MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ IITD, CSE Dept. Delhi, India April 24 th,2002
Outline Security Protocols MSR Multiset rewriting The Neuman-Stubblebine Protocol MSR Iliano Cervesato MSR by Examples 2
Security Protocols Exchange of (encrypted) messages for Communicating secrets Authentication Contract signing E-commerce Iliano Cervesato MSR by Examples 3
Neuman-Stubblebine Phase I A B: A, n A A wants to access service provided by B B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab S is the key distribution center Ticket Iliano Cervesato MSR by Examples 4
Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab Ticket A wants to use the service provided by B again Iliano Cervesato MSR by Examples 5
The Dolev-Yao Model of Security Symbolic data No bits 01001011010 k a Black-box cryptography No guessing of keys Partially abstract data access Knowledge soup a k a k b s Found in most protocol analysis tools Tractability Iliano Cervesato MSR by Examples 6
Why is Protocol Analysis Difficult? Subtle cryptographic primitives Dolev-Yao abstraction Distributed hostile environment Prudent engineering practice Inadequate specification languages the devil is in details Iliano Cervesato MSR by Examples 7
Languages to Specify What? Message flow Message constituents Operating environment Protocol goals Iliano Cervesato MSR by Examples 8
Desirable Properties Unambiguous Simple Flexible Adapts to protocol Applies to a wide class of protocols Insightful Iliano Cervesato MSR by Examples 9
MSR Multiset rewriting with existentials Dependent types w/ subsorting Memory predicates New New Constraints New Iliano Cervesato MSR by Examples 10
Multiset Rewriting Multiset: set with repetitions allowed Rewrite rule: r: N 1 N 2 Application r M 1 M 2 r M, N 1 M, N 2 Multi-step transition, reachability Iliano Cervesato MSR by Examples 11
Neuman-Stubblebine Phase I A B: B S: A, n A B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Iliano Cervesato MSR by Examples 12
NS-I: B s point of view A B: B S: A, n A B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Iliano Cervesato MSR by Examples 13
NS-I: S s point of view A B: B S: A, n A B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Iliano Cervesato MSR by Examples 14
NS-I: A s point of view A B: B S: A, n A B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab X X Ticket Iliano Cervesato MSR by Examples 15
Sending / Receiving Messages N(A, n A ) Network predicate N(t): t is a message in transit N({B,n A,k AB,T B } kas,x,n B ) N(X,{n B } kab ) Iliano Cervesato MSR by Examples 16
Terms Atomic terms Principal names A Keys k Nonces n Term constructors ( ) {_} D e f i n a b l e Iliano Cervesato MSR by Examples 17
Nonces n A. N(A, n A ) Existential variables n A instantiated to a new constant N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Iliano Cervesato MSR by Examples 18
MSet Rewriting with Existentials msets of 1 st -order atomic formulas Rules: Application r: F(x) n. G(x,n) r M 1 M 2 c not in M 1 r M, F(t) M, G(t,c) Iliano Cervesato MSR by Examples 19
Sequencing actions L. Fresh! n A. N(A, n A ) L(A,n A ) Role state predicate L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Iliano Cervesato MSR by Examples 20
Role state predicates Hold data local to a role instance Lifespan = role L l (A,t,, t) Invoke next rule L l = control (A,t,, t) = data Iliano Cervesato MSR by Examples 21
Remembering Things L. n A. L(A,n A ) N(A, n A ) L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Tkt A (B,k AB,X) Memory predicate Iliano Cervesato MSR by Examples 22
Memory Predicates New M A (t,, t) Hold private info. across role exec. Support for subprotocols Communicate data Pass control Interface to outside system Implements intruder Iliano Cervesato MSR by Examples 23
Role owner New Role owner The principal executing the role L. n A. L(A,n A ) N(A, n A ) A L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Tkt A (B,k AB,X) Iliano Cervesato MSR by Examples 24
What is what? Types A L: princ x nonce. na :nonce. n A :nonce. L(A,n A ) N(A, n A ) B:princ. n A,n B : nonce k AB : shk A B k AS : shk A S X: msg L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Tkt A (B,k AB,X) Iliano Cervesato MSR by Examples 25
Types of Terms A: princ n: nonce k: shk A B k: pubk A k : privk k (definable) Types can depend on term Captures relations between objects Static Local Mandatory Iliano Cervesato MSR by Examples 26
Subtyping τ :: msg Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies Iliano Cervesato MSR by Examples 29
Type of predicates Dependent sums Σx: τ. τ τ (x) x τ Forces associations among arguments x E.g.: princ (A) x pubk A (k A) x privk k A Iliano Cervesato MSR by Examples 31
Type Checking New Σ P t has type τ in Γ Γ t : τ P is welltyped in Σ Catches: Encryption with a nonce Transmission of a long term key Iliano Cervesato MSR by Examples 37
Data Access Specification DAS r is DAS-valid for A in Γ Catches New Γ A r P is DASvalid in Σ Σ P A signing/encrypting with B s key A accessing B s private data, Gives meaning to Dolev-Yao intruder Iliano Cervesato MSR by Examples 38
NS-I: B s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab Iliano Cervesato MSR by Examples 39
NS-I: B s role L: princ (B) x princ x nonce x shk B S x nonce x time. B A:princ. n A : nonce k BS :shkb S T B : time n B :nonce. N(A, n A ) Clk B (T B ) N(B, {A,n A,T B } kbs, n B ) Clk B (T B ) L(B,A,n A,k BS,n B,T B ). k AB :shka B n B : nonce T now : time T V,T e : time L(B,A,n A,k BS,n B,T B ) N({A,k AB,T B } kbs, {n B } kab ) Val B (A,T B, T V ) (T e = T B + T V ) Auth B (A, k AB,T B,T e ) Val B (A,T B, T V ) Constraint Iliano Cervesato MSR by Examples 40
Constraints New χ Guards over interpreted domain Abstract Modular Invoke constraint handler E.g.: timestamps (T E = T N + T d ) (T N < T E ) Iliano Cervesato MSR by Examples 41
NS-I: S s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab Iliano Cervesato MSR by Examples 42
NS-I: S s role Anchored role A,B:princ. k AS :shka S k BS :shkb S n A,n B : nonce T B : time N(B, {A,n A,T B } kbs,n B ) k AB :shka B. N({B,n A,k AB,T B } kas, {A,k AB,T B } kbs, n B ) S Iliano Cervesato MSR by Examples 43
Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab Iliano Cervesato MSR by Examples 44
NS-II: A s role A L: princ (A) x princ (B) x shk A B x nonce. n A :nonce. B:princ. k AB :shka B X: msg Tkt A (B,k AB,X) N( n A, X) Tkt A (B,k AB,X) L(A, B,k AB,n A ). n A,n B : nonce L(A, B,k AB,n A ) N(n B,{n A } kab ) N({n B } kab ) Iliano Cervesato MSR by Examples 45
NS-II: B s role L: princ (B) x princ (A) x shk A B x nonce. B n A : nonce k BS :shkb S A:princ. k AB :shka B T B,T e : time T now : time N(n A, {A,k AB,T B } kbs ) Auth B (A, k AB,T B,T e ) Clk B (T now ) (T now < T e ) n B :nonce. N(n B, {n A } kab ) Auth B (A, k AB,T B,T e ) Clk B (T now ) L(B,A,k AB,n B ). n B : nonce L(B,A,k AB,n B ) N({n B } kab ) Iliano Cervesato MSR by Examples 46
Summary: Rules x 1 : τ 1. x n : τ n. y 1 : τ 1. lhs rhs y n : τ n. N(t) Network L(t,, t) Local state M A (t,, t) Memory χ Constraints N(t) Network L(t,, t) Local state M A (t,, t) Memory Iliano Cervesato MSR by Examples 47
Summary: Roles Role state pred. var. declarations Generic roles L: τ (x 1 ) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Role owner Anchored roles L: τ (x1) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Iliano Cervesato MSR by Examples 48
Summary: Snapshots Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signature a : τ L l : τ M _ : τ Iliano Cervesato MSR by Examples 49
Summary: Execution Model Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules P C C 1-step firing Iliano Cervesato MSR by Examples 50
Summary: Rule application r = F, χ n:τ. G(n) Constraint check Σ = χ (constraint handler) Firing [S 1 ] R(r,ρ)A Σ [S 2 ] RρA Σ, c:τ c not in S 1 S, F S, G(c) Iliano Cervesato MSR by Examples 51
Properties Decidability of type checking Type preservation Access control preservation Decidability of DAS verification Completeness of Dolev-Yao intruder Iliano Cervesato MSR by Examples 52
Completed Case-Studies Full Needham-Schroeder public-key Otway-Rees Neuman-Stubblebine repeated auth. OFT group key management Iliano Cervesato MSR by Examples 53
Part III The Intruder Iliano Cervesato MSR by Examples 54
Execution with an Attacker P, P I C C Selected principal(s): Generic capabilities: Well-typed AC-valid I P I Modeled completely within MSR Iliano Cervesato MSR by Examples 55
The Dolev-Yao Intruder Specific protocol suite P DY Underlies every protocol analysis tool Completeness still unproved Iliano Cervesato MSR by Examples 56
Capabilities of the D-Y Intruder Intercept / emit messages Decrypt / encrypt with known key Split / form pairs Look up public information Generate fresh data Iliano Cervesato MSR by Examples 57
Future work Experimentation Clark-Jacob library Fair-exchange protocols More multicast Pragmatics Type-reconstruction Operational execution model(s) Implementation Automated specification techniques Iliano Cervesato MSR by Examples 58