MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ PPL 01 March 21 st, 2001
Outline I. Security Protocols II. MSR by Examples Multiset rewriting The Neuman-Stubblebine Protocol MSR III. Intruder Models Dolev-Yao intruder MSR by Examples 2
Part I Security Protocols MSR by Examples 3
What are they? Exchange of (encrypted) messages for Communicating secrets Authentication Contract signing E-commerce MSR by Examples 4
Neuman-Stubblebine Phase I A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 5
Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab MSR by Examples 6
Dolev-Yao Abstraction Symbolic data No bit-strings Perfect cryptography No guessing of keys Public knowledge soup Magic access to data MSR by Examples 7
Why is Protocol Analysis Difficult? Subtle cryptographic primitives Dolev-Yao abstraction Distributed hostile environment Prudent engineering practice Inadequate specification languages the devil is in details MSR by Examples 8
Languages to Specify What? Message flow Message constituents Operating environment Protocol goals MSR by Examples 9
Desirable Properties Unambiguous Simple Flexible Adapts to protocol Applies to a wide class of protocols Insightful MSR by Examples 10
Part II MSR by Examples MSR by Examples 11
What s in MSR? Multiset rewriting with existentials Dependent types w/ subsorting Memory predicates New New Constraints New MSR by Examples 12
Multiset Rewriting Multiset: set with repetitions allowed Rewrite rule: r: N 1 N 2 Application r M 1 M 2 r M, N 1 M, N 2 Multi-step transition, reachability MSR by Examples 13
Neuman-Stubblebine Phase I A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 14
NS-I: B s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 15
NS-I: S s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 16
NS-I: A s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab X X Ticket MSR by Examples 17
Sending / Receiving Messages N(A, n A ) Network predicate N(t): t is a message in transit N({B,n A,k AB,T B } kas,x,n B ) N({n B } kab ) MSR by Examples 18
Terms Atomic terms Principal names A Keys k Nonces n Term constructors ( ) {_} D e f i n a b l e MSR by Examples 19
Nonces n A. N(A, n A ) Existential variables n A instantiated to a new constant N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) MSR by Examples 20
MSet Rewriting with Existentials msets of 1 st -order atomic formulas Rules: Application r: F(x) n. G(x,n) r M 1 M 2 c not in M 1 r M, F(t) M, G(t,c) MSR by Examples 21
Sequencing actions L. Fresh! n A. N(A, n A ) L(A,n A ) Role state predicate L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) MSR by Examples 22
Role state predicates Hold data local to a role instance Lifespan = role L l (A,t,, t) Invoke next rule L l = control (A,t,, t) = data MSR by Examples 23
Remembering Things L. n A. L(A,n A ) N(A, n A ) L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) Tkt A (B,k AB,X) Memory predicate MSR by Examples 24
Memory Predicates New M A (t,, t) Hold private info. across role exec. Support for subprotocols Communicate data Pass control Interface to outside system Implements intruder MSR by Examples 25
Role owner New Role owner The principal executing the role L. n A. L(A,n A ) N(A, n A ) A L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) Tkt A (B,k AB,X) MSR by Examples 26
What is what? Types A L: princ x nonce. na :nonce. n A :nonce. L(A,n A ) N(A, n A ) B:princ. n A,n B : nonce k AB : shk A B k AS : shk A S X: msg L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) Tkt A (B,k AB,X) MSR by Examples 27
Types of Terms A: princ n: nonce k: shk A B k: pubk A k : privk k (definable) Types can depend on term Captures relations between objects Static Local Mandatory MSR by Examples 28
Subtyping τ :: msg Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies MSR by Examples 29
Type of predicates Dependent sums Σx: τ. τ τ (x) x τ Forces associations among arguments x E.g.: princ (A) x pubk A (k A) x privk k A MSR by Examples 30
Type Checking New Σ P t has type τ in Γ Γ t : τ P is welltyped in Σ Catches: Encryption with a nonce Transmission of a long term key MSR by Examples 31
Access Control New r is AC-valid for A in Γ Catches Γ A r P is ACvalid in Σ Σ P A signing/encrypting with B s key A accessing B s private data, Gives meaning to Dolev-Yao intruder MSR by Examples 32
NS-I: B s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 33
NS-I: B s role L: princ (B) x princ x nonce x shk B S x nonce x time. B A:princ. n A : nonce k BS :shkb S T B : time n B :nonce. N(A, n A ) Clk B (T B ) N(B, {A,n A,T B } kbs, n B ) Clk B (T B ) L(B,A,n A,k BS,n B,T B ). k AB :shka B n B : nonce T now : time T V,T e : time L(B,A,n A,k BS,n B,T B ) N({A,k AB,T B } kbs, {n B } kab ) Val B (A,T B, T V ) (T e = T B + T V ) Auth B (A, k AB,T B,T e ) Val B (A,T B, T V ) Constraint MSR by Examples 34
Constraints New χ Guards over interpreted domain Abstract Modular Invoke constraint handler E.g.: timestamps (T E = T N + T d ) (T N < T E ) MSR by Examples 35
NS-I: S s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 36
NS-I: S s role Anchored role A,B:princ. k AS :shka S k BS :shkb S n A,n B : nonce T B : time N(B, {A,n A,T B } kbs,n B ) k AB :shka B. N({B,n A,k AB,T B } kas, {A,k AB,T B } kbs, n B ) S MSR by Examples 37
Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab MSR by Examples 38
NS-II: A s role A L: princ (A) x princ (B) x shk A B x nonce. n A :nonce. B:princ. k AB :shka B X: msg Tkt A (B,k AB,X) N( n A, X) Tkt A (B,k AB,X) L(A, B,k AB,n A ). n A,n B : nonce L(A, B,k AB,n A ) N(n B,{n A } kab ) N({n B } kab ) MSR by Examples 39
NS-II: B s role L: princ (B) x princ (A) x shk A B x nonce. B n A : nonce k BS :shkb S A:princ. k AB :shka B T B,T e : time T now : time N(n A, {A,k AB,T B } kbs ) Auth B (A, k AB,T B,T e ) Clk B (T now ) (T now < T e ) n B :nonce. N(n B, {n A } kab ) Auth B (A, k AB,T B,T e ) Clk B (T now ) L(B,A,k AB,n B ). n B : nonce L(B,A,k AB,n B ) N({n B } kab ) MSR by Examples 40
Summary: Rules x 1 : τ 1. x n : τ n. y 1 : τ 1. lhs rhs y n : τ n. N(t) Network L(t,, t) Local state M A (t,, t) Memory χ Constraints N(t) Network L(t,, t) Local state M A (t,, t) Memory MSR by Examples 41
Summary: Roles Role state pred. var. declarations Generic roles L: τ (x 1 ) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Role owner Anchored roles L: τ (x1) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A MSR by Examples 42
Summary: Snapshots Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signature a : τ L l : τ M _ : τ MSR by Examples 43
Summary: Execution Model Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules P C C 1-step firing MSR by Examples 44
Summary: Rule application r = F, χ n:τ. G(n) Constraint check Σ = χ (constraint handler) Firing [S 1 ] R(r,ρ) Σ [S 2 ] Rρ Σ, c:τ c not in S 1 S, F S, G(c) MSR by Examples 45
Properties Type preservation Access control preservation Completeness of Dolev-Yao intruder New MSR by Examples 46
Completed Case-Studies Full Needham-Schroeder public-key Otway-Rees Neuman-Stubblebine repeated auth. OFT group key management MSR by Examples 47
Part III The Intruder MSR by Examples 48
Execution with an Attacker P, P I C C Selected principal(s): Generic capabilities: Well-typed AC-valid I P I Modeled completely within MSR MSR by Examples 49
The Dolev-Yao Intruder Specific protocol suite P DY Underlies every protocol analysis tool Completeness still unproved MSR by Examples 50
Capabilities of the D-Y Intruder Intercept / emit messages Decrypt / encrypt with known key Split / form pairs Look up public information Generate fresh data MSR by Examples 51
DY Intruder Net Interference M I (t) : Intruder knowledge t: msg. N(t) M I (t) I t: msg. M I (t) N(t) I MSR by Examples 52
DY Intruder Decryption A,B: princ k: shk A B t: msg M I ({t} k ) M I (k) M I (t) I A: princ k: pubk A k : privk A t: msg M I ({t} k ) M I (k) M I (t) I MSR by Examples 53
DY Intruder Encryption A,B: princ k: shk A B t: msg M I (t) M I (k) M I ({t} k ) I A: princ k: pubk A t: msg M I (t) M I (k) M I ({t} k ) I MSR by Examples 54
DY Intruder Pairs t 1,t 2 : msg M I (t 1,t 2 ) M I (t 1 ) M I (t 2 ) I t 1,t 2 : msg M I (t 1 ) M I (t 2 ) M I (t 1,t 2 ) I MSR by Examples 55
DY Intruder Structural rules t: msg M I ( t) M I (t) M I (t) I t: msg M I ( t) I MSR by Examples 56
DY Intruder Data access A: princ. M I (A) I A: princ k: shk I A M I (k) I + dual A: princ k: pubk A M I (k) I k: pubk I k : privk k M I (k ) I No nonces, no other keys, MSR by Examples 57
DY Intruder Data Generation Safe data n:nonce. M I (n) I m:msg. M I (m) I Anything else? A,B:princ. k:shk A B. M I (k) I??? It depends on the protocol!!! Automated generation? MSR by Examples 58
DY Intruder Stretches AC to Limit AC-valid Well-typed Dolev-Yao intruder MSR by Examples 59
Completeness of D-Y Intruder If P [S] R Σ [S ] R Σ with all well-typed and AC-valid Then P, P DY [S] R Σ [S ] R Σ MSR by Examples 60
Consequences Justifies design of current tools Support optimizations D-Y intr. often too general/inefficient Generic optimizations Per protocol optimizations Restrictive environments Caps multi-intruder situations MSR by Examples 61
Future work Experimentation Clark-Jacob library Fair-exchange protocols More multicast Pragmatics Type-reconstruction Operational execution model(s) Implementation Automated specification techniques MSR by Examples 62