Composing security protocols: from confidentiality to privacy
This work addresses the challenge of formal verification for complex security protocols, which is crucial for ensuring privacy in daily applications, though it appears incremental by building on existing modular techniques.
The paper tackles the complexity of verifying security protocols by developing modular composition techniques, enabling the derivation of security properties like confidentiality and privacy from individual sub-protocol analyses, as demonstrated on 3G phone and electronic passport protocols.
Security protocols are used in many of our daily-life applications, and our privacy largely depends on their design. Formal verification techniques have proved their usefulness to analyse these protocols, but they become so complex that modular techniques have to be developed. We propose several results to safely compose security protocols. We consider arbitrary primitives modeled using an equational theory, and a rich process algebra close to the applied pi calculus. Relying on these composition results, we are able to derive some security properties on a protocol from the security analysis performed on each sub-protocol individually. We consider parallel composition and the case of key-exchange protocols. Our results apply to deal with confidentiality but also privacy-type properties (e.g. anonymity, unlinkability) expressed using a notion of equivalence. We illustrate the usefulness of our composition results on protocols from the 3G phone application and electronic passport.