The authentication protocol for HTTP proposed in RFC 8120 has been model checked under different assumptions. Four security properties have been taken into account: (1) Key Secrecy Property (K-SEC), (2) Key Sharing Property (K-SHR), (3) Correspondence Property from a client point of view (C-CORR), and (4) Correspondence Property from a server point of view (S-CORR). In each assumption, we suppose that there exists an intruder that eavesdrops on the network and forges messages based on any pieces of information available. Under the assumption (a) that the cryptosystem used is perfect, the formal analysis concludes that the protocol is likely to enjoy K-SEC and K-SHR, but reveals that it enjoys neither C-CORR nor S-CORR. Under the assumption (b) that pseudo-random numbers generated by clients are leaked to the intruder, the results are the same. Under the assumption (c) that pseudo-random numbers generated by servers are leaked to the intruder, however, the protocol enjoys neither K-SEC nor K-SHR. To discover a realistic counterexample for K-SHR, a model checking experiment has been divided into multiple smaller ones. We then propose a revised version, which is likely to enjoy all four properties even under the assumption (c).

RFC 8120中提出的HTTP身份验证协议已在不同的假设下进行了模型检查。考虑了四个安全属性：（1）密钥保密属性（K-SEC），（2）密钥共享属性（K-SHR），（3）从客户端角度来看的通信属性（C-CORR）， （4）从服务器的角度来看的对应属性（S-CORR）。在每个假设中，我们假设都有一个入侵者在网络上进行窃听并根据任何可用信息伪造消息。在假设（a）使用的密码系统是完美的情况下，形式分析得出的结论是该协议很可能享受K-SEC和K-SHR，但显示该协议既不享受C-CORR也不享受S-CORR。在假设（b）客户端生成的伪随机数泄露给入侵者的情况下，结果是相同的。但是，在假设（c）中，服务器生成的伪随机数会泄露给入侵者，该协议既不享受K-SEC也不享受K-SHR。为了发现K-SHR的实际反例，已将模型检查实验分为多个较小的实验。然后，我们提出一个修订版本，即使在假设（c）下，该版本也可能具有全部四个属性。