Composing Security Protocols: From Confidentiality to Privacy

  • Myrto Arapinis
  • Vincent Cheval
  • Stéphanie Delaune
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9036)


Security protocols are used in many of our daily-life applications, and our privacy largely depends on their design. Formal verification techniques have proved their usefulness to analyse these protocols, but they become so complex that modular techniques have to be developed. We propose several results to safely compose security protocols. We consider arbitrary primitives modeled using an equational theory, and a rich process algebra close to the applied pi calculus.

Relying on these composition results, we derive some security properties on a protocol from the security analysis performed on each of its sub-protocols individually. We consider parallel composition and the case of key-exchange protocols. Our results apply to deal with confidentiality but also privacy-type properties (e.g. anonymity) expressed using a notion of equivalence. We illustrate the usefulness of our composition results on protocols from the 3G phone application and electronic passport.


Mobile Station Function Symbol Security Protocol Parallel Composition Active Authentication 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    PKI for machine readable travel documents offering ICC read-only access. Technical report, International Civil Aviation Organization (2004)Google Scholar
  2. 2.
    3GPP. Technical specification group services and system aspects; 3G security; security architecture (release 9). Technical report, 3rd Generation Partnership Project (2010)Google Scholar
  3. 3.
    Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: Proc. 28th Symposium on Principles of Programming Languages, POPL 2001 (2001)Google Scholar
  4. 4.
    Arapinis, M., Cheval, V., Delaune, S.: Verifying privacy-type properties in a modular way. In: Proc. 25th IEEE Computer Security Foundations Symposium, CSF 2012 (2012)Google Scholar
  5. 5.
    Arapinis, M., Mancini, L.I., Ritter, E., Ryan, M., Golde, N., Redon, K., Borgaonkar, R.: New privacy issues in mobile telephony: fix and verification. In: ACM Conference on Computer and Communications Security (2012)Google Scholar
  6. 6.
    Armando, A., Carbone, R., Compagna, L., Cuéllar, J., Tobarra, M.L.: Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for google apps. In: Proc. 6th ACM Workshop on Formal Methods in Security Engineering, FMSE 2008 (2008)Google Scholar
  7. 7.
    Armando, A., et al.: The AVANTSSAR Platform for the Automated Validation of Trust and Security of Service-Oriented Architectures. In: Flanagan, C., König, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 267–282. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  8. 8.
    Barak, B., Canetti, R., Nielsen, J., Pass, R.: Universally composable protocols with relaxed set-up assumptions. In: Proc. 45th Symposium on Foundations of Computer Science, FOCS 2004 (2004)Google Scholar
  9. 9.
    Blanchet, B., Abadi, M., Fournet, C.: Automated verification of selected equivalences for security protocols. Journal of Logic and Algebraic Programming (2008)Google Scholar
  10. 10.
    Böhl, F., Unruh, D.: Symbolic universal composability. In: Proc. 26th Computer Security Foundations Symposium, CSF 2013 (2013)Google Scholar
  11. 11.
    Bruso, M., Chatzikokolakis, K., den Hartog, J.: Formal verification of privacy for RFID systems. In: Proc. 23rd Computer Security Foundations Symposium, CSF 2010 (2010)Google Scholar
  12. 12.
    Ciobâcă, Ş., Cortier, V.: Protocol composition for arbitrary primitives. In: Proc. of the 23rd IEEE Computer Security Foundations Symposium, CSF 2010 (2010)Google Scholar
  13. 13.
    Cortier, V., Delaune, S.: Safely composing security protocols. Formal Methods in System Design 34(1), 1–36 (2009)CrossRefzbMATHGoogle Scholar
  14. 14.
    Groß, T., Mödersheim, S.: Vertical protocol composition. In: Proc. 24th Computer Security Foundations Symposium, CSF 2011 (2011)Google Scholar
  15. 15.
    Guttman, J.D., Thayer, F.J.: Protocol independence through disjoint encryption. In: Proc. 13th Computer Security Foundations Workshop, CSFW 2000 (2000)Google Scholar
  16. 16.
    Küsters, R., Tuengerthal, M.: Composition Theorems Without Pre-Established Session Identifiers. In: Proc. 18th Conference on Computer and Communications Security, CCS 2011 (2011)Google Scholar
  17. 17.
    Mödersheim, S., Viganò, L.: Secure pseudonymous channels. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 337–354. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  18. 18.
    Tiu, A., Dawson, J.E.: Automating open bisimulation checking for the spi calculus. In: Proc. 23rd Computer Security Foundations Symposium, CSF 2010 (2010)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  • Myrto Arapinis
    • 1
  • Vincent Cheval
    • 2
    • 3
  • Stéphanie Delaune
    • 4
  1. 1.School of InformaticsUniversity of EdinburghEdinburghUK
  2. 2.LORIACNRSNancyFrance
  3. 3.School of ComputingUniversity of KentKentUK
  4. 4.LSV, CNRS & ENSCachanFrance

Personalised recommendations