Lecture 7: Specification Languages

Similar documents
Typed MSR: Syntax and Examples

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

Abstract Specification of Crypto- Protocols and their Attack Models in MSR

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC

One Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:

Notes on BAN Logic CSG 399. March 7, 2006

The Logical Meeting Point of Multiset Rewriting and Process Algebra

Control Flow Analysis of Security Protocols (I)

Proving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory

A Logic of Authentication

Proving Properties of Security Protocols by Induction

Time-Bounding Needham-Schroeder Public Key Exchange Protocol

A decidable subclass of unbounded security protocols

Models and analysis of security protocols 1st Semester Security Protocols Lecture 6

Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality

Relating State-Based and Process-Based Concurrency through Linear Logic

Encoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania

Analysis of authentication protocols Intership report

Verification of Security Protocols in presence of Equational Theories with Homomorphism

Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions

CPSA and Formal Security Goals

Heuristic Methods for Security Protocols

The Sizes of Skeletons: Security Goals are Decidable

BAN Logic A Logic of Authentication

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool

Strand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001

Verification of the TLS Handshake protocol

A Calculus for Control Flow Analysis of Security Protocols

An Efficient Cryptographic Protocol Verifier Based on Prolog Rules

APPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.

Models for an Adversary-Centric Protocol Logic

The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability

A compositional logic for proving security properties of protocols

A Logic of Authentication. Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

Event structure semantics for security protocols

CS 395T. Probabilistic Polynomial-Time Calculus

Symbolic Protocol Analysis with Products and Diffie-Hellman Exponentiation

Probabilistic Model Checking of Security Protocols without Perfect Cryptography Assumption

A progress report on using Maude to verify protocol properties using the strand space model

Complexity of Checking Freshness of Cryptographic Protocols

Discrete vs. Dense Times in the Analysis of Cyber-Physical Security Protocols

MASTER S THESIS FROM FORMAL TO COMPUTATIONAL AUTHENTICITY DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY

Automated Validation of Internet Security Protocols. Luca Viganò

Lecture 1: Introduction to Public key cryptography

An undecidability result for AGh

Model Checking Security Protocols Using a Logic of Belief

Computing Symbolic Models for Verifying Cryptographic Protocols

arxiv: v1 [cs.cr] 27 May 2016

Skeletons and the Shapes of Bundles

On the Verification of Cryptographic Protocols

An Undecidability Result for AGh

Exam Security January 19, :30 11:30

Automata-based analysis of recursive cryptographic protocols

A Cryptographic Decentralized Label Model

Extending Dolev-Yao with Assertions

Report Documentation Page

TAuth: Verifying Timed Security Protocols

THE SHAPES OF BUNDLES

A Semantics for a Logic of Authentication. Cambridge, MA : A; B

Analysing Layered Security Protocols

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

RZ 3709 (# 99719) 06/20/2008 (Revised Version: October 2008) Computer Science 18 pages

Verification of a Diffie-Hellman Password-based Authentication Protocol by Extending the Inductive Method

The TLA + proof system

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols

On the Automatic Analysis of Recursive Security Protocols with XOR

structure of such protocols, the difficulty is that logics are useful only when the semantics is precise, and most of the problems seem to relate to p

Symbolic trace analysis of cryptographic protocols

Deciding the Security of Protocols with Commuting Public Key Encryption

Equational Tree Automata: Towards Automated Verification of Network Protocols

Automatic, computational proof of EKE using CryptoVerif

Authentication Tests and the Structure of Bundles

Authentication Tests and Disjoint Encryption: a Design Method for Security Protocols

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

The State Explosion Problem

Lecture Notes on Certifying Theorem Provers

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Cryptography IV: Asymmetric Ciphers

Asymmetric Unification: A New Unification Paradigm for Cryptographic Protocol Analysis

Proof Scores in the OTS/CafeOBJ Method

Public Key Cryptography

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security

Strand Spaces: Why is a Security Protocol Correct?

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Reasoning with Higher-Order Abstract Syntax and Contexts: A Comparison

A Constructor-Based Reachability Logic for Rewrite Theories

Decidable Analysis of Cryptographic Protocols with Products and Modular Exponentiation

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Proving secrecy is easy enough

A Short Tutorial on Proverif

Authentication. Chapter Message Authentication

CPSC 467b: Cryptography and Computer Security

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Transcription:

Graduate Course on Computer Security Lecture 7: Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ DIMI, Universita di Udine, Italy December 6, 2001

Outline Dolev-Yao model Specification Evaluation criteria Some languages Usual notation BAN logic Spi calculus Strand spaces Inductive methods CAPSL MSR Motivations Syntax Type checking DAS Data Access Specification Execution Computer Security: 7 - Specification Languages 2

Why is Protocol Analysis Difficult? Subtle cryptographic primitives Dolev-Yao abstraction Lecture 4 a bit more in this lecture Distributed hostile environment Prudent engineering practice Lecture 4 Inadequate specification languages This lecture Computer Security: 7 - Specification Languages 3

Dolev-Yao Network Model Bob Alice Network Server Dan Charlie Computer Security: 7 - Specification Languages 4

The Dolev-Yao Model of Security Symbolic data No bits Black-box cryptography No guessing of keys 01001011010 k A Partially abstract data access Knowledge soup A k A k B S Found in most protocol analysis tools Tractability Computer Security: 7 - Specification Languages 5

Perfect Cryptography k -1 is needed to decrypt {m} k k -1 is just k for shared key ciphers No collisions {m 1 } ka = {m 2 } kb iff m 1 = m 2 and k A = k B {m} k = n never {m} k = (m 1 m 2 ) never We will relax this to handle type violations Computer Security: 7 - Specification Languages 6

Public Knowledge Soup Free access to auxiliary data Abstracts actual mechanisms Transmission of certificates Invocation of subprotocols Caching But not all data are public keys secrets A k S k AB S Computer Security: 7 - Specification Languages 7

Why is specification important? good Documentation Communicate Engineering Implementation Verification tools Science Foundations Assist engineering Computer Security: 7 - Specification Languages 8

Languages to Specify What? Message flow Message constituents Operating environment Protocol goals Computer Security: 7 - Specification Languages 9

Desirable Properties Unambiguous Simple Flexible Adapts to protocols Powerful Applies to a wide class of protocols Insightful Gives insight about protocols Computer Security: 7 - Specification Languages 10

Language Families Usual notation (user interfaces) Knowledge logic BAN Process theory Spi-calculus Strands MSR FDR, Casper Petri nets Inductive methods Temporal logic Automata CAPSL NRL Protocol Analyzer Murφ Why so many? Experience from mature fields Unifying problem Scientifically intriguing Funding opportunities Convergence of approaches Computer Security: 7 - Specification Languages 11

Running Example Needham-Schroeder public key protocol (fragment) Devised in 78 Broken in 95! But purely academic attack subject to interpretation Example of weak specification! Computer Security: 7 - Specification Languages 12

Usual Notation A B: {n A, A} kb B A: {n A, n B } ka A B: {n B } kb Computer Security: 7 - Specification Languages 13

Evaluation of the Usual Notation Flow Expected run Constituents Side remarks Environment Side remarks Goals Side remarks Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 14

BAN Logic [Burrows, Abadi, Needham] Roots in belief logic Reason about knowledge as protocol unfolds Security: principals share same view Specification Usual notation Idealized protocol Assumptions Goals Verification Logical inference Computer Security: 7 - Specification Languages 15

BAN Idealization A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb n B is a shared secret between A and B NS-PK [3-5] A B: {n A } kb n A provides evidence to the fact that B A: { A n B B na } ka A B: { A n A B, B A n B B nb } kb Believes (more readable syntax proposed later) Computer Security: 7 - Specification Languages 16

BAN Assumptions A B: {A,n A } kb B A: {n A,n B } ka k A is the public key of A n A is fresh A B: {n B } kb NS-PK [3-5] A k A A A k B B B k B B B k A A A # n A A A n A B B # n B B A n B B Computer Security: 7 - Specification Languages 17

BAN Goals A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb NS-PK [3-5] Authentication goals expressed in terms of Mutual beliefs Beliefs about freshness B A A n A B A B A n B B A # n B B # n A Formally derived from BAN rules Computer Security: 7 - Specification Languages 18

Evaluation of BAN Flow Idealized run Constituents Assumptions Environment Implicit Goals BAN formulas Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 19

The Spi-Calculus [Abadi, Gordon] π-calculus with cryptographic constructs Specification 1 process for each role Instance to be studied Intruder not explicitly modeled Verification Process equivalence to reference process Computer Security: 7 - Specification Languages 20

The Syntax of Spi Computer Security: 7 - Specification Languages 21

Spi: NS Initiator A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb init(a,b,c AB,k B+,k A- ) = NS-PK [3-5] (νn A ) c AB < { A, n A } kb + >. c AB (x). case x of { y } ka - in let (y 1,y 2 ) = y in [y 1 is n A ] c AB < { y 2 } kb + >. 0 Computer Security: 7 - Specification Languages 22

Spi: NS Responder A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb resp(b,a,c AB,k A+,k B- ) = NS-PK [3-5] c AB (x). case x of { y } kb - in let (y 1,y 2 ) = y in [y 1 is A] (νn B ) c AB < { y 2, n B } ka + >. c AB (x ). case x of { y } kb - in [y is n B ] 0 Computer Security: 7 - Specification Languages 23

Spi: NS Instance A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb inst(a,b,c AB ) = NS-PK [3-5] (νk A ) (νk B ) ( init(a,b,c AB,k B+,k A- ) resp(b,a,c AB,k A+,k B- )) Computer Security: 7 - Specification Languages 24

Evaluation of Spi Flow Role-based Constituents Informal math. Environment Implicit Goals Reference process Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 25

Strand Spaces [Guttman, Thayer] Roots in trace theory Lamport s causality Mazurkiewicz s traces Specification Strands Sets of principals, keys, Verification Authentication tests Model checking Computer Security: 7 - Specification Languages 26

Strands A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb NS-PK [3-5] Initiator strand {n A, A} kb Responder strand {n A, A} kb {n A, n B } ka {n A, n B } ka {n B } kb {n B } kb Computer Security: 7 - Specification Languages 27

Evaluation of Strands Flow Role-based Constituents Informal math. Environment Side remarks Goals Side remarks Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 28

Inductive Methods [Paulson] Protocol inductively defines traces Specification 1 inductive rule for each protocol rule Universal intruder based on language Verification Theorem proving (Isabelle HOL) Related methods [Bolignano] Computer Security: 7 - Specification Languages 29

IMs: NS A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb NS1 [evs ns; A B; Nonce N A used evs] NS-PK [3-5] Says A B {Nonce N A, Agent A} KB # evs ns NS2 [evs ns; A B; Nonce N B used evs; Says A B {Nonce N A, Agent A} KB set evs] Says B A {Nonce N A, Nonce N A } KA # evs ns NS3 [evs ns; Says A B {Nonce N A, Agent A} KB set evs; Says B A {Nonce N A, Nonce N A } KA set evs] Says A B {Nonce N A } KB # evs ns Computer Security: 7 - Specification Languages 30

IMs: Environment Nil [] ns Fake [evs ns; B Spy; X synth(analz (spies evs))] Says Spy B X # evs ns synth, analz, spies, protocol independent Computer Security: 7 - Specification Languages 31

Evaluation of Inductive Methods Flow Trace-based Constituents Formalized math. Environment Immutable Goals Imposs. traces Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 32

CAPSL [Millen] Ad-hoc model checker Specification Special-purpose language Intruder built-in Implementation CIL [Denker] -> similar to MSR Related systems Murφ [Shmatikov, Stern] SMV [Clarke, Jha, Marrero] Computer Security: 7 - Specification Languages 33

CAPSL A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb NS-PK [3-5] PROTOCOL NS; VARIABLES A, B: PKUser; Na, Nb: Nonce, CRYPTO ASSUMPTIONS HOLDS A: B; MESSAGES A -> B : {A, Na}pk(B); B -> A : {Na,Nb}pk(A); A -> B : {Nb}pk(B); GOALS SECRET Na; SECRET Nb; PRECEDES A: B Na; PRECEDES B: A Nb; END; Computer Security: 7 - Specification Languages 34

Evaluation of CAPSL Flow Explicit run Constituents Declarations Environment Implicit Goals Properties Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 35

MSR [Cervesato, Durgin, Lincoln, Mitchell, Scedrov] A specification language based on MultiSet Rewriting with existentials MSR 1.0 Designed to prove the undecidability of protocol correctness verification Poor specification language Error-prone Limited automated assistance Limited support for verification MSR 2.0 Redesign of MSR 1.0 as a specification language Easy to use Support for automation New background in typetheory Margin for verification Current techniques can be adapted Computer Security: 7 - Specification Languages 36

Evaluation of MSR 2.0 Flow Role-based Constituents Strong typing Environment In part Goals Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 37

Roadmap to MSR Step-by-step specification of example Neuman-Stubblebine protocol Language description Syntax Typing Data Access Control DAS Execution semantics Properties More examples NS-PK[3-5] Computer Security: 7 - Specification Languages 38

Multiset Rewriting Multiset: set with repetitions allowed Rewrite rule: r: N 1 N 2 Application r M 1 M 2 r M, N 1 M, N 2 Multi-step transition, reachability Computer Security: 7 - Specification Languages 39

NSt-I: B s Role A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab where T = {A,k AB,t B } kbs A B: A, n A Neuman-Stubblebine phase I B S: B, {A, n A, t B } kbs, n B S A: {B, n A, k AB, t B } kas, {A, k AB, t B } kbs, n B A B: {A, k AB, t B } kbs, {n B } kab Computer Security: 7 - Specification Languages 40

NSt-I: S s Role A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab where T = {A,k AB,t B } kbs Neuman-Stubblebine phase I A B: A, n A B S: B, {A, n A, t B } kbs, n B S A: {B, n A, k AB, t B } kas, {A, k AB, t B } kbs, n B A B: {A, k AB, t B } kbs, {n B } kab Computer Security: 7 - Specification Languages 41

NSt-I: A s Role A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: A, n A A B: T,{n B } kab where T = {A,k AB,t B } kbs Neuman-Stubblebine phase I B S: B, {A, n A, t B } kbs, n B S A: {B, n A, k AB, t B } kas, {A, k AB, t B } kbs, n B A B: {A, k AB, t B } kbs, {n B } kab X X Ticket Computer Security: 7 - Specification Languages 42

Sending / Receiving Messages N(A, n A ) Network predicate N(m): m is a message in transit N({B,n A,k AB,t B } kas,x,n B ) N(X,{n B } kab ) Computer Security: 7 - Specification Languages 43

Terms Atomic terms Principal names Keys Nonces Term constructors ( ) {_} _ A k n D e f i n a b l e Computer Security: 7 - Specification Languages 44

Nonces A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab Neuman-Stubblebine phase I n A. N(A, n A ) Existential variables n A instantiated to a new constant N({B,n A,k AB,t B } k AS, X, n B) N(X, {n B } k AB ) Computer Security: 7 - Specification Languages 45

MSet Rewriting with Existentials Multisets of 1 st -order atomic formulas Rules: Application r: F(x) n. G(x,n) r M 1 M 2 c not in M 1 r M, F(t) M, G(t,c) Computer Security: 7 - Specification Languages 46

Sequencing Actions A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t L. Fresh! n A. A B: T,{n B } kab Neuman-Stubblebine phase I N(A, n A ) L(A,n A ) Role state predicate L(A,n A ) N({B,n A,k AB,t B }, X, n k AS B) N(X, {n B } k AB ) Computer Security: 7 - Specification Languages 47

Role State Predicates Hold data local to a role instance Lifespan = role L l (A,t,, t) Invoke next rule L l = control (A,t,, t) = data Computer Security: 7 - Specification Languages 48

Remembering Things A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab Neuman-Stubblebine phase I L. n A. L(A,n A ) N(A, n A ) L(A,n A ) N({B,n A,k AB,t B } k AS, X, n B) N(X, {n B } ) k AB Tkt A (B,k AB,X) Memory predicate Computer Security: 7 - Specification Languages 49

Memory Predicates M A (t,, t) Hold private info. across role exec. Support for subprotocols Communicate data Pass control Interface to outside system Implements intruder Computer Security: 7 - Specification Languages 50

Role Owner A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab Role owner Neuman-Stubblebine phase I The principal executing the role L. n A. L(A,n A ) N(A, n A ) A L(A,n A ) N({B,n A,k AB,t B } k AS, X, n B) N(X, {n B } k AB ) Tkt A (B,k AB,X) Computer Security: 7 - Specification Languages 51

What is what? Types A L: princ x nonce. n A :nonce. n A :nonce. L(A,n A ) N(A, n A ) B:princ. n A,n B : nonce k AB : shk A B k AS : shk A S X: msg L(A,n A ) N({B,n A,k AB,t B } k AS, X, n B ) N(X, {n B} k AB ) Tkt A (B,k AB,X) Computer Security: 7 - Specification Languages 52

Types of Terms A: princ n: nonce k: shk A B k: pubk A k : privk k (definable) Types can depend on term Captures relations between objects Static Local Mandatory Computer Security: 7 - Specification Languages 53

Subtyping τ :: msg Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies Computer Security: 7 - Specification Languages 54

Type of predicates Dependent sums Σx: τ. τ τ (x) x τ Forces associations among arguments x E.g.: princ (A) x pubk A (k A) x privk k A Computer Security: 7 - Specification Languages 55

Type Checking t has type τ in Γ Catches: Γ t : τ Encryption with a nonce Transmission of a long term key Σ P P is welltyped in Σ Computer Security: 7 - Specification Languages 56

Typing Terms Γ t 1 : msg Γ t 2 : msg Γ t 1 t 2 : msg Γ t : msg Γ k : shk A B Γ {t} k : msg Γ, x : τ, Γ x : τ Similar rules for Public key encryption Digital signatures, Computer Security: 7 - Specification Languages 57

Typing Types Γ msg Γ nonce Γ time Γ A : princ Γ shk A B Γ B : princ Typing for dependent types relies on typing for terms Computer Security: 7 - Specification Languages 58

Some Subtyping Rules τ :: τ Γ t : τ Γ t : τ princ :: msg nonce :: msg time :: msg shk A B :: msg pubk A B:: msg No rule for public keys Prevent transmission Computer Security: 7 - Specification Languages 59

Typing Tuples and Tuple Types Γ : Γ x : τ Γ t : [t/x]τ Γ (x,t) : τ (x) τ Γ Γ x : τ Γ τ (x) τ Γ, x:τ τ Computer Security: 7 - Specification Languages 60

Typing Predicates Γ t:msg Γ N(t) Γ, L:τ, Γ t : τ Γ, L:τ, Γ L(t) Γ, M _ :τ, Γ (A,t ) : τ Γ, M _ :τ, Γ M A (t) Computer Security: 7 - Specification Languages 61

Typing Protocol Rules Γ lhs Γ rhs Γ lhs rhs Γ τ Γ, x:τ r Γ x:τ. r Computer Security: 7 - Specification Languages 62

Typing Roles Γ Γ τ Γ L:τ. ρ Γ, L:τ ρ Γ r Γ r, ρ Γ ρ Computer Security: 7 - Specification Languages 63

Typing Protocol Theories Γ Σ P Σ, A:princ ρ Σ P, ρ A Σ, A:princ P Σ, A:princ ρ Σ, A:princ P, ρ A Computer Security: 7 - Specification Languages 64

Data Access Specification DAS r is DASvalid for A in Γ Catches Γ A r P is DASvalid in Σ Σ P A signing/encrypting with B s key A accessing B s private data, Gives meaning to Dolev-Yao intruder Computer Security: 7 - Specification Languages 65

An Overview of Access Control Interpret incoming information Collect received data Access unknown data Construct outgoing information Generate data Use known data Access new data Verify access to data Computer Security: 7 - Specification Languages 66

Processing a Rule Knowledge set: Collects what A knows Context Γ A lhs >> Γ; A rhs Γ A lhs rhs Computer Security: 7 - Specification Languages 67

Processing Predicates on the LHS Network messages Γ ; A t >> Γ; A N(t) >> Memory predicates Γ ; A t 1,,t n >> Γ; A M A (t 1,,t n ) >> Computer Security: 7 - Specification Languages 68

Interpreting Data on the LHS Pairs Γ; A t 1, t 2 >> Γ; A (t 1, t 2 ) >> Encrypted terms Γ; A k >> Γ; A t >> Γ; A {t} k >> Elementary terms Γ; (,x) A x >> (,x) (Γ,x:τ); A x >> (,x) Computer Security: 7 - Specification Languages 69

Accessing Data on the LHS Shared keys Γ; (,k) A k >> (,k) (Γ,x:shK A B); A x >> (,x) Public keys (Γ,k:pubK A,k :privk k); (,k ) A k >> (,k ) (Γ,k:pubK A,k :privk k); A k >> (,k ) Computer Security: 7 - Specification Languages 70

Generating Data on the RHS Nonces (Γ, x:nonce); (, x) A rhs Γ; A x:nonce. rhs Computer Security: 7 - Specification Languages 71

Constructing Terms on the RHS Pairs Γ; A t 1 Γ; A t 2 Γ; A (t 1, t 2 ) Shared-key encryptions Γ; A t Γ; A k Γ; A {t} k Computer Security: 7 - Specification Languages 72

Accessing Data on the RHS Principal Γ, B:princ A B Shared key Γ, B:princ, k:shk A B A k Public key Γ, B:princ, k:pubk B A k Private key Γ, k:pubk A, k :privk k A k Computer Security: 7 - Specification Languages 73

NS-I: B s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Computer Security: 7 - Specification Languages 74

NS-I: B s role L: princ (B) x princ x nonce x shk B S x nonce x time. B A:princ. n A : nonce k BS : shk B S T B : time n B :nonce. N(A, n A ) Clk B (T B ) N(B, {A,n A,T B } kbs, n B ) Clk B (T B ) L(B,A,n A,k BS,n B,T B ). k AB : shk A B n B : nonce T now : time T V,T e : time L(B,A,n A,k BS,n B,T B ) N({A,k AB,T B } kbs, {n B } kab ) Val B (A,T B, T V ) (T e = T B + T V ) Auth B (A, k AB,T B,T e ) Val B (A,T B, T V ) Constraint Computer Security: 7 - Specification Languages 75

Constraints χ Guards over interpreted domain Abstract Modular Invoke constraint handler E.g.: timestamps (T E = T N + T d ) (T N < T E ) Computer Security: 7 - Specification Languages 76

NS-I: S s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Computer Security: 7 - Specification Languages 77

NS-I: S s role Anchored role A,B:princ. k AS : shk A S k BS : shk B S n A,n B : nonce T B : time N(B, {A,n A,T B } kbs, n B ) k AB : shk A B. N({B,n A,k AB,T B } kas, {A,k AB,T B } kbs, n B ) S Computer Security: 7 - Specification Languages 78

Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab Computer Security: 7 - Specification Languages 79

NS-II: A s role A L: princ (A) x princ (B) x shk A B x nonce. n A :nonce. B:princ. k AB : shk A B X: msg Tkt A (B,k AB,X) N( n A, X) Tkt A (B,k AB,X) L(A, B,k AB,n A ). n A,n B : nonce L(A, B,k AB,n A ) N(n B, {n A } kab ) N({n B } kab ) Computer Security: 7 - Specification Languages 80

NS-II: B s role L: princ (B) x princ (A) x shk A B x nonce. B n A : nonce k BS : shk B S A:princ. k AB : shk A B T B,T e : time T now : time N(n A, {A,k AB,T B } kbs ) Auth B (A, k AB,T B,T e ) Clk B (T now ) (T now < T e ) n B :nonce. N(n B, {n A } kab ) Auth B (A, k AB,T B,T e ) Clk B (T now ) L(B,A,k AB,n B ). n B : nonce L(B,A,k AB,n B ) N({n B } kab ) Computer Security: 7 - Specification Languages 81

Summary: Rules x 1 : τ 1. x n : τ n. y 1 : τ 1. lhs rhs y n : τ n. N(t) Network L(t,, t) Local state M A (t,, t) Memory χ Constraints N(t) Network L(t,, t) Local state M A (t,, t) Memory Computer Security: 7 - Specification Languages 82

Summary: Roles Role state pred. var. declarations Generic roles L: τ 1 (x 1 ) x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Role owner Anchored roles L: τ 1 (x 1 ) x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Computer Security: 7 - Specification Languages 83

Summary: Snapshots Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signatur e a : τ L l : τ M _ : τ Computer Security: 7 - Specification Languages 84

Summary: Execution Model Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules P C C 1- step firing Computer Security: 7 - Specification Languages 85

Summary: Rule application r = F, χ n:τ. G(n) Constraint check Σ = χ (constraint handler) Firing [S 1 ] R(r,ρ)A Σ S, F [S 2 ] RρA Σ, c:τ S, G(c) c not in S 1 Computer Security: 7 - Specification Languages 86

Configurations Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signatur e a : τ L l : τ M _ : τ Computer Security: 7 - Specification Languages 87

Execution Model 1- step firing P C C Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules Computer Security: 7 - Specification Languages 88

Variable Instantiation Σ t : τ [S] R ( x:τ.r,ρ) A [S] Σ R ([t/x]r,ρ) A Σ Not fully realistic for verification Redundancy realizes typing, but not completely Computer Security: 7 - Specification Languages 89

Rule Application r = F, χ n:τ. G(n) Constraint check Σ = χ (constraint handler) Firing [S 1 ] R(r,ρ)A Σ S, F [S 2 ] RρA Σ, c:τ S, G(c) c not in S 1 Computer Security: 7 - Specification Languages 90

Properties Admissibility of parallel firing Type preservation Access control preservation Completeness of Dolev-Yao intruder Computer Security: 7 - Specification Languages 91

MSR 2.0 NS Initiator A B: {n A, A} kb B A: {n A, n B } ka A B: {n B } kb A L: princ x princ (B) x pubk B x nonce. B: princ k B : pubk B n A :nonce. L(A,B,k B,n A ) N({n A,A} kb ) k A : pubk A k A : privk k A n A,n B : nonce L(A,B,k B,n A ) N({n A,n B } ka ) N({n B } kb ) Computer Security: 7 - Specification Languages 92

MSR 2.0 NS Responder A B: {n A, A} kb B A: {n A, n B } ka A B: {n B } kb L: princ (B) x pubk B (kb) x privk k B x nonce. B k B : pubk B k B : privk k B A: princ n A : nonce k A : pubk A N({n A,A} kb ) n B :nonce. L(B,k B,k B,n B ) N({n A,n B } ka ) n B : nonce L(B,k B,k B,n B ) N({n B } kb ) Computer Security: 7 - Specification Languages 93

Readings R. Needham and M. Schroeder, Using Encryption for Authentication in Large Networks of Computers, 1978 M. Burrows, M. Abadi, and R. Needham, A Logic of Authentication, 1989 M. Abadi and A. Gordon, A Calculus for Cryptographic Protocols: The Spi-Calculus, 1999 J. Thayer-Fabrega, J. Herzog, and J. Guttman, Strand Spaces: Why is a Security Protocol Correct, 1998 Iliano Cervesato, Typed MSR: Syntax and Examples, 2000 Computer Security: 7 - Specification Languages 94

Exercises for Lecture 7 Give MSR 2.0 encodings of one of the following protocols from the Clark and Jacob library (http://www-users.cs.york.ac.uk/~jac/drareview.ps.gz) Needham-Schroeder public key [6.3.1] Amended Needham-Schroeder [6.3.4] Wide-Mouthed Frog [6.3.5] Yahalom[6.3.6] Woo-Lam [6.3.10 Π] Kehne-Langendorfer-Shoenwalder [6.3.5] Kao-Chow [6.5.4] Computer Security: 7 - Specification Languages 95

Next Intruder Models Computer Security: 7 - Specification Languages 96

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback