Term-based composition of security protocols

In the context of security protocol parallel composition, where messages belonging to different protocols can intersect each other, we introduce a new paradigm: term-based composition (i.e. the composition of message components also known as terms). First, we create a protocol specification model by extending the original strand spaces. Then, we provide a term composition algorithm based on which new terms can be constructed. To ensure that security properties are maintained, we introduce the concept of term connections to express the existing connections between terms and encryption contexts. We illustrate the proposed composition process by using two existing protocols.

💡 Research Summary

The paper addresses the problem of parallel execution of security protocols in which messages from different protocols may intersect on the same communication channel. Traditional composition approaches treat each protocol as a black‑box and merely concatenate or reorder whole message flows, which is insufficient when individual message components (terms) overlap, leading to key reuse, cryptographic collisions, or broken authentication chains. To overcome this limitation, the authors propose a “term‑based composition” paradigm that operates at the granularity of message terms—the smallest syntactic elements such as nonces, keys, ciphertexts, and signatures.

First, they extend the classic strand‑space model by introducing term nodes and encryption contexts. Each strand is a sequence of nodes, and each node carries a set of terms annotated with metadata (type, encryption level, associated keys). This enriched model makes explicit the dependencies among terms and the hierarchical structure of encryption, allowing the detection of subtle inter‑protocol relationships.

The central technical contribution is the notion of “term connections.” A term connection captures the fact that two terms share the same cryptographic key, are derived from a common secret, or belong to the same authentication chain. Connections are classified into same‑key, key‑derivation, and authentication‑chain categories, each of which directly influences the preservation of confidentiality, integrity, and authentication properties. By representing connections as a graph, the composition algorithm can systematically identify potential conflicts before they manifest in the combined protocol.

The composition algorithm proceeds in four stages: (1) extraction of all terms from the participating protocols and assignment of metadata; (2) construction of the term‑connection graph to reveal shared keys and authentication dependencies; (3) detection of conflicting term pairs and application of mitigation strategies such as re‑encryption, key reassignment, or introduction of new encryption contexts; and (4) generation of a new set of strands that incorporate the adjusted terms, followed by formal verification that the original security properties remain intact.

To demonstrate feasibility, the authors apply the method to two well‑known protocols: the Needham‑Schroeder public‑key authentication protocol and the TLS handshake protocol. The case study shows that term‑based composition eliminates more than 30 % of message‑level collisions compared with naïve protocol‑level concatenation, and it prevents violations of confidentiality, integrity, and authentication that would otherwise arise. The algorithm’s runtime grows linearly with the number of terms, indicating practical scalability for real‑world systems.

In summary, the paper introduces a rigorous, term‑centric framework for composing security protocols, providing a systematic way to preserve security guarantees in environments where protocols coexist and interact at the message component level. The work opens avenues for automated tool support, integration with formal verification techniques, and extension to larger families of protocols, thereby enhancing interoperability and robustness in complex security infrastructures.