
Event-based Methods for Security Protocols, Federico Crazzolara



  1. Event-based Methods for Security Protocols Federico Crazzolara C&C Laboratories, NEC Europe (joint work with G. Winskel while at BRICS) DIMACS, July 8, 2003

  2. Road map
     1) Security Protocol Language (SPL)
        - Transition vs. event-based semantics
     2) Relation between models (finite behaviours)
        - SPL & Basic Nets, Event Structures, Inductive Rules
        - SPL & Strand Spaces
        - Strand Spaces & Event Structures

  3. High level, special purpose language. Program, verify & compile:
     - program: concise & precise protocol description
     - formal semantics that supports protocol verification => reduce gap between protocol & model
     - compile verified program => correct protocol code

  4. Security Protocol Language (SPL)
     - asynchronous, process oriented language
     - abstracts concrete network with a tuple space
     - messages: v | k | M,M' | {M} k |
     - prefixing:
       - new-name generation & send: out new(x) M . p
       - input with pattern matching: in pat( ) N . p
     - parallel composition of processes: i ∈ I p i

  5. ISO mutual authentication in SPL
     - (1) A B : n
     - (2) B A : {n, m, B, K} Key(A,B)
     - (3) A B : {n, m} Key(A,B)
     - in pat(x) x . Resp(B, A) out new(y,z) {x, y, B, Key(z)} Key(A,B) . in {x, y} Key(A,B)
     - RESP B ∈ Agents A ∈ Agents ! Resp(B,A)
     - ISO p ∈{ INIT,RESP, SPY } p

  6. Transition Semantics
     - output: out new(n) M[n/x]; <out new(x) M . p, s, t> <p[n/x], s {n}, t {M[n/x]}>; provided n ∉ s
     - input: in M[N/ ]; <in pat( ) M . p, s, t> <p[N/ ], s , t>; provided M[N/ ] ∈ t
     - parallel composition: <p j , s, t> <p' j , s' , t'> where p' i is p' j for i=j, else p i j: < i p' j , s' , t'> < i p j , s, t>

  7. Transitions & security properties
     - Secrecy of session key: For all runs where resp:B,A:i :out new(m,b) {n, m, B, Key(b)} Key(A,B) <p j , s j , t j > <p j+1 , s j+1 , t j+1 > Key(A,B) t 0 stage w . Key(b) t w
     - Possible proof strategy: assume does not hold => exists earliest violating action; derive contradiction from causally preceding events ?
     - Transition semantics masks local dependencies !

  8. Petri nets with persistence
     - Def : Petri net with persistent conditions consists of B set of conditions, P ⊆ B persistent conditions, E set of events, pre,post: E Pow(B) pre and postcondition maps.
     - Def : Token game: e iff • e ⊆ M & ( M \ ( • e P)) e • = M M' where M' = ( M \ • e) e • ( M P)

  9. Event Semantics
     - SPL Petri net conditions: C N O output control names (persistent)
     - events (with pre- and postcondition maps): i:outnew(x) M . p i:inpat( ) M . p M[N/ ] i:outnew(n) M[n/x] i:in M[N/ ] M[n/x] n i:Ic(p[N/ ]) i:Ic(p[n/x])
     - events can carry indices to identify component
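
The token game of slide 8, played on output and input events of the kind slide 9 describes, as an added example that is not part of the original slides. The set operators lost from the slide text are filled in as the usual contact-free firing rule, and the condition names, the message `{n}k` and the choice that only output conditions persist are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    name: str
    pre: frozenset   # preconditions of the event
    post: frozenset  # postconditions of the event

def has_concession(e, marking, persistent):
    # Enabled iff all preconditions are marked and no postcondition is
    # already marked, unless that condition is a precondition or persistent.
    contact = e.post & (marking - (e.pre | persistent))
    return e.pre <= marking and not contact

def fire(e, marking, persistent):
    # M' = (M \ pre) U post U (M n P); None if e has no concession at M.
    if not has_concession(e, marking, persistent):
        return None
    return (marking - e.pre) | e.post | (marking & persistent)

def run(events, marking, persistent):
    # Play a sequence of events; None as soon as one cannot occur.
    for e in events:
        marking = fire(e, marking, persistent)
        if marking is None:
            return None
    return marking

# Constructed net: component 1 sends {n}k under a new name n,
# components 2 and 3 each input that message.
MSG, NAME = ("out", "{n}k"), ("name", "n")
PERSISTENT = frozenset({MSG})  # assumption: only output conditions persist
SEND = Event("1:out new(n) {n}k", frozenset({("ctl", "1:send")}),
             frozenset({("ctl", "1:done"), NAME, MSG}))
RECV2 = Event("2:in {n}k", frozenset({("ctl", "2:recv"), MSG}),
              frozenset({("ctl", "2:done")}))
RECV3 = Event("3:in {n}k", frozenset({("ctl", "3:recv"), MSG}),
              frozenset({("ctl", "3:done")}))
INITIAL = frozenset({("ctl", "1:send"), ("ctl", "2:recv"), ("ctl", "3:recv")})

if __name__ == "__main__":
    print("both inputs read the message:",
          run([SEND, RECV2, RECV3], INITIAL, PERSISTENT) is not None)
    print("without persistence:",
          run([SEND, RECV2, RECV3], INITIAL, frozenset()) is not None)
    print("name n already in use:",
          fire(SEND, INITIAL | {NAME}, PERSISTENT) is not None)
```

Persistence is what lets a message on the network be input more than once, and the contact check is what blocks an output whose new name is already marked.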

  10. Net of an SPL process
      - Ev(out new(x) M. p) = i:outnew(x) M . p i:outnew(n) M[n/x] n Ev(p[n/x]) { | n names } M[n/x] n i:Ic(p[n/x])
      - Ev (in pat ( ) M. p) = i:inpat( ) M . p M[N/ ] M Ev([M/ ]) { | M messages} i:in M[N/ ] i:Ic(p[N/ ])
      - Ev ( i ∈ I p i ) = I i: Ev(p i ) i

  11. Relating transition and event semantics
      - Th : If <p, s, t> <p', s' , t' > e then Ic(p) s t Ic(p') s' t' for some event e with act(e) = .
      - e Th : If Ic(p) s t M act(e) <p, s, t> <p', s' , t' > then and M = Ic(p') s' t' for some closed process term p', names s' and messages t'.

  12. Protocol verification – proof strategy. Use event-based semantics of SPL:
      - formalize security property P in terms of events (as safety property),
      - assume the run contains event violating P (take first such event),
      - use dependencies among events & derive contradiction (case analysis on the events of a protocol).

  13. Derived proof principles
      - Well foundedness : in a protocol run at some stage P => first stage s.t. P
      - Freshness of m in a run: at most one event s.t. m e n
      - Precedence : control: if b c e i either e j , j<i s.t. b e c b Ic(p 0 ) or j output input: if M o e i either M t 0 or e j , j<i s.t. M e o j

  14. Summary (I)
      - Event based semantics of SPL => non interleaving models useful for security-protocol analysis.
      - Transition semantics of SPL easy to implement.
      - Relation between event-based & transition sem. + correct impl. of transition sem. => properties of protocol model are properties of protocol implementation.

  15. Relation between models (relate finite behaviours) IR (Paulson) NetPers StrandSp SPL new, special purpose other models Spi, CSP, ... traditional, well studied SPL E (event st.) TL (trace languages) TS (tran. sys.) N (basic nets)

  16. SPL Nets, Trace Languages, Event Structures
      - e P Ø => e does not occur more than once in a run
      - Diagram labels: IR (Paulson) NetPers StrandSp SPL new, special purpose traditional, well studied SPL E TL N TS

  17. SPL and Inductive Rules
      - p* SPL process (all actions replicated)
      - Diagram labels: NetPers IR (Paulson) StrandSp SPL new, special purpose traditional, well studied SPL E TL N TS

  18. Strand Spaces with conflict
      - Strand Spaces: <s i > i ∈ I
        - only limited form of nondeterminism
        - difficult to compose using traditional process op.
      - Extension: (<s i > i ∈ I , #)
        - # I × I , symmetric & irreflexive ( conflict relation )
        - unique orig. on the bundles not on entire space
      - Compose Strand Spaces: a.S , S || S' , S+S' ( abbreviation || k ∈ (<s i > i ∈ I , #) = !(<s i > i ∈ I , #) )

  19. Conflict relation is inessential
      - Def: binary, symmetric relation s.t. S S' iff b bundle of S => b' bundle of S' s.t. b and b' are isomorphic graphs.
      - Th : b bundle of !(<s i > i ∈ I , #) then b bundle of !(<s i > i ∈ I , ∅ ); b bundle of !(<s i > i ∈ I , ∅ ) then re-indexing s.t. (b) bundle of !(<s i > i ∈ I ,# ).
      - Cor : !(<s i > i ∈ I , #) (<s i > i ∈ I , ∅ )

  20. SPL and Strand Spaces
      - max seq. in Ev(p) coinciding at control (p “par” process)
      - Figure labels: i:out M i:out M i:out M # i:in M i i:in M 1 i:in M 1 i:in M i S(p) Net(p)
      - Th : Seq. of events in Net(p) <=> lineariz. of bundle in S(p)
      - if p is “!-par” process then S(p) = !(<s i > i ∈ I ,# ) !(<s i > i ∈ I , ∅ )

  21. Prime Event Structures
      - Prime Event Structure (E, # , )
        - binary conflict relation #, symmetric and irreflexive
        - {e' | e' e} finite
        - e#e' e'' => e#e''
      - configurations F( E ) are x E s.t.
        - x is conflict free
        - x is left closed (e' e x => e' x)
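
The two conditions on configurations from slide 21, checked by brute force on a small structure, as an added example that is not part of the original slides. The causal dependency order, whose symbol the slide text has lost, is given here as direct predecessors; the event names and the sample structure are constructed for illustration.

```python
from itertools import combinations

def history(e, preds):
    # {e' | e' <= e}: e plus every event it causally depends on.
    seen, todo = set(), [e]
    while todo:
        x = todo.pop()
        if x not in seen:
            seen.add(x)
            todo.extend(preds.get(x, ()))
    return frozenset(seen)

def inherit(events, preds, base):
    # Smallest symmetric conflict containing `base` with e#e' <= e'' => e#e''.
    hist = {e: history(e, preds) for e in events}
    return {(a, b) for a in events for b in events
            if any((x, y) in base or (y, x) in base
                   for x in hist[a] for y in hist[b])}

def is_configuration(x, preds, conflict):
    x = frozenset(x)
    conflict_free = not any((a, b) in conflict for a in x for b in x)
    left_closed = all(history(e, preds) <= x for e in x)
    return conflict_free and left_closed

def configurations(events, preds, conflict):
    # Brute force over subsets; fine for the small finite examples used here.
    evs = sorted(events)
    return [frozenset(c) for r in range(len(evs) + 1)
            for c in combinations(evs, r)
            if is_configuration(c, preds, conflict)]

# Constructed example: one output, two alternative inputs in conflict,
# and a reply that depends on the first input.
EVENTS = {"out M", "in M1", "in M2", "out R"}
PREDS = {"in M1": {"out M"}, "in M2": {"out M"}, "out R": {"in M1"}}
CONFLICT = inherit(EVENTS, PREDS, {("in M1", "in M2")})

if __name__ == "__main__":
    for c in configurations(EVENTS, PREDS, CONFLICT):
        print(sorted(c))
```

The reply `out R` inherits the conflict with `in M2` from its cause `in M1`, so no configuration contains both.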

  22. Strand Spaces and Event Structures
      - bundles are graphs, i.e. sets of nodes and edges ( B , )
      - b B bundle, e b e b = {b' B e b' and b' b} (primes) b e b e b'
      - Prop : b'' e b is a bundle if b B then b = {p | p b, p prime}

  23. Strand Spaces and Event Structures (II)
      - Def : Pr( B ) = ( P ,#, ) P the primes of B p#p' if prime p'' s.t. p p'' and p' p'' (p,p' not compatible)
      - Th : Pr( B ) is a prime event structure & ) (F fin Pr( B ), ) : ( B where (b) = {p | p b, p prime} iso of partial orders with : F fin Pr( B ) inverse B where (x) = x .

  24. Summary (II)
      - e P Ø => e does not occur more than once in a run
      - p* SPL process (all actions replicated)
      - !par SPL processes
      - Diagram labels: IR (Paulson) NetPers StrandSp SPL new, special purpose traditional, well studied SPL E TL N TS

  25. References
      - F. Crazzolara. Language, Semantics, and Methods for Security Protocols. Ph.D. Thesis, BRICS, May 2003.
      - F. Crazzolara, G. Winskel. Composing Strand Spaces. FSTTCS'02.
      - F. Crazzolara, G. Winskel. Events in Security Protocols. ACM CCS'01.
      - F. Crazzolara, G. Winskel. Petri nets in Cryptographic Protocols. FMPPTA'01.
      - F. Crazzolara, G. Milicia. Implementation of SPL @ www.chispaces.com.
