Relating Strands and Multiset Rewriting For Security Protocol Analysis
Iliano Cervesato, Nancy Durgin, Patrick Lincoln, John Mitchell, Andre Scedrov
July 3rd, 2000, CSFW-13, Cambridge, UK

Representing Security Protocols
Several recent proposals based on the Dolev-Yao model:
• Strand spaces
• Multiset rewriting
• Spi-calculus, …
How are they related?
Relating Strands and Multiset Rewriting for Security Protocols

Roadmap
• MSR side: MSR, Restricted MSR, Canonical MSR
• Strands side: Strands, Dynamic Strands, Decorated Strands

Running Example: Needham-Schroeder Protocol
$A \to B: \{N_A, A\}_{K_B}$
$B \to A: \{N_A, N_B\}_{K_A}$
$A \to B: \{N_B\}_{K_B}$

MSR
• Executable specification language
• Adapts multiset rewriting with ∃
• Solid logical foundation
• Ties with linear logic and process algebra
• Flexible and fully precise
• Follows the Dolev-Yao model

Multiset rewriting …
• Multiset: set with repetitions allowed
• Rewrite rule: $r: N_1 \to N_2$
• Application: $M_1 \xrightarrow{r} M_2$, that is, $M', N_1 \xrightarrow{r} M', N_2$
• Multi-step transition, reachability

… with existentials
• Multisets of 1st-order atomic formulas
• Rules: $r: F(x) \to \exists n.\ G(x, n)$
• Application: $M_1 \xrightarrow{r} M_2$, that is, $M', F(t) \xrightarrow{r} M', G(t, c)$ with $c$ not in $M_1$

MSR predicates
• $N(m)$: network messages
• $I(m)$: intruder info.
• $A_i(t_1, \ldots, t_{n_i})$: role states
• $Pr$, $PrvK$, $PubK$, …: persistent info.

Protocol Theories
• Initialization rules
• For each role: 1 role generation rule, n execution rules

MSR → Restricted MSR
• Assume initialization has already happened
• Initial info: Π
No initialization in strands

NS: MSR rules for Alice
$\pi_{A0}(A) \to A_0(A),\ \pi_{A0}(A)$
$A_0(A),\ \pi_{A1}(B) \to \exists N_A.\ A_1(A,B,N_A),\ N(\{N_A,A\}_{K_B}),\ \pi_{A1}(B)$
$A_1(A,B,N_A),\ N(\{N_A,N_B\}_{K_A}) \to A_2(A,B,N_A,N_B)$
$A_2(A,B,N_A,N_B) \to A_3(A,B,N_A,N_B),\ N(\{N_B\}_{K_B})$
where
$\pi_{A0}(A) = Pr(A),\ PrvK(A,K_A^{-1})$
$\pi_{A1}(B) = Pr(B),\ PubK(B,K_B)$

NS: MSR rules for Bob
$\pi_{B0}(B) \to B_0(B),\ \pi_{B0}(B)$
$B_0(B),\ \pi_{B1}(A),\ N(\{N_A,A\}_{K_B}) \to B_1(A,B,N_A),\ \pi_{B1}(A)$
$B_1(A,B,N_A) \to \exists N_B.\ B_2(A,B,N_A,N_B),\ N(\{N_A,N_B\}_{K_A})$
$B_2(A,B,N_A,N_B),\ N(\{N_B\}_{K_B}) \to B_3(A,B,N_A,N_B)$
where
$\pi_{B0}(B) = Pr(B),\ PrvK(B,K_B^{-1})$
$\pi_{B1}(A) = Pr(A),\ PubK(A,K_A)$

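The rule application with existentials defined on the multiset-rewriting slides, run on the Alice and Bob rules above; this Python sketch is an added example, not code from the original slides. Assumptions: facts and messages are encoded as tuples, keys as ("pk", x) and ("sk", x), fresh constants are named n1, n2, …, and the rules are fired in the order of one run with no intruder rules.

```python
from collections import Counter
from itertools import count, permutations

def match(p, t, env):
    """Match pattern p ('?x' strings are variables) against ground term t."""
    if isinstance(p, str) and p.startswith("?"):
        return {**env, p: t} if env.get(p, t) == t else None
    if isinstance(p, tuple) and isinstance(t, tuple) and len(p) == len(t):
        for pi, ti in zip(p, t):
            if (env := match(pi, ti, env)) is None:
                return None
        return env
    return env if p == t else None

def subst(p, env):
    return tuple(subst(x, env) for x in p) if isinstance(p, tuple) else env.get(p, p)

def step(state, rule, bind=(), fresh=count(1)):
    """Apply rule (lhs, existential vars, rhs) once to a multiset; None if no match."""
    lhs, new, rhs = rule
    for facts in permutations(state.elements(), len(lhs)):
        env = match(tuple(lhs), facts, dict(bind))
        if env is not None:
            env.update((v, f"n{next(fresh)}") for v in new)  # fresh names, assumed unused
            return state - Counter(facts) + Counter(subst(f, env) for f in rhs)
    return None

def enc(x, *m): return ("enc", ("pk", x), m)             # assumed encoding of {m}_K_x
def pi0(x): return [("Pr", x), ("PrvK", x, ("sk", x))]   # Pr(x), PrvK(x, K_x^-1)
def pi1(x): return [("Pr", x), ("PubK", x, ("pk", x))]   # Pr(x), PubK(x, K_x)

A, B, NA, NB = "?A", "?B", "?NA", "?NB"
RULES = [  # the Alice and Bob rules above, listed in the order of one honest run
    (pi0(A), [], [("A0", A)] + pi0(A)),
    (pi0(B), [], [("B0", B)] + pi0(B)),
    ([("A0", A)] + pi1(B), [NA], [("A1", A, B, NA), ("N", enc(B, NA, A))] + pi1(B)),
    ([("B0", B), ("N", enc(B, NA, A))] + pi1(A), [], [("B1", A, B, NA)] + pi1(A)),
    ([("B1", A, B, NA)], [NB], [("B2", A, B, NA, NB), ("N", enc(A, NA, NB))]),
    ([("A1", A, B, NA), ("N", enc(A, NA, NB))], [], [("A2", A, B, NA, NB)]),
    ([("A2", A, B, NA, NB)], [], [("A3", A, B, NA, NB), ("N", enc(B, NB))]),
    ([("B2", A, B, NA, NB), ("N", enc(B, NB))], [], [("B3", A, B, NA, NB)]),
]

def run(a="a", b="b"):
    """Constructed honest run of a with b (no intruder rules); returns the final state."""
    state = Counter(pi0(a) + pi1(a) + pi0(b) + pi1(b))
    for rule in RULES:
        state = step(state, rule, {A: a, B: b})
    return state
```

The final multiset holds one A3 and one B3 fact that agree on both nonces, no N facts remain, and every persistent fact is still present because each rule that reads it also puts it back.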
MSR Intruder
• Implement the Dolev-Yao model: decryption/encryption, decomposition/composition, nonce generation, …
• Expressed within the language

Strands
• Graphical representation of execution
• Designed for after-the-fact analysis
• Very simple
• Follow the Dolev-Yao model
• Related to Lamport's causality, Mazurkiewicz's traces

NS: A Bundle
[Figure: a bundle for NS; its nodes are labelled $\{N_A, A\}_{K_B}$, $\{N_A, N_B\}_{K_A}$ and $\{N_B\}_{K_B}$]

Penetrator Strands
• Implement the Dolev-Yao model: decryption/encryption, decomposition/composition, nonce generation, …
• Expressed within the language

Strands → Dyn. Strands
Support executable specifications
• Specification language: parametric strands
• Execution capabilities: configurations, transitions

Parametric strands
• Strands are instances of roles
• Parameters: instantiable information
• Constraints: nonces, persistent info.

NS: Parametric Strand for Alice
Alice$(A,B,N_A,N_B)$:
Strand nodes, in order: $\{N_A, A\}_{K_B}$, $\{N_A, N_B\}_{K_A}$, $\{N_B\}_{K_B}$
Constraints: $N_A$ Fresh, $\pi_A(A,B)$
where $\pi_A(A,B) = Pr(A),\ PrvK(A,K_A^{-1}),\ Pr(B),\ PubK(B,K_B)$

NS: Parametric Strand for Bob
Bob$(A,B,N_A,N_B)$:
Strand nodes, in order: $\{N_A, A\}_{K_B}$, $\{N_A, N_B\}_{K_A}$, $\{N_B\}_{K_B}$
Constraints: $N_B$ Fresh, $\pi_B(A,B)$
where $\pi_B(A,B) = Pr(B),\ PrvK(B,K_B^{-1}),\ Pr(A),\ PubK(A,K_A)$

Configurations
Capture possible next actions
• Extension: bundle + remaining actions
• Configuration: bundle + extension
• Fringe: crossing arrows
Configuration = bundle + extension + fringe

NS: Configuration
[Figure: a configuration for NS; its nodes are labelled $\{N_A, A\}_{K_B}$, $\{N_A, N_B\}_{K_A}$, $\{N_B\}_{K_B}$ and $\{N_C, C\}_{K_D}$, $\{N_C, N_D\}_{K_C}$, $\{N_D\}_{K_D}$]

Strand Transitions
[Figure: the transitions drawn as before/after diagrams: Instantiate (labels: Fresh ξ, ξ, ξθ), Send and Receive (nodes marked + and -)]

Bundles vs. Transition Sequences
• 1 bundle → O(n!) transition sequences
• 1 transition sequence → 1 bundle
• Bundles represent execution more compactly

Restr. MSR → Can. MSR
• Merge role gen. with 1st exec. rule
• Choose nonces upfront
• Guess persistent info. upfront
Conversion to canonical form preserves reachability

NS: Canonical MSR rules for Alice
$\pi_A(A,B) \to \exists N_A.\ A_1(A,B,N_A),\ N(\{N_A,A\}_{K_B}),\ \pi_A(A,B)$
$A_1(A,B,N_A),\ N(\{N_A,N_B\}_{K_A}) \to A_2(A,B,N_A,N_B)$
$A_2(A,B,N_A,N_B) \to A_3(A,B,N_A,N_B),\ N(\{N_B\}_{K_B})$
where $\pi_A(A,B) = Pr(A),\ PrvK(A,K_A^{-1}),\ Pr(B),\ PubK(B,K_B)$

Can. MSR → Dyn. Strands
• Rules → nodes
• Role state predicates → arrows
• Nonces, persistent info. → constraints
• Configuration ⇐ state
Reachable states → reachable configurations

NS: MSR → Strands (1)
Rule: $\pi_A(A,B) \to \exists N_A.\ A_1(A,B,N_A),\ N(\{N_A,A\}_{K_B}),\ \pi_A(A,B)$
Strand: Alice$(A,B,N_A,N_B)$: $\{N_A, A\}_{K_B}$, …
Constraints: $N_A$ Fresh, $\pi_A(A,B)$
where $\pi_A(A,B) = Pr(A),\ PrvK(A,K_A^{-1}),\ Pr(B),\ PubK(B,K_B)$

NS: MSR → Strands (2)
Rule: $A_1(A,B,N_A),\ N(\{N_A,N_B\}_{K_A}) \to A_2(A,B,N_A,N_B)$
Strand: $\{N_A, A\}_{K_B}$, $\{N_A, N_B\}_{K_A}$, …

NS: MSR → Strands (3)
Rule: $A_2(A,B,N_A,N_B) \to A_3(A,B,N_A,N_B),\ N(\{N_B\}_{K_B})$
Strand: $\{N_A, A\}_{K_B}$, $\{N_A, N_B\}_{K_A}$, $\{N_B\}_{K_B}$

Dyn. Strands → Dec. Strands (1)
• Add initial (⊥) and final node (⊥)
• Add labels $A_i(t_1, \ldots, t_{n_i})$ to arrows
• $t_1, \ldots, t_{n_i}$ from: constraints, arguments of $A_{i-1}$

Dyn. Strands → Dec. Strands (2)
• Transitions
[Figure: transitions on decorated strands, drawn as before/after diagrams with ⊥ nodes; labels: Fresh ξ, Instantiate, ξθ]
Decoration preserves reachability

NS: Decorated Strand for Alice
Alice$(A,B,N_A,N_B)$:
$\bot \xrightarrow{A_0(A)} \{N_A, A\}_{K_B} \xrightarrow{A_1(A,B,N_A)} \{N_A, N_B\}_{K_A} \xrightarrow{A_2(A,B,N_A,N_B)} \{N_B\}_{K_B} \xrightarrow{A_3(A,B,N_A,N_B)} \bot$
Constraints: $N_A$ Fresh, $\pi_A(A,B)$
where $\pi_A(A,B) = Pr(A),\ PrvK(A,K_A^{-1}),\ Pr(B),\ PubK(B,K_B)$

Dec. Strands → Restr. MSR
• Labels → role state predicates
• Events → network messages
• Constraints → nonces, persistent info.
• State ⇐ fringe
Reachable configurations → reachable states

NS: Strands → MSR (1)
Strand: Alice$(A,B,N_A,N_B)$: $\bot \xrightarrow{A_0(A)}$ …
Constraints: $N_A$ Fresh, $\pi_A(A,B)$
where $\pi_A(A,B) = Pr(A),\ PrvK(A,K_A^{-1}),\ Pr(B),\ PubK(B,K_B)$
Rule: $\pi_{A0}(A) \to A_0(A),\ \pi_{A0}(A)$
where $\pi_{A0}(A) = Pr(A),\ PrvK(A,K_A^{-1})$

NS: Strands → MSR (2)
Strand: Alice$(A,B,N_A,N_B)$: … $\xrightarrow{A_0(A)} \{N_A, A\}_{K_B} \xrightarrow{A_1(A,B,N_A)}$ …
Constraints: $N_A$ Fresh, $\pi_A(A,B)$
where $\pi_A(A,B) = Pr(A),\ PrvK(A,K_A^{-1}),\ Pr(B),\ PubK(B,K_B)$
Rule: $A_0(A),\ \pi_{A1}(B) \to \exists N_A.\ A_1(A,B,N_A),\ N(\{N_A,A\}_{K_B}),\ \pi_{A1}(B)$
where $\pi_{A1}(B) = Pr(B),\ PubK(B,K_B)$