The Inductive Approach to Protocol Analysis
CSG 399 Lecture
The Inductive Approach to Protocol Analysis – p.1
Last Time
CSP approach:
Model system as a CSP process
A specification is a property of traces
Often, can be represented as a process Spec
Message secrecy
Correspondence assertion (see notes)
Checking a specification: Spec ⊑ P
Every trace of P is a trace of Spec
Advantages
There are well-developed techniques for establishing ⊑ by hand
Mechanical proof rules
There are tools to automatically establish ⊑
FDR: a commercial model-checker
Requires some conditions on Spec and P to terminate
There are even tools to automatically create CSP processes from protocols
Casper
Question: can we do the same without requiring CSP?
Paulson’s Approach
Larry Paulson advocates a simple approach:
A protocol in a context describes a set of traces
These traces are defined inductively
A specification is again a property of traces
Checking requires proving that all the traces satisfy the property
By induction on the construction of the traces
Main point: these proofs are big, uninteresting, and better left to machines
Use a theorem prover to write the proofs
Inductively Defined Sets
A set S is inductively defined by a set X and (guarded) operations (f_1, P_1), (f_2, P_2), ... if S is the smallest set satisfying
(i) X ⊆ S
(ii) For every guarded operation (f_i, P_i), if x ∈ S and P_i(x) is true, then f_i(x) ∈ S
Smallest ≡ S is contained in every other set satisfying (i)–(ii)
Example
The natural numbers are inductively defined by {0} and the operation +1 (no need for guard)
I.e., N is the smallest set such that
(i) 0 ∈ N
(ii) If x ∈ N, then x + 1 ∈ N.
Induction Principle
Theorem: Let S be inductively defined by X and (f_1, P_1), (f_2, P_2), ..., and let Q be a property of elements of S. If
(i) Q(x) is true for every x ∈ X
(ii) For every (f_i, P_i): whenever Q(x) is true for x ∈ S with P_i(x), then Q(f_i(x)) is true
Then Q(x) is true for every x ∈ S
Special case: natural numbers induction
Traces
A trace is a finite sequence of events
Says A B M
Notes A M
We concentrate on the first kind of event
Thus a trace is just a finite sequence describing who sends a message to whom.
Traces do not record whether messages are received
Cannot distinguish message not received from message received but never acted upon
Protocols Generate Traces
Let Agents be a set of agents.
Paulson’s approach assumes that:
Agents can participate in an arbitrary number of concurrent protocol interactions
Agents can play any role in any such interaction
Agents have an initial state initState A
We can associate a set of traces to the agents running a protocol
The set of traces of a protocol will be an inductively defined set (in fact, everything will be inductively defined)
Needham-Schroeder
Recall the Needham-Schroeder protocol:
A → B : {A, n_A}_{k_B}
B → A : {n_A, n_B}_{k_A}
A → B : {n_B}_{k_B}
We assume public keys k_A known for each agent.
Traces of Needham-Schroeder I
Define the set T inductively
The empty trace:
〈〉 is in T
Can start an interaction: If
t is in T
A ≠ B
n_A ∉ used t
Then
t ⌢ 〈Says A B {A, n_A}_{k_B}〉 is in T
Traces of Needham-Schroeder II
Can continue an interaction: If
t is in T
A ≠ B
n_B ∉ used t
Says A′ B {A, n_A}_{k_B} ∈ t
Then
t ⌢ 〈Says B A {n_A, n_B}_{k_A}〉 is in T
Traces of Needham-Schroeder III
Can continue an interaction: If
t is in T
Says A B {A, n_A}_{k_B} ∈ t
Says B′ A {n_A, n_B}_{k_A} ∈ t
Then
t ⌢ 〈Says A B {n_B}_{k_B}〉 is in T
Set parts H
What about the set used t, the set of values used in a trace?
We need to give an inductive definition
First consider the set parts H that returns the parts of all messages in H.
It is inductively defined by
H ⊆ parts H
If (x, y) ∈ parts H then x ∈ parts H
If (x, y) ∈ parts H then y ∈ parts H
If {M}_k ∈ parts H then M ∈ parts H
Set used t
Straightforward definition:
used 〈〉 = ⋃_B parts (initState B)
used (t ⌢ 〈Says A B M〉) = (parts {M}) ∪ (used t)
This does not look like an inductively defined set...
But it can be put in that form... Consider (x, t) ∈ used...
Adversary
The adversary is called Spy in Paulson’s paper
To account for the adversary, we only need to add one rule to the inductive definition of the traces of a protocol: If
t is in T
M ∈ known t
B ≠ Spy
Then
t ⌢ 〈Says Spy B M〉 is in T
Set known t
The set of messages known to the adversary in trace t
Definition:
known t = synth (analz (spies t))
where
spies t: set of messages the adversary has intercepted in t
analz H: set of messages the adversary can extract from the messages in H
synth H: set of messages the adversary can synthesize from messages in H
Set synth H
Messages the adversary can synthesize from messages in H
Inductively defined:
Agents ⊆ synth H
H ⊆ synth H
If x ∈ synth H and y ∈ synth H then (x, y) ∈ synth H
If x ∈ synth H and k ∈ H then {x}_k ∈ synth H
Set analz H
Messages the adversary can extract from the messages in H
Inductively defined:
H ⊆ analz H
If (x, y) ∈ analz H then x ∈ analz H
If (x, y) ∈ analz H then y ∈ analz H
If {x}_k ∈ analz H and k⁻¹ ∈ analz H then x ∈ analz H
Set spies t
Messages the adversary can intercept in t
Straightforward definition:
spies 〈〉 = initState Spy
spies (t ⌢ 〈Says A B M〉) = {M} ∪ (spies t)
Again, this can be made into a properly inductively defined set
So?
So now, given a protocol, a set of agents, and an adversary:
We have an inductively defined set of traces T
Finitary description of an infinite set of traces
How do you establish that something is true of all traces?
By applying the induction principle corresponding to T
If a property is true of a trace and remains true if you add an event to the trace according to the protocol, then the property is true of all traces corresponding to the protocol