Choreographies with Secure Boxes and Compromised Principals

We equip choreography-level session descriptions with a simple abstraction of a security infrastructure. Message components may be enclosed within (possibly nested) “boxes” annotated with the intended source and destination of those components. The boxes are to be implemented with cryptography. Strand spaces provide a semantics for these choreographies, in which some roles may be played by compromised principals. A skeleton is a partially ordered structure containing local behaviors (strands) executed by regular (non-compromised) principals. A skeleton is realized if it contains enough regular strands so that it could actually occur, in combination with any possible activity of compromised principals. It is delivery guaranteed (DG) realized if, in addition, every message transmitted to a regular participant is also delivered. We define a novel transition system on skeletons, in which the steps add regular strands. These steps solve tests, i.e. parts of the skeleton that could not occur without additional regular behavior. We prove three main results about the transition system. First, each minimal DG realized skeleton is reachable, using the transition system, from any skeleton it embeds. Second, if no step is possible from a skeleton A, then A is DG realized. Finally, if a DG realized B is accessible from A, then B is minimal. Thus, the transition system provides a systematic way to construct the possible behaviors of the choreography, in the presence of compromised principals.

💡 Research Summary

The paper addresses a gap in choreography‑based service specifications: while choreographies describe the global ordering of message exchanges, they traditionally lack an explicit representation of cryptographic protection. To bridge this gap the authors introduce “boxes”, an abstract construct that encloses selected parts of a message together with the intended sender and receiver identifiers. A box may be nested and is meant to be realized by standard cryptographic primitives (public‑key encryption, signatures, MACs, etc.). The essential security guarantees of a box are twofold: only the designated sender can create the box and only the designated receiver can open it.

The operational semantics of choreographies with boxes is given in the strand‑space framework. A strand is a linear sequence of local actions (send, receive, box creation, box opening) performed by a single participant. The global execution is a collection of strands together with a partial order that captures causality between events on different strands. The model distinguishes between regular participants (non‑compromised) and compromised principals, the latter being able to behave arbitrarily and to inject any number of malicious strands.

A “skeleton” is defined as a partially ordered structure that contains only the strands of regular participants. A skeleton is realized if there exists some set of compromised strands such that the combined execution (regular + compromised) satisfies all the constraints imposed by the choreography and the boxes. A stronger notion, delivery‑guaranteed (DG) realized, adds the requirement that every message sent to a regular participant is indeed delivered to that participant.

The core technical contribution is a transition system that incrementally enriches a skeleton. Each transition identifies a test—a fragment of the skeleton that cannot be satisfied without additional regular behavior (for example, a regular participant attempting to open a box for which no regular strand creates the corresponding box). The transition rule adds the minimal regular strand(s) needed to satisfy that test, thereby extending the partial order accordingly. The process is nondeterministic, but the authors prove three fundamental theorems:

1. Reachability – Any minimal DG‑realized skeleton B that embeds a given skeleton A can be reached from A by a finite sequence of transitions. In other words, starting from any under‑specified skeleton, repeated application of the transition rules will eventually construct a complete, minimal execution that respects both the choreography and the security constraints.

2. Closure – If no transition is applicable to a skeleton A, then A is already DG‑realized. This shows that the transition system is exhaustive: it halts exactly when a fully consistent execution has been obtained.

3. Minimality – Whenever a DG‑realized skeleton B is reachable from A, B is minimal; no proper sub‑skeleton of B can still be DG‑realized. Consequently, the transition system does not introduce superfluous regular strands.

Together, these results provide a systematic, algorithmic method for constructing all possible regular executions of a choreography in the presence of compromised principals. The method can be used for automated verification: given a choreography with boxes, a tool can start from an empty skeleton, apply the transition rules, and either produce a minimal DG‑realized skeleton (showing that the choreography is feasible under the assumed threat model) or discover that no such skeleton exists (indicating a potential security flaw).

The paper also discusses practical implications. Boxes serve as a high‑level abstraction that can be mapped to concrete cryptographic operations during implementation, allowing designers to reason about security properties at the choreography level without committing to a specific crypto scheme. Moreover, because compromised principals are modeled explicitly, the analysis captures realistic adversarial capabilities such as message injection, replay, and selective dropping, which are often omitted in traditional protocol verification that assumes a Dolev‑Yao attacker only on the network.

In summary, the authors present a novel formalism that enriches choreography specifications with abstract cryptographic protection, define a precise semantics using strand spaces, and introduce a transition‑based construction that yields all minimal, delivery‑guaranteed executions even when some participants are malicious. The work lays a solid theoretical foundation for building automated analysis tools and for integrating security considerations directly into the design of service‑oriented choreographies.