Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Sessions and Separabilityin Security Protocols
Marco CarboneJoshua D. Guttman
IT University of CopenhagenWorcester Polytechnic Institute
Thanks to: Danish Agency for Science, Technology and InnovationUS National Science Foundation
(Grants CNS-0952287, CNS-1116557).
8 March 2013BiSS
MC & JDG ( ITU, WPI ) Sessions Mar 2013 1 / 33
Why session behavior counts
Customer C buys from broker B with commission from manufacturer M
• //
��
•
��
•oo
��
•
��
•
��
oo
• // •
��• // •
C B M
MC & JDG ( ITU, WPI ) Sessions Mar 2013 2 / 33
Getting paid twice
Can the broker get paid twice?
• //
��
•
��
•oo
��
•
��
•��
oo
M ′ • //
pp
�~
wqlhd
•
��
•
mm
��•��•
•
--
m l j i h f e d b a ` _ ^ \ [
// •
C B M
MC & JDG ( ITU, WPI ) Sessions Mar 2013 3 / 33
Separating M ′
• //
��
•
��
•oo
��
•
��
•��
oo
M ′ • // •
��
•
mm
��
·
ll
xrmhc_[•
��· ''m i d _ Z U Q
•
• // •
C B M
MC & JDG ( ITU, WPI ) Sessions Mar 2013 4 / 33
Session Behavior, v. 1Relates local runs of participants to global session
A protocol Π has session behavior if, in every execution:
Any two complete local runs that interactbelong to the same global session homogeneity
Any two complete local runs of the same rolebelong to different global sessions exclusion
Even with active, malicious adversary
Whatever the adversary can do,he can do without confusing sessions
MC & JDG ( ITU, WPI ) Sessions Mar 2013 5 / 33
Session Behavior, v. 1Relates local runs of participants to global session
A protocol Π has session behavior if, in every execution:
Any two complete local runs that interactbelong to the same global session homogeneity
Any two complete local runs of the same rolebelong to different global sessions exclusion
Even with active, malicious adversary
Whatever the adversary can do,he can do without confusing sessions
MC & JDG ( ITU, WPI ) Sessions Mar 2013 5 / 33
Goals of this hour
Define session behavior
Give syntactic criteria for a protocolto have session behavior
Develop proof methods “Separability theorem”
Free bonus:
Protocol independence results alsofollow from separability theorem
MC & JDG ( ITU, WPI ) Sessions Mar 2013 6 / 33
Goals of this hour
Define session behavior
Give syntactic criteria for a protocolto have session behavior
Develop proof methods “Separability theorem”
Free bonus:
Protocol independence results alsofollow from separability theorem
MC & JDG ( ITU, WPI ) Sessions Mar 2013 6 / 33
Exclusion principle requires freshness
Each role ρ selects a fresh value aρ
aρ called ρ’s proper session parameter
Distinct strands of same roleI Choose different values for aρ, soI Belong to different global sessions
Identify global session using session parameters aρfor the various roles
Homogeneity principle requires:
Crypto units should identify their session
MC & JDG ( ITU, WPI ) Sessions Mar 2013 7 / 33
A Session-respecting protocolBrokered invitation Roles: Host, broker, guest
c11 ,C1,N1 {|[|c12 ,N1,N2,K |]sk(S)|}pk(C1)
��
{|Hello ,C1,N1,N2|}K
• +3
OO
• +3 •OO
• +3 • +3
��•��
c11 ,C1,N1,
OO
{|[|c12 ,N1,N2,K |]sk(S)|}pk(C1) {|[|c22 ,N1,N2,K |]sk(S)|}pk(C2)
c21 ,C2,N2
• +3
��• +3 •
c21 ,C2,N2 {|[|c22 ,N1,N2,K |]sk(S)|}pk(C2)
OO
{|Hello ,C1,N1,N2|}K
OO
Session parameters N1,N2,K in red
MC & JDG ( ITU, WPI ) Sessions Mar 2013 8 / 33
A Session-respecting protocolBrokered invitation Roles: Host, broker, guest
c11 ,C1,N1 {|[|c12 ,N1,N2,K |]sk(S)|}pk(C1)
��
{|Hello ,C1,N1,N2|}K
• +3
OO
• +3 •OO
• +3 • +3
��•��
c11 ,C1,N1,
OO
{|[|c12 ,N1,N2,K |]sk(S)|}pk(C1) {|[|c22 ,N1,N2,K |]sk(S)|}pk(C2)
c21 ,C2,N2
• +3
��• +3 •
c21 ,C2,N2 {|[|c22 ,N1,N2,K |]sk(S)|}pk(C2)
OO
{|Hello ,C1,N1,N2|}K
OO
Session parameters N1,N2,K in red
MC & JDG ( ITU, WPI ) Sessions Mar 2013 8 / 33
So why is this hard?
Syntactic flexibility
I Session parameters may contribute to plaintext or keyI Participants may join late
Adversary model: Partial compromise
I Compliant participants get session behavior,despite compromised participants in session
double-commission problem
“Same session” is not an equivalence relation
I “May influence” is a preorder on nodes
I This is also an opportunity for generality:Reason about all may-influence relations
MC & JDG ( ITU, WPI ) Sessions Mar 2013 9 / 33
A Session-respecting protocolBrokered invitation Roles: Host, broker, guest
c11 ,C1,N1 {|[|c12 ,N1,N2,K |]sk(S)|}pk(C1)
��
{|Hello ,C1,N1,N2|}K
• +3
OO
• +3 •OO
• +3 • +3
��•��
c11 ,C1,N1,
OO
{|[|c12 ,N1,N2,K |]sk(S)|}pk(C1) {|[|c22 ,N1,N2,K |]sk(S)|}pk(C2)
c21 ,C2,N2
• +3
��• +3 •
c21 ,C2,N2 {|[|c22 ,N1,N2,K |]sk(S)|}pk(C2)
OO
{|Hello ,C1,N1,N2|}K
OO
Session parameters N1,N2,K in red
MC & JDG ( ITU, WPI ) Sessions Mar 2013 10 / 33
So why is this hard?
Syntactic flexibilityI Session parameters may contribute to plaintext or keyI Participants may join late
Adversary model: Partial compromise
I Compliant participants get session behavior,despite compromised participants in session
double-commission problem
“Same session” is not an equivalence relation
I “May influence” is a preorder on nodes
I This is also an opportunity for generality:Reason about all may-influence relations
MC & JDG ( ITU, WPI ) Sessions Mar 2013 11 / 33
Achieving session behavior
Contributive: Each encryption involves all session parameters acquired sofar
No ambiguity: Two encryptions that unify agree on session parameters
Early arrivals x are acquired on first reception or first transmission
Late arrivals y are acquired in encrypted form;fresh values acquired on same node are encrypted
MC & JDG ( ITU, WPI ) Sessions Mar 2013 12 / 33
Achieving session behavior
Contributive: Each encryption involves all session parameters acquired sofar
No ambiguity: Two encryptions that unify agree on session parameters
Early arrivals x are acquired on first reception or first transmission
Late arrivals y are acquired in encrypted form;fresh values acquired on same node are encrypted
MC & JDG ( ITU, WPI ) Sessions Mar 2013 12 / 33
Achieving session behavior
Contributive: Each encryption involves all session parameters acquired sofar
No ambiguity: Two encryptions that unify agree on session parameters
Early arrivals x are acquired on first reception or first transmission
Late arrivals y are acquired in encrypted form;fresh values acquired on same node are encrypted
MC & JDG ( ITU, WPI ) Sessions Mar 2013 12 / 33
Achieving session behavior
Contributive: Each encryption involves all session parameters acquired sofar
No ambiguity: Two encryptions that unify agree on session parameters
Early arrivals x are acquired on first reception or first transmission
Late arrivals y are acquired in encrypted form;fresh values acquired on same node are encrypted
MC & JDG ( ITU, WPI ) Sessions Mar 2013 12 / 33
So why is this hard?
Syntactic flexibilityI Session parameters may contribute to plaintext or keyI Participants may join late
Adversary model: Partial compromiseI Compliant participants get session behavior,
despite compromised participants in sessiondouble-commission problem
“Same session” is not an equivalence relation
I “May influence” is a preorder on nodes
I This is also an opportunity for generality:Reason about all may-influence relations
MC & JDG ( ITU, WPI ) Sessions Mar 2013 13 / 33
So why is this hard?
Syntactic flexibilityI Session parameters may contribute to plaintext or keyI Participants may join late
Adversary model: Partial compromiseI Compliant participants get session behavior,
despite compromised participants in sessiondouble-commission problem
“Same session” is not an equivalence relationI “May influence” is a preorder on nodes
I This is also an opportunity for generality:Reason about all may-influence relations
MC & JDG ( ITU, WPI ) Sessions Mar 2013 13 / 33
A Session-respecting protocolBrokered invitation Roles: Host, broker, guest
c11 ,C1,N1 {|[|c12 ,N1,N2,K |]sk(S)|}pk(C1)
��
{|Hello ,C1,N1,N2|}K
• +3
OO
• +3 •OO
• +3 • +3
��•��
c11 ,C1,N1,
OO
{|[|c12 ,N1,N2,K |]sk(S)|}pk(C1) {|[|c22 ,N1,N2,K |]sk(S)|}pk(C2)
c21 ,C2,N2
• +3
��• +3 •
c21 ,C2,N2 {|[|c22 ,N1,N2,K |]sk(S)|}pk(C2)
OO
{|Hello ,C1,N1,N2|}K
OO
Session parameters N1,N2,K in red
MC & JDG ( ITU, WPI ) Sessions Mar 2013 14 / 33
What about this? Execution B“Bundle” formalizes execution
•
c11,N1,C1
++g f e c b a ` _ ^ ] \ [ Z X Wc11,N1,C1
//
��
S
��
•c21,N2,C2
ooc21,N2,C2
//_____
��
S ′
��•
��
•
��
oo •
��
{|[|c12,N2,N1,K ′|]sk(S)|}pk(C1)//
• // •
��
•{|[|c22,N2,N1,K ′|]sk(S)|}pk(C2)
//
•{|Hello,C1,N1,N2|}K
// •
This interactionis inessential
MC & JDG ( ITU, WPI ) Sessions Mar 2013 15 / 33
What about this? Execution B“Bundle” formalizes execution
•
c11,N1,C1
++g f e c b a ` _ ^ ] \ [ Z X Wc11,N1,C1
//
��
S
��
•c21,N2,C2
ooc21,N2,C2
//_____
��
S ′
��•
��
•
��
oo •
��
{|[|c12,N2,N1,K ′|]sk(S)|}pk(C1)//
• // •
��
•{|[|c22,N2,N1,K ′|]sk(S)|}pk(C2)
//
•{|Hello,C1,N1,N2|}K
// •
This interactionis inessential
MC & JDG ( ITU, WPI ) Sessions Mar 2013 15 / 33
Uncoupling B into C via a renaming[N2 7→ N ′1, N1 7→ N ′2] on right
• c11,N1,C1 //
��
S
��
•c21,N2,C2oo
��
S ′
��
c11,N′1,C1,c21,N′2,C2oo_ _ _ _ _ _ _ _ _ _
•
��
•
��
oo •
��
{|[|c12,N′1,N′2,K ′|]sk(S)|}pk(C1)//
• // •
��
•{|[|c22,N′1,N′2,K ′|]sk(S)|}pk(C2)
//
•{|Hello,C1,N1,N2|}K
// •
Actually, B results from this C via α =[N1 7→ N1, N2 7→ N2, N
′1 7→ N2, N
′2 7→ N1]
MC & JDG ( ITU, WPI ) Sessions Mar 2013 16 / 33
Uncoupling B into C via a renaming[N2 7→ N ′1, N1 7→ N ′2] on right
• c11,N1,C1 //
��
S
��
•c21,N2,C2oo
��
S ′
��
c11,N′1,C1,c21,N′2,C2oo_ _ _ _ _ _ _ _ _ _
•
��
•
��
oo •
��
{|[|c12,N′1,N′2,K ′|]sk(S)|}pk(C1)//
• // •
��
•{|[|c22,N′1,N′2,K ′|]sk(S)|}pk(C2)
//
•{|Hello,C1,N1,N2|}K
// •
Actually, B results from this C via α =[N1 7→ N1, N2 7→ N2, N
′1 7→ N2, N
′2 7→ N1]
MC & JDG ( ITU, WPI ) Sessions Mar 2013 16 / 33
“Lies below”
We say that C lies below B via α
1 α is a “local renaming” relative to a partition of C2 B has all the edges of C and possibly more
Special kind of homomorphism C α→ B
C is lower in the “information ordering:”
Fewer arrows
Fewer identifications of parameters
MC & JDG ( ITU, WPI ) Sessions Mar 2013 17 / 33
“Lies below”
We say that C lies below B via α
1 α is a “local renaming” relative to a partition of C2 B has all the edges of C and possibly more
Special kind of homomorphism C α→ B
C is lower in the “information ordering:”
Fewer arrows
Fewer identifications of parameters
MC & JDG ( ITU, WPI ) Sessions Mar 2013 17 / 33
“Lies below”
We say that C lies below B via α
1 α is a “local renaming” relative to a partition of C2 B has all the edges of C and possibly more
Special kind of homomorphism C α→ B
C is lower in the “information ordering:”
Fewer arrows
Fewer identifications of parameters
MC & JDG ( ITU, WPI ) Sessions Mar 2013 17 / 33
Session Behavior, v. 1Relates local runs of participants to global session
A protocol Π has session behavior if, in every execution:
Any two complete local runs that interactbelong to the same global session homogeneity
Any two complete local runs of the same rolebelong to different global sessions exclusion
Even with active, malicious adversary
Whatever the adversary can do,he can do without confusing sessions
MC & JDG ( ITU, WPI ) Sessions Mar 2013 18 / 33
May-influence relations
; is a “may-influence” relation if
preorder: ; is a preorder on nodes
progress: m⇒ n implies m ; n
no V s: When a uniquely originates at n1 and reaches n2:
n1 +++k+k+kn1 +++k+k+k���O
n3 implies n3n2
333s3s3sn2
333s3s3s
MC & JDG ( ITU, WPI ) Sessions Mar 2013 19 / 33
Session Behavior, v. 2
Π obeys ; if,for all bundles B, there exists a C lying below B s.t.
m �C n implies m ; n.
The session influence relation, m ;s n, holds, if
every session parameter aρalready defined on m is defined on n,
and takes the same value on n
Π has session behavior if
Π obeys ;s
MC & JDG ( ITU, WPI ) Sessions Mar 2013 20 / 33
So why is this hard?
Syntactic flexibilityI Session parameters may contribute to plaintext or keyI Participants may join late
Adversary model: Partial compromiseI Compliant participants get session behavior,
despite compromised participants in sessiondouble-commission problem
“Same session” is not an equivalence relationI “May influence” is a preorder on nodesI This is also an opportunity for generality:
Reason about all may-influence relations
MC & JDG ( ITU, WPI ) Sessions Mar 2013 21 / 33
Reasoning about separability
Adversary transports information along paths
Progressively takes apartand reconstructs messages
If adversary breaks down to basic parts,can substitute new basic values
Assuming that results he deliversnever get back to original source
MC & JDG ( ITU, WPI ) Sessions Mar 2013 22 / 33
Reasoning about separability
Adversary transports information along paths
Progressively takes apartand reconstructs messages
If adversary breaks down to basic parts,can substitute new basic values
Assuming that results he deliversnever get back to original source
MC & JDG ( ITU, WPI ) Sessions Mar 2013 22 / 33
Reasoning about separability
Adversary transports information along paths
Progressively takes apartand reconstructs messages
If adversary breaks down to basic parts,can substitute new basic values
Assuming that results he deliversnever get back to original source
MC & JDG ( ITU, WPI ) Sessions Mar 2013 22 / 33
Reasoning about separability
Adversary transports information along paths
Progressively takes apartand reconstructs messages
If adversary breaks down to basic parts,can substitute new basic values
Assuming that results he deliversnever get back to original source
MC & JDG ( ITU, WPI ) Sessions Mar 2013 22 / 33
Adversary actions
• a→
t1
��
t2
��
{|t1|}t2
• +3 • +3 •
OO
• +3 • +3 •��
{|t1|}t2
OO
t2−1
OO
t1
t1
��
t2
��
tag t1 , t2
• +3 • +3 •
OO
• +3 • +3
��
•��
tag t1 , t2
OO
t1 t2
MC & JDG ( ITU, WPI ) Sessions Mar 2013 23 / 33
Adversary paths
◦{|A ,Na|}pk(C) // •
��
•
��
•
��
•
��
•
pk(B)}}
•pk(C)−1
// •
��
•
��
A
66
•
��
•
��•
A ,Na
??
•Na
66
•
A ,Na
??
•{|A ,Na|}pk(B)// ◦
MC & JDG ( ITU, WPI ) Sessions Mar 2013 24 / 33
About Adversary Paths
Path p is direct1 if it has no key edges,except maybe the last step
Path p is normal ifany destruction precedes all construction
Bundle B is normal ifall its direct paths are normal
The bridge of a normal path is the message that follows alldestruction and precedes all construction
1This talk: only consider direct paths; applicable when protocols use basic keys.MC & JDG ( ITU, WPI ) Sessions Mar 2013 25 / 33
About Adversary Paths
Path p is direct1 if it has no key edges,except maybe the last step
Path p is normal ifany destruction precedes all construction
Bundle B is normal ifall its direct paths are normal
The bridge of a normal path is the message that follows alldestruction and precedes all construction
1This talk: only consider direct paths; applicable when protocols use basic keys.MC & JDG ( ITU, WPI ) Sessions Mar 2013 25 / 33
About Adversary Paths
Path p is direct1 if it has no key edges,except maybe the last step
Path p is normal ifany destruction precedes all construction
Bundle B is normal ifall its direct paths are normal
The bridge of a normal path is the message that follows alldestruction and precedes all construction
1This talk: only consider direct paths; applicable when protocols use basic keys.MC & JDG ( ITU, WPI ) Sessions Mar 2013 25 / 33
About Adversary Paths
Path p is direct1 if it has no key edges,except maybe the last step
Path p is normal ifany destruction precedes all construction
Bundle B is normal ifall its direct paths are normal
The bridge of a normal path is the message that follows alldestruction and precedes all construction
1This talk: only consider direct paths; applicable when protocols use basic keys.MC & JDG ( ITU, WPI ) Sessions Mar 2013 25 / 33
A lemma
Lemma1 Every bundle is equivalent to a normal bundle
2 Let p be direct and normal.1 The bridge of p is a common ingredient
of the messages at the two ends
2 Either some encryption {|t|}K appears at both ends of p,or else the bridge of p is
MC & JDG ( ITU, WPI ) Sessions Mar 2013 26 / 33
A lemma
Lemma1 Every bundle is equivalent to a normal bundle2 Let p be direct and normal.
1 The bridge of p is a common ingredientof the messages at the two ends
2 Either some encryption {|t|}K appears at both ends of p,or else the bridge of p is
MC & JDG ( ITU, WPI ) Sessions Mar 2013 26 / 33
A lemma
Lemma1 Every bundle is equivalent to a normal bundle2 Let p be direct and normal.
1 The bridge of p is a common ingredientof the messages at the two ends
2 Either some encryption {|t|}K appears at both ends of p,or else the bridge of p is encryption-free
MC & JDG ( ITU, WPI ) Sessions Mar 2013 26 / 33
Adversary paths
◦{|A ,Na|}pk(C) // •
��
•
��
•
��
•
��
•
pk(B)}}
•pk(C)−1
// •
��
•
��
A
66
•
��
•
��•
A ,Na
??
•Na
66
•
A ,Na
??
•{|A ,Na|}pk(B)// ◦
MC & JDG ( ITU, WPI ) Sessions Mar 2013 27 / 33
A lemma
Lemma1 Every bundle is equivalent to a normal bundle2 Let p be direct and normal.
1 The bridge of p is a common ingredientof the messages at the two ends
2 Either some encryption {|t|}K appears at both ends of p,or else the bridge of p is encryption-free
MC & JDG ( ITU, WPI ) Sessions Mar 2013 28 / 33
A lemma
Lemma1 Every bundle is equivalent to a normal bundle2 Let p be direct and normal.
1 The bridge of p is a common ingredientof the messages at the two ends
2 Either some encryption {|t|}K appears at both ends of p,or else the bridge of p is basic
MC & JDG ( ITU, WPI ) Sessions Mar 2013 28 / 33
Paths that cross sessions
Suppose in B1 All session parameters appear in every encryption {|t|}K2 p crosses from one session to another, i.e.
first(p) 6;s last(p)
Then
1 p has basic bridge term a
2 Adversary can omit edge andreplace a with some other a′
3 Resulting bundle C lies below B4 No-V s property implies change never affects later node
MC & JDG ( ITU, WPI ) Sessions Mar 2013 29 / 33
Paths that cross sessions
Suppose in B1 All session parameters appear in every encryption {|t|}K2 p crosses from one session to another, i.e.
first(p) 6;s last(p)
Then
1 p has basic bridge term a
2 Adversary can omit edge andreplace a with some other a′
3 Resulting bundle C lies below B4 No-V s property implies change never affects later node
MC & JDG ( ITU, WPI ) Sessions Mar 2013 29 / 33
Paths that cross sessions
Suppose in B1 All session parameters appear in every encryption {|t|}K2 p crosses from one session to another, i.e.
first(p) 6;s last(p)
Then
1 p has basic bridge term a
2 Adversary can omit edge andreplace a with some other a′
3 Resulting bundle C lies below B
4 No-V s property implies change never affects later node
MC & JDG ( ITU, WPI ) Sessions Mar 2013 29 / 33
Paths that cross sessions
Suppose in B1 All session parameters appear in every encryption {|t|}K2 p crosses from one session to another, i.e.
first(p) 6;s last(p)
Then
1 p has basic bridge term a
2 Adversary can omit edge andreplace a with some other a′
3 Resulting bundle C lies below B4 No-V s property implies change never affects later node
MC & JDG ( ITU, WPI ) Sessions Mar 2013 29 / 33
The Separability Theorem
Definition1 Path p is ;-critical if first(p) 6; last(p)
2 B is ;-reparable if every ;-critical path in B has a basic bridge
Theorem
For every ;-reparable B,there is a C lying below B such that C obeys ;
To prove separability, check:
1 m 6; n implies no common encryptions
2 ; satisfies no-V s may involve restrictions
MC & JDG ( ITU, WPI ) Sessions Mar 2013 30 / 33
The Separability Theorem
Definition1 Path p is ;-critical if first(p) 6; last(p)
2 B is ;-reparable if every ;-critical path in B has a basic bridge
Theorem
For every ;-reparable B,there is a C lying below B such that C obeys ;
To prove separability, check:
1 m 6; n implies no common encryptions
2 ; satisfies no-V s may involve restrictions
MC & JDG ( ITU, WPI ) Sessions Mar 2013 30 / 33
The Separability Theorem
Definition1 Path p is ;-critical if first(p) 6; last(p)
2 B is ;-reparable if every ;-critical path in B has a basic bridge
Theorem
For every ;-reparable B,there is a C lying below B such that C obeys ;
To prove separability, check:
1 m 6; n implies no common encryptions
2 ; satisfies no-V s may involve restrictions
MC & JDG ( ITU, WPI ) Sessions Mar 2013 30 / 33
Applications: Sessions
Session protocols: Π-bundles are ;s-reparable ifΠ has session parameters
No-V s property requires a restriction,that some keys uncompromised,
when Π allows late arrivals
MC & JDG ( ITU, WPI ) Sessions Mar 2013 31 / 33
Applications, 2
Protocol composition, I: Π1 ∪ Π2-bundles are ;C -reparable ifΠ1 and Π2 have no unifiable encryptions, anduse only basic keys
m ;C n iff m, n ∈ nodes(Π1) or m, n ∈ nodes(Π2)Π1 6;C Π2, Π2 6;C Π1
Protocol composition, II: No unifiable encryptions suffices in I
Protocol composition, III: Π1 ∪ Π2-bundles are ;DE -reparable ifΠ2 generates no encryptions accepted on Π1 nodesΠ2 extracts nothing from Π1 encryptions
m ;DE n iff m ∈ nodes(Π1) or m, n ∈ nodes(Π2)Π2 6;C Π1 but Π1 ;C Π2
MC & JDG ( ITU, WPI ) Sessions Mar 2013 32 / 33
Applications, 2
Protocol composition, I: Π1 ∪ Π2-bundles are ;C -reparable ifΠ1 and Π2 have no unifiable encryptions, anduse only basic keys
m ;C n iff m, n ∈ nodes(Π1) or m, n ∈ nodes(Π2)Π1 6;C Π2, Π2 6;C Π1
Protocol composition, II: No unifiable encryptions suffices in I
Protocol composition, III: Π1 ∪ Π2-bundles are ;DE -reparable ifΠ2 generates no encryptions accepted on Π1 nodesΠ2 extracts nothing from Π1 encryptions
m ;DE n iff m ∈ nodes(Π1) or m, n ∈ nodes(Π2)Π2 6;C Π1 but Π1 ;C Π2
MC & JDG ( ITU, WPI ) Sessions Mar 2013 32 / 33
Applications, 2
Protocol composition, I: Π1 ∪ Π2-bundles are ;C -reparable ifΠ1 and Π2 have no unifiable encryptions, anduse only basic keys
m ;C n iff m, n ∈ nodes(Π1) or m, n ∈ nodes(Π2)Π1 6;C Π2, Π2 6;C Π1
Protocol composition, II: No unifiable encryptions suffices in I
Protocol composition, III: Π1 ∪ Π2-bundles are ;DE -reparable ifΠ2 generates no encryptions accepted on Π1 nodesΠ2 extracts nothing from Π1 encryptions
m ;DE n iff m ∈ nodes(Π1) or m, n ∈ nodes(Π2)Π2 6;C Π1 but Π1 ;C Π2
MC & JDG ( ITU, WPI ) Sessions Mar 2013 32 / 33
Goals of this hour
Define session behavior
Give syntactic criteria for a protocolto have session behavior
Develop proof methods “Separability theorem”
Free bonus:
Protocol independence results alsofollow from separability theorem
MC & JDG ( ITU, WPI ) Sessions Mar 2013 33 / 33