
Formal Methods in System Design, Volume 34, Issue 1, pp 1–36

Safely composing security protocols

  • Véronique Cortier
  • Stéphanie Delaune
Article

Abstract

Security protocols are small programs that are executed in hostile environments. Many results and tools have been developed to formally analyze the security of a protocol in the presence of an active attacker that may block, intercept and send new messages. However, even when a protocol has been proved secure, there is absolutely no guarantee if the protocol is executed in an environment where other protocols are executed, possibly sharing some common keys like public keys or long-term symmetric keys.

In this paper, we show that security of protocols can be easily composed. More precisely, we show that whenever a protocol is secure, it remains secure even in an environment where arbitrary protocols satisfying a reasonable (syntactic) condition are executed. This result holds for a large class of security properties that encompasses secrecy and various formulations of authentication.

Keywords

Composition, Security protocols, Verification

Copyright information

© Springer Science+Business Media, LLC 2008

Authors and Affiliations

  1. LORIA, CNRS & INRIA project Cassis, Nancy, France
  2. LSV, CNRS & INRIA project Secsi & ENS de Cachan, Cachan, France
