  1. Relating Multiset Rewriting and Process Algebra for Immediate Decryption Protocols
     Iliano Cervesato, iliano@itd.nrl.navy.mil
     ITT Industries, inc @ NRL Washington, DC
     http://www.cs.stanford.edu/~iliano
     Joint work with S. Bistarelli, G. Lenzini, and F. Martinelli
     UMBC meeting, June 10-11, 2003

  2. Objective
     • Relate specification languages for security protocols
       - MSR <-> strands [CSFW’00]
       - MSR <-> linear logic [MFPS’00]
       - MSR <-> Process Algebras
     Non-Objective (for now)
     • Reachability analysis <-> bisimulation
       - Verification methodologies not considered
     MSR <-> PA

  3. Why MSR?
     • Model of specification underlies numerous languages and tools
       - CIL/CAPSL
       - NRL Protocol Analyzer
       - Paulson’s Isabelle specifications
       - Murφ
       - …
     • Simple and well-understood foundations
       - Distributed systems
       - Petri nets
       - Linear logic
       - Rewriting theory

  4. Multiset Rewriting + Existentials
     • msets of 1st-order atomic formulas
     • Rules:
       r: F(x) → ∃n. G(x, n)
     • Application:
       M_1 →(r) M_2
       M’, F(t) →(r) M’, G(t, c)    (c not in M_1)
     • This is MSR 1.0
     MSR 2.0:
       + strong typing
       + constraints
       + domain-specific enhancements

  5. Which Process Algebra?
     “PA”
     • Inspired by
       - CCS
       - π-calculus
     • Only primitives used for protocols
     • As a programming language for protocols
       - Reachability
       - Not simulation/equivalence

  6. “PA”
     • Sequential processes
       P ::= 0 | a(t).P | a(t).P | νx.P
     • Parallel processes
       Q ::= 0 | P || Q | !P || Q
     • (P, ||, 0) monoid
       - Equivalence ≡
     • Reaction
       t = [θ]t’
       Q || a(t).P || a(t’).P’ -> Q || P || [θ]P’

  7. MSR ⇔ PA … in General
     • Very different paradigms
       - MSR: state transition
       - PA: contact evolution
     • Non trivial
       - MSR -> PA: granularity of actions
       - PA -> MSR: excise state
       - Reachability-preserving
       - Non bijective
     • Many attempts in the literature
       - Chemical abstract machine, …

  8. MSR ⇔ PA … for Protocols
     Much simpler!
     • Take natural specifications
       - in MSR
       - in PA
     • Bijective correspondence
       - (to a large extent)

  9. MSR for Security Protocols
     • Fixed predicates
       - N(m): Network messages
       - I(m): Intruder info.
       - A_i(t_1,…,t_{n_i}): Role states
       - Pr, PrvK, PubK, …: Persistent info.
     • Fixed format
       - Protocol given as set of roles
       - Dolev-Yao intruder spec.
     • (more freedom in MSR 2.0)

  10. Roles in MSR
      • One instantiation rule
        π(x) → ∃n. A_0(x, n), π(x)
      • Several execution rules
        - Send: A_i(z) → A_{i+1}(z), N(t)
        - Receive: A_i(z), N(t) → A_{i+1}(z, x_t)
      (Captures only immediate decryption protocols)

  11. NSPK (initiator) in MSR
      π_A(A,B) → A_0(A,B), π_A(A,B)
      A_0(A,B) → ∃N_A. A_1(A,B,N_A), N({N_A,A}_KB)
      A_1(A,B,N_A), N({N_A,N_B}_KA) → A_2(A,B,N_A,N_B)
      A_2(A,B,N_A,N_B) → A_3(A,B,N_A,N_B), N({N_B}_KB)
      where π_A(A,B) = Pr(A), PrvK(A,K_A^-1), Pr(B), PubK(B,K_B)

  12. MSR Configurations
      • Rules
        - ∪ρ: Protocol roles
        - ρ_I: Intruder role
      • State
        - N(t): Network messages
        - A_i(t): Role state predicates
        - π(t): Persistent knowledge
        - I(t): Intruder knowledge

  13. Security Protocols in PA
      (Captures only immediate decryption protocols)
      • Fixed set of names
        - N_i, N_o, π, I
      • Fixed structure of “Security Process”
        - Q_!net = !N_i(x). N_o(x). 0    Network process
        - Q_!ρ = ||_ρ P_ρ    Roles
          !π(x). νn. P’
          • input on N_o
          • output on N_i
        - Q_!
        - Q_!I    Dolev-Yao Intruder
        - Q_!π    Persistent information
        - Q_I0    Initial intruder knowledge

  14. NSPK (initiator) in PA
      π_A(A,B). νN_A. N_i({N_A,A}_KB). N_o({N_A,N_B}_KA). N_i({N_B}_KB). 0

  15. Process State
      • Q_!: Replicated process
      • Q: Unreplicated part
        - Q_I: Intruder knowledge
        - Q_net: Buffered network messages
        - Q_ρ: Roles in mid-execution

  16. MSR into PA
      (Captures only immediate decryption protocols)
      • Rules
        - ∪ρ => Q_!ρ + Q_!net
        - Instantiation rule => “!π(x).νn.” prefix
        - “A_i(z) → A_{i+1}(z), N(t)” => N_i(t).<r_{i+1}>
        - “A_i(z), N(t) → A_{i+1}(z, x_t)” => N_o(t).<r_{i+1}>
        - ρ_I => Q_!I
      • State
        - N(t) => Q_net
        - A_i(t) => Q_ρ
        - π(t) => Q_!π
        - I(t) => Q_I
      NSPK_MSR => NSPK_PA

  17. PA into MSR
      Essentially the inverse transformation
      - Q_!ρ => ∪ρ
        - Invent A_i’s
        - Carry over substitutions
      - Q_!I => ρ_I
      NSPK_PA => NSPK_MSR (for α-convertible A_i’s)

  18. The Intruder
      1-1 correspondence, but …
      • MSR: I(<x_1,x_2>) -> I(x_1), I(x_2)
        PA:  I(<x_1,x_2>). I(x_1). 0
             I(<x_1,x_2>). I(x_2). 0
      • MSR: I(x) -> I(x), I(x)
        PA:  I(x). I(x). I(x). 0
      • MSR: I(x_1), I(x_2) -> I(<x_1,x_2>)
        PA:  I(x_1). I(x_2). I(<x_1,x_2>). 0

  19. Correspondence
      [Diagram: MSR, PA, with * labels]
      • Proof technique: weak bi-simulation
        - Observables
          - Network messages
          - Intruder knowledge

  20. Delayed Decryption Protocols
      - Arguments of A_i’s may be terms
      - Explicit pattern matching in PA
      • Add non-trivial complications
        - Requires proper scheduling of matchings
        - Matching after input may cause deadlock
      • Solutions
        - WITS’03 unsatisfactory
        - Intermediate MSR with explicit scheduling

  21. Conclusions
      • Formal relation between MSR and PA
        - As used for security protocols
        - Non trivial (yet mostly bijective)
        - Technique similar to MSR <-> strands
      … And future work
        - MSR 3.0
        - Strict comparison with spi-calculus
        - Relating methodologies
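
Added example (not part of the original slides): a minimal multiset-rewriting interpreter with existential fresh-name generation, as described on slides 4 and 10, running the four NSPK initiator rules of slide 11. The term encoding (`enc`, `pk`, `sk`), the principals alice and bob, and the responder's reply are constructed assumptions.

```python
from collections import Counter
from itertools import count
_fresh = count(1)  # supplies the constants chosen for ∃-bound variables

def match(pat, term, s):
    """Extend substitution s so that pat instantiates to term; None on mismatch."""
    if isinstance(pat, str) and pat.startswith("?"):
        return {**s, pat: term} if pat not in s else (s if s[pat] == term else None)
    if isinstance(pat, tuple) and isinstance(term, tuple) and len(pat) == len(term):
        for p, t in zip(pat, term):
            if (s := match(p, t, s)) is None:
                return None
        return s
    return s if pat == term else None

def subst(t, s):
    return tuple(subst(x, s) for x in t) if isinstance(t, tuple) else s.get(t, t)

def apply(rule, state):
    """Fire rule (lhs, fresh, rhs) once on the multiset; None if it does not apply."""
    lhs, fresh, rhs = rule
    def search(i, s, used):  # backtracking match of the lhs facts
        if i == len(lhs):
            return s, used
        for fact in state:
            if state[fact] > used[fact] and (s2 := match(lhs[i], fact, s)) is not None:
                if r := search(i + 1, s2, used + Counter([fact])):
                    return r
    if (found := search(0, {}, Counter())) is None:
        return None
    s, used = found
    s = {**s, **{v: f"n{next(_fresh)}" for v in fresh}}  # ∃n: name not in the state
    return state - used + Counter(subst(f, s) for f in rhs)

enc = lambda key, *body: ("enc", key, *body)  # assumed encoding of {body}_key
A, B, NA, NB = "?A", "?B", "?NA", "?NB"       # rule variables start with "?"
PI = [("Pr", A), ("PrvK", A, ("sk", A)), ("Pr", B), ("PubK", B, ("pk", B))]
RULES = [  # the four initiator rules of slide 11, in order
    (PI, [], [("A0", A, B)] + PI),
    ([("A0", A, B)], [NA], [("A1", A, B, NA), ("N", enc(("pk", B), NA, A))]),
    ([("A1", A, B, NA), ("N", enc(("pk", A), NA, NB))], [], [("A2", A, B, NA, NB)]),
    ([("A2", A, B, NA, NB)], [], [("A3", A, B, NA, NB), ("N", enc(("pk", B), NB))]),
]

def run_initiator():
    state = Counter(subst(f, {A: "alice", B: "bob"}) for f in PI)  # constructed π_A
    state = apply(RULES[1], apply(RULES[0], state))
    na = next(f[3] for f in state if f[0] == "A1")
    state += Counter([("N", enc(("pk", "alice"), na, "nb"))])  # constructed reply from B
    return apply(RULES[3], apply(RULES[2], state))
```

The receive rule fires only on the network message whose key and nonce match the role state, which is the immediate-decryption pattern match; the first message stays in the multiset because no responder role consumes it.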
