Typed MSR: Syntax and Examples

Size: px

Start display at page:

Download "Typed MSR: Syntax and Examples"

Esther Anna Casey
5 years ago
Views:

Typed MSR: Syntax and Examples Iliano Cervesato iliano@itd.nrl.navy.

1 Typed MSR: Syntax and Examples Iliano Cervesato ITT Industries, NRL Washington DC MMM 01 St. Petersburg, Russia May 22 nd, 2001

2 Outline I. Security Protocols II. MSR by Examples Multiset rewriting The Neuman-Stubblebine Protocol MSR Typed MSR: Syntax and Examples 2

3 Part I Security Protocols Typed MSR: Syntax and Examples 3

4 What are they? Exchange of (encrypted) messages for Communicating secrets Authentication Contract signing E-commerce Typed MSR: Syntax and Examples 4

5 Neuman-Stubblebine Phase I A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab Typed MSR: Syntax and Examples 5

6 Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab Typed MSR: Syntax and Examples 6

7 Dolev-Yao Abstraction Symbolic data No bit-strings Perfect cryptography No guessing of keys Public knowledge soup Magic access to data Typed MSR: Syntax and Examples 7

8 Why is Protocol Analysis Difficult? Subtle cryptographic primitives Dolev-Yao abstraction Distributed hostile environment Prudent engineering practice Inadequate specification languages the devil is in details Typed MSR: Syntax and Examples 8

9 Languages to Specify What? Message flow Message constituents Operating environment Protocol goals Typed MSR: Syntax and Examples 9

10 Desirable Properties Unambiguous Simple Flexible Adapts to protocol Applies to a wide class of protocols Insightful Typed MSR: Syntax and Examples 10

11 Part II MSR by Examples Typed MSR: Syntax and Examples 11

12 What s in MSR? Multiset rewriting with existentials Dependent types w/ subsorting Memory predicates New New Constraints New Typed MSR: Syntax and Examples 12

13 Multiset Rewriting Multiset: set with repetitions allowed Rewrite rule: r: N 1 N 2 Application r M 1 M 2 r M, N 1 M, N 2 Multi-step transition, reachability Typed MSR: Syntax and Examples 13

14 Neuman-Stubblebine Phase I A B: B S: A, n A B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Typed MSR: Syntax and Examples 14

15 NS-I: B s point of view A B: B S: A, n A B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Typed MSR: Syntax and Examples 15

16 NS-I: S s point of view A B: B S: A, n A B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Typed MSR: Syntax and Examples 16

17 NS-I: A s point of view A B: B S: A, n A B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab X X Ticket Typed MSR: Syntax and Examples 17

18 Sending / Receiving Messages N(A, n A ) Network predicate N(t): t is a message in transit N({B,n A,k AB,T B } kas,x,n B ) N(X,{n B } kab ) Typed MSR: Syntax and Examples 18

19 Terms Atomic terms Principal names A Keys k Nonces n Term constructors ( ) {_} D e f i n a b l e Typed MSR: Syntax and Examples 19

20 Nonces n A. N(A, n A ) Existential variables n A instantiated to a new constant N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Typed MSR: Syntax and Examples 20

21 MSet Rewriting with Existentials msets of 1 st -order atomic formulas Rules: Application r: F(x) n. G(x,n) r M 1 M 2 c not in M 1 r M, F(t) M, G(t,c) Typed MSR: Syntax and Examples 21

22 Sequencing actions L. Fresh! n A. N(A, n A ) L(A,n A ) Role state predicate L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Typed MSR: Syntax and Examples 22

23 Role state predicates Hold data local to a role instance Lifespan = role L l (A,t,, t) Invoke next rule L l = control (A,t,, t) = data Typed MSR: Syntax and Examples 23

24 Remembering Things L. n A. L(A,n A ) N(A, n A ) L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Tkt A (B,k AB,X) Memory predicate Typed MSR: Syntax and Examples 24

25 Memory Predicates New M A (t,, t) Hold private info. across role exec. Support for subprotocols Communicate data Pass control Interface to outside system Implements intruder Typed MSR: Syntax and Examples 25

26 Role owner New Role owner The principal executing the role L. n A. L(A,n A ) N(A, n A ) A L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Tkt A (B,k AB,X) Typed MSR: Syntax and Examples 26

27 What is what? Types A L: princ x nonce. na :nonce. n A :nonce. L(A,n A ) N(A, n A ) B:princ. n A,n B : nonce k AB : shk A B k AS : shk A S X: msg L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Tkt A (B,k AB,X) Typed MSR: Syntax and Examples 27

28 Types of Terms A: princ n: nonce k: shk A B k: pubk A k : privk k (definable) Types can depend on term Captures relations between objects Static Local Mandatory Typed MSR: Syntax and Examples 28

29 Subtyping τ :: msg Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies Typed MSR: Syntax and Examples 29

30 Type of predicates Dependent sums Σx: τ. τ τ (x) x τ Forces associations among arguments x E.g.: princ (A) x pubk A (k A) x privk k A Typed MSR: Syntax and Examples 30

31 Type Checking New Σ P t has type τ in Γ Γ t : τ P is welltyped in Σ Catches: Encryption with a nonce Transmission of a long term key Typed MSR: Syntax and Examples 31

32 Access Control New r is AC-valid for A in Γ Catches Γ A r P is ACvalid in Σ Σ P A signing/encrypting with B s key A accessing B s private data, Gives meaning to Dolev-Yao intruder Typed MSR: Syntax and Examples 32

33 NS-I: B s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab Typed MSR: Syntax and Examples 33

34 NS-I: B s role L: princ (B) x princ x nonce x shk B S x nonce x time. B A:princ. n A : nonce k BS :shkb S T B : time n B :nonce. N(A, n A ) Clk B (T B ) N(B, {A,n A,T B } kbs, n B ) Clk B (T B ) L(B,A,n A,k BS,n B,T B ). k AB :shka B n B : nonce T now : time T V,T e : time L(B,A,n A,k BS,n B,T B ) N({A,k AB,T B } kbs, {n B } kab ) Val B (A,T B, T V ) (T e = T B + T V ) Auth B (A, k AB,T B,T e ) Val B (A,T B, T V ) Constraint Typed MSR: Syntax and Examples 34

35 Constraints New χ Guards over interpreted domain Abstract Modular Invoke constraint handler E.g.: timestamps (T E = T N + T d ) (T N < T E ) Typed MSR: Syntax and Examples 35

36 NS-I: S s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab Typed MSR: Syntax and Examples 36

37 NS-I: S s role Anchored role A,B:princ. k AS :shka S k BS :shkb S n A,n B : nonce T B : time N(B, {A,n A,T B } kbs,n B ) k AB :shka B. N({B,n A,k AB,T B } kas, {A,k AB,T B } kbs, n B ) S Typed MSR: Syntax and Examples 37

38 Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab Typed MSR: Syntax and Examples 38

39 NS-II: A s role A L: princ (A) x princ (B) x shk A B x nonce. n A :nonce. B:princ. k AB :shka B X: msg Tkt A (B,k AB,X) N( n A, X) Tkt A (B,k AB,X) L(A, B,k AB,n A ). n A,n B : nonce L(A, B,k AB,n A ) N(n B,{n A } kab ) N({n B } kab ) Typed MSR: Syntax and Examples 39

40 NS-II: B s role L: princ (B) x princ (A) x shk A B x nonce. B n A : nonce k BS :shkb S A:princ. k AB :shka B T B,T e : time T now : time N(n A, {A,k AB,T B } kbs ) Auth B (A, k AB,T B,T e ) Clk B (T now ) (T now < T e ) n B :nonce. N(n B, {n A } kab ) Auth B (A, k AB,T B,T e ) Clk B (T now ) L(B,A,k AB,n B ). n B : nonce L(B,A,k AB,n B ) N({n B } kab ) Typed MSR: Syntax and Examples 40

41 Summary: Rules x 1 : τ 1. x n : τ n. y 1 : τ 1. lhs rhs y n : τ n. N(t) Network L(t,, t) Local state M A (t,, t) Memory χ Constraints N(t) Network L(t,, t) Local state M A (t,, t) Memory Typed MSR: Syntax and Examples 41

42 Summary: Roles Role state pred. var. declarations Generic roles L: τ (x 1 ) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Role owner Anchored roles L: τ (x1) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Typed MSR: Syntax and Examples 42

43 Summary: Snapshots Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signature a : τ L l : τ M _ : τ Typed MSR: Syntax and Examples 43

44 Summary: Execution Model Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules P C C 1-step firing Typed MSR: Syntax and Examples 44

45 Summary: Rule application r = F, χ n:τ. G(n) Constraint check Σ = χ (constraint handler) Firing [S 1 ] R(r,ρ)A Σ [S 2 ] RρA Σ, c:τ c not in S 1 S, F S, G(c) Typed MSR: Syntax and Examples 45

46 Properties Type preservation Access control preservation Completeness of Dolev-Yao intruder New Typed MSR: Syntax and Examples 46

47 Completed Case-Studies Full Needham-Schroeder public-key Otway-Rees Neuman-Stubblebine repeated auth. OFT group key management Typed MSR: Syntax and Examples 47

48 Future work Experimentation Clark-Jacob library Fair-exchange protocols More multicast Pragmatics Type-reconstruction Operational execution model(s) Implementation Automated specification techniques Typed MSR: Syntax and Examples 62

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC. MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ IITD, CSE Dept. Delhi, India April 24 th,2002 Outline Security Protocols