Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
Security Protocols II:Syntax and Operational Semantics (Part 1)
Sebastian Modersheim
FMSEC Module 3, v.15.10.2009
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 1 of 36
Introduction
What are formal models?
• A language is formal when it has a well-defined syntax andsemantics. Additionally there is often a deductive system fordetermining the truth of statements.
• Examples: propositional logic, first-order logic.
• A model (or construction) is formal when it is specified in aformal language.
• Standard protocol notation is not formal.
• We will see today how to formalize such notations.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 2 of 36
Introduction
Formal modeling and analysis of protocols
Goal: formally model protocols and their properties and provide amathematically sound means for reasoning about these models.
Basis: suitable abstraction of protocols:
⇒
Analysis: with formal methods based on mathematics and logic.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 3 of 36
Introduction
Formal Methods
systemspecification
securityproperties
proof
How does thesystem operate?
What shallbe achieved?
Does the system meetits requirements?
satisfies
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 4 of 36
AnB Syntax
Overview Module 3 & 4
• Introduction• Two formal specification languages:
AnB
Syntax______________ AnB
Semantics
Roles
Syntax
KKKKKKKKKK
______________ Roles
Semantics
The Dolev-Yao-style intruder
rrrrrrrrrr
• Security Properties• Landscape of Protocol Models: a quick tour.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 5 of 36
AnB Syntax
Alice and Bob Notation/Message Sequence Charts
A B
{NA, A}pk(B)
{NA, NB}pk(A)
{NB}pk(B)
msc NSPK
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 6 of 36
AnB Syntax
A Formal Alice & Bob Language
Protocol : NSPKTypes :Agent A,B;Number NA,NB;Function pk;
Knowledge :A : A,B, pk, inv(pk(A));B : B, pk, inv(pk(B));
Actions :A → B : {NA,A}pk(B)
B → A : {NA,NB}pk(A)
A → B : {NB}pk(B)
Goals :A •→• B : NAB •→• A : NB
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 7 of 36
AnB Syntax
A Formal Alice & Bob Language
Protocol : NSPK
Types :Agent A,B;Number NA,NB;Function pk;
Knowledge :A : A,B, pk, inv(pk(A));B : B, pk, inv(pk(B));
Actions :A → B : {NA,A}pk(B)
B → A : {NA,NB}pk(A)
A → B : {NB}pk(B)
Goals :A •→• B : NAB •→• A : NB
First, let’s give it a name.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 7 of 36
AnB Syntax
A Formal Alice & Bob Language
Protocol : NSPKTypes :Agent A,B;Number NA,NB;Function pk;
Knowledge :A : A,B, pk, inv(pk(A));B : B, pk, inv(pk(B));
Actions :A → B : {NA,A}pk(B)
B → A : {NA,NB}pk(A)
A → B : {NB}pk(B)
Goals :A •→• B : NAB •→• A : NB
Specify the types of all identifiers.NB: we do not necessarily consider types in the analysis!
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 7 of 36
AnB Syntax
A Formal Alice & Bob Language
Protocol : NSPKTypes :Agent A,B;Number NA,NB;Function pk;
Knowledge :A : A,B, pk, inv(pk(A));B : B, pk, inv(pk(B));
Actions :A → B : {NA,A}pk(B)
B → A : {NA,NB}pk(A)
A → B : {NB}pk(B)
Goals :A •→• B : NAB •→• A : NB
Initial knowledge of each role; variables only of type Agent.Every other variable: freshly created by the agent who first uses it.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 7 of 36
AnB Syntax
A Formal Alice & Bob Language
Protocol : NSPKTypes :Agent A,B;Number NA,NB;Function pk;
Knowledge :A : A,B, pk, inv(pk(A));B : B, pk, inv(pk(B));
Actions :A → B : {NA,A}pk(B)
B → A : {NA,NB}pk(A)
A → B : {NB}pk(B)
Goals :A •→• B : NAB •→• A : NB
Specify the goals we want to achieve.Here: secure transmission of nonce NA from A to B and . . .(secrecy + authentication).
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 7 of 36
AnB Syntax
Towards to meaning of an AnB specification
Split a message sequence chart into single roles (aka chords, symbolicstrands, role scripts):
A B
{NA, A}pk(B)
{NA, NB}pk(A)
{NB}pk(B)
msc NSPK
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 8 of 36
AnB Syntax
Towards to meaning of an AnB specification
Split a message sequence chart into single roles (aka chords, symbolicstrands, role scripts):
A
{NA, A}pk(B)
{NA, NB}pk(A)
{NB}pk(B)
msc NSPK A
B
{NA, A}pk(B)
{NA, NB}pk(A)
{NB}pk(B)
msc NSPK B
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 8 of 36
AnB Syntax
Towards to meaning of an AnB specification
Not trivial for some protocols:
A B
{|M |}K
{|{|M |}K |}sk(A,B)
{|K|}sk(A,B)
msc Encryption-Example
Here, sk(A,B) is a shared key of A and B, K is fresh.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 9 of 36
AnB Syntax
Towards to meaning of an AnB specification
Not trivial for some protocols:
A
{|M |}K
{|{|M |}K |}sk(A,B)
{|K|}sk(A,B)
msc
Encryption-Example A
B
{|M |}K
{|{|M |}K |}sk(A,B)
{|K|}sk(A,B)
msc
Encryption-Example B
This is wrong: B cannot decrypt/check the format of the firstmessage... before receiving the third!
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 9 of 36
Roles Syntax
Overview Module 3 & 4
• Introduction• Two formal specification languages:
AnB
Syntax______________ AnB
Semantics
Roles
Syntax
KKKKKKKKKK
______________ Roles
Semantics
The Dolev-Yao-style intruder
rrrrrrrrrr
• Security Properties• Landscape of Protocol Models: a quick tour.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 10 of 36
Roles Syntax
Roles syntax
Graphical:
A
{NA, A}pk(B)
{NA, NB}pk(A)
{NB}pk(B)
msc NSPK A
Textual:snd({NA,A}pk(B)) · rcv({NA,NB ,B}pk(A)) · snd({NB}pk(B))
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 11 of 36
Roles Syntax
Roles Syntax
• Event = snd(Term) | rcv(Term) | sig(SID,Term)
• Role = Event∗
• Protocols = Rolename ⇀ Role
Role scripts
• A protocol is described by a role script for each role name.
• Role names are variables of type agent.
• Signal (sig) events are used for property specification andverification.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 12 of 36
The Dolev-Yao-Style Intruder
Overview Module 3 & 4
• Introduction• Two formal specification languages:
AnB
Syntax______________ AnB
Semantics
Roles
Syntax
KKKKKKKKKK
______________ Roles
Semantics
The Dolev-Yao-style intruder
rrrrrrrrrr
• Security Properties• Landscape of Protocol Models: a quick tour.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 13 of 36
The Dolev-Yao-Style Intruder
Danny Dolev & Andrew C. Yao
On the Security of Public Key Protocols (IEEE Trans. Inf. Th., 1983)
• Consider a public key system in which for every user XF there is a public encryption function EX
— every user can apply this function.F and a private decryption function DX
— only X can apply this function.F These functions have the property that EX DX = DX EX = 1.
• The Dolev-Yao intruder:F Controls the network (read, intercept, send)F Is also a user, called ZF Can apply EX for any XF Can apply DZ
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 14 of 36
The Dolev-Yao-Style Intruder
Message Term Algebra
Signature Σ: set of function symbols for cryptographic andnon-cryptographic operations, for instance:
Symbol Arity Meaning Public
i 0 name of the intruder yesinv(·) 1 private-key of a given public-key no{·}· 2 asymmetric encryption yes{| · |}· 2 symmetric encryption yes〈·, ·〉 2 pairing/concatenation yesexp(·, ·) 2 exponentiation modulo fixed prime p yes· ⊕ · 2 bitwise exclusive or yesf (·) 1 User-defined function symbol f User-def.
ΣP ⊆ Σ to denote the public functions: every agent (including theintruder) can apply the function to known messages.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 15 of 36
The Dolev-Yao-Style Intruder
Message Term Algebra (Cont.)
Let Σ0 ⊆ Σ be a countable set of constants
• Convention: start with lower-case letters
• E.g. alice, na17, k2
Let V be a countable set of variables with V ∩ Σ = ∅.• Convention: start with upper-case letters
• E.g. A,NA,K
Definition
The set TΣ(V) of all message terms is the least set such that:
• V ⊆ TΣ(V)
• If t1, . . . , tn ∈ TΣ(V) and f ∈ Σ and f has arity n,then also f (t1, . . . , tn) ∈ TΣ(V).
For V = ∅, we write just TΣ, the set of all ground messages terms.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 16 of 36
The Dolev-Yao-Style Intruder
Message Term Algebra (Cont.)
Definition
For a signature Σ, a Σ-Algebra A consists of a universe A andinterprets every symbol f ∈ Σ of arity n as a function f A : An → A.We extend this interpretation to terms as follows:
vA = v for v ∈ V(f (t1, . . . , tn))A = f A(tA1 , . . . , t
An )
We write t1 ≈A t2 for tA1 = tA2 , and simply t1 ≈ t2 when A is clear.
E.g.: A = {0, 1}2048, {| · |}A· = Description-of-AES, . . .
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 17 of 36
The Dolev-Yao-Style Intruder
Message Term Algebra (Cont.)
The most simple and most widely used interpretation:
Definition
In the free message term algebra, A = TΣ(V) and
f A(t1, . . . , tn) = f (t1, . . . , tn)
In the free algebra ...
• We interpret every term by itself.
• t1 ≈ t2 iff t1 = t2.
• a 6≈ b for any distinct constants a and b
• If m1 6≈ m2 then also h(m1) 6≈ h(m2).(Thus: hash functions are collision free)
• DecX (EncX (M)) 6≈ M for any functions Dec and Enc ...
• exp(exp(g ,X ),Y ) 6≈ exp(exp(g ,Y ),X )
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 18 of 36
The Dolev-Yao-Style Intruder
Algebraic Properties
Example
{{M}K}inv(K) ≈ M inv(inv(K )) ≈ K{|{|M|}K |}K ≈ M exp(exp(B,X ),Y ) ≈ exp(exp(B,Y ),X )
Definition
A set of equations E induces a congruence relation ≈E on terms andthus the equivalence class [t]E of a term E . The quotient algebraTΣ(V)/≈E
interprets each term by its equivalence class.
• Two terms are semantically equal iff that’s a consequence of E .• For the above example equations:
F a 6≈ b for any distinct constants a and bF If m1 6≈ m2 then also h(m1) 6≈ h(m2)F {{M}inv(K)}K ≈ MF {|{|M|}exp(exp(g ,Y ),X )|}exp(exp(g ,X ),Y ) ≈ M
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 19 of 36
The Dolev-Yao-Style Intruder
Substitution
Definition (Substitution)
A substitution σ = [x1 7→ t1, . . . , xn 7→ tn] is the following functionfrom V to TΣ(V):
σ(x) =
{ti if x = xi
x otherwise
where {x1, . . . , xn} is called the domain dom(σ) of σ.We use postfix notation (writing xσ instead of σ(x)) and extend σ toa homomorphism over TΣ(V):
f (t1, . . . , tn)σ = f (t1σ, . . . , tnσ)
Example
For σ = [x 7→ f (y), y 7→ z ] we have g(z , y , f (x))σ = g(z , z , f (f (y))).
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 20 of 36
The Dolev-Yao-Style Intruder
Substitution (Cont.)
Definition
We denote with στ the composition of substitutions σ and τ , i.e.,τ ◦ σ.Substitution σ is more general than substitution τ on the set ofvariables V , written σ �V τ , iff there is a substitution ρ such that forall x ∈ V holds xσρ = xτ . For V = V, we simply write σ � τ .
Example
Let
• σ1 = [x 7→ f (y)],
• σ2 = [x 7→ f (c)],
• σ3 = [x 7→ f (c), y 7→ c],
• ρ = [y 7→ c]
then we have
• σ1 �{x} σ2 since xσ1ρ = xσ2.
• σ1 6� σ2: for any ρ such thatσ1ρ � σ2 we have that yρ = c ,thus yσ1ρ 6= yσ2.
• σ1 � σ3 since σ1ρ = σ3.
• σ2 � σ3 since σ2ρ = σ3.Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 21 of 36
The Dolev-Yao-Style Intruder
Unification
Definition (Unification)
Given a set {(s1, t1), . . . , (sn, tn)} of pairs of terms. A unifier σ forthis unification problem is a substitution such that
s1σ ≈ t1σ and . . . and snσ ≈ tnσ .
Matching is a variant of unification where
s1σ ≈ t1 and . . . and snσ ≈ tn .
(Special case of unification if the ti are ground.)
Example
{(f (x , c), f (g(y), y))} has the unifier [x 7→ g(c), y 7→ c]{(f (x , c), g(y))} has no unifier—in the free algebra.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 22 of 36
The Dolev-Yao-Style Intruder
Unification in the Free Algebra
Postponed to module 5.
Definition (Unification Algorithm)
Input: A unification problem U and a substitution σ, initially empty.Output: A substitution or failure.If U = ∅ then return σ. Otherwise pick any pair (s, t) in U and
• if s = t, remove this pair and continue
• if s is a variable:F if s ∈ vars(t): return with failureF otherwise: remove the pair from U and continue with σ[s 7→ t]
• if t is a variable: analogous to previous case
• otherwise, i.e., s = f (s1, . . . , sn) and t = g(t1, . . . , tm):F if f = g (and thus n = m): replace in U the pair (s, t) with the
pairs {(s1, t1), . . . , (sn, tn)} and continueF if f 6= g : return with failure
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 23 of 36
The Dolev-Yao-Style Intruder
Unification in the Free Algebra (Cont.)
Definition (Unification Algorithm)
Input: A unification problem U and a substitution σ, initially empty.Output: A substitution or failure.. . .
Theorem
• If the algorithm returns failure then, the unification problem hasno unifier (in the free algebra).
• If the algorithm returns a substitution σ, then σ is the mostgeneral unifier (in the free algebra), i.e., for all unifiers τ it holdsthat σ � τ .
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 24 of 36
The Dolev-Yao-Style Intruder
Unification in other Algebras
• When considering other algebras, unifiability is in generalundecidable, e.g. associativity and distributivity.
• Similarly, matchability and ground equality of terms are ingeneral undecidable, e.g. encoding computational logic.
• Even when decidable, there is in general no unique most generalunifier, e.g., {exp(X ,Y ), exp(X ′, c)} . . .
• Some unification problems are decidable but infinitary: in general,there is an infinite set of most general unifiers, e.g. associativity.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 25 of 36
The Dolev-Yao-Style Intruder
Dolev-Yao Closure
Definition
Given a set of terms M we define DY(M) as the least closure of Munder the following rules:
m ∈ DY(M)Axiom (m ∈ M) s ∈ DY(M)
t ∈ DY(M)Algebra (s ≈ t)
t1 ∈ DY(M) . . . tn ∈ DY(M)
f (t1, . . . , tn) ∈ DY(M)Composition (f ∈ Σp)
〈m1,m2〉 ∈ DY(M)
mi ∈ DY(M)Proji
{|m|}k ∈ DY(M) k ∈ DY(M)
m ∈ DY(M)DecSym
{m}k ∈ DY(M) inv(k) ∈ DY(M)
m ∈ DY(M)DecAsym
{m}inv(k) ∈ DY(M)
m ∈ DY(M)OpenSig
Decidability/complexity: in module 5.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 26 of 36
The Dolev-Yao-Style Intruder
Dolev-Yao Closure
Example
M = { x , {|b, exp(g , y)|}k , k ,m }
{|m|}exp(exp(g ,x),y)
?∈ DY(M)
{|b, exp(g , y)|}k ∈ DY(M) k ∈ DY(M)
〈b, exp(g , y)〉 ∈ DY(M)
exp(g , y) ∈ DY(M) x ∈ DY(M)
exp(exp(g , y), x) ∈ DY(M)
exp(exp(g , x), y) ∈ DY(M) m ∈ DY(M)
{|m|}exp(exp(g ,x),y) ∈ DY(M)
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 27 of 36
The Dolev-Yao-Style Intruder
Dolev-Yao Closure
Example
M = { x , {|b, exp(g , y)|}k , k ,m }
{|m|}exp(exp(g ,x),y)
?∈ DY(M)
{|b, exp(g , y)|}k ∈ DY(M) k ∈ DY(M)
〈b, exp(g , y)〉 ∈ DY(M)
exp(g , y) ∈ DY(M) x ∈ DY(M)
exp(exp(g , y), x) ∈ DY(M)
exp(exp(g , x), y) ∈ DY(M) m ∈ DY(M)
{|m|}exp(exp(g ,x),y) ∈ DY(M)
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 27 of 36
The Dolev-Yao-Style Intruder
Dolev-Yao Closure
Example
M = { x , {|b, exp(g , y)|}k , k ,m }
{|m|}exp(exp(g ,x),y)
?∈ DY(M)
{|b, exp(g , y)|}k ∈ DY(M) k ∈ DY(M)
〈b, exp(g , y)〉 ∈ DY(M)
exp(g , y) ∈ DY(M) x ∈ DY(M)
exp(exp(g , y), x) ∈ DY(M)
exp(exp(g , x), y) ∈ DY(M) m ∈ DY(M)
{|m|}exp(exp(g ,x),y) ∈ DY(M)
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 27 of 36
The Dolev-Yao-Style Intruder
Dolev-Yao Closure
Example
M = { x , {|b, exp(g , y)|}k , k ,m }
{|m|}exp(exp(g ,x),y)
?∈ DY(M)
{|b, exp(g , y)|}k ∈ DY(M) k ∈ DY(M)
〈b, exp(g , y)〉 ∈ DY(M)
exp(g , y) ∈ DY(M) x ∈ DY(M)
exp(exp(g , y), x) ∈ DY(M)
exp(exp(g , x), y) ∈ DY(M) m ∈ DY(M)
{|m|}exp(exp(g ,x),y) ∈ DY(M)
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 27 of 36
The Dolev-Yao-Style Intruder
Dolev-Yao Closure
Example
M = { x , {|b, exp(g , y)|}k , k ,m }
{|m|}exp(exp(g ,x),y)
?∈ DY(M)
{|b, exp(g , y)|}k ∈ DY(M) k ∈ DY(M)
〈b, exp(g , y)〉 ∈ DY(M)
exp(g , y) ∈ DY(M) x ∈ DY(M)
exp(exp(g , y), x) ∈ DY(M)
exp(exp(g , x), y) ∈ DY(M) m ∈ DY(M)
{|m|}exp(exp(g ,x),y) ∈ DY(M)
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 27 of 36
The Dolev-Yao-Style Intruder
Dolev-Yao Closure
Example
M = { x , {|b, exp(g , y)|}k , k ,m }
{|m|}exp(exp(g ,x),y)
?∈ DY(M)
{|b, exp(g , y)|}k ∈ DY(M) k ∈ DY(M)
〈b, exp(g , y)〉 ∈ DY(M)
exp(g , y) ∈ DY(M) x ∈ DY(M)
exp(exp(g , y), x) ∈ DY(M)
exp(exp(g , x), y) ∈ DY(M) m ∈ DY(M)
{|m|}exp(exp(g ,x),y) ∈ DY(M)
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 27 of 36
The Dolev-Yao-Style Intruder
Dolev-Yao Closure
Example
M = { x , {|b, exp(g , y)|}k , k ,m }
{|m|}exp(exp(g ,x),y)
?∈ DY(M)
{|b, exp(g , y)|}k ∈ DY(M) k ∈ DY(M)
〈b, exp(g , y)〉 ∈ DY(M)
exp(g , y) ∈ DY(M) x ∈ DY(M)
exp(exp(g , y), x) ∈ DY(M)
exp(exp(g , x), y) ∈ DY(M) m ∈ DY(M)
{|m|}exp(exp(g ,x),y) ∈ DY(M)
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 27 of 36
The Dolev-Yao-Style Intruder
Dolev-Yao Closure
Example
M = { x , {|b, exp(g , y)|}k , k ,m }
{|m|}exp(exp(g ,x),y)
?∈ DY(M)
{|b, exp(g , y)|}k ∈ DY(M) k ∈ DY(M)
〈b, exp(g , y)〉 ∈ DY(M)
exp(g , y) ∈ DY(M) x ∈ DY(M)
exp(exp(g , y), x) ∈ DY(M)
exp(exp(g , x), y) ∈ DY(M) m ∈ DY(M)
{|m|}exp(exp(g ,x),y) ∈ DY(M)
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 27 of 36
The Dolev-Yao-Style Intruder
Dolev-Yao Closure
Example
M = { x , {|b, exp(g , y)|}k , k ,m }
{|m|}exp(exp(g ,x),y)
?∈ DY(M)
{|b, exp(g , y)|}k ∈ DY(M) k ∈ DY(M)
〈b, exp(g , y)〉 ∈ DY(M)
exp(g , y) ∈ DY(M) x ∈ DY(M)
exp(exp(g , y), x) ∈ DY(M)
exp(exp(g , x), y) ∈ DY(M) m ∈ DY(M)
{|m|}exp(exp(g ,x),y) ∈ DY(M)
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 27 of 36
The Dolev-Yao-Style Intruder
Explicit vs. Implicit Destructors
Implicit Destructor Rules (no destruction operation)
〈m1,m2〉 ∈ DY(M)
mi ∈ DY(M)Proji
{|m|}k ∈ DY(M) k ∈ DY(M)
m ∈ DY(M)DecSym
{m}k ∈ DY(M) inv(k) ∈ DY(M)
m ∈ DY(M)DecAsym
{m}inv(k) ∈ DY(M)
m ∈ DY(M)OpenSig
versus
Explicit Destructors with algebraic properties
π1(〈m1,m2〉) ≈ m1 {{m}k}inv(k) ≈ mπ2(〈m1,m2〉) ≈ m2 open({m}inv(k)) ≈ m{|{|m|}k |}k ≈ m
• Implicit destructor rules are redundant with these properties• Explicit has strictly more derivable messages• Considerably more difficult to handle
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 28 of 36
Roles Semantics
Overview Module 3 & 4
• Introduction• Two formal specification languages:
AnB
Syntax______________ AnB
Semantics
Roles
Syntax
KKKKKKKKKK
______________ Roles
Semantics
The Dolev-Yao-style intruder
rrrrrrrrrr
• Security Properties• Landscape of Protocol Models: a quick tour.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 29 of 36
Roles Semantics
Free Variables
Those variables of a chord are called free for which the firstoccurrence is not in a receive event:
Definition
fv(Protocol ,R) = {R} ∪ fv ′{R}(Protocol(R))
fv ′M(role) =fv ′M∪vars(m)(role ′) if role = rcv(m) · role ′
(vars(m) \M) ∪ fv ′M∪vars(m)(role ′) if role = snd(m) · role ′
or role = sig(sig ,m) · role ′
∅ if role = []
Example: NSPK
fv(NSPK ,A) = {A,B,NA}fv(NSPK ,B) = {B,NB}
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 30 of 36
Roles Semantics
Role-based Protocol Specs (cont)aka cords, strands, scripts etc
• To execute a role, we first instantiate all free variables:F The name of the agent playing the role.F The name of other agents that are free in the role.F All the freshly generated values in the role.
• This yields a closed role description, i.e., one without freevariables.
• The remaining bound variables are placeholders for parts ofmessages that are going to be received and for which the value isnot yet determined.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 31 of 36
Roles Semantics
Operational Semantics
Definition (State)
• State = Trace × IntruderKnowledge × Threads.
• Trace = (TID × Event)∗
• IntruderKnowledge = P(Term)
• Threads = TID ⇀ Role
where the trace and the intruder knowledge are ground and thethreads are closed.
• The TID are Thread IDs for each honest agent playing a role.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 32 of 36
Roles Semantics
Initial State
• We start with an initial state ([], IK 0, th0) where IK 0 is the initialintruder knowledge and th0 are the threads of honest agents.
• IK 0 and th0 are parameters of the verification problem.
• Many analysis methods work only for the case that dom(th0) isfinite.
• For infinitely many threads, we need an appropriate finiterepresentation.
• For a given protocol P, all initial threads instantiate a role in P:F For each tid ∈ dom(th0), th0(tid) = P(R)σ for some role R and
such that P(R)σ is closed.F Usually, σ substitutes all variables except role names with fresh
constants (disjoint in all threads).F We denote with role(tid) the protocol role R that is instantiatedF and with player(tid) we denote the player Rσ of that role.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 33 of 36
Roles Semantics
Initial State: Example
Example (An initial state that is sufficient to find the attackagainst NSPK)
tr0 = []
IK 0 = { a, b, i , pk(a), pk(b), pk(i), inv(pk(i)) }
th0(0) = NSPK (A)[A 7→ a,B 7→ i ,NA 7→ na0]
th0(1) = NSPK (B)[B 7→ B,NB 7→ nb1]
Note bound variables here.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 34 of 36
Roles Semantics
Initial State: Example
Example (An initial state that is sufficient to find the attackagainst NSPK)
tr0 = []
IK 0 = { a, b, i , pk(a), pk(b), pk(i), inv(pk(i)) }
th0(0) = snd({na0, a}pk(i)) · rcv({na0,NB}pk(b)) · snd({NB}pk(i))
th0(1) = rcv({NA,A}pk(b)) · snd({NA, nb1}pk(A)) · rcv({nb1}pk(b))
Note bound variables here.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 34 of 36
Roles Semantics
Operational Semantics
Rules
th(tid) = snd(t) · tl
(tr , IK , th)→ (tr · (tid , snd(t)), IK ∪ {t}, th[tid 7→ tl ])snd
th(tid) = rcv(t) · tl dom(σ) = var(t) tσ ∈ DY(IK )
(tr , IK , th)→ (tr · (tid , rcv(tσ)), IK , th[tid 7→ tlσ])rcv
th(tid) = sig(sig , t) · tl
(tr , IK , th)→ (tr · (tid , sig(sig , t)), IK , th[tid 7→ tl ])sig
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 35 of 36
Roles Semantics
Operational Semantics: Example
Example (NSPK Attack)
Trace th(0) th(1)
(0, snd({na0, i}pk(i))) snd({na0, i}pk(i)) rcv({NA,A}pk(b))(1, rcv({na0, a}pk(b))) rcv({na0,NB}pk(a)) snd({NA, nb1}pk(A))(1, snd({na0, nb1}pk(a))) snd({NB}pk(i)) rcv({nb1}pk(b))(0, rcv({na0, nb1}pk(a)))(0, snd({nb1}pk(i)))(1, rcv({nb1}pk(b)))
Attack!
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 36 of 36
Roles Semantics
Operational Semantics: Example
Example (NSPK Attack)
Trace th(0) th(1)
(0, snd({na0, i}pk(i))) snd({na0, i}pk(i)) rcv({NA,A}pk(b))(1, rcv({na0, a}pk(b))) rcv({na0,NB}pk(a)) snd({NA, nb1}pk(A))(1, snd({na0, nb1}pk(a))) snd({NB}pk(i)) rcv({nb1}pk(b))(0, rcv({na0, nb1}pk(a)))(0, snd({nb1}pk(i)))(1, rcv({nb1}pk(b)))
Attack!
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 36 of 36
Roles Semantics
Operational Semantics: Example
Example (NSPK Attack)
Trace th(0) th(1)
(0, snd({na0, i}pk(i))) rcv({NA,A}pk(b))(1, rcv({na0, a}pk(b))) rcv({na0,NB}pk(a)) snd({NA, nb1}pk(A))(1, snd({na0, nb1}pk(a))) snd({NB}pk(i)) rcv({nb1}pk(b))(0, rcv({na0, nb1}pk(a)))(0, snd({nb1}pk(i)))(1, rcv({nb1}pk(b)))
Attack!
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 36 of 36
Roles Semantics
Operational Semantics: Example
Example (NSPK Attack)
Trace th(0) th(1)
(0, snd({na0, i}pk(i)))(1, rcv({na0, a}pk(b))) rcv({na0,NB}pk(a)) snd({na0, nb1}pk(a))(1, snd({na0, nb1}pk(a))) snd({NB}pk(i)) rcv({nb1}pk(b))(0, rcv({na0, nb1}pk(a)))(0, snd({nb1}pk(i)))(1, rcv({nb1}pk(b)))
Attack!
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 36 of 36
Roles Semantics
Operational Semantics: Example
Example (NSPK Attack)
Trace th(0) th(1)
(0, snd({na0, i}pk(i)))(1, rcv({na0, a}pk(b))) rcv({na0,NB}pk(a))(1, snd({na0, nb1}pk(a))) snd({NB}pk(i)) rcv({nb1}pk(b))(0, rcv({na0, nb1}pk(a)))(0, snd({nb1}pk(i)))(1, rcv({nb1}pk(b)))
Attack!
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 36 of 36
Roles Semantics
Operational Semantics: Example
Example (NSPK Attack)
Trace th(0) th(1)
(0, snd({na0, i}pk(i)))(1, rcv({na0, a}pk(b)))(1, snd({na0, nb1}pk(a))) snd({nb1}pk(i)) rcv({nb1}pk(b))(0, rcv({na0, nb1}pk(a)))(0, snd({nb1}pk(i)))(1, rcv({nb1}pk(b)))
Attack!
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 36 of 36
Roles Semantics
Operational Semantics: Example
Example (NSPK Attack)
Trace th(0) th(1)
(0, snd({na0, i}pk(i)))(1, rcv({na0, a}pk(b)))(1, snd({na0, nb1}pk(a))) rcv({nb1}pk(b))(0, rcv({na0, nb1}pk(a)))(0, snd({nb1}pk(i)))(1, rcv({nb1}pk(b)))
Attack!
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 36 of 36
Roles Semantics
Operational Semantics: Example
Example (NSPK Attack)
Trace th(0) th(1)
(0, snd({na0, i}pk(i)))(1, rcv({na0, a}pk(b)))(1, snd({na0, nb1}pk(a)))(0, rcv({na0, nb1}pk(a)))(0, snd({nb1}pk(i)))(1, rcv({nb1}pk(b)))
Attack!
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 36 of 36
Roles Semantics
Bibliography
• Franz Baader and Tobias Nipkow. Term Rewriting and All That. CambridgeUniversity Press, 1998.
• Iliano Cervesato, Nancy A. Durgin, Patrick D. Lincoln, John C. Mitchell,Andre Scedrov. A comparison between strand spaces and multiset rewritingfor security protocol analysis. Journal of Computer Security 13(2),IOS-Press, 2005.
• Danny Dolev and Andrew C. Yao. On the Security of Public Key Protocols.IEEE Trans. Inf. Th., 1983.
• Claude Kirchner, Helene Kirchner. Rewriting, Solving, Proving. Apreliminary version of a book available athttp://www.loria.fr/˜ckirchne/=rsp/rsp.pdf, 1999.
• Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone. Handbook ofApplied Cryptography. CRC Press, 1996.Available at http://www.cacr.math.uwaterloo.ca/hac
• Sebastian Modersheim. Algebraic Properties in Alice and Bob Notation.Proceedings of Ares’09. IEEE Computer Society, 2009.
• Peter Ryan, Steve Schneider, Michael Goldsmith, Gawin Lowe, Bill Roscoe.Modelling and Analysis of Security Protocols. Addison-Wesley, 2000.
Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 37 of 36