Formal Support for Standardizing Protocols with State

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv source.

Many cryptographic protocols are designed to achieve their goals using only messages passed over an open network. Numerous tools, based on well-understood foundations, exist for the design and analysis of protocols that rely purely on message passing. However, these tools encounter difficulties when faced with protocols that rely on non-local, mutable state to coordinate several local sessions. We adapt one of these tools, CPSA, to provide automated support for reasoning about state. We use Ryan's Envelope Protocol as an example to demonstrate how the message-passing reasoning can be integrated with state reasoning to yield interesting and powerful results.

Keywords: protocol analysis tools, stateful protocols, TPM, PKCS#11.


💡 Research Summary

The paper addresses a significant gap in automated cryptographic protocol analysis: existing tools such as CPSA are designed for protocols that rely solely on message passing, and they struggle with protocols whose sessions coordinate through mutable, non-local state (e.g., TPM platform configuration registers, PKCS#11 key stores). The authors propose a formal framework that extends the strand-space model with explicit state-synchronization nodes and introduces two fundamental axioms governing how state behaves.

Axiom 1 states that a produced state can be consumed by at most one subsequent transition, capturing the "single-use" nature of mutable state. Axiom 2 asserts that once a state has been consumed, it cannot be observed thereafter, so no later operation can rely on a state that is no longer current. These axioms are what differentiate state from ordinary messages: a message, once sent, may be replayed and delivered any number of times, whereas a state value is superseded as soon as the next transition consumes it.

The authors embed these axioms into the strand-space semantics, defining bundles that now contain both message events (send/receive) and state events (state-synchronization nodes that consume, produce, or observe state). They prove in Lemmas 1 and 2 that the axioms are equivalent to an explicit family of traditional state machines whose transitions are triggered by the synchronized events. This establishes a solid theoretical foundation for reasoning about stateful protocols within the same partial-order framework used for message-only protocols.

To make the theory practical, the authors modify the CPSA tool, which implements an "enrich-by-need" analysis: given a fragment of a protocol execution, CPSA incrementally adds the events that must be present to explain it until a set of representative executions (shapes) is obtained. The modification adds checks for the two state axioms during the search, pruning any candidate execution that would violate them. Consequently, CPSA can automatically generate state-respecting shapes without exhaustively enumerating all possible state histories.

The framework is demonstrated on Ryan's Envelope Protocol, a TPM-based construction that forces a party to either reveal a secret or produce a signed statement that the secret was never revealed, but not both. The protocol's security hinges on the one-way, history-capturing nature of PCR extension: extending a PCR with a hash of a nonce and the prior value yields a state from which the alternative "refuse" value can never be reached by further extensions, because doing so would require a collision in the hash function. The authors model the TPM's boot, extend, create-key, decrypt, and quote commands as separate roles with explicit state-sync nodes, and they model Alice's actions as a pure message-only strand.

Running the enhanced CPSA on the formal model yields the following results: (1) the intended execution, in which Alice creates a key bound to the "obtain" PCR value and then either decrypts the secret or produces a refusal quote, is found, confirming the protocol's intended security property; (2) variants that attempt to reuse the same PCR state for both the decryption and the refusal branch are rejected because they violate Axiom 1 (the same state would be consumed by two extend transitions); (3) malformed extensions that try to set the PCR to an illegal value lead to attacks that CPSA discovers, illustrating how the tool can pinpoint subtle state-related flaws.
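The two state axioms, the axiom checks that prune the enrich-by-need search, and the Envelope Protocol's PCR argument can be made concrete in a single worked example. The Python below is an added illustration, not code from the paper or from CPSA: it models PCR extension as SHA-256 over the old value concatenated with the extended value, records an execution as a causally ordered list of state events (a linearisation of the bundle's partial order, which is a simplification), checks Axioms 1 and 2 on that record, and shows why Alice cannot both decrypt the secret and produce the refusal quote. The 32-byte all-zero boot value, the labels "obtain" and "refuse", the state identifiers, and the TPM command names are assumptions chosen for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption (illustrative): a single 32-byte PCR, reset to all zeros at boot,
# extended as H(old || value) with SHA-256 standing in for the TPM's hash.
BOOT_PCR = bytes(32)


def extend(pcr: bytes, value: bytes) -> bytes:
    """PCR extend is one-way: the new value commits to the whole history."""
    return hashlib.sha256(pcr + value).digest()


@dataclass(frozen=True)
class Event:
    """A state event on the TPM.  A transition consumes one state and produces
    a fresh one (boot consumes nothing); an observation reads a state without
    changing it (decrypt, quote).  State ids are labels for produced states."""
    kind: str                       # "transition" or "observe"
    cmd: str                        # TPM command the event models (assumed names)
    consumes: Optional[str] = None
    produces: Optional[str] = None
    observes: Optional[str] = None


def transition(cmd: str, consumes: Optional[str], produces: str) -> Event:
    return Event("transition", cmd, consumes=consumes, produces=produces)


def observe(cmd: str, state: str) -> Event:
    return Event("observe", cmd, observes=state)


def check_state_axioms(trace: List[Event]) -> Tuple[bool, str]:
    """Reject an execution the way the state-aware search prunes candidates."""
    consumed_at = {}
    for i, ev in enumerate(trace):
        if ev.kind == "transition" and ev.consumes is not None:
            if ev.consumes in consumed_at:          # Axiom 1: at most one consumer
                return False, (f"Axiom 1: state {ev.consumes} consumed twice "
                               f"(events {consumed_at[ev.consumes]} and {i})")
            consumed_at[ev.consumes] = i
    for i, ev in enumerate(trace):
        if ev.kind == "observe" and consumed_at.get(ev.observes, i + 1) < i:
            return False, (f"Axiom 2: state {ev.observes} observed at event {i} "
                           f"after being consumed at event {consumed_at[ev.observes]}")
    return True, "ok"


def envelope_pcr_values(nonce: bytes) -> Tuple[bytes, bytes, bytes]:
    """Alice's PCR history: boot, extend with the nonce, then one of two branches."""
    s_nonce = extend(BOOT_PCR, nonce)
    return s_nonce, extend(s_nonce, b"obtain"), extend(s_nonce, b"refuse")


def key_policy_allows_decrypt(current_pcr: bytes, bound_pcr: bytes) -> bool:
    """The key the secret is encrypted to is bound to the 'obtain' PCR value."""
    return current_pcr == bound_pcr


def refuse_value_reachable(start: bytes, target: bytes, candidates: List[bytes],
                           depth: int = 3) -> bool:
    """Can any chain of up to `depth` further extends from `start` reach `target`?
    With a collision-free hash this is never true once the histories diverge;
    the bounded search just makes that claim concrete on real values."""
    frontier = [start]
    for _ in range(depth):
        nxt = []
        for pcr in frontier:
            for v in candidates:
                new = extend(pcr, v)
                if new == target:
                    return True
                nxt.append(new)
        frontier = nxt
    return False


# Constructed traces.  Honest "obtain" run: s1 is consumed once, by the obtain extend.
OBTAIN_RUN = [transition("boot", None, "s0"), transition("extend nonce", "s0", "s1"),
              transition("extend obtain", "s1", "s2"), observe("decrypt", "s2")]
# Honest "refuse" run: s1 is consumed once, by the refuse extend, then quoted.
REFUSE_RUN = [transition("boot", None, "s0"), transition("extend nonce", "s0", "s1"),
              transition("extend refuse", "s1", "s3"), observe("quote", "s3")]
# Cheating attempt: reuse the pre-branch state s1 for both branches (Axiom 1).
CHEAT_RUN = OBTAIN_RUN + [transition("extend refuse", "s1", "s3"), observe("quote", "s3")]
# Stale observation: quote the pre-branch state after it was consumed (Axiom 2).
STALE_RUN = OBTAIN_RUN + [observe("quote", "s1")]

if __name__ == "__main__":
    for name, run in [("obtain", OBTAIN_RUN), ("refuse", REFUSE_RUN),
                      ("cheat", CHEAT_RUN), ("stale", STALE_RUN)]:
        print(f"{name:7s}", check_state_axioms(run))
    s1, s_obtain, s_refuse = envelope_pcr_values(b"bob-nonce")   # constructed nonce
    print("decrypt on obtain branch:", key_policy_allows_decrypt(s_obtain, s_obtain))
    print("refuse value reachable from obtain branch:",
          refuse_value_reachable(s_obtain, s_refuse, [b"obtain", b"refuse", b"x"]))
```

The honest runs pass both checks; the cheating run is rejected under Axiom 1 because two extend transitions consume the same state s1, and the stale run is rejected under Axiom 2 because the quote observes s1 after the obtain extend consumed it. The bounded search from the obtain branch never reaches the refuse value, which is the hash-collision argument the paper relies on, while from the pre-branch state a single refuse extend reaches it, as it should.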

Overall, the paper makes four major contributions: (i) identification of two central state axioms that capture the essential semantics of mutable state; (ii) a proof‑theoretic link between these axioms and an explicit state‑machine model; (iii) integration of the axioms into CPSA, enabling automated, need‑driven state‑respecting analysis; and (iv) a concrete case study on a TPM‑based protocol that validates the approach and uncovers attacks on incorrect variants.

The authors argue that this methodology applies directly to any protocol that relies on standardized hardware security modules such as TPMs or PKCS#11 devices. By providing a formal, tool-supported means to reason about state, protocol designers can standardize protocols that depend on hardware-maintained state with more confidence, checking that security claims hold not only at the message level but also across the mutable state space. Suggested future work includes extending the approach to richer state models, handling concurrent sessions that share state, and integrating with other formal verification frameworks.

