Cryptographic Protocol Explication and End-Point Projection

Cryptographic protocols are useful for engineering trust in transactions. There are several languages for describing these protocols, but these tend to capture the communications from the perspective of an individual role. In contrast, traditional protocol descriptions as found in a state of nature tend to employ a whole-protocol description, resulting in an impedance mismatch. In this paper we present two results to address this gap between human descriptions and deployable specifications. The first is an end-point projection technique that consumes an explicit whole-protocol description and generates specifications that capture the behavior of each participant role. In practice, however, many whole-protocol descriptions contain idiomatic forms of implicit specification. We therefore present our second result, a transformation that identifies and eliminates these implicit patterns, thereby preparing protocols for end-point projection. Concretely, our tools consume protocols written in our whole-protocol language, , and generate role descriptions in the cryptographic protocol programming language, . We have formalized and established properties of the transformations using the Coq proof assistant. We have validated our transformations by applying them successfully to most of the protocols in the  repository. 1 Problem and Motivation In recent years, there has been a vast growth of services offered via the Web, such as third-party credit-card handling as offered by several banks. There is growing recognition that these services must offer security guarantees by building on existing protocols and techniques that establish such guarantees. Fig. 1 shows three examples of actual protocols, as found in a state of nature. Fig. 1 (a) is the specification of the Kerberos protocol [21]; (b) is the specification of the Kao Chow protocol from [17]; and (c) is the specification of the Yahalom protocol [7] for the  repository [22]. These specifications contain a description of what each role of the protocol does at each step of the protocol. They say that at each step, some role a sends a message m to another role b, written a → b : m. However, it is important to understand that this is not what actually happens. In reality, a emits a message m and b receives a message m′ that matches the pattern of m. Recognizing this distinction makes apparent the threat of man-in-the-middle attacks and other message mutilation in the network medium. This is called the Dolev-Yao network model [12]. The role of a cryptographic protocol is to ? Current affiliation: Brigham Young University.