MSR 3: One Year Later Iliano Cervesato [email protected] ITT Industries, inc @ NRL Washington, DC iliano Protocol eXchange

MSR 3:One Year Later

Iliano [email protected]

ITT Industries, inc @ NRL Washington, DC

http://theory.stanford.edu/~iliano

Protocol eXchange Seminar, UMBC May 27-28, 2004

MSR 3.0:The Logical Meeting Point of MultisetRewriting and Process Algebra

I liano Cervesato [email protected]

I TT I ndustries, inc @ NRL Washington, DC

http:/ / www.cs.stanf ord.edu/ ~iliano

CS Department, UMBC February 27-28, 2003

MSR 3: One Year Later 2/28

NSPK in MSR 3

A: princ.

{ L: princ B:princ.pubK B nonce mset.

B: princ. kB: pubK B. nA: nonce.

net ({nA, A}kB), L (A, B, kB, nA)

B: princ. kB: pubK B.

kA: pubK A. kA': prvK kA.

nA: nonce. nB: nonce.

net ({nA, nB}kA), L (A, B, kB, nA)

net ({nB}kB)

}

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

Interpretation of L Rule invocation

Implementation detail

Control flow Local state of

role Explicit view Important for

DOS

MSR 2 spec.


NSPK in MSR 3

A:princ. B: princ. kB: pubK B.

nA: nonce.

net ({nA, A}kB),

(kA: pubK A. kA': prvK kA. nB: nonce.

net ({nA, nB}kA) net ({nB}kB))

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

Succinct Continuation-passing style

Rule asserts what to do next Lexical control flow

State is implicit Abstract

Not an MSR 2 spec.


Looks Familiar?A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

Process calculus

A:princ.B: princ. kB: pubK B.

kA: pubK A. kA': prvK kA. nB: nonce.

nA: nonce.

net ({nA, A}kB) .

net <{nA, nB}kA> .

net ({nB}kB) . 0

{NA, A}KB

{NA, NB}KA

{NB}KB

Alice (A,B,NA,NB) :

NA Fresh, A(A,B)

Parametric strand


What is MSR 3?

A new language for security protocols

Supports State transition specs

Conservative over MSR 2Process algebraic specs

Rewriting re-interpretation of logicRich composable set of connectives

Universal connector

Neutral paradigm


More than the Sum of its Parts

Process- and transition-based specs.in the same language

Choose the paradigmUser’s preferenceHighlight characteristics of interestSupport various verification techniques (FW)

Mix and match stylesWithin a spec.Within a protocolWithin a role


What is in MSR 3 ?

Security-relevant signature Network Encryption, …

Typing infrastructure Dependent types Subsorting

Data Access Specification (DAS)

Module system Equations

FromMSR 2

FromMSR 1

From MSR 2implementation

-Multisets

MSR 2

Protocols

Repr. gap


-Multisets

Specification language for concurrent systems

Crossroad of State transition languages

Petri nets, multiset rewriting, … Process calculi

CCS, -calculus, … (Linear) logic

Benefits Analysis methods from logic and type theory Common ground for comparing

Multiset rewriting Process algebra

Allows multiple styles of specification Unified approach

-Multisets

MSR 2

Protocols

Repr. gap


SyntaxA ::= a atomic object

| 1 [] empty| A B [A, B] formation| A B [A B] rewrite| T no-op| A & B [A || B] choice| x. A instantiation| x. A generation| ! A replication

Generalizes FO multiset rewriting (MSR 1-2)x1…xn. a(x) y1…yk. b(x,y)


State and Transitions

States ; ;

; is a list and are

commutative monoids Transitions

; ; ’; ’; ’; ; * ’; ’

* for reflexive and transitive closure

Constructor: “,” Empty: “”- logic

- system - rewriting - processes- security


Transition Semantics

; ; (, A, A B) ; ; (, B)T (no rule)

& ; ; (, A1 & A2) ; ; (, Ai)

; ; (, x. A) ; ; (, [t/x]A)if |- t

; ; (, x. A) (, x) ; ; (, A)

! ; ; (, !A) ; (, A) ;

; (, A) ; ; (, A) ; (, A)

; ; * ; ; ; * ’’; ’’if ; ; ’; ’ ; ’ and ’; ’ ; ’ * ’’; ’’


Linear Logic

FormulasA, B ::= a | 1 | A B | A B | ! A

| T | A & B | x. A | x. A

LV sequents ; --> C

Goalformula

Signature

Unrestrictedcontext Linear

context

Constructor: “,” Empty: “”

- logic- system - rewriting - processes- security


Logical Derivations

Proof of C from and Emphasis on C

C is input

Finite Closed

Rules shown Major premise

Preserves C Minor premise

Starts subderivation; --> C

’’; ’’ -->’’ C

’; ’ -->’ C

’’’; C -->’’’ C



A Rewriting Re-Interpretation

Transition From conclusion To major premise

Emphasis on , and C is output, at best

Does not change

Possibly infinite Open

Minor premise Auxiliary rewrite chain

Finite Topped with axiom

; --> C

’’; ’’ -->’’ C

’; ’ -->’ C

’’’; C -->’’’ C



Interpreting Unary Rules

; ; (, !A) ; (, A);

; , A -->,x C

; , x.A --> C

, A; --> C

; , !A --> C

|- t ; , [t/x]A --> C

; , x.A --> C

; , A, B --> C

; , AB --> C; ; (, AB ) ; ; (, A, B)

; ; (, x. A) ; ; (, [t/x]A)if |- t

; ; (, x. A) (, x); ; (, A)

… …



Binary Rules and Axiom

Minor premiseAuxiliary rewrite

chain

Top of treeFocus shifts to

RHS Axiom rule

Observation

; ’ --> A ; , B --> C

; , ’ , AB --> C

’; A -->’ A



Observations

Observation states

; In , we identify

, with with 1

Categorical semantics

Identified with x1. … xn. For = x1, …, xn

De Bruijn’s telescopes

Observation transitions; ; * ’; ’

A

,’; A’ -->,’ A’

; --> ’. A’

=

; = . - logic- system - rewriting - processes- security


Interpreting Binary Rules

; ; (, ’, A B) ; ; (, B)if ; ; ’ * ; A

; ’ --> A ; , B --> C

; , ’ , AB --> C

; ’ --> A ; A --> C

; , ’ --> C

; ; , ’ ; ; (A, )if ; ; ’ * ; A

; A --> A; ; * ; ; ; * ’’; ’’

if ; ; ’; ’; ’and ’; ’; ’ * ’’; ’’

… …



Formal Correspondence

SoundnessIf ; ; * ,’; ’then ; --> ’. ’

Completeness?No! We have only crippled right rules

; ; a b, b c * ; a c



System

With cut, rule for can be simplified to; ; (, A, A B) ; ; (, B)

Cut elimination holds= in-lining of auxiliary rewrite chains

But … Careful with extra signature symbols Careful with extra persistent objects

No rule for needs a premise does not depend on *



Multiset Rewriting

Multiset: set with repetitions alloweda ::= | a, a

Commutative monoid

Multiset rewriting (a.k.a. Petri nets)Rewriting within the monoid Fundamental model of distributed computing

Alternative: Process AlgebrasBasis for security protocol spec. languages

MSR family … several others

Many extensions, more or less ad hoc



The Atomic Objects of MSR 3

Atomic termsPrincipals AKeys KNonces NOther

Raw data , timestamp, …

Constructors Encryption

{_}_

Pairing (_, _) Other

Signature, hash, MAC, …

Fully definable

PredicatesNetwork

netMemory

MA

Intruder I…

-Multisets

MSR 2

Protocols

Repr. gap


Types

Fully definable Powerful abstraction mechanism

At various user-definable level Finely tagged messages Untyped: msg only

Simplify specification and reasoning Automated type checking

Simple typesA : princn : noncem : msg, …

Dependent typesk : shK A BK : pubK AK’ : privK K, …

-Multisets

MSR 2

Protocols

Repr. gap


Subsorting

Allows atomic terms in messages

DefinableNon-transmittable termsSub-hierarchies

Discriminant for type-flaw attacks

<: ’

-Multisets

MSR 2

Protocols

Repr. gap


Data Access Specification

Prevent illegitimate use of information Protocol specification divided in roles

– Owner = principal executing the role A signing/encrypting with B’s key A accessing B’s private data, …

Simple static check

Central meta-theoretic notion Detailed specification of Dolev-Yao access model

Gives meaning to Dolev-Yao intruder

Current effort towards integration in type system Definable

Possibility of going beyond Dolev-Yao model

-Multisets

MSR 2

Protocols

Repr. gap


Modules and Equations

ModulesBundle declarations with simple

import/export interfaceKeep specifications tidyReusable

Equations(For free from underlying Maude engine)

Specify useful algebraic properties Associativity of pairs

Allow to go beyond free-algebra model Dec(k, Enc(k, M)) = M

-Multisets

MSR 2

Protocols

Repr. gap


State-Based vs. Process-Based

State-based languages Multiset Rewriting NRL Prot. Analyzer, CAPSL/CIL, Paulson’s approach,

…State

transitionsemantics

Process-based languages Process Algebra Strand spaces, spi-calculus, …

Independentcommunicatingthreads

-Multisets

MSR 2

Protocols

Repr. gap


MSR 3 Bridges the Gap

Difficult to go from one to the otherDifferent paradigms

PB

SB

State vs.processdistance

Otherdistance

MSR 3

PB

SB

State Process translation done once and for all in MSR 3

-Multisets

MSR 2

Protocols

Repr. gap


Summary

MSR 3.0 Language for security protocol specification Succinct representations

Simpl specifications Economy of reasoning

Bridge between State-based representation Process-based representation

-multisets Logical foundation of multiset rewriting Relationship with process algebras Unified logical view

Better understanding of where we are Hint about where to go next

Documents

MSR 3: One Year Later Iliano Cervesato [email protected] ITT Industries, inc @ NRL Washington, DC iliano Protocol eXchange