Graduate Course on Computer Security Lecture 7: Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ DIMI, Universita di Udine, Italy December 6, 2001
Outline Dolev-Yao model Specification Evaluation criteria Some languages Usual notation BAN logic Spi calculus Strand spaces Inductive methods CAPSL MSR Motivations Syntax Type checking DAS Data Access Specification Execution Computer Security: 7 - Specification Languages 2
Why is Protocol Analysis Difficult? Subtle cryptographic primitives Dolev-Yao abstraction Lecture 4 a bit more in this lecture Distributed hostile environment Prudent engineering practice Lecture 4 Inadequate specification languages This lecture Computer Security: 7 - Specification Languages 3
Dolev-Yao Network Model Bob Alice Network Server Dan Charlie Computer Security: 7 - Specification Languages 4
The Dolev-Yao Model of Security Symbolic data No bits Black-box cryptography No guessing of keys 01001011010 k A Partially abstract data access Knowledge soup A k A k B S Found in most protocol analysis tools Tractability Computer Security: 7 - Specification Languages 5
Perfect Cryptography k -1 is needed to decrypt {m} k k -1 is just k for shared key ciphers No collisions {m 1 } ka = {m 2 } kb iff m 1 = m 2 and k A = k B {m} k = n never {m} k = (m 1 m 2 ) never We will relax this to handle type violations Computer Security: 7 - Specification Languages 6
Public Knowledge Soup Free access to auxiliary data Abstracts actual mechanisms Transmission of certificates Invocation of subprotocols Caching But not all data are public keys secrets A k S k AB S Computer Security: 7 - Specification Languages 7
Why is specification important? good Documentation Communicate Engineering Implementation Verification tools Science Foundations Assist engineering Computer Security: 7 - Specification Languages 8
Languages to Specify What? Message flow Message constituents Operating environment Protocol goals Computer Security: 7 - Specification Languages 9
Desirable Properties Unambiguous Simple Flexible Adapts to protocols Powerful Applies to a wide class of protocols Insightful Gives insight about protocols Computer Security: 7 - Specification Languages 10
Language Families Usual notation (user interfaces) Knowledge logic BAN Process theory Spi-calculus Strands MSR FDR, Casper Petri nets Inductive methods Temporal logic Automata CAPSL NRL Protocol Analyzer Murφ Why so many? Experience from mature fields Unifying problem Scientifically intriguing Funding opportunities Convergence of approaches Computer Security: 7 - Specification Languages 11
Running Example Needham-Schroeder public key protocol (fragment) Devised in 78 Broken in 95! But purely academic attack subject to interpretation Example of weak specification! Computer Security: 7 - Specification Languages 12
Usual Notation A B: {n A, A} kb B A: {n A, n B } ka A B: {n B } kb Computer Security: 7 - Specification Languages 13
Evaluation of the Usual Notation Flow Expected run Constituents Side remarks Environment Side remarks Goals Side remarks Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 14
BAN Logic [Burrows, Abadi, Needham] Roots in belief logic Reason about knowledge as protocol unfolds Security: principals share same view Specification Usual notation Idealized protocol Assumptions Goals Verification Logical inference Computer Security: 7 - Specification Languages 15
BAN Idealization A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb n B is a shared secret between A and B NS-PK [3-5] A B: {n A } kb n A provides evidence to the fact that B A: { A n B B na } ka A B: { A n A B, B A n B B nb } kb Believes (more readable syntax proposed later) Computer Security: 7 - Specification Languages 16
BAN Assumptions A B: {A,n A } kb B A: {n A,n B } ka k A is the public key of A n A is fresh A B: {n B } kb NS-PK [3-5] A k A A A k B B B k B B B k A A A # n A A A n A B B # n B B A n B B Computer Security: 7 - Specification Languages 17
BAN Goals A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb NS-PK [3-5] Authentication goals expressed in terms of Mutual beliefs Beliefs about freshness B A A n A B A B A n B B A # n B B # n A Formally derived from BAN rules Computer Security: 7 - Specification Languages 18
Evaluation of BAN Flow Idealized run Constituents Assumptions Environment Implicit Goals BAN formulas Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 19
The Spi-Calculus [Abadi, Gordon] π-calculus with cryptographic constructs Specification 1 process for each role Instance to be studied Intruder not explicitly modeled Verification Process equivalence to reference process Computer Security: 7 - Specification Languages 20
The Syntax of Spi Computer Security: 7 - Specification Languages 21
Spi: NS Initiator A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb init(a,b,c AB,k B+,k A- ) = NS-PK [3-5] (νn A ) c AB < { A, n A } kb + >. c AB (x). case x of { y } ka - in let (y 1,y 2 ) = y in [y 1 is n A ] c AB < { y 2 } kb + >. 0 Computer Security: 7 - Specification Languages 22
Spi: NS Responder A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb resp(b,a,c AB,k A+,k B- ) = NS-PK [3-5] c AB (x). case x of { y } kb - in let (y 1,y 2 ) = y in [y 1 is A] (νn B ) c AB < { y 2, n B } ka + >. c AB (x ). case x of { y } kb - in [y is n B ] 0 Computer Security: 7 - Specification Languages 23
Spi: NS Instance A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb inst(a,b,c AB ) = NS-PK [3-5] (νk A ) (νk B ) ( init(a,b,c AB,k B+,k A- ) resp(b,a,c AB,k A+,k B- )) Computer Security: 7 - Specification Languages 24
Evaluation of Spi Flow Role-based Constituents Informal math. Environment Implicit Goals Reference process Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 25
Strand Spaces [Guttman, Thayer] Roots in trace theory Lamport s causality Mazurkiewicz s traces Specification Strands Sets of principals, keys, Verification Authentication tests Model checking Computer Security: 7 - Specification Languages 26
Strands A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb NS-PK [3-5] Initiator strand {n A, A} kb Responder strand {n A, A} kb {n A, n B } ka {n A, n B } ka {n B } kb {n B } kb Computer Security: 7 - Specification Languages 27
Evaluation of Strands Flow Role-based Constituents Informal math. Environment Side remarks Goals Side remarks Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 28
Inductive Methods [Paulson] Protocol inductively defines traces Specification 1 inductive rule for each protocol rule Universal intruder based on language Verification Theorem proving (Isabelle HOL) Related methods [Bolignano] Computer Security: 7 - Specification Languages 29
IMs: NS A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb NS1 [evs ns; A B; Nonce N A used evs] NS-PK [3-5] Says A B {Nonce N A, Agent A} KB # evs ns NS2 [evs ns; A B; Nonce N B used evs; Says A B {Nonce N A, Agent A} KB set evs] Says B A {Nonce N A, Nonce N A } KA # evs ns NS3 [evs ns; Says A B {Nonce N A, Agent A} KB set evs; Says B A {Nonce N A, Nonce N A } KA set evs] Says A B {Nonce N A } KB # evs ns Computer Security: 7 - Specification Languages 30
IMs: Environment Nil [] ns Fake [evs ns; B Spy; X synth(analz (spies evs))] Says Spy B X # evs ns synth, analz, spies, protocol independent Computer Security: 7 - Specification Languages 31
Evaluation of Inductive Methods Flow Trace-based Constituents Formalized math. Environment Immutable Goals Imposs. traces Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 32
CAPSL [Millen] Ad-hoc model checker Specification Special-purpose language Intruder built-in Implementation CIL [Denker] -> similar to MSR Related systems Murφ [Shmatikov, Stern] SMV [Clarke, Jha, Marrero] Computer Security: 7 - Specification Languages 33
CAPSL A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb NS-PK [3-5] PROTOCOL NS; VARIABLES A, B: PKUser; Na, Nb: Nonce, CRYPTO ASSUMPTIONS HOLDS A: B; MESSAGES A -> B : {A, Na}pk(B); B -> A : {Na,Nb}pk(A); A -> B : {Nb}pk(B); GOALS SECRET Na; SECRET Nb; PRECEDES A: B Na; PRECEDES B: A Nb; END; Computer Security: 7 - Specification Languages 34
Evaluation of CAPSL Flow Explicit run Constituents Declarations Environment Implicit Goals Properties Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 35
MSR [Cervesato, Durgin, Lincoln, Mitchell, Scedrov] A specification language based on MultiSet Rewriting with existentials MSR 1.0 Designed to prove the undecidability of protocol correctness verification Poor specification language Error-prone Limited automated assistance Limited support for verification MSR 2.0 Redesign of MSR 1.0 as a specification language Easy to use Support for automation New background in typetheory Margin for verification Current techniques can be adapted Computer Security: 7 - Specification Languages 36
Evaluation of MSR 2.0 Flow Role-based Constituents Strong typing Environment In part Goals Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 37
Roadmap to MSR Step-by-step specification of example Neuman-Stubblebine protocol Language description Syntax Typing Data Access Control DAS Execution semantics Properties More examples NS-PK[3-5] Computer Security: 7 - Specification Languages 38
Multiset Rewriting Multiset: set with repetitions allowed Rewrite rule: r: N 1 N 2 Application r M 1 M 2 r M, N 1 M, N 2 Multi-step transition, reachability Computer Security: 7 - Specification Languages 39
NSt-I: B s Role A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab where T = {A,k AB,t B } kbs A B: A, n A Neuman-Stubblebine phase I B S: B, {A, n A, t B } kbs, n B S A: {B, n A, k AB, t B } kas, {A, k AB, t B } kbs, n B A B: {A, k AB, t B } kbs, {n B } kab Computer Security: 7 - Specification Languages 40
NSt-I: S s Role A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab where T = {A,k AB,t B } kbs Neuman-Stubblebine phase I A B: A, n A B S: B, {A, n A, t B } kbs, n B S A: {B, n A, k AB, t B } kas, {A, k AB, t B } kbs, n B A B: {A, k AB, t B } kbs, {n B } kab Computer Security: 7 - Specification Languages 41
NSt-I: A s Role A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: A, n A A B: T,{n B } kab where T = {A,k AB,t B } kbs Neuman-Stubblebine phase I B S: B, {A, n A, t B } kbs, n B S A: {B, n A, k AB, t B } kas, {A, k AB, t B } kbs, n B A B: {A, k AB, t B } kbs, {n B } kab X X Ticket Computer Security: 7 - Specification Languages 42
Sending / Receiving Messages N(A, n A ) Network predicate N(m): m is a message in transit N({B,n A,k AB,t B } kas,x,n B ) N(X,{n B } kab ) Computer Security: 7 - Specification Languages 43
Terms Atomic terms Principal names Keys Nonces Term constructors ( ) {_} _ A k n D e f i n a b l e Computer Security: 7 - Specification Languages 44
Nonces A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab Neuman-Stubblebine phase I n A. N(A, n A ) Existential variables n A instantiated to a new constant N({B,n A,k AB,t B } k AS, X, n B) N(X, {n B } k AB ) Computer Security: 7 - Specification Languages 45
MSet Rewriting with Existentials Multisets of 1 st -order atomic formulas Rules: Application r: F(x) n. G(x,n) r M 1 M 2 c not in M 1 r M, F(t) M, G(t,c) Computer Security: 7 - Specification Languages 46
Sequencing Actions A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t L. Fresh! n A. A B: T,{n B } kab Neuman-Stubblebine phase I N(A, n A ) L(A,n A ) Role state predicate L(A,n A ) N({B,n A,k AB,t B }, X, n k AS B) N(X, {n B } k AB ) Computer Security: 7 - Specification Languages 47
Role State Predicates Hold data local to a role instance Lifespan = role L l (A,t,, t) Invoke next rule L l = control (A,t,, t) = data Computer Security: 7 - Specification Languages 48
Remembering Things A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab Neuman-Stubblebine phase I L. n A. L(A,n A ) N(A, n A ) L(A,n A ) N({B,n A,k AB,t B } k AS, X, n B) N(X, {n B } ) k AB Tkt A (B,k AB,X) Memory predicate Computer Security: 7 - Specification Languages 49
Memory Predicates M A (t,, t) Hold private info. across role exec. Support for subprotocols Communicate data Pass control Interface to outside system Implements intruder Computer Security: 7 - Specification Languages 50
Role Owner A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab Role owner Neuman-Stubblebine phase I The principal executing the role L. n A. L(A,n A ) N(A, n A ) A L(A,n A ) N({B,n A,k AB,t B } k AS, X, n B) N(X, {n B } k AB ) Tkt A (B,k AB,X) Computer Security: 7 - Specification Languages 51
What is what? Types A L: princ x nonce. n A :nonce. n A :nonce. L(A,n A ) N(A, n A ) B:princ. n A,n B : nonce k AB : shk A B k AS : shk A S X: msg L(A,n A ) N({B,n A,k AB,t B } k AS, X, n B ) N(X, {n B} k AB ) Tkt A (B,k AB,X) Computer Security: 7 - Specification Languages 52
Types of Terms A: princ n: nonce k: shk A B k: pubk A k : privk k (definable) Types can depend on term Captures relations between objects Static Local Mandatory Computer Security: 7 - Specification Languages 53
Subtyping τ :: msg Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies Computer Security: 7 - Specification Languages 54
Type of predicates Dependent sums Σx: τ. τ τ (x) x τ Forces associations among arguments x E.g.: princ (A) x pubk A (k A) x privk k A Computer Security: 7 - Specification Languages 55
Type Checking t has type τ in Γ Catches: Γ t : τ Encryption with a nonce Transmission of a long term key Σ P P is welltyped in Σ Computer Security: 7 - Specification Languages 56
Typing Terms Γ t 1 : msg Γ t 2 : msg Γ t 1 t 2 : msg Γ t : msg Γ k : shk A B Γ {t} k : msg Γ, x : τ, Γ x : τ Similar rules for Public key encryption Digital signatures, Computer Security: 7 - Specification Languages 57
Typing Types Γ msg Γ nonce Γ time Γ A : princ Γ shk A B Γ B : princ Typing for dependent types relies on typing for terms Computer Security: 7 - Specification Languages 58
Some Subtyping Rules τ :: τ Γ t : τ Γ t : τ princ :: msg nonce :: msg time :: msg shk A B :: msg pubk A B:: msg No rule for public keys Prevent transmission Computer Security: 7 - Specification Languages 59
Typing Tuples and Tuple Types Γ : Γ x : τ Γ t : [t/x]τ Γ (x,t) : τ (x) τ Γ Γ x : τ Γ τ (x) τ Γ, x:τ τ Computer Security: 7 - Specification Languages 60
Typing Predicates Γ t:msg Γ N(t) Γ, L:τ, Γ t : τ Γ, L:τ, Γ L(t) Γ, M _ :τ, Γ (A,t ) : τ Γ, M _ :τ, Γ M A (t) Computer Security: 7 - Specification Languages 61
Typing Protocol Rules Γ lhs Γ rhs Γ lhs rhs Γ τ Γ, x:τ r Γ x:τ. r Computer Security: 7 - Specification Languages 62
Typing Roles Γ Γ τ Γ L:τ. ρ Γ, L:τ ρ Γ r Γ r, ρ Γ ρ Computer Security: 7 - Specification Languages 63
Typing Protocol Theories Γ Σ P Σ, A:princ ρ Σ P, ρ A Σ, A:princ P Σ, A:princ ρ Σ, A:princ P, ρ A Computer Security: 7 - Specification Languages 64
Data Access Specification DAS r is DASvalid for A in Γ Catches Γ A r P is DASvalid in Σ Σ P A signing/encrypting with B s key A accessing B s private data, Gives meaning to Dolev-Yao intruder Computer Security: 7 - Specification Languages 65
An Overview of Access Control Interpret incoming information Collect received data Access unknown data Construct outgoing information Generate data Use known data Access new data Verify access to data Computer Security: 7 - Specification Languages 66
Processing a Rule Knowledge set: Collects what A knows Context Γ A lhs >> Γ; A rhs Γ A lhs rhs Computer Security: 7 - Specification Languages 67
Processing Predicates on the LHS Network messages Γ ; A t >> Γ; A N(t) >> Memory predicates Γ ; A t 1,,t n >> Γ; A M A (t 1,,t n ) >> Computer Security: 7 - Specification Languages 68
Interpreting Data on the LHS Pairs Γ; A t 1, t 2 >> Γ; A (t 1, t 2 ) >> Encrypted terms Γ; A k >> Γ; A t >> Γ; A {t} k >> Elementary terms Γ; (,x) A x >> (,x) (Γ,x:τ); A x >> (,x) Computer Security: 7 - Specification Languages 69
Accessing Data on the LHS Shared keys Γ; (,k) A k >> (,k) (Γ,x:shK A B); A x >> (,x) Public keys (Γ,k:pubK A,k :privk k); (,k ) A k >> (,k ) (Γ,k:pubK A,k :privk k); A k >> (,k ) Computer Security: 7 - Specification Languages 70
Generating Data on the RHS Nonces (Γ, x:nonce); (, x) A rhs Γ; A x:nonce. rhs Computer Security: 7 - Specification Languages 71
Constructing Terms on the RHS Pairs Γ; A t 1 Γ; A t 2 Γ; A (t 1, t 2 ) Shared-key encryptions Γ; A t Γ; A k Γ; A {t} k Computer Security: 7 - Specification Languages 72
Accessing Data on the RHS Principal Γ, B:princ A B Shared key Γ, B:princ, k:shk A B A k Public key Γ, B:princ, k:pubk B A k Private key Γ, k:pubk A, k :privk k A k Computer Security: 7 - Specification Languages 73
NS-I: B s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Computer Security: 7 - Specification Languages 74
NS-I: B s role L: princ (B) x princ x nonce x shk B S x nonce x time. B A:princ. n A : nonce k BS : shk B S T B : time n B :nonce. N(A, n A ) Clk B (T B ) N(B, {A,n A,T B } kbs, n B ) Clk B (T B ) L(B,A,n A,k BS,n B,T B ). k AB : shk A B n B : nonce T now : time T V,T e : time L(B,A,n A,k BS,n B,T B ) N({A,k AB,T B } kbs, {n B } kab ) Val B (A,T B, T V ) (T e = T B + T V ) Auth B (A, k AB,T B,T e ) Val B (A,T B, T V ) Constraint Computer Security: 7 - Specification Languages 75
Constraints χ Guards over interpreted domain Abstract Modular Invoke constraint handler E.g.: timestamps (T E = T N + T d ) (T N < T E ) Computer Security: 7 - Specification Languages 76
NS-I: S s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Computer Security: 7 - Specification Languages 77
NS-I: S s role Anchored role A,B:princ. k AS : shk A S k BS : shk B S n A,n B : nonce T B : time N(B, {A,n A,T B } kbs, n B ) k AB : shk A B. N({B,n A,k AB,T B } kas, {A,k AB,T B } kbs, n B ) S Computer Security: 7 - Specification Languages 78
Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab Computer Security: 7 - Specification Languages 79
NS-II: A s role A L: princ (A) x princ (B) x shk A B x nonce. n A :nonce. B:princ. k AB : shk A B X: msg Tkt A (B,k AB,X) N( n A, X) Tkt A (B,k AB,X) L(A, B,k AB,n A ). n A,n B : nonce L(A, B,k AB,n A ) N(n B, {n A } kab ) N({n B } kab ) Computer Security: 7 - Specification Languages 80
NS-II: B s role L: princ (B) x princ (A) x shk A B x nonce. B n A : nonce k BS : shk B S A:princ. k AB : shk A B T B,T e : time T now : time N(n A, {A,k AB,T B } kbs ) Auth B (A, k AB,T B,T e ) Clk B (T now ) (T now < T e ) n B :nonce. N(n B, {n A } kab ) Auth B (A, k AB,T B,T e ) Clk B (T now ) L(B,A,k AB,n B ). n B : nonce L(B,A,k AB,n B ) N({n B } kab ) Computer Security: 7 - Specification Languages 81
Summary: Rules x 1 : τ 1. x n : τ n. y 1 : τ 1. lhs rhs y n : τ n. N(t) Network L(t,, t) Local state M A (t,, t) Memory χ Constraints N(t) Network L(t,, t) Local state M A (t,, t) Memory Computer Security: 7 - Specification Languages 82
Summary: Roles Role state pred. var. declarations Generic roles L: τ 1 (x 1 ) x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Role owner Anchored roles L: τ 1 (x 1 ) x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Computer Security: 7 - Specification Languages 83
Summary: Snapshots Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signatur e a : τ L l : τ M _ : τ Computer Security: 7 - Specification Languages 84
Summary: Execution Model Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules P C C 1- step firing Computer Security: 7 - Specification Languages 85
Summary: Rule application r = F, χ n:τ. G(n) Constraint check Σ = χ (constraint handler) Firing [S 1 ] R(r,ρ)A Σ S, F [S 2 ] RρA Σ, c:τ S, G(c) c not in S 1 Computer Security: 7 - Specification Languages 86
Configurations Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signatur e a : τ L l : τ M _ : τ Computer Security: 7 - Specification Languages 87
Execution Model 1- step firing P C C Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules Computer Security: 7 - Specification Languages 88
Variable Instantiation Σ t : τ [S] R ( x:τ.r,ρ) A [S] Σ R ([t/x]r,ρ) A Σ Not fully realistic for verification Redundancy realizes typing, but not completely Computer Security: 7 - Specification Languages 89
Rule Application r = F, χ n:τ. G(n) Constraint check Σ = χ (constraint handler) Firing [S 1 ] R(r,ρ)A Σ S, F [S 2 ] RρA Σ, c:τ S, G(c) c not in S 1 Computer Security: 7 - Specification Languages 90
Properties Admissibility of parallel firing Type preservation Access control preservation Completeness of Dolev-Yao intruder Computer Security: 7 - Specification Languages 91
MSR 2.0 NS Initiator A B: {n A, A} kb B A: {n A, n B } ka A B: {n B } kb A L: princ x princ (B) x pubk B x nonce. B: princ k B : pubk B n A :nonce. L(A,B,k B,n A ) N({n A,A} kb ) k A : pubk A k A : privk k A n A,n B : nonce L(A,B,k B,n A ) N({n A,n B } ka ) N({n B } kb ) Computer Security: 7 - Specification Languages 92
MSR 2.0 NS Responder A B: {n A, A} kb B A: {n A, n B } ka A B: {n B } kb L: princ (B) x pubk B (kb) x privk k B x nonce. B k B : pubk B k B : privk k B A: princ n A : nonce k A : pubk A N({n A,A} kb ) n B :nonce. L(B,k B,k B,n B ) N({n A,n B } ka ) n B : nonce L(B,k B,k B,n B ) N({n B } kb ) Computer Security: 7 - Specification Languages 93
Readings R. Needham and M. Schroeder, Using Encryption for Authentication in Large Networks of Computers, 1978 M. Burrows, M. Abadi, and R. Needham, A Logic of Authentication, 1989 M. Abadi and A. Gordon, A Calculus for Cryptographic Protocols: The Spi-Calculus, 1999 J. Thayer-Fabrega, J. Herzog, and J. Guttman, Strand Spaces: Why is a Security Protocol Correct, 1998 Iliano Cervesato, Typed MSR: Syntax and Examples, 2000 Computer Security: 7 - Specification Languages 94
Exercises for Lecture 7 Give MSR 2.0 encodings of one of the following protocols from the Clark and Jacob library (http://www-users.cs.york.ac.uk/~jac/drareview.ps.gz) Needham-Schroeder public key [6.3.1] Amended Needham-Schroeder [6.3.4] Wide-Mouthed Frog [6.3.5] Yahalom[6.3.6] Woo-Lam [6.3.10 Π] Kehne-Langendorfer-Shoenwalder [6.3.5] Kao-Chow [6.5.4] Computer Security: 7 - Specification Languages 95
Next Intruder Models Computer Security: 7 - Specification Languages 96