Cryptographic Protocol Composition via the Authentication Tests

Although cryptographic protocols are typically analyzed in isolation, they are used in combinations. If a protocol Π1, when analyzed alone, was shown to meet some security goals, will it still meet those goals when executed together with a second protocol Π2? Not necessarily: for every Π1, some Π2s undermine its goals. We use the strand space “authentication test” principles to suggest a criterion to ensure a Π2 preserves Π1’s goals; this criterion strengthens previous proposals. Security goals for Π1 are expressed in a language L(Π1) in classical logic. Strand spaces provide the models for L(Π1). Certain homomorphisms among models for L(Π) preserve the truth of the security goals. This gives a way to extract—from a counterexample to a goal that uses both protocols—a counterexample using only the first protocol. This model-theoretic technique, using homomorphisms among models to prove results about a syntactically defined set of formulas, appears to be novel for protocol analysis. Protocol analysis usually focuses on the secrecy and authentication properties of individual, finished protocols. There is a good reason for this: Each security goal then definitely either holds or does not hold. However, the analysis is more reusable if we know which results will remain true after combination with other protocols, and perhaps other kinds of elaborations to the protocol. In practice, every protocol is used in combination with other protocols, often with the same long-term keys. Also, many protocols contain messages with “blank slots.” Higher level protocols piggyback on them, filling the blank spots with their own messages. We want to find out when the goals that hold of a protocol on its own are preserved under combination with other protocols, and when these blanks are filled in. Two results on composition. Two existing results, both within the DolevYao model [12], are particularly relevant. We showed [17] that if two protocols manipulate disjoint sets of ciphertexts, then combining the protocols cannot undermine their security goals. A careful, asymmetric formulation of this “disjoint encryption” property allowed us to show that one protocol Π1 may produce ciphertexts—in a broad sense including digital certificates as well as Kerberosstyle tickets—consumed by another protocol Π2, without Π2 undermining any ? Supported by MITRE-Sponsored Research. Email address: [email protected]. An extended version with proofs appears at http://eprint.iacr.org/2008/430.