An Analysis of the CAVES Attestation Protocol using CPSA

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

This paper describes the CAVES attestation protocol and presents a tool-supported analysis showing that the runs of the protocol achieve stated goals. The goals are stated formally by annotating the protocol with logical formulas using the rely-guarantee method. The protocol analysis tool used is the Cryptographic Protocol Shape Analyzer.


💡 Research Summary

The paper presents a formal, tool-supported analysis of the CAVES attestation protocol, a TPM-based remote-measurement scheme that extends the classic two-party attestation model with additional roles: a Server, a Verifier, and an Enterprise Privacy Certificate Authority (EPCA). The authors first describe the protocol's purpose and its design goals—freshness, comprehensiveness, constrained disclosure, semantic explicitness, and trustworthiness—derived from the foundational principles of attestation. They then detail the message flow: a client initiates a request to the server, providing a session key K and a distinguished name A that identifies the TPM identity key to be used. The server forwards a challenge (nonce N_V), a measurement query J, a PCR mask M, and its own nonce N_S to the verifier. The verifier obtains A's certificate from the EPCA and forwards the challenge and query to the client, which passes them to its local Attester. The Attester generates a TPM quote that binds the measurement output J_O and the selected PCR values P to a hash of the protocol parameters, signs it with the TPM identity private key I⁻¹, and packages everything into a “blob” B encrypted under a fresh Attester-Server session key K′. The blob traverses the client and server to reach the verifier, which validates the signature and, if successful, returns a “valid” acknowledgment encrypted under the server-client key K_S. Finally, the server releases the protected data D to the client using K′.
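The following is an added example, not code from the paper or the CAVES project, that models the quote-and-verify step just described as a defender would implement its checks. It assumes a constructed EPCA directory (name A mapped to identity key I), sample PCR values and a stand-in measurement agent; HMAC under the identity key stands in for the TPM's asymmetric signature and a SHA-256 keystream stands in for the session-key encryption, so the cryptography is illustrative only. The verifier rejects a blob it cannot open with K′, a quote not signed under A's certified key, a quote whose parameter hash does not match this session's nonces, query and mask (the replay case), and a quote whose disclosed PCR set differs from the requested mask.

```python
import hashlib
import hmac
import json
import secrets

# Constructed for illustration: EPCA's certified identity key for name A,
# and the PCR bank the Attester reads from. Not real TPM material.
EPCA_CERTS = {"A": secrets.token_bytes(32)}   # distinguished name A -> identity key I
PCRS = {0: "bios-measure", 1: "loader-measure", 7: "secureboot-measure"}


def params_hash(nv, ns, j, m) -> str:
    """Hash of the protocol parameters (N_V, N_S, J, M) the quote is bound to."""
    return hashlib.sha256(json.dumps([nv, ns, j, m], sort_keys=True).encode()).hexdigest()


def _keystream(key: bytes, n: int) -> bytes:
    # Stand-in stream cipher (SHA-256 counter mode); illustrative, not production crypto.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def encrypt(key: bytes, obj) -> bytes:
    pt = json.dumps(obj, sort_keys=True).encode()
    return bytes(a ^ b for a, b in zip(pt, _keystream(key, len(pt))))


def decrypt(key: bytes, ct: bytes):
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))
    return json.loads(pt)   # garbage from a wrong key raises ValueError


def measure(j):
    """Stand-in measurement agent: returns the measurement output J_O for query J."""
    return ["ext4", "tpm_tis"]


def attester_quote(identity_priv: bytes, j, m, nv, ns) -> dict:
    """Attester: run query J, select PCRs by mask M, bind both to the session
    parameters and sign with the TPM identity key (HMAC stands in for I^-1)."""
    body = {"J_O": measure(j), "P": {str(i): PCRS[i] for i in m}, "H": params_hash(nv, ns, j, m)}
    sig = hmac.new(identity_priv, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()
    return {"body": body, "sig": sig}


def verifier_validate(blob: bytes, kprime: bytes, name_a: str, nv, ns, j, m) -> str:
    """Verifier: open the blob with K', check the signature against A's certified
    identity key, then check the quote is bound to *this* session's parameters."""
    try:
        quote = decrypt(kprime, blob)
    except ValueError:
        return "reject: blob not encrypted under K'"
    body = quote["body"]
    expected = hmac.new(EPCA_CERTS[name_a], json.dumps(body, sort_keys=True).encode(),
                        "sha256").hexdigest()
    if not hmac.compare_digest(expected, quote["sig"]):
        return "reject: signature not made by A's TPM identity key"
    if body["H"] != params_hash(nv, ns, j, m):
        return "reject: quote bound to other nonces/query/mask (replay or tampering)"
    if set(body["P"]) != {str(i) for i in m}:
        return "reject: disclosed PCR set differs from requested mask M"
    return "valid"


def run_session(nv, ns, j="loaded-kernel-modules", m=(0, 7)):
    """One CAVES run from challenge to verdict. Returns (verdict, blob B, K')."""
    m = list(m)
    kprime = secrets.token_bytes(32)                 # fresh Attester-Server session key K'
    quote = attester_quote(EPCA_CERTS["A"], j, m, nv, ns)
    blob = encrypt(kprime, quote)                    # B: opaque to the relaying client and server
    return verifier_validate(blob, kprime, "A", nv, ns, j, m), blob, kprime


def replay_is_rejected():
    """An old blob re-injected into a session with fresh nonces fails the H check."""
    v1, old_blob, old_kprime = run_session("nv-1", "ns-1")
    v2 = verifier_validate(old_blob, old_kprime, "A", "nv-2", "ns-2", "loaded-kernel-modules", [0, 7])
    return v1, v2


def blob_is_opaque_to_relay(blob: bytes, relay_key: bytes) -> bool:
    """Client and server hold K_S, not K': with any other key the blob is unreadable."""
    try:
        decrypt(relay_key, blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_session("nv-1", "ns-1")[0])
    print(replay_is_rejected())
```

The replay case is the one the shape analysis is meant to rule out: the attacker relays a genuine, correctly signed quote, so the signature check alone passes, and only the binding of the quote to the current N_V and N_S exposes it.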

To verify that the protocol meets its security goals, the authors model it in the Cryptographic Protocol Shape Analyzer (CPSA) using S-expressions. Each transmission and reception event is annotated with logical formulas in the rely-guarantee style. Guarantees (φ) attached to sends express the local conditions a principal must be able to prove before emitting a message (e.g., “the measurement is fresh, the PCR mask matches the verifier's request, the nonce is fresh”). Reliance formulas (A says φ) attached to receives capture the facts a principal can add to its local theory after successfully processing an incoming message. The rely-guarantee framework allows the authors to distinguish regular (uncompromised) principals, whose long-term keys are assumed secret, from an adversary who may inject arbitrary messages but cannot satisfy the guarantees of honest participants.

CPSA explores all executions compatible with the stated assumptions: uncompromised long-term keys K_S, K_V, and I; freshly generated nonces N_S and N_V; and the proper generation of session keys K and K′. The tool computes a finite set of “shapes,” each representing a minimal, essentially different execution trace. The analysis yields roughly ten distinct shapes, all of which satisfy authentication (the verifier's acceptance of a valid signature implies the Attester indeed produced the quoted measurements), freshness (nonces match across messages, preventing replay), and minimal disclosure (the blob is encrypted such that the client and server cannot read its contents; only the verifier can verify the signature). The shapes also demonstrate that any attempt by an attacker to forge a “valid” message would require breaking the TPM signature or compromising the long-term keys, both excluded by the model's assumptions.

The paper further discusses how the protocol accommodates virtualization environments. A dedicated Measurement VM, isolated from the client VM, can perform the measurements and invoke the TPM, while the server-verifier pair remains agnostic to the internal VM layout. The EPCA's certificate chain is incorporated into the CPSA model, ensuring that the verifier's trust in the Attester's identity is grounded in a verifiable public-key infrastructure.

In the “Rely-Guarantee Method” section, the authors formalize soundness: for every execution that respects the assumptions, each rely formula must be logically entailed by earlier guarantees. They argue that regular principals, by virtue of holding uncompromised keys, can always satisfy their guarantees, whereas the adversary may only send messages that violate guarantees, which are filtered out by the shape analysis.
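As an added example (not the paper's CPSA model or its logic), the soundness condition just stated can be checked mechanically over a small annotated trace. Facts are atomic strings, guarantees and relies are sets of facts, entailment is forward chaining over a handful of constructed Horn rules (e.g. a fresh N_V plus a quote bound to N_V yields "not replayed"), and only sends from regular principals extend the local theory, so an adversary-injected message supports no rely. The trace events, rule set and fact names are all assumptions made for this illustration.

```python
from dataclasses import dataclass

# Constructed Horn rules: (premises, conclusion). These are not the paper's formulas.
RULES = [
    ({"fresh(N_V)", "bound(quote, N_V)"}, "not_replayed(quote)"),
    ({"signed(I, quote)", "certified(EPCA, A, I)"}, "quoted_by(A, quote)"),
    ({"quoted_by(A, quote)", "not_replayed(quote)"}, "attested(A, J_O)"),
]


@dataclass(frozen=True)
class Event:
    principal: str
    kind: str            # "send" carries a guarantee, "recv" carries a rely
    facts: frozenset     # the annotation, as a set of atomic facts
    regular: bool = True # False for adversary-originated sends


def closure(facts, rules=RULES) -> set:
    """Saturate the theory under the rules (tiny Horn-clause entailment)."""
    known = set(facts)
    changed = True
    while changed:
        changed = False
        for premises, conclusion in rules:
            if premises <= known and conclusion not in known:
                known.add(conclusion)
                changed = True
    return known


def check_soundness(trace, rules=RULES):
    """Return (event index, missing facts) for every rely not entailed by the
    guarantees of earlier sends by regular principals. Empty list = sound."""
    theory = set()
    violations = []
    for i, ev in enumerate(trace):
        if ev.kind == "send":
            if ev.regular:                    # adversary sends add nothing to the theory
                theory |= ev.facts
        else:
            missing = ev.facts - closure(theory, rules)
            if missing:
                violations.append((i, sorted(missing)))
    return violations


# Constructed traces. Honest run: challenge, EPCA certificate, quote, verifier accepts.
HONEST_RUN = [
    Event("Verifier", "send", frozenset({"fresh(N_V)"})),
    Event("EPCA", "send", frozenset({"certified(EPCA, A, I)"})),
    Event("Attester", "send", frozenset({"bound(quote, N_V)", "signed(I, quote)", "mask_matches(M)"})),
    Event("Verifier", "recv", frozenset({"attested(A, J_O)", "mask_matches(M)"})),
]

# Adversary injects a message claiming the quote guarantees; its send is not regular.
FORGED_RUN = HONEST_RUN[:2] + [
    Event("Adversary", "send", frozenset({"bound(quote, N_V)", "signed(I, quote)"}), regular=False),
    Event("Verifier", "recv", frozenset({"attested(A, J_O)"})),
]

# Genuine Attester, but the quote is bound to an earlier nonce: freshness cannot be derived.
REPLAY_RUN = HONEST_RUN[:2] + [
    Event("Attester", "send", frozenset({"bound(quote, N_V_old)", "signed(I, quote)"})),
    Event("Verifier", "recv", frozenset({"attested(A, J_O)"})),
]

if __name__ == "__main__":
    for name, trace in [("honest", HONEST_RUN), ("forged", FORGED_RUN), ("replay", REPLAY_RUN)]:
        print(name, check_soundness(trace))
```

The honest run reports no violations; in the forged and replayed runs the verifier's rely on `attested(A, J_O)` has no supporting guarantee, which is the symbolic counterpart of CPSA finding no shape in which the verifier accepts without a matching Attester strand.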

The paper concludes that CAVES successfully meets its design objectives, and that the combination of CPSA's shape analysis with rely-guarantee annotations provides a rigorous, machine-checked proof of security. This work illustrates a practical methodology for analyzing complex, multi-role attestation protocols and offers a template for future verification efforts in cloud-based trusted computing environments.

