MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ IITD, CSE Dept. Delhi, India April 24 th,2002

Outline Security Protocols MSR Multiset rewriting The Neuman-Stubblebine Protocol MSR Iliano Cervesato MSR by Examples 2

Security Protocols Exchange of (encrypted) messages for Communicating secrets Authentication Contract signing E-commerce Iliano Cervesato MSR by Examples 3

Neuman-Stubblebine Phase I A B: A, n A A wants to access service provided by B B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab S is the key distribution center Ticket Iliano Cervesato MSR by Examples 4

Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab Ticket A wants to use the service provided by B again Iliano Cervesato MSR by Examples 5

The Dolev-Yao Model of Security Symbolic data No bits 01001011010 k a Black-box cryptography No guessing of keys Partially abstract data access Knowledge soup a k a k b s Found in most protocol analysis tools Tractability Iliano Cervesato MSR by Examples 6

Why is Protocol Analysis Difficult? Subtle cryptographic primitives Dolev-Yao abstraction Distributed hostile environment Prudent engineering practice Inadequate specification languages the devil is in details Iliano Cervesato MSR by Examples 7

Languages to Specify What? Message flow Message constituents Operating environment Protocol goals Iliano Cervesato MSR by Examples 8

Desirable Properties Unambiguous Simple Flexible Adapts to protocol Applies to a wide class of protocols Insightful Iliano Cervesato MSR by Examples 9

MSR Multiset rewriting with existentials Dependent types w/ subsorting Memory predicates New New Constraints New Iliano Cervesato MSR by Examples 10

Multiset Rewriting Multiset: set with repetitions allowed Rewrite rule: r: N 1 N 2 Application r M 1 M 2 r M, N 1 M, N 2 Multi-step transition, reachability Iliano Cervesato MSR by Examples 11

Neuman-Stubblebine Phase I A B: B S: A, n A B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Iliano Cervesato MSR by Examples 12

NS-I: B s point of view A B: B S: A, n A B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Iliano Cervesato MSR by Examples 13

NS-I: S s point of view A B: B S: A, n A B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Iliano Cervesato MSR by Examples 14

NS-I: A s point of view A B: B S: A, n A B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab X X Ticket Iliano Cervesato MSR by Examples 15

Sending / Receiving Messages N(A, n A ) Network predicate N(t): t is a message in transit N({B,n A,k AB,T B } kas,x,n B ) N(X,{n B } kab ) Iliano Cervesato MSR by Examples 16

Terms Atomic terms Principal names A Keys k Nonces n Term constructors ( ) {_} D e f i n a b l e Iliano Cervesato MSR by Examples 17

Nonces n A. N(A, n A ) Existential variables n A instantiated to a new constant N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Iliano Cervesato MSR by Examples 18

MSet Rewriting with Existentials msets of 1 st -order atomic formulas Rules: Application r: F(x) n. G(x,n) r M 1 M 2 c not in M 1 r M, F(t) M, G(t,c) Iliano Cervesato MSR by Examples 19

Sequencing actions L. Fresh! n A. N(A, n A ) L(A,n A ) Role state predicate L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Iliano Cervesato MSR by Examples 20

Role state predicates Hold data local to a role instance Lifespan = role L l (A,t,, t) Invoke next rule L l = control (A,t,, t) = data Iliano Cervesato MSR by Examples 21

Remembering Things L. n A. L(A,n A ) N(A, n A ) L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Tkt A (B,k AB,X) Memory predicate Iliano Cervesato MSR by Examples 22

Memory Predicates New M A (t,, t) Hold private info. across role exec. Support for subprotocols Communicate data Pass control Interface to outside system Implements intruder Iliano Cervesato MSR by Examples 23

Role owner New Role owner The principal executing the role L. n A. L(A,n A ) N(A, n A ) A L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Tkt A (B,k AB,X) Iliano Cervesato MSR by Examples 24

What is what? Types A L: princ x nonce. na :nonce. n A :nonce. L(A,n A ) N(A, n A ) B:princ. n A,n B : nonce k AB : shk A B k AS : shk A S X: msg L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N(X, {n B } kab ) Tkt A (B,k AB,X) Iliano Cervesato MSR by Examples 25

Types of Terms A: princ n: nonce k: shk A B k: pubk A k : privk k (definable) Types can depend on term Captures relations between objects Static Local Mandatory Iliano Cervesato MSR by Examples 26

Subtyping τ :: msg Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies Iliano Cervesato MSR by Examples 29

Type of predicates Dependent sums Σx: τ. τ τ (x) x τ Forces associations among arguments x E.g.: princ (A) x pubk A (k A) x privk k A Iliano Cervesato MSR by Examples 31

Type Checking New Σ P t has type τ in Γ Γ t : τ P is welltyped in Σ Catches: Encryption with a nonce Transmission of a long term key Iliano Cervesato MSR by Examples 37

Data Access Specification DAS r is DAS-valid for A in Γ Catches New Γ A r P is DASvalid in Σ Σ P A signing/encrypting with B s key A accessing B s private data, Gives meaning to Dolev-Yao intruder Iliano Cervesato MSR by Examples 38

NS-I: B s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab Iliano Cervesato MSR by Examples 39

NS-I: B s role L: princ (B) x princ x nonce x shk B S x nonce x time. B A:princ. n A : nonce k BS :shkb S T B : time n B :nonce. N(A, n A ) Clk B (T B ) N(B, {A,n A,T B } kbs, n B ) Clk B (T B ) L(B,A,n A,k BS,n B,T B ). k AB :shka B n B : nonce T now : time T V,T e : time L(B,A,n A,k BS,n B,T B ) N({A,k AB,T B } kbs, {n B } kab ) Val B (A,T B, T V ) (T e = T B + T V ) Auth B (A, k AB,T B,T e ) Val B (A,T B, T V ) Constraint Iliano Cervesato MSR by Examples 40

Constraints New χ Guards over interpreted domain Abstract Modular Invoke constraint handler E.g.: timestamps (T E = T N + T d ) (T N < T E ) Iliano Cervesato MSR by Examples 41

NS-I: S s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab Iliano Cervesato MSR by Examples 42

NS-I: S s role Anchored role A,B:princ. k AS :shka S k BS :shkb S n A,n B : nonce T B : time N(B, {A,n A,T B } kbs,n B ) k AB :shka B. N({B,n A,k AB,T B } kas, {A,k AB,T B } kbs, n B ) S Iliano Cervesato MSR by Examples 43

Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab Iliano Cervesato MSR by Examples 44

NS-II: A s role A L: princ (A) x princ (B) x shk A B x nonce. n A :nonce. B:princ. k AB :shka B X: msg Tkt A (B,k AB,X) N( n A, X) Tkt A (B,k AB,X) L(A, B,k AB,n A ). n A,n B : nonce L(A, B,k AB,n A ) N(n B,{n A } kab ) N({n B } kab ) Iliano Cervesato MSR by Examples 45

NS-II: B s role L: princ (B) x princ (A) x shk A B x nonce. B n A : nonce k BS :shkb S A:princ. k AB :shka B T B,T e : time T now : time N(n A, {A,k AB,T B } kbs ) Auth B (A, k AB,T B,T e ) Clk B (T now ) (T now < T e ) n B :nonce. N(n B, {n A } kab ) Auth B (A, k AB,T B,T e ) Clk B (T now ) L(B,A,k AB,n B ). n B : nonce L(B,A,k AB,n B ) N({n B } kab ) Iliano Cervesato MSR by Examples 46

Summary: Rules x 1 : τ 1. x n : τ n. y 1 : τ 1. lhs rhs y n : τ n. N(t) Network L(t,, t) Local state M A (t,, t) Memory χ Constraints N(t) Network L(t,, t) Local state M A (t,, t) Memory Iliano Cervesato MSR by Examples 47

Summary: Roles Role state pred. var. declarations Generic roles L: τ (x 1 ) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Role owner Anchored roles L: τ (x1) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Iliano Cervesato MSR by Examples 48

Summary: Snapshots Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signature a : τ L l : τ M _ : τ Iliano Cervesato MSR by Examples 49

Summary: Execution Model Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules P C C 1-step firing Iliano Cervesato MSR by Examples 50

Summary: Rule application r = F, χ n:τ. G(n) Constraint check Σ = χ (constraint handler) Firing [S 1 ] R(r,ρ)A Σ [S 2 ] RρA Σ, c:τ c not in S 1 S, F S, G(c) Iliano Cervesato MSR by Examples 51

Properties Decidability of type checking Type preservation Access control preservation Decidability of DAS verification Completeness of Dolev-Yao intruder Iliano Cervesato MSR by Examples 52

Completed Case-Studies Full Needham-Schroeder public-key Otway-Rees Neuman-Stubblebine repeated auth. OFT group key management Iliano Cervesato MSR by Examples 53

Part III The Intruder Iliano Cervesato MSR by Examples 54

Execution with an Attacker P, P I C C Selected principal(s): Generic capabilities: Well-typed AC-valid I P I Modeled completely within MSR Iliano Cervesato MSR by Examples 55

The Dolev-Yao Intruder Specific protocol suite P DY Underlies every protocol analysis tool Completeness still unproved Iliano Cervesato MSR by Examples 56

Capabilities of the D-Y Intruder Intercept / emit messages Decrypt / encrypt with known key Split / form pairs Look up public information Generate fresh data Iliano Cervesato MSR by Examples 57

Future work Experimentation Clark-Jacob library Fair-exchange protocols More multicast Pragmatics Type-reconstruction Operational execution model(s) Implementation Automated specification techniques Iliano Cervesato MSR by Examples 58