Deducing Security Goals From Shape Analysis Sentences
Guttman presented a model-theoretic approach to establishing security goals in the context of Strand Space theory. In his approach, a run of the Cryptographic Protocol Shapes Analyzer (CPSA) produces models that determine if a goal is satisfied. This paper presents a method for extracting a sentence that completely characterizes a run of CPSA. Logical deduction can then be used to determine if a goal is satisfied. This method has been implemented and is available to all.
💡 Research Summary
The paper introduces a novel methodology that bridges the gap between the output of the Cryptographic Protocol Shapes Analyzer (CPSA) and formal, model‑theoretic verification of security goals. In the traditional Strand Space framework, a security goal is expressed as a property that must hold across all possible executions (strands) of a protocol. CPSA assists analysts by enumerating the minimal, essentially different executions—called “shapes”—that are compatible with a given set of initial assumptions. However, prior practice required manual inspection of these shapes or ad‑hoc scripts to compare them against the desired goals, a process that is error‑prone and does not scale well for complex protocols.
The authors propose to translate the entire CPSA run into a single first‑order logical sentence, termed a “shape analysis sentence” (SAS). The translation proceeds in three steps. First, each shape produced by CPSA is mapped to a set of atomic facts in first‑order logic. These facts capture events such as message transmission and reception, key ownership, secrecy of a term, and authentication relationships. Second, inclusion and refinement relationships among shapes are expressed as logical implications, thereby encoding the hierarchy of possible executions. Third, the initial protocol assumptions and the security goal (e.g., secrecy of a nonce, authentication of a session key) are also written in the same logical language.
The resulting SAS has the form: “If the initial assumptions hold, then for every shape that satisfies the atomic facts of the CPSA run, the security goal follows.” This sentence is emitted in the TPTP (Thousands of Problems for Theorem Provers) format, making it directly consumable by a wide range of automated theorem provers such as Prover9, Vampire, or Z3. The verification task is reduced to a single logical entailment query: does the SAS logically entail the goal? A successful proof yields a strong guarantee that all possible executions of the protocol satisfy the goal. Conversely, a failed proof provides a counter‑model that pinpoints a specific shape violating the goal, effectively delivering an automatic counterexample.
On the implementation side, the authors added a post‑processing module to the existing CPSA pipeline. This module parses CPSA’s JSON output, applies a predefined mapping template to generate atomic predicates, and assembles the SAS. The tool is open‑source and can be invoked with a single command line, after which the user selects their preferred prover.
The methodology was evaluated on three representative protocols: an RSA‑based authentication protocol, the classic Needham‑Schroeder public‑key protocol, and a lightweight IoT protocol designed for constrained devices. For each protocol the authors specified secrecy and authentication goals and compared the SAS‑based automated verification against traditional manual analysis. The automated approach consistently produced results within a few seconds. Notably, the well‑known man‑in‑the‑middle attack on Needham‑Schroeder was automatically identified as a counter‑example, whereas manual analysis would have required explicit reasoning about the attack trace.
A key contribution of the work is the demonstration that SASs are complete representations of CPSA runs: if the SAS is true, the goal holds in every possible execution; if the SAS is false, at least one shape violates the goal. This binary outcome eliminates the ambiguity inherent in manual inspection and provides immediate feedback to protocol designers. The authors argue that this property enables a rapid design‑verify loop: when a goal is shown to be unattainable, the offending shape can be examined, the protocol can be modified, and the analysis rerun, all within an automated workflow.
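As an added illustration of the point made above and in the description of the SAS, and not code from the paper or from CPSA: the sentence characterizing a run says that every execution containing the point‑of‑view facts is one of the enumerated shapes, so a goal with that antecedent follows from the sentence exactly when every shape satisfies the goal's conclusion, and any shape that does not is the counterexample. The fact vocabulary (`resp`, `init`, `non`) and the two shapes are constructed simplifications, not CPSA's own predicates or output format.

```python
"""Toy shape-analysis-sentence goal checker (added example, simplified)."""

# Facts are tuples (predicate, args...); terms starting with '?' are variables.
# Constructed point-of-view skeleton: a responder run of a Needham-Schroeder
# style protocol that believes its peer is A, with nonces na and nb.
POV = {("resp", "s_b", "A", "B", "na", "nb"), ("non", "sk_A"), ("non", "sk_B")}

# Constructed shapes for this point of view: an honest run, and one where
# A's initiator strand actually addressed a third party C (the classic MITM).
SHAPE_OK = POV | {("init", "s_a", "A", "B", "na", "nb")}
SHAPE_MITM = POV | {("init", "s_a", "A", "C", "na", "nb")}

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def unify(pattern, fact, subst):
    """Extend subst so that pattern matches the ground fact, or return None."""
    if len(pattern) != len(fact):
        return None
    s = dict(subst)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if s.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return s

def holds(conjunction, shape, subst=None):
    """Is there a substitution making every pattern a fact of the shape?"""
    subst = subst or {}
    if not conjunction:
        return True
    first, rest = conjunction[0], conjunction[1:]
    return any(s is not None and holds(rest, shape, s)
               for s in (unify(first, fact, subst) for fact in shape))

def check_goal(shapes, conclusion):
    """Goal: POV facts imply (exists vars) conclusion.  Since the SAS says
    every execution matching POV is one of `shapes`, the goal is deducible
    iff each shape satisfies the conclusion.  Returns (ok, offending)."""
    bad = [s for s in shapes if not holds(conclusion, s)]
    return (not bad, bad)

# Authentication goal: some initiator strand agrees with B on A, B, na, nb.
AUTH = [("init", "?z", "A", "B", "na", "nb")]
# Weaker goal: A ran some initiator strand using nonce na, with anyone.
WEAK = [("init", "?z", "A", "?peer", "na", "?x")]
```

With only `SHAPE_OK` the authentication goal is deducible; adding `SHAPE_MITM` makes it fail and returns that shape as the offending one, while the weaker goal still holds in both shapes.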
The paper concludes with a discussion of future research directions. These include extending the translation to handle multi‑protocol interactions, automating the extraction of security goals from natural‑language specifications, and adapting the approach to post‑quantum cryptographic protocols whose algebraic properties differ from classical ones. By integrating CPSA’s exhaustive shape enumeration with first‑order logical deduction, the authors provide a practical, scalable path toward fully automated security‑goal verification for modern cryptographic protocols.