Extending Dolev-Yao with Assertions

Size: px

Start display at page:

Download "Extending Dolev-Yao with Assertions"

April Norton
5 years ago
Views:

1 Extending Dolev-Yao with Assertions Vaishnavi Sundararajan Chennai Mathematical Institute FOSAD 2015 August 31, 2015 (Joint work with R Ramanujam and S P Suresh) Vaishnavi S Extending Dolev-Yao with Assertions 1 / 24

2 Outline 1 Introduction 2 Example 3 Assertions Syntax, Semantics 4 Manipulating assertions 5 Concluding remarks Vaishnavi S Extending Dolev-Yao with Assertions 2 / 24

3 Introduction Outline 1 Introduction 2 Example 3 Assertions Syntax, Semantics 4 Manipulating assertions 5 Concluding remarks Vaishnavi S Extending Dolev-Yao with Assertions 3 / 24

4 Introduction The Dolev-Yao Model Useful for modelling agents abilities in cryptographic protocols Message space viewed as term algebra t := m (t 1, t 2 ) {t} k Intruder is the network has access to any communicated message, but cannot break encryption X t ax (t X) X (t 0, t 1 ) split i (i = 0, 1) X t i X t 0 X (t 0, t 1 ) X t 1 pair X {t} k X inv(k) X t X k dec enc X t X {t} k Figure : Term derivation rules, where X is a set of terms Vaishnavi S Extending Dolev-Yao with Assertions 4 / 24

5 Introduction More about Dolev-Yao Dolev-Yao treats terms as tokens Recepients own terms, can pass them along in own name What if protocol uses certificates? (Should only be verified, but not owned) Common behaviour, especially in protocols involving authorization and delegation. Surely if it s that common, Dolev-Yao handles it? Yes, it does. Vaishnavi S Extending Dolev-Yao with Assertions 5 / 24

6 Introduction But... Dolev-Yao expresses certification in the following ways: Vaishnavi S Extending Dolev-Yao with Assertions 6 / 24

7 Introduction But... Dolev-Yao expresses certification in the following ways: Cryptographic devices zero knowledge proofs, bit commitment etc. Vaishnavi S Extending Dolev-Yao with Assertions 6 / 24

8 Introduction But... Dolev-Yao expresses certification in the following ways: Not concise or readable Cryptographic devices zero knowledge proofs, bit commitment etc. Vaishnavi S Extending Dolev-Yao with Assertions 6 / 24

9 Introduction But... Dolev-Yao expresses certification in the following ways: Not concise or readable Cryptographic devices zero knowledge proofs, bit commitment etc. Ad-hoc methods by tagging a term with an agent s name to indicate origin etc. Vaishnavi S Extending Dolev-Yao with Assertions 6 / 24

10 Introduction But... Dolev-Yao expresses certification in the following ways: Not concise or readable Cryptographic devices zero knowledge proofs, bit commitment etc. Ad-hoc methods by tagging a term indicate origin etc. with an agent s name to Not general enough Vaishnavi S Extending Dolev-Yao with Assertions 6 / 24

11 Example Outline 1 Introduction 2 Example 3 Assertions Syntax, Semantics 4 Manipulating assertions 5 Concluding remarks Vaishnavi S Extending Dolev-Yao with Assertions 7 / 24

12 Example Example We wish to model the following scenario. Example 1 Agent A sends agent B a nonce m encrypted in its public key, with some partial information about the value of m. (Suppose the actual value of m is a) One of the most common ways to communicate such a certificate is by 1-out-of-2 re-encryption. Vaishnavi S Extending Dolev-Yao with Assertions 8 / 24

13 Example Modelling this in Dolev-Yao Everyone knows g and h such that h = g s (s is secret to A). Choose ( d 0, d 1, r 0, r 1 randomly. Set c = hash x d0 0 gr0, x d1 1 gr1, y d0 0 hr0, y d1 1 ). hr1 Set d 1 i = d, r 1 i = r, e = c d and s = md i +r i me. ( ) hash x d0 0 gr0, x d1 1 gr1, y d0 0 hr0, y d1 1 hr1, x 0, x 1, y 0, y 1, d, e, r, s A Check whether?? c = d + e = hash(x d 1 i gr, x e i gs, y1 i d hr, yi ehs, x 0, x 1, y 0, y 1 ). What A does B What B does Vaishnavi S Extending Dolev-Yao with Assertions 9 / 24

14 Assertions Syntax, Semantics Outline 1 Introduction 2 Example 3 Assertions Syntax, Semantics 4 Manipulating assertions 5 Concluding remarks Vaishnavi S Extending Dolev-Yao with Assertions 10 / 24

15 Assertions Syntax, Semantics What we want of assertions An assertion should Be readable. Be non-ownable agent B should not be able to send A s assertion in its own name. Be able to provide partial information about terms it references. Be communicated in a form which reveals the origin agent. Vaishnavi S Extending Dolev-Yao with Assertions 11 / 24

16 Assertions Syntax, Semantics Assertion language The set A of assertions is given by the following syntax α := m t t = t α 1 α 2 α 1 α 2 where m is a nonce, and m t is to be read as m occurs in t. Vaishnavi S Extending Dolev-Yao with Assertions 12 / 24

17 Assertions Syntax, Semantics Communicated messages In Example 1, the communication from A to B in the earlier protocol looks as follows: A B : {m} pk(a), {a {m} pk(a) b {m} pk(a) } sd(a) The sd(a) signifies that the assertion is signed by A. The communicated assertion thus carries information about the originating agent. Vaishnavi S Extending Dolev-Yao with Assertions 13 / 24

18 Assertions Syntax, Semantics What about the intruder? The intruder I is still the network. But assertions, unlike terms, are signed. How does that affect I? I stores all signed assertions sent out, and may replay them later. Cannot modify assertions sent out earlier, cannot forge signatures. Vaishnavi S Extending Dolev-Yao with Assertions 14 / 24

19 Assertions Syntax, Semantics Why aren t there any proofs being sent in our version? Underlying system ensures only true assertions are sent out. Think of it as the underlying system being a verifying authority, and each agent sends a proof of its assertion to this authority. The authority checks the proof first, and allows the agent to send out the assertion only if the proof is correct. Vaishnavi S Extending Dolev-Yao with Assertions 15 / 24

20 Assertions Syntax, Semantics Checks and derivations When A sends a term t and an assertion α, the system checks that A can derive the term t from its set of terms X A using Dolev-Yao rules. A can derive the assertion α from its set of assertions Φ A using the system derivation rules (coming up on the next two slides). Vaishnavi S Extending Dolev-Yao with Assertions 16 / 24

21 Assertions Syntax, Semantics Checks and derivations When A sends a term t and an assertion α, the system checks that A can derive the term t from its set of terms X A using Dolev-Yao rules. A can derive the assertion α from its set of assertions Φ A using the system derivation rules (coming up on the next two slides). When A receives assertion α (claiming to be) from B, the system checks that α is signed by B. B sent α out into the network earlier. Vaishnavi S Extending Dolev-Yao with Assertions 16 / 24

22 Assertions Syntax, Semantics Derivation rules X dy m ax X, Φ m m X dy st(t) B eq X, Φ t = t X dy {t} k X dy k X, Φ m t enc X, Φ m {t} k X dy inv(k) X, Φ m {t} k dec X, Φ m t X dy (t 0, t 1 ) X, Φ m t i X dy st(t 1 i ) B pair X, Φ m (t 0, t 1 ) X, Φ m (t 0, t 1 ) X dy st(t i ) B m st(t i ) split X, Φ m t 1 i Figure : The rules for atomic assertions Vaishnavi S Extending Dolev-Yao with Assertions 17 / 24

23 Assertions Syntax, Semantics More derivation rules ax X, Φ {α} α X, Φ m {b} k X, Φ n {b} k (m n; b B) X, Φ α X, Φ α 1 X, Φ α 2 i X, Φ α 1 α 2 X, Φ α 1 α 2 e X, Φ α i X, Φ α i i X, Φ α 1 α 2 X, Φ α 1 α 2 X, Φ {α 1 } β X, Φ {α 2 } β e X, Φ β Figure : Rules for propositional reasoning Vaishnavi S Extending Dolev-Yao with Assertions 18 / 24

24 Manipulating assertions Outline 1 Introduction 2 Example 3 Assertions Syntax, Semantics 4 Manipulating assertions 5 Concluding remarks Vaishnavi S Extending Dolev-Yao with Assertions 19 / 24

25 Manipulating assertions What about forwarding? Suppose B wants to forward an assertion α it received from A to agent C. Scenario is quite common in protocols employing delegation. We want to disallow B from just sending α in its own name. How to achieve this, then? B sends C an assertion of the form A says α. Vaishnavi S Extending Dolev-Yao with Assertions 20 / 24

26 Manipulating assertions What about forwarding? Suppose B wants to forward an assertion α it received from A to agent C. Scenario is quite common in protocols employing delegation. We want to disallow B from just sending α in its own name. How to achieve this, then? B sends C an assertion of the form A says α. Again, think of the underlying network as being a verifying authority. B basically tells the authority to approach A for a proof of α. The set A of assertions is now given by the following syntax α := m t t = t α 1 α 2 α 1 α 2 A says α Vaishnavi S Extending Dolev-Yao with Assertions 20 / 24

27 Manipulating assertions Checks and derivations for says On receiving α from A, B adds A says α to its assertion set Φ B. Other checks and updates remain the same. X, Φ A says (m {b} k ) X, Φ A says (n {b} k ) (m n; b B) X, Φ A says α X, Φ A says α 1 X, Φ A says α 2 i X, Φ A says (α 1 α 2 ) X, Φ A says (α 1 α 2 ) e X, Φ A says α i X, Φ A says α i X, Φ A says (α 1 α X, Φ A says (α 1 α 2 ) X, Φ {A says α 1 } A says β X, Φ {A says α 2 } A says β X, Φ A says β Figure : Rules for says Vaishnavi S Extending Dolev-Yao with Assertions 21 / 24

28 Concluding remarks Outline 1 Introduction 2 Example 3 Assertions Syntax, Semantics 4 Manipulating assertions 5 Concluding remarks Vaishnavi S Extending Dolev-Yao with Assertions 22 / 24

29 Concluding remarks Conclusion and future work Described a framework to add a separate algebra for assertions to the Dolev-Yao term model. Makes for concise and more readable certification in protocols. Future work: better assertion structure, modeling real-life protocols. Link to paper: Vaishnavi S Extending Dolev-Yao with Assertions 23 / 24

30 Concluding remarks Thank you! Vaishnavi S Extending Dolev-Yao with Assertions 24 / 24

Extending Dolev-Yao with assertions

Extending Dolev-Yao with assertions R. Ramanujam 1, Vaishnavi Sundararajan 2, and S.P. Suresh 2 1 Institute of Mathematical Sciences Chennai, India. jam@imsc.res.in 2 Chennai Mathematical Institute, Chennai,