Choreographies with Secure Boxes and Compromised Principals

We equip choreography-level session descriptions with a simple abstraction of a security infrastructure. Message components may be enclosed within (possibly nested) "boxes" annotated with the intended source and destination of those components. The boxes are to be implemented with cryptography. Strand spaces provide a semantics for these choreographies, in which some roles may be played by compromised principals. A skeleton is a partially ordered structure containing local behaviors (strands) executed by regular (non-compromised) principals. A skeleton is realized if it contains enough regular strands so that it could actually occur, in combination with any possible activity of compromised principals. It is delivery guaranteed (DG) realized if, in addition, every message transmitted to a regular participant is also delivered. We define a novel transition system on skeletons, in which the steps add regular strands. These steps solve tests, i.e. parts of the skeleton that could not occur without additional regular behavior. We prove three main results about the transition system. First, each minimal DG realized skeleton is reachable, using the transition system, from any skeleton it embeds. Second, if no step is possible from a skeleton A, then A is DG realized. Finally, if a DG realized B is accessible from A, then B is minimal. Thus, the transition system provides a systematic way to construct the possible behaviors of the choreography, in the presence of compromised principals

Cryptographic protocol composition via the authentication tests

Abstract. Although cryptographic protocols are typically analyzed in isolation, they are used in combinations. If a protocol Π1, when analyzed alone, was shown to meet some security goals, will it still meet those goals when executed together with a second protocol Π2? Not necessarily: for every Π1, some Π2s undermine its goals. We use the strand space “authentication test ” principles to suggest a criterion to ensure a Π2 preserves Π1’s goals; this criterion strengthens previous proposals. Security goals for Π1 are expressed in a language L(Π1) in classical logic. Strand spaces provide the models for L(Π1). Certain homomorphisms among models for L(Π) preserve the truth of the security goals. This gives a way to extract—from a counterexample to a goal that uses both protocols—a counterexample using only the first protocol. This model-theoretic technique, using homomorphisms among models to prove results about a syntactically defined set of formulas, appears to be novel for protocol analysis