1 / 29

MSR 3: One Year Later

MSR 3: One Year Later. Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://theory.stanford.edu/~iliano. Protocol eXchange Seminar, UMBC. May 27-28, 2004. A  B : {n A , A} kB B  A: {n A , n B } kA A  B : {n B } kB. NSPK in MSR 3. MSR 2 spec.

grady
Download Presentation

MSR 3: One Year Later

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. MSR 3:One Year Later Iliano Cervesatoiliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://theory.stanford.edu/~iliano Protocol eXchange Seminar, UMBC May 27-28, 2004

  2. A B: {nA, A}kB B A: {nA, nB}kA A B: {nB}kB NSPK in MSR 3 MSR 2 spec. A:princ. { L: princ B:princ.pubK B  nonce  mset. B: princ. kB: pubK B.  nA: nonce. net ({nA, A}kB), L (A, B, kB, nA) B: princ. kB: pubK B. kA: pubK A. kA': prvK kA. nA: nonce. nB: nonce. net ({nA, nB}kA), L (A, B, kB, nA) net ({nB}kB) } Interpretation of L • Rule invocation • Implementation detail • Control flow • Local state of role • Explicit view • Important for DOS MSR 3: One Year Later

  3. A B: {nA, A}kB B A: {nA, nB}kA A B: {nB}kB NSPK in MSR 3 Not an MSR 2 spec. A:princ. B: princ. kB: pubK B.  nA: nonce. net ({nA, A}kB), (kA: pubK A. kA': prvK kA. nB: nonce. net ({nA, nB}kA) net ({nB}kB)) • Succinct • Continuation-passing style • Rule asserts what to do next • Lexical control flow • State is implicit • Abstract MSR 3: One Year Later

  4. A B: {nA, A}kB B A: {nA, nB}kA A B: {nB}kB Parametric strand Alice (A,B,NA,NB) : NA Fresh, pA(A,B) {NA, A}KB {NA, NB}KA {NB}KB Looks Familiar? Process calculus A:princ. B: princ. kB: pubK B. kA: pubK A. kA': prvK kA. nB: nonce. nnA: nonce. net ({nA, A}kB) . net <{nA, nB}kA> . net ({nB}kB) . 0 MSR 3: One Year Later

  5. What is MSR 3? A new language for security protocols • Supports • State transition specs • Conservative over MSR 2 • Process algebraic specs • Rewriting re-interpretation of logic • Rich composable set of connectives • Universal connector Neutral paradigm MSR 3: One Year Later

  6. More than the Sum of its Parts Process- and transition-based specs. in the same language • Choose the paradigm • User’s preference • Highlight characteristics of interest • Support various verification techniques (FW) • Mix and match styles • Within a spec. • Within a protocol • Within a role MSR 3: One Year Later

  7. What is in MSR 3 ? • Security-relevant signature • Network • Encryption, … • Typing infrastructure • Dependent types • Subsorting • Data Access Specification (DAS) • Module system • Equations FromMSR 1 FromMSR 2 w-Multisets MSR 2 Protocols Repr. gap From MSR 2implementation MSR 3: One Year Later

  8. w-Multisets Specification language for concurrent systems • Crossroad of • State transition languages • Petri nets, multiset rewriting, … • Process calculi • CCS, p-calculus, … • (Linear) logic • Benefits • Analysis methods from logic and type theory • Common ground for comparing • Multiset rewriting • Process algebra • Allows multiple styles of specification • Unified approach w-Multisets MSR 2 Protocols Repr. gap MSR 3: One Year Later

  9. Syntax A ::= a atomic object | 1[] empty | A B [A, B] formation | A  B [A  B] rewrite | T no-op | A & B [A || B] choice | x. A instantiation | x. A generation | ! A replication Generalizes FO multiset rewriting (MSR 1-2) x1…xn. a(x)y1…yk. b(x,y) MSR 3: One Year Later

  10. State and Transitions • States S ; G ; D S ; D • S is a list • G and D arecommutative monoids • Transitions S; G; D S’; G’; D’ S; G; D*S’; D’ • * for reflexive and transitive closure • Constructor: “,” • Empty: “” - logic- system w- rewriting - processes- security MSR 3: One Year Later

  11. Transition Semantics S ; G ; (D, A, A  B) S ; G ; (D, B) T (no rule) & S ; G ; (D, A1& A2) S ; G ; (D, Ai) S ; G ; (D, x. A) S ; G ; (D, [t/x]A) if S |- t S ; G ; (D, x. A) (S, x) ; G ; (D, A) ! S ; G ; (D, !A)S ; (G, A) ; D S ; (G, A) ; D S ; (G, A) ; (D, A) S ;G;D*S ;D S ;G;D*S’’;D’’ if S ;G;D S’;G’;D’ andS’;G’;D’ *S’’;D’’ MSR 3: One Year Later

  12. Linear Logic • Formulas A, B ::= a | 1 | A B | A  B | ! A | T | A & B | x. A | x. A • LV sequents G ; D -->S C • Constructor: “,” • Empty: “” - logic- system w- rewriting - processes- security Unrestrictedcontext Goalformula Linearcontext Signature MSR 3: One Year Later

  13. Logical Derivations G’’’; C -->S’’’C • Proof of C from D and G • Emphasis on C • C is input • Finite • Closed • Rules shown • Major premise • Preserves C • Minor premise • Starts subderivation G’’; D’’ -->S’’CG’; D’ -->S’C - logic- system w- rewriting - processes- security G; D -->SC MSR 3: One Year Later

  14. A Rewriting Re-Interpretation • Transition • From conclusion • To major premise • Emphasis on G, Dand S • C is output, at best • Does not change • Possibly infinite • Open • Minor premise • Auxiliary rewrite chain • Finite • Topped with axiom G’’’; C -->S’’’C G’’; D’’ -->S’’CG’; D’ -->S’C - logic- system w- rewriting - processes- security G; D -->SC MSR 3: One Year Later

  15. S; G; (D, x. A) S; G; (D, [t/x]A) if S |- t S |- t G; D,[t/x]A -->SC G; D,x.A -->SC Interpreting Unary Rules S; G; (D, !A)S; (G, A); D G; D, A, B -->SC G; D, AB -->SC S; G; (D, AB) S; G; (D, A, B) G; D, A -->S,xC G; D, $x.A -->SC - logic- system w- rewriting - processes- security S; G; (D, x. A) (S, x); G; (D, A) G, A; D -->SC G; D, !A -->SC … … MSR 3: One Year Later

  16. Minor premise Auxiliary rewrite chain Top of tree Focus shifts to RHS Axiom rule Observation Binary Rules and Axiom G’; A -->S’A G; D’ -->SAG; D, B -->SC G; D, D’, AB -->SC - logic- system w- rewriting - processes- security MSR 3: One Year Later

  17. G,G’; A’ -->S,S’A’ Observations G; D -->SS’.A’ • Observation states S ; D • In D, we identify • , with  •  with 1 Categorical semantics • Identified with x1. … xn.D • For S = x1, …, xn De Bruijn’s telescopes • Observation transitions S; G; D*S’; D’ A D = D - logic- system w- rewriting - processes- security S; D = S.D MSR 3: One Year Later

  18. G; D’ -->SAG; D, B -->SC G; D, D’, AB -->SC G; D’ -->SA G; D, A-->SC G; D, D’ -->S C Interpreting Binary Rules G; A -->SA S; G; (D, D’, A  B) S; G; (D, B)if S; G; D’* S; A S; G; D*S; D S; G; D*S’’; D’’if S; G; D S’; G’; D’and S’; G’; D’* S’’; D’’ - logic- system w- rewriting - processes- security S;G;D,D’ S;G; (A, D)if S;G;D’*S; A … … MSR 3: One Year Later

  19. Formal Correspondence • Soundness If S ; G ; D* S,S’; D’then G ; D -->SS’. D’ • Completeness? • No! We have only crippled right rules  ;  ; a  b, b  c*  ; a  c - logic- system w- rewriting - processes- security MSR 3: One Year Later

  20. System w • With cut, rule for  can be simplified to S; G; (D, A, A  B) S; G; (D, B) • Cut elimination holds = in-lining of auxiliary rewrite chains • But … • Careful with extra signature symbols • Careful with extra persistent objects • No rule for  needs a premise •  does not depend on * - logic- system w- rewriting - processes- security MSR 3: One Year Later

  21. Multiset Rewriting • Multiset: set with repetitions allowed a ::=  | a, a • Commutative monoid • Multiset rewriting (a.k.a. Petri nets) • Rewriting within the monoid • Fundamental model of distributed computing • Alternative: Process Algebras • Basis for security protocol spec. languages • MSR family • … several others • Many extensions, more or less ad hoc - logic- system w- rewriting - processes- security MSR 3: One Year Later

  22. Atomic terms Principals A Keys K Nonces N Other Raw data , timestamp, … Constructors Encryption {_}_ Pairing (_, _) Other Signature, hash, MAC, … The Atomic Objects of MSR 3 w-Multisets MSR 2 Protocols Repr. gap Predicates • Network net • Memory MA • Intruder I • … Fully definable MSR 3: One Year Later

  23. Types Fully definable • Powerful abstraction mechanism • At various user-definable level • Finely tagged messages • Untyped: msg only • Simplify specification and reasoning • Automated type checking • Simple types • A : princ • n: nonce • m: msg, … • Dependent types • k : shKAB • K : pubKA • K’ : privKK, … w-Multisets MSR 2 Protocols Repr. gap MSR 3: One Year Later

  24. Subsorting • Allows atomic terms in messages • Definable • Non-transmittable terms • Sub-hierarchies • Discriminant for type-flaw attacks t <: t’ w-Multisets MSR 2 Protocols Repr. gap MSR 3: One Year Later

  25. Data Access Specification • Prevent illegitimate use of information • Protocol specification divided in roles • Owner = principal executing the role • A signing/encrypting with B’s key • A accessing B’s private data, … • Simple static check • Central meta-theoretic notion • Detailed specification of Dolev-Yao access model • Gives meaning to Dolev-Yao intruder • Current effort towards integration in type system • Definable • Possibility of going beyond Dolev-Yao model w-Multisets MSR 2 Protocols Repr. gap MSR 3: One Year Later

  26. Modules and Equations • Modules • Bundle declarations with simple import/export interface • Keep specifications tidy • Reusable • Equations (For free from underlying Maude engine) • Specify useful algebraic properties • Associativity of pairs • Allow to go beyond free-algebra model • Dec(k, Enc(k, M)) = M w-Multisets MSR 2 Protocols Repr. gap MSR 3: One Year Later

  27. State-Based vs. Process-Based • State-based languages • Multiset Rewriting • NRL Prot. Analyzer, CAPSL/CIL, Paulson’s approach, … • Statetransitionsemantics • Process-based languages • Process Algebra • Strand spaces, spi-calculus, … • Independentcommunicatingthreads w-Multisets MSR 2 Protocols Repr. gap MSR 3: One Year Later

  28. PB State vs.processdistance PB SB SB Otherdistance MSR 3 MSR 3 Bridges the Gap • Difficult to go from one to the other • Different paradigms w-Multisets MSR 2 Protocols Repr. gap State  Process translation done once and for all in MSR 3 MSR 3: One Year Later

  29. Summary • MSR 3.0 • Language for security protocol specification • Succinct representations • Simpl specifications • Economy of reasoning • Bridge between • State-based representation • Process-based representation • w-multisets • Logical foundation of multiset rewriting • Relationship with process algebras • Unified logical view • Better understanding of where we are • Hint about where to go next MSR 3: One Year Later

More Related