Cryptographic Protocol Composition via the Authentication Tests

  • Joshua D. Guttman
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5504)


Although cryptographic protocols are typically analyzed in isolation, they are used in combinations. If a protocol \(\Pi_1\), when analyzed alone, was shown to meet some security goals, will it still meet those goals when executed together with a second protocol \(\Pi_2\)? Not necessarily: for every \(\Pi_1\), some \(\Pi_2\)s undermine its goals. We use the strand space “authentication test” principles to suggest a criterion to ensure a \(\Pi_2\) preserves \(\Pi_1\)’s goals; this criterion strengthens previous proposals.

Security goals for \(\Pi_1\) are expressed in a language \(\mathcal{L}(\Pi_1)\) in classical logic. Strand spaces provide the models for \(\mathcal{L}(\Pi_1)\). Certain homomorphisms among models for \(\mathcal{L}(\Pi)\) preserve the truth of the security goals. This gives a way to extract—from a counterexample to a goal that uses both protocols—a counterexample using only the first protocol. This model-theoretic technique, using homomorphisms among models to prove results about a syntactically defined set of formulas, appears to be novel for protocol analysis.


Keywords: Atomic Formula, Trusted Platform Module, Security Goal, Transmission Node, Secondary Node
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Joshua D. Guttman (1)
  1. The MITRE Corporation, USA
