80 likes | 206 Views
Alice & Bob Specifications. Jon Millen June 2005. Security Protocol Specification Languages. Alice & Bob Textbook and article style Specification is a normal message list A B: {A,Na}Kb CAPSL, Casper, HLPSL, ISL, ... Role process specifications
E N D
Alice & Bob Specifications Jon Millen June 2005
Security Protocol Specification Languages • Alice & Bob • Textbook and article style • Specification is a normal message list • A B: {A,Na}Kb • CAPSL, Casper, HLPSL, ISL, ... • Role process specifications • Separate specifications for each participant • Some form of state transition spec • Semantics is easier to understand • Varying degrees of customization, convenience • Prolog, CSP, PVS, Maude, pi-calculus: existing languages • MSR, CPPL, Spi-calculus: specialized languages • CIL, IF: just intermediate languages • May or may not support code generation
CAPSL PROTOCOL NeedhamSchroederPK; VARIABLES A, B: PKUser; Na, Nb: Nonce, FRESH; ASSUMPTIONS HOLDS A: B; MESSAGES 1. A -> B: {Na, A}pk(B); 2. B -> A: {Na, Nb}pk(A); 3. A -> B: {Nb}pk(B); GOALS SECRET Na; SECRET Nb; PRECEDES A: B | Na; PRECEDES B: A | Nb; END; ENVIRONMENT Test1; IMPORTS NSPK; CONSTANTS Alice, Bob: PKUser; Mallory: PKUser, EXPOSED; AGENT A1 HOLDS A = Alice; B = Bob; AGENT B1 HOLDS B = Bob; END; Translated to CIL; from there to Athena, Csolve, PVS, Maude, NRL-PA, and Java code
Casper Example from Lowe's Web page -- Needham Schroeder Public Key Protocol, -- 3 message version #Free variables A, B : Agent na, nb : Nonce PK : Agent -> PublicKey SK : Agent -> SecretKey InverseKeys = (PK, SK) #Processes INITIATOR(A,na) knows PK, SK(A) RESPONDER(B,nb) knows PK, SK(B) #Protocol description 0. -> A : B 1. A -> B : {na, A}{PK(B)} 2. B -> A : {na, nb}{PK(A)} 3. A -> B : {nb}{PK(B)} #Specification Secret(A, na, [B]) Secret(B, nb, [A]) Agreement(A,B,[na,nb]) Agreement(B,A,[na,nb]) #Actual variables Alice, Bob, Mallory : Agent Na, Nb, Nm : Nonce #Functions symbolic PK, SK #System INITIATOR(Alice, Na) RESPONDER(Bob, Nb) #Intruder Information Intruder = Mallory IntruderKnowledge = {Alice, Bob, Mallory, Nm, PK, SK(Mallory)} Translated to CSP and Java
HLPSL PROTOCOL NSPK; Identifiers A, B: user; Na, Nb: number; Ka, Kb: public_key; Knowledge A: B,Ka,Ka',Kb; B: A,Ka,Kb,Kb'; Messages 1. A -> B: {Na,A}Kb 2. B -> A: {Na,Nb}Ka 3. A -> B: {Nb}Kb Session_instances [ A:a, B:b, Ka:ka, Kb:kb ] [ A:a, B:I, Ka:ka, Kb:ki ]; Intruder divert, impersonate; Intruder_knowledge I, b, ka, kb, ki; Goal A authenticate B on Nb; Goal B authenticate A on Na;
Design Issues • A B: source, destination; part of the message or not? (no) • Principal-to-key and key inverse relations • public_key(A,Ka) vs. pk(A) • pk(A) only (free algebra) or inverse(Kpa,Ksa) • Message views (hidden structure) and implicit message actions • Lowe "%" notation: A B: {M}Kc%F where B sees only "blob" F • Role and parameter identification • Which parameters are independent inputs • Which nonces and session keys are generated by whom • Security goal statements • Other issues • Data types and extensibility • Attacker capabilities and knowledge • Scenario specification for model checking • Implementability checking - definedness of variables • Some of these issues apply to role process specs as well
Non sequitur: Constraint Solver (Csolve) • Bounded-process model checker in Prolog • Parametric strand specifications • SWI-Prolog/XPCE for diagrams • Working on translation from CPPL