Security Theorems via Model Theory

A model-theoretic approach can establish security theorems for cryptographic protocols. Formulas expressing authentication and non-disclosure properties of protocols have a special form. They are quantified implications for all xs . (phi implies for some ys . psi). Models (interpretations) for these formulas are *skeletons*, partially ordered structures consisting of a number of local protocol behaviors. Realized skeletons contain enough local sessions to explain all the behavior, when combined with some possible adversary behaviors. We show two results. (1) If phi is the antecedent of a security goal, then there is a skeleton A_phi such that, for every skeleton B, phi is satisfied in B iff there is a homomorphism from A_phi to B. (2) A protocol enforces for all xs . (phi implies for some ys . psi) iff every realized homomorphic image of A_phi satisfies psi. Hence, to verify a security goal, one can use the Cryptographic Protocol Shapes Analyzer CPSA (TACAS, 2007) to identify minimal realized skeletons, or "shapes," that are homomorphic images of A_phi. If psi holds in each of these shapes, then the goal holds

Skeletons and the shapes of bundles

Abstract. The shapes of a protocol are its minimal, essentially different executions. Naturally occurring protocols have only finitely many, indeed very few shapes. Authentication and secrecy properties are easy to determine from the shapes, as are attacks and anomalies. In this paper, we define the idea of shape, and we also provide some operations that can be used to construct shapes. These operations are versions of the two authentication tests, fundamental patterns for protocol analysis and heuristics for protocol design. The authentication tests were originally presented as theorems about all complete executions. We have strengthened those results here. We also use them to infer construction operations for shapes. These construction operations work on partial descriptions of executions, and serve as information-increasing transformations on the descriptions. 1 The Idea of Shapes In this paper, we study how to construct the shapes of a protocol, where b

Searching for shapes in cryptographic protocols

Abstract. We describe a method for enumerating all essentially different executions possible for a cryptographic protocol. We call them the shapes of the protocol. Naturally occurring protocols have only finitely many, indeed very few shapes. Authentication and secrecy properties are easy to determine from them, as are attacks and anomalies. cpsa, our Cryptographic Protocol Shape Analyzer, implements the method. In searching for shapes, cpsa starts with some initial behavior, and discovers what shapes are compatible with it. Normally, the initial behavior is the point of view of one participant. The analysis reveals what the other principals must have done, given this participant’s view. The search is complete, i.e. every shape can in fact be found in a finite number of steps. The steps in question are applications of two authentication tests, fundamental patterns for protocol analysis and heuristics for protocol design. We have formulated the authentication tests in a new, stronger form, and proved completeness for a search algorithm based on them.