MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ PPL 01 March 21 st, 2001

Outline I. Security Protocols II. MSR by Examples Multiset rewriting The Neuman-Stubblebine Protocol MSR III. Intruder Models Dolev-Yao intruder MSR by Examples 2

Part I Security Protocols MSR by Examples 3

What are they? Exchange of (encrypted) messages for Communicating secrets Authentication Contract signing E-commerce MSR by Examples 4

Neuman-Stubblebine Phase I A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 5

Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab MSR by Examples 6

Dolev-Yao Abstraction Symbolic data No bit-strings Perfect cryptography No guessing of keys Public knowledge soup Magic access to data MSR by Examples 7

Why is Protocol Analysis Difficult? Subtle cryptographic primitives Dolev-Yao abstraction Distributed hostile environment Prudent engineering practice Inadequate specification languages the devil is in details MSR by Examples 8

Languages to Specify What? Message flow Message constituents Operating environment Protocol goals MSR by Examples 9

Desirable Properties Unambiguous Simple Flexible Adapts to protocol Applies to a wide class of protocols Insightful MSR by Examples 10

Part II MSR by Examples MSR by Examples 11

What s in MSR? Multiset rewriting with existentials Dependent types w/ subsorting Memory predicates New New Constraints New MSR by Examples 12

Multiset Rewriting Multiset: set with repetitions allowed Rewrite rule: r: N 1 N 2 Application r M 1 M 2 r M, N 1 M, N 2 Multi-step transition, reachability MSR by Examples 13

Neuman-Stubblebine Phase I A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 14

NS-I: B s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 15

NS-I: S s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 16

NS-I: A s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab X X Ticket MSR by Examples 17

Sending / Receiving Messages N(A, n A ) Network predicate N(t): t is a message in transit N({B,n A,k AB,T B } kas,x,n B ) N({n B } kab ) MSR by Examples 18

Terms Atomic terms Principal names A Keys k Nonces n Term constructors ( ) {_} D e f i n a b l e MSR by Examples 19

Nonces n A. N(A, n A ) Existential variables n A instantiated to a new constant N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) MSR by Examples 20

MSet Rewriting with Existentials msets of 1 st -order atomic formulas Rules: Application r: F(x) n. G(x,n) r M 1 M 2 c not in M 1 r M, F(t) M, G(t,c) MSR by Examples 21

Sequencing actions L. Fresh! n A. N(A, n A ) L(A,n A ) Role state predicate L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) MSR by Examples 22

Role state predicates Hold data local to a role instance Lifespan = role L l (A,t,, t) Invoke next rule L l = control (A,t,, t) = data MSR by Examples 23

Remembering Things L. n A. L(A,n A ) N(A, n A ) L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) Tkt A (B,k AB,X) Memory predicate MSR by Examples 24

Memory Predicates New M A (t,, t) Hold private info. across role exec. Support for subprotocols Communicate data Pass control Interface to outside system Implements intruder MSR by Examples 25

Role owner New Role owner The principal executing the role L. n A. L(A,n A ) N(A, n A ) A L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) Tkt A (B,k AB,X) MSR by Examples 26

What is what? Types A L: princ x nonce. na :nonce. n A :nonce. L(A,n A ) N(A, n A ) B:princ. n A,n B : nonce k AB : shk A B k AS : shk A S X: msg L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) Tkt A (B,k AB,X) MSR by Examples 27

Types of Terms A: princ n: nonce k: shk A B k: pubk A k : privk k (definable) Types can depend on term Captures relations between objects Static Local Mandatory MSR by Examples 28

Subtyping τ :: msg Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies MSR by Examples 29

Type of predicates Dependent sums Σx: τ. τ τ (x) x τ Forces associations among arguments x E.g.: princ (A) x pubk A (k A) x privk k A MSR by Examples 30

Type Checking New Σ P t has type τ in Γ Γ t : τ P is welltyped in Σ Catches: Encryption with a nonce Transmission of a long term key MSR by Examples 31

Access Control New r is AC-valid for A in Γ Catches Γ A r P is ACvalid in Σ Σ P A signing/encrypting with B s key A accessing B s private data, Gives meaning to Dolev-Yao intruder MSR by Examples 32

NS-I: B s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 33

NS-I: B s role L: princ (B) x princ x nonce x shk B S x nonce x time. B A:princ. n A : nonce k BS :shkb S T B : time n B :nonce. N(A, n A ) Clk B (T B ) N(B, {A,n A,T B } kbs, n B ) Clk B (T B ) L(B,A,n A,k BS,n B,T B ). k AB :shka B n B : nonce T now : time T V,T e : time L(B,A,n A,k BS,n B,T B ) N({A,k AB,T B } kbs, {n B } kab ) Val B (A,T B, T V ) (T e = T B + T V ) Auth B (A, k AB,T B,T e ) Val B (A,T B, T V ) Constraint MSR by Examples 34

Constraints New χ Guards over interpreted domain Abstract Modular Invoke constraint handler E.g.: timestamps (T E = T N + T d ) (T N < T E ) MSR by Examples 35

NS-I: S s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 36

NS-I: S s role Anchored role A,B:princ. k AS :shka S k BS :shkb S n A,n B : nonce T B : time N(B, {A,n A,T B } kbs,n B ) k AB :shka B. N({B,n A,k AB,T B } kas, {A,k AB,T B } kbs, n B ) S MSR by Examples 37

Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab MSR by Examples 38

NS-II: A s role A L: princ (A) x princ (B) x shk A B x nonce. n A :nonce. B:princ. k AB :shka B X: msg Tkt A (B,k AB,X) N( n A, X) Tkt A (B,k AB,X) L(A, B,k AB,n A ). n A,n B : nonce L(A, B,k AB,n A ) N(n B,{n A } kab ) N({n B } kab ) MSR by Examples 39

NS-II: B s role L: princ (B) x princ (A) x shk A B x nonce. B n A : nonce k BS :shkb S A:princ. k AB :shka B T B,T e : time T now : time N(n A, {A,k AB,T B } kbs ) Auth B (A, k AB,T B,T e ) Clk B (T now ) (T now < T e ) n B :nonce. N(n B, {n A } kab ) Auth B (A, k AB,T B,T e ) Clk B (T now ) L(B,A,k AB,n B ). n B : nonce L(B,A,k AB,n B ) N({n B } kab ) MSR by Examples 40

Summary: Rules x 1 : τ 1. x n : τ n. y 1 : τ 1. lhs rhs y n : τ n. N(t) Network L(t,, t) Local state M A (t,, t) Memory χ Constraints N(t) Network L(t,, t) Local state M A (t,, t) Memory MSR by Examples 41

Summary: Roles Role state pred. var. declarations Generic roles L: τ (x 1 ) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Role owner Anchored roles L: τ (x1) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A MSR by Examples 42

Summary: Snapshots Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signature a : τ L l : τ M _ : τ MSR by Examples 43

Summary: Execution Model Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules P C C 1-step firing MSR by Examples 44

Summary: Rule application r = F, χ n:τ. G(n) Constraint check Σ = χ (constraint handler) Firing [S 1 ] R(r,ρ) Σ [S 2 ] Rρ Σ, c:τ c not in S 1 S, F S, G(c) MSR by Examples 45

Properties Type preservation Access control preservation Completeness of Dolev-Yao intruder New MSR by Examples 46

Completed Case-Studies Full Needham-Schroeder public-key Otway-Rees Neuman-Stubblebine repeated auth. OFT group key management MSR by Examples 47

Part III The Intruder MSR by Examples 48

Execution with an Attacker P, P I C C Selected principal(s): Generic capabilities: Well-typed AC-valid I P I Modeled completely within MSR MSR by Examples 49

The Dolev-Yao Intruder Specific protocol suite P DY Underlies every protocol analysis tool Completeness still unproved MSR by Examples 50

Capabilities of the D-Y Intruder Intercept / emit messages Decrypt / encrypt with known key Split / form pairs Look up public information Generate fresh data MSR by Examples 51

DY Intruder Net Interference M I (t) : Intruder knowledge t: msg. N(t) M I (t) I t: msg. M I (t) N(t) I MSR by Examples 52

DY Intruder Decryption A,B: princ k: shk A B t: msg M I ({t} k ) M I (k) M I (t) I A: princ k: pubk A k : privk A t: msg M I ({t} k ) M I (k) M I (t) I MSR by Examples 53

DY Intruder Encryption A,B: princ k: shk A B t: msg M I (t) M I (k) M I ({t} k ) I A: princ k: pubk A t: msg M I (t) M I (k) M I ({t} k ) I MSR by Examples 54

DY Intruder Pairs t 1,t 2 : msg M I (t 1,t 2 ) M I (t 1 ) M I (t 2 ) I t 1,t 2 : msg M I (t 1 ) M I (t 2 ) M I (t 1,t 2 ) I MSR by Examples 55

DY Intruder Structural rules t: msg M I ( t) M I (t) M I (t) I t: msg M I ( t) I MSR by Examples 56

DY Intruder Data access A: princ. M I (A) I A: princ k: shk I A M I (k) I + dual A: princ k: pubk A M I (k) I k: pubk I k : privk k M I (k ) I No nonces, no other keys, MSR by Examples 57

DY Intruder Data Generation Safe data n:nonce. M I (n) I m:msg. M I (m) I Anything else? A,B:princ. k:shk A B. M I (k) I??? It depends on the protocol!!! Automated generation? MSR by Examples 58

DY Intruder Stretches AC to Limit AC-valid Well-typed Dolev-Yao intruder MSR by Examples 59

Completeness of D-Y Intruder If P [S] R Σ [S ] R Σ with all well-typed and AC-valid Then P, P DY [S] R Σ [S ] R Σ MSR by Examples 60

Consequences Justifies design of current tools Support optimizations D-Y intr. often too general/inefficient Generic optimizations Per protocol optimizations Restrictive environments Caps multi-intruder situations MSR by Examples 61

Future work Experimentation Clark-Jacob library Fair-exchange protocols More multicast Pragmatics Type-reconstruction Operational execution model(s) Implementation Automated specification techniques MSR by Examples 62