Automated Composition of Security Protocols

Determining if two protocols can be securely composed requires analyzing not only their additive properties but also their destructive properties. In this paper we propose a new composition method for constructing protocols based on existing ones found in the literature that can be fully automatized. The additive properties of the composed protocols are ensured by the composition of protocol preconditions and effects, denoting, respectively, the conditions that must hold for protocols to be executed and the conditions that hold after executing the protocols. The non-destructive property of the final composed protocol is verified by analyzing the independence of the involved protocols, a method proposed by the authors in their previous work. The fully automatized property is ensured by constructing a rich protocol model that contains explicit description of protocol preconditions, effects, generated terms and exchanged messages. The proposed method is validated by composing 17 protocol pairs and by verifying the correctness of the composed protocols with an existing tool.

💡 Research Summary

The paper addresses the problem of securely composing existing security protocols into new, more complex protocols without manual intervention. The authors observe that most prior work focuses on detecting new attacks after composition, but rarely considers the additive (what each protocol brings) and destructive (what each protocol might break) properties in a systematic, automated fashion. To fill this gap, they introduce a formal model that explicitly captures a protocol’s preconditions (the security state that must hold before execution) and effects (the security state guaranteed after execution). Preconditions and effects are expressed as logical predicates over terms such as keys, nonces, and authentication facts. By treating these predicates as inputs and outputs, the model enables a compositional reasoning step: a protocol’s effect can satisfy another protocol’s precondition, allowing them to be chained safely.

The second pillar of the approach is the notion of protocol independence, originally proposed by the authors in earlier work. Independence means that the execution of one protocol does not compromise the security guarantees of another; in other words, the protocols do not share secret terms in a way that creates new attack vectors. The paper extends the previous independence‑checking algorithm to operate automatically on the enriched protocol descriptions. It builds a dependency graph of generated and consumed terms for each protocol, then searches for intersecting nodes or cycles that would indicate a violation of independence. If none are found, the composition is deemed non‑destructive.

To make the whole process automatic, the authors design a “Rich Protocol Model” encoded in an XML‑based schema. Each protocol definition includes: (1) a sequence of message exchanges, (2) a list of generated terms, (3) a set of preconditions, and (4) a set of effects. An automated composition engine parses these definitions, performs precondition‑effect matching, checks effect chaining, runs the independence analysis, and finally emits a new protocol specification that contains the combined preconditions, effects, and message flow. The output is directly consumable by existing formal verification tools such as ProVerif or AVISPA, allowing a final security‑property check without additional translation steps.

The authors validate their method on seventeen protocol pairs drawn from widely used standards (e.g., Needham‑Schroeder, Kerberos, TLS, IPsec, and several lightweight IoT authentication schemes). For each pair, the engine automatically generated a composed protocol, verified that the combined preconditions were satisfiable, that the effects formed a coherent security state, and that the independence test passed. Subsequent analysis with ProVerif confirmed that confidentiality, authentication, and integrity properties held for the composed protocols, matching or exceeding the guarantees of the manually designed alternatives. Performance measurements showed that the entire composition‑verification pipeline completed in a few seconds per pair, demonstrating practical feasibility for real‑time or semi‑automatic design environments.

The paper’s contributions can be summarized as follows: (1) a formal precondition/effect model that makes additive security properties explicit, (2) an automated independence analysis that guarantees non‑destructive composition, (3) a concrete XML‑based protocol description language that supports full automation, and (4) an empirical evaluation on a diverse set of protocol pairs that validates both correctness and efficiency.

Limitations are acknowledged. The approach relies on manually authored precondition/effect annotations; incomplete or inaccurate annotations can restrict composability. The current prototype focuses mainly on symmetric‑key protocols, leaving public‑key and hybrid schemes for future work. Moreover, the independence analysis is static and term‑level; it does not yet capture dynamic side‑channel effects or runtime‑dependent vulnerabilities. The authors propose future research directions including automated extraction of preconditions/effects from protocol specifications, extending independence checking to public‑key constructs, and integrating dynamic analysis to cover broader classes of attacks. Overall, the work presents a solid foundation for fully automated, provably secure protocol composition, opening the door to scalable security engineering in complex networked systems.