Deconstructing Alice & Bob

Carlos Caleiro, CLC, Dep. Mathematics, IST, TU Lisbon, Portugal. Luca Viganò and David Basin, Dep. Computer Science, ETH Zurich, Switzerland. ARSPA’05, Lisbon, Portugal, July 16, 2005.


  1. Deconstructing Alice & Bob
     Carlos Caleiro, CLC, Dep. Mathematics, IST, TU Lisbon, Portugal
     Luca Viganò and David Basin, Dep. Computer Science, ETH Zurich, Switzerland
     ARSPA’05 – Lisbon, Portugal – July 16, 2005

  3. The context
     Formal analysis of security protocols: strand spaces, multiset rewriting, theorem proving, ...
     Distributed temporal logic:
     - Caleiro, Viganò and Basin. Relating strand spaces and distributed temporal logic for security protocol analysis. Logic Journal of the IGPL, in print.
     - Caleiro, Viganò and Basin. Metareasoning about security protocols using distributed temporal logic. ENTCS 125(1):67–89, 2005.
     - Caleiro, Viganò and Basin. Towards a metalogic for security protocol analysis. In Proceedings of the CombLog’04 Workshop, 2004.

  5. The problem
     The Needham-Schroeder Public-Key Authentication Protocol
     $(\mathit{nspk}_1)\quad a \to b : (n_1).\ \{n_1; a\}_{K_b}$
     $(\mathit{nspk}_2)\quad b \to a : (n_2).\ \{n_1; n_2\}_{K_a}$
     $(\mathit{nspk}_3)\quad a \to b : \{n_2\}_{K_b}$
     - How to formalize a protocol specified in Alice&Bob-notation?
     - What is the meaning of such protocol descriptions?
     - How much is made explicit or left implicit?
     - What is the expressive power of Alice&Bob-style protocol specifications?

  6. A little philosophy and literary theory
     deconstruction: “(noun) a method of critical analysis of language and text which emphasizes the relational quality of meaning and the assumptions implicit in forms of expression” (taken from the Compact Oxford English Dictionary)

  7. The plan
     - Preliminaries
     - The standard semantics
     - Good examples and bad examples
     - Message forwarding and conditional abortion
     - Opaque and transparent messages
     - Incremental symbolic runs
     - Characterization theorems
     - Conclusion and further work

  9. Preliminaries
     - Messages are built from atomic messages (identifiers, numbers, and variables) by pairing, encryption and hashing
     - Perfect cryptography
     - Every message can be used as an encryption key and has an inverse for decryption
     - Communication is asynchronous and takes place over a hostile network
     Honest actions:
     - $s(M, A)$: sending the message $M$ to the principal $A$
     - $r(M)$: receiving the message $M$
     - $f(N)$: generating the fresh number $N$

  10. Preliminaries
      In general, a protocol description in Alice&Bob-notation involves a collection of principal variables corresponding to protocol participants ($a_i$) and of number variables ($n_j$), and consists of a sequence $\langle \mathit{step}_1 \dots \mathit{step}_m \rangle$ of message exchange steps, each of the form
      $(\mathit{step}_q)\quad a_s \to a_r : (n_{q_1}, \dots, n_{q_t}).\ M$
      These steps are meant to prescribe a sequence of actions to be executed by each of the participants in a run of the protocol. But how?

  12. The standard semantics
      $(\mathit{step}_q)\quad a_s \to a_r : (n_{q_1}, \dots, n_{q_t}).\ M$
      The sequence of actions corresponding to the execution of $a$'s role in the protocol is $a\text{-run} = \mathit{step}^a_1 \cdot \dots \cdot \mathit{step}^a_m$, where $\mathit{step}^a_q$ is defined by
      $$\mathit{step}^a_q = \begin{cases} \langle f(n_{q_1}) \dots f(n_{q_t}).\ s(M, a_r) \rangle & \text{if } a = a_s \\ \langle r(M) \rangle & \text{if } a = a_r \\ \langle\rangle & \text{otherwise} \end{cases}$$

  13. A good example
      The Needham-Schroeder Public-Key Authentication Protocol
      $(\mathit{nspk}_1)\quad a \to b : (n_1).\ \{n_1; a\}_{K_b}$
      $(\mathit{nspk}_2)\quad b \to a : (n_2).\ \{n_1; n_2\}_{K_a}$
      $(\mathit{nspk}_3)\quad a \to b : \{n_2\}_{K_b}$
      $a\text{-run}: \langle f(n_1).\ s(\{n_1; a\}_{K_b}, b).\ r(\{n_1; n_2\}_{K_a}).\ s(\{n_2\}_{K_b}, b) \rangle$
      $b\text{-run}: \langle r(\{n_1; a\}_{K_b}).\ f(n_2).\ s(\{n_1; n_2\}_{K_a}, a).\ r(\{n_2\}_{K_b}) \rangle$

  17. Another example
      The Otway-Rees Authentication/Key-Exchange Protocol
      $(\mathit{or}_1)\quad a \to b : (n_1).\ i; a; b; \{n_1; i; a; b\}_{K_{as}}$
      $(\mathit{or}_2)\quad b \to s : (n_2).\ i; a; b; \{n_1; i; a; b\}_{K_{as}}; \{n_2; i; a; b\}_{K_{bs}}$
      $(\mathit{or}_3)\quad s \to b : (k).\ i; \{n_1; k\}_{K_{as}}; \{n_2; k\}_{K_{bs}}$
      $(\mathit{or}_4)\quad b \to a : i; \{n_1; k\}_{K_{as}}$
      $b\text{-run}: \langle r(i; a; b; \{n_1; i; a; b\}_{K_{as}}).\ f(n_2).\ s(i; a; b; \{n_1; i; a; b\}_{K_{as}}; \{n_2; i; a; b\}_{K_{bs}}, s).\ r(i; \{n_1; k\}_{K_{as}}; \{n_2; k\}_{K_{bs}}).\ s(i; \{n_1; k\}_{K_{as}}, a) \rangle$
      $b\text{-possrun}: \langle r(i; a; b; m_1).\ f(n_2).\ s(i; a; b; m_1; \{n_2; i; a; b\}_{K_{bs}}, s).\ r(i; m_2; \{n_2; k\}_{K_{bs}}).\ s(i; m_2, a) \rangle$

  18. A bad example
      The Otway-Rees Authentication/Key-Exchange Protocol
      $(\mathit{or}_1)\quad a \to b : (n_1).\ i; a; b; \{n_1; i; a; b\}_{K_{as}}$
      $(\mathit{or}_2)\quad b \to s : (n_2).\ i; a; b; \{n_1; i; a; b\}_{K_{as}}; \{n_2; i; a; b\}_{K_{bs}}$
      $(\mathit{or}_3)\quad s \to b : (k).\ i; \{n_1; k\}_{K_{as}}; \{n_2; k\}_{K_{bs}}$
      $(\mathit{or}_4)\quad b \to a : i; \{n_1; k\}_{K_{as}}$
      $b\text{-run}: \langle r(i; a; b; \{n_1; i; a; b\}_{K_{as}}).\ f(n_2).\ s(i; a; b; \{n_1; i; a; b\}_{K_{as}}; \{n_2; i; a; b\}_{K_{bs}}, s).\ r(i; \{n_1; k\}_{K_{as}}; \{n_2; k\}_{K_{bs}}).\ s(i; \{n_1; k\}_{K_{as}}, a) \rangle$
      $b\text{-possrun}: \langle r(i; a; b; m_1).\ f(n_2).\ s(i; a; b; m_1; \{n_2; i; a; b\}_{K_{bs}}, s).\ r(i; m_2; \{n_2; k\}_{K_{bs}}).\ s(i; m_2, a) \rangle$

  19. Message variables
      The Otway-Rees Authentication/Key-Exchange Protocol
      $(\mathit{or}_1)\quad a \to b : (n_1).\ i; a; b; \{n_1; i; a; b\}_{K_{as}}$
      $(\mathit{or}_2)\quad b \to s : (n_2).\ i; a; b; \{n_1; i; a; b\}_{K_{as}}; \{n_2; i; a; b\}_{K_{bs}}$
      $(\mathit{or}_3)\quad s \to b : (k).\ i; \{n_1; k\}_{K_{as}}; \{n_2; k\}_{K_{bs}}$
      $(\mathit{or}_4)\quad b \to a : i; \{n_1; k\}_{K_{as}}$
      $b\text{-run}: \langle r(i; a; b; \{n_1; i; a; b\}_{K_{as}}).\ f(n_2).\ s(i; a; b; \{n_1; i; a; b\}_{K_{as}}; \{n_2; i; a; b\}_{K_{bs}}, s).\ r(i; \{n_1; k\}_{K_{as}}; \{n_2; k\}_{K_{bs}}).\ s(i; \{n_1; k\}_{K_{as}}, a) \rangle$
      symbolic $b\text{-possrun}: \langle r(i; a; b; m_1).\ f(n_2).\ s(i; a; b; m_1; \{n_2; i; a; b\}_{K_{bs}}, s).\ r(i; m_2; \{n_2; k\}_{K_{bs}}).\ s(i; m_2, a) \rangle$

  20. Message variables
      The Otway-Rees Authentication/Key-Exchange Protocol
      $(\mathit{or}_1)\quad a \to b : (n_1).\ i; a; b; \{n_1; i; a; b\}_{K_{as}}$
      $(\mathit{or}_2)\quad b \to s : (n_2).\ i; a; b; \{n_1; i; a; b\}_{K_{as}}; \{n_2; i; a; b\}_{K_{bs}}$
      $(\mathit{or}_3)\quad s \to b : (k).\ i; \{n_1; k\}_{K_{as}}; \{n_2; k\}_{K_{bs}}$
      $(\mathit{or}_4)\quad b \to a : i; \{n_1; k\}_{K_{as}}$
      $b\text{-run}: \langle r(i; a; b; \{n_1; i; a; b\}_{K_{as}}).\ f(n_2).\ s(i; a; b; \{n_1; i; a; b\}_{K_{as}}; \{n_2; i; a; b\}_{K_{bs}}, s).\ r(i; \{n_1; k\}_{K_{as}}; \{n_2; k\}_{K_{bs}}).\ s(i; \{n_1; k\}_{K_{as}}, a) \rangle$
      symbolic $b\text{-possrun}$ (message forwarding): $\langle r(i; a; b; m_1).\ f(n_2).\ s(i; a; b; m_1; \{n_2; i; a; b\}_{K_{bs}}, s).\ r(i; m_2; \{n_2; k\}_{K_{bs}}).\ s(i; m_2, a) \rangle$

  21. Another bad example
      The Asokan-Shoup-Waidner Optimistic Fair-Exchange Subprotocol
      $(\mathit{asw}_1)\quad a \to b : (n_1).\ \{K_a; K_b; t; H(n_1)\}_{K_a^{-1}}$
      $(\mathit{asw}_2)\quad b \to a : (n_2).\ \{\{K_a; K_b; t; H(n_1)\}_{K_a^{-1}}; H(n_2)\}_{K_b^{-1}}$
      $(\mathit{asw}_3)\quad a \to b : n_1$
      $(\mathit{asw}_4)\quad b \to a : n_2$
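
The standard semantics of slide 12 and the symbolic b-possrun of slides 17–20, worked through in Python as an added example that is not part of the presentation. The names `enc`, `show`, `run` and `possrun` are hypothetical, and the opacity rule (a ciphertext under a symmetric key the role does not hold is replaced by a message variable) is a simplifying assumption chosen to reproduce the slides' Otway-Rees runs.

```python
# Added example: Alice&Bob steps -> role runs. All names are illustrative.
# A message is a tuple of parts; a part is an atom (str) or ("enc", key, parts).
def enc(key, *parts):
    return ("enc", key, parts)

def show(parts):
    return ";".join(p if isinstance(p, str) else "{%s}%s" % (show(p[2]), p[1])
                    for p in parts)

def run(role, steps, view=lambda msg: msg):
    """Standard semantics: sender does f(..) then s(M,receiver); receiver does r(M)."""
    actions = []
    for sender, receiver, fresh, msg in steps:
        if role == sender:
            actions += ["f(%s)" % n for n in fresh]
            actions.append("s(%s,%s)" % (show(view(msg)), receiver))
        elif role == receiver:
            actions.append("r(%s)" % show(view(msg)))
    return actions                      # steps of other roles contribute nothing

def possrun(role, steps, keys):
    """Assumed rule: a ciphertext under a key the role lacks becomes a variable."""
    names = {}                          # opaque ciphertext -> m1, m2, ...
    def view(msg):
        out = []
        for p in msg:
            if isinstance(p, str):
                out.append(p)
            elif p[1] in keys:          # transparent: the role can look inside
                out.append(("enc", p[1], view(p[2])))
            else:                       # opaque: same term, same variable
                out.append(names.setdefault(p, "m%d" % (len(names) + 1)))
        return tuple(out)
    return run(role, steps, view)

NSPK = [("a", "b", ["n1"], (enc("Kb", "n1", "a"),)),
        ("b", "a", ["n2"], (enc("Ka", "n1", "n2"),)),
        ("a", "b", [],     (enc("Kb", "n2"),))]
T1 = enc("Kas", "n1", "i", "a", "b")
OTWAY_REES = [
    ("a", "b", ["n1"], ("i", "a", "b", T1)),
    ("b", "s", ["n2"], ("i", "a", "b", T1, enc("Kbs", "n2", "i", "a", "b"))),
    ("s", "b", ["k"],  ("i", enc("Kas", "n1", "k"), enc("Kbs", "n2", "k"))),
    ("b", "a", [],     ("i", enc("Kas", "n1", "k")))]

if __name__ == "__main__":
    print(".".join(run("b", OTWAY_REES)))               # literal b-run
    print(".".join(possrun("b", OTWAY_REES, {"Kbs"})))  # symbolic b-possrun
```

The literal b-run has b pattern-match on a ciphertext under $K_{as}$, a key b does not hold; the symbolic run makes the forwarding of $m_1$ and $m_2$ explicit.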
