September 17th, 2001 FOSAD 2001 – Bertinoro, Italy
Security Protocol Specification Languages
Iliano Cervesato
ITT Industries, Inc @ NRL – Washington DC
http://www.cs.stanford.edu/~iliano/
Scope of this Course
Specification languages for cryptographic protocols
  Evaluation criteria
  Anthology of languages
  Scientific impact
Extras . . .
  Advertisement for MSR
This Course is not about
Cryptography
Applications of crypto-protocols
Taxonomy of
  Protocols
  Attacks
  Tools
Verification
Outline
Hour 1: Specification languages
Hour 2: MSR
Hour 3: The most powerful attacker
Hour 4: Reconstructing the intruder
Hour 1
Specification Languages
Hour 1: Outline
Security protocols
Dolev-Yao abstraction
Specification targets
Major specification languages
  Origins
  Example (Needham-Schroeder)
  Properties
  Evaluation
Security Protocols
Use cryptographic means to ensure
  confidentiality
  authentication
  non-repudiation, …
in distributed/untrusted environment
Applications
  e-commerce
  trade/military secrets
  everyday computing
Security goals
Why is Protocol Analysis Difficult?
Subtle cryptographic primitives
  Dolev-Yao abstraction
Distributed hostile environment
  “Prudent engineering practice”
Inadequate specification languages
  … the devil is in details …
Correctness vs. Security [Mitchell]
Correctness: satisfy specifications
  For reasonable inputs, get reasonable output
Security: resist attacks
  For unreasonable inputs, output not completely disastrous
Main difference
  Active interference from the environment
Dolev-Yao Model of Security
[Figure: Network, with principals Alice, Bob, Charlie, Dan and Server]
Dolev-Yao Abstraction
Symbolic data
  No bit-strings
Perfect cryptography
  No guessing of keys
Public knowledge soup
  Magic access to data
Perfect Cryptography
KA^-1 is needed to decrypt {M}KA
No collisions
  {M1}KA = {M2}KB iff M1 = M2 and KA = KB
…
Public Knowledge Soup
Free access to auxiliary data
  Abstracts actual mechanisms
    database
    subprotocols, …
But …
  not all data are public
    keys
    secrets
… pictorially
[Figure: a, ka, kb, s]
Why is specification important?
Documentation
  communicate
Engineering
  implementation
  verification tools
Science
  foundations
  assist engineering
good
Languages to Specify What?
Message flow
Message constituents
Operating environment
Protocol goals
Desirable Properties
Unambiguous
Simple
Flexible
  Adapts to protocols
Powerful
  Applies to a wide class of protocols
Insightful
  Gives insight about protocols
Language Families
“Usual notation”
Knowledge logic
BAN
Process theory
FDR, Casper
Spi-calculus
Petri nets
Strands
MSR
Inductive methods
Temporal logic
Automata
NRL Prot. Analyzer
CAPSL
Murφ
Why so many?
Convergence of approaches
  experience from mature fields
  unifying problem
  scientifically intriguing
  funding opportunities
Fatherhood pride
Needham-Schroeder Protocol
Devised in ’78
Example of weak specification !
Broken in ’95!
But …
  purely academic
  attack subject to interpretation
“Usual Notation”
A -> B: {nA, A}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
How does it do?
Flow: Expected run
Constituents: Side remarks
Environment: Side remarks
Goals: Side remarks
Unambiguous
Simple
Flexible
Powerful
Insightful
BAN Logic [Burrows, Abadi, Needham]
Roots in belief logic
  reason about knowledge as prot. unfolds
  security: principals share same view
Specification
  usual notation “idealized protocol”
  assumptions
  Goals
Verification
  Logical inference
NS: BAN Idealization
A -> B: {nA, A}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
A B: {nA}kB
B A: {A nB BnA}kA
A B: {A nA B, B | A nB B
nB}kB
More readable syntax proposed later
NS: BAN Assumptions
A | kA A
A | kB B
A | # nA
A | A nA B
B | kB B
B | kA A
B | # nB
B | A nB B
NS: BAN Goals
B | A | A nA B
A | B | A nB B
Formally derived from BAN rules
How does BAN do?
Flow: Idealized run
Constituents: Assumptions
Environment: Implicit
Goals: BAN formulas
Unambiguous
Simple
Flexible
Powerful
Insightful
CSP [Roscoe, Lowe]
Roots in process algebra [Hoare]
  non-interference
Specification
  1 process for each role
  non-deterministic intruder process
Verification
  Refinement w.r.t. abstract spec.
  FDR: model checker for CSP
  Casper: interface to FDR
CSP: NS Initiator
Init(A, nA) =
  user.A?B -> I_running.A.B ->
  comm!Msg1.A.B.encr.key(B).nA.a ->
  comm.Msg2.B.A.encr.key(A)?nA’.nB ->
  if nA = nA’
  then comm!Msg3.A.B.encr.key(B).nB ->
       I_commit.A.B -> session.A.B -> Skip
  else Stop
A -> B: {nA, A}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
Responder is similar
CSP : Resp. authentication spec.
AR0 = R_running.A.B -> I_commit.A.B -> AR0
A1 = {| R_running.A.B, I_commit.A.B |}
AR = AR0 ||| Run (S \ A1)
How does CSP do?
Flow: Role-based
Constituents: Formalized math.
Environment: Explicit
Goals: Abstract spec.
Unambiguous
Simple
Flexible
Powerful
Insightful
Casper Specification of NS
#Free variables
A, B: Agent
na, nb : nonce
PK : Agent -> PublicKey
SK : Agent -> SecretKey
InverseKeys = (PK, SK)
#Processes
INIT(A,na) knows PK, SK(A)
RESP(B,nb) knows PK, SK(B)
#Protocol description
0. -> A : B
1. A -> B : {na, A}{PK(B)}
2. B -> A : {na, nb}{PK(A)}
3. A -> B : {nb}{PK(B)}
#Specification
Secret(A, na, [B])
Secret(B, nb, [A])
Agreement(A, B, [na,nb])
Agreement(B,A, [na,nb])
#Actual variables
Alice, Bob, Mallory: Agent
Na, Nb, Nm: Nonce
…
#Intruder information
Intruder = Mallory
IntruderKnowledge = {Alice, Bob, Mallory, Nm, PK, SK(Mallory)}
Spi-calculus [Abadi, Gordon]
π-calculus with crypto. constructs
Specification
  1 process for each role
  Instance to be studied
  Intruder not explicitly modeled
Verification
  Process equivalence to reference proc.
Spi: NS Initiator
init(A,B,cAB,KB+,KA-) =
  (nA) cAB< {|A, nA|}KB+ > .
  cAB(x) . case x of {|y|}KA- in
  let (y1,y2) = y in [y1 is nA]
  cAB< {| y2 |}KB+ > .
  0
A -> B: {nA, A}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
Spi: NS Responder
resp(B,A,cAB,KA+,KB-) =
  cAB(x) . case x of {|y|}KB- in
  let (y1,y2) = y in [y1 is A]
  (nB) cAB< {| y2, nB|}KA+ > .
  cAB(x’) . case x’ of {|y’|}KB- in [y’ is nB]
  0
A -> B: {nA, A}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
Spi: NS Instance
inst(A,B,cAB) =
  (KA) (KB)
  ( init(A,B,cAB,KB+,KA-)
  | resp(B,A,cAB,KA+,KB-))
How does Spi do?
Flow: Role-based
Constituents: Informal math.
Environment: Implicit
Goals: Reference proc.
Unambiguous
Simple
Flexible
Powerful
Insightful
Strand Spaces [Guttman, Thayer]
Roots in trace theory
  Lamport’s causality
  Mazurkiewicz’s traces
Specification
  Strands
  Sets of principals, keys, …
Verification
  Authentication tests
  Model checking
Strands
[Figure: two strands, each with nodes {nA, A}kB, {nA, nB}kA, {nB}kB]
A -> B: {nA, A}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
How do Strands do?
Flow: Role-based
Constituents: Informal math.
Environment: Side remarks
Goals: Side remarks
Unambiguous
Simple
Flexible
Powerful
Insightful
Inductive methods [Paulson]
Protocol inductively defines traces
Specification
  1 inductive rule for each protocol rule
  Universal intruder based on language
Verification
  theorem proving (Isabelle HOL)
Related methods [Bolignano]
IMs: NS
NS1 [evs ns; A B; Nonce NA used evs]
Says A B {Nonce NA, Agent A} KB # evs ns
NS2 [evs ns; A B; Nonce NB used evs;
Says A’ B {Nonce NA, Agent A} KB set evs]
Says B A {Nonce NA, Nonce NA} KA # evs ns
NS3 [evs ns; Says A B {Nonce NA, Agent A} KB set evs;
Says B’ A {Nonce NA, Nonce NA} KA set evs]
Says A B {Nonce NA} KB # evs ns
A -> B: {nA, A}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
IMs: Environment
Nil [] ns
Fake [evs ns; BSpy; X synth(analz (spies evs))]
Says Spy B X # evs ns
synth, analz, spies, … protocol indep.
How do IMs do?
Flow: Trace-based
Constituents: Formalized math.
Environment: Immutable
Goals: Imposs. traces
Unambiguous
Simple
Flexible
Powerful
Insightful
NRL Protocol Analyzer [Meadows]
Roots in automata theory
Specification
  1 finite-state automata for each role
  Grammar or words unaccessible to attacker
Verification
  Backward state exploration
  Theorem proving for finiteness
NPA: NS Resp., action 2
Subroutine rec_request(user(B,honest),N,T):
If: rcv msg(user(A,H),user(B,honest),[Z],N): verify(pke(privkey(user(B,honest)),Z),(W,user(A,H))), not(verify(W,(W1,W2))):
Then: rec_who := user(A,H), rec_self := user(B,honest), rec_gotnonce := W:
send msg(user(B,honest),[{rec_self},{rec_who}],N):
event(user(B,honest),[user(A,H)],rec_request,[W],N)
A -> B: {nA, A}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
How does NPA do?
Flow: Role-based
Constituents: Prolog code
Environment: Explicit
Goals: Unreachable state
Unambiguous
Simple
Flexible
Powerful
Insightful
RTLA [Gray, McLean]
Roots in Temporal Logic (Lamport)
Specification
  State components that change during a step
Verification
  Proof in temporal logic
Evaluation
  Similar to NPA
CAPSL [Millen]
Ad-hoc model checker
Specification
  Special-purpose language
  Intruder built-in
Implementation
  CIL [Denker] -> similar to MSR
Related systems
  Murφ [Shmatikov, Stern]
  ?? [Clarke, Jha, Marrero]
CAPSL: NS
PROTOCOL NS;
VARIABLES
  A, B: PKUser;
  Na, Nb: Nonce, CRYPTO
ASSUMPTIONS
  HOLDS A: B;
MESSAGES
  A -> B : {A, Na}pk(B);
  B -> A : {Na,Nb}pk(A);
  A -> B : {Nb}pk(B);
GOALS
  SECRET Na;
  SECRET Nb;
  PRECEDES A: B | Na;
  PRECEDES B: A | Nb;
END;
A -> B: {nA, A}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
How does CAPSL do?
Flow: Explicit run
Constituents: Declarations
Environment: Implicit
Goals: Properties
Unambiguous
Simple
Flexible
Powerful
Insightful
Two more …
MSR 1.x
MSR 2.0
… next hour
Hour 2
MSR
Hour 2: Outline
Origins
Language description
Access control
Execution model
MSR 1.x [Cervesato, Durgin, Lincoln, Mitchell, Scedrov]
Multiset rewriting with existentials
“Persistent predicates” model assumptions
Role state predicates thread rules through
MSR 1.x - Initiator
A0(A) L0(A), A0(A)
L0(A), A1(B) nA. L1(A,B,nA), N({nA,A}kB), A1(B)
L1(A,B,nA), N({nA,nB}kA) L2(A,B,nA,nB)
L2(A,B,nA,nB) L3(A,B,nA,nB), N({nB}kB)
where
  A0(A) = Pr(A), PrvK(A,kA-1)
  A1(B) = Pr(B), PubK(B,kB)
Nonce generation
Message transmission
A -> B: {nA, A}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
MSR 1.x - Responder
B0(B) L0(B), B0(B)
L0(A), B1(A), N({nA,A}kB) L1(A,B,nA), B1(A)
L1(A,B,nA) nB. L2(A,B,nA,nB), N({nA,nB}kA)
L2(A,B,nA,nB), N({nB}kB) L3(A,B,nA,nB)
where
  B0(B) = Pr(B), PrvK(B,kB-1)
  B1(A) = Pr(A), PubK(A,kA)
Role state predicate
Persistent Info.
A -> B: {nA, A}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
Evaluation
Poor specification language
  Error-prone
  Limited automated assistance
Very insightful
  Undecidability of protocol correctness verification
How did we do?
Flow: Role-based
Constituents: Persistent info.
Environment: In part
Goals
Unambiguous
Simple
Flexible
Powerful
Insightful
MSR 2.0 [Cervesato]
Redesign MSR as a spec. language
  Easy to use
  Support for automation
Margin for verification
  Current techniques can be adapted
Insightful
  Background in type-theory
How will we do?
Flow: Role-based
Constituents: Strong typing
Environment: In part
Goals
Unambiguous
Simple
Flexible
Powerful
Insightful
What’s in MSR 2.0 ?
Multiset rewriting with existentials
Dependent types w/ subsorting (New)
Memory predicates (New)
Constraints (New)
Terms
Atomic terms
  Principal names A
  Keys k
  Nonces n
  …
Term constructors
  (_ _)
  {_} _
  {{_}}_
  [_] _
  …
Definable
Rules
y1: ’1.
…yn’: ’n’.
x1: 1. …
xn: n.lhs rhs
• N(t) Network
• L(t, …, t) Local state
• MA(t, …, t)Memory
• Constraints
• N(t) Network
• L(t, …, t) Local state
• MA(t, …, t) Memory
Types of Terms
A: princ
n: nonce
k: shK A B
k: pubK A
k’: privK k
… (definable)
Types can depend on term
• Captures relations between objects
• Subsumes persistent information
    Static
    Local
    Mandatory
Subtyping
Allows atomic terms in messages
Definable
  Non-transmittable terms
  Sub-hierarchies
:: msg
Role State Predicates
Hold data local to a role instance
  Lifespan = role
Invoke next rule
  Ll = control
  (A,t, …, t) = data
Ll(A,t, …, t)
Memory Predicates
Hold private info. across role exec.
Support for subprotocols
  Communicate data
  Pass control
Interface to outside system
Implements intruder
New
MA(t, …, t)
Constraints
Guards over interpreted domain
  Abstract
  Modular
Invoke constraint handler
E.g.: timestamps (TE = TN + Td) (TN < TE)
New
Type of Predicates
Dependent sums
(x) x
Forces associations among arguments
E.g.: princ(A) x pubK A(kA) x privK kA
x: .
x
Roles
Generic roles
Anchored roles
y:’.x:. lhs rhs… … …
y:’.x:. lhs rhs
L: ’1(x1) x … x ’n
(xn)
…
Role state pred.var. declarations
A
Role owner
L: ’1(x1) x … x ’n
(xn)
…A
Role owner
y:’.x:. lhs rhs… … …
y:’.x:. lhs rhs
MSR 2.0 – NS Initiator
A
B: princ
kB: pubK B
nA:nonce.L(A,B,kB,nA) N({nA,A}kB)
…
kA: pubK A
k’A: privK kA
nA,nB: nonce
L(A,B,kB,nA) N({nA,nB}kA)
N({nB}kB)
L: princ x princ(B) x pubK B x nonce.
A -> B: {nA, A}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
MSR 2.0 – NS Responder
B
kB: pubK B
k’B: privK kB
A: princ
nA: nonce
kA: pubK A
N({nA,A}kB) nB:nonce.L(B,kB,k’B,nB) N({nA,nB}kA)
…
nB: nonce
L(B,kB,k’B,nB) N({nB}kB)
L: princ(B) x pubK B(kB) x privK kB x nonce.
A -> B: {nA, A}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
Type Checking
|— P
P is well-typed in
|— t :
t has type in
Decidable
Catches:
  Encryption with a nonce
  Transmission of a long term key
  Circular key hierarchies, …
Static and dynamic uses
New
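Two of the errors this slide says type checking catches, as an added example that is not from the original slides: a simplified sort checker for message terms. It assumes princ and nonce are subsorts of msg, that key sorts are declared non-transmittable, and that a single "enc" tag stands for both encryption constructors; the tuple encoding and all names are assumptions of this sketch.

```python
# Added example (not from the slides): simplified sort checking of message terms.
# Atoms are strings declared in a signature; ("pair", t1, t2) and ("enc", t, k)
# are the only constructors. Key sorts are dependent: ("shK", A, B),
# ("pubK", A), ("privK", k).

TRANSMITTABLE = {"princ", "nonce", "msg"}  # assumed subsorts of msg

class IllTyped(Exception):
    pass

def check_signature(sig):
    """Dependent key sorts must refer to declared principals / public keys."""
    for name, sort in sig.items():
        if not isinstance(sort, tuple):
            continue
        kind, *args = sort
        want = "pubK" if kind == "privK" else "princ"
        for arg in args:
            declared = sig.get(arg)
            got = declared[0] if isinstance(declared, tuple) else declared
            if got != want:
                raise IllTyped(f"{name}: {kind} depends on {arg}, not a {want}")

def sort_of(term, sig):
    if isinstance(term, str):
        if term not in sig:
            raise IllTyped(f"undeclared atom {term}")
        return sig[term]
    tag = term[0]
    if tag == "pair":
        require_msg(term[1], sig)
        require_msg(term[2], sig)
        return "msg"
    if tag == "enc":
        require_msg(term[1], sig)
        key_sort = sort_of(term[2], sig)
        if not (isinstance(key_sort, tuple) and key_sort[0] in ("shK", "pubK")):
            raise IllTyped(f"encryption key {term[2]} has sort {key_sort}")
        return "msg"
    raise IllTyped(f"unknown constructor {tag}")

def require_msg(term, sig):
    sort = sort_of(term, sig)
    if sort not in TRANSMITTABLE:
        raise IllTyped(f"{term} of sort {sort} is not a msg")

def well_typed(term, sig):
    """Return True if N(term) type-checks, otherwise the rejection reason."""
    try:
        check_signature(sig)
        require_msg(term, sig)
        return True
    except IllTyped as err:
        return str(err)

# Constructed signature for the Needham-Schroeder terms used on these slides.
SIG = {"A": "princ", "B": "princ", "nA": "nonce",
       "kB": ("pubK", "B"), "kB'": ("privK", "kB"), "kAB": ("shK", "A", "B")}

if __name__ == "__main__":
    print(well_typed(("enc", ("pair", "nA", "A"), "kB"), SIG))  # first NS message
    print(well_typed(("enc", "A", "nA"), SIG))                  # nonce used as key
    print(well_typed(("pair", "A", "kAB"), SIG))                # long-term key sent
```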
Access Control
‖— P
P is AC-valid in
‖—A r
r is AC-valid for A in
Decidable
Catches
  A signing/encrypting with B’s key
  A accessing B’s private data, …
Fully static
Gives meaning to Dolev-Yao intruder
New
An Overview of Access Control
Interpret incoming information
  Collect received data
  Access unknown data
Construct outgoing information
  Generate data
  Use known data
  Access new data
Verify access to data
Processing a Rule
‖—A lhs >> ;‖—A rhs
‖—A lhs rhs
Knowledge set:
Collects what A knows
Context
Processing Predicates on the LHS
;‖—A t >>’
;‖—A N(t) >>’
;‖—A t1,…,tn >>’
;‖—A MA(t1,…,tn) >>’
• Network messages
• Memory predicates
Interpreting Data on the LHS
;‖—A k >> ’ ;’‖—A t >> ’’
;‖—A {t}k >> ’’
;‖—A t1, t2 >> ’
;‖—A (t1, t2) >> ’
;(,x)‖—A x >> (,x)
(,x:);‖—A x >> (,x)
• Pairs
• Encrypted terms
• Elementary terms
Accessing Data on the LHS
;(,k)‖—A k >> (,k)
(,x:shK A B);‖—A x >> (,x)
(,k:pubK A,k’:privK k);‖—A k >> (,k’)
(,k:pubK A,k’:privK k);(,k’)‖—A k >> (,k’)
• Shared keys
• Public keys
Generating Data on the RHS
(, x:nonce);(, x)‖—A rhs
;‖—A x:nonce. rhs
• Nonces
Constructing Terms on the RHS
;‖—A t1 ;‖—A t2
;‖—A (t1, t2)
;‖—A t ;‖—A k
;‖—A {t}k
• Shared-key encryptions
• Pairs
Accessing Data on the RHS
,B:princ ‖—A B
,B:princ,k:shK A B ‖—A k
,B:princ,k:pubK B ‖—A k
,k:pubK A,k’:privK k ‖—A k’
• Principal
• Shared key
• Private key
• Public key
Configurations
C = [S]R
Active role set
Signature
• a :
• Ll :
• M_:
State
• N(t)
• Ll(t, …, t)
• MA(t, …, t)
Execution Model
Activate roles
Generates new role state pred. names
Instantiate variables
Apply rules
Skips rules
P C C’
1-step firing
Variable Instantiation
[S]R (x:.r,) A
[S]R ([t/x]r,)A
|— t :
Not fully realistic for verification
  Redundancy realizes typing, …
  … but not completely
Rule Application
S, F
[S2]RA
c:c not in S1
S, G(c)
[S1]R(r,)A
Firing
r = F, n:. G(n)
Constraint check
|= (constraint handler)
Properties
Admissibility of parallel firing
Type preservation
Access control preservation
Completeness of Dolev-Yao intruder
New
Completed Specifications
Full Needham-Schroeder public-key
Otway-Rees
Neuman-Stubblebine repeated auth.
OFT group key management
Hour 3
The Most Powerful Attacker
Hour 3: Outline
Execution with an attacker
Specifying the Dolev-Yao intruder
Completeness of the Dolev-Yao intruder
Execution with an Attacker
P, PI C C’
Selected principal(s): I
Generic capabilities: PI
  Well-typed
  AC-valid
Modeled completely within MSR
The Dolev-Yao Intruder
Specific protocol suite PDY
Underlies every protocol analysis tool
Completeness still unproved !!!
Capabilities of the D-Y Intruder
Intercept / emit messages
Split / form pairs
Decrypt / encrypt with known key
Look up public information
Generate fresh data
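The capabilities listed above, as an added example that is not from the original slides: a symbolic model in which intruder knowledge is closed under splitting and decryption (analz) and then tested for what can be built by pairing and encryption (synth), run on a constructed Needham-Schroeder trace. The tuple encoding of terms, the pk(X)/sk(X) key naming and the sample knowledge set are assumptions of this sketch.

```python
# Added example (not from the slides): symbolic Dolev-Yao intruder knowledge.
# Atoms are strings; ("pair", t1, t2) is a pair; ("enc", t, k) is {t}k.
# Assumed key naming: "pk(X)" and "sk(X)" are inverse keys; any other key
# atom is a shared key and is its own inverse.

def inverse(key):
    if isinstance(key, str) and key.startswith("pk("):
        return "sk(" + key[3:]
    if isinstance(key, str) and key.startswith("sk("):
        return "pk(" + key[3:]
    return key

def analz(knowledge):
    """Split pairs and decrypt with known keys until nothing new appears."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            if not isinstance(term, tuple):
                continue
            if term[0] == "pair":
                parts = {term[1], term[2]}
            elif term[0] == "enc" and inverse(term[2]) in known:
                parts = {term[1]}  # perfect cryptography: inverse key required
            else:
                parts = set()
            if not parts <= known:
                known |= parts
                changed = True
    return known

def synth(known, goal):
    """Can goal be formed from known terms by pairing and encrypting?"""
    if goal in known:
        return True
    if isinstance(goal, tuple) and goal[0] in ("pair", "enc"):
        return synth(known, goal[1]) and synth(known, goal[2])
    return False

def derivable(knowledge, goal):
    return synth(analz(knowledge), goal)

# Constructed sample: one honest Needham-Schroeder run between A and B as
# seen on the network by intruder I. "nI" stands for data I generated itself.
MSG1 = ("enc", ("pair", "nA", "A"), "pk(B)")
MSG2 = ("enc", ("pair", "nA", "nB"), "pk(A)")
MSG3 = ("enc", "nB", "pk(B)")
INTRUDER_INIT = {"A", "B", "I", "pk(A)", "pk(B)", "pk(I)", "sk(I)", "nI"}
OBSERVED = INTRUDER_INIT | {MSG1, MSG2, MSG3}

def secrecy_report(knowledge, secrets=("nA", "nB")):
    """Map each secret to True when the intruder cannot derive it."""
    return {s: not derivable(knowledge, s) for s in secrets}

if __name__ == "__main__":
    print("passive observer:", secrecy_report(OBSERVED))
    print("sk(B) compromised:", secrecy_report(OBSERVED | {"sk(B)"}))
```

The second report shows the blast radius of a single private-key compromise in this model: both nonces of the recorded run become intruder knowledge.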
DY Intruder – Net Interference
t: msgN(t) MI(t) I
MI(t) : Intruder knowledge
t: msgMI(t) N(t) I
DY Intruder – Decryption
MI(t)A,B: princk: shK A Bt: msg
I
MI({t}k)MI(k)
MI(t)
A: princk: pubK Ak’: privK A t: msg
I
MI({t}k)MI(k’)
DY Intruder – Encryption
MI ({t}k)A,B: princk: shK A Bt: msg
I
MI(t)MI(k)
MI ({t}k)A: princk: pubK At: msg
I
MI(t)MI(k)
DY Intruder – Pairs
MI( t1,t2)t1,t2: msgI
MI(t1)MI(t2)
MI( t1,t2) t1,t2: msgIMI(t1)
MI(t2)
DY Intruder – Structural Rules
MI( t) t: msgIMI(t)
MI(t)
MI( t) t: msgI
DY Intruder – Data Access
MI(k’)k: pubK Ik’: privK k
I
MI(k)A: princk: pubK A
I
MI(k)A: princk: shK I A
+ dualI
A: princ MI(A)I
No nonces, no other keys, …
DY Intruder – Data Generation
n:nonceMI(n)I
It depends on the protocol !!!
Automated generation ?
Safe data
m:msgMI(m)I
Anything else ?
A,B:princ. k:shK A BMI(k)I
???
Completeness of D-Y Intruder
If P [S]R [S’]R’
’
with all well-typed and AC-valid
Then
P, PDY [S]R [S’]R’
’
Encoding of P, S,
P Remove roles anchored on I
S Map I’s state / mem. pred. using MI
Remove I’s role state pred.; add MI
Encoding of R
No encoding on structure of R
  Lacks context!
Encoding on AC-derivation for R
A :: ‖— R
Associate roles from PDY to each AC rule
Completeness Proof
Induction on execution sequence
Simulate every step with PDY
Rule application
  Induction on AC-derivation for R
  Every AC-derivation maps to execution sequence relative to PDY
Rule instantiation
  AC-derivations preserved
  Encoding unchanged
DY Intruder Stretches AC to Limit
Well-typed
AC-valid
Dolev-Yao intruder
Consequences
Justifies design of current tools
Support optimizations
  D-Y intr. often too general/inefficient
  Generic optimizations
  Per protocol optimizations
  Restrictive environments
Caps multi-intruder situations
Hour 4
Reconstructing the Intruder
Hour 4: Outline
Access Control Dolev-Yao intruder
MSR specification Access Control
The Dolev-Yao Intruder Model
Interpret incoming information
  Collect received data
  Access unknown data
Construct outgoing information
  Generate data
  Use known data
  Access new data
Same operations as AC!
Accessing Principal Names
B:princ MI(B)I
,B:princ ‖—A BI
What did we do?
Instantiate acting principal to I
Accessed data Intruder knowledge
Meta-variables Rule variables
Ignore context
Checking it out: Shared Keys
,A:princ,B:princ,k:shK A B ‖—A kI
MI(k)B: princk: shK I B
I
II
+ dual
Getting Confident: Pub./Priv. Keys
,B:princ,k:pubK B ‖—A k
MI(k)B: princk: pubK B
I
MI(k’)k: pubK Ik’: privK k
I
,A:princ,k:pubK A,k’:privK k ‖—A k’
I
II I
Constructing Messages: Pairs
t1,t2:msgMI(t1), MI(t2) MI((t1,t2))I
;‖—A t1 ;‖—A t2
;‖—A (t1, t2)I
I I
Now, what did we do?
Instantiate acting principal to I
Accessed data Intruder knowledge
Meta-variables Rule variables
Ignore and knowledge context
Premises antecedent
Conclusion consequent
Auxiliary typing derivation gives types
Carrying on: Shared-Key Encrypt.
;‖—A t ;‖—A k
;‖—A {t}kI
I I
MI(t), MI(k) MI({t}k)A,B: princk: shK A Bt: msg
I
Similar for public-key encryption
Generating Data: Nonces
(, x:nonce);(, x)‖—A rhs
;‖—A x:nonce. rhs
x:nonce. MI(x)I
I
I
Similarly for other generated data
Now, what did we do?
Instantiate acting principal to I
Accessed data Intruder knowledge
Meta-variables Rule variables
Ignore and knowledge context
Premises antecedent
Conclusion consequent
Auxiliary typing derivation gives types
One intruder rule for each AC rule
Save generated object
Interpreting Shared-Key Encrypt.
;‖—A k >> ’ ;’‖—A t >> ’’
;‖—A {t}k >> ’’I
I I
MI({t}k), MI(k) MI(t)A,B: princk: shK A Bt: msg
I
Similar for
• public-key encryption
• pairing
Now, what did we do?
Instantiate acting principal to I
Accessed data Intruder knowledge
Meta-variables Rule variables
Ignore and knowledge context
Premises antecedent
Conclusion consequent
Auxiliary typing derivation gives types
One intruder rule for each AC rule
Save generated object
Premises consequent
Conclusion antecedent
Network Rules
;‖—A t >>’
;‖—A N(t) >>’
;‖—A t
;‖—A N(t)t:msgMI(t) N(t)
I
t:msgN(t) MI(t)I
… Other Rules?
Either redundant
or, innocuous (but sensible)
t:msgN(t) N(t)I
t1,…,tn :msgM’I(t1,…,tn) MI(t1),…,MI(tn)I
Dissecting AC
5 activities:
  Interpret message components on LHS
  Access data (keys) on LHS
  Generate data on RHS
  Construct messages on RHS
  Access data on RHS
Constructors atoms
Trivial
Trivial
Trivial
Pattern matching
Accessing Data
+
+ + +
* +
princ: type
Annotate the type of freely accessible data
privK: A: princ. pubK A -> type
pubK: princ -> type
Make it conditional for dep. types
Generating Data
Again, annotate types
shK: princ -> princ -> type
nonce: type
+ + !
!
shK: princ -> princ -> type + + !
Interpreting Constructors
Mark arguments as input or output
[_]_: msg -> A: princ. k: sigK A. verK k -> msg
_,_: msg -> msg -> msg
hash: msg -> msg
{_}_: msg -> A: princ. B: princ. shK A B -> msg
{{_}}_: msg -> A: princ. k: pubK A. privK k -> msg
+ * * *
- -
+
- + + +
- + + +
Annotating Declarations
Integrates semantics of types and constructors
“Trimmed down” version of AC
Allows constructing AC rules
Allows constructing the Dolev-Yao intruder
… alternatively
Compute AC rules from protocol
There are finitely many annotations
Check protocol against each of them
Keep the most restrictive ones that validate the protocol
Exponential!
More efficient algorithms?
The end