148 research outputs found
A Cut Principle for Information Flow
We view a distributed system as a graph of active locations with
unidirectional channels between them, through which they pass messages. In this
context, the graph structure of a system constrains the propagation of
information through it.
Suppose a set of channels is a cut set between an information source and a
potential sink. We prove that, if there is no disclosure from the source to the
cut set, then there can be no disclosure to the sink. We introduce a new
formalization of partial disclosure, called *blur operators*, and show that the
same cut property is preserved for disclosure to within a blur operator. This
cut-blur property also implies a compositional principle, which ensures limited
disclosure for a class of systems that differ only beyond the cut.Comment: 31 page
Fair Exchange in Strand Spaces
Many cryptographic protocols are intended to coordinate state changes among
principals. Exchange protocols coordinate delivery of new values to the
participants, e.g. additions to the set of values they possess. An exchange
protocol is fair if it ensures that delivery of new values is balanced: If one
participant obtains a new possession via the protocol, then all other
participants will, too. Fair exchange requires progress assumptions, unlike
some other protocol properties. The strand space model is a framework for
design and verification of cryptographic protocols. A strand is a local
behavior of a single principal in a single session of a protocol. A bundle is a
partially ordered global execution built from protocol strands and adversary
activities. The strand space model needs two additions for fair exchange
protocols. First, we regard the state as a multiset of facts, and we allow
strands to cause changes in this state via multiset rewriting. Second, progress
assumptions stipulate that some channels are resilient-and guaranteed to
deliver messages-and some principals are assumed not to stop at certain
critical steps. This method leads to proofs of correctness that cleanly
separate protocol properties, such as authentication and confidentiality, from
invariants governing state evolution. G. Wang's recent fair exchange protocol
illustrates the approach
Security Theorems via Model Theory
A model-theoretic approach can establish security theorems for cryptographic
protocols. Formulas expressing authentication and non-disclosure properties of
protocols have a special form. They are quantified implications for all xs .
(phi implies for some ys . psi). Models (interpretations) for these formulas
are *skeletons*, partially ordered structures consisting of a number of local
protocol behaviors. Realized skeletons contain enough local sessions to explain
all the behavior, when combined with some possible adversary behaviors. We show
two results. (1) If phi is the antecedent of a security goal, then there is a
skeleton A_phi such that, for every skeleton B, phi is satisfied in B iff there
is a homomorphism from A_phi to B. (2) A protocol enforces for all xs . (phi
implies for some ys . psi) iff every realized homomorphic image of A_phi
satisfies psi. Hence, to verify a security goal, one can use the Cryptographic
Protocol Shapes Analyzer CPSA (TACAS, 2007) to identify minimal realized
skeletons, or "shapes," that are homomorphic images of A_phi. If psi holds in
each of these shapes, then the goal holds
Execution Models for Choreographies and Cryptoprotocols
A choreography describes a transaction in which several principals interact.
Since choreographies frequently describe business processes affecting
substantial assets, we need a security infrastructure in order to implement
them safely. As part of a line of work devoted to generating cryptoprotocols
from choreographies, we focus here on the execution models suited to the two
levels.
We give a strand-style semantics for choreographies, and propose a special
execution model in which choreography-level messages are faithfully delivered
exactly once. We adapt this model to handle multiparty protocols in which some
participants may be compromised.
At level of cryptoprotocols, we use the standard Dolev-Yao execution model,
with one alteration. Since many implementations use a "nonce cache" to discard
multiply delivered messages, we provide a semantics for at-most-once delivery
Choreographies with Secure Boxes and Compromised Principals
We equip choreography-level session descriptions with a simple abstraction of
a security infrastructure. Message components may be enclosed within (possibly
nested) "boxes" annotated with the intended source and destination of those
components. The boxes are to be implemented with cryptography. Strand spaces
provide a semantics for these choreographies, in which some roles may be played
by compromised principals. A skeleton is a partially ordered structure
containing local behaviors (strands) executed by regular (non-compromised)
principals. A skeleton is realized if it contains enough regular strands so
that it could actually occur, in combination with any possible activity of
compromised principals. It is delivery guaranteed (DG) realized if, in
addition, every message transmitted to a regular participant is also delivered.
We define a novel transition system on skeletons, in which the steps add
regular strands. These steps solve tests, i.e. parts of the skeleton that could
not occur without additional regular behavior. We prove three main results
about the transition system. First, each minimal DG realized skeleton is
reachable, using the transition system, from any skeleton it embeds. Second, if
no step is possible from a skeleton A, then A is DG realized. Finally, if a DG
realized B is accessible from A, then B is minimal. Thus, the transition system
provides a systematic way to construct the possible behaviors of the
choreography, in the presence of compromised principals
A Hybrid Analysis for Security Protocols with State
Cryptographic protocols rely on message-passing to coordinate activity among
principals. Each principal maintains local state in individual local sessions
only as needed to complete that session. However, in some protocols a principal
also uses state to coordinate its different local sessions. Sometimes the
non-local, mutable state is used as a means, for example with smart cards or
Trusted Platform Modules. Sometimes it is the purpose of running the protocol,
for example in commercial transactions.
Many richly developed tools and techniques, based on well-understood
foundations, are available for design and analysis of pure message-passing
protocols. But the presence of cross-session state poses difficulties for these
techniques.
In this paper we provide a framework for modeling stateful protocols. We
define a hybrid analysis method. It leverages theorem-proving---in this
instance, the PVS prover---for reasoning about computations over state. It
combines that with an "enrich-by-need" approach---embodied by CPSA---that
focuses on the message-passing part. As a case study we give a full analysis of
the Envelope Protocol, due to Mark Ryan
- …