Secure protocol composition

Modular composition of security mechanisms is complicated by the way that one mechanism may reveal information that interferes with the security of another. We develop methods for modular reasoning about security protocols, using before-after assertions and protocol invariants. The before-after assertions allow us to prove properties of a sequential composition of protocol steps and therefore enable construction of complex protocols from smaller sub-protocols. Invariants provide a mechanism for ensuring that sub-protocols which are individually secure do not interact insecurely when they are composed to construct a bigger protocol. The application of the method is demonstrated by giving modular formal proofs involving two standard protocols.

[1]  Martín Abadi,et al.  A Calculus for Cryptographic Protocols: The spi Calculus , 1999, Inf. Comput..

[2]  Joshua D. Guttman,et al.  Mixed strand spaces , 1999, Proceedings of the 12th IEEE Computer Security Foundations Workshop.

[3]  Simon S. Lam,et al.  A semantic model for authentication protocols , 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[4]  Ran Canetti,et al.  Environmental Requirements for Authentication Protocols , 2002, ISSS.

[5]  Daryl McCullough,et al.  A Hookup Theorem for Multilevel Security , 1990, IEEE Trans. Software Eng..

[6]  Catherine A. Meadows,et al.  The NRL Protocol Analyzer: An Overview , 1996, J. Log. Program..

[7]  Dan Harkins,et al.  The Internet Key Exchange (IKE) , 1998, RFC.

[8]  Catherine A. Meadows,et al.  A model of computation for the NRL Protocol Analyzer , 1994, Proceedings The Computer Security Foundations Workshop VII.

[9]  Daryl McCullough,et al.  Noninterference and the composability of security properties , 1988, Proceedings. 1988 IEEE Symposium on Security and Privacy.

[10]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[11]  John C. Mitchell,et al.  A compositional logic for protocol correctness , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[12]  Roger M. Needham,et al.  Using encryption for authentication in large networks of computers , 1978, CACM.

[13]  Robin Milner,et al.  Action structures: LFCS report ECS-LFCS-92-249 , 1992 .

[14]  Heiko Mantel,et al.  On the composition of secure systems , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[15]  John McLean,et al.  A General Theory of Composition for a Class of "Possibilistic'' Properties , 1996, IEEE Trans. Software Eng..

[16]  Gérard Berry,et al.  The chemical abstract machine , 1989, POPL '90.

[17]  Paul C. van Oorschot,et al.  Authentication and authenticated key exchanges , 1992, Des. Codes Cryptogr..

[18]  Davide Sangiorgi,et al.  Communicating and Mobile Systems: the π-calculus, , 2000 .

[19]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[20]  Bruce Schneier,et al.  Protocol Interactions and the Chosen Protocol Attack , 1997, Security Protocols Workshop.

[21]  Joshua D. Guttman,et al.  Protocol independence through disjoint encryption , 2000, Proceedings 13th IEEE Computer Security Foundations Workshop. CSFW-13.

[22]  John McLean,et al.  Security models and information flow , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[23]  Paul Syverson,et al.  Fail-Stop Protocols: An Approach to Designing Secure Protocols (Preprint) , 1995 .

[24]  Joshua D. Guttman,et al.  Strand spaces: why is a security protocol correct? , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[25]  G. Lowe,et al.  Breaking and Fixing the Needham-Schroeder Public-Key Protocol using CSP and FDR , 1996 .

[26]  ProtocolsLi GongSRI InternationalComputer Fail-Stop Protocols : An Approach to Designing Secure , 1994 .

[27]  Paul Syverson,et al.  A formal language for cryptographic protocol requirements , 1996 .

[28]  Robin Milner,et al.  Communicating and mobile systems - the Pi-calculus , 1999 .

[29]  Gavin Lowe,et al.  Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR , 1996, Softw. Concepts Tools.

[30]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[31]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[32]  Nancy A. Lynch,et al.  I/O automaton models and proofs for shared-key communication systems , 1999, Proceedings of the 12th IEEE Computer Security Foundations Workshop.

[33]  John C. Mitchell,et al.  A derivation system for security protocols and its logical formalization , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[34]  Du Sko Pavlovi,et al.  Categorical Logic of Names and Abstraction in Action Calculi , 1993 .

[35]  J. Doug Tygar,et al.  A Model for Secure Protocols and Their Compositions , 1996, IEEE Trans. Software Eng..

[36]  Zohar Manna,et al.  Temporal verification of reactive systems - safety , 1995 .

[37]  Catherine A. Meadows,et al.  Analysis of the Internet Key Exchange protocol using the NRL Protocol Analyzer , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[38]  Martín Abadi,et al.  A calculus for cryptographic protocols: the spi calculus , 1997, CCS '97.