1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.

1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute

2 Protocols

3 &d p(d) $p(d) d A B wants = 0 has = d + $(a-p(d)) has = $p(d) has = d wants = d has = $a

4 &d p(d) $p(d) d A B abstraction Problem

5 Solution &d p(d) $p(d) d A B

6 refinement Solution &d p(d) $p(d) d A B

7 “Security Science”: logic (belief, knowledge); process (CSP, CCS, spi); crypto (next 700 models); security

8 “Security Science”: logic (belief, knowledge); process (CSP, CCS, spi); crypto (next 700 models); security; security protocols; “idealizations”

9 “Security Science”: logic (belief, knowledge); process (CSP, CCS, spi); crypto (next 700 models); security; propositions-as-types; proofs-as-processes; security protocols; Dolev-Yao

10 Derivational approach. Protocol derivation: components, refinements, transformations. Proof derivation: axioms, proof rules, proof transformations. Truth is just another security property. Derivation patterns.

11 Outline
- Protocol logic
- Derivation patterns
  1. Authenticated DH: CR  STS
  2. Identity and DoS protection: STS  JFK
  3. DH refinements: KA  MQV
  4. Combine 2. and 3.: MQV  MQV +
- Tool demo

12 Papers
- Deriving, attacking and defending GDOI, with C. Meadows; submitted
- Abstraction and refinement in protocol derivation, with A. Datta and A. Derek and J. Mitchell; to appear in Proceedings of CSFW 2004
- Secure protocol composition, with A. Datta and A. Derek and J. Mitchell; Proceedings of MFPS 2003 (ext. abstract in FMCS 2003)
- Derivation system for security protocols and its logical formalization, with A. Datta and A. Derek and J. Mitchell; Proceedings of CSFW 2003
- Compositional logic for protocol correctness, with N. Durgin and J. Mitchell; JCS 2003 (earlier version in CSFW 2001)
- Composition and refinement of behavioral specifications, with D. Smith; ASE 2002
- Guarded transitions in evolving specifications, with D. Smith; AMAST

13 Protocol logic term calculus names, variables operations equality action calculus send a  t:A  B  C receive b(x: X  Y) Z new ( x) C match ( t/p(x) ) C  t  R  (x)S  R  S(t/x) ( p(t)/p(x) ) R  R(t/x)

14 Protocol logic atomic predicates a = b-- actions a and b are equal a-- action a has occurred a < b-- action a has occurred before b e.g.,  t  A < (x) Y -- some  t  A precedes some (x) Y a =  t  A -- a is in the form  t  A  s  A =  t  B -- s = t and A = B

15 Protocol logic statements A : (  ) »  e.g., A : ( x) »  c AB x  A <((r AB x)) A   c AB x  A < ((c AB x)) B <  r AB x  B <((r AB x)) A

16 Protocol logic abbreviations (t)  (x) ( x/t )  t    U(t/x)  ((t))  (U(t/x))  t  A<   a =  t  A   b =  t  B. a ≤ b  t  A<   a =  t  A   b =  t  B. a ≤ b t  U(t/x)  H(t,x)    UHV(t,x) | X,Y  Z

17 Protocol logic general axioms (t)   a =  t   a < (t)(rcv) ( x) M   a A. x  FV(a)  ( x) < a A (new)  A ≠ M  ( x) M <  x  M < ((x)) A ≤ a A

18 Protocol logic challenge-response axiom A : ( x) » (cr)  c AB x  A < ((r AB x)) A   c AB x  A < ((c AB x)) B <  r AB x  B <((r AB x)) A ( x) A  c AB x  A ((r AB x)) A ((c AB x)) B  r AB x  B

19 Challenge-response CR K CRKICRKO CR P CRE CRS

20 CR Challenge-response CR K CRKICRKO CR P CRE CRS AB m r AB m c AB m

21 CR Challenge-response CR K CRKICRKO CR P CRE CRS A: ( m) A <  c AB m  A <(r AB m) A »  c AB m  A < ((r AB m)) A   c AB m  A <((c AB m)) B <  r AB m  B <((r AB m)) A A: ( m) A <  c AB m  A <((c AB m)) B <  r AB m  B < (r AB m) A

22 CR Challenge-response CR K CRKICRKO CR P CRE CRS AB m S B (A,m) m S B t = S B u  t = u (sig1)  S B t  X<  X=B (sig2) V B (y,t)  y = S B t (sig3)

23 CR Challenge-response CR K CRKICRKO CR P CRE CRS S B t = S B u  t = u (sig1)  S B t  X<  X=B (sig2) V B (y,t)  y = S B t (sig3) (sig1)  (sig2)  (sig3)  (cr)

24 CR Challenge-response CR K CRKICRKO CR P CRE CRS AB m m E B (A,m) ( m) A <  E B m  A <  m  X< (enc)  X=A  X=B

25 CR Challenge-response CR K CRKICRKO CR P CRE CRS AB m K AB (A,m) m K AB t = K AB u  t = u (hk1)  K AB t  X<  X=A  X=B (hk2)

26 CR Challenge-response CR K CRKICRKO CR P CRE CRS AB m m K AB (A,m) K AB t = K AB u  t = u (hk1)  K AB t  X<  X=A  X=B (hk2)

27 Composing authentication SBmSBm m m SAnSAn n n CRS[A,B]CRS[B,A] Nest Seq 2CRS Seq SAnSAn n, SBmn, SBm n m m SBmSBm 2CRS Nest SAnSAn n n m m

28 Composing authentication SBmSBm m m SAnSAn n n CRS[A,B]CRS[B,A] SB(m,n)SB(m,n) PoPSTS 0 Nest Seq S A (n,m) n, S B (m,n) n m m SA(m,n)SA(m,n) n n m m

29 Reasoning in PoP ((m)) B  S B (m,y)  B ( m) A mAmA (n) A  S A (m,n)  A (S B (m,n)) A  n  Y< (rcv) n = y (sig1)  n = y yByB (S A (m,y)) B ( y) B

30 Reasoning in PoP ((m)) B  S B (m,y)  B ( m) A mAmA (n) A  S A (m,n)  A (S B (m,n)) A  n  Y< (rcv) n = y (sig1)  n = y yByB (S A (m,y)) B ( y) B

31 Composing authentication SBmSBm m m SAnSAn n n CRS[A,B]CRS[B,A] S B (m,n) PoPSTS 0 Nest Seq S A (n,m) n, S B (m,n) n m m S A (m,n) n n m m

32 STS family (taxonomy diagram). $m = g^x$, $n = g^y$, $k = g^{xy}$. Nodes: STS 0, STS 0H, STS a, STS aH, STS H, STS P, STS PH, STS, JFK 0, JFK 1, JFK, RFK. Refinement steps: distribute certificates, cookie, open responder, symmetric hash, protect identities.

33 STS family. Messages: $m$; $S_B(m,n), n$; $S_A(n,m)$.

34 STS family. Messages: $m$; $n, H_{mn}$; $m, n, H_{mn}, S_A(m,n)$; $S_B(n,m)$.

35 STS family. Messages: $m$; $C_B, S_B(m,n), n$; $C_A, S_A(n,m)$.

36 STS family. Messages: $m$; $n, H_{mn}$; $m, n, H_{mn}, C_A, S_A(m,n)$; $C_B, S_B(n,m)$.

37 STS family. Messages: $m$; $n, C_B, H_{mn}$; $m, n, H_{mn}, C_A, S_A(m,n)$; $S_B(n,m)$.

38 STS family. Messages: $m$; $n, C_B, E_k(S_B(n,m))$; $C_A, E_k(S_A(m,n))$.

39 STS family. Messages: $m$; $n, H_{mn}$; $m, n, H_{mn}, C_A, E_k(S_A(m,n))$; $C_B, E_k(S_B(n,m))$.

40 STS family. Messages: $m$; $n, C_B, H_{mn}$; $m, n, H_{mn}, C_A, E_k(S_A(m,n,C_B))$; $E_k(S_B(n,m))$.

41 STS family. Messages: $m$; $n, E_k(C_B, S_B(n,m))$; $E_k(C_A, S_A(m,n))$.

42 STS family. Messages: $m$; $n, H_{mn}$; $m, n, H_{mn}, E_k(C_A, S_A(m,n))$; $E_k(C_B, S_B(n,m))$.

43 STS family. Messages: $m$; $n, C_B, H_{mn}$; $m, n, H_{mn}, E_k(C_A, S_A(m,n,C_B))$; $E_k(S_B(n,m))$.

44 STS family. Messages: $m$; $n, H_{mn}$; $m, n, H_{mn}, E_k(C_A, S_A(m,n)), \#(I)$; $E_k(C_B, S_B(n,m)), \#(R)$.

45 MQV family (taxonomy diagram). Nodes: KA, DH, MTI/A, MTI/B, MTI/C, UM, MQV.

46 MQV family. Messages: $m_A$; $m_B$.

47 MQV family. Messages: $g^x$; $g^y$. $k = g^{xy}$.

48 MQV family. Messages: $(g^b)^x$; $(g^a)^y$. k = (g^{ay})^{1/a}  g^x = (g^{bx})^{1/b}  g^y

49 MQV family. Messages: $(g^b)^x$; $(g^a)^y$. $k = (g^{ay})^{x/a} = (g^{bx})^{y/b}$.

50 MQV family. Messages: $g^x, G_A$; $g^y, G_B$, where $G_A = \{A, g^a\}_{TA}$ and $G_B = \{B, g^b\}_{TA}$. k = {(g^y)^a  (g^b)^x} = {(g^x)^b  (g^a)^y}

51 MQV family. Messages: $g^x, G_A$; $g^y, G_B$, where $G_A = \{A, g^a\}_{TA}$ and $G_B = \{B, g^b\}_{TA}$. $k = \{(g^y)^a \,\|\, (g^b)^x\} = \{(g^x)^b \,\|\, (g^a)^y\}$ or $k = \{(g^y)^x \,\|\, (g^b)^a\} = \{(g^x)^y \,\|\, (g^a)^b\}$.

52 MQV family. Messages: $g^x, G_A$; $g^y, G_B$, where $G_A = \{A, g^a\}_{TA}$ and $G_B = \{B, g^b\}_{TA}$. $k = g^{f(a,x) f(b,y)}$, where $f(a,x) = a g^x + x$.

53 MQV family. Messages: $g^x, G_A$; $g^y, G_B$, where $G_A = \{A, g^a\}_{TA}$ and $G_B = \{B, g^b\}_{TA}$. $k = g^{f(a,x) f(b,y)}$, where $f(a,x) = a g^x + x$. $g^{f(a,x)} = F(g^a, g^x)$ is 1-way in $g^x$. E.g., given a one-way function $H(n)$ such that $H(g^x) = g^{h(x)}$, take $F(m,n) = m \cdot H(n)$ and $f(a,x) = a + h(x)$.
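
The step from DH (k = g^xy) to MQV (k = g^(f(a,x) f(b,y)) with f(a,x) = a g^x + x) on the slides above, worked through as an added example that is not part of the original presentation: each side computes the key from its own secrets and the peer's public values, and only the MQV key depends on the static secrets a and b. The toy group, the function names and the reduction of exponents modulo the subgroup order are assumptions made here; the slides' simplified f is used as written, not the standardized MQV variant.

```python
# Toy prime-order subgroup, constructed for illustration only (far too small
# for real use): p = 2q + 1 with p and q prime, g = 4 has order q.
P, Q, G = 2039, 1019, 4


def pub(secret):
    """Public value g^secret mod p for a static (a, b) or ephemeral (x, y) secret."""
    return pow(G, secret, P)


def dh_key(own_eph, peer_eph_pub):
    """Plain DH: k = g^(xy). No static key enters the computation."""
    return pow(peer_eph_pub, own_eph, P)


def f(static, eph):
    """f(a, x) = a * g^x + x from the slides, reduced mod the group order q."""
    return (static * pub(eph) + eph) % Q


def mqv_key(own_static, own_eph, peer_static_pub, peer_eph_pub):
    """k = g^(f(a,x) * f(b,y)), from own secrets and the peer's public values."""
    # g^f(b,y) = (g^b)^(g^y) * g^y needs only what the peer sent or certified.
    peer_f_pub = (pow(peer_static_pub, peer_eph_pub, P) * peer_eph_pub) % P
    return pow(peer_f_pub, f(own_static, own_eph), P)


def exchange(a, x, b, y):
    """Return (A's key, B's key) for both protocols, as each side computes them."""
    ga, gx, gb, gy = pub(a), pub(x), pub(b), pub(y)
    return {
        "dh": (dh_key(x, gy), dh_key(y, gx)),
        "mqv": (mqv_key(a, x, gb, gy), mqv_key(b, y, ga, gx)),
    }


if __name__ == "__main__":
    # Constructed sample secrets: a, b static; x, y ephemeral.
    keys = exchange(a=7, x=3, b=5, y=2)
    print("DH  keys agree:", keys["dh"][0] == keys["dh"][1])
    print("MQV keys agree:", keys["mqv"][0] == keys["mqv"][1])
    # B expects the certified static value g^7. A party that holds x but uses
    # a different static secret (8) still completes DH with the same key,
    # yet derives an MQV key that does not match B's.
    print("DH unaffected by static secret:",
          exchange(a=8, x=3, b=5, y=2)["dh"] == keys["dh"])
    print("MQV key with wrong static secret matches B:",
          mqv_key(8, 3, pub(5), pub(2)) == keys["mqv"][1])
```
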

54 MQV refinements (taxonomy diagram). Nodes: KA, DH, STS a, STS P, STS PH, JFK, RFK, MQV C, MQV CP, MQV CPH, MQV JFK, MQV RFK. Refinement steps: add certificates; $k = g^{f(a,x) f(b,y)}$; $m = g^x$, $n = g^y$, $k = g^{xy}$; cookie; open responder; symmetric hash; key conf.; authenticate; protect identities; encryption  signature.

55 MQV refinements. Messages: $m_A$; $m_B$.

56 MQV refinements. Messages: $m_A$; $m_B, C_B, S_B(n, m_A)$; $C_A, S_A(m_A, m_B)$.

57 MQV refinements. Messages: $g^x$; $g^y$.

58 MQV refinements. Messages: $g^x$; $g^y, C_B, E_k(S_B(g^y, g^x))$; $C_A, E_k(S_A(g^x, g^y))$. $k = g^{xy}$.

59 MQV refinements. Messages: $g^x$; $g^y, E_k(C_B, S_B(g^y, g^x))$; $E_k(C_A, S_A(g^x, g^y))$. $k = g^{xy}$.

60 MQV refinements. Messages: $g^x$; $g^y, H$; $g^x, g^y, H, E_k(C_A, S_A(g^x, g^y))$; $E_k(C_B, S_B(g^y, g^x))$. $k = g^{xy}$.

61 MQV refinements. Messages: $g^x$; $g^y, C_B, H$; $g^x, g^y, H, E_k(C_A, S_A(g^x, g^y, C_B))$; $E_k(S_B(g^y, g^x))$. $k = g^{xy}$.

62 MQV refinements. Messages: $g^x$; $g^y, H$; $g^x, g^y, H, E_k(C_A, S_A(g^x, g^y)), \#(I)$; $E_k(C_B, S_B(g^y, g^x)), \#(R)$. $k = g^{xy}$.

63 MQV refinements. Messages: $g^x, G_A$; $g^y, G_B$, where $G_A = \{A, g^a\}_{TA}$ and $G_B = \{B, g^b\}_{TA}$. $k = g^{f(a,x) f(b,y)}$.

64 MQV refinements. Messages: $g^x, g^a$; $g^y, G_B, E_k(g^y, g^x)$; $G_A, E_k(g^x, g^y)$, where $G_A = \{A, g^a\}_{TA}$ and $G_B = \{B, g^b\}_{TA}$. $k = g^{f(a,x) f(b,y)}$.

65 MQV refinements. Messages: $g^x, g^a$; $g^y, g^b, E_k(G_B, g^y, g^x)$; $E_k(G_A, g^x, g^y)$, where $G_A = \{A, g^a\}_{TA}$ and $G_B = \{B, g^b\}_{TA}$. $k = g^{f(a,x) f(b,y)}$.

66 MQV refinements. Messages: $g^x, g^a$; $g^y, g^b, H$; $g^x, g^a, g^y, g^b, H, E_k(G_A, g^x, g^y)$; $E_k(G_B, g^y, g^x)$, where $G_A = \{A, g^a\}_{TA}$ and $G_B = \{B, g^b\}_{TA}$. $k = g^{f(a,x) f(b,y)}$.

67 MQV refinements. Messages: $g^x$; $g^y, g^b, H$; $g^x, g^a, g^y, H, E_k(G_A, g^x, g^b, g^y)$; $E_k(G_B, g^y, g^x)$, where $G_A = \{A, g^a\}_{TA}$ and $G_B = \{B, g^b\}_{TA}$. $k = g^{f(a,x) f(b,y)}$.

68 MQV refinements. Messages: $g^x, g^a$; $g^y, g^b, H$; $g^x, g^a, g^y, g^b, H, E_k(G_A, g^x, g^y), \#(I)$; $E_k(G_B, g^y, g^x), \#(R)$, where $G_A = \{A, g^a\}_{TA}$ and $G_B = \{B, g^b\}_{TA}$. $k = g^{f(a,x) f(b,y)}$.

69 Summary STS CR 1 JFK 2 DH MQV KA 3 MQV + 4

70 Summary mAmA mBmB gxgx g y, C B, H mn g x, g y, H mn,E k EkEk c r gxgx gygy g x, G A g y, G B gxgx g y, C B, E K C A, E K gxgx g y, g b, H n g x, g a,… H, E k EkEk

71 Future work Populate taxonomy Interface crypto complexity algebra Quantify utility evolutionary equilibria distributed fixpoint programming