Event structure semantics for security protocols
|
|
- Blake Roberts
- 5 years ago
- Views:
Transcription
1 Event structure semantics for security protocols Jonathan Hayman and Glynn Winskel Computer Laboratory, University of Cambridge, United Kingdom Abstract. We study the use of event structures, a well-known model for concurrency, to provide a semantics for a language for security protocols called SPL. The semantics makes use of the ability to define event structures as rigid families of partial order configurations. We formulate a number of useful principles to establish correctness properties of protocols and use the well-studied Needham-Schroeder-Lowe protocol as an illustrative example of the the direct proofs arising from causal reasoning that the semantics permits. The work lays a foundation through which current work on logic, symmetry, name binding, probability and games for event structures may be brought to bear in the analysis of security protocols. 1 Introduction Protocols for security and trust are notoriously difficult to reason about, the classic example being the discovery by Lowe [1] of an attack on Needham and Schroeder s public key authentication protocol [2] sixteen years after its introduction. The challenges facing the design of such protocols, from their initial creation through to the the specification and proof of their key correctness properties, has led to the development of a range of languages, models and logics to support their formal analysis. A feature found in many proofs of correctness of security protocols is causal reasoning. For example, in showing that a security breach never happens, we may establish that such a breach causally depends on an earlier security breach; from this, we obtain a contradiction to the existence of an earliest breach. This is essentially Paulson s inductive method [3]. By employing causal models such as strand spaces [4], the model directly encapsulates the the facts necessary to prove the existence of the earlier event. In this paper, we show how an event structure semantics can be given to a simple language for security protocols called SPL [5]. The semantics is obtained through the use of rigid families of partial orders, which closely resemble the bundles of strand spaces [4], from which we may extract an event structure through the adjunction/equivalence between their categories. We show how this semantics equips direct proofs of properties, studying the Needham-Schroeder- Lowe protocol as an example. The support of the ERC through the Advanced Grant ECSYM is gratefully acknowledged
2 2 Jonathan Hayman and Glynn Winskel The key rationale for this work is that, by using an established model for concurrency and showing how it directly and uniformly supports compositional semantics and reasoning techniques that are as simple as those for the domainspecific model of strand spaces, we lay a foundation through which other theories may be imported to the analysis of security protocols and vice versa. For example, topics that have been extensively studied for event structures, including game-theoretic aspects [6], symmetry [7], and logic (e.g. [8, 9]), are all of central importance to the analysis of protocols. Finally, the capture of branching behaviour by event structures seems to be important in reasoning about more sophisticated correctness properties such as non-repudiation in exchange protocols [10]. Overview We begin by reviewing the NSL protocol and the syntax and operational semantics of SPL. We then introduce event structures and rigid families of configurations; these are an important tool in the following section where we define the semantics of SPL. We study the fundamental proof principles and properties of the semantics before reviewing the correctness of the NSL protocol in the newly developed setting. 2 The Needham-Schroeder-Lowe protocol We begin by giving a brief introduction to the Needham-Schroeder-Lowe (NSL) public key protocol [1]. The NSL protocol makes use of public-key cryptography to allow processes known as an initiator and a responder to authenticate each other s identity and to distribute a value that is known only to the two processes. We shall use this well-known protocol throughout the paper to explain SPL and show how its event structure semantics allows proofs that are as direct as those for strand spaces. We take the two participants (often called principals) to be A, who will act as the initiator, and B, who will act as the responder. Both participants have their own public-private key pairs: each participant is the only one to know its private key, whereas the public key for any participant is common knowledge. The assumption of public-key cryptography is that a participant must hold the corresponding private key to be able to decrypt a message encrypted using a public key. As such, any participant can send a message encrypted with the recipient s public key; even on an untrustworthy network, only the recipient will be able to read the contents of the message since only it has the private key needed to decrypt it. The protocol begins with A sending a message to B containing a nonce value (a freshly-generated number highly unlikely to be known or guessed by any other principal) x and its identity encrypted with B s public key. (1) A B : {A, x} P ub(b) B responds to A with a message, encrypted using A s public key, containing a new nonce value y, the nonce value x generated by A and B s identity. (2) B A : {B, x, y} P ub(a)
3 Event structure semantics for security protocols 3 As B is the only principal able to decrypt message (1), on receipt of message (2) A knows from the freshness of the value x that B has read (1). A confirms by sending the nonce value y back to B, encrypted using B s public key. (3) A B : {y} P ub(b) Upon receipt of this, process B can now be sure that it is communicating with A since only A had the ability to extract y from the message in (2). We shall focus on two of the algorithm s correctness criteria: secrecy and authentication. Secrecy means that the nonce values are only known to the two participants under the assumption that both processes have followed the protocol. The second is that, upon completion of the protocol, each participant can be sure that the process that it interacted with is who it claimed to be. 3 SPL To model the processes involved in interactions of the form seen above, we now introduce SPL [5], the security protocol language. The language has a limited yet expressive range of combinators to describe the kinds of action that processes involved in cryptographic protocols might perform. In particular, it has syntax for the generation of nonce values, the output of messages to the network and the input of messages matching a specified pattern from the network (cf. the message passing language Erlang or the pattern matching spi calculus [11]). Since various syntactic classes apart from processes shall be involved in pattern matching, as we introduce their syntax we shall also introduce variables over them. Names Drawing upon the intuitions of the pi-calculus [12], the starting point for the syntax of SPL is a set of names. Names will generalise the identities of processes, nonce values and any other basic values that can be communicated. Formally, we assume that the set of names includes all principal identifiers, ranged over by A, B,... disjoint from a countably-infinite set of other names, ranged over by m, n,.... The syntax also includes name variables, ranged over by X, Y, x, y,...; again, we use upper-case letters to indicate that the variable represents the identity of a principal. Finally, we use v, w,... to range over both names and name variables: v ::= n A x X Keys We use the symbols k, k,... to range over keys: k ::= P ub(v) P riv(v) Key( # v ) Keys can be either public keys, private keys, or symmetric keys identified by a vector of names # v. Messages M ranges over message expressions, which may be names v, keys k, pairs of message expressions M 1, M 2, messages encrypted with a key {M} k or message variables ψ. M ::= v k M 1, M 2 {M} k ψ
4 4 Jonathan Hayman and Glynn Winskel The processes of SPL follow the grammar p ::= out new # x M.p in pat # x # ψ M.p Intuitively, out new # x M.p both generates a set of nonce values, substituting them for the vector of distinct variables # x in M and p, and outputs the resulting message on the network before continuing to execute p. Turning to in pat # x ψ # M.p, we require that every variable in the vectors of distinct variables # x and ψ # occurs in M. Intuitively, this is a process that performs a pattern match on messages that have been output to the network. This means that values are nondeterministically chosen for the name variables # # x and message variables ψ in M in such a way that the message M with the appropriate substitution made has already been output by some other process; the resumption is the process p with the substitution of the corresponding values for # x and ψ. # The output out new # x M.p is seen to bind the finite vector of variables # x within M and p. The input in pat # x ψ # M.p binds the variables # x and ψ # within M and p. As standard, we obtain the set of free variables fv(p) and free names fn(p) of any process p and substitution of a vector of names for free name variables in messages M[ # n/ # x ] and processes p[ # n/ # x ], and also substitution of a vector of closed messages for free message variables. We give the definition of substitution on messages and processes in Appendix A. We adopt the conventions of writing out M.p instead of out new # x M.p when the list # x is empty and in M.p for the process in pat # x ψ # M.p when # x is the list of name variables free in M and ψ # is the list of message variables free in M. Any parallel composition is indexed by a by a set I to help identify any individual process within a parallel composition. We write!p for i ω p and nil for i p i. 0 i I p i 3.1 Programming the Needham-Schroeder-Lowe protocol The code for the initiator and responder processes is given in Figure 1. The process Init(A, B) is that for an initiator with identity A attempting to begin the protocol with a responder with identity B. The process Resp(B) is that for a responder with identity B that is open to communication with any initiator process. In order to reason about the security of protocols, we must consider the kinds of attack that can take place. If, for example, it turned out that publickey cryptography were unsound in the sense that a message encrypted using a public key could be decrypted within a reasonable amount of time without access to the private key, then the protocol as described above would surely fail in its objectives for authentication and creation of a value that it secret to the participants. Necessarily, we must describe the kinds of attack that are feasible under our assumptions about cryptography, and we do so by specifying spy processes. We assume that the forms of possible attack are as follows: messages
5 Event structure semantics for security protocols 5 Init(A, B) out new x {x, A} P ub(b). in {x, y, B} P ub(a). out {y} P ub(b). nil Spy 1 in ψ 1.in ψ 2.out (ψ 1, ψ 2).nil Spy 2 in (ψ 1, ψ 2).out ψ 1.out ψ 2.nil Spy 3 in x.in ψ.out {ψ} P ub(x).nil Spy 4 in P riv(x).in {ψ} P ub(x).out ψ.nil Spy Spy i i {1,2,3,4} Resp(B) in {x, Z} P ub(b). out new y {x, y, B} P ub(z). in {y} P ub(b). nil P init!init(a, B) A,B P resp A!Resp(A) P spy!spy NSL i {resp,init,spy} P i Fig. 1. The NSL protocol in SPL. Init(A, B) represents participant A attempting to initiate the protocol with B. Resp(B) represents participant B waiting to respond to any other participant. Spy i represent actions that the attacker can perform. NSL represents all interactions of the protocol. can be merged, messages can be split, messages can be encrypted using a public key and messages encrypted using a public key can be decrypted but only if the private key is available. These forms of attack are captured by the Spy process in Figure 1. These are the forms of attack specified in the Dolev-Yao model [13], and, as such, we make the perfect cryptography assumption that encryption cannot be broken. Our analysis will therefore reveal flaws only in the underlying distributed algorithm for public key authentication. 3.2 Operational semantics We now proceed to give the operational semantics of SPL. Notably, the semantics shall be asynchronous: output actions are not synchronized with input actions. Instead, we record which messages have been output to the network at any time, and a process can input a message if it has been output at any time in the past. This has the effect of us not assuming the network to be trustworthy in the ordering of messages. The operational semantics is defined as a transition relation between configurations. A configuration is a tuple p, s, t, where p is a closed process term, s is a subset of names indicating those that are currently in use and t is a subset of closed messages indicating the messages that have been output to the network. We restrict attention to proper configurations: these are configurations such that fn(p) s, A s for every principal identifier A and {fn(m) M t} s. Transitions are labelled with the action α that occurred: α ::=!( # n)m?m i : α
6 6 Jonathan Hayman and Glynn Winskel Output: Input: Parallel: if # n all distinct and not in s (writing # n for the underlying set) out new # x M.p, s, t!( # n )M[ # n / # x ] p[ # n/ # x ], s # n, t {M[ # n/ # x ]} if M[ # n/ # x ][ # N/ # ψ] t in pat # x # ψ M.p, s, t?m[ # n / # x ][ # N/ # ψ ] p[ # n/ # x ][ # N/ # ψ], s, t p j, s, t α p j, s, t j:α i I pi, s, t i I p i, s, t where p i = p i for j i Fig. 2. Operational semantics of SPL The action!( # n)m is the action that creates a vector of nonce values # n and outputs a closed message M. The action?m represents the input of a closed message M. Finally, the action i : α represents that the ith component of a parallel composition performs action α. 4 Event structures In this section, we give a brief introduction to event structures. We refer the reader to [14] for a full account. The idea is to equip a set of events with a partial order to indicate upon which prior events the occurrence of any event causally depends, and also to stipulate how the occurrence of events can inhibit the occurrence of others. Definition 1. A (prime) event structure is a tuple (E,, Con) where E is a set of events, E E is a partial order of causal dependency, and Con is a set of finite subsets of E, called consistency, satisfying for any e E, the set {e e e} is finite, Con and {e} Con for any e E, if X Con and Y X then Y Con, if X Con and e e X then X {e} Con. Definition 2. A configuration of an event structure (E,, Con) is a subset of events x E that is: Down-closed: if e x and e e then e x Consistent: X Con for all finite sets X x A finite configuration of an event structure represents a reachable state. Given a finite configuration x of an event structure ES = (E,, Con), we write ES/x for the event structure representing the behaviour of ES from the configuration x. It is defined to be ES/x = (E,, Con ) where Con = {y \ x y Con & x y}, the set of events E = Con and is the restriction of to E. Where the set x is the singleton set {e}, we write ES/e instead of ES/{e} and say that e is enabled in ES.
7 Event structure semantics for security protocols 7 In the coming semantics, we shall make use of labelled event structures. These are just event structures with an additional function λ : E L taking events to elements of a labelling set L. Finally, two event structures are isomorphic, written ES = ES, if there is a label-preserving bijection between their events that preserves and reflects causality and consistency. 4.1 Rigid families Some constructions on event structures are more easily expressed in alternative but equivalent categories. Stable families [15], for example, are useful in defining the product of event structures and, from this, their parallel composition. In the present work, we shall see that it is in fact more convenient to work with rigid families of partial orders. For a partial order x X X, write x for the set X and e x e iff (e, e ) x. Define the relation of rigid inclusion on partial orders as x y iff the following conditions hold: x y and e, e x : e x e e y e e y e x : e y e = e x We write x y for x y and x y. A rigid family is a set of finite partial orders that is non-empty and is down-closed with respect to rigid inclusions. We shall also call partial orders in the rigid family configurations. Let D 0 (ES) be the set of partial orders x such that x is a finite configuration of ES and the order is the restriction of causal dependency to x. It is clear that this defines a rigid family. Conversely, we can obtain an event structure Pr(F) from a rigid family F by considering its primes: a prime of F is a partial order [e] x for e x F, where [e] x denotes the restriction of the partial order x to elements less than or equal to e: [e] x {(u, u ) (u, e) x & (u, u ) x} The primes of F form the events of Pr(F); causal dependency is rigid inclusion; and a finite subset of primes X is consistent if its least upper bound is in F. As for event structures, we can define the resumption F/x of a rigid family F following x. The configurations of F/x are the configurations of F that rigidly extend x with the events in x removed. The details of the categories of rigid families and event structures are given in Appendix B, and D 0 and Pr extend to functors that exhibit an equivalence of categories. Two rigid families are isomorphic, written F = F, iff there is a bijection between their configurations that preserves and reflects rigid inclusion. 5 Event structure semantics In this section, we give a labelled event structure semantics to closed SPL processes. The semantics shall be defined in two stages. First, we define a compositional open semantics for processes. This shall include events from individual
8 8 Jonathan Hayman and Glynn Winskel parallel processes that might in isolation be impossible, for example inputs of messages for which there is no earlier output of the message; these events are necessary in case we later compose the semantics with that for some other process that does output the message. Making use of rigid families, we then define the closed semantics of processes. This reveals the causal dependency of input events on corresponding output events and removes events that cannot possibly occur. 5.1 The open semantics The open semantics of a closed SPL process p will be an event structure denoted p. In the definition of its events, we frequently wish to enforce disjointness of various subsets of events. For example, when forming the event structure for a prefixed process (an input or an output), we need to ensure that the event prefixing the process is not equal to any event in the semantics of the resumption. This requires a little book-keeping, so we say that any event structure representing the open semantics shall have events drawn from the set Events, the least set satisfying the following conditions: out M Events, for any closed message M, in M Events, for any closed message M, (i, e) Events for any e Events and i that is either a natural number, vector of messages and names or index from the definition of parallel composition; we normally write i : e for (i, e). In order to avoid continually being drawn into detail about the precise structure of any event, we consider event structures with each event labelled by an action α as defined for the operational semantics. The definition of the semantics shall be by induction on the size of terms rather than structural induction on the terms themselves. This is due to the definitions of input and output using the definition of the semantics of closed subterms following substitution. To avoid having to restrict to finite parallel compositions, we do not define size as a natural number but instead define a well-founded size relation: Definition 3 (Size relation). Define the size relation to be the least transitive relation on closed process terms satisfying: p[ # n/ # x ] out new # x M.p for any substitution of names [ # n/ # x ], p[ # N/ # ψ][ # n/ # x ] in pat # x # ψ M.p for any substitution of names [ # n/ # x ] and closed messages [ # N/ # ψ], and p j i I p i for any index j I. In the following definitions, for any vector # a we write len( # a ) for the length of # a. For any event structure ES, we write E ES for its set of events, write ES for its partial order, write Con ES for its consistency relation and write λ ES for its labelling function. A diagrammatic account is presented in Figure 3.
9 Event structure semantics for security protocols 9 All vec. distinct names # n 1, # n 2 All compat. vec. # N 1, N 2, n 1, n 2 p[ # n 1/ # x ] p[ # n 2/ # x ] p[ # N 2/ # ψ][ # n 1/ # x ] p[ # N 2/ # ψ][ # n 2/ # x ]!( # n 1)M[ # n 1/ # x ]!( # n 2)M[ # n 2/ # x ] out new # x M.p?M[ # N 1/ # ψ][ # n 1/ # x ]?M[ # N 2/ # ψ][ # n 2/ # x ] in pat # ψ # x M.p Fig. 3. Event structure semantics of output and input, showing the relationships between pairs of bindings. Dots represent labelled events, arrows represent causal dependency and wavy lines represent conflict: that two events do not both occur in any consistent set. Boxes indicate the event structures for subterms; arrows into and wavy lines between them represent causal dependency and conflict for all their events. Output Let Σ be the set of vectors of distinct names # n such that len( # n) = len( # x ). The labelled event structure out new # x M.p = (E,, Con, λ) is defined as: E = { # n : 1 : out M[ # n/ # x ]) n Σ} { # n : 2 : e # n Σ & e E p[ # n / # x ] } e e # n, u, u. e = # n : 1 : u & e = # n : 2 : u or e = # n : 2 : u & e = # n : 2 : u & u p[ n # / # x ] u X Con X = or # n. m, # i, u. m # : i : u X = m # = # n & {u # n : 2 : u X} Con p[ n # / # x ] {!( # n)m[ # n/ # x ] if e = # n : 1 : out M[ # n/ # x ]) λ(e) = λ p[ n # / # x ] (u) if e = # n : 2 : u Input In the following definition, let Σ denote the set of pairs ( # n, # N) of vectors of names and closed messages that are of lengths consistent with # x and # ψ. Note that unlike in the definition for output, we do not require # n to be a vector of distinct names. The labelled event structure in pat # x # ψ M.p = (E,, Con, λ) is defined as: e e E = {# n # N : 1 : in M[ # N/ # ψ][ # n/ # x ] ( # n, # N) Σ} { # n # N : 2 : e ( # n, # N) Σ & e E p[ # N/ # ψ ][ # n / # x ] } # n, # N, u, u. e = # n # N : 1 : u & e = # n # N : 2 : u or e = # n # N : 2 : u & e = # n # N : 2 : u & u p[ # N/ # ψ ][ # n / # x ] u X Con X = or # n N. # m, # Q, # i, u. m # # Q : i : u X = m # = # # # n & Q = N & {u # n N # : 2 : u X} Con # # p[ N/ ψ ][ n # / # x ] {?M[ N/ # ψ][ # # n/ # x ] if e = # n N # : 1 : in M[ N/ # ψ][ # # n/ # x ]) λ(e) = λ # # p[ N/ ψ ][ n # / # x ] (u) if e = # n N # : 2 : u
10 10 Jonathan Hayman and Glynn Winskel Parallel composition The parallel composition is formed by allowing the event structures for each subprocess to run in parallel with each other: the events are the disjoint union, formed using the tagging operation, with causality and consistency inherited from each component. It is important to note that the labels on each event are extended to include the index of their component of the parallel composition; this is unlike the previous definitions, where the labels on events from inductively-defined subprocesses were completely unchanged. This reflects the fact that we later wish to identify the particular process performing each action. For each i I, let p i = (E i, i, Con i ). Define i I p i = (E,, Con) as: E = {i : e i I & e E i} i : e i : e i = i & e i e X Con X is finite & λ(i : e) = i : λ i(e) i I. {e i : e X} Con i 5.2 Closed asynchronous semantics The closed semantics of processes, denoted p t s, represents the behaviour of the process p regarded as a closed system from initial state (s, t): there is no potential for input from an external process. It is formed by taking the open semantics and removing behaviours that cannot possibly be seen: inputs of messages that we can now be sure will never be output and the generation of non-fresh names. It also extends the causality relation to include the dependency of inputs on particular outputs, mirroring the definition of bundles from strand spaces [4]. Here we encounter a slight technical issue, prompting the earlier introduction of rigid families. In the process out 1.nil out 1.nil in 1.nil, the input can only occur once either of the two outputs have occurred. The prime event structures introduced earlier (or stable families) cannot model this using just three events: every event in a prime event structure has a unique set of events that must occur prior to it. By using rigid families, we avoid having to define further events. In more detail, the closed semantics p t s shall be formed from partial order configurations of p. There are two facets of the construction of configurations of p t s. Firstly, we must ensure that the configurations of p t s are consistent with the concept of freshness: if a name is generated on an output event, the name should not be in s and it should be distinct from any other name generated. Secondly, we must extend the order on events in the configuration arising from the event structure p by recording upon which output event, if any, any input event depends. In doing so, we must be careful to avoid creating cycles in the dependency relation. For example, given the open semantics of in 1.out 2.nil in 2.out 1.nil we do not obtain a configuration by extending the relation of causal dependency in the following way (the solid lines represent causal dependency from the open semantics; the dotted lines represent the candidate I/O causal dependency):
11 Event structure semantics for security protocols 11!2!1?1?2 Even though the open event structure for the process above has several configurations, if initially t =, we would expect there to be no non-empty configurations in the closed semantics since the processes are deadlocked. Definition 4. For any event e, write Fresh(n, e) if the event e creates n as a fresh name, i.e. λ(e) = π :!( # m)m for some sequence of tags π and there exists i such that m i = n. Every event in the open and closed semantics is either an input or an output event. We write msg(e) for the message either input or output by the event e; formally, this can be straightforwardly identified from the label of λ(e). Causal dependency in a configuration of the closed semantics extends that in the open semantics as specified by a relation of data dependency, x d : Definition 5. A partial order x E E is a configuration of p t s if, and only if, there is a partial order x 0 E E and a relation x d E E such that: 1. x 0 D 0 ( p ) 2. x = (x 0 x d ) +, the transitive closure of x 0 x d 3. e, n. e x & Fresh(n, e) = n s 4. e, e, n. e, e x & Fresh(n, e) & Fresh(n, e ) = e = e 5. for all (e, e ) x d, the event e is an output event and e is an input event and msg(e) = msg(e ) 6. for all e E, if e is an input event then either msg(e ) t or there exists unique e such that (e, e ) x d Note that the relation (x 0 x d ) + above must be antisymmetric due to the assumption that x is a partial order. Proposition 1. The set of configurations of p t s form a rigid family. Proof. It is sufficient to establish that if x is a configuration of p t s and e is maximal in x then x e, the partial order with e removed, is a configuration of p t s. It is straightforward to verify that restricting x d to x e we obtain a relation satisfying the constraints, by maximality of e. The event structure semantics corresponds to the earlier operational semantics (Appendix C). α Proposition 2. If p, s, t p, s, t then there exists an enabled event e in p t s such that λ(e) = α and p t s = p t s/e. If e is enabled in p t s then there exist p, s and t such that p, s, t λ(e) p, s, t and p t s = p t s/e.
12 12 Jonathan Hayman and Glynn Winskel 5.3 Example: The semantics of NSL Each configuration of the open semantics NSL is the disjoint union of some number of configurations of initiator, responder and spy processes. This disjoint union is obtained by attaching tags which propagate to the labels on events. For example, the following is a configuration of NSL in which an initiator and two individual spy processes have begun to act. The first spy process decrypts the message sent by the initiator and the second spy process breaks it apart. Though NSL is an event structure and its configurations are sets, we have drawn in the causal dependency relation. The primes of the order drawn here are analogous to (partial) strands [4]. The first number in any sequence is simply to indicate from which replicated process the event originates; it can be disregarded (and it would be meaningful to represent the symmetry where different labels could be chosen see the conclusion). init : (A 0, B 0 ) : 1 :!(n 0 ){n 0, A 0 } P ub(b0 ) init : (A 0, B 0 ) : 1 :?{n 0, m 0, B 0 } P ub(a0 ) Spy : 5 : 4 :!n 0, A 0 Spy : 5 : 4 :?P riv(b 0 ) Spy : 5 : 4 :?{n 0, A 0 } P ub(b0 ) Spy : 8 : 2 :!A 0 Spy : 8 : 2 :!n 0 Spy : 8 : 2 :?n 0, A 0 Configurations of NSL t s are partial order configurations of NSL as drawn above to which we add dependencies of events on data. For example, suppose that t contains P riv(b 0 ). This allows the event labelled Spy : 5 : 4 :?P riv(b 0 ) to be in the configuration: the message that it receives is already assumed to be on the network, from which the message transmitted by A 0 can be intercepted and the secret value compromised. init : (A 0, B 0 ) : 1 :!(n 0 ){n 0, A 0 } P ub(b0 ) Spy : 5 : 4 :!n 0, A 0 Spy : 5 : 4 :?P riv(b 0 ) Spy : 5 : 4 :?{n 0, A 0 } P ub(b0 ) Spy : 8 : 2 :!A 0 Spy : 8 : 2 :!n 0 Spy : 8 : 2 :?n 0, A 0 This configuration could be extended with further spy process events so that the process A 0 receives the message expected from B 0 without B 0 having taken any part in the communication. Configurations of p t s correspond to bundles in the terminology of [4]. Note, however, that we can view the set of configurations as an event structure by taking their primes. Though this perspective is not central to the secrecy and authentication protocols discussed here, it is important to have a handle on nondeterminism when addressing other issues such as repudiation [10].
13 6 Fundamental properties Event structure semantics for security protocols 13 In this section, we study the underlying properties of all SPL processes, providing the key lemmas that will enable intuitive and direct reasoning about security protocols. We begin by defining the submessage relation as the least relation on messages such that M M, M M 1 = M (M 1, M 2 ) & M (M 2, M 1 ), and M M = M {M } k. Note that this allows consideration of submessages within encrypted messages. The notation is extended to sets of messages by defining N t if, and only if, there exists M t such that N M. 6.1 Well-foundedness Well-foundedness arguments often play an important role in reasoning about assertions of security protocols. For example, proofs about the secrecy of private keys typically analyse the given processes to show that the output of a private key on the network would causally depend on the prior input of the key, and any input would depend on either the key initially being released or there being a corresponding output event upon which the input causally depends. Well-foundedness of causal dependency allows us to infer that either the key is initially available or it is never released to the network. The following lemma, an immediate consequence of the well-foundedness of the relation, yields a key reasoning technique: that if a property fails in some configuration then there is a minimal sub-configuration in which it fails. Lemma 1. Let P be a predicate on configurations of a rigid family F such that P ( ). If y F and P (y) then there exists x y such that P (x) and P (z) for all z x. To demonstrate the use of well-foundedness and to provide a useful reasoning technique, we derive a way of connecting the open semantics to the closed to establish properties of messages. Lemma 2. Let Q be a predicate on closed messages, p = (E,, Con) and (p, s, t) be a proper configuration. Suppose that there is no M t such that Q(M) and, for all events e E, if Q(msg(e)) then there exists e E that is an input and e e and Q(msg(e )). Then Q(msg(u)) for all u y p t s. Proof. Take the predicate P (y) on of y p t s to be e y. Q(msg(e)). Suppose, for contradiction, that there exists y p t s such that P (y). By Lemma 1, there exists x p t s such that P (x) and P (z) for all z x. Since P (x), there exists e x such that Q(msg(e)). The events of configurations of the closed semantics are events of the open semantics, so e E. By assumption, there exists e E that is an input and e e and Q(msg(e )) and there is no M t such that
14 14 Jonathan Hayman and Glynn Winskel Q(M). From the definition of the closed semantics, there exists an output u such that u < e and u is an output and msg(u) = msg(e ), and hence Q(msg(u)). Considering the prime [u] x, we have [u] x x and clearly P ([u] x ), so we arrive at a contradiction to the minimality of x. Hence P (y) for all y p t s. 6.2 Freshness We now consider the key properties of the freshness of newly-generated names. Such properties are frequently found in arguments about security protocols: they are used, for example, in the NSL protocol to establish causal connections between the receipt of messages containing nonce values and their transmission by the only other process that could have known these values. The first step is to perform an inductive analysis of processes in the open semantics. Lemma 3. For any event e in p and any name n such that n fn(p), if n msg(e) then either there exists e e such that Fresh(n, e ) or there exists e e that is an input and n msg(e ). Proof. The proof is a straightforward well-founded induction on the size relation, proceeding by a case analysis on p. The details are presented in Appendix D. We now connect this result to the closed semantics. Proposition 3. For any process p and any configuration x of p t s, the following properties hold: 1. For any n, there is at most one event e x such that Fresh(n, e). 2. If e x and n msg(e) then n s or there exists e x e such that Fresh(n, e ). 3. If Fresh(n, e) and n msg(e ) then e x e Proof. Property (1) is part of the definition of the configurations of p t s and property (3) will be a simple consequence of (1) and (2). Now consider (2); assume that e x and n msg(e) and n s. Take P (x) to be e x.n msg(e) = e x e.fresh(n, e ). For contradiction, suppose that P fails for some configuration; by Lemma 1 there is a configuration x for which P (x) but P (z) for all z x. Since P (x), there exists e x such that n msg(e) and Fresh(n, e ) for all e x e. Applying Lemma 3, it must be the case that there is u e in the open semantics that is an input and n msg(u). Since configurations of the closed semantics are down closed with respect to the order from the open semantics, u x. From the definition of the closed semantics, either msg(u) t or there exists e that is an output satisfying e < u and msg(e ) = msg(u). The former case is impossible: if msg(u) t then n s since n fn(msg(u)). However, the latter case is impossible: if there were such an e, then P ([e ] x ) and clearly [e ] x x, contradicting the minimality of x.
15 7 Correctness of NSL Event structure semantics for security protocols 15 We now use the reasoning techniques described above to show how they provide a framework for clear and intuitive proofs about the NSL protocol. 7.1 Private key secrecy The first lemma specifically about the NSL protocol is that private keys of processes are not revealed by any process. This is an example of a property that depends on the particular spy processes described. If, for example, we had introduced a spy in x.out P riv(x).nil then the property would fail to hold. We begin with an inductive analysis of the processes in the open semantics. Lemma 4. For any name A and any event e in NSL, if P riv(a) msg(e) there exists e such that e e and e is an input event and P riv(a) msg(e ). Proof. Let e be an event in the event structure NSL such that P riv(a) msg(e). If e is an input event, the property trivially holds, so we only need to consider output events. It is easy to check that e cannot be any initiator or responder event, so the only possibility is that e is a spy event. We shall only consider one of the cases for the spy processes, Spy 1 ; the others are similar. Since e is an output, the only possibility is that we have λ(e) = spy : j : 1 :!(M 1, M 2 ) for some M 1, M 2 and j (j indicates which replication of the process Spy the event is in). It is easy to see from the semantics that there are events e 1 and e 2 such that e 1 e and e 2 e and λ(e 1 ) = spy : j : 1 :?M 1 and λ(e 2 ) = spy : j : 1 :?M 2. Since P riv(a) (M 1, M 2 ), we have either P riv(a) M 1 or P riv(a) M 2, from which the required property immediately follows. As an immediate consequence of the previous lemma and Lemma 2, we obtain a secrecy lemma for the closed semantics. Lemma 5. For any name A and proper configuration (NSL, s, t), if P riv(a) t then there is no configuration x of NSL t s with an event e x such that P riv(a) msg(e). 7.2 Nonce value secrecy We now show that the nonce value generated by responder in the NSL protocol remains secret. The statement makes use of the ability of spy processes to break apart messages to provide a concise event-based characterization: were the nonce value to be output in an insecure form on the network, the value in isolation would also appear by application of spy processes.
16 16 Jonathan Hayman and Glynn Winskel Theorem 1. Let (NSL, s, t) be a proper configuration such that P riv(a 0 ) t and P riv(b 0 ) t. If x is a configuration of NSL t s that contains an event e r with λ(e r ) = resp : B 0 : j :!(n 0 ){m 0, n 0, B 0 } P ub(a0) then there is no e x such that msg(e) = n 0. Proof. We prove the stronger property that, for any x NSL t s containing an event e r with the given label and for any event e x, if n 0 msg(e) then either {m 0, n 0, B 0 } P ub(a0) msg(e) or {n 0 } P ub(b0) msg(e). Suppose, for contradiction, that this fails: by Lemma 1, there is a -minimal configuration in which it does so. Let y be this configuration. There is an event e y such that n 0 msg(e) and {m 0, n 0, B 0 } P ub(a0) msg(e) and {n 0 } P ub(b0) msg(e). Note that y = [e] y since, otherwise, y would fail to be minimal: the configuration [e] y would also violate the property. Additionally, e is the minimal event in y such that {m 0, n 0, B 0 } P ub(a0) msg(e) and {n 0 } P ub(b0) msg(e). We now establish that e must be an output event. The configuration y contains an event e r labelled λ(e r ) = resp : B 0 : j :!(n 0 ){m 0, n 0, B 0 } P ub(a0), so from the definition of the closed semantics we have n 0 s. It follows immediately that n 0 t. Were the event e to be an input, there would have to be an output event e y such that msg(e ) = msg(e). Consequently, we would have a configuration [e ] y y containing an event e with n 0 msg(e ) and {m 0, n 0, B 0 } P ub(a0) msg(e ) and {n 0 } P ub(b0) msg(e ), contradicting minimality of y. Hence e must be an input event. Since y is in NSL t s, its underlying set is also a configuration of NSL and so e is an event of NSL. We consider cases for e based on the characterization of the events of NSL in Section 5.3, deriving the required contradiction in each case. The cases are essentially straightforward analyses of causality. We show only those for the initiator events; the others are in Appendix D. Case 1 (Initiator events). Observing the possible output events of the initiator, there are two cases to consider. 1. λ(e) = init : A, B : i :!(m){m, A} P ub(b) for some m, A, B and index i. Since n msg(e), either n 0 = m or n 0 = A. However, we cannot have n 0 = A for any principal name A since A s but n 0 s. Therefore, we have m = n 0. However, in this case we have Fresh(m, e) and Fresh(n 0, e r ), and clearly e e r since the events have incompatible labels, so we arrive at a contradiction to part (1) of Proposition λ(e) = init : A, B : i :!{n 0 } P ub(b) for some A, B and index i. Since {n 0 } P ub(b0) msg(e) by assumption, it must be the case that B B 0. Since y is a configuration of NSL, it is down-closed, and so by the analysis in Section 5.3 there exists e such that e < y e and λ(e ) = init : A, B : i :?{m, n 0, B} P ub(a) for some m. However, since B B 0 we observe that n 0 msg(e ) and {m 0, n 0, B 0 } P ub(a0) msg(e ) and {n 0 } P ub(b0) msg(e ), from which we derive a contradiction to the minimality of e. The proof that the nonce generated by the initiator remains secret is similar.
17 Event structure semantics for security protocols 17 8 Authentication We now turn to the second correctness property for the NSL protocol: authentication. Authentication is specified in two parts: authentication for the initiator and authentication for the responder. Here, we only present authentication for the responder. Following the formulation by Lowe [1], this asserts that any configuration in which the principal B 0 has completed the responder s actions seemingly with A 0 includes a corresponding sequence where A 0 transmitted, in the appropriate sequence, all the messages in accordance with the initiator s role. Theorem 2. Let (NSL, s, t) be a proper configuration such that P riv(a 0 ) t. If x is a configuration of NSL t s containing events b 1 with λ(b 1 ) = resp : B 0 : i :?{m 0, A 0 } P ub(b0) b 2 with λ(b 2 ) = resp : B 0 : i :!(n 0 ){m 0, n 0, B 0 } P ub(a0) b 3 with λ(b 3 ) = resp : B 0 : i :?{n 0 } P ub(b0) for any A 0, B 0, m 0, n 0 and index i then the configuration contains events a 1 with λ(a 1 ) = init : (A 0, B 0 ) : j :!(m 0 ){m 0, A 0 } P ub(b0) a 2 with λ(a 2 ) = init : (A 0, B 0 ) : j :?{m 0, n 0, B 0 } P ub(a0) a 3 with λ(a 3 ) = init : (A 0, B 0 ) : j :!{n 0 } P ub(b0) for some index j, and furthermore a 3 x b 3. Proof. If the configuration contains the event b 3 then we have b 2 x b 3 since b 2 is the unique event in NSL consistent with b 3 with the label given above, and such an event must be prior to b 3. Similarly, b 1 x b 2. Consider the property of events Q(e) = (n 0 msg(e) = {m 0, n 0, B 0 } P ub(a0) msg(e)). Clearly, Q(b 2 ) holds but Q(b 3 ) fails to hold. By part (3) of Proposition 3, any e x such that Q(e) satisfies b 2 e. Let e be a x -minimal event such that b 2 x e x b 3 and Q(e). Consider cases for the event e from the description of NSL in Section 5.3, noting that e must be an output event due to its minimality: e cannot be a spy event, by analysis of the possible cases. For example, suppose that λ(e) = i : spy : 4 :!M for some index i and M such that n 0 M but {m 0, n 0, B 0 } P ub(a0) M. Since the configuration x is down-closed with respect to the causal dependency relation of N SL, there exists an event e x such that e < x e and λ(e ) = i : spy : 4 :?{M} P ub(a) for some A. Clearly n 0 {M} P ub(a), so if minimality of e is not to be contradicted we must have {m 0, n 0, B 0 } P ub(a0) {M} P ub(a). We must therefore have A 0 = A. There exists an event e such that e < x e and λ(e ) = i : spy : 4 :?P riv(a 0 ). We assumed that P riv(a 0 ) t, so we arrive at a contradiction to the secrecy of private keys (Lemma 5).
18 18 Jonathan Hayman and Glynn Winskel e cannot be a responder event. To see this, the only case that we need to consider is λ(e) = resp : B : j :!(n){m, n, B} P ub(a) for some m, b, A, B and index j. Since n 0 {m, n, B} P ub(a), either n 0 = m or n 0 = n or n 0 = B; we shall show that each case is impossible. Since by assumption Q(e) but Q(b 2 ), we have e b 2. We have Fresh(n, e), so by Proposition 3 (Freshness) part (1), we have n n 0. Since B s, from the definition of the configurations of NSL t s, we cannot have B = n 0 since Fresh(n 0, b 2 ) and b 2 is in the configuration x. Finally, for contradiction suppose that n 0 = m. From the analysis of the events of NSL in Section 5.3 and the fact that x must be down-closed, there exists an event e < x e such that λ(e ) = resp : B : j :?{n 0, A} P ub(b). Clearly, {m 0, n 0, B 0 } P ub(a0) msg(e ), so we arrive at a contradiction to the minimality of e. The only remaining possibility is that e is an initiator event. The first case is that λ(e) = init : (A, B) : j :!(m){m, A} P ub(b) for some A, B, m and index j. We cannot have m = n 0 by part (1) of Freshness (Proposition 3) since Fresh(m, e). As standard, we furthermore cannot have n 0 = A since A s and n 0 is fresh on b 2. We therefore contradict the assumption that n 0 msg(e) This leaves one final possibility, that λ(e) = init : (A, B) : j :!{n} P ub(b) for some A, B, n and index j. Let a 3 = e. Since n 0 msg(a 3 ) we must have n = n 0. Since x is down-closed with respect to the causal dependency relation of NSL, from the analysis in Section 5.3 we see that there exists a 2 a 3 such that λ(a 2 ) = init : (A, B) : j :?{m, n 0, B} P ub(a). By part (3) of Proposition 3 we have b 2 x a 2. By minimality of a 3, we must have m = m 0 and B = B 0 and A = A 0. A final inspection of the open semantics in Section 5.3 yields existence of an event a 1 such that λ(a 1 ) = init : (A 0, B 0 ) : j :!(m 0 ){m 0, A 0 } P ub(b0), as required to complete the proof. In summary, in the configuration x we have, drawing e e for e e : b 1 b 2 b 3 a 1 a 2 a 3 The causal dependence of b 1 on a 1 is by freshness of m 0, Proposition 3 (3). 9 Conclusion In this paper, we have seen how event structures and rigid families allow the semantics of a language for security protocols to be defined and have demonstrated that the event structure semantics corresponds to the operational semantics. The use of causal models for security protocols has a long history. Multiset rewriting [16] is closely related to Petri nets, from which relations of causality can be extracted. The popular model of strand spaces [4] model sequential
19 Event structure semantics for security protocols 19 processes which feature neither internal nor external choice. On top of a set of interacting processes, represented as linear sequences of actions, a relation of data dependency is placed to form a partial order of causal dependency. There are many factors in favour of directly using event structures to model security protocols. Firstly, they are amenable to studying richer aspects of behaviour such as non-determinism: this comes to the fore when we pass beyond safety-style properties to, for example, the study of non-repudiation in exchange protocols [10]. Being a non-domain-specific model for concurrency, they provide a bridge between research on security and research into basic models for concurrency. The comparison of logics for causal models (see e.g. [9]) with those traditionally used to model security protocols such as [17] would, for example, be interesting. Note that the logic in [17] is specifically for non-branching processes: though the global state space is non-deterministic due to the parallel composition, the temporal operators only apply to the non-branching threads. Towards the aim of using non-domain-specific models for security protocols, SPL was originally developed with a semantics based on Petri nets with persistent conditions [5]. However, the net semantics does not represent causality as directly as the event structure semantics here: the proofs presented here are as simple as the proofs for strand spaces, not having to deal with the details of conditions, while being based on a compositional semantics. Additionally, a range of theories are emerging for event structures that have significant potential for application to the analysis of security protocols; we see the current work as laying a foundation for connection to them, from which we may also gain experience of their application. We summarize these now. A theory of symmetry on event structures is developed in [7]. The structures defined here clearly possess a good deal of symmetry which needs to be captured before practical applications can be developed. For example, there is symmetry between the branching processes determined by the choice of fresh names which is left implicit in the strand space model (cf. equivariance in [18]). There is also symmetry in replication: its capture may lead the way to automated tools for reasoning about arbitrary numbers of protocols, for example as desired in [19]. Probabilistic event structures [20] may also be useful when we wish to model more refined cryptographic assumptions, for example that an attacker may have some probability of guessing a freshly generated name or may have some chance of decrypting a message. More tentatively, given the importance of games in the analysis of security protocols, for example non-repudiation in [10], one may hope to establish connections to recent work on concurrent games [6] and their extension with probability. References 1. Lowe, G.: Breaking and fixing the needham-schroeder public-key protocol using FDR. In: Proc. TACAS. Volume 1055 of LNCS. (1996) 2. Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Comm. ACM 21(12) (1978)
20 20 Jonathan Hayman and Glynn Winskel 3. Paulson, L.C.: Proving properties of security protocols by induction. In: Proceedings of the 10th IEEE workshop on Computer Security Foundations. CSFW 97, IEEE Computer Society (1997) 4. Thayer, F.J., Herzog, J.C., Guttman, J.D.: Strand spaces: Proving security protocols correct. Journal of Computer Security 7(1) (1999) Crazzolara, F., Winskel, G.: Events in security protocols. In: ACM Conference on Computer and Communications Security. (2001) Rideau, S., Winskel, G.: Concurrent strategies. In: Proc. LICS, IEEE Computer Society (2011) Winskel, G.: Event structures with symmetry. Electr. Notes Theor. Comput. Sci. 172 (2007) Nielsen, M., Clausen, C.: Games and logics for a noninterleaving bisimulation. Nord. J. Comput. 2(2) (1995) Baldan, P., Crafa, S.: A logic for true concurrency. In: Proc. CONCUR. Volume 6269 of LNCS. (2010) Kremer, S., Raskin, J.F.: A game-based verification of non-repudiation and fair exchange protocols. Journal of Computer Security 11(3) (2003) Haack, C., Jeffrey, A.: Pattern-matching spi-calculus. Inf. Comput. 204(8) (2006) Milner, R., Parrow, J., Walker, D.: A calculus of mobile processes, I. Inf. Comput. 100(1) (1992) Dolev, D., Yao, A.C.C.: On the security of public key protocols. IEEE Transactions on Information Theory 29(2) (1983) Winskel, G.: Event structures. In: Advances in Petri Nets. Volume 255 of LNCS., Springer (1986) Winskel, G.: Event structure semantics for CCS and related languages. In: Proc. ICALP. Volume 140 of LNCS., Springer (1982) Cervesato, I., Durgin, N.A., Lincoln, P., Mitchell, J.C., Scedrov, A.: A metanotation for protocol analysis. In: Proc. CSFW. (1999) Basin, D.A., Caleiro, C., Ramos, J., Viganò, L.: Distributed temporal logic for the analysis of security protocol models. Theor. Comput. Sci. 412(31) (2011) Pitts, A.M.: Nominal logic, a first order theory of names and binding. Inf. Comput. 186(2) (2003) Mukhamedov, A., Ryan, M.D.: Fair multi-party contract signing using private contract signatures. Inf. Comput. 206(2-4) (2008) Varacca, D., Völzer, H., Winskel, G.: Probabilistic event structures and domains. Theor. Comput. Sci. 358(2-3) (2006)
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://theory.stanford.edu/~iliano ISSS 2003,
More informationOne Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil One Year Later ITT Industries, inc @ NRL Washington, DC http://www.cs.stanford.edu/~iliano
More informationStrand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001
Strand Spaces Proving Protocols Corr Jonathan Herzog 6 April 2001 Introduction 3Second part of talk given early last month Introduced class of cryptographic protocols Modeled at high level of abstraction
More informationControl Flow Analysis of Security Protocols (I)
Control Flow Analysis of Security Protocols (I) Mikael Buchholtz 02913 F2005 Mikael Buchholtz p. 1 History of Protocol Analysis Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography 02913 F2005
More informationThe Sizes of Skeletons: Security Goals are Decidable
The Sizes of Skeletons: Security Goals are Decidable Joshua D. Guttman and F. Javier Thayer The MITRE Corporation guttman, jt@mitre.org Abstract. We show how to collapse executions of a cryptographic protocol,
More informationProtocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete
Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete Michaël Rusinowitch and Mathieu Turuani LORIA-INRIA- Université Henri Poincaré, 54506 Vandoeuvre-les-Nancy cedex, France
More informationNSL Verification and Attacks Agents Playing Both Roles
NSL Verification and Attacks Agents Playing Both Roles Pedro Adão Gergei Bana Abstract Background: [2] and eprint version: [1] 1 The Axioms Equality is a Congruence. The first axiom says that the equality
More informationTHE SHAPES OF BUNDLES
THE SHAPES OF BUNDLES SHADDIN F. DOGHMI, JOSHUA D. GUTTMAN, AND F. JAVIER THAYER Contents 1. Introduction 2 2. Background 2 2.1. Protocols 2 2.2. An Example: The Yahalom Protocol 3 2.3. Occurrences and
More informationNotes on BAN Logic CSG 399. March 7, 2006
Notes on BAN Logic CSG 399 March 7, 2006 The wide-mouthed frog protocol, in a slightly different form, with only the first two messages, and time stamps: A S : A, {T a, B, K ab } Kas S B : {T s, A, K ab
More informationExpressing Security Properties Using Selective Interleaving Functions
Expressing Security Properties Using Selective Interleaving Functions Joseph Halpern and Sabina Petride August 8, 2008 Abstract McLean s notion of Selective Interleaving Functions (SIFs) is perhaps the
More informationAn Inquisitive Formalization of Interrogative Inquiry
An Inquisitive Formalization of Interrogative Inquiry Yacin Hamami 1 Introduction and motivation The notion of interrogative inquiry refers to the process of knowledge-seeking by questioning [5, 6]. As
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationCPSA and Formal Security Goals
CPSA and Formal Security Goals John D. Ramsdell The MITRE Corporation CPSA Version 2.5.1 July 8, 2015 Contents 1 Introduction 3 2 Syntax 6 3 Semantics 8 4 Examples 10 4.1 Needham-Schroeder Responder.................
More informationCS 395T. Probabilistic Polynomial-Time Calculus
CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is
More informationA compositional logic for proving security properties of protocols
Journal of Computer Security 11 (2003) 677 721 677 IOS Press A compositional logic for proving security properties of protocols Nancy Durgin a, John Mitchell b and Dusko Pavlovic c a Sandia National Labs,
More informationA Canonical Contraction for Safe Petri Nets
A Canonical Contraction for Safe Petri Nets Thomas Chatain and Stefan Haar INRIA & LSV (CNRS & ENS Cachan) 6, avenue du Président Wilson 935 CACHAN Cedex, France {chatain, haar}@lsvens-cachanfr Abstract
More informationSymbolic Protocol Analysis with Products and Diffie-Hellman Exponentiation
Symbolic Protocol Analysis with Products and Diffie-Hellman Exponentiation Jonathan Millen and Vitaly Shmatikov Computer Science Laboratory SRI International millenshmat @cslsricom Abstract We demonstrate
More informationModel checking the basic modalities of CTL with Description Logic
Model checking the basic modalities of CTL with Description Logic Shoham Ben-David Richard Trefler Grant Weddell David R. Cheriton School of Computer Science University of Waterloo Abstract. Model checking
More informationTime-Bounding Needham-Schroeder Public Key Exchange Protocol
Time-Bounding Needham-Schroeder Public Key Exchange Protocol Max Kanovich, Queen Mary, University of London, UK University College London, UCL-CS, UK Tajana Ban Kirigin, University of Rijeka, HR Vivek
More informationA decidable subclass of unbounded security protocols
A decidable subclass of unbounded security protocols R. Ramanujam and S. P. Suresh The Institute of Mathematical Sciences C.I.T. Campus, Chennai 600 113, India. E-mail: {jam,spsuresh}@imsc.res.in 1 Summary
More informationUniversal Concurrent Constraint Programing: Symbolic Semantics and Applications to Security
Universal Concurrent Constraint Programing: Symbolic Semantics and Applications to Security Carlos Olarte INRIA and LIX École Polytechnique Pontificia Universidad Javeriana carlos.olarte@lix.polytechnique.fr
More informationSkeletons and the Shapes of Bundles
Skeletons and the Shapes of Bundles Shaddin F. Doghmi, Joshua D. Guttman, and F. Javier Thayer The MITRE Corporation Abstract. The shapes of a protocol are its minimal, essentially different executions.
More informationBorel Determinacy of Concurrent Games
Borel Determinacy of Concurrent Games Julian Gutierrez Computer Science Dept, University of Oxford Glynn Winskel Computer Laboratory, University of Cambridge Abstract Just as traditional games are represented
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationThe State Explosion Problem
The State Explosion Problem Martin Kot August 16, 2003 1 Introduction One from main approaches to checking correctness of a concurrent system are state space methods. They are suitable for automatic analysis
More informationEncoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania
Encoding security protocols in the cryptographic λ-calculus Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania An obvious fact Security is important Cryptography is a major way to
More informationTrace Refinement of π-calculus Processes
Trace Refinement of pi-calculus Processes Trace Refinement of π-calculus Processes Manuel Gieseking manuel.gieseking@informatik.uni-oldenburg.de) Correct System Design, Carl von Ossietzky University of
More informationComplexity of Checking Freshness of Cryptographic Protocols
Complexity of Checking Freshness of Cryptographic Protocols Zhiyao Liang Rakesh M Verma Computer Science Department, University of Houston, Houston TX 77204-3010, USA Email: zliang@cs.uh.edu, rmverma@cs.uh.edu
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ IITD, CSE Dept. Delhi, India April 24 th,2002 Outline Security Protocols
More informationA Calculus for Control Flow Analysis of Security Protocols
International Journal of Information Security manuscript No. (will be inserted by the editor) A Calculus for Control Flow Analysis of Security Protocols Mikael Buchholtz, Hanne Riis Nielson, Flemming Nielson
More informationAnalysis of authentication protocols Intership report
Analysis of authentication protocols Intership report Stéphane Glondu ENS de Cachan September 3, 2006 1 Introduction Many computers are interconnected through networks, the biggest of them being Internet.
More informationThe MSO Theory of Connectedly Communicating Processes
The MSO Theory of Connectedly Communicating Processes P. Madhusudan 1, P. S. Thiagarajan 2, and Shaofa Yang 2 1 Dept. of Computer Science, University of Illinois at Urbana-Champaign Email: madhu@cs.uiuc.edu
More informationProbabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality
Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Lincoln, P. Mateus, M. Mitchell Standard analysis methods Finite-state
More informationThe unfolding of general Petri nets
Foundations of Software Technology and Theoretical Computer Science (Bangalore) 2008. Editors: R. Hariharan, M. Mukund, V. Vinay; pp - The unfolding of general Petri nets Jonathan Hayman and Glynn Winskel
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ PPL 01 March 21 st, 2001 Outline I. Security Protocols II. MSR by Examples
More informationExtending Dolev-Yao with Assertions
Extending Dolev-Yao with Assertions Vaishnavi Sundararajan Chennai Mathematical Institute FOSAD 2015 August 31, 2015 (Joint work with R Ramanujam and S P Suresh) Vaishnavi S Extending Dolev-Yao with Assertions
More informationA Graph Rewriting Semantics for the Polyadic π-calculus
A Graph Rewriting Semantics for the Polyadic π-calculus BARBARA KÖNIG Fakultät für Informatik, Technische Universität München Abstract We give a hypergraph rewriting semantics for the polyadic π-calculus,
More informationShift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3
Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y
More informationReview of The π-calculus: A Theory of Mobile Processes
Review of The π-calculus: A Theory of Mobile Processes Riccardo Pucella Department of Computer Science Cornell University July 8, 2001 Introduction With the rise of computer networks in the past decades,
More informationThe Underlying Semantics of Transition Systems
The Underlying Semantics of Transition Systems J. M. Crawford D. M. Goldschlag Technical Report 17 December 1987 Computational Logic Inc. 1717 W. 6th St. Suite 290 Austin, Texas 78703 (512) 322-9951 1
More informationProbabilistic Model Checking of Security Protocols without Perfect Cryptography Assumption
Our Model Checking of Security Protocols without Perfect Cryptography Assumption Czestochowa University of Technology Cardinal Stefan Wyszynski University CN2016 Our 1 2 3 Our 4 5 6 7 Importance of Security
More informationTree sets. Reinhard Diestel
1 Tree sets Reinhard Diestel Abstract We study an abstract notion of tree structure which generalizes treedecompositions of graphs and matroids. Unlike tree-decompositions, which are too closely linked
More informationProving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory
Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks''
More informationEquational Tree Automata: Towards Automated Verification of Network Protocols
Equational Tree Automata: Towards Automated Verification of Network Protocols Hitoshi Ohsaki and Toshinori Takai National Institute of Advanced Industrial Science and Technology (AIST) Nakoji 3 11 46,
More informationAPPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.
APPLITIONS OF AN-LOGIC JAN WESSELS CMG FINANCE.V. APRIL 19, 2001 Chapter 1 Introduction This document is meant to give an overview of the AN-logic. The AN-logic is one of the methods for the analysis of
More informationApproximation Metrics for Discrete and Continuous Systems
University of Pennsylvania ScholarlyCommons Departmental Papers (CIS) Department of Computer & Information Science May 2007 Approximation Metrics for Discrete Continuous Systems Antoine Girard University
More informationA Logic of Authentication
A Logic of Authentication by Burrows, Abadi, and Needham Presented by Adam Schuchart, Kathryn Watkins, Michael Brotzman, Steve Bono, and Sam Small Agenda The problem Some formalism The goals of authentication,
More informationPSL Model Checking and Run-time Verification via Testers
PSL Model Checking and Run-time Verification via Testers Formal Methods 2006 Aleksandr Zaks and Amir Pnueli New York University Introduction Motivation (Why PSL?) A new property specification language,
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More informationConsistent Fixed Points and Negative Gain
2009 International Conference on Parallel and Distributed Computing, Applications and Technologies Consistent Fixed Points and Negative Gain H. B. Acharya The University of Texas at Austin acharya @ cs.utexas.edu
More informationDecentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication
Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication Stavros Tripakis Abstract We introduce problems of decentralized control with communication, where we explicitly
More informationVerification of Security Protocols in presence of Equational Theories with Homomorphism
Verification of Security Protocols in presence of Equational Theories with Homomorphism Stéphanie Delaune France Télécom, division R&D, LSV CNRS & ENS Cachan February, 13, 2006 Stéphanie Delaune (FT R&D,
More informationCanonical Calculi: Invertibility, Axiom expansion and (Non)-determinism
Canonical Calculi: Invertibility, Axiom expansion and (Non)-determinism A. Avron 1, A. Ciabattoni 2, and A. Zamansky 1 1 Tel-Aviv University 2 Vienna University of Technology Abstract. We apply the semantic
More informationTHE SHAPES OF BUNDLES
THE SHAPES OF BUNDLES SHADDIN F. DOGHMI, JOSHUA D. GUTTMAN, AND F. JAVIER THAYER Contents 1. Introduction 2 2. Background 2 2.1. Protocols 2 2.2. An Example: The Yahalom Protocol 3 2.3. Occurrences and
More informationPropositional and Predicate Logic - V
Propositional and Predicate Logic - V Petr Gregor KTIML MFF UK WS 2016/2017 Petr Gregor (KTIML MFF UK) Propositional and Predicate Logic - V WS 2016/2017 1 / 21 Formal proof systems Hilbert s calculus
More informationVerification of the TLS Handshake protocol
Verification of the TLS Handshake protocol Carst Tankink (0569954), Pim Vullers (0575766) 20th May 2008 1 Introduction In this text, we will analyse the Transport Layer Security (TLS) handshake protocol.
More informationAn Independence Relation for Sets of Secrets
Sara Miner More Pavel Naumov An Independence Relation for Sets of Secrets Abstract. A relation between two secrets, known in the literature as nondeducibility, was originally introduced by Sutherland.
More informationDesign of Distributed Systems Melinda Tóth, Zoltán Horváth
Design of Distributed Systems Melinda Tóth, Zoltán Horváth Design of Distributed Systems Melinda Tóth, Zoltán Horváth Publication date 2014 Copyright 2014 Melinda Tóth, Zoltán Horváth Supported by TÁMOP-412A/1-11/1-2011-0052
More informationModels for Concurrency
Models for Concurrency (A revised version of DAIMI PB-429) Glynn Winskel Mogens Nielsen Computer Science Department, Aarhus University, Denmark November 1993 Abstract This is, we believe, the final version
More informationA Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)
A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC) Bruce Kapron, Lior Malka, Venkatesh Srinivasan Department of Computer Science University of Victoria, BC, Canada V8W 3P6 Email:bmkapron,liorma,venkat@cs.uvic.ca
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationAutomata, Logic and Games: Theory and Application
Automata, Logic and Games: Theory and Application 1. Büchi Automata and S1S Luke Ong University of Oxford TACL Summer School University of Salerno, 14-19 June 2015 Luke Ong Büchi Automata & S1S 14-19 June
More information39 A Logic for True Concurrency
39 A Logic for True Concurrency PAOLO BALDAN, University of Padova SILVIA CRAFA, University of Padova We propose a logic for true concurrency whose formulae predicate about events in computations and their
More informationTyped MSR: Syntax and Examples
Typed MSR: Syntax and Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ MMM 01 St. Petersburg, Russia May 22 nd, 2001 Outline
More informationAutomatic Verification of Complex Security Protocols With an Unbounded Number of Sessions
Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions Kaile Su, Weiya Yue and Qingliang Chen Department of Computer Science, Sun Yat-sen University Guangzhou, P.R. China
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationCHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
INSTITUT FÜR INFORMATIK UND PRAKTISCHE MATHEMATIK A Constraint-Based Algorithm for Contract-Signing Protocols Detlef Kähler, Ralf Küsters Bericht Nr. 0503 April 2005 CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
More informationEE249 - Fall 2012 Lecture 18: Overview of Concrete Contract Theories. Alberto Sangiovanni-Vincentelli Pierluigi Nuzzo
EE249 - Fall 2012 Lecture 18: Overview of Concrete Contract Theories 1 Alberto Sangiovanni-Vincentelli Pierluigi Nuzzo Outline: Contracts and compositional methods for system design Where and why using
More informationSFM-11:CONNECT Summer School, Bertinoro, June 2011
SFM-:CONNECT Summer School, Bertinoro, June 20 EU-FP7: CONNECT LSCITS/PSS VERIWARE Part 3 Markov decision processes Overview Lectures and 2: Introduction 2 Discrete-time Markov chains 3 Markov decision
More informationTowards a General Theory of Non-Cooperative Computation
Towards a General Theory of Non-Cooperative Computation (Extended Abstract) Robert McGrew, Ryan Porter, and Yoav Shoham Stanford University {bmcgrew,rwporter,shoham}@cs.stanford.edu Abstract We generalize
More informationReasoning with Constraint Diagrams
Reasoning with Constraint Diagrams Gem Stapleton The Visual Modelling Group University of righton, righton, UK www.cmis.brighton.ac.uk/research/vmg g.e.stapletonbrighton.ac.uk Technical Report VMG.04.01
More informationOn Achieving the Best of Both Worlds in Secure Multiparty Computation
On Achieving the Best of Both Worlds in Secure Multiparty Computation Yuval Ishai Jonathan Katz Eyal Kushilevitz Yehuda Lindell Erez Petrank Abstract Two settings are traditionally considered for secure
More informationProving Completeness for Nested Sequent Calculi 1
Proving Completeness for Nested Sequent Calculi 1 Melvin Fitting abstract. Proving the completeness of classical propositional logic by using maximal consistent sets is perhaps the most common method there
More informationAnalysing privacy-type properties in cryptographic protocols
Analysing privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Wednesday, January 14th, 2015 S. Delaune (LSV) Verification of cryptographic protocols 14th
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationIntroduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either
Introduction to Temporal Logic The purpose of temporal logics is to specify properties of dynamic systems. These can be either Desired properites. Often liveness properties like In every infinite run action
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationProbabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford
Probabilistic Model Checking Michaelmas Term 2011 Dr. Dave Parker Department of Computer Science University of Oxford Overview Temporal logic Non-probabilistic temporal logic CTL Probabilistic temporal
More informationA derivation system and compositional logic for security protocols
Journal of Computer Security 13 2005) 423 482 423 IOS Press A derivation system and compositional logic for security protocols Anupam Datta a,, Ante Derek a, John C. Mitchell a and Dusko Pavlovic b a Computer
More informationTowards a Denotational Semantics for Discrete-Event Systems
Towards a Denotational Semantics for Discrete-Event Systems Eleftherios Matsikoudis University of California at Berkeley Berkeley, CA, 94720, USA ematsi@eecs. berkeley.edu Abstract This work focuses on
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationRelating State-Based and Process-Based Concurrency through Linear Logic
École Polytechnique 17 September 2009 Relating State-Based and Process-Based oncurrency through Linear Logic Iliano ervesato arnegie Mellon University - Qatar iliano@cmu.edu Specifying oncurrent Systems
More informationRelational Interfaces and Refinement Calculus for Compositional System Reasoning
Relational Interfaces and Refinement Calculus for Compositional System Reasoning Viorel Preoteasa Joint work with Stavros Tripakis and Iulia Dragomir 1 Overview Motivation General refinement Relational
More informationOn the Automatic Analysis of Recursive Security Protocols with XOR
On the Automatic Analysis of Recursive Security Protocols with XOR Ralf Küsters 1 and Tomasz Truderung 2 1 ETH Zurich ralf.kuesters@inf.ethz.ch 2 University of Kiel, Wrocław University tomasz.truderung@ii.uni.wroc.pl
More informationFirst-order resolution for CTL
First-order resolution for Lan Zhang, Ullrich Hustadt and Clare Dixon Department of Computer Science, University of Liverpool Liverpool, L69 3BX, UK {Lan.Zhang, U.Hustadt, CLDixon}@liverpool.ac.uk Abstract
More informationA MODEL-THEORETIC PROOF OF HILBERT S NULLSTELLENSATZ
A MODEL-THEORETIC PROOF OF HILBERT S NULLSTELLENSATZ NICOLAS FORD Abstract. The goal of this paper is to present a proof of the Nullstellensatz using tools from a branch of logic called model theory. In
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Announcements Reminder: Homework 1 due tomorrow 11:59pm Submit through Blackboard Homework 2 will hopefully be posted tonight
More informationApplied Logic. Lecture 1 - Propositional logic. Marcin Szczuka. Institute of Informatics, The University of Warsaw
Applied Logic Lecture 1 - Propositional logic Marcin Szczuka Institute of Informatics, The University of Warsaw Monographic lecture, Spring semester 2017/2018 Marcin Szczuka (MIMUW) Applied Logic 2018
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationChapter 4: Computation tree logic
INFOF412 Formal verification of computer systems Chapter 4: Computation tree logic Mickael Randour Formal Methods and Verification group Computer Science Department, ULB March 2017 1 CTL: a specification
More informationThe Logical Meeting Point of Multiset Rewriting and Process Algebra
MFPS 20 @ MU May 25, 2004 The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano ervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, D http://theory.stanford.edu/~iliano
More informationBisimulation for conditional modalities
Bisimulation for conditional modalities Alexandru Baltag and Giovanni Ciná Institute for Logic, Language and Computation, University of Amsterdam March 21, 2016 Abstract We give a general definition of
More informationTime and Timed Petri Nets
Time and Timed Petri Nets Serge Haddad LSV ENS Cachan & CNRS & INRIA haddad@lsv.ens-cachan.fr DISC 11, June 9th 2011 1 Time and Petri Nets 2 Timed Models 3 Expressiveness 4 Analysis 1/36 Outline 1 Time
More informationStrategies as Concurrent Processes
MFPS 2013 Strategies as Concurrent Processes Simon Castellan a Jonathan Hayman a Marc Lasson b Glynn Winskel a a Computer Laboratory, University of Cambridge b PPS, Université Paris Diderot - Paris 7 Abstract
More informationFrom Liveness to Promptness
From Liveness to Promptness Orna Kupferman Hebrew University Nir Piterman EPFL Moshe Y. Vardi Rice University Abstract Liveness temporal properties state that something good eventually happens, e.g., every
More informationA process algebraic analysis of privacy-type properties in cryptographic protocols
A process algebraic analysis of privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Saturday, September 6th, 2014 S. Delaune (LSV) Verification of cryptographic
More informationKRIPKE S THEORY OF TRUTH 1. INTRODUCTION
KRIPKE S THEORY OF TRUTH RICHARD G HECK, JR 1. INTRODUCTION The purpose of this note is to give a simple, easily accessible proof of the existence of the minimal fixed point, and of various maximal fixed
More informationStrategies as Concurrent Processes
1 Strategies as Concurrent Processes Simon Castellan Jonathan Hayman Marc Lasson Glynn Winskel Computer Laboratory, University of Cambridge PPS, Université Paris Diderot - Paris 7 Abstract Concurrent strategies
More informationLTL is Closed Under Topological Closure
LTL is Closed Under Topological Closure Grgur Petric Maretić, Mohammad Torabi Dashti, David Basin Department of Computer Science, ETH Universitätstrasse 6 Zürich, Switzerland Abstract We constructively
More informationPairing Transitive Closure and Reduction to Efficiently Reason about Partially Ordered Events
Pairing Transitive Closure and Reduction to Efficiently Reason about Partially Ordered Events Massimo Franceschet Angelo Montanari Dipartimento di Matematica e Informatica, Università di Udine Via delle
More information