Section: New Results
Composition
Participants: Ştefan Ciobâcă, Stéphanie Delaune, Steve Kremer.
Current state-of-the-art tools and techniques have become efficient enough to analyze many protocols. However, these analyses are carried out in isolation, without necessarily taking into account other protocols that are executed in parallel. It is often assumed that participants share a key, abstracting away how this key has been distributed. It is therefore important to obtain composition results that allow protocols to be composed. For instance, such composition results aim at showing that if two protocols are secure individually then their parallel composition preserves the security guarantees of the protocols, even if some keying material is shared, or if the same password is reused. Another example of composition is to show that if a key exchange protocol is secure and if a protocol relying on a shared key guarantees a given property, then these protocols can be composed sequentially. This allows the shared key assumption to be implemented by any secure key exchange protocol.
In [33], Delaune and Kremer, in collaboration with Olivier Pereira (Université Catholique de Louvain, Belgium), present a symbolic framework for refinement and composition of security protocols. The framework uses the notion of ideal functionalities. These are abstract systems which are secure by construction and which can be combined into larger systems. They can be separately refined in order to obtain concrete protocols implementing them. This work builds on ideas from computational models such as the universally composable security and reactive simulatability frameworks. The underlying language they use is the applied pi calculus, which is a general language for specifying security protocols. The framework makes it possible to express the different standard flavours of simulation-based security, which all turn out to coincide. The framework is illustrated on an authentication functionality which can be realized using the Needham-Schroeder-Lowe protocol. For this, an ideal functionality for asymmetric encryption and its realization are defined. They also show a joint state result for this functionality which allows composition (even though the same key material is reused) using a tagging mechanism. Ştefan Ciobâcă, in collaboration with Véronique Cortier, is also currently working on techniques allowing sequential composition of protocols. This work has been submitted to a conference and is currently under review.