}_{\mathrm{T}\mathrm{L}\mathrm{S}}),\\ \mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}({\mathrm{R}}_{\mathrm{T}\mathrm{L}\mathrm{S}},\mathrm{P}{\mathrm{K}}_{\mathrm{U}\mathrm{E}},{{\mathrm{R}}^{\prime }}_{\mathrm{T}\mathrm{L}\mathrm{S}}),\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}({{\mathrm{R}}^{\prime }}_{\mathrm{T}\mathrm{L}\mathrm{S}})\\ {\mathrm{R}}_3={\mathrm{R}}_2,\mathrm{R}\mathrm{c}\mathrm{v}({\mathrm{S}}_1) \\ {\mathrm{R}}_4={\mathrm{R}}_3,\mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}(<{\mathrm{R}}_{\mathrm{U}\mathrm{E}2},\mathrm{M}\mathrm{e}\mathrm{t}\mathrm{h}\mathrm{o}\mathrm{d}{\mathrm{s}}_{\mathrm{U}\mathrm{E}}>,\mathrm{S}{\mathrm{K}}_{\mathrm{N}\mathrm{W}},{\mathrm{S}}_1),\mathrm{N}\mathrm{e}\mathrm{w}({\mathrm{R}}_{\mathrm{N}\mathrm{W}}),\\ \mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}(<{\mathrm{R}}_{\mathrm{N}\mathrm{W}},\mathrm{M}\mathrm{e}\mathrm{t}\mathrm{h}\mathrm{o}\mathrm{d}{\mathrm{s}}_{\mathrm{N}\mathrm{W}}>,\mathrm{P}{\mathrm{K}}_{\mathrm{U}\mathrm{E}},{\mathrm{S}}_2),\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}(<{\mathrm{S}}_2,\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{N}\mathrm{W}}>)\\ {\mathrm{R}}_5={\mathrm{R}}_4,\mathrm{R}\mathrm{c}\mathrm{v}(<{\mathrm{S}}_3,\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{U}\mathrm{E}},{{\mathrm{M}}_1}^{\prime },{{\mathrm{M}}_2}^{\prime }>) \\ {\mathrm{R}}_6={\mathrm{R}}_5,\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}(\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{U}\mathrm{E}},{{\mathrm{Cer}}^{\prime }}_{\mathrm{U}\mathrm{E}},\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{u}\mathrm{l}{\mathrm{t}}_2),\mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}({\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}},\mathrm{S}{\mathrm{K}}_{\mathrm{N}\mathrm{W}},{\mathrm{S}}_3),\\ \mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}(<{\mathrm{R}}_{\mathrm{U}\mathrm{E}2},{\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}},{\mathrm{R}}_{\mathrm{N}\mathrm{W}}>,{\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}}),\\ \mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}(<{\mathrm{R}}_{\mathrm{U}\mathrm{E}2},{\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}},{\mathrm{R}}_{\mathrm{N}\mathrm{W}},\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{U}\mathrm{E}},\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{N}\mathrm{W}}>,{\mathrm{M}}_1),\\ \mathrm{V}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{y}(\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}({\mathrm{M}}_1),\mathrm{U}\mathrm{E},{{\mathrm{M}}_1}^{\prime }),\mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}(<{\mathrm{M}}_1,{{\mathrm{M}}_1}^{\prime }>,{\mathrm{M}}_2),\\ \mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F}(\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}({\mathrm{M}}_2),{\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}},\mathrm{U}\mathrm{E},{{\mathrm{M}}_2}^{\prime }),\mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}(<{\mathrm{M}}_2,{{\mathrm{M}}_2}^{\prime }>,{\mathrm{M}}_3),\\ \mathrm{P}\mathrm{R}\mathrm{F}(\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}({\mathrm{M}}_3),{\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}},\mathrm{N}\mathrm{W},{{\mathrm{M}}_3}^{\prime }) ,\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}({{\mathrm{M}}_3}^{\prime })\end{array}\right)$$

(24)

The EAP-TLS protocol (abbreviated as ET protocol) can be defined as $\mathrm{P}\mathrm{r}\mathrm{o}\mathrm{t}\mathrm{o}\mathrm{c}\mathrm{o}\mathrm{l}([{\mathrm{I}}_1,{\mathrm{I}}_2,{\mathrm{I}}_3,{\mathrm{I}}_4,{\mathrm{I}}_5,{\mathrm{I}}_6,{\mathrm{I}}_7,{\mathrm{R}}_1,{\mathrm{R}}_2.{\mathrm{R}}_3.{\mathrm{R}}_4.{\mathrm{R}}_5.{\mathrm{R}}_6])$ according to the partitioning of the basic sequences I and R. In the Logic of Events Theory, both protocol entities must simultaneously satisfy the strong authentication property to ensure that the protocol as a whole achieves strong authentication. The strong authentication property to be verified is $\mathrm{E}\mathrm{T}|=\mathrm{a}\mathrm{u}\mathrm{t}\mathrm{h}({\mathrm{I}}_6,6)\wedge \mathrm{E}\mathrm{T}|=\mathrm{a}\mathrm{u}\mathrm{t}\mathrm{h}({\mathrm{R}}_6,5)$. The following provides the bidirectional proof of the protocol:

First, $\mathrm{E}\mathrm{T}|=\mathrm{a}\mathrm{u}\mathrm{t}\mathrm{h}({\mathrm{I}}_6,6)$ is proved by assuming honest entities $\mathrm{U}\mathrm{E}\ne \mathrm{N}\mathrm{W}$ (hereafter denoted as A and B), both of whom follow the ET mutual authentication protocol. According to the definition of basic sequences, a thread is an instance of a basic sequence. Let $\mathrm{t}\mathrm{h}{\mathrm{r}}_1$ be an instance of ${\mathrm{I}}_7$, defined as the sequence of events on thread $\mathrm{t}\mathrm{h}{\mathrm{r}}_1$, with the event sequence given as follows:

$$\left(\begin{array}{c}{\mathrm{e}}_0{<}_{\mathrm{l}\mathrm{o}\mathrm{c}}{\mathrm{e}}_1{<}_{\mathrm{l}\mathrm{o}\mathrm{c}}{\mathrm{e}}_2{<}_{\mathrm{l}\mathrm{o}\mathrm{c}}{\mathrm{e}}_3{<}_{\mathrm{l}\mathrm{o}\mathrm{c}}{\mathrm{e}}_4{<}_{\mathrm{l}\mathrm{o}\mathrm{c}}{\mathrm{e}}_5\dots {<}_{\mathrm{l}\mathrm{o}\mathrm{c}}{\mathrm{e}}_{20}\\ \mathrm{N}\mathrm{e}\mathrm{w}({\mathrm{e}}_0)={\mathrm{R}}_{\mathrm{U}\mathrm{E}1}\wedge \mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}({\mathrm{e}}_1)=<<\mathrm{S}\mathrm{U}\mathrm{P}\mathrm{I},{\mathrm{R}}_{\mathrm{U}\mathrm{E}1}>,\mathrm{P}{\mathrm{K}}_{\mathrm{N}\mathrm{W}},\mathrm{S}\mathrm{U}\mathrm{C}\mathrm{I}>\wedge \\ \mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}({\mathrm{e}}_2)=\mathrm{S}\mathrm{U}\mathrm{C}\mathrm{I}\wedge \mathrm{R}\mathrm{c}\mathrm{v}({\mathrm{e}}_3)={{\mathrm{R}}^{\prime }}_{\mathrm{T}\mathrm{L}\mathrm{S}}\wedge \mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}({\mathrm{e}}_4)=<{\mathrm{R}}_{\mathrm{T}\mathrm{L}\mathrm{S}},\mathrm{S}{\mathrm{K}}_{\mathrm{U}\mathrm{E}},{{\mathrm{R}}^{\prime }}_{\mathrm{T}\mathrm{L}\mathrm{S}}>\wedge \\ \mathrm{N}\mathrm{e}\mathrm{w}({\mathrm{e}}_5)={\mathrm{R}}_{\mathrm{U}\mathrm{E}2}\wedge \mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}({\mathrm{e}}_6)=<<{\mathrm{R}}_{\mathrm{U}\mathrm{E}2},\mathrm{M}\mathrm{e}\mathrm{t}\mathrm{h}\mathrm{o}\mathrm{d}{\mathrm{s}}_{\mathrm{U}\mathrm{E}}>,\mathrm{P}{\mathrm{K}}_{\mathrm{N}\mathrm{W}},{\mathrm{S}}_1>\wedge \\ \mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}({\mathrm{e}}_7)={\mathrm{S}}_1\wedge \mathrm{R}\mathrm{c}\mathrm{v}({\mathrm{e}}_8)=<{\mathrm{S}}_2,\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{N}\mathrm{W}}>\wedge \mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}({\mathrm{e}}_9)=\\ <<{\mathrm{R}}_{\mathrm{N}\mathrm{W}},\mathrm{M}\mathrm{e}\mathrm{t}\mathrm{h}\mathrm{o}\mathrm{d}{\mathrm{s}}_{\mathrm{N}\mathrm{W}}>,\mathrm{S}{\mathrm{K}}_{\mathrm{U}\mathrm{E}},{\mathrm{S}}_2>\wedge \mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}({\mathrm{e}}_{10})=\\ <\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{N}\mathrm{W}},{{\mathrm{Cer}}^{\prime }}_{\mathrm{N}\mathrm{W}},\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{u}\mathrm{l}{\mathrm{t}}_1>\wedge \mathrm{N}\mathrm{e}\mathrm{w}({\mathrm{e}}_{11})={\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}}\wedge \mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}({\mathrm{e}}_{12})=\\ <<{\mathrm{R}}_{\mathrm{U}\mathrm{E}2},{\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}},{\mathrm{R}}_{\mathrm{N}\mathrm{W}}>,{\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}}>\wedge \mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}({\mathrm{e}}_{13})=<{\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}},\mathrm{P}{\mathrm{K}}_{\mathrm{N}\mathrm{W}},{\mathrm{S}}_3>\wedge \\ \mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}({\mathrm{e}}_{14})=<<{\mathrm{R}}_{\mathrm{U}\mathrm{E}2},{\mathrm{R}}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}},{\mathrm{R}}_{\mathrm{N}\mathrm{W}},\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{U}\mathrm{E}},\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{N}\mathrm{W}}>,{\mathrm{M}}_1>\wedge \mathrm{S}\mathrm{i}\mathrm{g}\mathrm{n}({\mathrm{e}}_{15})=\\ <\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}({\mathrm{M}}_1),\mathrm{U}\mathrm{E},{{\mathrm{M}}_1}^{\prime }>\wedge \mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}({\mathrm{e}}_{16})=<<{\mathrm{M}}_1,{{\mathrm{M}}_1}^{\prime }>,{\mathrm{M}}_2>\wedge \\ \mathrm{P}\mathrm{R}\mathrm{F}({\mathrm{e}}_{17})=<\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}({\mathrm{M}}_2),{\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}},\mathrm{U}\mathrm{E},{{\mathrm{M}}_2}^{\prime }>\wedge \mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}({\mathrm{e}}_{18})=\\ <{\mathrm{S}}_3,\mathrm{C}\mathrm{e}{\mathrm{r}}_{\mathrm{U}\mathrm{E}},{{\mathrm{M}}_1}^{\prime },{{\mathrm{M}}_2}^{\prime }>\wedge \mathrm{R}\mathrm{c}\mathrm{v}({\mathrm{e}}_{19})={{\mathrm{M}}_3}^{\prime }\wedge \mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}({\mathrm{e}}_{20})=\\ <<{\mathrm{M}}_2,{{\mathrm{M}}_2}^{\prime }>,{\mathrm{M}}_3>\wedge \mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F}({\mathrm{e}}_{21})=<\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}({\mathrm{M}}_3),{\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}},\mathrm{N}\mathrm{W},{{\mathrm{M}}_3}^{\prime }>\end{array}\right)$$

(25)

According to the Honest Axiom $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{S}$ and the Verify Axiom $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{V}\mathrm{P}$, there exists an event such that the formula holds. Since entity B follows the ET-based mutual authentication protocol, event ${\mathrm{e}}^{\prime }<{\mathrm{e}}_{21}\wedge \mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F}({\mathrm{e}}_{21})=\mathrm{P}\mathrm{R}\mathrm{F}({\mathrm{e}}^{\prime })$ $\wedge \mathrm{l}\mathrm{o}\mathrm{c}({\mathrm{e}}^{\prime })$ $=\mathrm{B}\vee \mathrm{l}\mathrm{o}\mathrm{c}({\mathrm{e}}^{\prime })=\mathrm{A}$ must be an instance member of the protocol’s basic sequence. The basic sequence ${\mathrm{I}}_5,{\mathrm{R}}_6$ includes the action $\mathrm{P}\mathrm{R}\mathrm{F}()$. Given that the event classes between entities must involve either bilateral or multilateral interactions, ${\mathrm{I}}_5$ is excluded. Assuming ${\mathrm{e}}^{\prime }$ is an instance within ${\mathrm{R}}_6$, entity B exhibits the following event sequence:

$$\left(\begin{array}{c}{{\mathrm{e}}^{\prime }}_0{<}_{\mathrm{l}\mathrm{o}\mathrm{c}}{{\mathrm{e}}^{\prime }}_1{<}_{\mathrm{l}\mathrm{o}\mathrm{c}}{{\mathrm{e}}^{\prime }}_2{<}_{\mathrm{l}\mathrm{o}\mathrm{c}}{{\mathrm{e}}^{\prime }}_3{<}_{\mathrm{l}\mathrm{o}\mathrm{c}}{{\mathrm{e}}^{\prime }}_4{<}_{\mathrm{l}\mathrm{o}\mathrm{c}}{{\mathrm{e}}^{\prime }}_5\dots {<}_{\mathrm{l}\mathrm{o}\mathrm{c}}{{\mathrm{e}}^{\prime }}_{20}\\ \mathrm{R}\mathrm{c}\mathrm{v}({{\mathrm{e}}^{\prime }}_0)={\mathrm{SUCI}}^{\prime }\wedge \mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}({{\mathrm{e}}^{\prime }}_1)=<<{\mathrm{SUPI}}^{\prime },{{\mathrm{R}}^{\prime }}_{\mathrm{U}\mathrm{E}1}>,{{\mathrm{SK}}^{\prime }}_{\mathrm{N}\mathrm{W}},{\mathrm{SUCI}}_{\prime }>\wedge \\ \mathrm{N}\mathrm{e}\mathrm{w}({{\mathrm{e}}^{\prime }}_2)={{\mathrm{R}}^{\prime }}_{\mathrm{T}\mathrm{L}\mathrm{S}}\wedge \mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}({{\mathrm{e}}^{\prime }}_3)=<{{\mathrm{R}}^{\prime }}_{\mathrm{T}\mathrm{L}\mathrm{S}},{{\mathrm{PK}}^{\prime }}_{\mathrm{U}\mathrm{E}},{{\mathrm{R}}^{″}}_{\mathrm{T}\mathrm{L}\mathrm{S}}>\wedge \mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}({{\mathrm{e}}^{\prime }}_4)=\\ {\mathrm{R}″}_{\mathrm{T}\mathrm{L}\mathrm{S}}\wedge \mathrm{R}\mathrm{c}\mathrm{v}({{\mathrm{e}}^{\prime }}_5)={{\mathrm{S}}^{\prime }}_1\wedge \mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}({{\mathrm{e}}^{\prime }}_6)=<<{{\mathrm{R}}^{\prime }}_{\mathrm{U}\mathrm{E}2},{{\mathrm{M}\mathrm{e}\mathrm{t}\mathrm{h}\mathrm{o}\mathrm{d}\mathrm{s}}^{\prime }}_{\mathrm{U}\mathrm{E}}>,\mathrm{S}{{\mathrm{K}}^{\prime }}_{\mathrm{N}\mathrm{W}},{{\mathrm{S}}^{\prime }}_1>\wedge \\ \mathrm{N}\mathrm{e}\mathrm{w}({{\mathrm{e}}^{\prime }}_7)=\mathrm{R}{\prime }_{\mathrm{N}\mathrm{W}}\wedge \mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}({{\mathrm{e}}^{\prime }}_8)=<<{{\mathrm{R}}^{\prime }}_{\mathrm{N}\mathrm{W}},\mathrm{M}\mathrm{e}\mathrm{t}\mathrm{h}\mathrm{o}\mathrm{d}{{\mathrm{s}}^{\prime }}_{\mathrm{N}\mathrm{W}}>,\mathrm{P}{{\mathrm{K}}^{\prime }}_{\mathrm{U}\mathrm{E}},{{\mathrm{S}}^{\prime }}_2>\wedge \\ \mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}({{\mathrm{e}}^{\prime }}_9)=<{{\mathrm{S}}^{\prime }}_2,{{\mathrm{Cer}}^{\prime }}_{\mathrm{N}\mathrm{W}}>\wedge \mathrm{R}\mathrm{c}\mathrm{v}({{\mathrm{e}}^{\prime }}_{10})=<\mathrm{S}{\prime }_3,{{\mathrm{Cer}}^{\prime }}_{\mathrm{U}\mathrm{E}},{\mathrm{M}}_1″,{\mathrm{M}}_2″>\wedge \\ \mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}({{\mathrm{e}}^{\prime }}_{11})=<{{\mathrm{Cer}}^{\prime }}_{\mathrm{U}\mathrm{E}},{\mathrm{C}\mathrm{e}{\mathrm{r}}^{″}}_{\mathrm{U}\mathrm{E}},\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{u}\mathrm{l}{{\mathrm{t}}^{\prime }}_2>\wedge \mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}({{\mathrm{e}}^{\prime }}_{12})=\\ <\mathrm{R}{\prime }_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}},\mathrm{S}{{\mathrm{K}}^{\prime }}_{\mathrm{N}\mathrm{W}},{{\mathrm{S}}^{\prime }}_3>\wedge \mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}({{\mathrm{e}}^{\prime }}_{13})=<<{{\mathrm{R}}^{\prime }}_{\mathrm{U}\mathrm{E}2},\mathrm{R}{\prime }_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}},{{\mathrm{R}}^{\prime }}_{\mathrm{N}\mathrm{W}}>,{{\mathrm{K}}^{\prime }}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}}>\wedge \\ \mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}({{\mathrm{e}}^{\prime }}_{14})=<<{{\mathrm{R}}^{\prime }}_{\mathrm{U}\mathrm{E}2},{{\mathrm{R}}^{\prime }}_{\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{k}\mathrm{e}\mathrm{y}},{{\mathrm{R}}^{\prime }}_{\mathrm{N}\mathrm{W}},\mathrm{C}\mathrm{e}{{\mathrm{r}}^{\prime }}_{\mathrm{U}\mathrm{E}},\mathrm{C}\mathrm{e}{{\mathrm{r}}^{\prime }}_{\mathrm{N}\mathrm{W}}>,{{\mathrm{M}}^{\prime }}_1>\wedge \mathrm{V}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{y}({{\mathrm{e}}^{\prime }}_{15})=\\ <\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}({{\mathrm{M}}^{\prime }}_1),{\mathrm{UE}}^{\prime },{\mathrm{M}}_1″>\wedge \mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}({{\mathrm{e}}^{\prime }}_{16})=<<{{\mathrm{M}}^{\prime }}_1,{\mathrm{M}}_1″>,{{\mathrm{M}}_2}^{\prime }>\wedge \mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F}({{\mathrm{e}}^{\prime }}_{17})=\\ <\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}{({\mathrm{M}}_2)}^{\prime },{{\mathrm{K}}^{\prime }}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}},{\mathrm{UE}}^{\prime },{\mathrm{M}}_2″>\wedge \mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}({{\mathrm{e}}^{\prime }}_{18})=<<{{\mathrm{M}}^{\prime }}_2,{\mathrm{M}}_2″>,{{\mathrm{M}}_3}^{\prime }>\wedge \\ \mathrm{P}\mathrm{R}\mathrm{F}({{\mathrm{e}}^{\prime }}_{19})=<\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}({{\mathrm{M}}_3}^{\prime }),{{\mathrm{K}}^{\prime }}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}},{\mathrm{NW}}^{\prime },{\mathrm{M}}_3″>\wedge \mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}({{\mathrm{e}}^{\prime }}_{20})={\mathrm{M}}_3″\end{array}\right)$$

(26)

From the above equation, it can be deduced that the following equality holds:

$$\left(\begin{array}{l}\mathrm{P}\mathrm{R}\mathrm{F}({\mathrm{e}}^{\prime })=<\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}({\mathrm{M}}_3),{\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}},\mathrm{N}\mathrm{W},{{\mathrm{M}}_3}^{\prime }>=\\ <\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}({{\mathrm{M}}_3}^{\prime }),{{\mathrm{K}}^{\prime }}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}},{\mathrm{NW}}^{\prime },{\mathrm{M}}_3″>=\mathrm{P}\mathrm{R}\mathrm{F}({{\mathrm{e}}_{19}}^{\prime })\end{array}\right)$$

(27)

From the above equation, the following equality can be derived:

$$\left(\begin{array}{l}\mathrm{V}\mathrm{P}\mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}({\mathrm{e}}_{21},{{\mathrm{e}}^{\prime }}_{19}),{{\mathrm{e}}_{19}}^{\prime }={\mathrm{e}}^{\prime },\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}({{\mathrm{M}}_3}^{\prime })=\mathrm{h}\mathrm{a}\mathrm{s}\mathrm{h}({\mathrm{M}}_3),\\ {{\mathrm{K}}^{\prime }}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}}={\mathrm{K}}_{\mathrm{s}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}},{\mathrm{NW}}^{\prime }=\mathrm{N}\mathrm{W},{\mathrm{M}}_3″={{\mathrm{M}}_3}^{\prime }\end{array}\right)$$

(28)

Thus, a weak matching session can be established. By applying the Verify Axiom $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{V}\mathrm{P}$, Decrypt Axiom $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{D}$, Receive Axiom $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{R}$, and Honest Axiom $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{S}$ to identify matching events, and following a similar proof process as above, the matching events for entities A and B can be obtained: $\mathrm{D}\mathrm{E}\mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}({\mathrm{e}}_1,{{\mathrm{e}}_1}^{\prime })$, $\mathrm{D}\mathrm{E}\mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}({{\mathrm{e}}_3}^{\prime },{\mathrm{e}}_4)$, $\mathrm{D}\mathrm{E}\mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}({\mathrm{e}}_6,{{\mathrm{e}}_6}^{\prime })$, $\mathrm{D}\mathrm{E}\mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}({{\mathrm{e}}_8}^{\prime },{\mathrm{e}}_9)$, and $\mathrm{V}\mathrm{S}\mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}({\mathrm{e}}_{15},{{\mathrm{e}}^{\prime }}_{15})$. This yields a weak matching session of length six.

To prove the strong matching session, it is necessary to verify ${\mathrm{e}}_2<{{\mathrm{e}}_0}^{\prime }$, ${{\mathrm{e}}_4}^{\prime }<{\mathrm{e}}_3$, ${\mathrm{e}}_7<{{\mathrm{e}}_5}^{\prime }$, ${{\mathrm{e}}_9}^{\prime }<{\mathrm{e}}_8$, ${\mathrm{e}}_{18}<{{\mathrm{e}}_{10}}^{\prime }$, and ${{\mathrm{e}}_{20}}^{\prime }<{\mathrm{e}}_{19}$. Taking ${\mathrm{e}}_2<{{\mathrm{e}}_0}^{\prime }$ as an example for the proof: since ${\mathrm{e}}_0$ is a random number generation event and there are no sending events between ${\mathrm{e}}_0$ and ${\mathrm{e}}_2$, $\mathrm{F}\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{h}({\mathrm{e}}_2,{\mathrm{R}}_{\mathrm{U}\mathrm{E}1})$ can be derived, with the send event ${\mathrm{e}}_2$ identified as $\mathrm{F}\mathrm{i}\mathrm{r}\mathrm{s}\mathrm{t}\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}$. Based on events ${{\mathrm{e}}_0}^{\prime } \mathrm{h}\mathrm{a}\mathrm{s} { \mathrm{R}}_{\mathrm{U}\mathrm{E}1}$, and applying $\mathrm{R}\mathrm{u}\mathrm{l}\mathrm{e}\mathrm{F}$, ${\mathrm{e}}_2<{{\mathrm{e}}_0}^{\prime }$ can be further derived. Similarly, by using $\mathrm{F}\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{h}$, $\mathrm{F}\mathrm{i}\mathrm{r}\mathrm{s}\mathrm{t}\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}$, $\mathrm{R}\mathrm{u}\mathrm{l}\mathrm{e}\mathrm{F}$, and $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{R}$, the chronological order of the events can be sequentially deduced: ${{\mathrm{e}}_4}^{\prime }<{\mathrm{e}}_3$, ${\mathrm{e}}_7<{{\mathrm{e}}_5}^{\prime }$, ${{\mathrm{e}}_9}^{\prime }<{\mathrm{e}}_8$, ${\mathrm{e}}_{18}<{{\mathrm{e}}_{10}}^{\prime }$, and ${{\mathrm{e}}_{20}}^{\prime }<{\mathrm{e}}_{19}$. This results in a strong matching session of length six. The specific proof details and outcomes are summarized in the following

Table 4. Formal verification process and results.

Steps	Matching Events and Event Ordering	Proof Basis	Results
1	$\mathrm{V}\mathrm{P}\mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}({\mathrm{e}}_{21},{{\mathrm{e}}^{\prime }}_{19})$	$\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{S}$, $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{V}\mathrm{P}$	By applying the axioms, six matching events are identified, resulting in a weak matching session of length six.
2	$\mathrm{V}\mathrm{S}\mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}({\mathrm{e}}_{15},{{\mathrm{e}}^{\prime }}_{15})$	$\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{S}$, $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{V}$
3	$\mathrm{D}\mathrm{E}\mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}({{\mathrm{e}}_8}^{\prime },{\mathrm{e}}_9)$	$\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{S}$, $\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{D}$
4	$\mathrm{D}\mathrm{E}\mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}({\mathrm{e}}_6,{{\mathrm{e}}_6}^{\prime })$
5	$\mathrm{D}\mathrm{E}\mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}({{\mathrm{e}}_3}^{\prime },{\mathrm{e}}_4)$
6	$\mathrm{D}\mathrm{E}\mathrm{M}\mathrm{a}\mathrm{t}\mathrm{c}\mathrm{h}({\mathrm{e}}_1,{{\mathrm{e}}_1}^{\prime })$
7	${\mathrm{e}}_2<{{\mathrm{e}}_0}^{\prime }$	$\mathrm{A}\mathrm{x}\mathrm{i}\mathrm{o}\mathrm{m}\mathrm{R}$, $\mathrm{F}\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{h}$, $\mathrm{F}\mathrm{i}\mathrm{r}\mathrm{s}\mathrm{t}\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{d}$, $\mathrm{R}\mathrm{u}\mathrm{l}\mathrm{e}\mathrm{F}$	By applying the axioms and rules, the chronological order of six events is proven, resulting in a strong matching session of length six.
8	${{\mathrm{e}}_4}^{\prime }<{\mathrm{e}}_3$
9	${\mathrm{e}}_7<{{\mathrm{e}}_5}^{\prime }$
10	${{\mathrm{e}}_9}^{\prime }<{\mathrm{e}}_8$
11	${\mathrm{e}}_{18}<{{\mathrm{e}}_{10}}^{\prime }$
12	${{\mathrm{e}}_{20}}^{\prime }<{\mathrm{e}}_{19}$

, completing the proof $\mathrm{E}\mathrm{T}|=\mathrm{a}\mathrm{u}\mathrm{t}\mathrm{h}({\mathrm{I}}_6,6)$.

Similarly, by applying the aforementioned axioms and rules, it can be demonstrated that $\mathrm{E}\mathrm{T}|=\mathrm{a}\mathrm{u}\mathrm{t}\mathrm{h}({\mathrm{R}}_6,5)$ holds, and the protocol satisfies $\mathrm{E}\mathrm{T}|=\mathrm{a}\mathrm{u}\mathrm{t}\mathrm{h}({\mathrm{I}}_6,6)\wedge \mathrm{E}\mathrm{T}|=\mathrm{a}\mathrm{u}\mathrm{t}\mathrm{h}({\mathrm{R}}_6,5)$, ensuring mutual strong authentication. Therefore, there is no possibility of impersonation attacks or message replay.

6.2. Evaluation and Discussion

The present study compares and analyzes the related literature and research methods of EAP-TLS protocol analysis from the time complexity of the reasoning process and the ability to resist state explosion so as to verify the effectiveness of the LoET proposed in this study in the formal verification method of EAP-TLS. There are large differences in the ability of these methods to verify protocol models with high complexity.

The time complexity of LoET for protocol reasoning mainly comes from the matching analysis process of events. For a protocol containing n events, the derivation process depends on the causality of events, the axiom system, and related rules, which we quantify. The axioms and related rules of each event are at constant level K, and the number is small. Since the manual derivation can pry the events that are not likely to have a causal relationship according to the matching relationship, the derivation time is greatly shortened. Even in the worst case, the time complexity of matching events one by one is only O(n²). The comparison of EAP-TLS protocol analysis methods is shown in

Table 5. The comparison of EAP-TLS analysis methods.

Reference	Research Method	Resistance to State Explosion	Time Complexity	Verification Efficiency
The present study	LoET (Extended)	High	$\mathbf{O}({\mathbf{n}}^2)$	✔ Precisely models handshake chains; avoids state explosion caused by attacker interactions; and successfully verifies strong mutual authentication.
Refs. [16,19]	ProVerif	Low	$\mathrm{O}(2^{\mathrm{n}})$	✖ Difficult to handle handshake complex structures; incomplete modeling of the certificate mechanism.
Refs. [20,21]	Tamarin	Medium	$\mathrm{O}(2^{\mathrm{n}})$	✖ Modeling overhead is high; requires manual lemma assistance; time-consuming for full handshake analysis; and struggles with complex identity chain verification.
Ref. [17]	SmartVerif	Medium	$\mathrm{O}({\mathrm{n}}^{\mathrm{k}})$	✖ Efficiency drops sharply when pruning fails; completeness cannot be guaranteed.
Ref. [18]	SPIN	Low	$\mathrm{O}(\mathrm{n}!)$	✖ Frequent state explosion; difficult to model handshake loops.

.

ProVerif converts protocol actions into Horn clauses and takes a parse-based approach, symbolically trying to parse queries [16]. For EAP-TLS protocols with complex branching conditions, the time complexity of the derivation process is usually exponential. Similarly, Tamarin’s multiset rewriting and symbolic rules make the time complexity of deriving the security properties of the protocol also exponential [20]. Hence, the best case of ProVerif and Tamarin is to analyze a two-branch structure, and its lowest time complexity is O(2ⁿ). Due to the introduction of the path selection mechanism based on reinforcement learning, SmartVerif can reduce the complexity to O(n^k), where K is the proof depth. However, when facing the EAP-TLS protocol model with complex structure, due to the numerous state branches and the difficulty of path convergence, the reinforcement learning agent has difficulty obtaining an effective strategy quickly. In practice, the verification time may increase exponentially, and O(n^k) is already the lowest space complexity [17]. The verification process of SPIN relies on explicit state enumeration of Promela, which exhibits factorial time complexity O(n!) in complex protocol models, which makes it particularly vulnerable to state explosion [18].

The great advantage of LoET is that it has a strong ability to resist state explosion. In the actual derivation process, the events that do not produce a causal order can be pruned in advance, which greatly reduces the time complexity of the derivation process. In the process of verifying complex protocol models, automatic verification tools will inevitably face the problem of state explosion, which leads to a great reduction in verification efficiency even if the verification process is an automatic analysis process.

When reasoning through unsafe channels, ProVerif may produce incomplete results [19], and Tamarin is prone to encounter the problem of state explosion in the verification process. Even if the analysis can be guided manually, the manual workload is huge, and the derivation efficiency is still low [21]. SPIN is most vulnerable to state explosion due to the process of displaying state enumeration.

In summary, the LoET method has great advantages in the verification of the EAP-TLS protocol with a complex handshake structure. The LoET method can not only reduce the time complexity of protocol verification and have a strong ability to resist state explosion but also accurately model the protocol model. The interaction details of the protocol model are not ignored because of the complexity of the protocol model, which provides a guarantee for the proof of strong authentication security properties of the protocol.

7. Conclusions and Future Work

This research applies the Logic of Events Theory to formally analyze the EAP-TLS protocol, identifies the man-in-the-middle attack path, and proposes an improved strategy for the protocol. Based on the extended Logic of Events Theory, the strong authentication of the improved EAP-TLS protocol is verified, and the strong matching session is found. It is proved that the improved EAP-TLS protocol satisfies strong authentication, and the improved strategy is practical and reliable. The main contributions and innovations of this study are as follows:

• The present study proposes a new formal analysis method of the EAP-TLS protocol based on LoET. This approach formally analyzes the traditional EAP-TLS protocol, identifies the man-in-the-middle attack path in the protocol, and puts forward the enhanced strategy to mitigate the vulnerabilities through hash merging, encryption, and signature methods, alongside analyzing their communication costs to ensure feasibility.
• The five event classes $\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}$, $\mathrm{D}\mathrm{e}\mathrm{r}\mathrm{K}\mathrm{e}\mathrm{y}$, $\mathrm{M}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{e}$, $\mathrm{P}\mathrm{R}\mathrm{F}$, and $\mathrm{V}\mathrm{P}\mathrm{R}\mathrm{F}$ are extended, and the corresponding rules of the event classes are formulated. The causal axioms in the axiom system are extended. Through the extended Logic of Events Theory, the EAP-TLS protocol can be better formally modeled and analyzed, which improves the application scope of the Logic of Events Theory and the ability of formal analysis of security protocols.
• Due to the complexity of the handshake process of the EAP-TLS protocol, the existing LoET has difficulty in formally modeling this transport layer protocol. Through the extended LoET, the improved EAP-TLS protocol is formally modeled to determine the basic sequence and find the matching sessions and event sequences. It has been proved that the improved EAP-TLS protocol satisfies strong authentication, ensuring that the improved strategy is feasible. The time complexity of this research method is O(n²). In terms of time complexity and ability to resist state explosion, it is better than related research methods.
• This research method has significant advantages in terms of time complexity and resistance to state explosion and can perform pruning operations by eliminating events that are unlikely to have causal relationships, thereby accelerating the verification efficiency. Although this research method is more efficient in verifying complex protocols than traditional verification tools, it requires researchers to have a certain logical reasoning ability and a large knowledge reserve of LoET.
• Currently, the development of automatic verification tools is rapid. An important task in the future is to combine the LoET method proposed in this paper with the automatic verification tool Tamarin. Tamarin is an automatic protocol verification tool that uses multi-set rewrite rules and symbolic reasoning. LoET can map its event classes and axiom systems into facts and multi-set rewrite rules in Tamarin and can deduce causal relationships through the sequential relationship and dependency rules between facts. This enables Tamarin to avoid searching for event states that cannot have matching relationships during the verification search process. Compared with using the Tamarin tool alone, it can improve verification efficiency and enhance the ability to resist state explosion. This combination approach enables Tamarin to serve as the automatic reasoning backend for LoET, integrating the precise expression and rigorous reasoning capabilities of LoET with Tamarin’s automatic verification capabilities, significantly enhancing the efficiency and rigor of protocol analysis.

This study conducts a strict analysis of the strong authentication of the EAP-TLS protocol, proving that the improved protocol can resist man-in-the-middle attacks such as message tampering, identity disguise, and message replay. This protocol satisfies strong authentication. Future work can continue to explore, study, and prove other properties of the improved protocol, such as secrecy and the secrecy of K_SEAF. In the event of long-term key leakage in the future, the confidentiality of historical session keys will not be threatened either, thereby ensuring that past communication messages can still remain secure in the event of future communication key leakage. However, the existing LoET is mainly used for strict verification of authentication. In terms of relevant lemmas and rules, it still needs to be expanded to prove other security properties and enhance the ability to analyze the security of protocols.

Since the core network is connected through wired links, its channel is relatively secure. However, in future work, we can also assume that the core network is in an untrusted channel to verify the security property of the EAP-TLS protocol.

In order to extend LoET to the verification of transport layer protocols, subsequent work will verify the strong authentication property of another transport layer security protocol, the Quick UDP Internet Connections (QUIC) protocol. The QUIC protocol, released by Google in 2021, is a security protocol for various scenarios such as video and multimedia transmission, cloud computing and microservices, and mobile network optimization. Due to its relatively short release time and the lack of systematic research literature on it, the security of the protocol needs to be verified. Subsequently, LoET will be used to prove the security properties of the protocol systematically and ensure the security of the protocol in practical applications.