Understanding abstractions of secure channels
FAST'10 Proceedings of the 7th International conference on Formal aspects of security and trust
Towards formal validation of trust and security in the internet of services
The future internet
Implementing cryptographic primitives in the symbolic model
NFM'11 Proceedings of the Third international conference on NASA Formal methods
ASLan++ -- a formal security specification language for distributed systems
FMCO'10 Proceedings of the 9th international conference on Formal Methods for Components and Objects
Secure composition of protocols
TOSCA'11 Proceedings of the 2011 international conference on Theory of Security and Applications
Sessions and separability in security protocols
POST'13 Proceedings of the Second international conference on Principles of Security and Trust
Hi-index | 0.00 |
We study the composition of security protocols when protocols share secrets such as keys. We show (in a Dolev-Yao model) that if two protocols use disjoint cryptographic primitives, their composition is secure if the individual protocols are secure, even if they share data. Our result holds for any cryptographic primitives that can be modeled using equational theories, such as encryption, signature, MAC, exclusive-or, and Diffie-Hellman. Our main result transforms any attack trace of the combined protocol into an attack trace of one of the individual protocols. This allows various ways of combining protocols such as sequentially or in parallel, possibly with inner replications. As an application, we show that a protocol using preestablished keys may use any (secure) key-exchange protocol without jeopardizing its security, provided that they do not use the same primitives. This allows us, for example, to securely compose a Diffie-Hellman key exchange protocol with any other protocol using the exchanged key, provided that the second protocol does not use the Diffie-Hellman primitives. We also explore tagging, which is a way of forcing the disjointness of two protocols that share cryptographic primitives We explain why composing protocols which use tagged cryptographic primitives like encryption and hash functions is secure by reducing this problem to the previous one.