Execution Models for Choreographies and Cryptoprotocols


📝 Original Info

  • Title: Execution Models for Choreographies and Cryptoprotocols
  • ArXiv ID: 1002.0935
  • Date: 2010-02-05
  • Authors: Researchers from original ArXiv paper

📝 Abstract

A choreography describes a transaction in which several principals interact. Since choreographies frequently describe business processes affecting substantial assets, we need a security infrastructure in order to implement them safely. As part of a line of work devoted to generating cryptoprotocols from choreographies, we focus here on the execution models suited to the two levels. We give a strand-style semantics for choreographies, and propose a special execution model in which choreography-level messages are faithfully delivered exactly once. We adapt this model to handle multiparty protocols in which some participants may be compromised. At the level of cryptoprotocols, we use the standard Dolev-Yao execution model, with one alteration. Since many implementations use a "nonce cache" to discard multiply delivered messages, we provide a semantics for at-most-once delivery.

📄 Full Content

Choreographies are global descriptions of transactions, including business or financial transactions. They describe the intertwined behavior of several principals as they negotiate some agreement and, frequently, commit some state change. A key idea is end-point projection [5], which converts a global description into a set of descriptions that determine the local behavior of the individual participants in a choreography. Conversely, global synthesis of a choreography from local behaviors is also sometimes possible, i.e. meshing a set of local behaviors into a comprehensive global description [11].

Because these transactions may transfer sums of money and other objects of value, or may communicate sensitive information among the principals, they require a security infrastructure. It would be desirable to synthesize a cryptographic protocol directly from a choreography description, to control how adversaries can interfere with transactions among compliant principals. Corin et al. [6] have made a substantial start on this problem, with further advances described in [3]. However, many questions remain, for instance how to optimize the generated cryptographic protocols, how best to establish that they are always correct, and indeed how best to define their correctness.

This last question concerns how to state what control the protocol should provide against adversaries trying to interfere with transactions. It is a substantial question because the execution model that choreographies use is quite distant from the execution model cryptographic protocols are designed to cope with. For instance, choreographies use an execution model (or communication model) in which messages are never received by any party other than the intended recipient, or if the formalism represents channels, they are received only over the channel. Moreover, messages are always delivered if the recipient is willing to receive the message. Messages are delivered only if they were sent, and specifically only if they were sent by the expected peer. Finally, they are delivered only once. These aspects of the model mean that confidentiality and integrity properties are built into the underlying assumptions. A security infrastructure is intended to justify exactly these assumptions, i.e. to provide a set of behaviors in which these assumptions are satisfied.

Naturally, these behaviors must be achieved within an underlying model in which the adversary is much stronger. In this model (typically called the Dolev-Yao model, after a paper [8] in which Dolev and Yao formalized ideas suggested by Needham and Schroeder [12]), all messages may be received by the adversary, so that confidentiality needs to be achieved by encryption. They may be delivered zero times, once, or repeatedly, and they may be misdelivered to the wrong participant. When delivered, a message may appear to come from a participant that did not send it. The adversary may alter messages in transit, including applying cryptographic operations using keys that he knows or may obtain by manipulating the protocol.

Digital signatures may be used to notify a recipient reliably of the source of a message (and of the integrity of its contents). Symmetric encryption may also be used to ensure authenticity: a recipient knows that the encrypted message was prepared by a party that knew the secret key, and intended it for a peer that also knew the secret key. Nonces, which are simply randomly chosen bitstrings, may be used to ensure freshness. The principal P that chose a nonce knows, when receiving a message containing it, that the nonce was inserted after P chose it. Moreover, if P engages in many sessions and associates a different nonce with each, P can ensure that messages containing one nonce cannot be misdirected to a session using a different nonce.
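The following sketch is an added example, not code from the paper: it shows a receiver that combines the session nonce described above with a "nonce cache" so that a message duplicated, misdirected or altered by a Dolev-Yao network is delivered at most once. HMAC-SHA256 stands in for the signature or symmetric-encryption authenticity check, and the names `Receiver`, `seal` and `run_demo`, the wire layout and the sample payload are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class Receiver:
    """Delivers each authentic message for its own session at most once."""

    def __init__(self, key: bytes, session_nonce: bytes):
        self.key = key
        self.session_nonce = session_nonce  # nonce this principal chose for the session
        self.nonce_cache = set()            # per-message nonces already delivered
        self.delivered = []

    def receive(self, wire: bytes) -> str:
        # Assumed layout: session nonce (16) | message nonce (16) | payload | tag (32)
        if len(wire) < 16 + 16 + 32:
            return "rejected: malformed"
        body, tag = wire[:-32], wire[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"        # altered in transit or wrong key
        sess, msg_nonce, payload = body[:16], body[16:32], body[32:]
        if sess != self.session_nonce:
            return "rejected: wrong session"  # misdirected to another session
        if msg_nonce in self.nonce_cache:
            return "rejected: replay"         # multiply delivered
        self.nonce_cache.add(msg_nonce)
        self.delivered.append(payload)
        return "delivered"

def seal(key: bytes, session_nonce: bytes, payload: bytes) -> bytes:
    """Sender side: bind the payload to the session and a fresh message nonce."""
    body = session_nonce + secrets.token_bytes(16) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def run_demo():
    key = secrets.token_bytes(32)
    s1, s2 = secrets.token_bytes(16), secrets.token_bytes(16)
    r1, r2 = Receiver(key, s1), Receiver(key, s2)
    m = seal(key, s1, b"transfer 100")                 # constructed sample message
    tampered = m[:32] + b"transfer 900" + m[-32:]      # payload changed, old tag kept
    results = [
        r1.receive(m),         # network delivers once
        r1.receive(m),         # network delivers the same message again
        r2.receive(m),         # network misdelivers to a different session
        r1.receive(tampered),  # network alters the message in transit
    ]
    return results, r1.delivered, r2.delivered
```

The network can still drop the message entirely, which is why the guarantee at this level is at-most-once rather than exactly-once delivery.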

In this paper, we begin the process of relating the Dolev-Yao model of execution to the choreography execution model. This is a key step in generating cryptographic protocols and proving them faithful to the intent of the choreography. In particular, we represent the two execution models using the strand space model [13,10].

We provide a few definitions and an example to indicate how the strand space framework can relate choreographies to the cryptographic protocols that implement them.

In particular, we consider a very simple choreography language, and provide a semantics for it as a set of “abstract bundles.” That is, each session of the protocol executes according to one of the bundles predicted by the semantics. Moreover, any collection of sessions that may have occurred takes the following form: its events partition into bundles that are obtained by instantiating the parameters in bundles given in the semantics. Also, if two nodes belong to different partition elements, there is no ordering between them, unless the executions are generated as parts of some higher-level choreography that might determine a causal ordering.

We call this an abst

…(Full text truncated)…


Reference

This content is AI-processed based on ArXiv data.
