Abstract
Security protocols are small programs that are executed in hostile environments. Many results and tools have been developed to formally analyze the security of a protocol in the presence of an active attacker that may block, intercept and send new messages. However, even when a protocol has been proved secure, there is absolutely no guarantee when the protocol is executed in an environment where other protocols are also executed, possibly sharing some common keys such as public keys or long-term symmetric keys.
In this paper, we show that security of protocols can be easily composed. More precisely, we show that whenever a protocol is secure, it remains secure even in an environment where arbitrary protocols satisfying a reasonable (syntactic) condition are executed. This result holds for a large class of security properties that encompasses secrecy and various formulations of authentication.
Additional information
This work has been partly supported by the RNTL project POSÉ and the ARA SSIA Formacrypt.
About this article
Cite this article
Cortier, V., Delaune, S. Safely composing security protocols. Form Methods Syst Des 34, 1–36 (2009). https://doi.org/10.1007/s10703-008-0059-4
DOI: https://doi.org/10.1007/s10703-008-0059-4