September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato ITT Industries, Inc.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

University of Twente The Netherlands Centre for Telematics and Information Technology Verification of Security Protocols Sandro Etalle
University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Logic Programming for Verifying Security Protocols Sandro.
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Digital Signatures and Hash Functions. Digital Signatures.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
BAN Logic A Logic of Authentication Presentation by Heather Goldsby Michelle Pirtle (Mike Burrows, Marin Abadi, Roger Needham) Published 1989, SRC Research.
ISBN Chapter 3 Describing Syntax and Semantics.
The Formal Method CAPSL Kyle Taylor Zhenxiao Yang.
Analysis of Security Protocols (I) John C. Mitchell Stanford University.
MSR 3: One Year Later Iliano Cervesato ITT Industries, NRL Washington, DC Protocol eXchange.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Analysis of Security Protocols (III) John C. Mitchell Stanford University.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
Introduction to Computer and Network Security Iliano Cervesato 14 September 2008 – Attacking Cryptographic Protocols.
December 7, 2001DIMI, Universita’ di Udine, Italy Graduate Course on Computer Security Lecture 9: Automated Verification Iliano Cervesato
Protocol Verification by the Inductive Method John Mitchell Stanford TECS Week2005.
Fine-Grained MSR Specifications for Quantitative Security Analysis Iliano Cervesato ITT Industries, NRL Washington, DC
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
1 © IBM, A Reactively Secure Dolev-Yao-style Cryptographic Library DIMACS, June 2004 Michael Backes, Birgit Pfitzmann, Michael Waidner IBM Research,
Maude Implementation of MSR Demo Mark-Oliver Stehr Stefan Reich University of Illinois, Urbana-Champaign (Iliano Cervesato) ITT NRL
CSE Michigan State University Extensions of BAN by Heather Goldsby Michelle Pirtle.
1 Ivan Lanese Computer Science Department University of Bologna Italy Concurrent and located synchronizations in π-calculus.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Fine-Grained MSR Specifications for Quantitative Security Analysis Iliano Cervesato ITT Industries, NRL Washington, DC
Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,
1 FM and Security-Overview FM Formal Security Models Based on Slides prepared by A. Jones and Y. Lin. Material based on C. Landwehr paper.
© 2005 The MITRE Corporation. All rights reserved For Internal MITRE Use Alice & Bob Specifications Jon Millen June 2005.
Progress Report on Java Based Protocol Analysis Presented by Stephen W. Mancini, 1Lt, USAF/AFIT Robert P. Graham, MAJ, USAF/AFIT Presentation date: 09.
Describing Syntax and Semantics
Information Security of Embedded Systems : BAN-Logic Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.
Inductive Verification of Protocols Anupam Datta CMU Fall A: Foundations of Security and Privacy.
Executable specification of cryptofraglets with Maude for security verification Fabio Martinelli and Marinella Petrocchi IIT-CNR, Pisa Italy presented.
Formal Analysis of Security Protocols Dr. Changyu Dong
BAN LOGIC Amit Chetal Monica Desai November 14, 2001
Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.
© UCL Crypto group oct.-15 On the Perfect Encryption Assumption in the Study of Security Protocols O. Pereira and J.-J. Quisquater UCL Crypto Group
Protocol Analysis: The SPYCE Perspective Joe Halpern.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
Formal Verification Lecture 9. Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems.
CSCE 813 Internet Security Cryptographic Protocol Analysis.
Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.
Correctness Proofs and Counter-model Generation with Authentication-Protocol Logic Koji Hasebe Mitsuhiro Okada Department of Philosophy, Keio University.
6 June Lecture 2 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,
3.2 Semantics. 2 Semantics Attribute Grammars The Meanings of Programs: Semantics Sebesta Chapter 3.
Chapter 3 Part II Describing Syntax and Semantics.
Programming Languages and Design Lecture 3 Semantic Specifications of Programming Languages Instructor: Li Ma Department of Computer Science Texas Southern.
Semantics In Text: Chapter 3.
Network Protocols Network Systems Security Mort Anvari.
Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.
From Hoare Logic to Matching Logic Reachability Grigore Rosu and Andrei Stefanescu University of Illinois, USA.
HACNet Simulation-based Validation of Security Protocols Vinay Venkataraghavan Advisors: S.Nair, P.-M. Seidel HACNet Lab Computer Science and Engineering.
December 6, 2001DIMI, Universita’ di Udine, Italy Graduate Course on Computer Security Lecture 7: Specification Languages Iliano Cervesato
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
IS 2620: Developing Secure Systems Formal Verification/Methods Lecture 9 March 15, 2012.
Model Checking for Security Protocols Will Marrero, Edmund Clarke, Shomesh Jha.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Iliano Cervesato ITT Industries, NRL Washington, DC
Security Protocols Analysis
The Inductive Approach to Verifying Cryptographic Protocols
Protocol Verification by the Inductive Method
CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9
Efficient Short-Password Key Exchange (ESP-KE)
CDK: Chapter 7 TvS: Chapter 9
Protocol Verification by the Inductive Method
Presentation transcript:

September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato ITT Industries, NRL – Washington DC

Security Protocol Specification Languages 2 Scope of this Course  Specification languages for cryptographic protocols  Evaluation criteria  Anthology of languages  Scientific impact  Extras...  Advertisement for MSR

Security Protocol Specification Languages 3 This Course is not about  Cryptography  Applications of crypto-protocols  Taxonomy of  Protocols  Attacks  Tools  Verification

Security Protocol Specification Languages 4 Outline Hour 1: Specification languages Hour 2: MSR Hour 3: The most powerful attacker Hour 4: Reconstructing the intruder

Security Protocol Specification Languages 5 Hour 1 Specification Languages

Security Protocol Specification Languages 6 Hour 1: Outline  Security protocols  Dolev-Yao abstraction  Specification targets  Major specification languages  Origins  Example (Needham-Schroeder)  Properties  Evaluation

Security Protocol Specification Languages 7 Security Protocols  Use cryptographic means to ensure  confidentiality  authentication  non-repudiation, … in distributed/untrusted environment  Applications  e-commerce  trade/military secrets  everyday computing Security goals

Security Protocol Specification Languages 8 Why is Protocol Analysis Difficult?  Subtle cryptographic primitives  Dolev-Yao abstraction  Distributed hostile environment  “Prudent engineering practice”  Inadequate specification languages  … the devil is in details …

Security Protocol Specification Languages 9 Correctness vs. Security [Mitchell]  Correctness: satisfy specifications  For reasonable inputs, get reasonable output  Security: resist attacks  For unreasonable inputs, output not completely disastrous  Main difference  Active interference from the environment

Security Protocol Specification Languages 10 Dolev-Yao Model of Security Network Alice Bob Charlie Dan Server

Security Protocol Specification Languages 11 Dolev-Yao Abstraction  Symbolic data  No bit-strings  Perfect cryptography  No guessing of keys  Public knowledge soup  Magic access to data

Security Protocol Specification Languages 12 Perfect Cryptography  K A -1 is needed to decrypt {M} KA  No collisions  {M 1 } KA = {M 2 } KB iff M 1 = M 2 and K A = K A  …

Security Protocol Specification Languages 13 Public Knowledge Soup  Free access to auxiliary data  Abstracts actual mechanisms  database  subprotocols, …  But … not all data are public  keys  secrets

Security Protocol Specification Languages 14 … pictorially akaka kbkb s

Security Protocol Specification Languages 15 Why is specification important?  Documentation  communicate  Engineering  implementation  verification tools  Science  foundations  assist engineering good

Security Protocol Specification Languages 16 Languages to Specify What?  Message flow  Message constituents  Operating environment  Protocol goals

Security Protocol Specification Languages 17 Desirable Properties  Unambiguous  Simple  Flexible  Adapts to protocols  Powerful  Applies to a wide class of protocols  Insightful  Gives insight about protocols

Security Protocol Specification Languages 18 Language Families  “Usual notation”  Knowledge logic  BAN  Process theory  FDR, Casper  Spi-calculus  Petri nets  Strands  MSR  Inductive methods  Temporal logic  Automata  NRL Prot. Analizer  CAPSL  Mur 

Security Protocol Specification Languages 19 Why so many?  Convergence of approaches  experience from mature fields  unifying problem  scientifically intriguing  funding opportunities  Fatherhood pride

Security Protocol Specification Languages 20 Needham-Schroeder Protocol  Devised in ’78 Example of weak specification !  Broken in ’95! But …  purely academic  attack subject to interpretation

Security Protocol Specification Languages 21 “Usual Notation” A  B: {n A, A} kB B  A: {n A, n B } kA A  B: {n B } kB

Security Protocol Specification Languages 22 How does it do?  Flow  Expected run  Constituents  Side remarks  Environment  Side remarks  Goals  Side remarks   Unambiguous  Simple  Flexible  Powerful  Insightful 

Security Protocol Specification Languages 23 BAN Logic [Burrows, Abadi, Needham]  Roots in belief logic  reason about knowledge as prot. unfolds  security: principals share same view  Specification  usual notation  “idealized protocol”  assumptions  Goals  Verification  Logical inference

Security Protocol Specification Languages 24 NS: BAN Idealization A  B: {n A, A} kB B  A: {n A, n B } kA A  B: {n B } kB A  B: {n A } kB B  A: {  A  n B  B  n A } kA A  B: {  A  n A  B, B |  A  n B  B  n B } kB More readable syntax proposed later

Security Protocol Specification Languages 25 NS: BAN Assumptions  A |   k A A  A |   k B B  A |  # n A  A |  A  n A  B  B |   k B B  B |   k A A  B |  # n B  B |  A  n B  B

Security Protocol Specification Languages 26 NS: BAN Goals  B |  A |  A  n A  B  A |  B |  A  n B  B Formally derived from BAN rules

Security Protocol Specification Languages 27 How does BAN do?  Flow  Idealized run  Constituents  Assumptions  Environment  Implicit  Goals  BAN formulas  Unambiguous  Simple  Flexible  Powerful  Insightful     

Security Protocol Specification Languages 28 CSP [Roscoe, Lowe]  Roots in  process algebra [Hoare]  non-interference  Specification  1 process for each role  non-deterministic intruder process  Verification  Refinement w.r.t. abstract spec.  FDR: model checker for CSP  Casper: interface to FDR

Security Protocol Specification Languages 29 CSP: NS Initiator Init(A, nA) = user.A?B -> I_running.A.B -> comm!Msg1.A.B.encr.key(B).n A.a -> comm.Msg2.B.A.encr.key(A)?n A ’.n B -> if n A = n A ’ then comm!Msg3.A.B.encr.key(B).n B -> I_commit.A.B -> session.A.B -> Skip else Stop A  B: {n A, A} kB B  A: {n A, n B } kA A  B: {n B } kB Responder is similar

Security Protocol Specification Languages 30 CSP: Resp. authentication spec. AR 0 = R_running.A.B -> I_commit.A.B -> AR 0 A 1 = {| R_running.A.B, I_commit.A.B |} AR = AR 0 ||| Run (S \ A 1 )

Security Protocol Specification Languages 31  Unambiguous  Simple  Flexible  Powerful  Insightful How does CSP do?  Flow  Role-based  Constituents  Formalized math.  Environment  Explicit  Goals  Abstract spec. 

Security Protocol Specification Languages 32 Casper Specification of NS #Free variables A, B: Agent na, nb : nonce PK : Agent -> PublicKey SK : Agent -> SecretKey InverseKeys = (PK, SK) #Processes INIT(A,na) knows PK, SK(A) RESP(B,nb) knows PK, SK(B) #Protocol description 0. -> A : B 1. A -> B : {na, A}{PK(B)} 2. B -> A : {na, nb}{PK(A)} 3. A -> B : {nb}{PK(B)} #Specification Secret(A, na, [B]) Secret(B, nb, [A]) Agreement(A, B, [na,nb]) Agreement(B,A, [na,nb] #Actual variables Alice, Bob, Mallory: Agent Na, Nb, Nm: Nonce … #Intruder information Intruder = Mallory IntruderKnowledge = {Alice, Bob, Mallory, Nm, PK, SK(Mallory)

Security Protocol Specification Languages 33 Spi-calculus [Abadi, Gordon]   -calculus with crypto. Constructs  Specification  1 process for each role  Instance to be studied  Intruder not explicitly modeled  Verification  Process equivalence to reference proc.

Security Protocol Specification Languages 34 Spi: NS Initiator init(A,B,c AB,K B +,K A - ) = ( n A ) c AB. c AB (x). case x of {|y|} K A - in let (y 1,y 2 ) = y in [y 1 is n A ] c AB. 0 A  B: {n A, A} kB B  A: {n A, n B } kA A  B: {n B } kB

Security Protocol Specification Languages 35 Spi: NS Responder resp(B,A,c AB,K A +,K B - ) = c AB (x). case x of {|y|} K B - in let (y 1,y 2 ) = y in [y 1 is A] ( n B ) c AB. c AB (x’). case x’ of {|y’|} K B - in [y’ is n B ] 0 A  B: {n A, A} kB B  A: {n A, n B } kA A  B: {n B } kB

Security Protocol Specification Languages 36 Spi: NS Instance inst(A,B,c AB ) = ( K A ) ( K B ) (init(A,B,c AB,K B +,K A - ) |resp(B,A,c AB,K A +,K B - ))

Security Protocol Specification Languages 37  Unambiguous  Simple  Flexible  Powerful  Insightful How does Spi do?  Flow  Role-based  Constituents  Informal math.  Environment  Implicit  Goals  Reference proc. 

Security Protocol Specification Languages 38 Strand Spaces [Guttman, Thayer]  Roots in trace theory  Lamport’s causality  Mazurkiewicz’s traces  Specification  Strands  Sets of principals, keys, …  Verification  Authentication tests  Model checking

Security Protocol Specification Languages 39 Strands {n A, A} kB {n A, n B } kA {n B } kB {n A, A} kB {n A, n B } kA {n B } kB A  B: {n A, A} kB B  A: {n A, n B } kA A  B: {n B } kB

Security Protocol Specification Languages 40 How do Strands do?  Flow  Role-based  Constituents  Informal math.  Environment  Side remarks  Goals  Side remarks  Unambiguous  Simple  Flexible  Powerful  Insightful   

Security Protocol Specification Languages 41 Inductive methods [Paulson]  Protocol inductively defines traces  Specification  1 inductive rule for each protocol rule  Universal intruder based on language  Verification  theorem proving (Isabelle HOL)  Related methods  [Bolignano]

Security Protocol Specification Languages 42 IMs: NS NS1[evs  ns; A  B; Nonce N A  used evs]  Says A B {Nonce N A, Agent A} KB # evs  ns NS2[evs  ns; A  B; Nonce N B  used evs; Says A’ B {Nonce N A, Agent A} KB  set evs]  Says B A {Nonce N A, Nonce N A } KA # evs  ns NS3[evs  ns; Says A B {Nonce N A, Agent A} KB  set evs; Says B’ A {Nonce N A, Nonce N A } KA  set evs]  Says A B {Nonce N A } KB # evs  ns A  B: {n A, A} kB B  A: {n A, n B } kA A  B: {n B } kB

Security Protocol Specification Languages 43 IMs: Environment Nil []  ns Fake [evs  ns; B  Spy; X  synth(analz (spies evs))]  Says Spy B X # evs  ns synth, analz, spies, … protocol indep.

Security Protocol Specification Languages 44  Unambiguous  Simple  Flexible  Powerful  Insightful How do IMs do?  Flow  Trace-based  Constituents  Formalized math.  Environment  Immutable  Goals  Imposs. traces 

Security Protocol Specification Languages 45 NRL Protocol Analyzer [Meadows]  Roots in automata theory  Specification  1 finite-state automata for each role  Grammar or words unaccessible to attacker  Verification  Backward state exploration  Theorem proving for finiteness

Security Protocol Specification Languages 46 NPA: NS Resp., action 2 Subroutine rec_request(user(B,honest),N,T): If: rcv msg(user(A,H),user(B,honest),[Z],N): verify(pke(privkey(user(B,honest)),Z),(W,user(A,H))), not(verify(W,(W1,W2))): Then: rec_who := user(A,H), rec_self := user(B,honest), rec_gotnonce := W: send msg(user(B,honest),[{rec_self},{rec_who}],N): event(user(B,honest),[user(A,H)],rec_request,[W],N) A  B: {n A, A} kB B  A: {n A, n B } kA A  B: {n B } kB

Security Protocol Specification Languages 47  Unambiguous  Simple  Flexible  Powerful  Insightful How does NPA do?  Flow  Role-based  Constituents  Prolog code  Environment  Explicit  Goals  Unreachable state    

Security Protocol Specification Languages 48 RTLA [Gray, McLean]  Roots in Temporal Logic (Lamport)  Specification  State components that change during a step  Verification  Proof in temporal logic  Evaluation  Similar to NPA

Security Protocol Specification Languages 49 CAPSL [Millen]  Ad-hoc model checker  Specification  Special-purpose language  Intruder built-in  Implementation  CIL [Denker] -> similar to MSR  Related systems  Mur  [Shmatikov, Stern]  ?? [Clarke, Jha, Marrero]

Security Protocol Specification Languages 50 CAPSL: NS PROTOCOL NS; VARIABLES A, B: PKUser; Na, Nb: Nonce, CRYPTO ASSUMPTIONS HOLDS A: B; A  B: {n A, A} kB B  A: {n A, n B } kA A  B: {n B } kB MESSAGES A -> B : {A, Na}pk(B); B -> A : {Na,Nb}pk(A); A -> B : {Nb}pk(B); GOALS SECRET Na; SECRET Nb; PRECEDES A: B | Na; PRECEDES B: A | Nb; END;

Security Protocol Specification Languages 51  Unambiguous  Simple  Flexible  Powerful  Insightful How does CAPSL do?  Flow  Explicit run  Constituents  Declarations  Environment  Implicit  Goals  Properties   

Security Protocol Specification Languages 52 Two more …  MSR 1.x  MSR 2.0 … next hour

Security Protocol Specification Languages 53 Hour 2 MSR

Security Protocol Specification Languages 54 Hour 2: Outline  Origins  Language description  Access control  Execution model

Security Protocol Specification Languages 55 MSR 1.x [Cervesato, Durgin, Lincoln, Mitchell, Scedrov]  Multiset rewriting with existentials  “Persistent predicates” model assumptions  Role state predicates thread rules through

Security Protocol Specification Languages 56 MSR 1.x - Initiator  A0 (A)  L 0 (A),  A0 (A) L 0 (A),  A1 (B)   n A. L 1 (A,B,n A ), N ({n A,A} kB ),  A1 (B) L 1 (A,B,n A ), N ({n A,n B } kA )  L 2 (A,B,n A,n B ) L 2 (A,B,n A,n B )  L 3 (A,B,n A,n B ), N ({n B } kB ) where  A0 (A) = Pr(A), PrvK(A,k A -1 )  A1 (B) = Pr(B), PubK(B,k B ) Nonce generation Message transmissio n A  B: {n A, A} kB B  A: {n A, n B } kA A  B: {n B } kB

Security Protocol Specification Languages 57 MSR 1.x - Responder  B0 (B)  L 0 (B),  B0 (B) L 0 (A),  B1 (A), N ({n A,A} kB )  L 1 (A,B,n A ),  B1 (A) L 1 (A,B,n A )   n B. L 2 (A,B,n A,n B ), N ({n A,n B } kA ) L 2 (A,B,n A,n B ), N ({n B } kB )  L 3 (A,B,n A,n B ) where  B0 (B) = Pr(B), PrvK(B,k B -1 )  B1 (A) = Pr(A), PubK(A,k A ) Role state predicate Persisten t Info. A  B: {n A, A} kB B  A: {n A, n B } kA A  B: {n B } kB

Security Protocol Specification Languages 58 Evaluation  Poor specification language  Error-prone  Limited automated assistance  Very insightful  Undecidability of protocol correctness verification

Security Protocol Specification Languages 59   Unambiguous  Simple  Flexible  Powerful  Insightful How did we do?  Flow  Role-based  Constituents  Persistent info.  Environment  In part  Goals  

Security Protocol Specification Languages 60 MSR 2.0 [Cervesato]  Redesign MSR as a spec. language  Easy to use  Support for automation  Margin for verification  Current techniques can be adapted  Insightful  Background in type-theory

Security Protocol Specification Languages 61  Unambiguous  Simple  Flexible  Powerful  Insightful How will we do?  Flow  Role-based  Constituents  Strong typing  Environment  In part  Goals

Security Protocol Specification Languages 62 What’s in MSR 2.0?  Multiset rewriting with existentials  Dependent types w/ subsorting  Memory predicates  Constraints New

Security Protocol Specification Languages 63 Terms  Atomic terms  Principal namesA  Keysk  Noncesn  …  Term constructors  (_ _)  {_} _ {{_}} _  [_] _  … DefinableDefinable

Security Protocol Specification Languages 64 Rules  y 1 :  ’ 1. …  y n’ :  ’ n’.  x 1 :  1. …  x n :  n. lhs  rhs N (t)Network L(t, …, t)Local state M A (t, …, t)Memory   Constraints N (t)Network L(t, …, t)Local state M A (t, …, t)Memory

Security Protocol Specification Languages 65 Types of Terms  A: princ  n: nonce  k: shK A B  k: pubK A  k’: privK k  … (definable)  A: princ  n: nonce  A: princ  n: nonce  k: shK A B  k: pubK A  k’: privK k Types can depend on term Captures relations between objects Subsumes persistent information  Static  Local  Mandatory

Security Protocol Specification Languages 66 Subtyping  Allows atomic terms in messages  Definable  Non-transmittable terms  Sub-hierarchies  :: msg

Security Protocol Specification Languages 67 Role State Predicates  Hold data local to a role instance  Lifespan = role  Invoke next rule  L l = control  (A,t, …, t) = data L l (A,t, …, t)

Security Protocol Specification Languages 68 Memory Predicates  Hold private info. across role exec.  Support for subprotocols  Communicate data  Pass control  Interface to outside system  Implements intruder New M A (t, …, t)

Security Protocol Specification Languages 69 Constraints  Guards over interpreted domain  Abstract  Modular  Invoke constraint handler  E.g.: timestamps  (T E = T N + T d )  (T N < T E ) New 

Security Protocol Specification Languages 70 Type of Predicates  Dependent sums  (x) x   Forces associations among arguments  E.g.: princ (A) x pubK A (k A ) x privK k A  x: .  x

Security Protocol Specification Languages 71 Roles  Generic roles  Anchored roles y:’.y:’. x:.x:.lhs  rhs ……………… y:’.y:’. x:.x:.lhs  rhs  L:  ’ 1 (x 1 ) x … x  ’ n (x n ) … Role state pred. var. declarations AA Role owner  L:  ’ 1 (x 1 ) x … x  ’ n (x n ) … A Role owner y:’.y:’. x:.x:.lhs  rhs …… … y:’.y:’. x:.x:.lhs  rhs

Security Protocol Specification Languages 72 MSR 2.0 – NS Initiator AA  B: princ  k B : pubK B   n A :nonce. L(A,B,k B,n A ) N ({n A,A} kB )  …  k A : pubK A  k’ A : privK k A  n A,n B : nonce L(A,B,k B,n A ) N ({n A,n B } kA )  N ({n B } kB )  L: princ x princ (B) x pubK B x nonce.  B: princ  k B : pubK B   n A :nonce. L(A,B,k B,n A ) N ({n A,A} kB )  …  k A : pubK A  k’ A : privK k A  n A,n B : nonce L(A,B,k B,n A ) N ({n A,n B } kA )  N ({n B } kB )  L: princ x princ (B) x pubK B x nonce. A  B: {n A, A} kB B  A: {n A, n B } kA A  B: {n B } kB

Security Protocol Specification Languages 73 MSR 2.0 – NS Responder BB  k B : pubK B  k’ B : privK k B  A: princ  n A : nonce  k A : pubK A N ({n A,A} kB )   n B :nonce. L(B,k B,k’ B,n B ) N ({n A,n B } kA )  …  n B : nonce L(B,k B,k’ B,n B ) N ({n B } kB )   L: princ (B) x pubK B (kB) x privK k B x nonce.  k B : pubK B  k’ B : privK k B  A: princ  n A : nonce  k A : pubK A N ({n A,A} kB )   n B :nonce. L(B,k B,k’ B,n B ) N ({n A,n B } kA )  …  n B : nonce L(B,k B,k’ B,n B ) N ({n B } kB )   L: princ (B) x pubK B (kB) x privK k B x nonce. A  B: {n A, A} kB B  A: {n A, n B } kA A  B: {n B } kB

Security Protocol Specification Languages 74  Transmission of a long term key  Catches:  Encryption with a nonce Type Checking  |— P |— P  |— t :  P is well- typed in  t has type  in   Decidable  Circular key hierarchies, …  Static and dynamic uses New

Security Protocol Specification Languages 75 Access Control  Catches  A signing/encrypting with B’s key  ‖— P ‖— P  ‖ — A r P is AC- valid in  r is AC-valid for A in   Decidable  A accessing B’s private data, …  Fully static New  Gives meaning to Dolev-Yao intruder

Security Protocol Specification Languages 76 An Overview of Access Control  Interpret incoming information  Collect received data  Access unknown data  Construct outgoing information  Generate data  Use known data  Access new data  Verify access to data

Security Protocol Specification Languages 77 Processing a Rule  ‖ — A lhs >>   ;  ‖ — A rhs  ‖ — A lhs  rhs Knowledge set: Collects what A knows Knowledge set: Collects what A knows Context

Security Protocol Specification Languages 78 Processing Predicates on the LHS  ;  ‖ — A t >>  ’  ;  ‖ — A N(t) >>  ’  ;  ‖ — A t 1,…,t n >>  ’  ;  ‖ — A M A (t 1,…,t n ) >>  ’ Network messages Memory predicates

Security Protocol Specification Languages 79 Interpreting Data on the LHS  ;  ‖ — A k >>  ’  ;  ’  ‖ — A t >>  ’’  ;  ‖ — A {t} k >>  ’’  ;  ‖ — A t 1, t 2 >>  ’  ;  ‖ — A (t 1, t 2 ) >>  ’  ;  ( ,x)  ‖ — A x >> ( ,x) ( ,x:  ) ;  ‖ — A x >> ( ,x) Pairs Encrypted terms Elementary terms

Security Protocol Specification Languages 80 Accessing Data on the LHS  ;  ( ,k)  ‖ — A k >> ( ,k) ( ,x:shK A B);  ‖ — A x >> ( ,x) ( ,k:pubK A,k’:privK k);  ‖ — A k >> ( ,k’) ( ,k:pubK A,k’:privK k);  ( ,k’)  ‖ — A k >> ( ,k’) Shared keys Public keys

Security Protocol Specification Languages 81 Generating Data on the RHS ( , x:nonce);  ( , x)  ‖ — A rhs  ;  ‖ — A  x:nonce. rhs Nonces

Security Protocol Specification Languages 82 Constructing Terms on the RHS  ;  ‖ — A t 1  ;  ‖ — A t 2  ;  ‖ — A (t 1, t 2 )  ;  ‖ — A t  ;  ‖ — A k  ;  ‖ — A {t} k Shared-key encryptions Pairs

Security Protocol Specification Languages 83 Accessing Data on the RHS ,  B:princ ‖ — A B ,  B:princ,  k:shK A B ‖ — A k ,  B:princ,  k:pubK B ‖ — A k ,  k:pubK A,  k’:privK k ‖ — A k’ Principal Shared key Private key Public key

Security Protocol Specification Languages 84 Configurations C = [S] R  Active role set Signatur e a :  L l :  M _ :  State N (t) L l (t, …, t) M A (t, …, t)

Security Protocol Specification Languages 85 Execution Model  Activate roles  Generates new role state pred. names  Instantiate variables  Apply rules  Skips rules P  C  C’ 1- step firing

Security Protocol Specification Languages 86 [S] R (  x: .r,  ) A   [S] R ([t/x]r,  )  A  Variable Instantiation  Not fully realistic for verification  Redundancy realizes typing, …  … but not completely  |— t :  [S] R (  x: .r,  ) A   [S] R ([t/x]r,  )  A 

Security Protocol Specification Languages 87 Rule Application S, F  [S 2 ] R  A  c:  c not in S 1 S, G(c) [S 1 ] R(r,  ) A   Firing r = F,    n: . G(n)  Constraint check  |=  (constraint handler)

Security Protocol Specification Languages 88 Properties  Admissibility of parallel firing  Type preservation  Access control preservation  Completeness of Dolev-Yao intruder New

Security Protocol Specification Languages 89 Completed Specifications  Full Needham-Schroeder public-key  Otway-Rees  Neuman-Stubblebine repeated auth.  OFT group key management

Security Protocol Specification Languages 90 Hour 3 The Most Powerful Attacker

Security Protocol Specification Languages 91 Hour 3: Outline  Execution with an attacker  Specifying the Dolev-Yao intruder  Completeness of the Dolev-Yao intruder

Security Protocol Specification Languages 92 Execution with an Attacker P, P I  C  C’  Selected principal(s):I  Generic capabilities:P I  Well-typed  AC-valid  Modeled completely within MSR

Security Protocol Specification Languages 93 The Dolev-Yao Intruder  Specific protocol suiteP DY  Underlies every protocol analysis tool  Completeness still unproved !!!

Security Protocol Specification Languages 94 Capabilities of the D-Y Intruder  Intercept / emit messages  Split / form pairs  Decrypt / encrypt with known key  Look up public information  Generate fresh data

Security Protocol Specification Languages 95 DY Intruder – Net Interference  t: msg   N(t)  M I (t) I  M I (t) : Intruder knowledge  t: msg   M I (t)  N(t) I

Security Protocol Specification Languages 96 DY Intruder – Decryption   M I (t)  A,B: princ  k: shK A B  t: msg I M I ({t} k ) M I (k)   M I (t)  A: princ  k: pubK A  k’: privK A  t: msg I M I ({t} k ) M I (k’)

Security Protocol Specification Languages 97 DY Intruder – Encryption   M I ({t} k )  A,B: princ  k: shK A B  t: msg I MI(t)MI(k)MI(t)MI(k)   M I ({t} k )  A: princ  k: pubK A  t: msg I MI(t)MI(k)MI(t)MI(k)

Security Protocol Specification Languages 98 DY Intruder – Pairs   M I ( t 1,t 2 )  t 1,t 2 : msg I MI(t1)MI(t2)MI(t1)MI(t2) M I ( t 1,t 2 )   t 1,t 2 : msg I MI(t1)MI(t2)MI(t1)MI(t2)

Security Protocol Specification Languages 99 DY Intruder – Structural Rules M I ( t)   t: msg I MI(t)MI(t)MI(t)MI(t) M I ( t)    t: msg I

Security Protocol Specification Languages 100 DY Intruder – Data Access   M I (k’)  k: pubK I  k’: privK k I   M I (k)  A: princ  k: pubK A I   M I (k)  A: princ  k: shK I A + dual I  A: princ    M I (A) I  No nonces, no other keys, …

Security Protocol Specification Languages 101 DY Intruder – Data Generation    n:nonce   M I (n) I  It depends on the protocol !!!  Automated generation ?  Safe data    m:msg   M I (m) I  Anything else ?  A,B:princ.    k:shK A B   M I (k) I ???

Security Protocol Specification Languages 102 Completeness of D-Y Intruder  If P  [S] R   [S’] R’  ’ with all well-typed and AC-valid  Then P, P DY  [S] R   [S’] R’  ’

Security Protocol Specification Languages 103 Encoding of P, S,  PRemove roles anchored on I SMap I’s state / mem. pred. using M I  Remove I’s role state pred.; add M I

Security Protocol Specification Languages 104 Encoding of R  No encoding on structure of R  Lacks context!  Encoding on AC-derivation for R A ::  ‖ — R  Associate roles from P DY to each AC rule

Security Protocol Specification Languages 105 Completeness Proof  Induction on execution sequence  Simulate every step with P DY  Rule application  Induction on AC-derivation for R  Every AC-derivation maps to execution sequence relative to P DY  Rule instantiation  AC-derivations preserved  Encoding unchanged

Security Protocol Specification Languages 106 DY Intruder Stretches AC to Limit Well-typed AC-valid Dolev-Yao intruder

Security Protocol Specification Languages 107 Consequences  Justifies design of current tools  Support optimizations  D-Y intr. often too general/inefficient  Generic optimizations  Per protocol optimizations  Restrictive environments  Caps multi-intruder situations

Security Protocol Specification Languages 108 Hour 4 Reconstructing the Intruder

Security Protocol Specification Languages 109 Hour 4: Outline  Access Control  Dolev-Yao intruder  MSR specification  Access Control

Security Protocol Specification Languages 110 The Dolev-Yao Intruder Model  Interpret incoming information  Collect received data  Access unknown data  Construct outgoing information  Generate data  Use known data  Access new data  Same operations as AC!

Security Protocol Specification Languages 111 Accessing Principal Names  B:princ    M I (B) I ,  B:princ ‖ — A B I

Security Protocol Specification Languages 112 What did we do?  Instantiate acting principal to I  Accessed data  Intruder knowledge  Meta-variables  Rule variables  Ignore context 

Security Protocol Specification Languages 113 Checking it out: Shared Keys ,  A:princ,  B:princ,  k:shK A B ‖ — A k I   M I (k)  B: princ  k: shK I B I II + dual

Security Protocol Specification Languages 114 Getting Confident: Pub./Priv. Keys ,  B:princ,  k:pubK B ‖ — A k   M I (k)  B: princ  k: pubK B I   M I (k’)  k: pubK I  k’: privK k I ,  A:princ,  k:pubK A,  k’:privK k ‖ — A k’ I I II

Security Protocol Specification Languages 115 Constructing Messages: Pairs  t 1,t 2 :msg   M I (t 1 ), M I (t 2 )  M I ((t 1,t 2 )) I  ;  ‖ — A t 1  ;  ‖ — A t 2  ;  ‖ — A (t 1, t 2 ) I I I

Security Protocol Specification Languages 116 Now, what did we do?  Instantiate acting principal to I  Accessed data  Intruder knowledge  Meta-variables  Rule variables  Ignore  and knowledge context   Premises  antecedent  Conclusion  consequent  Auxiliary typing derivation gives types

Security Protocol Specification Languages 117 Carrying on: Shared-Key Encrypt.  ;  ‖ — A t  ;  ‖ — A k  ;  ‖ — A {t} k I II  M I (t), M I (k)  M I ({t} k )  A,B: princ  k: shK A B  t: msg I Similar for public-key encryption

Security Protocol Specification Languages 118 Generating Data: Nonces ( , x:nonce );  ( , x )  ‖ — A rhs  ;  ‖ — A  x:nonce. rhs    x:nonce. M I (x) I I I Similarly for other generated data

Security Protocol Specification Languages 119 Now, what did we do?  Instantiate acting principal to I  Accessed data  Intruder knowledge  Meta-variables  Rule variables  Ignore  and knowledge context   Premises  antecedent  Conclusion  consequent  Auxiliary typing derivation gives types  One intruder rule for each AC rule  Save generated object

Security Protocol Specification Languages 120 Interpreting Shared-Key Encrypt.  ;  ‖ — A k >>  ’  ;  ’  ‖ — A t >>  ’’  ;  ‖ — A {t} k >>  ’’ I II  M I ({t} k ), M I (k)  M I (t)  A,B: princ  k: shK A B  t: msg I Similar for public-key encryption pairing

Security Protocol Specification Languages 121 Now, what did we do?  Instantiate acting principal to I  Accessed data  Intruder knowledge  Meta-variables  Rule variables  Ignore  and knowledge context   Premises  antecedent  Conclusion  consequent  Auxiliary typing derivation gives types  One intruder rule for each AC rule  Save generated object  Premises  consequent  Conclusion  antecedant

Security Protocol Specification Languages 122 Network Rules  ;  ‖ — A t >>  ’  ;  ‖ — A N(t) >>  ’  ;  ‖ — A t  ;  ‖ — A N(t)  t:msg   M I (t)  N(t) I  t:msg   N(t)  M I (t) I

Security Protocol Specification Languages 123 … Other Rules? Either  redundant  or, innocuous (but sensible)  t:msg   N(t)  N(t) I  t 1,…,t n :msg  M’ I (t 1,…,t n )  M I (t 1 ),…,M I (t n ) I

Security Protocol Specification Languages 124 Dissecting AC 5 activities:  Interpret message components on LHS  Access data (keys) on LHS  Generate data on RHS  Construct messages on RHS  Access data on RHS Constructorsatoms Trivial Pattern matching

Security Protocol Specification Languages 125 Accessing Data * + princ: type  Annotate the type of freely accessible data privK:  A: princ. pubK A -> type pubK: princ -> type  Make it conditional for dep. types

Security Protocol Specification Languages 126 Generating Data  Again, annotate types shK: princ -> princ -> type nonce: type + + ! ! shK: princ -> princ -> type + + !

Security Protocol Specification Languages 127 Interpreting Constructors  Mark arguments as input or output [_] _ : msg ->  A: princ.  k: sigK A. verK k -> msg _,_: msg -> msg -> msg hash: msg -> msg {_} _ : msg ->  A: princ.  B: princ. shK A B -> msg {{_}} _ : msg ->  A: princ.  k: pubK A. privK k -> msg + * * *

Security Protocol Specification Languages 128 Annotating Declarations  Integrates semantics of types and constructors  “Trimmed down” version of AC  Allows constructing AC rules  Allows constructing the Dolev-Yao intruder

Security Protocol Specification Languages 129 … alternatively Compute AC rules from protocol  There are finitely many annotations  Check protocol against each of them  Keep the most restrictive ones that validate the protocol Exponential! More efficient algorithms?

September 17 th, 2001FOSAD 2001 – Bertinoro, Italy The end

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.