Duminda Wijesekera Fall 2005 1
AVISPA
Class Notes for ISA 780
Made from many publications available from the AVISPA web site http://www.avispa-project.org
This transparency is simply a teaching aid used to explain contributions of authors of AVISPA. We respect all copyrights held by those and possibly other authors.
References
  Many references available at http://www.avispa-project.org
  Will use some presentations available at http://www.avispa-project.org/talks.html
  Will cover some details from:
    The High Level Protocol Specification Language
    Intermediate form
    List of selected problems
    The Temporal Logic of Actions by Leslie Lamport, ACM Transactions on Programming Languages and Systems Vol 7, No 7, November 1993, Pages 1-52, available from the author's web site at Microsoft Research.
    Also the book Specifying Systems, describing TLA and a model checker, is freely available from the Microsoft web site http://research.microsoft.com/users/lamport/
  Will cover other tools used in AVISPA from the respective papers.
  Some experience in using AVISPA at GMU
Suggested Reading
1. The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications. The 5-page paper from CAV05, available through the AVISPA web site.
   Authors: Armando, Basin, Boichut, Chevalier, Compagna, Cuellar, Hankes Drielsma, Héam, Kouchnarenko, Mantovani, Mödersheim, von Oheimb, Rusinowitch, Santiago, Turuani, Viganò, Vigneron
Suggested Reading
1. The High Level Protocol Specification Language (HLPSL).
2. The AVISPA Tutorial.
3. The Intermediate Form.
4. Some fragment of the TLA paper to see how HLPSL is mapped to TLA.
5. Papers 6, 9, 2, 5 listed on the CAV05 paper to get an idea of how the different components of AVISPA work.
6. A Hierarchy of Authentication Protocols by Gavin Lowe, to understand the difference between strong vs. weak authentication.
7. Suggested: Two facets of authentication, by Martín Abadi (an old paper)
Introduction to AVISPA
1. First go through the transparencies “The AVISPA Project: Automated Validation of Internet Security Protocols and Applications” by Alessandro Armando.
2. See the AVISPA tool being used online.
3. Come back to describing the details of HLPSL.
4. Then review TLA and understand how HLPSL is translated to TLA.
High Level Protocol Specification Language (HLPSL)
  Reference: Deliverable 2.1: The High Level Protocol Specification Language, available from http://www.avispa-project.org/
  Syntax used to specify protocols in AVISPA:
    Strongly typed
    Supports:
      modularity: composition, hiding
      control flow
      explicit intruder knowledge
      cryptographic primitives: nonces, hashes, signatures
      algebraic properties: xor, exp
Entities in HLPSL
  Basic types and terms
  State-based formalism
  Roles
    Simple (agents such as Alice, Bob etc.)
    Composite (communities of agents playing their roles as Alice, Bob and the Dolev-Yao Intruder, Key Server, synchronizing with each other)
    The environment (where all evil lives = Intruder = environment)
  Security Goals
    Strong authentication, authorization, anonymity, secrecy, etc.
States and Variables
Kinds of variables:
  State variables: those that are within the scope of a role.
    Declared at the top of a role
    Unprimed versions indicate current state
    Primed versions indicate next state
An example

    role Alice (A, B: agent,
                Ka, Kb: public_key,
                SND, RCV: channel (dy))
    played_by A def=
      local State: nat, Na: text (fresh), Nb: text
      init State = 0
      transition
        1. State = 0 /\ RCV(start) =|>
           State' = 2 /\ SND({Na'.A}_Kb) /\ witness(A,B,na,Na')
        2. State = 2 /\ RCV({Na.Nb'}_Ka) =|>
           State' = 4 /\ SND({Nb'}_Kb) /\ request(A,B,nb,Nb') /\ secret(Na,B)
    end role
Basic types in HLPSL
agent: names of principals
public_key: asymmetric keys
symmetric_key: symmetric keys
nat: natural numbers
function: to model hash functions etc.
bool: Boolean values for modeling flags
Aggregate types
Lists
  Example:

    KeyMap: (agent, public_key) list
    init KeyMap = []
    in((B,Kb'), KeyMap)
State and transition predicates
  State predicate: first-order formulas written using unprimed state variables.
    Example:
      State = Init
      State = done
  Transition predicates: first-order formulas written using primed and unprimed state variables.
    Example:
      (State'=2) /\ SND({Na'.A}_Kb) /\ witness(A,B,na,Na')
Mappings
  Functions on messages: rigid mappings that do not change due to state changes
    Thus f(x) = f(x')
  Mapping from one type to another
    Denoted using ->
    Example:

      exists KeyMap: agent -> public_key
      init KeyMap = [(A,Ka),(B,Kb)]
Messages
  Space of legal messages as the closure of the basic types under the operations of
    concatenation, via the associative “.” operator, and
    encryption, written {Msg}_Key for a given message Msg and encryption key Key
  Examples:

    Na         % The nonce on its own
    A.Na       % A's name concatenated with the nonce
    {A.Na}_K   % As above, but encrypted with K
Channels
  Variables over which communication takes place.
  Connects communicating parties.
  Type may take an attribute specifying the intruder
    Currently supports only (dy), the Dolev-Yao intruder
  Example:

    role Alice (A, B: agent,
                Ka, Kb: public_key,
                SND, RCV: channel (dy))
Roles
Description of entity behavior
Two kinds:
  Basic Roles: schematic descriptions of atomic behavior
  Composed Roles: instantiations of other roles composed using operators
Roles are translated to TLA for operational semantics
Role Definition
1. Role declaration: its name and the list of formal arguments, along with (in the case of basic roles) a player declaration;
2. Declaration of local variables and ownership rules, if any;
3. Initialization of variables, if required;
4. Declaration of accepting states, if any;
5. Knowledge declarations, if applicable;
6. Either (optionally):
     a transition section (for basic roles) or
     a composition section (for composed roles).
Basic Roles
General Pattern

    role Basic_Role (…)
    played_by … def=
      owns {θ: Θ}
      local {ε}
      init Init
      accepts Accept
      transition
        event1 action1
        event2 action2
    end role

Initiator Role in NSPK

    role Alice (A, B: agent,
                Ka, Kb: public_key,
                SND, RCV: channel (dy))
    played_by A def=
      local State: nat, Na: text (fresh), Nb: text
      init State = 0
      transition
        1. State = 0 /\ RCV(start) =|>
           State' = 2 /\ SND({Na'.A}_Kb) /\ witness(A,B,na,Na')
        2. State = 2 /\ RCV({Na.Nb'}_Ka) =|>
           State' = 4 /\ SND({Nb'}_Kb) /\ request(A,B,nb,Nb') /\ secret(Na,B)
    end role
Composed Roles: Parallel Composition
Pattern

    role Par_Role (…)
    def=
      owns {θ:Θ}
      local {ε}
      init Init
      accepts Accept
      composition
        A /\ B
    end role

Example

    role Kerberos (..)
      composition
        Client /\ Authn_Server /\ TGS /\ Server
    end role
Composed Roles: Sequential Composition
General Pattern

    role Seq_Role (…)
    def=
      owns {θ:Θ}
      local {ε}
      init Init
      accepts Accept
      composition
        A ; B
    end role

Example

    role Alice (..)
      establish_TLS_Tunnel(server_authn_only);
      present_credentials;
      main_protocol(request, response)
    end role
Syntactic Details: Role declaration
  Keyword role followed by an identifier (the role name) and, in parentheses, a comma-separated list of arguments with their types.
  A definition of the role player
  An optional role header:
    may declare local variables using exists
    may assert ownership of variables with owns
    may initialize variables in an init
    may define accepting states using accepts
    may include knowledge declarations
An example role
    role Alice (A, S: agent, Ka, Ks: public_key)
    played_by Alice def=
      exists State: nat, Na: text (fresh)
      init State = 0
      owns X
      accepts State=5 /\ auth=1
      knowledge(A) = { inv(Ka), {A,Ka}_inv(Ks) }
      ... % Role body
    end role
State transitions in roles
Spontaneous transitions
    anAction. A --|> B
  where, whenever state predicate A is satisfied, action B may be taken (non-deterministic: not required)
Immediate reactions
    aReaction. A =|> B
  Whenever a non-stutter event A is true, action B must be executed simultaneously
State predicates, events and actions
A state predicate: predicates that do not have primed variables.
Stuttering step: a transition predicate that does not change any value
  Example: X'=X /\ Y=Y'
Action: transition predicates p(v,v') satisfying v v' p(v,v')
Events: transition predicates containing at least one X ≠ X'
An example again
General Pattern

    role Basic_Role (…)
    played_by … def=
      owns {θ: Θ}
      local {ε}
      init Init
      accepts Accept
      transition
        event1 action1
        event2 action2
    end role

Initiator Role in NSPK

    role Alice (A, B: agent,
                Ka, Kb: public_key,
                SND, RCV: channel (dy))
    played_by A def=
      local State: nat, Na: text (fresh), Nb: text
      init State = 0
      transition
        1. State = 0 /\ RCV(start) =|>
           State' = 2 /\ SND({Na'.A}_Kb) /\ witness(A,B,na,Na')
        2. State = 2 /\ RCV({Na.Nb'}_Ka) =|>
           State' = 4 /\ SND({Nb'}_Kb) /\ request(A,B,nb,Nb') /\ secret(Na,B)
    end role
Communication in HLPSL
  Synchronous, via immediate transitions
  Runtime ensures that SND and RCV are executed simultaneously, over channels
  How communication is modeled:
    SND(msg) in the RHS of a rule is shorthand for SND'=msg
    RCV(Msg) in the LHS is shorthand for (RCV-flag'≠RCV-flag) /\ (RCV'=Msg), where RCV-flag is a binary flag toggled whenever the channel has a new message.
Role composition
No transition section
Have a composition section that instantiates other roles
Operators:
  Parallel /\
  Sequential ;
Top level role is named Environment
The NSPK example: Alice

    role Alice (A, B: agent, Ka, Kb: public_key, SND, RCV: channel(dy))
    played_by A def=
      exists State: nat, Na: text (fresh), Nb: text
      init State=0
      knowledge(A) = { inv(Ka) }
      transition
        step1. State=0 /\ RCV(start) =|>
               State'=1 /\ SND({Na'.A}_Kb)
        step2. State=1 /\ RCV({Na.Nb'}_Ka) =|>
               State'=2 /\ SND({Nb'}_Kb)
    end role
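The NSPK example: Bob

    role Bob (A, B: agent, Ka, Kb: public_key, SND, RCV: channel(dy))
    played_by B def=
      exists State: nat, Na: text, Nb: text (fresh)
      init State=0
      knowledge(B) = { inv(Kb) }
      transition
        step1. State=0 /\ RCV({Na'.A}_Kb) =|>
               State'=1 /\ SND({Na'.Nb'}_Ka)
        % Message 3 arrives under Kb, the key Alice's step2 sends it under;
        % Bob holds inv(Kb) and could not open a message encrypted with Ka.
        step2. State=1 /\ RCV({Nb}_Kb) =|>
               State'=2
    end role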
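The two NSPK roles above, executed as guarded immediate reactions. This is an added Python illustration, not AVISPA code: messages are symbolic tuples, keys are plain labels, message 3 is matched under Kb (the key Alice's step2 sends it under), and the helper names fresh, enc, dec and run_session are assumptions of the sketch.

```python
# Added illustration, not AVISPA code: HLPSL roles as guarded transitions.
import itertools
_counter = itertools.count(1)

def fresh(label):
    """Model a 'text (fresh)' variable: a value never produced before."""
    return f"{label}{next(_counter)}"

def enc(key, *parts):
    return ("enc", key, parts)          # symbolic {p1.p2...}_key

def dec(msg, key):
    """Payload of {payload}_key or None; the owner of key is assumed to hold inv(key)."""
    if isinstance(msg, tuple) and len(msg) == 3 and msg[:2] == ("enc", key):
        return msg[2]
    return None

def alice_step(s, rcv):
    """One immediate reaction of role Alice: (next state, SND') or (s, None)."""
    if s["State"] == 0 and rcv == "start":                   # step1
        na = fresh("na")                                      # Na' is fresh
        return {**s, "State": 1, "Na": na}, enc(s["Kb"], na, s["A"])
    body = dec(rcv, s["Ka"])
    if s["State"] == 1 and body and len(body) == 2 and body[0] == s["Na"]:
        # step2: unprimed Na must equal the stored nonce; primed Nb' is bound
        return {**s, "State": 2, "Nb": body[1]}, enc(s["Kb"], body[1])
    return s, None                                            # guard false: stutter

def bob_step(s, rcv):
    body = dec(rcv, s["Kb"])
    if s["State"] == 0 and body and len(body) == 2 and body[1] == s["A"]:
        nb = fresh("nb")                                      # step1: Na' bound, Nb' fresh
        return {**s, "State": 1, "Na": body[0], "Nb": nb}, enc(s["Ka"], body[0], nb)
    if s["State"] == 1 and body == (s["Nb"],):                # step2: Nb is checked
        return {**s, "State": 2}, None
    return s, None

def run_session():
    """Honest run between constructed agents a and b; returns states and trace."""
    a = {"State": 0, "A": "a", "B": "b", "Ka": "ka", "Kb": "kb"}
    b, msg, trace, turn = dict(a), "start", [], 0
    while msg is not None:
        if turn % 2 == 0:
            a, msg = alice_step(a, msg)
        else:
            b, msg = bob_step(b, msg)
        trace += [msg] if msg is not None else []
        turn += 1
    return a, b, trace
```

A received message that fails the unprimed-variable check (wrong nonce or wrong key) leaves the role in its current state, which is the stuttering behaviour described earlier.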
The NSPK: Composition

    role NSPK (S, R: agent -> channel (dy),
               Instances: (agent,agent,public_key,public_key) set)
    def=
      exists A, B: agent, Ka, Kb: public_key
      composition
        /\_{in((A,B,Ka,Kb),Instances)}
          Alice(A,B,Ka,Kb,S(A),R(A))
          /\ Bob(A,B,Ka,Kb,S(B),R(B))
    end role
The NSPK: Environment
    role Environment()
    def=
      composition
        NSPK([(a,s_a),(b,s_b)],            % S
             [(a,r_a),(b,r_b)],            % R
             [(a,b,ka,kb),(a,i,ka,ki)])    % Instances
    end role
Security Goals
  Only secrecy and authentication goals are supported currently.
  Expected to have more expressive goals using temporal logic syntax.
  Expressed in the goal section
  Examples:
    Secrecy of V: if V is obtained or derived by the attacker, AVISPA would report.
    Authentication goals:
      Strong authentication
      Weak authentication
Examples: Security Goals of NSPK
    goal
      Alice weakly authenticates Bob on Nb
      Bob weakly authenticates Alice on Na
      secrecy_of Na, Nb
    end goal
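What "obtained or derived by the attacker" means for a secrecy goal under the Dolev-Yao model, as an added Python sketch (not AVISPA's algorithm or code): the intruder's knowledge is closed under projection and decryption, then checked for whether a term can be composed. The term encoding, the function names and the observed messages are constructed for illustration; only public-key encryption is modeled.

```python
# Added illustration, not AVISPA's algorithm: Dolev-Yao deduction as a fixpoint.
# Atoms are strings; ("pair", x, y) is x.y; ("enc", k, m) is {m}_k;
# ("inv", k) is the private key for public key k.

def analyze(knowledge):
    """Close a set of terms under projection and public-key decryption."""
    known, changed = set(knowledge), True
    while changed:
        changed = False
        for t in list(known):
            parts = set()
            if isinstance(t, tuple) and t[0] == "pair":
                parts = {t[1], t[2]}
            elif isinstance(t, tuple) and t[0] == "enc" and ("inv", t[1]) in known:
                parts = {t[2]}
            if not parts <= known:
                known |= parts
                changed = True
    return known

def derivable(term, known):
    """Synthesis: term is known, or is a pair/encryption of derivable parts."""
    if term in known:
        return True
    if isinstance(term, tuple) and term[0] in ("pair", "enc"):
        return all(derivable(x, known) for x in term[1:])
    return False

def intruder_learns(candidates, observed, initial):
    """Which candidate terms the intruder can obtain from the observed traffic."""
    known = analyze(set(observed) | set(initial))
    return sorted(c for c in candidates if derivable(c, known))

def pair(x, y): return ("pair", x, y)
def enc(k, m): return ("enc", k, m)

# Constructed data for the two instances listed in the Environment role.
INITIAL = {"a", "b", "i", "ka", "kb", "ki", ("inv", "ki")}
SESSION_A_B = [enc("kb", pair("na", "a")), enc("ka", pair("na", "nb")), enc("kb", "nb")]
SESSION_A_I = [enc("ki", pair("na2", "a"))]   # a's first message when B = i
```

In the (a,i,ka,ki) instance the nonce na2 is derivable, but it is shared with i by design, so a secrecy check has to compare what is derivable against the set of agents each secret was declared for.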
Instantiating the main role in AVISPA
Environment()