Secure Composition of PKIs with Public Key Protocols

We use symbolic formal models to study the composition of public key-based protocols with public key infrastructures (PKIs). We put forth a minimal set of requirements which a PKI should satisfy and then identify several reasons why composition may fail. Our main results are positive and offer various trade-offs which align the guarantees provided by the PKI with those required by the analysis of the protocol with which it is composed. We consider both the case of ideally distributed keys and the case of more realistic PKIs.

Our theorems are broadly applicable. Protocols are not limited to specific primitives and compositionality asks only for minimal requirements on shared ones. Secure composition holds with respect to arbitrary trace properties that can be specified within a reasonably powerful logic. For instance, secrecy and various forms of authentication can be expressed in this logic. Finally, our results alleviate the common yet demanding assumption that protocols are fully tagged.
