Lecture 7: Specification Languages

Size: px

Start display at page:

Download "Lecture 7: Specification Languages"

Drusilla Bates
6 years ago
Views:

Graduate Course on Computer Security Lecture 7: Specification Languages Iliano Cervesato iliano@itd.nrl.navy.

1 Graduate Course on Computer Security Lecture 7: Specification Languages Iliano Cervesato ITT Industries, NRL Washington DC DIMI, Universita di Udine, Italy December 6, 2001

2 Outline Dolev-Yao model Specification Evaluation criteria Some languages Usual notation BAN logic Spi calculus Strand spaces Inductive methods CAPSL MSR Motivations Syntax Type checking DAS Data Access Specification Execution Computer Security: 7 - Specification Languages 2

3 Why is Protocol Analysis Difficult? Subtle cryptographic primitives Dolev-Yao abstraction Lecture 4 a bit more in this lecture Distributed hostile environment Prudent engineering practice Lecture 4 Inadequate specification languages This lecture Computer Security: 7 - Specification Languages 3

4 Dolev-Yao Network Model Bob Alice Network Server Dan Charlie Computer Security: 7 - Specification Languages 4

5 The Dolev-Yao Model of Security Symbolic data No bits Black-box cryptography No guessing of keys k A Partially abstract data access Knowledge soup A k A k B S Found in most protocol analysis tools Tractability Computer Security: 7 - Specification Languages 5

6 Perfect Cryptography k -1 is needed to decrypt {m} k k -1 is just k for shared key ciphers No collisions {m 1 } ka = {m 2 } kb iff m 1 = m 2 and k A = k B {m} k = n never {m} k = (m 1 m 2 ) never We will relax this to handle type violations Computer Security: 7 - Specification Languages 6

7 Public Knowledge Soup Free access to auxiliary data Abstracts actual mechanisms Transmission of certificates Invocation of subprotocols Caching But not all data are public keys secrets A k S k AB S Computer Security: 7 - Specification Languages 7

8 Why is specification important? good Documentation Communicate Engineering Implementation Verification tools Science Foundations Assist engineering Computer Security: 7 - Specification Languages 8

9 Languages to Specify What? Message flow Message constituents Operating environment Protocol goals Computer Security: 7 - Specification Languages 9

10 Desirable Properties Unambiguous Simple Flexible Adapts to protocols Powerful Applies to a wide class of protocols Insightful Gives insight about protocols Computer Security: 7 - Specification Languages 10

11 Language Families Usual notation (user interfaces) Knowledge logic BAN Process theory Spi-calculus Strands MSR FDR, Casper Petri nets Inductive methods Temporal logic Automata CAPSL NRL Protocol Analyzer Murφ Why so many? Experience from mature fields Unifying problem Scientifically intriguing Funding opportunities Convergence of approaches Computer Security: 7 - Specification Languages 11

12 Running Example Needham-Schroeder public key protocol (fragment) Devised in 78 Broken in 95! But purely academic attack subject to interpretation Example of weak specification! Computer Security: 7 - Specification Languages 12

13 Usual Notation A B: {n A, A} kb B A: {n A, n B } ka A B: {n B } kb Computer Security: 7 - Specification Languages 13

14 Evaluation of the Usual Notation Flow Expected run Constituents Side remarks Environment Side remarks Goals Side remarks Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 14

15 BAN Logic [Burrows, Abadi, Needham] Roots in belief logic Reason about knowledge as protocol unfolds Security: principals share same view Specification Usual notation Idealized protocol Assumptions Goals Verification Logical inference Computer Security: 7 - Specification Languages 15

16 BAN Idealization A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb n B is a shared secret between A and B NS-PK [3-5] A B: {n A } kb n A provides evidence to the fact that B A: { A n B B na } ka A B: { A n A B, B A n B B nb } kb Believes (more readable syntax proposed later) Computer Security: 7 - Specification Languages 16

17 BAN Assumptions A B: {A,n A } kb B A: {n A,n B } ka k A is the public key of A n A is fresh A B: {n B } kb NS-PK [3-5] A k A A A k B B B k B B B k A A A # n A A A n A B B # n B B A n B B Computer Security: 7 - Specification Languages 17

18 BAN Goals A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb NS-PK [3-5] Authentication goals expressed in terms of Mutual beliefs Beliefs about freshness B A A n A B A B A n B B A # n B B # n A Formally derived from BAN rules Computer Security: 7 - Specification Languages 18

19 Evaluation of BAN Flow Idealized run Constituents Assumptions Environment Implicit Goals BAN formulas Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 19

20 The Spi-Calculus [Abadi, Gordon] π-calculus with cryptographic constructs Specification 1 process for each role Instance to be studied Intruder not explicitly modeled Verification Process equivalence to reference process Computer Security: 7 - Specification Languages 20

21 The Syntax of Spi Computer Security: 7 - Specification Languages 21

22 Spi: NS Initiator A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb init(a,b,c AB,k B+,k A- ) = NS-PK [3-5] (νn A ) c AB < { A, n A } kb + >. c AB (x). case x of { y } ka - in let (y 1,y 2 ) = y in [y 1 is n A ] c AB < { y 2 } kb + >. 0 Computer Security: 7 - Specification Languages 22

23 Spi: NS Responder A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb resp(b,a,c AB,k A+,k B- ) = NS-PK [3-5] c AB (x). case x of { y } kb - in let (y 1,y 2 ) = y in [y 1 is A] (νn B ) c AB < { y 2, n B } ka + >. c AB (x ). case x of { y } kb - in [y is n B ] 0 Computer Security: 7 - Specification Languages 23

24 Spi: NS Instance A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb inst(a,b,c AB ) = NS-PK [3-5] (νk A ) (νk B ) ( init(a,b,c AB,k B+,k A- ) resp(b,a,c AB,k A+,k B- )) Computer Security: 7 - Specification Languages 24

25 Evaluation of Spi Flow Role-based Constituents Informal math. Environment Implicit Goals Reference process Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 25

26 Strand Spaces [Guttman, Thayer] Roots in trace theory Lamport s causality Mazurkiewicz s traces Specification Strands Sets of principals, keys, Verification Authentication tests Model checking Computer Security: 7 - Specification Languages 26

27 Strands A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb NS-PK [3-5] Initiator strand {n A, A} kb Responder strand {n A, A} kb {n A, n B } ka {n A, n B } ka {n B } kb {n B } kb Computer Security: 7 - Specification Languages 27

28 Evaluation of Strands Flow Role-based Constituents Informal math. Environment Side remarks Goals Side remarks Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 28

29 Inductive Methods [Paulson] Protocol inductively defines traces Specification 1 inductive rule for each protocol rule Universal intruder based on language Verification Theorem proving (Isabelle HOL) Related methods [Bolignano] Computer Security: 7 - Specification Languages 29

30 IMs: NS A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb NS1 [evs ns; A B; Nonce N A used evs] NS-PK [3-5] Says A B {Nonce N A, Agent A} KB # evs ns NS2 [evs ns; A B; Nonce N B used evs; Says A B {Nonce N A, Agent A} KB set evs] Says B A {Nonce N A, Nonce N A } KA # evs ns NS3 [evs ns; Says A B {Nonce N A, Agent A} KB set evs; Says B A {Nonce N A, Nonce N A } KA set evs] Says A B {Nonce N A } KB # evs ns Computer Security: 7 - Specification Languages 30

31 IMs: Environment Nil [] ns Fake [evs ns; B Spy; X synth(analz (spies evs))] Says Spy B X # evs ns synth, analz, spies, protocol independent Computer Security: 7 - Specification Languages 31

32 Evaluation of Inductive Methods Flow Trace-based Constituents Formalized math. Environment Immutable Goals Imposs. traces Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 32

33 CAPSL [Millen] Ad-hoc model checker Specification Special-purpose language Intruder built-in Implementation CIL [Denker] -> similar to MSR Related systems Murφ [Shmatikov, Stern] SMV [Clarke, Jha, Marrero] Computer Security: 7 - Specification Languages 33

34 CAPSL A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb NS-PK [3-5] PROTOCOL NS; VARIABLES A, B: PKUser; Na, Nb: Nonce, CRYPTO ASSUMPTIONS HOLDS A: B; MESSAGES A -> B : {A, Na}pk(B); B -> A : {Na,Nb}pk(A); A -> B : {Nb}pk(B); GOALS SECRET Na; SECRET Nb; PRECEDES A: B Na; PRECEDES B: A Nb; END; Computer Security: 7 - Specification Languages 34

35 Evaluation of CAPSL Flow Explicit run Constituents Declarations Environment Implicit Goals Properties Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 35

36 MSR [Cervesato, Durgin, Lincoln, Mitchell, Scedrov] A specification language based on MultiSet Rewriting with existentials MSR 1.0 Designed to prove the undecidability of protocol correctness verification Poor specification language Error-prone Limited automated assistance Limited support for verification MSR 2.0 Redesign of MSR 1.0 as a specification language Easy to use Support for automation New background in typetheory Margin for verification Current techniques can be adapted Computer Security: 7 - Specification Languages 36

37 Evaluation of MSR 2.0 Flow Role-based Constituents Strong typing Environment In part Goals Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 37

38 Roadmap to MSR Step-by-step specification of example Neuman-Stubblebine protocol Language description Syntax Typing Data Access Control DAS Execution semantics Properties More examples NS-PK[3-5] Computer Security: 7 - Specification Languages 38

39 Multiset Rewriting Multiset: set with repetitions allowed Rewrite rule: r: N 1 N 2 Application r M 1 M 2 r M, N 1 M, N 2 Multi-step transition, reachability Computer Security: 7 - Specification Languages 39

40 NSt-I: B s Role A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab where T = {A,k AB,t B } kbs A B: A, n A Neuman-Stubblebine phase I B S: B, {A, n A, t B } kbs, n B S A: {B, n A, k AB, t B } kas, {A, k AB, t B } kbs, n B A B: {A, k AB, t B } kbs, {n B } kab Computer Security: 7 - Specification Languages 40

41 NSt-I: S s Role A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab where T = {A,k AB,t B } kbs Neuman-Stubblebine phase I A B: A, n A B S: B, {A, n A, t B } kbs, n B S A: {B, n A, k AB, t B } kas, {A, k AB, t B } kbs, n B A B: {A, k AB, t B } kbs, {n B } kab Computer Security: 7 - Specification Languages 41

42 NSt-I: A s Role A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: A, n A A B: T,{n B } kab where T = {A,k AB,t B } kbs Neuman-Stubblebine phase I B S: B, {A, n A, t B } kbs, n B S A: {B, n A, k AB, t B } kas, {A, k AB, t B } kbs, n B A B: {A, k AB, t B } kbs, {n B } kab X X Ticket Computer Security: 7 - Specification Languages 42

43 Sending / Receiving Messages N(A, n A ) Network predicate N(m): m is a message in transit N({B,n A,k AB,t B } kas,x,n B ) N(X,{n B } kab ) Computer Security: 7 - Specification Languages 43

44 Terms Atomic terms Principal names Keys Nonces Term constructors ( ) {_} _ A k n D e f i n a b l e Computer Security: 7 - Specification Languages 44

45 Nonces A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab Neuman-Stubblebine phase I n A. N(A, n A ) Existential variables n A instantiated to a new constant N({B,n A,k AB,t B } k AS, X, n B) N(X, {n B } k AB ) Computer Security: 7 - Specification Languages 45

46 MSet Rewriting with Existentials Multisets of 1 st -order atomic formulas Rules: Application r: F(x) n. G(x,n) r M 1 M 2 c not in M 1 r M, F(t) M, G(t,c) Computer Security: 7 - Specification Languages 46

47 Sequencing Actions A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t L. Fresh! n A. A B: T,{n B } kab Neuman-Stubblebine phase I N(A, n A ) L(A,n A ) Role state predicate L(A,n A ) N({B,n A,k AB,t B }, X, n k AS B) N(X, {n B } k AB ) Computer Security: 7 - Specification Languages 47

48 Role State Predicates Hold data local to a role instance Lifespan = role L l (A,t,, t) Invoke next rule L l = control (A,t,, t) = data Computer Security: 7 - Specification Languages 48

49 Remembering Things A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab Neuman-Stubblebine phase I L. n A. L(A,n A ) N(A, n A ) L(A,n A ) N({B,n A,k AB,t B } k AS, X, n B) N(X, {n B } ) k AB Tkt A (B,k AB,X) Memory predicate Computer Security: 7 - Specification Languages 49

50 Memory Predicates M A (t,, t) Hold private info. across role exec. Support for subprotocols Communicate data Pass control Interface to outside system Implements intruder Computer Security: 7 - Specification Languages 50

51 Role Owner A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab Role owner Neuman-Stubblebine phase I The principal executing the role L. n A. L(A,n A ) N(A, n A ) A L(A,n A ) N({B,n A,k AB,t B } k AS, X, n B) N(X, {n B } k AB ) Tkt A (B,k AB,X) Computer Security: 7 - Specification Languages 51

52 What is what? Types A L: princ x nonce. n A :nonce. n A :nonce. L(A,n A ) N(A, n A ) B:princ. n A,n B : nonce k AB : shk A B k AS : shk A S X: msg L(A,n A ) N({B,n A,k AB,t B } k AS, X, n B ) N(X, {n B} k AB ) Tkt A (B,k AB,X) Computer Security: 7 - Specification Languages 52

53 Types of Terms A: princ n: nonce k: shk A B k: pubk A k : privk k (definable) Types can depend on term Captures relations between objects Static Local Mandatory Computer Security: 7 - Specification Languages 53

54 Subtyping τ :: msg Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies Computer Security: 7 - Specification Languages 54

55 Type of predicates Dependent sums Σx: τ. τ τ (x) x τ Forces associations among arguments x E.g.: princ (A) x pubk A (k A) x privk k A Computer Security: 7 - Specification Languages 55

56 Type Checking t has type τ in Γ Catches: Γ t : τ Encryption with a nonce Transmission of a long term key Σ P P is welltyped in Σ Computer Security: 7 - Specification Languages 56

57 Typing Terms Γ t 1 : msg Γ t 2 : msg Γ t 1 t 2 : msg Γ t : msg Γ k : shk A B Γ {t} k : msg Γ, x : τ, Γ x : τ Similar rules for Public key encryption Digital signatures, Computer Security: 7 - Specification Languages 57

58 Typing Types Γ msg Γ nonce Γ time Γ A : princ Γ shk A B Γ B : princ Typing for dependent types relies on typing for terms Computer Security: 7 - Specification Languages 58

59 Some Subtyping Rules τ :: τ Γ t : τ Γ t : τ princ :: msg nonce :: msg time :: msg shk A B :: msg pubk A B:: msg No rule for public keys Prevent transmission Computer Security: 7 - Specification Languages 59

60 Typing Tuples and Tuple Types Γ : Γ x : τ Γ t : [t/x]τ Γ (x,t) : τ (x) τ Γ Γ x : τ Γ τ (x) τ Γ, x:τ τ Computer Security: 7 - Specification Languages 60

61 Typing Predicates Γ t:msg Γ N(t) Γ, L:τ, Γ t : τ Γ, L:τ, Γ L(t) Γ, M _ :τ, Γ (A,t ) : τ Γ, M _ :τ, Γ M A (t) Computer Security: 7 - Specification Languages 61

62 Typing Protocol Rules Γ lhs Γ rhs Γ lhs rhs Γ τ Γ, x:τ r Γ x:τ. r Computer Security: 7 - Specification Languages 62

63 Typing Roles Γ Γ τ Γ L:τ. ρ Γ, L:τ ρ Γ r Γ r, ρ Γ ρ Computer Security: 7 - Specification Languages 63

64 Typing Protocol Theories Γ Σ P Σ, A:princ ρ Σ P, ρ A Σ, A:princ P Σ, A:princ ρ Σ, A:princ P, ρ A Computer Security: 7 - Specification Languages 64

65 Data Access Specification DAS r is DASvalid for A in Γ Catches Γ A r P is DASvalid in Σ Σ P A signing/encrypting with B s key A accessing B s private data, Gives meaning to Dolev-Yao intruder Computer Security: 7 - Specification Languages 65

66 An Overview of Access Control Interpret incoming information Collect received data Access unknown data Construct outgoing information Generate data Use known data Access new data Verify access to data Computer Security: 7 - Specification Languages 66

67 Processing a Rule Knowledge set: Collects what A knows Context Γ A lhs >> Γ; A rhs Γ A lhs rhs Computer Security: 7 - Specification Languages 67

68 Processing Predicates on the LHS Network messages Γ ; A t >> Γ; A N(t) >> Memory predicates Γ ; A t 1,,t n >> Γ; A M A (t 1,,t n ) >> Computer Security: 7 - Specification Languages 68

69 Interpreting Data on the LHS Pairs Γ; A t 1, t 2 >> Γ; A (t 1, t 2 ) >> Encrypted terms Γ; A k >> Γ; A t >> Γ; A {t} k >> Elementary terms Γ; (,x) A x >> (,x) (Γ,x:τ); A x >> (,x) Computer Security: 7 - Specification Languages 69

70 Accessing Data on the LHS Shared keys Γ; (,k) A k >> (,k) (Γ,x:shK A B); A x >> (,x) Public keys (Γ,k:pubK A,k :privk k); (,k ) A k >> (,k ) (Γ,k:pubK A,k :privk k); A k >> (,k ) Computer Security: 7 - Specification Languages 70

71 Generating Data on the RHS Nonces (Γ, x:nonce); (, x) A rhs Γ; A x:nonce. rhs Computer Security: 7 - Specification Languages 71

72 Constructing Terms on the RHS Pairs Γ; A t 1 Γ; A t 2 Γ; A (t 1, t 2 ) Shared-key encryptions Γ; A t Γ; A k Γ; A {t} k Computer Security: 7 - Specification Languages 72

73 Accessing Data on the RHS Principal Γ, B:princ A B Shared key Γ, B:princ, k:shk A B A k Public key Γ, B:princ, k:pubk B A k Private key Γ, k:pubk A, k :privk k A k Computer Security: 7 - Specification Languages 73

74 NS-I: B s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Computer Security: 7 - Specification Languages 74

75 NS-I: B s role L: princ (B) x princ x nonce x shk B S x nonce x time. B A:princ. n A : nonce k BS : shk B S T B : time n B :nonce. N(A, n A ) Clk B (T B ) N(B, {A,n A,T B } kbs, n B ) Clk B (T B ) L(B,A,n A,k BS,n B,T B ). k AB : shk A B n B : nonce T now : time T V,T e : time L(B,A,n A,k BS,n B,T B ) N({A,k AB,T B } kbs, {n B } kab ) Val B (A,T B, T V ) (T e = T B + T V ) Auth B (A, k AB,T B,T e ) Val B (A,T B, T V ) Constraint Computer Security: 7 - Specification Languages 75

76 Constraints χ Guards over interpreted domain Abstract Modular Invoke constraint handler E.g.: timestamps (T E = T N + T d ) (T N < T E ) Computer Security: 7 - Specification Languages 76

77 NS-I: S s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Computer Security: 7 - Specification Languages 77

78 NS-I: S s role Anchored role A,B:princ. k AS : shk A S k BS : shk B S n A,n B : nonce T B : time N(B, {A,n A,T B } kbs, n B ) k AB : shk A B. N({B,n A,k AB,T B } kas, {A,k AB,T B } kbs, n B ) S Computer Security: 7 - Specification Languages 78

79 Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab Computer Security: 7 - Specification Languages 79

80 NS-II: A s role A L: princ (A) x princ (B) x shk A B x nonce. n A :nonce. B:princ. k AB : shk A B X: msg Tkt A (B,k AB,X) N( n A, X) Tkt A (B,k AB,X) L(A, B,k AB,n A ). n A,n B : nonce L(A, B,k AB,n A ) N(n B, {n A } kab ) N({n B } kab ) Computer Security: 7 - Specification Languages 80

81 NS-II: B s role L: princ (B) x princ (A) x shk A B x nonce. B n A : nonce k BS : shk B S A:princ. k AB : shk A B T B,T e : time T now : time N(n A, {A,k AB,T B } kbs ) Auth B (A, k AB,T B,T e ) Clk B (T now ) (T now < T e ) n B :nonce. N(n B, {n A } kab ) Auth B (A, k AB,T B,T e ) Clk B (T now ) L(B,A,k AB,n B ). n B : nonce L(B,A,k AB,n B ) N({n B } kab ) Computer Security: 7 - Specification Languages 81

82 Summary: Rules x 1 : τ 1. x n : τ n. y 1 : τ 1. lhs rhs y n : τ n. N(t) Network L(t,, t) Local state M A (t,, t) Memory χ Constraints N(t) Network L(t,, t) Local state M A (t,, t) Memory Computer Security: 7 - Specification Languages 82

83 Summary: Roles Role state pred. var. declarations Generic roles L: τ 1 (x 1 ) x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Role owner Anchored roles L: τ 1 (x 1 ) x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Computer Security: 7 - Specification Languages 83

84 Summary: Snapshots Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signatur e a : τ L l : τ M _ : τ Computer Security: 7 - Specification Languages 84

85 Summary: Execution Model Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules P C C 1- step firing Computer Security: 7 - Specification Languages 85

86 Summary: Rule application r = F, χ n:τ. G(n) Constraint check Σ = χ (constraint handler) Firing [S 1 ] R(r,ρ)A Σ S, F [S 2 ] RρA Σ, c:τ S, G(c) c not in S 1 Computer Security: 7 - Specification Languages 86

87 Configurations Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signatur e a : τ L l : τ M _ : τ Computer Security: 7 - Specification Languages 87

88 Execution Model 1- step firing P C C Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules Computer Security: 7 - Specification Languages 88

89 Variable Instantiation Σ t : τ [S] R ( x:τ.r,ρ) A [S] Σ R ([t/x]r,ρ) A Σ Not fully realistic for verification Redundancy realizes typing, but not completely Computer Security: 7 - Specification Languages 89

90 Rule Application r = F, χ n:τ. G(n) Constraint check Σ = χ (constraint handler) Firing [S 1 ] R(r,ρ)A Σ S, F [S 2 ] RρA Σ, c:τ S, G(c) c not in S 1 Computer Security: 7 - Specification Languages 90

91 Properties Admissibility of parallel firing Type preservation Access control preservation Completeness of Dolev-Yao intruder Computer Security: 7 - Specification Languages 91

92 MSR 2.0 NS Initiator A B: {n A, A} kb B A: {n A, n B } ka A B: {n B } kb A L: princ x princ (B) x pubk B x nonce. B: princ k B : pubk B n A :nonce. L(A,B,k B,n A ) N({n A,A} kb ) k A : pubk A k A : privk k A n A,n B : nonce L(A,B,k B,n A ) N({n A,n B } ka ) N({n B } kb ) Computer Security: 7 - Specification Languages 92

93 MSR 2.0 NS Responder A B: {n A, A} kb B A: {n A, n B } ka A B: {n B } kb L: princ (B) x pubk B (kb) x privk k B x nonce. B k B : pubk B k B : privk k B A: princ n A : nonce k A : pubk A N({n A,A} kb ) n B :nonce. L(B,k B,k B,n B ) N({n A,n B } ka ) n B : nonce L(B,k B,k B,n B ) N({n B } kb ) Computer Security: 7 - Specification Languages 93

94 Readings R. Needham and M. Schroeder, Using Encryption for Authentication in Large Networks of Computers, 1978 M. Burrows, M. Abadi, and R. Needham, A Logic of Authentication, 1989 M. Abadi and A. Gordon, A Calculus for Cryptographic Protocols: The Spi-Calculus, 1999 J. Thayer-Fabrega, J. Herzog, and J. Guttman, Strand Spaces: Why is a Security Protocol Correct, 1998 Iliano Cervesato, Typed MSR: Syntax and Examples, 2000 Computer Security: 7 - Specification Languages 94

95 Exercises for Lecture 7 Give MSR 2.0 encodings of one of the following protocols from the Clark and Jacob library ( Needham-Schroeder public key [6.3.1] Amended Needham-Schroeder [6.3.4] Wide-Mouthed Frog [6.3.5] Yahalom[6.3.6] Woo-Lam [ Π] Kehne-Langendorfer-Shoenwalder [6.3.5] Kao-Chow [6.5.4] Computer Security: 7 - Specification Languages 95

96 Next Intruder Models Computer Security: 7 - Specification Languages 96

Typed MSR: Syntax and Examples

Typed MSR: Syntax and Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ MMM 01 St. Petersburg, Russia May 22 nd, 2001 Outline