September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato [email protected] ITT Industries, Inc

September 17th, 2001 FOSAD 2001 – Bertinoro, Italy

Security Protocol Specification Languages

Iliano Cervesato [email protected]

ITT Industries, Inc @ NRL – Washington DC

http://www.cs.stanford.edu/~iliano/

Security Protocol Specification Languages 2

Scope of this Course

Specification languages for cryptographic protocolsEvaluation criteriaAnthology of languagesScientific impact

Extras . . .Advertisement for MSR


This Course is not about

Cryptography

Applications of crypto-protocols

Taxonomy ofProtocolsAttacksTools

Verification


Outline

Hour 1: Specification languages

Hour 2: MSR

Hour 3: The most powerful attacker

Hour 4: Reconstructing the intruder


Hour 1

Specification Languages


Hour 1: Outline

Security protocols

Dolev-Yao abstraction

Specification targets

Major specification languagesOriginsExample (Needham-Schroeder)PropertiesEvaluation


Security Protocols

Use cryptographic means to ensureconfidentialityauthenticationnon-repudiation, …

in distributed/untrusted environment

Applicationse-commerce trade/military secretseveryday computing

Securitygoals


Why is Protocol Analysis Difficult?

Subtle cryptographic primitivesDolev-Yao abstraction

Distributed hostile environment“Prudent engineering practice”

Inadequate specification languages… the devil is in details …


Correctness vs. Security [Mitchell]

Correctness: satisfy specificationsFor reasonable inputs, get reasonable

output

Security: resist attacksFor unreasonable inputs, output not

completely disastrous

Main differenceActive interference from the

environment


Dolev-Yao Model of Security

NetworkNetwork

Alice

Bob

Charlie

Dan

Server


Dolev-Yao Abstraction

Symbolic dataNo bit-strings

Perfect cryptographyNo guessing of keys

Public knowledge soupMagic access to data


Perfect Cryptography

KA-1 is needed to decrypt {M}KA

No collisions{M1}KA = {M2}KB iff M1 = M2 and KA

= KA

…


Public Knowledge Soup

Free access to auxiliary dataAbstracts actual mechanisms

database subprotocols, …

But …not all data are public

keys secrets


… pictorially

a kakb

s


Why is specification important?

Documentationcommunicate

Engineering implementationverification tools

Science foundationsassist engineering

good


Languages to Specify What?

Message flow

Message constituents

Operating environment

Protocol goals


Desirable Properties

Unambiguous

Simple

FlexibleAdapts to protocols

PowerfulApplies to a wide class of protocols

InsightfulGives insight about protocols


Language Families

“Usual notation” Knowledge logic

BAN Process theory

FDR, CasperSpi-calculusPetri netsStrandsMSR

Inductive methods

Temporal logic Automata

NRL Prot. Analizer

CAPSLMur


Why so many?

Convergence of approachesexperience from mature fieldsunifying problemscientifically intriguing funding opportunities

Fatherhood pride


Needham-Schroeder Protocol

Devised in ’78

Example of weak specification !

Broken in ’95!

But …purely academicattack subject to interpretation


“Usual Notation”

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB


How does it do?

FlowExpected run

ConstituentsSide remarks

EnvironmentSide remarks

GoalsSide remarks

Unambiguous

Simple

Flexible

Powerful

Insightful


BAN Logic[Burrows, Abadi, Needham]

Roots in belief logic reason about knowledge as prot. unfolds security: principals share same view

Specification usual notation “idealized protocol” assumptions Goals

Verification Logical inference


NS: BAN IdealizationA B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

A B: {nA}kB

B A: {A nB BnA}kA

A B: {A nA B, B | A nB B

nB}kBMore readable syntax proposed later


NS: BAN Assumptions

A | kA A

A | kB B

A | # nA

A | A nA B

B | kB B

B | kA A

B | # nB

B | A nB B


NS: BAN Goals

B | A | A nA B

A | B | A nB B

Formally derived from BAN rules


How does BAN do?

FlowIdealized run

ConstituentsAssumptions

EnvironmentImplicit

GoalsBAN formulas

Unambiguous

Simple

Flexible

Powerful

Insightful


CSP [Roscoe, Lowe]

Roots in process algebra [Hoare] non-interference

Specification 1 process for each role non-deterministic intruder process

Verification Refinement w.r.t. abstract spec. FDR: model checker for CSP Casper: interface to FDR


CSP: NS Initiator

Init(A, nA) =

user.A?B -> I_running.A.B ->comm!Msg1.A.B.encr.key(B).nA.a ->

comm.Msg2.B.A.encr.key(A)?nA’.nB ->

if nA = nA’

then comm!Msg3.A.B.encr.key(B).nB ->

I_commit.A.B -> session.A.B -> Skip

else Stop

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

Responder is similar


CSP : Resp. authentication spec.

AR0 = R_running.A.B -> I_commit.A.B -> AR0

A1 = {| R_running.A.B, I_commit.A.B |}

AR = AR0 ||| Run (S \ A1)


Unambiguous

Simple

Flexible

Powerful

Insightful

How does CSP do?

FlowRole-based

ConstituentsFormalized

math.

EnvironmentExplicit

GoalsAbstract spec.


Casper Specification of NS

#Free variablesA, B: Agentna, nb : noncePK : Agent -> PublicKeySK : Agent -> SecretKeyInverseKeys = (PK, SK)

#ProcessesINIT(A,na) knows PK, SK(A)RESP(B,nb) knows PK,

SK(B)

#Protocol description0. -> A : B1. A -> B : {na, A}{PK(B)}2. B -> A : {na, nb}{PK(A)}3. A -> B : {nb}{PK(B)}

#SpecificationSecret(A, na, [B])Secret(B, nb, [A])Agreement(A, B, [na,nb])Agreement(B,A, [na,nb]

#Actual variablesAlice, Bob, Mallory: AgentNa, Nb, Nm: Nonce

…

#Intruder informationIntruder = MalloryIntruderKnowledge = {Alice, Bob, Mallory, Nm, PK, SK(Mallory)


Spi-calculus[Abadi, Gordon]

-calculus with crypto. Constructs

Specification1 process for each role Instance to be studied Intruder not explicitly modeled

VerificationProcess equivalence to reference

proc.


Spi: NS Initiator

init(A,B,cAB,KB+,KA

-) =

(nA) cAB< {|A, nA|}KB+ > .

cAB(x) . case x of {|y|}KA- in

let (y1,y2) = y in [y1 is nA]

cAB< {| y2 |}KB+ > .

0

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB


Spi: NS Responder

resp(B,A,cAB,KA+,KB

-) =

cAB(x) . case x of {|y|}KB- in

let (y1,y2) = y in [y1 is A]

(nB) cAB< {| y2, nB|}KA+ > .

cAB(x’) . case x’ of {|y’|}KB- in [y’ is nB]

0

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB


Spi: NS Instance

inst(A,B,cAB) =

(KA) (KB)

( init(A,B,cAB,KB+,KA

-)

| resp(B,A,cAB,KA+,KB

-))


Unambiguous

Simple

Flexible

Powerful

Insightful

How does Spi do?

FlowRole-based

ConstituentsInformal math.

EnvironmentImplicit

GoalsReference proc.


Strand Spaces[Guttman, Thayer]

Roots in trace theory Lamport’s causality Mazurkiewicz’s traces

Specification Strands Sets of principals, keys, …

Verification Authentication tests Model checking


Strands

{nA, A}kB

{nA, nB}kA

{nB}kB

{nA, A}kB

{nA, nB}kA

{nB}kB

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB


How do Strands do?

FlowRole-based

ConstituentsInformal math.

EnvironmentSide remarks

GoalsSide remarks

Unambiguous

Simple

Flexible

Powerful

Insightful


Inductive methods[Paulson]

Protocol inductively defines traces Specification

1 inductive rule for each protocol ruleUniversal intruder based on language

Verification theorem proving (Isabelle HOL)

Related methods [Bolignano]


IMs: NS

NS1 [evs ns; A B; Nonce NA used evs]

Says A B {Nonce NA, Agent A} KB # evs ns

NS2 [evs ns; A B; Nonce NB used evs;

Says A’ B {Nonce NA, Agent A} KB set evs]

Says B A {Nonce NA, Nonce NA} KA # evs ns

NS3 [evs ns; Says A B {Nonce NA, Agent A} KB set evs;

Says B’ A {Nonce NA, Nonce NA} KA set evs]

Says A B {Nonce NA} KB # evs ns

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB


IMs: Environment

Nil [] ns

Fake [evs ns; BSpy; X synth(analz (spies evs))]

Says Spy B X # evs ns

synth, analz, spies, … protocol indep.


Unambiguous

Simple

Flexible

Powerful

Insightful

How do IMs do?

FlowTrace-based

ConstituentsFormalized

math.

EnvironmentImmutable

GoalsImposs. traces


NRL Protocol Analyzer[Meadows]

Roots in automata theory

Specification1 finite-state automata for each roleGrammar or words unaccessible to

attacker

VerificationBackward state explorationTheorem proving for finiteness


NPA: NS Resp., action 2

Subroutine rec_request(user(B,honest),N,T):

If: rcv msg(user(A,H),user(B,honest),[Z],N): verify(pke(privkey(user(B,honest)),Z),(W,user(A,H))), not(verify(W,(W1,W2))):

Then: rec_who := user(A,H), rec_self := user(B,honest), rec_gotnonce := W:

send msg(user(B,honest),[{rec_self},{rec_who}],N):

event(user(B,honest),[user(A,H)],rec_request,[W],N)

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB


Unambiguous

Simple

Flexible

Powerful

Insightful

How does NPA do?

FlowRole-based

ConstituentsProlog code

EnvironmentExplicit

GoalsUnreachable

state


RTLA [Gray, McLean]

Roots in Temporal Logic (Lamport)

SpecificationState components that change during

a step

VerificationProof in temporal logic

EvaluationSimilar to NPA


CAPSL [Millen]

Ad-hoc model checker

Specification Special-purpose language Intruder built-in

Implementation CIL [Denker] -> similar to MSR

Related systems Mur [Shmatikov, Stern]

?? [Clarke, Jha, Marrero]


CAPSL: NS

PROTOCOL NS;

VARIABLESA, B: PKUser;Na, Nb: Nonce, CRYPTO

ASSUMPTIONSHOLDS A: B;

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

MESSAGESA -> B : {A, Na}pk(B);B -> A : {Na,Nb}pk(A);A -> B : {Nb}pk(B);

GOALSSECRET Na;SECRET Nb;PRECEDES A: B | Na;PRECEDES B: A | Nb;

END;


Unambiguous

Simple

Flexible

Powerful

Insightful

How does CAPSL do?

FlowExplicit run

ConstituentsDeclarations

EnvironmentImplicit

GoalsProperties


Two more …

MSR 1.x

MSR 2.0

… next hour


Hour 2

MSR


Hour 2: Outline

Origins

Language description

Access control

Execution model


MSR 1.x[Cervesato, Durgin, Lincoln, Mitchell, Scedrov]

Multiset rewriting with existentials

“Persistent predicates” model assumptions

Role state predicates thread rules through


MSR 1.x - Initiator

A0(A) L0(A), A0(A)

L0(A), A1(B) nA. L1(A,B,nA), N({nA,A}kB), A1(B)

L1(A,B,nA), N({nA,nB}kA) L2(A,B,nA,nB)

L2(A,B,nA,nB) L3(A,B,nA,nB), N({nB}kB)

whereA0(A) = Pr(A), PrvK(A,kA-1)

A1(B) = Pr(B), PubK(B,kB)

Nonce generatio

n

Messagetransmissi

on

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB


MSR 1.x - Responder

B0(B) L0(B), B0(B)

L0(A), B1(A), N({nA,A}kB) L1(A,B,nA), B1(A)

L1(A,B,nA) nB. L2(A,B,nA,nB), N({nA,nB}kA)

L2(A,B,nA,nB), N({nB}kB) L3(A,B,nA,nB)

whereB0(B) = Pr(B), PrvK(B,kB-1)

B1(A) = Pr(A), PubK(A,kA)

Role state

predicate

Persistent Info.

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB


Evaluation

Poor specification languageError-proneLimited automated assistance

Very insightfulUndecidability of protocol correctness

verification


Unambiguous

Simple

Flexible

Powerful

Insightful

How did we do?

FlowRole-based

ConstituentsPersistent info.

EnvironmentIn part

Goals


MSR 2.0[Cervesato]

Redesign MSR as a spec. languageEasy to useSupport for automation

Margin for verificationCurrent techniques can be adapted

InsightfulBackground in type-theory


Unambiguous

Simple

Flexible

Powerful

Insightful

How will we do?

FlowRole-based

ConstituentsStrong typing

EnvironmentIn part

Goals


What’s in MSR 2.0 ?

Multiset rewriting with existentials

Dependent types w/ subsorting

Memory predicates

Constraints

New

New

New


Terms

Atomic termsPrincipal names AKeys kNonces n…

Term constructors (_ _){_} _ {{_}}_

[_] _

…

Definable


Rules

y1: ’1.

…yn’: ’n’.

x1: 1. …

xn: n.lhs rhs

• N(t) Network

• L(t, …, t) Local state

• MA(t, …, t)Memory

• Constraints

• N(t) Network

• L(t, …, t) Local state

• MA(t, …, t) Memory


Types of Terms

A: princ

n: nonce

k: shK A B

k: pubK A

k’: privK k

… (definable)

A: princ

n: nonce

A: princ

n: nonce

k: shK A B

k: pubK A

k’: privK k

Types can dependon term

• Captures relationsbetween objects

• Subsumes persistentinformationStaticLocalMandatory


Subtyping

Allows atomic terms in messages

DefinableNon-transmittable termsSub-hierarchies

:: msg


Role State Predicates

Hold data local to a role instanceLifespan = role

Invoke next ruleLl = control (A,t, …, t) = data

Ll(A,t, …, t)


Memory Predicates

Hold private info. across role exec.

Support for subprotocolsCommunicate dataPass control

Interface to outside system

Implements intruder

New

MA(t, …, t)


Constraints

Guards over interpreted domainAbstractModular

Invoke constraint handler

E.g.: timestamps (TE = TN + Td) (TN < TE)

New


Type of Predicates

Dependent sums

(x) x

Forces associations among arguments

E.g.: princ(A) x pubK A(kA) x privK kA

x: .

x


Roles

Genericroles

Anchoredroles

y:’.x:. lhs rhs… … …

y:’.x:. lhs rhs

L: ’1(x1) x … x ’n

(xn)

…

Role state pred.var. declarations

A

Role owner

L: ’1(x1) x … x ’n

(xn)

…A

Role owner

y:’.x:. lhs rhs… … …

y:’.x:. lhs rhs


MSR 2.0 – NS Initiator

A

B: princkB: pubK B

nA:nonce.L(A,B,kB,nA) N({nA,A}kB)

…kA: pubK A

k’A: privK kA

nA,nB: nonce

L(A,B,kB,nA)N({nA,nB}kA)

N({nB}kB)

L: princ x princ(B) x pubK B x nonce.

B: princkB: pubK B

nA:nonce.L(A,B,kB,nA) N({nA,A}kB)

…kA: pubK A

k’A: privK kA

nA,nB: nonce

L(A,B,kB,nA)N({nA,nB}kA)

N({nB}kB)

L: princ x princ(B) x pubK B x nonce.

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB


MSR 2.0 – NS Responder

B

kB: pubK B

k’B: privK kB

A: princnA: nonce

kA: pubK A

N({nA,A}kB) nB:nonce.L(B,kB,k’B,nB) N({nA,nB}kA)

…nB: nonce

L(B,kB,k’B,nB) N({nB}kB)

L: princ(B) x pubK B(kB) x privK kB x nonce.

kB: pubK B

k’B: privK kB

A: princnA: nonce

kA: pubK A

N({nA,A}kB) nB:nonce.L(B,kB,k’B,nB) N({nA,nB}kA)

…nB: nonce

L(B,kB,k’B,nB) N({nB}kB)

L: princ(B) x pubK B(kB) x privK kB x nonce.

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB


Transmission of a long term key

Catches:Encryption with a nonce

Type Checking |— P

|— t :

P is well-

typed in

t has type in

Decidable

Circular key hierarchies, …

Static and dynamic uses

New


Access Control

CatchesA signing/encrypting with B’s key

‖— P

‖—A rP is AC-valid in

r is AC-valid for A in

Decidable

A accessing B’s private data, …

Fully static

New

Gives meaning to Dolev-Yao

intruder


An Overview of Access Control

Interpret incoming informationCollect received dataAccess unknown data

Construct outgoing informationGenerate dataUse known dataAccess new data

Verify access to data


Processing a Rule

‖—A lhs >> ;‖—A rhs

‖—A lhs rhs

Knowledge set:

Collects what A knows

Knowledge set:

Collects what A knows

Context


Processing Predicates on the LHS

;‖—A t >>’

;‖—A N(t) >>’

;‖—A t1,…,tn >>’

;‖—A MA(t1,…,tn) >>’

• Network messages

• Memory predicates


Interpreting Data on the LHS

;‖—A k >> ’ ;’‖—A t >> ’’

;‖—A {t}k >> ’’

;‖—A t1, t2 >> ’

;‖—A (t1, t2) >> ’

;(,x)‖—A x >> (,x)

(,x:);‖—A x >> (,x)

• Pairs

• Encryptedterms

• Elementary terms


Accessing Data on the LHS

;(,k)‖—A k >> (,k)

(,x:shK A B);‖—A x >> (,x)

(,k:pubK A,k’:privK k);‖—A k >> (,k’)

(,k:pubK A,k’:privK k);(,k’)‖—A k >> (,k’)

• Shared keys

• Publickeys


Generating Data on the RHS

(, x:nonce);(, x)‖—A rhs

;‖—A x:nonce. rhs• Nonces


Constructing Terms on the RHS

;‖—A t1 ;‖—A t2

;‖—A (t1, t2)

;‖—A t ;‖—A k

;‖—A {t}k

• Shared-key encryptions

• Pairs


Accessing Data on the RHS

,B:princ ‖—A B

,B:princ,k:shK A B ‖—A k

,B:princ,k:pubK B ‖—A k

,k:pubK A,k’:privK k ‖—A k’

• Principal

• Shared key

• Private key

• Public key


Configurations

C = [S]R

Active roleset

Signature

• a : • Ll : • M_:

State

•N(t)•Ll(t, …, t)•MA(t, …, t)


Execution Model

Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules

P C C’

1-step firing


[S]R (x:.r,) A

[S]R ([t/x]r,)A

Variable Instantiation

Not fully realistic for verificationRedundancy realizes typing, …… but not completely

|— t :

[S]R (x:.r,) A

[S]R ([t/x]r,)A


Rule Application

S, F

[S2]RA

c:c not in S1

S, G(c)

[S1]R(r,)A

Firing

r = F, n:. G(n)

Constraint check

|= (constraint handler)


Properties

Admissibility of parallel firing

Type preservation

Access control preservation

Completeness of Dolev-Yaointruder

New


Completed Specifications

Full Needham-Schroeder public-key

Otway-Rees

Neuman-Stubblebine repeated auth.

OFT group key management


Hour 3

The Most PowerfulAttacker


Hour 3: Outline

Execution with an attacker

Specifying the Dolev-Yao intruder

Completeness of the Dolev-Yao intruder


Execution with an Attacker

P, PI C C’

Selected principal(s): I

Generic capabilities: PIWell-typedAC-valid

Modeled completely within MSR


The Dolev-Yao Intruder

Specific protocol suite PDY

Underlies every protocol analysis tool

Completeness still unproved !!!


Capabilities of the D-Y Intruder

Intercept / emit messages

Split / form pairs

Decrypt / encrypt with known key

Look up public information

Generate fresh data


DY Intruder – Net Interference

t: msgN(t) MI(t) I

MI(t) : Intruder knowledge

t: msgMI(t) N(t) I


DY Intruder – Decryption

MI(t)A,B: princk: shK A Bt: msg

I

MI({t}k)MI(k)

MI(t)

A: princk: pubK Ak’: privK A t: msg

I

MI({t}k)MI(k’)


DY Intruder – Encryption

MI ({t}k)A,B: princk: shK A Bt: msg

I

MI(t)MI(k)

MI ({t}k)A: princk: pubK At: msg

I

MI(t)MI(k)


DY Intruder – Pairs

MI( t1,t2)t1,t2: msgI

MI(t1)MI(t2)

MI( t1,t2) t1,t2: msgIMI(t1)

MI(t2)


DY Intruder – Structural Rules

MI( t) t: msgIMI(t)

MI(t)

MI( t) t: msgI


DY Intruder – Data Access

MI(k’)k: pubK Ik’: privK k

I

MI(k)A: princk: pubK A

I

MI(k)A: princk: shK I A

+ dualI

A: princ MI(A)I

No nonces, no other keys, …


DY Intruder – Data Generation

n:nonceMI(n)I

It depends on the protocol !!!Automated generation ?

Safe data

m:msgMI(m)I

Anything else ?

A,B:princ. k:shK A BMI(k)I

???


Completeness of D-Y Intruder

If P [S]R [S’]R’

’

with all well-typed and AC-valid

Then

P, PDY [S]R [S’]R’

’


Encoding of P, S,

P Remove roles anchored on I

S Map I’s state / mem. pred. using MI

Remove I’s role state pred.; add MI


Encoding of R

No encoding on structure of RLacks context!

Encoding on AC-derivation for R

A :: ‖— R

Associate roles from PDY to each AC

rule


Completeness Proof

Induction on execution sequence

Simulate every step with PDY

Rule application Induction on AC-derivation for R Every AC-derivation maps to execution

sequence relative to PDY

Rule instantiation AC-derivations preserved Encoding unchanged


DY Intruder Stretches AC to Limit

Well-typedAC-valid

Dolev-Yaointruder


Consequences

Justifies design of current tools

Support optimizationsD-Y intr. often too general/inefficient

Generic optimizations Per protocol optimizations Restrictive environments

Caps multi-intruder situations


Hour 4

Reconstructing the Intruder


Hour 4: Outline

Access Control Dolev-Yao intruder

MSR specification Access Control


The Dolev-Yao Intruder Model

Interpret incoming information Collect received data Access unknown data

Construct outgoing information Generate data Use known data Access new data

Same operations as AC!


Accessing Principal Names

B:princ MI(B)I

,B:princ ‖—A BI


What did we do?

Instantiate acting principal to I

Accessed data Intruder knowledge

Meta-variables Rule variables

Ignore context


Checking it out: Shared Keys

,A:princ,B:princ,k:shK A B ‖—A kI

MI(k)B: princk: shK I B

I

II

+ dual


Getting Confident: Pub./Priv. Keys

,B:princ,k:pubK B ‖—A k

MI(k)B: princk: pubK B

I

MI(k’)k: pubK Ik’: privK k

I

,A:princ,k:pubK A,k’:privK k ‖—A k’

I

II I


Constructing Messages: Pairs

t1,t2:msgMI(t1), MI(t2) MI((t1,t2))I

;‖—A t1 ;‖—A t2

;‖—A (t1, t2)I

I I


Now, what did we do?




Ignore and knowledge context

Premises antecedent

Conclusion consequent

Auxiliary typing derivation gives types


Carrying on: Shared-Key Encrypt.

;‖—A t ;‖—A k

;‖—A {t}kI

I I

MI(t), MI(k) MI({t}k)A,B: princk: shK A Bt: msg

I

Similar for public-key encryption


Generating Data: Nonces

(, x:nonce);(, x)‖—A rhs

;‖—A x:nonce. rhs

x:nonce. MI(x)I

I

I

Similarly for other generated data







Premises antecedent



One intruder rule for each AC rule

Save generated object


Interpreting Shared-Key Encrypt.

;‖—A k >> ’ ;’‖—A t >> ’’

;‖—A {t}k >> ’’I

I I

MI({t}k), MI(k) MI(t)A,B: princk: shK A Bt: msg

I

Similar for• public-key encryption• pairing







Premises antecedent



One intruder rule for each AC rule

Save generated object

Premises consequent

Conclusion antecedant


Network Rules

;‖—A t >>’

;‖—A N(t) >>’

;‖—A t

;‖—A N(t)t:msgMI(t) N(t)

I

t:msgN(t) MI(t)I


… Other Rules?

Either redundant

or, innocuous (but sensible)

t:msgN(t) N(t)I

t1,…,tn :msgM’I(t1,…,tn) MI(t1),…,MI(tn)I


Dissecting AC

5 activities: Interpret message

components on LHS

Access data (keys) on LHS

Generate data on RHS

Construct messages on RHS

Access data on RHS

Constructorsatoms

Trivial

Trivial

Trivial

Patternmatchin

g


Accessing Data

+

+ + +

* +

princ: type

Annotate the type of freely accessible data

privK: A: princ. pubK A -> type

pubK: princ -> type

Make it conditional for dep. types


Generating Data

Again, annotate types

shK: princ -> princ -> type

nonce: type

+ + !

!

shK: princ -> princ -> type + + !


Interpreting Constructors

Mark arguments as input or output

[_]_: msg -> A: princ. k: sigK A. verK k -> msg

_,_: msg -> msg -> msg

hash: msg -> msg

{_}_: msg -> A: princ. B: princ. shK A B -> msg

{{_}}_: msg -> A: princ. k: pubK A. privK k -> msg

+ * * *

- -

+

- + + +

- + + +


Annotating Declarations

Integrates semantics of types and constructors

“Trimmed down” version of AC

Allows constructing AC rules

Allows constructing the Dolev-Yao intruder


… alternatively

Compute AC rules from protocol

There are finitely many annotations

Check protocol against each of them

Keep the most restrictive ones that validate the protocol

Exponential!

More efficient algorithms?

September 17th, 2001 FOSAD 2001 – Bertinoro, Italy

The end

http://www.cs.stanford.edu/~iliano/

Documents

September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato [email protected] ITT Industries, Inc