1 Towards evolving specs of security protocols March 7, 2002 Dusko Pavlovic Kestrel Institute.

Post on 19-Jan-2016


1

Towards evolving specs of security protocols

March 7, 2002

Dusko Pavlovic, Kestrel Institute

2

Claim

Security Engineering

is a part of

Software Engineering

3

Claim

• it is helpful to analyze:
  – protocols in context of architectures
  – security as a part of high assurance
  – malicious attackers on connectors together with unspecified environments of components
• both SE and SE are concerned with
  – distributed,
  – multi-layered,
  – heterogeneous complex systems…

4

Outline

• Mobile proposals:
  – IPv4 vs IPv6
• Problem:
  – remote redirection (traffic hijacking)
• Adding authentication:
  – espec transformation
• Variations and ongoing work

5

Papers

• Authentication for Mobile IPv6

– with A. Datta, J. Mitchell and F. Muller

• Composition and refinement of behavioral specifications

– with D. Smith

• Guarded transitions in evolving specifications

– with D. Smith

http://www.kestrel.edu/users/pavlovic/

6

Mobile IPv4

[Diagram: initial architecture, with nodes HA, MN, FA and CN]

7

Mobile IPv4

[Diagram: nodes HA, MN, FA, CN]

8

Mobile IPv4

[Diagram: nodes HA, MN, FA, CN]

9

Mobile IPv4

[Diagram: nodes HA, MN, FA, CN]

10

Mobile IPv4

[Diagram: nodes HA, MN, FA, CN]

11

Mobile IPv4

[Diagram: nodes HA, MN, FA, CN; label: triangle routing!]

12

Mobile IPv4

[Diagram: session architecture, with nodes HA, MN, FA and CN]

13

Mobile IPv6

• avoid triangle routing:
  – use IPv6 Routing Header and tunneling
• minimize
  – network partitioning
  – computational load on:
    » routers
    » nodes: no expensive encryptions or decryptions
  – number of messages
  – need for infrastructure: no global PKI
• maximize
  – performance and availability: no DoS
  – end-to-end security: authenticate location information

14

Mobile IPv6

• home address
  – the node is always addressed by the same IP number
• care-of addresses (one or more)
  – bind dynamically to different subnet IP numbers
    » all packets containing the binding information must be authenticated
    » authentication relies upon previously established security associations
• Binding Update/Acknowledgement
  – realized through Destination Options Headers
  – Binding Cache integrated with Destination Cache
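
An added example, not part of the original slides: a receiver-side Binding Cache that changes a home-address-to-care-of-address binding only when the Binding Update verifies under the key of a previously established security association. The message layout, the HMAC-SHA256 authenticator, the sequence-number check and all names and addresses are assumptions of this sketch, not the Mobile IPv6 wire format.

```python
import hashlib
import hmac
import ipaddress

def bu_tag(key, home, care_of, seq):
    """Authenticator over the binding (HMAC-SHA256 is this example's choice)."""
    msg = (ipaddress.IPv6Address(home).packed
           + ipaddress.IPv6Address(care_of).packed
           + seq.to_bytes(4, "big"))
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_bu(key, home, care_of, seq):
    return {"home": home, "care_of": care_of, "seq": seq,
            "tag": bu_tag(key, home, care_of, seq)}

class BindingCache:
    """Receiver side: maps a home address to its current care-of address."""
    def __init__(self):
        self.sa = {}        # home address -> key of an established security association
        self.bindings = {}  # home address -> (care-of address, last accepted seq)

    def process_bu(self, bu):
        key = self.sa.get(bu["home"])
        if key is None:
            return "reject: no security association"
        expected = bu_tag(key, bu["home"], bu["care_of"], bu["seq"])
        if not hmac.compare_digest(expected, bu["tag"]):
            return "reject: bad authenticator"
        if bu["seq"] <= self.bindings.get(bu["home"], (None, -1))[1]:
            return "reject: stale sequence number"
        self.bindings[bu["home"]] = (bu["care_of"], bu["seq"])
        return "accept"

    def route(self, home):
        # Without a binding, traffic keeps going to the home address.
        return self.bindings.get(home, (home, 0))[0]

def demo():
    home, coa = "2001:db8:1::10", "2001:db8:2::10"   # constructed sample addresses
    key = b"constructed-sample-sa-key"               # constructed sample key
    cache = BindingCache()
    cache.sa[home] = key
    genuine = make_bu(key, home, coa, 1)
    redirected = dict(make_bu(key, home, coa, 2), care_of="2001:db8:bad::1")
    unknown = make_bu(key, "2001:db8:1::99", coa, 1)
    results = [cache.process_bu(m) for m in (genuine, redirected, unknown, genuine)]
    return results, cache.route(home)

if __name__ == "__main__":
    print(demo())
```

The altered care-of address, the update for a home address with no security association, and the replayed update are all refused, so the cache still routes to the care-of address from the one genuine update.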

15

Mobile IPv6 proposal

[Diagram: initial architecture, with nodes HA, MN and CN]

16

[Diagram: nodes HA, MN, CN]

17

Mobile IPv6

[Diagram: nodes HA, MN, CN; labels: $g^x$, $g^y$, $g^y$, $k = g^{xy}$, $\{BU\}_k$]

18

Mobile IPv6

[Diagram: nodes HA, MN, CN]

19

Mobile IPv6

[Diagram: nodes HA, MN, CN]

20

Mobile IPv6 proposal

[Diagram: session architecture, with nodes MN and CN]

21

Mobile IPv6 proposal

[Diagram: actual initial architecture, with nodes HA, MN and CN and several nodes labelled E]

22

Mobile IPv6

[Diagram: nodes HA, MN, CN and E; labels: $g^x$, $g^v$, $g^v$, $g^u$, $g^y$, $k_{EC} = g^{uy}$, $k_{ME} = g^{xv}$]

23

Mobile IPv6 proposal

[Diagram: possible session architecture, with nodes MN, E and CN]

24

Task

Use especs to add authentication!

25

Task

• Assess tradeoff between
  – maximizing strength of authentication
  – minimizing need for infrastructure

26

MN’s view

[Diagram: espec MN; labels:]

$(u)\ (u^x/k)$
$g^x\ (u)\ (u^x/k)$
$(x)\ g^x\ (u)\ (u^x/k)$

27

CN’s view

[Diagram: espec CN; labels:]

$g^y\ (w^y/k)$
$(y)\ g^y\ (w^y/k)$
$(w)\ (y)\ g^y\ (w^y/k)$

28

BU architecture

[Diagram: boxes labelled espec CN, espec MN, espec HA, espec Net, espec BU]

29

(aspects of especs)

• genericity
  – all agents are instances of cord espec
• automated
  – composition of agents
  – trace generation
• support for formal analysis
  – model checking
  – theorem proving
  – invariant generation

30

BU architecture

[Diagram: boxes labelled espec CN, espec MN, espec HA, espec Net, espec BU]

31

BU architecture

[Diagram: boxes labelled espec CN, espec MN, espec HA, espec Net, diag BU]

32

(aspects of especs)

• adjustable abstraction level
• stratification:
  – agents: process calculus
  – protocols: especs
  – architectures: diagrams
    » network connectors and components
    » infrastructure and chain of trust
    » information flow
    » …

33

BU architecture

diag BU

34

BU refinement

[Diagram: nodes labelled diag BU, diag AuthKeyExch, diag KeyExch, diag AuthBU, Lib, Lib]

35

(aspects of especs)

• development (programming, generation)
  – top-down: refinement
    » morphisms: inheritance, genericity
  – bottom-up: composition
    » pushouts
    » emergent and vanishing properties
    » game theory, linear logic (strategies)
  – program transformation
    » authentication compiler (Bellare-Canetti-Krawczyk)
    » optimization
  – adaptation
    » specification-carrying software

36

BU refinement

[Diagram: nodes labelled diag BU, diag AuthKeyExch, diag KeyExch, diag AuthBU, Lib, Lib]

37

AuthBU architecture

[Diagram: boxes labelled espec AuthCN, espec AuthMN, espec HA_CN, espec Net, espec HA_MN, diag AuthBU]

38

AuthMN’s view

[Diagram: espec AuthMN; labels:]

$g^x\ (u,v)\ (v/\{g^x,u\}_{hm})\ (u^x/k)$
$(u,v)\ (v/\{g^x,u\}_{hm})\ (u^x/k)$
$(v/\{g^x,u\}_{hm})\ (u^x/k)$
$(x)\ g^x\ (u,v)\ (v/\{g^x,u\}_{hm})\ (u^x/k)$

39

Authenticated MIPv6

[Diagram: initial architecture, with nodes HA, HA, MN and CN and several nodes labelled E]

40

[Diagram: nodes MN, CN, HA_MN, HA_CN; labels:]

$g^x$
$g^x, g^y, \{g^x, g^y\}_{hc}$
$g^x, g^y, \{g^x, g^y\}_{sg}$
$g^y, \{g^x, g^y\}_{hm}$
$k = g^{xy}$

41

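[Diagram: nodes MN, CN, HA_MN, HA_CN; labels:]

$g^x$
$\{i_{MN}, g^y, s\}_{hc}$
$s$
$\{i_{CN}, i_{MN}, g^y, s\}_{pk}$, $\{i_{CN}, i_{MN}, g^y, s\}_{sg}$
$s = \{i_{CN}, i_{MN}, g^x, g^y\}_k$
$\{i_{MN}, g^y, s\}_{hm}$
$k = g^{xy}$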

42

[Diagram: nodes MN, CN, HA_MN, HA_CN; labels:]

$g^x$
$\{i_{MN}, g^y, s\}_{hc}$
$s$
$\{i_{CN}, i_{MN}, g^y, s, \{i_{CN}, i_{MN}, g^y, s\}_{sg}\}_{pk}$
$s = \{i_{CN}, i_{MN}, g^x, g^y\}_k$
$\{s, g^y, i_{MN}\}_{hm}$
$k = g^{xy}$

43

Authenticated MIPv6

[Diagram: assured session architecture, with nodes MN and CN]

44

Variations

• weaker authentications:
  – one-way: no PKI, just certificates, or AAA - no anonymity
  – first time unauthenticated (like SSH), then chained hashing
• stronger authentications:
  – privacy
  – anonymity, non-repudiation
• dynamic infrastructure
  – no shared secret: databases of “fingerprints”
  – authenticating by non-forgeable capability
  – authenticating by divided secret

45

(aspects of especs)

• additional aspects:
  – information flow
  – information hiding
  – cryptography
  – …

46

Ongoing work

IMPLEMENT the tool!

47

Papers

• Authentication for Mobile IPv6

– with A. Datta, J. Mitchell and F. Muller

• Composition and refinement of behavioral specifications

– with D. Smith

• Guarded transitions in evolving specifications

– with D. Smith

http://www.kestrel.edu/users/pavlovic/

48

(cord spaces)

(names) N ::= X | A

(terms) t ::= x | a | N | t,...,t | {t}N

(strands) S ::= aS

(cords) C ::= [S]

(actions) a ::= t | (x) | (t/p(x))

(interaction) [(x)R] [tS] ... [R(t/x)] [S] ...

(reaction) [(p(t)/p(x))R] ... [R(t/x)]...

FV(t) =

FV(t) =

49

What are especs?

• diagrams of specs
• specification-carrying programs
• in a development environment supporting
  – refinement (top-down)
  – composition (bottom-up)
  – synthesis of verified code
• programming language with
  – guarded commands
  – logical annotations as first-class citizens (available at runtime)
  – procedural abstraction and refinement

50

What are specs?

spec Poset is
  sort X
  op < : X*X -> Bool
  ax trans is x<y /\ y<z => x<z
  ax sym...
end-spec

spec Semilattice is
  sort X
  op V in : X*X -> X
  cons b : X
  ax assoc is (xVy)Vz = xV(yVz)
  …
end-spec

x<y xVy=y

[Diagram: spec BinR, spec AsymR, spec RefR, spec TranR, spec BinO, spec Comm, spec Invol, spec Assoc]

51

What are especs?

espec Basic_Acct is
  spec … end-spec
  prog
    stad Create init[X] is …
    stad Amount[self] is …
    …
    step Depos[self,d]: Amount[self] -> Amount[self,d]
      cond d>0
      balance(self) |-> balance(self)+d
    end-step
  end-prog
end-espec

[Diagram: Create, Amount, Depos]

espec Savings_Acct is
  spec … end-spec
  prog
    stad Create init[X] is …
    stad Accum …
    step Transfer …
      …
    end-step
    …
  end-prog
end-espec

[Diagram: Create, Amount, Depos, Accum]