september 17 th, 2001fosad 2001 – bertinoro, italy security protocol specification languages...

September 17th, 2001 FOSAD 2001 – Bertinoro, Italy

Security Protocol Specification Languages

Iliano Cervesato iliano@itd.nrl.navy.mil

ITT Industries, Inc @ NRL – Washington DC

http://www.cs.stanford.edu/~iliano/

Security Protocol Specification Languages 2

Scope of this Course

Specification languages for cryptographic protocolsEvaluation criteriaAnthology of languagesScientific impact

Extras . . .Advertisement for MSR

This Course is not about

Cryptography

Applications of crypto-protocols

Taxonomy ofProtocolsAttacksTools

Verification

Outline

Hour 1: Specification languages

Hour 2: MSR

Hour 3: The most powerful attacker

Hour 4: Reconstructing the intruder

Hour 1

Specification Languages

Hour 1: Outline

Security protocols

Dolev-Yao abstraction

Specification targets

Major specification languagesOriginsExample (Needham-Schroeder)PropertiesEvaluation

Security Protocols

Use cryptographic means to ensureconfidentialityauthenticationnon-repudiation, …

in distributed/untrusted environment

Applicationse-commerce trade/military secretseveryday computing

Securitygoals

Why is Protocol Analysis Difficult?

Subtle cryptographic primitivesDolev-Yao abstraction

Distributed hostile environment“Prudent engineering practice”

Inadequate specification languages… the devil is in details …

Correctness vs. Security [Mitchell]

Correctness: satisfy specificationsFor reasonable inputs, get reasonable

output

Security: resist attacksFor unreasonable inputs, output not

completely disastrous

Main differenceActive interference from the

environment

Dolev-Yao Model of Security

NetworkNetwork

Charlie

Server

Dolev-Yao Abstraction

Symbolic dataNo bit-strings

Perfect cryptographyNo guessing of keys

Public knowledge soupMagic access to data

Perfect Cryptography

KA-1 is needed to decrypt {M}KA

No collisions{M1}KA = {M2}KB iff M1 = M2 and KA

Public Knowledge Soup

Free access to auxiliary dataAbstracts actual mechanisms

database subprotocols, …

But …not all data are public

keys secrets

… pictorially

a kakb

Why is specification important?

Documentationcommunicate

Engineering implementationverification tools

Science foundationsassist engineering

Languages to Specify What?

Message flow

Message constituents

Operating environment

Protocol goals

Desirable Properties

Unambiguous

Simple

FlexibleAdapts to protocols

PowerfulApplies to a wide class of protocols

InsightfulGives insight about protocols

Language Families

“Usual notation” Knowledge logic

BAN Process theory

FDR, CasperSpi-calculusPetri netsStrandsMSR

Inductive methods

Temporal logic Automata

NRL Prot. Analizer

CAPSLMur

Why so many?

Convergence of approachesexperience from mature fieldsunifying problemscientifically intriguing funding opportunities

Fatherhood pride

Needham-Schroeder Protocol

Devised in ’78

Example of weak specification !

Broken in ’95!

But …purely academicattack subject to interpretation

“Usual Notation”

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

How does it do?

FlowExpected run

ConstituentsSide remarks

EnvironmentSide remarks

GoalsSide remarks

Unambiguous

Simple

Flexible

Powerful

Insightful

BAN Logic[Burrows, Abadi, Needham]

Roots in belief logic reason about knowledge as prot. unfolds security: principals share same view

Specification usual notation “idealized protocol” assumptions Goals

Verification Logical inference

NS: BAN IdealizationA B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

A B: {nA}kB

B A: {A nB BnA}kA

A B: {A nA B, B | A nB B

nB}kBMore readable syntax proposed later

NS: BAN Assumptions

A | kA A

A | kB B

A | # nA

A | A nA B

B | kB B

B | kA A

B | # nB

B | A nB B

NS: BAN Goals

B | A | A nA B

A | B | A nB B

Formally derived from BAN rules

How does BAN do?

FlowIdealized run

ConstituentsAssumptions

EnvironmentImplicit

GoalsBAN formulas

Unambiguous

Simple

Flexible

Powerful

Insightful

CSP [Roscoe, Lowe]

Roots in process algebra [Hoare] non-interference

Specification 1 process for each role non-deterministic intruder process

Verification Refinement w.r.t. abstract spec. FDR: model checker for CSP Casper: interface to FDR

CSP: NS Initiator

Init(A, nA) =

user.A?B -> I_running.A.B ->comm!Msg1.A.B.encr.key(B).nA.a ->

comm.Msg2.B.A.encr.key(A)?nA’.nB ->

if nA = nA’

then comm!Msg3.A.B.encr.key(B).nB ->

I_commit.A.B -> session.A.B -> Skip

else Stop

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

Responder is similar

CSP : Resp. authentication spec.

AR0 = R_running.A.B -> I_commit.A.B -> AR0

A1 = {| R_running.A.B, I_commit.A.B |}

AR = AR0 ||| Run (S \ A1)

Unambiguous

Simple

Flexible

Powerful

Insightful

How does CSP do?

FlowRole-based

ConstituentsFormalized

EnvironmentExplicit

GoalsAbstract spec.

Casper Specification of NS

#Free variablesA, B: Agentna, nb : noncePK : Agent -> PublicKeySK : Agent -> SecretKeyInverseKeys = (PK, SK)

#ProcessesINIT(A,na) knows PK, SK(A)RESP(B,nb) knows PK,

#Protocol description0. -> A : B1. A -> B : {na, A}{PK(B)}2. B -> A : {na, nb}{PK(A)}3. A -> B : {nb}{PK(B)}

#SpecificationSecret(A, na, [B])Secret(B, nb, [A])Agreement(A, B, [na,nb])Agreement(B,A, [na,nb]

#Actual variablesAlice, Bob, Mallory: AgentNa, Nb, Nm: Nonce

#Intruder informationIntruder = MalloryIntruderKnowledge = {Alice, Bob, Mallory, Nm, PK, SK(Mallory)

Spi-calculus[Abadi, Gordon]

-calculus with crypto. Constructs

Specification1 process for each role Instance to be studied Intruder not explicitly modeled

VerificationProcess equivalence to reference

Spi: NS Initiator

init(A,B,cAB,KB+,KA

(nA) cAB< {|A, nA|}KB+ > .

cAB(x) . case x of {|y|}KA- in

let (y1,y2) = y in [y1 is nA]

cAB< {| y2 |}KB+ > .

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

Spi: NS Responder

resp(B,A,cAB,KA+,KB

cAB(x) . case x of {|y|}KB- in

let (y1,y2) = y in [y1 is A]

(nB) cAB< {| y2, nB|}KA+ > .

cAB(x’) . case x’ of {|y’|}KB- in [y’ is nB]

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

Spi: NS Instance

inst(A,B,cAB) =

(KA) (KB)

( init(A,B,cAB,KB+,KA

| resp(B,A,cAB,KA+,KB

Unambiguous

Simple

Flexible

Powerful

Insightful

How does Spi do?

FlowRole-based

ConstituentsInformal math.

EnvironmentImplicit

GoalsReference proc.

Strand Spaces[Guttman, Thayer]

Roots in trace theory Lamport’s causality Mazurkiewicz’s traces

Specification Strands Sets of principals, keys, …

Verification Authentication tests Model checking

Strands

{nA, A}kB

{nA, nB}kA

{nB}kB

{nA, A}kB

{nA, nB}kA

{nB}kB

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

How do Strands do?

FlowRole-based

ConstituentsInformal math.

EnvironmentSide remarks

GoalsSide remarks

Unambiguous

Simple

Flexible

Powerful

Insightful

Inductive methods[Paulson]

Protocol inductively defines traces Specification

1 inductive rule for each protocol ruleUniversal intruder based on language

Verification theorem proving (Isabelle HOL)

Related methods [Bolignano]

IMs: NS

NS1 [evs ns; A B; Nonce NA used evs]

Says A B {Nonce NA, Agent A} KB # evs ns

NS2 [evs ns; A B; Nonce NB used evs;

Says A’ B {Nonce NA, Agent A} KB set evs]

Says B A {Nonce NA, Nonce NA} KA # evs ns

NS3 [evs ns; Says A B {Nonce NA, Agent A} KB set evs;

Says B’ A {Nonce NA, Nonce NA} KA set evs]

Says A B {Nonce NA} KB # evs ns

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

IMs: Environment

Nil [] ns

Fake [evs ns; BSpy; X synth(analz (spies evs))]

Says Spy B X # evs ns

synth, analz, spies, … protocol indep.

Unambiguous

Simple

Flexible

Powerful

Insightful

How do IMs do?

FlowTrace-based

ConstituentsFormalized

EnvironmentImmutable

GoalsImposs. traces

NRL Protocol Analyzer[Meadows]

Roots in automata theory

Specification1 finite-state automata for each roleGrammar or words unaccessible to

attacker

VerificationBackward state explorationTheorem proving for finiteness

NPA: NS Resp., action 2

Subroutine rec_request(user(B,honest),N,T):

If: rcv msg(user(A,H),user(B,honest),[Z],N): verify(pke(privkey(user(B,honest)),Z),(W,user(A,H))), not(verify(W,(W1,W2))):

Then: rec_who := user(A,H), rec_self := user(B,honest), rec_gotnonce := W:

send msg(user(B,honest),[{rec_self},{rec_who}],N):

event(user(B,honest),[user(A,H)],rec_request,[W],N)

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

Unambiguous

Simple

Flexible

Powerful

Insightful

How does NPA do?

FlowRole-based

ConstituentsProlog code

EnvironmentExplicit

GoalsUnreachable

RTLA [Gray, McLean]

Roots in Temporal Logic (Lamport)

SpecificationState components that change during

a step

VerificationProof in temporal logic

EvaluationSimilar to NPA

CAPSL [Millen]

Ad-hoc model checker

Specification Special-purpose language Intruder built-in

Implementation CIL [Denker] -> similar to MSR

Related systems Mur [Shmatikov, Stern]

?? [Clarke, Jha, Marrero]

CAPSL: NS

PROTOCOL NS;

VARIABLESA, B: PKUser;Na, Nb: Nonce, CRYPTO

ASSUMPTIONSHOLDS A: B;

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

MESSAGESA -> B : {A, Na}pk(B);B -> A : {Na,Nb}pk(A);A -> B : {Nb}pk(B);

GOALSSECRET Na;SECRET Nb;PRECEDES A: B | Na;PRECEDES B: A | Nb;

Unambiguous

Simple

Flexible

Powerful

Insightful

How does CAPSL do?

FlowExplicit run

ConstituentsDeclarations

EnvironmentImplicit

GoalsProperties

Two more …

MSR 1.x

MSR 2.0

… next hour

Hour 2

Hour 2: Outline

Origins

Language description

Access control

Execution model

MSR 1.x[Cervesato, Durgin, Lincoln, Mitchell, Scedrov]

Multiset rewriting with existentials

“Persistent predicates” model assumptions

Role state predicates thread rules through

MSR 1.x - Initiator

A0(A) L0(A), A0(A)

L0(A), A1(B) nA. L1(A,B,nA), N({nA,A}kB), A1(B)

L1(A,B,nA), N({nA,nB}kA) L2(A,B,nA,nB)

L2(A,B,nA,nB) L3(A,B,nA,nB), N({nB}kB)

whereA0(A) = Pr(A), PrvK(A,kA-1)

A1(B) = Pr(B), PubK(B,kB)

Nonce generatio

Messagetransmissi

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

MSR 1.x - Responder

B0(B) L0(B), B0(B)

L0(A), B1(A), N({nA,A}kB) L1(A,B,nA), B1(A)

L1(A,B,nA) nB. L2(A,B,nA,nB), N({nA,nB}kA)

L2(A,B,nA,nB), N({nB}kB) L3(A,B,nA,nB)

whereB0(B) = Pr(B), PrvK(B,kB-1)

B1(A) = Pr(A), PubK(A,kA)

Role state

predicate

Persistent Info.

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

Evaluation

Poor specification languageError-proneLimited automated assistance

Very insightfulUndecidability of protocol correctness

verification

Unambiguous

Simple

Flexible

Powerful

Insightful

How did we do?

FlowRole-based

ConstituentsPersistent info.

EnvironmentIn part

MSR 2.0[Cervesato]

Redesign MSR as a spec. languageEasy to useSupport for automation

Margin for verificationCurrent techniques can be adapted

InsightfulBackground in type-theory

Unambiguous

Simple

Flexible

Powerful

Insightful

How will we do?

FlowRole-based

ConstituentsStrong typing

EnvironmentIn part

What’s in MSR 2.0 ?

Multiset rewriting with existentials

Dependent types w/ subsorting

Memory predicates

Constraints

Atomic termsPrincipal names AKeys kNonces n…

Term constructors (_ _){_} _ {{_}}_

Definable

y1: ’1.

…yn’: ’n’.

x1: 1. …

xn: n.lhs rhs

• N(t) Network

• L(t, …, t) Local state

• MA(t, …, t)Memory

• Constraints

• N(t) Network

• L(t, …, t) Local state

• MA(t, …, t) Memory

Types of Terms

A: princ

n: nonce

k: shK A B

k: pubK A

k’: privK k

… (definable)

A: princ

n: nonce

A: princ

n: nonce

k: shK A B

k: pubK A

k’: privK k

Types can dependon term

• Captures relationsbetween objects

• Subsumes persistentinformationStaticLocalMandatory

Subtyping

Allows atomic terms in messages

DefinableNon-transmittable termsSub-hierarchies

:: msg

Role State Predicates

Hold data local to a role instanceLifespan = role

Invoke next ruleLl = control (A,t, …, t) = data

Ll(A,t, …, t)

Memory Predicates

Hold private info. across role exec.

Support for subprotocolsCommunicate dataPass control

Interface to outside system

Implements intruder

MA(t, …, t)

Constraints

Guards over interpreted domainAbstractModular

Invoke constraint handler

E.g.: timestamps (TE = TN + Td) (TN < TE)

Type of Predicates

Dependent sums

Forces associations among arguments

E.g.: princ(A) x pubK A(kA) x privK kA

Genericroles

Anchoredroles

y:’.x:. lhs rhs… … …

y:’.x:. lhs rhs

L: ’1(x1) x … x ’n

Role state pred.var. declarations

Role owner

L: ’1(x1) x … x ’n

Role owner

y:’.x:. lhs rhs… … …

y:’.x:. lhs rhs

MSR 2.0 – NS Initiator

B: princkB: pubK B

nA:nonce.L(A,B,kB,nA) N({nA,A}kB)

…kA: pubK A

k’A: privK kA

nA,nB: nonce

L(A,B,kB,nA)N({nA,nB}kA)

N({nB}kB)

L: princ x princ(B) x pubK B x nonce.

B: princkB: pubK B

nA:nonce.L(A,B,kB,nA) N({nA,A}kB)

…kA: pubK A

k’A: privK kA

nA,nB: nonce

L(A,B,kB,nA)N({nA,nB}kA)

N({nB}kB)

L: princ x princ(B) x pubK B x nonce.

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

MSR 2.0 – NS Responder

kB: pubK B

k’B: privK kB

A: princnA: nonce

kA: pubK A

N({nA,A}kB) nB:nonce.L(B,kB,k’B,nB) N({nA,nB}kA)

…nB: nonce

L(B,kB,k’B,nB) N({nB}kB)

L: princ(B) x pubK B(kB) x privK kB x nonce.

kB: pubK B

k’B: privK kB

A: princnA: nonce

kA: pubK A

N({nA,A}kB) nB:nonce.L(B,kB,k’B,nB) N({nA,nB}kA)

…nB: nonce

L(B,kB,k’B,nB) N({nB}kB)

L: princ(B) x pubK B(kB) x privK kB x nonce.

A B: {nA, A}kB

B A: {nA, nB}kA

A B: {nB}kB

Transmission of a long term key

Catches:Encryption with a nonce

Type Checking |— P

|— t :

P is well-

typed in

t has type in

Decidable

Circular key hierarchies, …

Static and dynamic uses

Access Control

CatchesA signing/encrypting with B’s key

‖— P

‖—A rP is AC-valid in

r is AC-valid for A in

Decidable

A accessing B’s private data, …

Fully static

Gives meaning to Dolev-Yao

intruder

An Overview of Access Control

Interpret incoming informationCollect received dataAccess unknown data

Construct outgoing informationGenerate dataUse known dataAccess new data

Verify access to data

Processing a Rule

‖—A lhs >> ;‖—A rhs

‖—A lhs rhs

Knowledge set:

Collects what A knows

Knowledge set:

Collects what A knows

Context

Processing Predicates on the LHS

;‖—A t >>’

;‖—A N(t) >>’

;‖—A t1,…,tn >>’

;‖—A MA(t1,…,tn) >>’

• Network messages

• Memory predicates

Interpreting Data on the LHS

;‖—A k >> ’ ;’‖—A t >> ’’

;‖—A {t}k >> ’’

;‖—A t1, t2 >> ’

;‖—A (t1, t2) >> ’

;(,x)‖—A x >> (,x)

(,x:);‖—A x >> (,x)

• Pairs

• Encryptedterms

• Elementary terms

Accessing Data on the LHS

;(,k)‖—A k >> (,k)

(,x:shK A B);‖—A x >> (,x)

(,k:pubK A,k’:privK k);‖—A k >> (,k’)

(,k:pubK A,k’:privK k);(,k’)‖—A k >> (,k’)

• Shared keys

• Publickeys

Generating Data on the RHS

(, x:nonce);(, x)‖—A rhs

;‖—A x:nonce. rhs• Nonces

Constructing Terms on the RHS

;‖—A t1 ;‖—A t2

;‖—A (t1, t2)

;‖—A t ;‖—A k

;‖—A {t}k

• Shared-key encryptions

• Pairs

Accessing Data on the RHS

,B:princ ‖—A B

,B:princ,k:shK A B ‖—A k

,B:princ,k:pubK B ‖—A k

,k:pubK A,k’:privK k ‖—A k’

• Principal

• Shared key

• Private key

• Public key

Configurations

C = [S]R

Active roleset

Signature

• a : • Ll : • M_:

•N(t)•Ll(t, …, t)•MA(t, …, t)

Execution Model

Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules

P C C’

1-step firing

[S]R (x:.r,) A

[S]R ([t/x]r,)A

Variable Instantiation

Not fully realistic for verificationRedundancy realizes typing, …… but not completely

|— t :

[S]R (x:.r,) A

[S]R ([t/x]r,)A

Rule Application

[S2]RA

c:c not in S1

S, G(c)

[S1]R(r,)A

Firing

r = F, n:. G(n)

Constraint check

|= (constraint handler)

Properties

Admissibility of parallel firing

Type preservation

Access control preservation

Completeness of Dolev-Yaointruder

Completed Specifications

Full Needham-Schroeder public-key

Otway-Rees

Neuman-Stubblebine repeated auth.

OFT group key management

Hour 3

The Most PowerfulAttacker

Hour 3: Outline

Execution with an attacker

Specifying the Dolev-Yao intruder

Completeness of the Dolev-Yao intruder

Execution with an Attacker

P, PI C C’

Selected principal(s): I

Generic capabilities: PIWell-typedAC-valid

Modeled completely within MSR

The Dolev-Yao Intruder

Specific protocol suite PDY

Underlies every protocol analysis tool

Completeness still unproved !!!

Capabilities of the D-Y Intruder

Intercept / emit messages

Split / form pairs

Decrypt / encrypt with known key

Look up public information

Generate fresh data

DY Intruder – Net Interference

t: msgN(t) MI(t) I

MI(t) : Intruder knowledge

t: msgMI(t) N(t) I

DY Intruder – Decryption

MI(t)A,B: princk: shK A Bt: msg

MI({t}k)MI(k)

A: princk: pubK Ak’: privK A t: msg

MI({t}k)MI(k’)

DY Intruder – Encryption

MI ({t}k)A,B: princk: shK A Bt: msg

MI(t)MI(k)

MI ({t}k)A: princk: pubK At: msg

MI(t)MI(k)

DY Intruder – Pairs

MI( t1,t2)t1,t2: msgI

MI(t1)MI(t2)

MI( t1,t2) t1,t2: msgIMI(t1)

MI(t2)

DY Intruder – Structural Rules

MI( t) t: msgIMI(t)

MI( t) t: msgI

DY Intruder – Data Access

MI(k’)k: pubK Ik’: privK k

MI(k)A: princk: pubK A

MI(k)A: princk: shK I A

+ dualI

A: princ MI(A)I

No nonces, no other keys, …

DY Intruder – Data Generation

n:nonceMI(n)I

It depends on the protocol !!!Automated generation ?

Safe data

m:msgMI(m)I

Anything else ?

A,B:princ. k:shK A BMI(k)I

Completeness of D-Y Intruder

If P [S]R [S’]R’

with all well-typed and AC-valid

P, PDY [S]R [S’]R’

Encoding of P, S,

P Remove roles anchored on I

S Map I’s state / mem. pred. using MI

Remove I’s role state pred.; add MI

Encoding of R

No encoding on structure of RLacks context!

Encoding on AC-derivation for R

A :: ‖— R

Associate roles from PDY to each AC

Completeness Proof

Induction on execution sequence

Simulate every step with PDY

Rule application Induction on AC-derivation for R Every AC-derivation maps to execution

sequence relative to PDY

Rule instantiation AC-derivations preserved Encoding unchanged

DY Intruder Stretches AC to Limit

Well-typedAC-valid

Dolev-Yaointruder

Consequences

Justifies design of current tools

Support optimizationsD-Y intr. often too general/inefficient

Generic optimizations Per protocol optimizations Restrictive environments

Caps multi-intruder situations

Hour 4

Reconstructing the Intruder

Hour 4: Outline

Access Control Dolev-Yao intruder

MSR specification Access Control

The Dolev-Yao Intruder Model

Interpret incoming information Collect received data Access unknown data

Construct outgoing information Generate data Use known data Access new data

Same operations as AC!

Accessing Principal Names

B:princ MI(B)I

,B:princ ‖—A BI

What did we do?

Instantiate acting principal to I

Accessed data Intruder knowledge

Meta-variables Rule variables

Ignore context

Checking it out: Shared Keys

,A:princ,B:princ,k:shK A B ‖—A kI

MI(k)B: princk: shK I B

+ dual

Getting Confident: Pub./Priv. Keys

,B:princ,k:pubK B ‖—A k

MI(k)B: princk: pubK B

MI(k’)k: pubK Ik’: privK k

,A:princ,k:pubK A,k’:privK k ‖—A k’

Constructing Messages: Pairs

t1,t2:msgMI(t1), MI(t2) MI((t1,t2))I

;‖—A t1 ;‖—A t2

;‖—A (t1, t2)I

Now, what did we do?

Ignore and knowledge context

Premises antecedent

Conclusion consequent

Auxiliary typing derivation gives types

Carrying on: Shared-Key Encrypt.

;‖—A t ;‖—A k

;‖—A {t}kI

MI(t), MI(k) MI({t}k)A,B: princk: shK A Bt: msg

Similar for public-key encryption

Generating Data: Nonces

(, x:nonce);(, x)‖—A rhs

;‖—A x:nonce. rhs

x:nonce. MI(x)I

Similarly for other generated data

Premises antecedent

One intruder rule for each AC rule

Save generated object

Interpreting Shared-Key Encrypt.

;‖—A k >> ’ ;’‖—A t >> ’’

;‖—A {t}k >> ’’I

MI({t}k), MI(k) MI(t)A,B: princk: shK A Bt: msg

Similar for• public-key encryption• pairing

Premises antecedent

One intruder rule for each AC rule

Save generated object

Premises consequent

Conclusion antecedant

Network Rules

;‖—A t >>’

;‖—A N(t) >>’

;‖—A t

;‖—A N(t)t:msgMI(t) N(t)

t:msgN(t) MI(t)I

… Other Rules?

Either redundant

or, innocuous (but sensible)

t:msgN(t) N(t)I

t1,…,tn :msgM’I(t1,…,tn) MI(t1),…,MI(tn)I

Dissecting AC

5 activities: Interpret message

components on LHS

Access data (keys) on LHS

Generate data on RHS

Construct messages on RHS

Access data on RHS

Constructorsatoms

Trivial

Patternmatchin

Accessing Data

princ: type

Annotate the type of freely accessible data

privK: A: princ. pubK A -> type

pubK: princ -> type

Make it conditional for dep. types

Generating Data

Again, annotate types

shK: princ -> princ -> type

nonce: type

shK: princ -> princ -> type + + !

Interpreting Constructors

Mark arguments as input or output

[_]_: msg -> A: princ. k: sigK A. verK k -> msg

_,_: msg -> msg -> msg

hash: msg -> msg

{_}_: msg -> A: princ. B: princ. shK A B -> msg

{{_}}_: msg -> A: princ. k: pubK A. privK k -> msg

+ * * *

- + + +

Annotating Declarations

Integrates semantics of types and constructors

“Trimmed down” version of AC

Allows constructing AC rules

Allows constructing the Dolev-Yao intruder

… alternatively

Compute AC rules from protocol

There are finitely many annotations

Check protocol against each of them

Keep the most restrictive ones that validate the protocol

Exponential!

More efficient algorithms?

September 17th, 2001 FOSAD 2001 – Bertinoro, Italy

The end

http://www.cs.stanford.edu/~iliano/

september 17 th, 2001fosad 2001 – bertinoro, italy security protocol specification languages...

specification languages

specification languages

course specification

specification important

environment slide

data slide

msr slide

reasonable output security

Documents

fine-grained msr specifications for quantitative security...

relating strands and multiset rewriting for security...

patologías políticas...

2009 senior thesis project...

december 6, 2001dimi, universita’ di udine, italy graduate...

maude implementation of msr demo mark-oliver stehr stefan...

projudi - processo: 0016108-08.2018.8.16.0017 - ref. mov....

the deductive spreadsheetiliano/slides/cmu06.pdfiliano...

edited by r. goebel, j. siekmann,...

diritto commerciale - · pdf fileschemi di diritto...

15-349 introduction to computer and network security iliano...

december 5, 2001dimi, universita’ di udine, italy graduate...

archivio contemporaneo “alessandro bonsanti”fondo...

2008 senior thesis project...

m. oto s iliano m coro salesiano - laprensaaustral.cl ·...

the logical meeting point of multiset rewriting and...

15-349 introduction to computer and network security iliano...

contro corrente cervesato

clf: a concurrent logical framework david walker princeton...

symbolic computation in softwarescience · 2013. 7. 1. ·...