Sequential Protocol Composition in Maude-NPA

Protocols do not work alone, but together, one protocol relying on another to provide needed services. Many of the problems in cryptographic protocols arise when such composition is done incorrectly or is not well understood. In this paper we discuss an extension to the Maude-NPA syntax and operational semantics to support dynamic sequential composition of protocols, so that protocols can be specified separately and composed when desired. This allows one to reason about many different compositions with minimal changes to the specification. Moreover, we show that, by a simple protocol transformation, we are able to analyze and verify this dynamic composition in the current Maude-NPA tool. We prove soundness and completeness of the protocol transformation with respect to the extended operational semantics, and illustrate our results on some examples.

[1]  Enno Ohlebusch,et al.  Term Rewriting Systems , 2002 .

[2]  Joshua D. Guttman,et al.  Protocol independence through disjoint encryption , 2000, Proceedings 13th IEEE Computer Security Foundations Workshop. CSFW-13.

[3]  José Meseguer,et al.  A rewriting-based inference system for the NRL Protocol Analyzer and its meta-logical properties , 2006, Theor. Comput. Sci..

[4]  Sonia Santiago Pinazo Sequential protocol composition in Maude-NPA , 2011 .

[5]  Joshua D. Guttman,et al.  Security protocol design via authentication tests , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[6]  Dusko Pavlovic Proving Authentication Properties in the Protocol Derivation Assistant , 2006 .

[7]  John C. Mitchell,et al.  A compositional logic for protocol correctness , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[8]  Dusko Pavlovic,et al.  Secure Protocol Composition , 2003, MFPS.

[9]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[10]  Dan Harkins,et al.  The Internet Key Exchange (IKE) , 1998, RFC.

[11]  Dusko Pavlovic,et al.  An encapsulated authentication logic for reasoning about key distribution protocols , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[12]  Terese Term rewriting systems , 2003, Cambridge tracts in theoretical computer science.

[13]  Srdjan Capkun,et al.  Secure positioning in wireless networks , 2006, IEEE Journal on Selected Areas in Communications.

[14]  José Meseguer,et al.  A Graphical User Interface for Maude-NPA , 2009, PROLE.

[15]  Joshua D. Guttman,et al.  Searching for Shapes in Cryptographic Protocols , 2007, TACAS.

[16]  José Meseguer,et al.  Symbolic reachability analysis using narrowing and its application to verification of cryptographic protocols , 2007, High. Order Symb. Comput..

[17]  José Meseguer,et al.  Maude-NPA: Cryptographic Protocol Analysis Modulo Equational Properties , 2009, FOSAD.

[18]  ProtocolsLi GongSRI InternationalComputer Fail-Stop Protocols : An Approach to Designing Secure , 1994 .

[19]  Yehuda Lindell,et al.  Universally composable two-party and multi-party secure computation , 2002, STOC '02.

[20]  José Meseguer,et al.  Conditioned Rewriting Logic as a United Model of Concurrency , 1992, Theor. Comput. Sci..

[21]  F. Javier Thayer Fábrega,et al.  Strand spaces: proving security protocols correct , 1999 .

[22]  José Meseguer,et al.  Membership algebra as a logical framework for equational specification , 1997, WADT.

[23]  Gavin Lowe,et al.  Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR , 1996, Softw. Concepts Tools.

[24]  Véronique Cortier,et al.  Safely composing security protocols , 2009, Formal Methods Syst. Des..