A Semantic Model for Adaptive Communicationdsm/papers/adaptiveformal/sem04.pdfFor example, today...
Transcript of A Semantic Model for Adaptive Communicationdsm/papers/adaptiveformal/sem04.pdfFor example, today...
A SemanticModel for Adaptive Communication
SebastianGutierrez-Nolasco�, Nalini Venkatasubramanian
�, andCarolynTalcott
��
Universityof California,Irvine, Irvine, CA [email protected], [email protected]�
StanfordUniversity, Stanford,CA [email protected]
Abstract. Futureapplicationswill executein highly dynamicenvironments,wherecommunicationis notuniformdueto changingconditionsof network connectivity, reliability andresourceavailability. Designingcommunicationframeworks that are capableof dynamicallyadaptingthemselves to the environmentis an importantchallenge.Furthermore,differentapplicationsmaydemanddifferentpropertiesandguaranteesasfar astheQoS,securityandfailuresemanticsareconcerned.Althoughseveral frameworkshave beendesignedto supportmodularandrecon-figurablecommunicationprotocols,they supportcomplex programminginterfacesandprotocolbehavior is oftenexpressedvia informal descriptions.Clearsemanticmodelscapableof expressingdependenciesamongpropertiesrequiredby a givencommunicationsystemwill helpdesignsafecustomizablecommunicationframeworks.In thispaperwe presenta reflective communicationframework basedon a semanticmodelof distributedobject reflec-tion. We illustratehow suchan adaptive framework is usedto formalizeandreasonaboutinteractionsbetweencommunicationprotocolsandensuretheir safecomposition.
1 Intr oduction
Recentadvancesin componentbasedsoftwareandcommercialoff-the-shelfproductshave enabledthe creationofapplicationscapableof dynamicallyadaptingthemselvesto unpredictablechangesin thecomputationalandcommu-nicationenvironment.However, thesenew kindsof applicationmaydemanddiverseguaranteesfrom theunderlyingcommunicationsubsystemasfarasQoS(qualityof service),securityandfailuresemanticsareconcerned.Traditionalcommunicationframeworksarenotwell suitedto captureandexpressdependenciesamongpropertiesrequiredby theapplication.
For example,todaymany workersaccess(via VPNs)confidentialbusinessdatafrom almostany wirelesshot-spotlocationsuchascoffee houses,food-franchises,librariesandconferencehalls.Currently, thesehot-spotsoffer freenetwork access,but weforeseeashift in thisaltruisticvisionallowing freerestrictedaccess;while providing increasedbandwidthor greateraccessto paidcustomers.In thisscenario,apaidcustomerwill expectacertainminimumlevel ofQoSin theform of sustainedbandwidth,end-to-enddelayboundanda certaindegreeof security(evenif hedoesnottrust thehot-spotinfrastructureandusesa VPN, sinceuserauthenticationis donebeforeobtaininga securechannelor a VPN connection).However, currentsecurityprotocolsassumereliablecommunicationbetweenend-pointsandall communication(at theapplicationlevel) is stalledwhile bothend-pointsauthenticatethemselvesandestablishtheconnectionor whenthey executerefreshor rekey protocols.Therefore,they arenot immediatelysuitablefor useinhot-spots,whicharecharacterizedby suddenchangesin latency, bandwidthandreliability dueto unexpectedincreaseof customersin thevicinity or theuseof intensiveapplications(e.g.multimedia,file transfers,etc)by customersonthemove. Next generationof communicationframeworksmustmonitor their environmentin orderto adaptthemselvesto suddenchangeson reliability, latency, bandwidthandsecuritylevels providedby the hot-spotwithout disruptingcommunicationat theapplicationlevel. [Nalini - add 2 more
examples]As anotherexample,anunmannedair vehicle(UAV) recordssurveillancevideodataandtransmitsit via awirelesschannelto areceiveronanearbyship.Thereceivedvideostreammustbedistributedto severalviewersonthatshipandpossiblyonotherships.In thisenvisionedscenario,datain transfermustbeprotectedfrom beingreadby unauthorizedentitiesand compressedin order to overcomebandwidthconstraints.Moreover, in a battlefieldsituation the shiprequirestimelinessof delivery of the UAV picturesto assurethat decisionsaremadefrom timely data.Encryptionandcompressionareinherentlydataintensive andtheir useaffectsthetimelinessrequirement.To furthercomplicatethescenario,dependingon theircurrentlocation,viewersmayhavedifferentandconstantlychangingrequirementsintermsof securityandtimeliness.
Although thesesimple scenarioshighlight the relevanceof adaptive communication,they also underscoretherequirementfor a semanticmodelcapableof assuringsafeadaptation. [clt - will needto say
whatsafemeans– seeintro to TOSEM pa-per]
In thispaper, wedescribeareflectivecommunicationframework(RCF)anddevelopadetailedformalsemanticsforsuchframework usinga genericsemanticmodelof distributedobjectreflection.We thenillustratehow thesemanticspecificationof the RCF is usedto ensurecorrectnessof critical applicationpropertiesandhow it can be usedtosupportadaptive communication.The remainderof this paperis organizedasfollows. In Section2, we describethebasicreflective communicationframework. Formalspecificationof the framework is discussedin Section3. Section4 givesan overview of the formal semanticsof the reflective communicationframework; while Section5 discussescomposabilityandinteractionissuesthatarisein adaptivecommunication.We describerelatedwork andconcludeinSection6 with futureresearchdirections.
2 A Reflective Communication Framework
Sincetheactormodelof computation[7] incorporatesthe notionof encapsulationandinteractiononly via messagepassing,it offers a clear, flexible andsimplesemanticapproachto describedistributedsystemsbasedon incomingcommunications[9]. Thesystemis modeledasa groupof self containedandindependentautonomousobjects,calledactors,which communicatevia asynchronous(buffered)messagepassing.On receiving a communication,an actorprocessesthe messagein a mannerdeterminedby its currentbehavior. As a result, the actormay: (1) Createnewactors,(2) Changeits behavior and (3) Sendmessagesto itself or to other (existing) actors.Sincemail addressesmaybecommunicatedin messagestheconfigurationof thecommunicationis dynamicandtheactivationorder(onemessageactivatesanotherif thelatteris sentduringtheprocessingof theformer)determinescommunicationpatterns.
In ourmodel,asystemis composedof two kindsof actors,baseactorsandmetaactors,distributedoveranetworkof processingnodes.Baseactorscarryout applicationlevel computation,while metaactorsarepart of the run-timesystem,which managessystemresourcesandcontrolsthe run-timebehavior of the baselevel. Metaactorscommu-nicatewith eachothervia messagepassingasdo baseactors,andthey mayalsoexamineandmodify thestateof thebaseactorslocatedonthesamenode.Baselevel actorsandmessageshaveassociatedrun-timeannotationsthatcanbesetandreadby metaactors.Theannotationsareinvisible to baselevel computation.Actionswhich resultin a changeof baselevel state,arecalledeventsandmetaactorsmayreactto themif they occuron theirnode.A configurationhasasetof baseandmetalevel actorsandasetof undeliveredmessages.Theactorsaredistributedoverthesystemnodes.Eachactorhasauniquename(actoridentifier)andtheconfigurationassociatesacurrentstateto eachactorname.Theundeliveredmessagesaredistributedover thenetwork (somearetraveling alongcommunicationlinks andothersareheldin nodebuffers).
In orderto provide correctcompositionof communicationprotocolsin a transparentandscalablefashion,we ex-tendour modelwith a reflective communicationframework (RCF),which customizesthebaselevel communicationas follows (seeFigure1). Eachbaselevel actorhasa metalevel actor, calledmessenger, which servesas the cus-tomizedandtransparentmail queuefor thatbaselevel actor. Thereis onecommunicationmanager in every nodeofthedistributedsystem,which implementsandcontrolsthecorrectcompositionof communicationprotocolsspecifiedby messengerson thatnode.A messengerhastwo messagequeues:(i) Theupqueueis usedasthe(baselevel) actor’ssendbuffer, and(ii) The dwn queueis usedto deliver messagesto the (baselevel) actor, servingas its customizedmail queue.Thecommunicationmanagerhasa setof communicationprotocolactors,eachof themimplementingaparticularcommunicationprotocolprovidedby theframework (e.g.reliable,in-orderor security).Thisschemeallowsusto abstracta coresetof communicationprotocolsandshareit betweenthedifferentmessengerson a node,simpli-fying thesynchronizationandcompositionprocess.Furthermore,it encouragesseparationof concernsin theprocessof messagetransmissionandreception.However, in purely reflective architectures,reasoningaboutthesemanticsofcorrectcommunicationcompositionmaybecomplicated;moreover, its implementationmaybeinefficient.
In orderto maintainaccuratesemanticsandprovideanefficient implementationof thearchitecture,thecommuni-cationmanagerusesa pre-definedpool of metalevel entities,calledcommunicationmessagecoordinators(or simplymessage coordinators). Every messagerequiringa communicationprotocolis assigneda messagecoordinatorandatany instance,amessagecoordinatorhandlesthecompositionof thecommunicationprotocolsrequestedby a messen-gerfor anindividualmessage.Themessagecoordinatorassuresthecorrectorderof compositionof requiredprotocolsandprovidesa coordinationmechanismbetweenthe messengerand the protocolsthat provide it. This conceptofreusablemessagecoordinatorsis anefficient way to handletheservicerequestof eachmessengerwithout having topay thebottleneckassociatedwith thecentralizationof theservicesin thenodecommunicationmanagerandallowsusto processconcurrentlymultiple messages.
In theRCFmodel,acommunicationprotocolmaybeexplicitly requested(atany instance)by thesenderor implic-itly specifiedby its messenger, in casethesenderandthereceiverpreviouslyagreedto useaparticularcommunication
2
Fig.1. Thereflective communicationframework model.
protocol.In orderto providedynamiccustomizationof communicationprotocols(potentiallyonapermessagebasis),theRCFmodelseparatesspecification,compositionandimplementationof communicationprotocols.Thespecifica-tion is handledby the messengerthrougha messageservicelist (msl), which determinesthe setof communicationprotocolsto beusedin thecommunicationof a specificmessageto its target.Thecommunicationprotocolsrequiredby acommunicationmaybeexplicitly specifiedor constructedby themessengerusingtarget-actorinformationwithinthe message.The messengeralsoassignsevery outgoingmessagea uniquemessageidentifier (msgid), which is auniquesequenceof valuesassignedto every messageto besent.Themsgidis composedby concatenatingthecom-municationmanageridentifier (cmid), anapplicationidentifier (appid), a communicationmanagersequencenumber(cms) anda local time stamp(ts) definedby Lamport’s happened-beforerelation[16]. Theprotocolsthemselvesareimplementedby independentcommunicationprotocolactors.This schemeallowsusto add(plug in) or remove(plugout) communicationprotocolsdynamically.
3 RussianDolls: A semanticmodelof distrib uted object reflection
Theconcurrentstateof a distributedsystem,oftencalleda configuration,hastypically thestructureof a flat multisetmadeupof objectsandmessagesthatbehaveaccordingto a setof rulesdescribingthebehavior of individualobjects.We canvisualizethis configurationasa soupin which objectsandmessagesfloat andinteractwith eachother. Wemodela distributedsystemconfigurationusingtherewriting logic objectmodel[26] [13] whereanobjectin a givenstateis representedas
����� � �� � ����Where � is the object’s nameor identifier, � is its classand ������� its attribute set,andthe rewrite rulesdescribingthedynamicsof thesystemcanhavetheform
�����! �"#"#" �%$ �&� $ � $ �� � �� $ � "#"#" �&�(')� *'+ �� � ��,'-�.+/���&0�� 102 �� � ��302� "#"#" ���('2� �'4 �� � ��,'4�5���7698�: � �; � �� � "#"#" ���7698�:$ � $ �� � �� $ � � 6)8<:' "#"#" � 6)8<:6 =?>A@where r is the label, B ’s are messages,and C is the rule condition. That is, at any time, objectsand messagescancometogetherandparticipatein a concurrenttransitioncorrespondingto a communicationevent in which somenew objectsmaybecreated( �ED1F�G ), otherobjectsmaybedestroyed,othersmaychangetheir stateandnew messages( BHD*F�G ) maybecreated.
3
3.1 Componentsof the Model
In theRussianDolls model[14], objectsarestructuredin nestedconfigurationsof metaobjectsthatcancontrol(baseandmeta)objectsunderthem,calledsubobjects,with anarbitrarynumberof levelsof nesting.Thisallowsusto modelprocessingnodesasmetaobjectsthat encapsulateactors(baseandmeta)andmessages.Thus,we have threemaincomponentsin themodel:actors(baseandmeta),nodesandmessages.
Baseand meta actors: We usetheRussianDolls theoryto modelactorsasobjectswith identity andstate,con-figurationsassoupsof actorandmessages,andactorbehavior rulesasrewrite rules.Therefore,a baseactorsystemis representedasa specialcaseof objectmoduleconfiguration.A baseactoris representedasanobjectin somebaseactorclassIJC . Messageshavetheform �LKNM , where� is theactoridentifierof thetargetactorand M is themessagecontents.Baseactorrulesareconstrainedto have theform
�&�2� O @ �� � ����7P7Q ��R;SNT .+/ �U�2� O @WV �� � �� V �7P(X3Y�Z D >[=\> Y�Z D*]where I^C and I^CE_ arebaseclases,�*����� and �������9_ areattributevaluesetsappropriatefor thecorrespondingclasses,`;acb-d7e
is aconfigurationof newly createdbaseactorsandmessages,and fcg indicatesthatthemessagepartis optional.A metaactoris anobjectin somemetaactorclassBhC andmetamessageshave theform Mi�%KLMij , where Mi� is theidentifierof themetaactor. Metaactorsaregroupedassubobjectsconfigurationsof nodes.
Node:A nodeis anobjectof classk b4l�m andhasanattributeacb-d7e
whosevalueis aconfigurationcontainingmetaactorsandmessages.Eachnodehastwo specialmetaactors(seefigure2): A basebehavior taskmanagermetaactor` ��Mn� of classIpo!BhC thatrepresentsandcontrolsbaseexecutionbehavior, anda communicationmetaactor
a Mn� ofclassCqBhC thatrepresentsandcontrolsbasecommunicationsemantics.Thesemetaactorsalsoimplementtheeventhandlingsemanticsassociatedwith baseevents.Hence,a nodehastheform
�&r9� sLZ ];F Y�Z D > �#�UX< tSu�)� Owv � @ "#"#" �x�UY3Su�)� @ � @ "#"#" �ySLY�Z D > �
Fig.2. TheRussianDolls Model
Basebehavior task manager actor: A basebehavior taskmanagermetaobjectof class I�o%BhC hasattributes` B b4l,` C b-d7e ,
m-zEm){, | m)d(l�} j , ~����3�,� b-� .
�&X< tSL�2� OWv � @ X � Z ] � � O � P&X @ Z D > � � X�Y�P F��(F3� � F SL���4P&� F�D1]��7� � F�� P G � = t7Z���� ���I^B is the modulethatdescribesthe behavior of the baselevel objectasrewrite rulesandthus,thevalueof
` B b4lis themetarepresentationof thebasemodule I^B ; while thevalueof
` C b-d7e is themetarepresentationof thebaseconfiguration
;a. Hereweusetheconventionthatif � `;a denotesabaseentity then � � `;a denotesthemetarepresentation
of thatentity. Thefactthatrewriting logic is reflectiveguaranteesthat � � `;a is themetarepresentationof � `ca andsuchfaithful metarepresentationexists.
4
Theremainingattributesdealwith executionof eventhandling.An executioneventis themodificationof anode’sbaseactorconfigurationdueto applyingeithera baseor a metarule. An executionevent is representedby the term������� � `;acb-d7e�� � ��| l ��� m���a Mn�9|�� , where
;a2b-d7eis theinitially baseconfiguration,��| l �*� m is abaseconfigurationthatspec-
ifies new statesfor existing baseactorsaswell asnewly createdbaseactorsandmessages.a Mn�9| mapsnewly created
baseactorsandmessagesto identifiersof existing baseactorson whosebehalfthey werecreated.Eventhandlingismodeledbysendingnotificationsto metaactorsregisteredfor theevent.A metaactoris registered
for aneventonly if it hasaneventhandlingrule matchingthis eventthatgeneratesa reply to thenotifying actor. Thevalue
m Mi�9| of theattributem-z!m){
mapsanexecutioneventto thesetof namesof metaactorsthatareregisteredto benotifiedabouttheevent.Themapingis computedusingthe term ���1����� � m Mi�9| ��m j m9d ��� . Thevalue
m j of theattribute| m9d(l�} j is eitheran executionevent or a specialvalue
d(b-d(m, indicatingthat no event handlingis in progress.The
value � of ~������,� b-� is thesetof metaactoridentifiersfor which thenotificationreply hasnot beenreceived.Communication actor A communicationmetaobject of class CqBhC hasattributes � m9d(l�� , � �-� ��j m4� ,
m-zEm2{,
| m9d(l�} j , ~����3�,� b-� . The valueof � m9d(l�� is a list of outgoingmessagesof the form � � Mn� {&� �#� d(l1� � , representingre-questsfrom baseactor � d(l1� to sendmessageMn� { ; whereasthevaluesof � �9�-� �3j m4� is a list of incomingmessagesoftheform � � Mn� {&� �#� d(l*�4� ��Mn�9|�� representingthearrival of messageM�� { from baseactor � d(l*� with messageannotationmap �*Mn�9| . Theremainingattributesareeventhandlingattributessimilar to thoseof Ipo%BhC .
�&Y3SL�2� @ � @ � F�D1]�� � �,Su� � ��P(�c��� = �cF,� � �;SL� � ��P F��(F3� � F SL���4P&� F�D1]��7� � F�� P G � = t7Z���� ���
3.2 Meta level transitions
Sincea systemconfigurationcanbevisualizedasa soupof nodesandmessageswith baseandmetaactorsformingsubgroupsinsidethenodes,anodetransitionmightbeeithera communicationtransitionor anexecutiontransition.
A communicationtransitionmovesa messageto actorsonothernodesfrom thenode’sbuffer to theexternalsoupor movesamessageto anactoron thenodefrom theexternalsoupinto thenode’smail buffer. An executiontransitionfirst applieseitherabaseor metatransitionrule.If thereis anassociatedbaseevent,theneacheventhandlingrule thatmatchestheeventmustbeapplied(in anunspecifiedorder)andtheassociatedannotationupdateappliedto thenewlocalbaseconfigurationandmessages.In general,a metatransitionrulehastheform
Su�[Q SuSL� � T .+/p�<�t�� 69¡¢�£�¤�¥,¦ 8 SL� V PUSLY�Z D >A=\> Y�Z D*]whereMi� is a metaactor, f MiM�� { g is anoptionalmetamessageaddressedto Mi� , Mi��_ is thesamemetaactorwith itsstatepossiblymodified, M acb-d7e is a configurationof newly createdbaseactorsandmessagesand
a2b-d(lis a predicate
constrainingtheactor-messagepairsto which theruleapplies.�*| l ��� m is eitheremptyor hastheform � `;acb-d7e���a Mi�9|�� .Whentherule is applied,
;acb-d7eis boundto thebaseactorconfigurationon thenodewherethemetaactoris located.
As a resultof rule application,baseactorannotationsor messageannotationsmaybeupdated.Metaactorruleswithemptyupdatearerepresenteddirectlyasobjectrewrite rules
��SL�2� � @ �� � ����5Q SuSL� � T .+/ ��SL�2� � @7V �� � �� V �7PUSLY�Z D >A=\> Y�Z D*]Ruleswith non-emptyupdaterequiresynchronizationwith the
` ��Mn� sincethe` ��Mn� needsto notify all registered
metaactorsbeforeupdatingthe baseconfiguration.In order to clearly specifybaselevel execution,we divide theexecutionof a baseactor into four consecutive stepsor rewrite rules,eachof themmarked by a label of the formRR(label). (seefigure3). In eachstep,someattributesaremodifiedandtheir modificationwill enablethenext steptoexecute.Thatis, initially the
` ��Mi� will enquetheexecutioneventin its | m9d(l Bh� { attribute( step1),enablingstep2 toproceed,whichnotifiesall registeredmetaactorthattheevent
m j�� is goingto beexecuted.Notethat §�¨+©<ª «��1�+��� � � ��m j*���is thesetof messagesMi�qK d(b ��� e�¬ � m j*��� for Mi� in � . That is, � is thesetof metaactorsregisteredto benotifiedwhentheevent
m j*� occurs.Oncethenotificationshavebeensent,the` ��Mn� startsprocessingtheevent(step3), which
may producenew actorsandmessages.a Mi�9| mapsnew actorsandmessagesto actor � , That is, newly actorsand
messageswerecreatedon behalfof actor � . Whenthe executionof the event is beingprocessed(step4), the` ��Mi�
waits for acknowledgementsfrom the registeredMn� ’s. Whenall registeredmetaactorhave acknowledgednotifica-tion,
` ��Mn� completestheexecutioneventby updatingits modelof thebaseconfigurationandtransmittingnewly sent
5
messagesto thea Mi� (step5).
`;a _ is the resultof applying �*| l ��� m to � `;a , and �)M�� { �9_ containselementsof the form� � Mn� {&��a Mn�9| � � M�� { ��� for eachmessagespecifiedby ��| l ��� m
Step1 uu®�¯?°w±*²�³4´¶µ�·�¸º¹�»1¼L½+¾;´¿·�ÀÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö ÒÕ¾cu¾�»qÆ4¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼L½EÆ-´¿Í2´Ô¾-ÒÕ¹�·�Å+Ù2·3¾cÏEÆ-Ó�Å1Ú�¹;¾ÉÛܶÝÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö ÒÕ¾cu¾�»qÆ4¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼L½EÆ4¾;½-·�ÒÞ¹�·3Å+Ùc·�¾;Ï!Æ+Ó�Å1Ú�¹;¾LÛµ<Óx¾c½-· ÜLÜàß�á4ß ²3Ð Ç!¸âÆÑÐ Â�Ö Ò;Ð ã-×�Ï4Å4·3¾4Ò Ö Ä^Å2×ØÀ�Å+´¿ÏºÐ ã-×�Ï4Å4·�¾ Üåäcæ1ç-è)é<ß ²3Ð Ç!¸ÎÒ;Ð Â�Ö Ò�Ð Â�Ö�ê ÀStep2 uu®�¯?°w±*²�¹�·�Å+Ù2·�¸º¹�»1¼L½+¾;´¿·�ÀÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö ÒÕ¾cu¾�»qÆ4¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼L½EÆ4¾;½-·�ÒÞ¹�·3Å+Ùc·�¾;Ï!Æ+Ó�Å1Ú�¹;¾LÛܶÝÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö ÒÕ¾cu¾�»qÆ4¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼L½EÆ4¾;½-·�ÒÞ¹�·3Å+Ùc·�¾;Ï!Æ9·�Ù)ã�¾4Ò^ë�Å1µ�·3ìuÍ)Ù�Æ4íîÛLÒ´¿Íc·3µ<Ó�ï+Å1Ú?Ú�²�íiÒ�¾;½-·,ÀëNð�¾;Ù)¾ní Ü Åc×-×ØÚ\￲t¾;ÄJÅc×�Ò<¾;½-·,ÀStep3 uu®�¯?°w±*²�¹�·�Å+Ù2·3¼Éñ�¾ Ö ã�·3µtÍ2´ÔÀÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö ÒÕ¾cu¾�»qÆ4¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼L½EÆ-´¿Í2´Ô¾-ÒÕ¹�·�Å+Ù2·3¾cÏEÆ2·3Ù2ãؾLÛܶÝÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö ÒÕ¾cu¾�»qÆ4¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼L½EÆ4¾;½-·�ÒÞ¹�·3Å+Ùc·�¾;Ï!Æ+Ó�Å1Ú�¹;¾LÛµ<Óò²3Ð ÅØÒ�Ù2´¿Å+ÄÞ¾-Ò�¹�ã  ¹�·�ÀWóÕ¾;´¿Å  Ú?¾;Ïز3Ð Ç!¸ÎÒ�Ð Â�Ö À^Å+´¶ÏxÐ ã-×�Ï4Å4·�¾ ÜLÜ ã-×�Ï4Å4·�¾4²3Ð Ç%¸yÒ�Ð Â�Ö Ò;Ð ÅØÒ�Ù)´¿Å+ÄÞ¾-Ò�¹;ã  ¹�·,ÀpÅ1´¿ÏÖ ÄJÅc× ÜLÜ ÄJÅ1ô1¾ Ö ÄJÅc×&²3Ð ã-×�Ï4Å+·3¾-Ò�Ð Å*À�Å+´¿Ïõ¾;½-· ÜLÜ ¾;ñؾ4²3Ð Ç!¸öÆÑÐ Â�Ö Ò;Ð ã-×�Ï4Å+·3¾-Ò Ö Ä^Åc׿ÀStep4 uu®�¯?°w±*² Ö Í2´¿·�µt´¶ã�¾2¼Lñؾ Ö ã�·3µtÍ2´�ÀÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö ÒÕ¾cu¾�»qÆ4¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼L½EÆ4¾;½-·�ÒÞ¹�·3Å+Ùc·�¾;Ï!Æ9·�Ù)ã�¾4Ò^ë�Å1µ�·3ìuÍ)Ù�Æ4íºÄ^ÅqÛLÒ ·3Ä^Å�÷ø´¿Íc·3µ<Ó�µ�¾cÏ1ùÊÄ^ÅܶÝÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö ÒÕ¾cu¾�»qÆ4¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼L½EÆ4¾;½-·�ÒÞ¹�·3Å+Ùc·�¾;Ï!Æ9·�Ù)ã�¾4Ò^ë�Å1µ�·3ìuÍ)Ù�Æ4íîÛµ<Óy´¶Íc·�²�Ä^Å�óÕíúÀStep5 uu®�¯?°w±*² Ö Í2Ä!×ØÚ?¾�·3¾2¼Lñؾ Ö ã�·3µtÍ2´�ÀÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö ÒÕ¾cu¾�»qÆ4¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼L½EÆ4¾;ñؾ4²3Ð Ç!¸âÆÑÐ Â�Ö Ò;Ð ã-×�Ï4Å4·3¾4Ò Ö Ä^Å2×ØÀ�Ò¹�·�Å1Ùc·�¾;Ï!Æ2·3Ù2ãؾ-Ò^ëNÅ+µ�·�ìuÍ2Ù%Æ9Ä^·�ÛLÒ ÁûÖ ÄJÅpÆ+ËL¸xËEÌ ¹c¾;´¿Ï+ü5Æ+¹�ÄÕ¹�»*¹NÛܶÝÁà·3Ä^Å�Æ9ÇÉÈʸxËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç%¸yÒ Â ËÊÍ2´ÔÓÕÆÑÐ Â�Ö�ê ÒÕ¾cu¾�»EÆ-¾;ÄJÅc×�Ò�×ؾ;´¿Ï+¼É½qÆ)´¿Í)´¶¾-ÒA¹�·3Å+Ùc·�¾;ÏEÆ9·�Ù)ã�¾LÛLÒÁÃÖ ÄJÅpÆ+ËL¸xËEÌ ¹c¾;´¿Ï+ü5Æ+¹�ÄÕ¹�»*¹ ê Û
Fig.3. Executionrules
4 The ExtendedRussianDolls Model
TheRCFfunctionality is introducedin thebasicRussiandolls modelin orderto formalizeprotocolinteractionsandfor statingandproving certainpropertiesthatensuresafeprotocolcomposition.Basically, specializedprocessingofmessagesarehandledby theRCFbeforethey reachthe
a Mi� . TheRCFis aninstanceof classz CE�EM b4l ��ý m andhasan
attributeacb-d7e
whosevalueis aconfigurationcontaining:(i) acommunicationmanagermetaactor þ of classCqB {�� Cthatcoordinatesmessageprocessing,and(ii) asetof messenguermetaactorsÿ of classBh� {�� C thatcontrolsmessagesemanticsfor their baseactors.Thus,theRCFhastheform
����Y > � � @ (SLZ ]�� � F Y�Z D > ������ @ � � � @ "#"#" �x���1� � � � � @ "#"#" �xSLY�Z D > �We expandthecommunicationmanagerto encapsulateandcontrola setof availablecommunicationprotocols
�of classC�pC andapoolof messagecoordinatorsactors of classBhCqC , soit cancoordinatemessageprocessinginthenode.
6
Communication Manager: A metaobjectof classCqB {�� C hasattributes� d ,b �� , a |�C b-d7e ,
a2b-d7e. Thevaluesof
� d andb ��� arelists of incomingandoutgoingmessagesof theform � � M�� {�� � , representingprocessedmessages.The
valueofa |&C b-d7e is themetarepresentationof thecommunicationprotocolscurrentlyloaded;while thevalueof
acb-d7eis a configurationcontainingmessagecoordinatorsandcommunicationprotocols.
����� @ � � � @ = D � = SL� � P7Z � <� Z�SL� � P(Y�� @ Z D > � � Y��)��PUY�Z D > ��� c� � @7@ "#"#" �WPW����� @��(@ "#"#" �7P�SLY�Z D > �
MessageCoordinator: A metaobjectof class BhCqC hasattributes Mn���3ý�� , M^| � , M � �)� , Mi�?| ,b-�4l
, �)�,� {Øm , ��|¶� d .Thevalueof Mi����ý�� is a list of incomingmessagesof theform ��� � M�� {�� � � d(l*�4� ��Mn�)|&� � � M��9ý<� representingtherequesttoprocessmessageM�� { sentby baseactor � d(l*� andmessageannotationmap ��Mn�9| with thecommunicationprotocolsspecifiedin � Mn�9ý . Thevaluesof MJ| � , M � �)� and Mi�?| aremetarepresentationsof themasterprerequisites,restrictionsandinteractionparameters(respectively) of thecommunicationprotocolsspecifiedin � M��9ý ; while thevalueof
b-�-l ý isthemetarepresentationof thecompositionorderthatneedsto beobeyedto ensurecorrectcompositionof communi-cationprotocols.
�� c� � @7@ SL� = ��� � SL� � P��2��� �2� � �3 3PU���3 <� ���3 � �3 3P = �9� = � � �3 3PWZ�� ] � Z�� ] � P�3 �� �cF � �cY��3 �� �cF P��<� = D � > � � � F �
Communication Protocol: A metaobjectof class C�pC hasattributes � d(l � , �4a j�� , | � , � �)� , �\| , �)�,��� m4e ��ý<ý . Thevalueof � d(l � is a list of outgoingmessagesof theform � � Mn� { � � , representinga processedmessageto bereturnedtothecorresponding that requestedtheservice;whereasthevalueof
�-a j�� is a list of incomingmessagesof the form� � Mn� {&� �#� d(l1�4� �*Mn�9|�� representingthearrival of messageM�� { to beprocessedby theprotocol.Thevaluesof | � , � �)�and �?| aremetarepresentationsof theprotocolprerequisites,restrictionsandinteractionparametersrespectively.
����� @��(@ � D1] � � Z�Su� � PU��Y � � � = SL� � P��2��� �2� � �3 3PU���3 <� ���3 � �3 3P = �)� = � � �3 3PW�3 ��� F > � ��� � > � � � F �
Messenger:A metaobjectof classBh� {�� hasattributes�*| ,l ~ d , ý��Ø�)��Mn� { � l , ý<���)��M��9ý , M�� {�a ý<�Ø�9� . Thevaluesof
�*| andl ~ d arelistsof incomingandoutgoingmessagesof theform � � Mn� {&� �#� d(l*�4� ��Mn�9|�� , representingraw messages.
Thevaluesof ý��Ø�)��M�� { � l and ý��Ø�)��Mn�9ý aremetarepresentationsof themessageidentificationandmessageservicelistrespectively.
���1� � � � � @ � �)� ��Z�SL� � P ]�GUD � � = SL� � P � �c�3 tSL� � = ] � � SL� � = ] P � �c�� tSu� � � � SL� � �
Beforegiving a concreteillustrationof themodel,we needto formalizetheenqueingof a message,we definetheenqueingrelation
� ��� m9d7� � m � ��+� Mn� , � � is anenqueingof messageM onto��
by� ��� m9d7� � m � ��+� M�� { � ��� ���� �! ���"u� � for somesequence
� �$# M .
MessageArri val
Let usbriefly describethesystembehavior duringan incomingmessagewhentheRCFmoduleis both inactive andactive. A messagearrival eventhasthe form � �-� ��j m � � � �^KÉM�� � �#� d(l1�4� ��Mi�9|�� indicatingthearrival of messageM forbaseactor � , sentby � d(l*� and having annotations�*Mn�9| . On the other side,a messagesendevent hasthe form� m)d(l � � � �NK�Mn� � �#� d(l1�4� �*Mn�9|�� indicatingthatamessageM having annotations�*Mn�9| is goingto besentto � by � d(l*� 1.
Figure4showsthecommunicationrulesthatneedto beappliedwhenamessageof theforma Mi�LKN� �9� �3j m � � M�� {�� � � d(l*�4� ��Mn�)|&�
arrivesto the node.Sincethe RCF is not active by default, the messageis queuedfor laterprocessinginto thea Mn�
mail queue(step1). Beforethea Mi� candeliver a message,it needsto notify all metaactorsregisteredfor message
arrival (step2) andwaitsfor theacknowledgementof all notifiedmetaactors(step3). Finally, it deliversthemessageto the
` ��Mi� , which will deliver the messageto the target actor(step4). The completesemanticsof messagearrivalusingtheRCFis describedin theAppendixA.
1 wekeepmessageannotationsat themetalevel. In caseof baseactorannotations,welet themetaactorsmaintaintheminternally.Thus,annotationsaremodifiedthroughthemetalevel
7
Step1 u&%�°w±*²�Å+Ù2Ù)µt½+¾('9ÀÁÃÖ ÄJÅpÆ+ËL¸xËEÌ Å1Ù2Ù2µ�½+¾cü5Æ-Å+ÄÕ¹�»*¹NÛLÒ Ö Ä^ÅÊ÷ Å+Ù)Ù2µt½+¾4²3Ð ÄÞ¹�»ØÒ�Ð ¹�´¶Ï4Ù2Ò�Å+ÄJÅc׿ÀܶÝÁÃÖ ÄJÅpÆ+ËL¸xËEÌ Å1Ù2Ù2µ�½+¾cü5Æ-Å+ÄÕ¹�»*¹*)ʲ3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+Ä^Å2×ØÀWÛStep2 u&%�°w±*²�¹�·�Å1Ùc·,+�Ù)Ù2µt½4Å1Ú�ÀÁÃÖ ÄJÅpÆ+ËL¸xËEÌ Å1Ù2Ù2µ�½+¾cü5Æ-Å+ÄÕ¹�»*¹*)ʲ3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+Ä^Å2×ØÀ�ÒJ¾cu¾�»qÆ-¾cÄ^Åc×�Ò�×ؾ;´¶Ï1¸x¹�»qÆ9´¿Í2´¶¾�ÛܶÝÁÃÖ ÄJÅpÆ+ËL¸xËEÌ Å1Ù2Ù2µ�½+¾cü5Æ-Å+ÄÕ¹�»*¹9ÒÉ×ؾ;´¿Ï1¸º¹�»qÆÑÐ ÄÕ¹�»ØÒ^ëNÅ+µ�·�ìuÍ2Ù%Æ4í ÛLÒJ´¿Íc·3µ<Ó�ï+Å1Ú?Ú�²�íiÒ,¾;½+¾;´¿·�Àµ<Óx¾c½+¾;´Ø· ÜLÜ Å+Ù)Ù2µt½+¾4²3Ð ÄÞ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+ÄJÅc׿ÀqÅ+´¿ÏÎí ÜLÜ Åc×-×ØÚ\￲t¾;ÄJÅc×�Ò<¾;½+¾;´Ø·,ÀStep3 u %�°w± ² Ö Í)´Ø·�µ�´¿ãؾ-+�Ù)Ù2µt½4Å*Ú?ÀÁÃÖ ÄJÅpÆ+ËL¸xËEÌ Å1Ù2Ù2µ�½+¾cü5Æ-Å+ÄÕ¹�»*¹9ÒÉ×ؾ;´¿Ï1¸º¹�»qÆÑÐ ÄÕ¹�»ØÒ^ëNÅ+µ�·�ìuÍ2Ù%Æ4íºÄJÅEÛLÒ Ö ÄJÅ�÷ø´¿Í2·�µ�Ó�µ�¾;Ïز�ÄJÅ*ÀܶÝÁÃÖ ÄJÅpÆ+ËL¸xËEÌ Å1Ù2Ù2µ�½+¾cü5Æ-Å+ÄÕ¹�»*¹9ÒÉ×ؾ;´¿Ï1¸º¹�»qÆÑÐ ÄÕ¹�»ØÒ^ëNÅ+µ�·�ìuÍ2Ù%Æ4í Ûµ<Óò²�ÄJÅ/.óÕíúÀStep4 u %�°w± ² Ö Í)Ä%×ØÚ?¾�·�¾-+�Ù)Ù2µt½4Å*Ú?ÀÁÃÖ ÄJÅpÆ+ËL¸xËEÌ Å1Ù2Ù2µ�½+¾cü5Æ-Å+ÄÕ¹�»*¹9ÒÉ×ؾ;´¿Ï1¸º¹�»qÆÑÐ ÄÕ¹�»ØÒ^ëNÅ+µ�·�ìuÍ2Ù%Æ9Ä^·wÛLÒÁàÄJÅpÆ4Ç%¸ºËEÌ Â ¸yÍ2Ï�ÆÑÐ Ç%¸yÒ Â ËÊÍ)´ÔÓÞÆÑÐ Â�Ö Ò!×ؾ;´¶Ï1¸x¹�»qÆ-´¿Í2´Ô¾ÉÛܶÝÁÃÖ ÄJÅpÆ+ËL¸xËEÌ ×ؾ;´¶Ï1¸x¹�»pÆ9´¿Í2´Ô¾ÉÛLÒ Á  Ä^Å�Æ9Ç!¸xËEÌ Â ¸ÎÍ)ÏpÆÑÐ Ç!¸ÎÒ Â ËÊÍ2´ÔÓAÆ)Ï+¾cÚ\µt½+¾cÙ1²3Ð Ç!¸ÎÒ�Ð Â�Ö Ò�Ð ÄÕ¹�»*ÀwÛ
Fig.4. Messagearrival rules
5 Towards AdaptiveCommunication
In order to respondto suddenchangesin the communicationenvironmentwithout disruptingthe application,thecommunicationframework mustcontinuouslymonitorthenetwork environmentandadjust,replaceor composecom-municationprotocolsaccordingly. However, specificsof a communicationprotocolrestrict the adjustmentsthat canbemadeto theprotocolitself andmayposeconditions(on thesystemenvironment)thatpreventor constrainits com-binationor concurrentexecutionwith otherprotocols.Whentwo or morecommunicationprotocolsarecomposedinorderto obtaintheircombinedbenefitstheirguarantees(desirableproperties)arenotalwayspreserved.Preservationofprotocolguaranteesmaycrucially dependon thecompositionorderandtheir interactionparameters,which constraincommunicationprotocolbehaviors to achievetheir safecomposition.Check if safecompo-
sitionhasbeendefinedin theintro
Mostof thework on composablecommunication[27][19][20][2] hasfocusedon mechanismsto providedynamicprotocolcomposition.Much lesswork hasbeendoneto develop the underlyingsemanticsthatenablesus to reasonabouttheformalpropertiesof suchcompositionor to identify underwhatconditionsagivenprotocolimplementationsuceedsandhow (if at all) parameterscanchangeits performance.
5.1 CaseStudy: SecureDelivery in Hot-spots
Currentsecurityprotocolsareimplementedasa single(ordered)sequenceof messagesbetweenparticipantswithoutchoicepoints(ifs) or loops.In fact, they assumereliabletransferbetweenstaticend-pointsandstall all communica-tion (at theapplicationlevel) while theend-pointsareauthenticatedanda virtual secureconnectionis established(orre-established)betweenthem(i.e. theuseris watchinganhour-glasscursorall this time). As we briefly discussedinSection1, hot-spotsarecharacterizedby suddennetwork changesandmobileend-pointsthatconnectanddisconnectfrequently. In thisscenario,anestablishedmobile-to-mobileend-pointsessionmaycrosscutseveralnetwork domains,eachoneof themwith possibledifferentsecuritylevels andnetwork characteristics,andsessionrefreshmay be re-quired frequently. Thus, insteadof freezingall communicationevery time a refreshis triggered,we would like toexecutesessionrefresh(in thebackground)while (appliationlevel) communicationis in progress.For example,Let usconsiderthepopularSSL/TLSprotocol[4] asour secureprotocol.Here,we useRSA to authenticatebothend-points(the original motivation for SSL andstill by far its mostcommonuse).We recall thatRSA usesnonces2, a random
2 It is assumedthatthesenumbersaregeneratedin sucha way thatthey cannotbeguessed
8
numberthat is usedin a singleexecutionof the protocol,andpublic key cryptography. i.e. eachobjectpossessesapublic key which canbeaccessedby all objectsanda secretkey, which is requiredto decryptany messageencryptedwith its publickey. In orderto avoid freezingapplicationlevel communicationwhile thekey refreshis in progress,wemakea distinctionbetweenaconnectionandasession.A connectionrepresentsonespecificcommunicationchannel;while a sessionis avirtual contructrepresentingthenegotiatedalgorithmandthe Mn��)� m)�10 � m-a;�4m � usedto createthesecretkey. Then,we allow multiple connectionsto beassociatedto a givensessionandwe switchconnectionswhenthe new connectionis ready3. As a result,we candivide the executionof the combinedprotocolsin four phasesasfollows(seefigure5):
Sessionsetup: A securecommunicationchannelis createdby authenticatingboth the initiator 2 andtheresponderI andby establishingthekeying material(sharedsecretandparticipants’randomvalues)requiredto generateasecretkey4, which is usedto protectfurtherapplicationtraffic asfollows:
1. 2 createsa noncek32 , addsits addressasanidentifierandencryptsthis informationwith I ’s public key of�54ûI andsendsmessageB76 to I
2. Uponreceiving B76 , I decryptsthemessageusingits privatekey 894 I , createsanew noncekÃI , generatesa new sessionidentifier �)� l andchoosea ciphersuite,which determinestheencryptionalgorithmto beusedandsendsmessageB;: backto 2 , with a concatenationof both nonces,the sessionidentifier �)� l and thechipersuite
a �?|�< m9� encryptedwith 2 ’s publickey �54=23. 2 receives B;: anddecryptsit. In casethecontentsof B;: is theconcatenationof his own nonce( k32 ) plus
anothernonce( kÃI ), 2 generatesa | �4m>0 Mn���)� m9� secretandsendsit with the separatednonce kÃI to Iaspart of messageB@? . 2 usesthe | �-mA0 Mn�Ø�2� m9� secretin orderto generatethe secretkey 8B4 m9¬ usedtoactuallyencrypt/decryptfurther(application)traffic belongingto this session
4. Upon B@? reception,I decryptsit andusesthe | �4m$0 Mi�Ø�)� m9� secretto generatethesecretkey 8B4 m)¬Sessionestablished: Once B@? hasbeenreceived,thesessionis formally establishedandany furthercommunication
sentor receivedis encrypted/decryptedusingthesecretkeySessionrefresh: If oneof theparticipantssuspectseavesdroping,asessionrefreshmayberequested.Refreshreplaces
(partof) thesharedsecretusedto generatethesecretkey. In orderto avoid freezingapplicationlevel communica-tion while thekey refreshis in progress,wemakeadistinctionbetweenaconnectionandasession.A connectionrepresentsonespecificcommunicationchannel;while a sessionis a virtual contructrepresentingthenegotiatedalgorithm and the Mn���)� m9�C0 � m9ac�-m � usedto createthe secretkey. Then,we allow multiple connectionsto beassociatedto a givensessionandwe switchconnectionswhenthenew connectionis ready5:
1. 2 requestsasessionrefreshby sendingamessageBED with thecurrentsessionidentifier �)� l andanew noncek32 asparametersof therefreshrequest.D is encryptedusing 894 m9¬ andit is sentto I
2. Upon receiving BED , I decryptsthe messageandacceptsthe requestby generatinga new nonce kÃI andsendinga messageB;F back to 2 . B;F encapsulatesthe sessionidentifier and the concatenationof bothnoncesandit is encryptedby 8B4 m9¬
3. In casethecontentsof thereceivedanddecryptedB;F aretheconcatenationof 2 ’s nonce( k32 ) plusanothernonce( kÃI ) andthesessionidentifiercorrespondto thecurrentin progress,2 generatesa
d(m ~ 0 | �4m�0 Mn���)� m9�secretandsendsit with theseparatednoncekÃI andsessionidentifier �)� l to I asmessageB@G . Then,2 usesthe
d(m ~ 0 | �4m�0 Mn�Ø�)� m)� secretto generatea new secretkeyd(m ~�8B4 m9¬
4. When I receives B@G anddecryptsit, I usesthed(m ~ 0 | �4mH0 Mn�Ø�)� m)� secretto generatethenew secretkeyd(m ~�8B4 m9¬ andsendsbackan acknowledgementmessageBJI to 2 , with the sessionidentifier �2� l andthe
finishedkeyword, indicatingthatall furthercommunicationis processedusingthenew key5. Upon receiving BJI , 2 uses
d(m ~�894 m9¬ to processpreviously queued(applicationlevel) messagesandthekey refreshis terminated
Sessionteardown: When a securecommunicationis not longer desiredor needed,a teardown sessionrequestisgeneratedby oneof theparticipants,theconnectionis removed
3 Althoughall connectionsin a givensessionsharethesameÄJÅ*¹�·�¾;ÙLK�¹;¾ Ö Ù)¾�· , eachoneof themhasit own encryptionkeys.4 Thekey doesnotnecessarilyneedto bea symmetrickey5 Althoughall connectionsin a givensessionsharethesameÄJÅ*¹�·�¾;ÙLK�¹;¾ Ö Ù)¾�· , eachoneof themhasit own encryptionkeys.
9
Fig.5. Protocolsequencediagram.
Specifyingthe Protocolsin Our Model
Althoughbothprotocolsexecutecorrectlyin isolation,itis necesaryto ensurethatthey donot interactin harmfulwayswhenthey arecombinedandexecutedconcurrently. In orderto achievethis,weusetheextendedRussiandollsmodelto specify the combinedprotocolsas follows: We definethe class 2 {�m9d � asa genericclassandclassesM d ��������� b-�and
zEm ��| b-d(l*m9� asits subclasses,onefor eachpossiblerole of the protocol. 2 {Øm)d � have attributes � m-a 4 m9¬ , �)�,� {Øm ,m-acb M ,acb � d � m9� , � m �-�)� b-d ,
a �?|�< m)� �)����� m , �ON m9¬ , �-� m � m . Thevaluesof � m9a 4 m9¬ and �PN m)¬ aretheprivateandsecretkeys,a �?|�< m9� �)���3� m storesall the information regardingthe algorithm selected;whilem-acb M storesthe information about
the establishedcommunication.�2� l is the sessionidentifier, �)�,� {�m keepstrack of the protocol executionstage,soparticipantsknow whatmessagethey shouldexpect,and
acb � d � m9� is asequencenumber, usedto generatenonces.Thevalueof �-� m � m is a list of incomingmessagesof the form Mn� { representingthe requestto processmessageMn� { .M d �3������� b-� and
z!m ��| b-d(l�m9� have two privateattributes`;b+` M l and 2�ý�� a2m M l respectively.
`;b+` M l storestheidentifiersoftheintended
zEm ��| b-d(l�m9� ; while 2�ý�� acm M l storestheidentifierof the intended� d �3���3��� b-� . As a secondstep,we specifytheexecutionin rewriting rules,onefor eachmessageexchangedbetweenparticipants(seeFigures6-8).Finally, weintegratethemin to the extendedRussiandolls modelas follows (the completesetof rules requiredaredescribedin the AppendixB). Let us assumethatagent2 wishesto communicatewith agent I in a securemanner. When 2sendsmessageMQ6 to I , M=6 is interceptedby its correspondingmessengerBh� {�� � 2!� , who requests(on 2 ’s behalf)asecureconnectionby to its localcommunicationmanagerC!M {�� � 2!� . C!M {�� � 2%� in turnselectsamessagecoordinatorto handletherequestandinteractwith theprotocols(describedabove).Oncebothprotocolshave beenauthenticatedana securesessionhasbeenestablished,M=6 canbeencryptedandsendit securelyto throughthenetwork.
5.2 Reasoningabout SafeComposition
Isolatedprotocol properties,suchas confidentiality, data integrity, authenticationor secrecy of sessionskeys, areworthyof studyandhavebeenexpressedandprovedelsewhere.However, protocolspecificationandreasoningshould
10
Step1 uu¯SRUTc²�¹�·3Å+Ùc·�Êã�´ÔÀÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ-ÇqÒ�¹�·3Å4»1¾uÆZY+Ò,¾ Ö Í2Ä Æ-´¿Í2´Ô¾-Ò Ö Í)ã�´¿·3¾;Ù!Æ\[*Ò�¹;¾2¹c¹;µtÍ2´[Æ)´¿Í)´¶¾-ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ9´¿Í)´¶¾-Ò�¹;ô*¾;ïpÆ-´¿Í2´Ô¾-Ò,'2ãؾ;ãؾLÆ-´¿Í2´Ô¾ÉÛܶÝÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ-ÇqÒ�¹�·3Å4»1¾uÆ�])Ò,¾ Ö Í2Ä Æ-´¿Í2´Ô¾-Ò Ö Í)ã�´¿·3¾;Ù!Æ\[5^_]9Ò�¹;¾2¹c¹;µtÍ2´�Æ)´¿Í)´¶¾-ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ9´¿Í)´¶¾-Ò�¹;ô*¾;ïpÆ-´¿Í2´Ô¾-Ò,'2ãؾ;ãؾLÆ-´¿Í2´Ô¾ÉÛLÒÇ ÷N¸`]9²t¾c´ Ö Ù)ïc×�·�²�²�´¶Í2´ Ö ¾4²a+�Òb[�À�Òc+uÀ�Ò\×�ã ÂdV ¾c￲tÇ%À�À�ÀStep2 uu¯SRUTc²�´¿Í)´ Ö ¾-e Ö ð�Å+´Ø»1¾2ÀÁ ÇàÆ-u¾2¹3×�Í2´¿Ï+¾cÙ*Ì ¹;¾ ÖdV ¾;ïpÆOW V ÇpÒ,Å1Ú\µ Ö ¾c³4ÏEÆ9´¿Í)´¶¾-Ò�¹�·3Å4»1¾ÊÆZY+Ò,¾ Ö Í2Ä Æ-´¿Í2´Ô¾-Ò Ö Í)ã�´Ø·3¾cÙ�Æ V Ò�¹;¾2¹c¹;µtÍ2´[Æ9´¿Í)´¶¾-ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ9´¿Í)´¶¾-Ò�¹;ô*¾;ïpÆ-´¿Í2´Ô¾-Ò,'2ãؾ;ãؾLÆ+¸f]-²t¾;´ Ö Ù2ïc×�·�²�²agC+ÉÒ,+ÊÀ�Òbh V Ç!ÀwÛܶÝÁ ÇàÆ-u¾2¹3×�Í2´¿Ï+¾cÙ*Ì ¹;¾ ÖdV ¾;ïpÆOW V ÇpÒ,Å1Ú\µ Ö ¾c³4ÏEÆO+�Ò�¹�·�Å+»1¾ÊÆi]9Ò,¾ Ö Í)Ä Æ9´¿Í)´¶¾-Ò Ö Í2ã�´Ø·�¾;Ù%Æ V ^_]9Ò�¹;¾2¹c¹�µ�Í2´AÆ+¹�µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆ-´¿Í2´Ô¾-Ò,'2ãؾ;ãؾLÆ-´¿Í2´Ô¾ÉÛLÒ+ ÷ ¸kj+²t¾;´ Ö Ù)ïc×�·�²�²�²agC+�Ò�´¿Í)´ Ö ¾4²tÇqÒ V À�À�Ò,´¶¾;ëlW&µtÏزa+�Ò V À�Ò Ö µÑ×Øð�¾;Ù9À�Ò�×�ã ÂdV ¾c￲a+ÊÀ�À�À�µ�Ó�²tô1¾;ï\huÅ1µtÙ1²�W V ÇpÒmh V Ç!À�Å+´¿Ïز�¹�µtÏ Ü´¶¾;ë&WUµtÏزa+ÉÒ V À�À�ÀStep3 uu¯SRUTc²�´¿Í)´ Ö ¾n+ Ö ô*ÀÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ-ÇqÒ�¹�·3Å4»1¾uÆ�])Ò,¾ Ö Í2Ä Æ-´¿Í2´Ô¾-Ò Ö Í)ã�´¿·3¾;Ù!Æ\[5^_]9Ò�¹;¾2¹c¹;µtÍ2´�Æ)´¿Í)´¶¾-ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ9´¿Í)´¶¾-Ò�¹;ô*¾;ïpÆ-´¿Í2´Ô¾-Ò,'2ãؾ;ãؾLÆ+¸oj1²t¾;´ Ö Ù2ïc×�·�²�²�²agC+ÉÒ,gÞÇ%À�Ò�¹�µtÏ�Ò Ö µÑ×Øð�¾cÙ9À�Òbh V +ÊÀ�À�ÛܶÝÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ-ÇqÒ�¹�·3Å4»1¾uÆXj4Ò,¾ Ö Í2Ä Æ4ÇqÒ Ö Í2ã�´Ø·�¾;Ù�Æ\[5^=j4Ò�¹;¾)¹c¹�µtÍ)´AÆ+¹�µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXWUô1¾cïØÒm')ãؾ;ãؾLÆ-´¿Í2´¶¾�ÛLÒÇ ÷N¸op1²t¾c´ Ö Ù)ïc×�·�²�²agÞÇpÒ�¹�µ�Ï�Ò?×�Ù9¾BK�ÄJÅ*¹�·�¾;Ù-À�Ò ×�ã ÂdV ¾;ﶲtÇ%À�À�Àµ<Ó�²tô1¾;ïihuÅ+µtÙ1²�W V +ÉÒ,h V +ÊÀ�Å1´¿ÏزagC+ ÜLÜ ´¿Í)´ Ö ¾4²a+ÉÒq[�À�À�Å+´¿Ïز�¹;µtÏ Ü ´¶¾;ëlW&µtÏزa+�Ò V À�À�Å+´¿Ïز�WUô*¾;ï Ü ÄJÅ1ô1¾ V ¾;￲#×�Ù)¾3KÄ^Å*¹�·3¾;Ù)Ò�gC+�ÒcgJÇ!À�À�ÀStep4 u ¯SRUT ²a+Nã*·�ð�¾;´Ø·3µ Ö Å4·3¾cÏ1ÀÁ ÇàÆ-u¾2¹3×�Í2´¿Ï+¾cÙ*Ì ¹;¾ ÖdV ¾;ïpÆOW V ÇpÒ,Å1Ú\µ Ö ¾c³4ÏEÆO+�Ò�¹�·�Å+»1¾ÊÆi]9Ò,¾ Ö Í)Ä Æ9´¿Í)´¶¾-Ò Ö Í2ã�´Ø·�¾;Ù%Æ V ^_]9Ò�¹;¾2¹c¹�µ�Í2´AÆ+¹�µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆ-´¿Í2´Ô¾-Ò,'2ãؾ;ãؾLÆ+¸rp*²t¾;´ Ö Ù2ïc×�·�²�²agÞÇqÒ�¹�µtÏ�Ò�×�Ù)¾9K[Ä^Å�¹�·3¾cÙ9À�Ò,h V Ç%À�ÀwÛܶÝÁ ÇàÆ-u¾2¹3×�Í2´¿Ï+¾cÙ*Ì ¹;¾ ÖdV ¾;ïpÆOW V ÇpÒ,Å1Ú\µ Ö ¾c³4ÏEÆO+�Ò�¹�·�Å+»1¾ÊÆZj+Ò,¾ Ö Í)Ä ÆO+�Ò Ö Í)ã�´¿·3¾;Ù%Æ V ^sj+Ò�¹;¾2¹2¹�µtÍ2´[Æ4¹;µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXWUô1¾cïØÒm')ãؾ;ãؾLÆ-´¿Í2´¶¾�ÛLÒµ<Ó�²tô1¾;ïihuÅ+µtÙ1²�W V ÇqÒ,h V Ç%À�Å+´¿ÏزagÞÇ ÜLÜ ´¶Í2´ Ö ¾4²tÇqÒ V À�À�Å1´¿Ïز�¹�µtÏ Ü ´¶¾;ëlW&µtÏزa+�Ò V À�À�Å+´¿Ïز�WUô*¾;ï Ü Ä^Å1ô*¾ V ¾;￲#×�Ù9¾tKÄ^Å*¹�·3¾;Ù)Ò�gC+�ÒcgJÇ!À�À�À
Fig.6. Sessionsetupandsessionestablichedrules
concernnot only theseintrinsic propertiesbut alsotheir interactionwith otherprotocols(afterall, protocolsarepartof a largersystem)andhow farcantheassumptionsberelaxedwithout compromisingprotocolcorrectness.
e.g. Rekey andrefreshprotocolsblockcommunicationattheapplicationlayerin ordertoensuresafekey generationandexchange.Inthisparticularscenario,safemeansthatnoapplicationlevelmessagesarefloatingin thenetworkwhenthekey is generatedor exchanged,ensuringthatevery messagesendwith theold key will bereceivedanddecryptedbeforekeys areswitched.Allowing messagesto besendandreceive while therefreshprotocolis in progress,requireus to definea synchronizationpoint wherekeys canbeswitched(evenif they aremessagesfloating in thenetwork).This impliesawayto identify andkeeptrackof everymessage,somessagessentbut notreceivedbeforethekeyswereswitchedcanbeproperlyretransmittedusigthenew key. As a resultof removing thesynchronization
Sincemessagesmaybefloatingin thenetwork whentheswitchtookplace,old messagesmayarriveafterthekeyshave beenswitched,andwill bediscardedascorruptmessages(sincethereis no way to decryptthemandthey havebeenretransmittedusingthenew key). Weuseourmodelasa framework for statingandproving thefollowing (safetyandliveness)properties:
1. RefreshIdempotency: Thereis only onesessionrefreshin progressbetweenparticipantsat any point of time.2. No MessageLossdueto SessionRefresh:All (base-level) messagessentwhile thesessionrefreshis in progress
areeventuallydeliveredto theapplication.3. No MessageDuplication:No duplicatedmessageis deliveredto theapplication.
11
Step5 uu¯SRUTc²tu¾2Ó�Ù)¾)¹;ð�ʾ-'9ÀÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ-ÇqÒ�¹�·3Å4»1¾uÆXj4Ò,¾ Ö Í2Ä Æ4ÇqÒ Ö Í2ã�´Ø·�¾;Ù�ÆZh�Ò�¹;¾2¹2¹�µtÍ2´[Æ4¹;µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXWUô1¾cïØÒm')ãؾ;ãؾLÆ-´¿Í2´¶¾�ÛܶÝÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ-ÇqÒ�¹�·3Å4»1¾uÆZp+Ò,¾ Ö Í2Ä Æ4ÇqÒ Ö Í2ã�´Ø·�¾;Ù�ÆZh=^_])Ò�¹;¾)¹c¹�µtÍ)´AÆ+¹�µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXWUô1¾cïØÒm')ãؾ;ãؾLÆ-´¿Í2´¶¾�ÛLÒÇ ÷N¸ru*²t¾c´ Ö Ù)ïc×�·�²�²�´¶Í2´ Ö ¾4²a+�ÒvhÉÀ�Òb+�Ò�¹�µ�Ï1À�ÒbW(ô1¾;ï*À�ÀStep6 uu¯SRUTc²tu¾2Ó�Ù)¾)¹;ð�+ Ö�Ö ¾,×*·�¾;Ï1ÀÁ ÇàÆ-u¾2¹3×�Í2´¿Ï+¾cÙ*Ì ¹;¾ ÖdV ¾;ïpÆOW V ÇpÒ,Å1Ú\µ Ö ¾c³4ÏEÆO+�Ò�¹�·�Å+»1¾ÊÆZj+Ò,¾ Ö Í)Ä ÆO+�Ò Ö Í)ã�´¿·3¾;Ù%Æ4üEÒ�¹;¾2¹c¹�µ�Í2´AÆ+¹�µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXWUô1¾cïØÒm')ãؾ;ãؾLÆ+¸wu�²t¾;´ Ö Ù2ïc×�·�²agx+�Ò,+ÉÒ�¹�µtÏ1À�ÒcWUô*¾;ï*ÀwÛܶÝÁ ÇàÆ-u¾2¹3×�Í2´¿Ï+¾cÙ*Ì ¹;¾ ÖdV ¾;ïpÆOW V ÇpÒ,Å1Ú\µ Ö ¾c³4ÏEÆO+�Ò�¹�·�Å+»1¾ÊÆOp1Ò,¾ Ö Í)Ä ÆO+�Ò Ö Í)ã�´¿·3¾;Ù%Æ4üQ^Q]9Ò�¹;¾2¹2¹�µtÍ2´[Æ4¹;µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXWUô1¾cïØÒm')ãؾ;ãؾLÆ-´¿Í2´¶¾�ÛLÒ+�÷�¸ky+²t¾c´ Ö Ù)ïc×�·�²�²agC+�Ò�´¿Í2´ Ö ¾4²tÇpÒ�ü%À�Ò,¹;µtÏ1À�ÒcW V ¾;ï*À�Àµ<Ó�²�²a+ ÜLÜ Å1Ú\µ Ö ¾c³4Ï1À�Å+´¿Ïز�¹�µtÏ ÜLÜ »1¾�·,WUµtÏز�Ï+¾ Ö Ù2ïc×�·�²�¸wu*ÒvW V ¾;ï�À�À�À�ÀStep7 uu¯SRUTc²�´¶¾;ë V ¾;ï*ÀÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ-ÇqÒ�¹�·3Å4»1¾uÆZp+Ò,¾ Ö Í2Ä Æ4ÇqÒ Ö Í2ã�´Ø·�¾;Ù�ÆZh=^_])Ò�¹;¾)¹c¹�µtÍ)´AÆ+¹�µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXWUô1¾cïØÒm')ãؾ;ãؾLÆ+¸oy1²t¾;´ Ö Ù2ïc×�·�²�²agx+�Ò,gJÇpÒ�¹�µtÏ1À�ÒcW V ¾;ï�À�ÀWÛܶÝÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ-ÇqÒ�¹�·3Å4»1¾uÆOu1Ò,¾ Ö Í2Ä Æ4ÇqÒ Ö Í2ã�´Ø·�¾;Ù�ÆZh=^sj4Ò�¹;¾)¹c¹�µtÍ)´AÆ+¹�µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆ-´¶¾;ëlWUô1¾;ï¿Òm')ã�¾cã�¾ÉÆ9´¶Í2´¶¾�ÛLÒÇ ÷N¸oz1²t¾c´ Ö Ù)ïc×�·�²�²agÞÇpÒ�¹�µ�Ï�Ò3´Ô¾;ëQK^×�Ù)¾9K�ÄJÅ*¹�·�¾;Ù9À�Ò,W V ¾;ï*À�Àµ<Ó�²�²agC+ ÜLÜ ´¿Í2´ Ö ¾4²a+�ÒbhÉÀ�À�Å+´¿Ïز�¹�µtÏ ÜLÜ »1¾�·,WUµtÏز�Ï+¾ Ö Ù2ïc×�·�²�¸oy+ÒvW V ¾;ï�À�À�À�ÀStep8 u ¯SRUT ²tìuµt´¿µ�¹;ð�¾;Ï1ÀÇ5Æ4ʾ)¹3×�Í2´¿Ï+¾;Ù�Ì ¹;¾ Ö�V ¾;ïEÆXW V ÇqÒ,Å*Ú µ Ö ¾;³4ÏEÆZ+�Ò,¹�·�Å4»1¾ÊÆZp1Ò�¾ Ö Í)Ä ÆZ+�Ò Ö Í2ã�´Ø·�¾;Ù%Æ-ü_^Q]9Ò�¹;¾2¹c¹;µtÍ2´[Æ4¹�µ�Ï�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXWUô1¾cïØÒm')ãؾ;ãؾLÆ+¸rz*²t¾;´ Ö Ù2ïc×�·�²�²agJÇpÒ�¹�µtÏ�Ò�´¶¾;ëQK�×�Ù)¾LK[ÄJÅ*¹�·�¾;Ù9À�ÒbW V ¾;ï�À�ÀWÛܶÝÁ ÇàÆ-u¾2¹3×�Í2´¿Ï+¾cÙ*Ì ¹;¾ ÖdV ¾;ïpÆOW V ÇpÒ,Å1Ú\µ Ö ¾c³4ÏEÆO+�Ò�¹�·�Å+»1¾ÊÆPu*Ò,¾ Ö Í)Ä ÆO+�Ò Ö Í)ã�´¿·3¾;Ù%Æ4üQ^3j+Ò�¹;¾2¹2¹�µtÍ2´[Æ4¹;µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆ-´¶¾;ëlWUô1¾;ï¿Òm')ã�¾cã�¾ÉÆ9´¶Í2´¶¾�Û+�÷�¸k{+²t¾c´ Ö Ù)ïc×�·�²�²�Ó�µ�´¿µ<¹;ð�¾;Ï�Ò�¹�µtÏ1À�ÒcW V ¾cï*À�Àµ<Ó�²�²agÞÇ ÜLÜ ´¶Í2´ Ö ¾4²tÇqÒ�ü%À�À�Å+´¿Ïز�¹�µtÏ ÜLÜ »1¾�·,WUµtÏز�Ï+¾ Ö Ù2ïc×�·�²�¸rz1ÒmW V ¾;ï*À�À�À�À
Fig.7. Sessionrefreshrules
Step9 uu¯SRUTc²�W&µtÏ-Èʾ;Å+Ù}|EÍ)ë�´¶u¾('-ÀÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ-ÇqÒ�¹�·3Å4»1¾uÆ-µ�Ò,¾ Ö Í2Ä Æ-ÇpÒ Ö Í)ã�´¿·3¾;Ù%Æ4�Ò�¹;¾)¹c¹�µtÍ)´AÆ-¹;µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXWUô1¾cïØÒm')ãؾ;ãؾLÆ-´¿Í2´¶¾�ÛLÒܶÝÁ +xÆ-³4´¿µ�·3µtÅ4·3Í2Ù�Ì ¹;¾ Ö�V ¾;ïqÆXW V +�Ò Â Í Â ³4ÏqÆ9´¿Í2´Ô¾-Ò�¹�·3Å4»1¾uÆPY1Ò�¾ Ö Í2Ä Æ-´¿Í2´¶¾4Ò Ö Í2ã�´Ø·�¾;Ù!ÆPY1Ò�¹;¾2¹2¹�µtÍ2´[Æ9´¶Í2´¶¾-ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ9´¿Í)´¶¾-Ò�¹;ô*¾;ïpÆ-´¿Í2´Ô¾-Ò,'2ãؾ;ãؾLÆ-´¿Í2´Ô¾ÉÛLÒÇ ÷N¸y´(²t¾;´ Ö Ù2ï2×*·�²�² Ö Ú Í-¹;¾4²�¹�µ�Ï1À�À�ÒvWUô*¾;ï*À�ÀStep10 Ê ¯SRUT ²�W&µtÏ-ÈN¾;Å1Ù}|EÍ2ëN´ÔÀÁ ÇàÆ-u¾2¹3×�Í2´¿Ï+¾cÙ*Ì ¹;¾ ÖdV ¾;ïpÆOW V ÇpÒ,Å1Ú\µ Ö ¾c³4ÏEÆO+�Ò�¹�·�Å+»1¾ÊÆ9µ�Ò,¾ Ö Í2Ä ÆZ+ÉÒ Ö Í2ã�´Ø·�¾;Ù%ÆZWUÒ,¹c¾2¹c¹�µtÍ)´AÆ+¹�µtÏ�ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ Ö µÑ×Øð�¾;Ù2Ò,¹;ô*¾;ïpÆXW V ¾;ïØÒv'2ãؾ;ãؾ�Æ-¸y´(²t¾;´ Ö Ù2ïc×�·�²�² Ö Ú\Í-¹;¾4²�¹�µtÏ1À�À�ÒbWUô*¾;ïpÛܶÝÁ ÇàÆ-u¾2¹3×�Í2´¿Ï+¾cÙ*Ì ¹;¾ ÖdV ¾;ïpÆOW V ÇpÒ,Å1Ú\µ Ö ¾c³4ÏEÆ9´¿Í)´¶¾-Ò�¹�·3Å4»1¾ÊÆZY+Ò,¾ Ö Í2Ä Æ-´¿Í2´Ô¾-Ò Ö Í)ã�´Ø·3¾cÙ�ÆZY+Ò�¹;¾)¹c¹�µtÍ)´[Æ9´¿Í2´¶¾4ÒÖ µÑ×Øð�¾;Ù-¹�ã�µ�·3¾LÆ9´¿Í)´¶¾-Ò�¹;ô*¾;ïpÆ-´¿Í2´Ô¾-Ò,'2ãؾ;ãؾLÆ-´¿Í2´Ô¾ÉÛ
Fig.8. Sessionteardown rules
12
4. RefreshProgress:For all possiblerefreshprotocolexecutions,eithera successfullsessionrefreshis achievedorthesessionrefreshrequestis denied.
5. RefreshTermination:Everyrefreshprotocolexecutioneventuallyterminates.
6 RelatedWork and Concluding Remarks
Commerciallyavailabledistributedmiddlewareinfrastructureshave incorporatedthe notion of reflectionin ordertoprovide the desiredlevel of configurabilityandopennessin a controlledmanner[5][1][25]. The focusof the workpresentedin this paperis on developingformal semanticsandreasoningfor safecompositionof middlewareservicesand communicationprotocols.The OpenOrbreflective architecture[17] [6] [11] is basedon the RM-ODP objectmodelandinspiredby theAL-1/D reflectiveprogramminglanguagefor distributedapplications[10]. In theOpenOrbarchitectureevery object is representedby multiple modelsallowing behavior to be describedat different levels ofabstractionandfrom differentpointsof view. Similarly, [12] providesa metalevel architectureat the languagelevelto supporta limited fault tolerantsystemmechanisms,in particularreplication.Two reflective architecturesfor actorcomputationhave beenusedasa basisfor definingandreasoningaboutcomposableservicesin dynamicadaptabledistributedsystems:Theonionskin model[15] andthetwo-level actormachine(TLAM) model[23] [22]. Theonionskin modelhasbeenusedto supporthigh level abstractionssuchassynchronizers[30], real time synchronizers[29],actorspaces[8], anddynamicarchitectures[18] [3]; while theTLAM hasbeenusedto reasonaboutsafecompositionof system-level activities, suchasdistributedgarbagecollection[24], migrationandglobalsnapshot[21], andglobalsnapshotin thepresenceof failures[28].
References
[1] AshishSinghai,AamodSaneandRoy Campbel.Reflective ORBs:supportingrobust,time-criticaldistribution. In Proceed-ingsof theEuropeanConferenceon Object-OrientedPrograming, 1997.
[2] BenoitGarbinatoandRachidGuerraoui.Using theStrategy DesignPatternto ComposeReliableDistributedProtocols.InUsenixConferenceon Object-OrientedTechnologiesandSystems, 1997.
[3] DanielSturman.ModularSpecificationof Interactionof InteractionPoliciesin DistributedComputing. PhDthesis,Universityof Illinois at Urbana-Champaing,1996.
[4] Eric Rescorla.SSLandTLS:DesigningandBuildingSecure Systems. Addison-Wesley, 2001.[5] Fabio Costa,GordonBlairandGeoff Coulson. Experimentswith Reflective Middleware. TechnicalReportMPG-98-11,
LancasterUniversity,1998.[6] F.M. Costaand G. Blair. Integrating meta-informationmanagementand reflectionin middleware. In 2nd International
SymposiumonDistributedObjectsandApplications(DOA’00), 2000.[7] Gul Agha. Actors: A modelof ConcurrentComputationin DistributedSystems. MIT Press,1986.[8] Gul Agha andCallsen. Actorspace:An OpenDistributedProgrammingParadigm. In Proceedingsof ACM symposiumon
PrinciplesandPracticeof Parallel Programming, 1993.[9] Gul Agha,IanA Mason,ScottF SmithandCarolynTalcott.A Foundationfor Actor Computation.FunctionalProgramming,
1993.[10] H. Okamura,Y. Ishikawa andM. Tokoro. AL-1/d: A distributedprogrammingsystemwith multimodelreflectionframework
. In ReflectionandMeta-level Architectures, 1992.[11] H.A. Duran-LimonandG. Blair. The importanceof ResourceManagementin EngineeringDsitributedObjects. In 2nd
InternationalWorkshoponEngineeringDistributedObjects, 2000.[12] Jean-CharlesFabreandTanguyPerennou.A MetaobjectArchitecturefor Fault-tolerantDistributedSystems:TheFRIENDS
Approach.In IEEETransactionson Computers, (47):78-95, 1998.[13] JoseMeseguer.ConditionalRewriting Logic asaUnifiedModelof Concurrency. In TheoreticalComputerScience96(1):73-
155, 1992.[14] JoseMeseguerandCarolynTalcott. SemanticModelsfor DistributedObjectReflection.In Stanford University, 2002.[15] JoseMeseguer,CarolynTalcottandDenker G. Rewriting Semanticsof Meta-ObjectsandComposableDistributedServices.
In Proceedingsof the3rd InternationalWorkshoponRewriting Logic andIts Applications, 2000.[16] LeslieLamport.Timeandclocksandtheorderingof eventsin adistributedsystem.Communicationsof theACM, 21(7):558-
565,1978.[17] LynneBlair andGordonBlair. The Impactof Aspect-OrientedProgrammingon Formal Methods. In Proceedingsof the
EuropeanConferenceon Object-OrientedPrograming, 1998.[18] Mark Astley andGul Agha. CustomizationandCompositionof DistributedObjects:MiddlewareAbstractionsfor Policy
Management.In 6th InternationalSymposiumon thefoundationof Software Engineering, 1998.
13
[19] Mark GarlandHayden.TheEnsembleSystem. PhDthesis,CornellUniversity,1998.Departmentof ComputerScience.[20] Matti A. Hiltunen,VijaykumarImmanuelandRichardD. Schlichting.SupportingCustomizedFailureModelsfor Distributed
Software.In DistributedSystemEngineering, (6):103-111, 1999.[21] Nalini VenkatasubramanianandCarolynTalcott. Integrationof ResourceManagementActivities in DistributedSystems.
TechnicalReportTR-Stanford,StanfordUniversity,1999.[22] Nalini Venkatasubramanianand Carolyn Talcott. A SemanticFramework for Modeling and ReasoningaboutReflective
Middleware. In IEEEDistributedSystemsOnline, 2(6), 2001.[23] Nalini Venkatasubramanian,CarolynTalcott andGul Agha. A FormalModel for ReasoningaboutAdaptive QoS-Enabled
Middleware. In FormalMethodsEurope(FME 2001), 2001.[24] Nalini Venkatasubramanian,Gul AghaandCarolynTalcott. ScalableDistributedGarbageCollectionfor Systemsof Active
Objects.In InternationalWorkshopon MemoryManagement, 1992.[25] Nalini Venkatasubramanian,MayurDeshpande,Shivjit Mohapatra,SebastianGutierrez-NolascoandJehanWickramasuriya.
DesignandImplementationof aComposableReflectiveMiddlewareFramework. In InternationalConferenceonDistributedComputerSystems, 2001.
[26] PLincoln, N Marti-Oliet andJMeseguer.Specification,TransformationandProgrammingof ConcurrentSystemsin Rewrit-ing Logic. In Specificationsof Parallel Algorithms, 1994.
[27] RobbertvanRenesse,KennethBirmanandSilvanoMaffeis. Horus:A Flexible GroupCommunicationSystem.Communi-cationof theACM, 39(4):76-83,1996.
[28] SebastianGutierrez-NolascoandNalini Venkatasubramanian.ReachabilitySnapshotsin thePresenceof Failures:An exercisein Protocol-ServiceComposition. In Proceedingsof the DSN2002Workshopon DependableMiddleware-BasedSystems,2002.
[29] ShangpingRen,Nalini Venkatasubramanianand Gul Agha. Formalizing Multimedia QoS Constraintsusing Actors. InProceedingsof SecondInternationalConferenceon FormalMethodsfor OpenObjectBasedDistributedSystems, 1997.
[30] SvendFrolund.CoordinatingDistributedObjects:An Actor-BasedApproach to Synchronization. MIT Press,1996.
A MessageArri val using the RCF:
Let us assumethat the RCF module is active, then every messagemay be processedby a set of communicationprotocolsthat the
a Mi� is not capableto identify or read.As a result,thea Mn� is not ableto extract theinformationit
requiresto determinethe possiblesetof metaactorsthatneedto be notified for a messagearrival. Thus,a messagemayneedto beunwrappedbeforethe
a Mn� cannotify its arrival. In orderto achieve this, we defineaninterface(seefigure9) betweenthe
�4a2eandthe
a Mn� suchthatall incomingmessagesareforwardedto the�4a2e
assoonasthearrivetobeunwrapped(step1) andall unwrappedmessagesarereturnedto the
a Mn� for furtheteventnotificationanddelivery(step2) following thesamemessagearrival rulesdescribedin figure4. We furtherdivide theunwrappingprocessinthreesections:messagehandling,messageprocessingandmessagedelivery.
Step1 ul~ %,� ² Ö Ä^Å�j Ö Ä�»+Ù-ÀÁÃÖ ÄJÅpÆ+ËL¸xËEÌ Å1Ù2Ù2µ�½+¾cü5Æ-Å+ÄÕ¹�»*¹9Ò3¹c¾;´¿Ï+üúÆ+¹�ÄÕ¹�»*¹ÊÛLÒ Ö ÄJÅN÷ Å+Ù)Ù2µt½+¾+²3Ð ÄÞ¹�»ØÒ�Ð ¹�´¶Ï4Ù2Ò�Å+ÄJÅc׿À�ÒÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»ØÒ^Í2ã�·�Æ-Í2ÄÕ¹�»ØÒ Ö ×¿ËÊÍ2´ÔÓÕÆÑÐ Ö ×ع-Ò Ö Í2´ÔÓAÆ Á3� Æ+¸xËLËEÌd�����1ÛLÒ Ás� Æ+ËlhÉËEÌc������ÛLÒ^Ä Ö Í)´ÔÓÞÛܶÝÁÃÖ ÄJÅpÆ+ËL¸xËEÌ Å1Ù2Ù2µ�½+¾cü5Æ-Å+ÄÕ¹�»*¹9Ò3¹c¾;´¿Ï+üúÆ+¹�ÄÕ¹�»*¹ÊÛLÒÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»ØÒ^Í2ã�·�Æ-Í2ÄÕ¹�»ØÒ Ö ×¿ËÊÍ2´ÔÓÕÆÑÐ Ö ×ع-Ò Ö Í2´ÔÓAÆ Á3� Æ+¸xËLËEÌd�����1ÛLÒ Ás� Æ+ËlhÉËEÌc������ÛLÒ^Ä Ö Í)´ÔÓÞÛ� ÷ Å+Ù2Ù)µt½+¾4²3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+ÄJÅc׿ÀStep2 u ~ %,�+² Ö Ä�»+ÙOj Ö ÄJÅ*ÀÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»ØÒ^Í2ã�·�Æ-Í2ÄÕ¹�»&)u²3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò3Å+Ä^Å2×ØÀ�Ò Ö ×¿ËÊÍ2´�ÓÕÆÑÐ Ö ×¿¹9Ò Ö Í)´ÔÓÕÆ Á3� Æ+¸xËLËEÌq�(���1ÛLÒÁ3� Æ4ËlhÉËEÌq�d�(�*ÛLÒ^Ä Ö Í)´ÔÓAÛܶÝÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»ØÒ^Í2ã�·�Æ-Í2ÄÕ¹�»ØÒ Ö ×¿ËÊÍ2´ÔÓÕÆÑÐ Ö ×ع-Ò Ö Í2´ÔÓAÆ Á3� Æ+¸xËLËEÌd�����1ÛLÒ Ás� Æ+ËlhÉËEÌc������ÛLÒ^Ä Ö Í)´ÔÓÞÛLÒÖ ÄJÅ�÷ Å+Ù)Ù2µt½+¾+²3Ð ÄÞ¹�»ØÒ�Ð ¹;´¿Ï4Ù2Ò�Å+ÄJÅc׿À
Fig.9. RCFInterfacerules
Messagehandling: Whenthe communicationmanager, þ , receivesthe forwardedmessage,it queuesinto its � dqueuefor later processing(step1). Thus,we canintegratemessagequeuepriority in a straightforward mannerby
14
queueinga messagein a particularplace.Somequeuedmessagesmay not requireany processing(i.e. they arerawmessages),they mustbeidentifiedandsentto the
a Mn� for messagenotificationanddelivery. Sincethemessageservicelist ( M��9ý ) is alreadyincludedin themessage,thecommunicationmanagercanclassifymessagesasprocessedor rawmessageby inspectingits Mn�9ý . Raw messagesarequeuedinto the
b ��� queuein orderto bereturnedinmmediatelyto thea Mn� (step2). In orderto unwrapa processedmessage,thecommunicationmanagerassignsamessagecoordinator, ,to unwraptheprocessedmessage(step3) andtheassignedmessagecoordinatorqueuestherequestfor laterprocessing(step4). In orderto unwrapthemessage,themessagecoordinatorextractsthe M��9ý from themessageanddeterminesthe correct interactionparametervaluesand the remaininginformation of the communicationprotocolsspecified(step5). Figure10 shows themessagehandlingrulesdescribedabove.
Step1 u %�°�� ~)²�µ�´�'9ÀÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»ØÒ^Í2ã�·�Æ-Í2ÄÕ¹�»ØÒ Ö ×¿ËÊÍ2´ÔÓÕÆÑÐ Ö ×ع-Ò Ö Í2´ÔÓAÆ Á3� Æ+¸xËLËEÌd�����1ÛLÒ Ás� Æ+ËlhÉËEÌc������ÛLÒ^Ä Ö Í)´ÔÓÞÛLÒ� ÷ Å+Ù2Ù)µt½+¾4²3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+ÄJÅc׿ÀܶÝÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»l)ʲ3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+Ä^Å2×ØÀ�Ò^Í2ã�·�Æ9Í)ÄÞ¹�»ØÒ Ö ×¿ËÊÍ2´�ÓÕÆÑÐ Ö ×¿¹9Ò Ö Í)´ÔÓÕÆ Á3� Æ+¸xËLËEÌq�(���1ÛLÒÁ3� Æ4ËlhÉËEÌq�d�(�*ÛLÒ^Ä Ö Í)´ÔÓAÛStep2 u %�°�� ~ ²?·3ã�´¿´¶¾cÚ�ÀÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»l)ʲ3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+Ä^Å2×ØÀ�Ò^Í2ã�·�Æ9Í)ÄÞ¹�»ØÒ Ö ×¿ËÊÍ2´�ÓÕÆÑÐ Ö ×¿¹9Ò Ö Í)´ÔÓÕÆ Á3� Æ+¸xËLËEÌq�(���1ÛLÒÁ3� Æ4ËlhÉËEÌq�d�(�*ÛLÒ^Ä Ö Í)´ÔÓAÛܶÝÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»ØÒ^Í2ã�·�Æ-Í2ÄÕ¹�»&)u²3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò3Å+Ä^Å2×ØÀ�Ò Ö ×¿ËÊÍ2´�ÓÕÆÑÐ Ö ×¿¹9Ò Ö Í)´ÔÓÕÆ Á3� Æ+¸xËLËEÌq�(���1ÛLÒÁ3� Æ4ËlhÉËEÌq�d�(�*ÛLÒ^Ä Ö Í)´ÔÓAÛµ<Óò²�ÄÕ¹;Ú ÜLÜ ´¶ã�Ú?Ú�ÀStep3 u %�°�� ~ ² Ö Ä^»+ÙPj2Ä Ö ÀÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»l)ʲ3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+Ä^Å2×ØÀ�Ò^Í2ã�·�Æ9Í)ÄÞ¹�»ØÒ Ö ×¿ËÊÍ2´�ÓÕÆÑÐ Ö ×¿¹9Ò Ö Í)´ÔÓÕÆ Á3� Æ+¸xËLËEÌq�(���1ÛLÒÁ3� Æ4ËlhÉËEÌq�d�(�*ÛLÒ^Ä Ö Í)´ÔÓAÛܶÝÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»ØÒ^Í2ã�·�Æ-Í2ÄÕ¹�»ØÒ Ö ×¿ËÊÍ2´ÔÓÕÆÑÐ Ö ×ع-Ò Ö Í2´ÔÓAÆ Á3� Æ+¸xËLËEÌd�����1ÛLÒ Ás� Æ+ËlhÉËEÌc������ÛLÒ^Ä Ö Í)´ÔÓÞÛÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ9´¿Í)´¶¾-Ò�×�Ù�Æ-´¿Í)´¶¾-Ò�Ù9¹�·�Æ9´¿Í2´¶¾4Ò,µÑ×ÞÆ9´¶Í2´¶¾-Ò,Í)Ù2ÏqÆ9´¿Í2´Ô¾ÉÛLÒ� ÷ø¾;ñؾ Ö ã*·�¾4²3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+Ä^Å2×ØÀStep4 uu°�%2²�Ä Ö ÄJÅ+µ�Ú�'9ÀÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ9´¿Í)´¶¾-Ò�×�Ù�Æ-´¿Í)´¶¾-Ò�Ù9¹�·�Æ9´¿Í2´¶¾4Ò,µÑ×ÞÆ9´¶Í2´¶¾-Ò,Í)Ù2ÏqÆ9´¿Í2´Ô¾ÉÛ� ÷ø¾;ñؾ Ö ã*·�¾4²3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò�Å+Ä^Å2×ØÀܶÝÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ-¾;ñؾ Ö ã�·3¾+²3Ð ÄÞ¹�»ØÒ,Ð ¹�´¿Ï4Ù)Ò�Å+ÄJÅc׿À�Ò\×�ÙÉÆ-´¿Í)´¶¾-Ò,Ù9¹�·WÆ-´¿Í2´Ô¾-Ò,µÑ×ÞÆ-´¿Í2´¶¾4Ò3Í)Ù2ÏqÆ-´¿Í)´¶¾ÉÛStep5 u °�% ²t¾;ñ�·3Ù2Å Ö ·�ÄÕ¹;Ú�ÀÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ-¾;ñؾ Ö ã�·3¾+²3Ð ÄÞ¹�»ØÒ,Ð ¹�´¿Ï4Ù)Ò�Å+ÄJÅc׿À�Ò\×�ÙÉÆ-´¿Í)´¶¾-Ò,Ù9¹�·WÆ-´¿Í2´Ô¾-Ò,µÑ×ÞÆ-´¿Í2´¶¾4Ò3Í)Ù2ÏqÆ-´¿Í)´¶¾ÉÛܶÝÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ9´¿Í)´¶¾-Ò�×�Ù�Æ�×�Ù)Ú�¹�·�Ò�Ù-¹�·wÆ9Ù-¹�·3Ú�¹�·�Ò3µÑ×ÞÆ9µ�×�Ú�¹�·�Ò3Í2Ù2Ï�Æ)Í)Ù2Ï+Ú�Û
Fig.10.RCFmessagehandlingrules
Messageprocessing:Oncetheinformationhave beenobtained,themessagecoordinatorproceedsto unwrapthemessageby coordinatingtheexecutionorderof theprotocolsasfollows(seefigure11):Messagecoordinatorrequeststo unwrapmessageto a specificcommunicationprotocol (step6). Note that the communicationprotocol,
�, only
receivesthe messageandafter finish its processing,returnsthe messageto the messagecoordinator, which selectsandrepeatsthe processif needed.That is, messagecoordinatorneedsto keeptrack the stageandprotocolcurrentlyprocessingthemessage.
If the protocol is statefull,it processesthe messageandnotifiesthe messagecoordinatorto expect future infor-mation(step7). Herewe usethespinflag to keepthemessagecoordinatorspinningandthestatefullflag to keepthe
15
protocolstate.Note that we usethe event handlingto notify messagecoordinatorthat it needsto spin, but we donot wait for anacknowledgement.In casetheprotocolis stateless,it processesthemessageandnotifiesthemessagecoordinatorwhenit finishes(step8).
Oncethemessagehasbeenunwrapped,theprotocolreturnsthemessageto themessagecoordinator(step9). Incasethemessageneedsto beprocessedby anotherprotocol,themessagecoordinatorwill repeattheprocess(step6)with thecorrespondingprotocol;otherwise,themessagehasbeencompletelyunwrapped.
Step6 uu°�%2²�Ä Ö j Ö ×¿ÀÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ9´¿Í)´¶¾-Ò�×�Ù�Æ�×�Ù)Ú�¹�·�Ò�Ù-¹�·wÆ9Ù-¹�·3Ú�¹�·�Ò3µÑ×ÞÆ9µ�×�Ú�¹�·�Ò3Í2Ù2Ï�Æ)Í)Ù2Ï+Ú<Ò�¹�·�Å+»1¾uÆ)´¿Í)´¶¾�ÛLÒÁ3� Æ4ËlhÉËEÌ ¹�´¿ÏZ'!Æ9Í2ÄÕ¹�»ØÒ�Ù Ö ½Z'!Æ9µtÄÞ¹�»pÛLÒ � ÷U×�Ù2Í Ö ¾2¹2¹-² � Ò�Ð ÄÞ¹�»*ÀܶÝÁ3� Æ4ËlhÉËEÌ ¹�´¿ÏZ'!Æ9Í2ÄÕ¹�»ØÒ�Ù Ö ½Z'!Æ9µtÄÞ¹�»l)�×�Ù2Í Ö ¾2¹2¹-² � Ò�Ð ÄÞ¹�»*ÀWÛÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ9´¿Í)´¶¾-Ò�×�Ù�Æ�×�Ù)Ú�¹�·�Ò�Ù-¹�·wÆ9Ù-¹�·3Ú�¹�·�Ò3µÑ×ÞÆ9µ�×�Ú�¹�·�Ò3Í2Ù2Ï�Æ)Í)Ù2Ï+Ú<Ò�¹�·�Å+»1¾uÆ)Å Ö ·3ã�Å*Ú?¹�·�Å4»1¾LÛµ<Óò²�Å Ö ·3ã�Å1Ú�¹�·�Å+»1¾ ÜLÜ »1¾�·3Í2Ù2Ï+Ú�¹�·3Å4»1¾4²�À�ÀStep7 u %a� ²�¹�·�Å4·�¾2Ó�ãØÚ?Ú ×�Ù)Í Ö ¾2¹�µt´¿»*ÀÁ3� Æ4ËlhÉËEÌ ¹�´¿ÏZ'!Æ9Í2ÄÕ¹�»ØÒ�Ù Ö ½Z'!Æ9µtÄÞ¹�»l)�×�Ù2Í Ö ¾2¹2¹-² � Ò�Ð ÄÞ¹�»*À�Ò,¹�·3Å4·�¾2Ó�ãØÚ\ÚÔÆ+Ó�Ú\Å*¹;¾-ÒJÄ Ö ¹3×�µt´¿´¿µ�´Ø»�Æ9´¿Í2´¶¾�ÛܶÝÁ3� Æ4ËlhÉËEÌ ¹�´¿ÏZ'!Æ9Í2ÄÕ¹�»ØÒ�Ù Ö ½Z'!Æ9µtÄÞ¹�»*À�Ò�¹�·3Å4·�¾2Ó�ãØÚ?Ú�Æ)·3Ù2ãؾ-Ò3Ä Ö ¹3×�µt´¿´¶µt´Ø»�Æ � ÛLÒ � ÷NÓ�µt´¿µ�¹;ð�² � Ò;Ð ÄÕ¹�»*À´¿Íc·3µ<Ó�￲ � Ò,¹3×�µt´ÔÀStep8 u&%a�1²�¹�·�Å4·�¾cÚ?¾2¹c¹�×�Ù)Í Ö ¾2¹c¹�µ�´Ø»*ÀÁ3� Æ4ËlhÉËEÌ ¹�´¿ÏZ'!Æ9Í2ÄÕ¹�»ØÒ�Ù Ö ½Z'!Æ9µtÄÞ¹�»l)�×�Ù2Í Ö ¾2¹2¹-² � Ò�Ð ÄÞ¹�»*À�Ò,¹�·3Å4·�¾2Ó�ãØÚ\ÚÔÆ+Ó�Ú\Å*¹;¾LÛܶÝÁ3� Æ4ËlhÉËEÌ ¹�´¿ÏZ'!Æ9Í2ÄÕ¹�»ØÒ�Ù Ö ½Z'!Æ9µtÄÞ¹�»*À�Ò�¹�·3Å4·�¾2Ó�ãØÚ?Ú�Æ4Ó�Ú\Å*¹;¾ÉÛLÒ � ÷�Ó�µt´¿µ<¹;ð�² � Ò;Ð ÄÕ¹�»*ÀStep9 u&%a�1² Ö ×�jcÄ Ö ÀÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ9´¿Í)´¶¾-Ò�×�Ù�Æ�×�Ù)Ú�¹�·�Ò�Ù-¹�·wÆ9Ù-¹�·3Ú�¹�·�Ò3µÑ×ÞÆ9µ�×�Ú�¹�·�Ò3Í2Ù2Ï�Æ)Í)Ù2Ï+Ú�ÛLÒ� ÷�Ó�µt´¿µ<¹cðÔ² � Ò;Ð ÄÕ¹�»*ÀܶÝÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ4Ó�µt´¶µ<¹;ð�² � Ò�Ð ÄÕ¹�»*À�Ò?×�Ù�Æ�×�Ù)Ú�¹�·�Ò�Ù-¹�·�Æ)Ù9¹�·3Ú�¹�·�Ò�µ�×ÞÆ9µÑ×ØÚ�¹�·�Ò�Í2Ù2ÏpÆ9Í)Ù2Ï+Ú�Û
Fig.11.RCFmessageprocessingrules
Messagedelivery: Beforethemessagecanbereturnedto thea Mn� , themessagecoordinatorchecksif themessage
wasprocessedby at leastonestatefullprotocol(seefigure12) in orerto determineif it needsto wait (spin)for furtherinformation(a tagor acknowledgement)beforeit canprocessanothermessage(step10); otherwiseit canbereuseitby thecommunicationmanager(step11).In bothcases,themessageis returnedto thecommunicationmanager, whichqueuesthemessageinto its
b ��� queue(step12)Oncetheunwrappedmessageis in thecommunicationmanager’sb ���
queue,it canbe forward it to thea Mn� (step2). Oncethemessageis receivedby the
a Mn� , messagenotificationanddelivery follows thesamerulesdescribedfor thecasewhenthe
�4a2emoduleis inactive(step1 to step4).
B CompleteSetof Rules
16
Step10 Ê °�% ²�¹�×�µ�´¿Ä Ö j Ö Ä^»+Ù9ÀÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ4Ó�µt´¶µ<¹;ð�² � Ò�Ð ÄÕ¹�»*À�Ò?×�Ù�Æ�×�Ù)Ú�¹�·�Ò�Ù-¹�·�Æ)Ù9¹�·3Ú�¹�·�Ò�µ�×ÞÆ9µÑ×ØÚ�¹�·�Ò�Í2Ù2ÏpÆ9Í)Ù2Ï+Ú<Ò�¹3×�µt´AÆ4Ó�Å1Ú�¹;¾ÉÛܶÝÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ4Ó�µt´¶µ<¹;ð�² � Ò�Ð ÄÕ¹�»*À�Ò?×�Ù�Æ�×�Ù)Ú�¹�·�Ò�Ù-¹�·�Æ)Ù9¹�·3Ú�¹�·�Ò�µ�×ÞÆ9µÑ×ØÚ�¹�·�Ò�Í2Ù2ÏpÆ9Í)Ù2Ï+Ú<Ò�¹3×�µt´AÆ)·�Ù)ã�¾ÉÛLÒ� ÷U×�Ù2Í Ö ¾2¹c¹c¾;Ïز3Ð ÄÕ¹�»ØÒ�Ð ¹;´¿Ï4Ù2Ò�Å+ÄJÅc׿À
Step11 Êu°�%2²�Ä Ö j Ö Ä�»+Ù-ÀÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ4Ó�µt´¶µ<¹;ð�² � Ò�Ð ÄÕ¹�»*À�Ò?×�Ù�Æ�×�Ù)Ú�¹�·�Ò�Ù-¹�·�Æ)Ù9¹�·3Ú�¹�·�Ò�µ�×ÞÆ9µÑ×ØÚ�¹�·�Ò�Í2Ù2ÏpÆ9Í)Ù2Ï+Ú<Ò�¹3×�µt´AÆ4Ó�Å1Ú�¹;¾ÉÛܶÝÁ�� Æ4¸ºËLËEÌ ÄJÅ+µ�Ú�'!Æ9´¿Í)´¶¾-Ò�×�Ù�Æ-´¿Í)´¶¾-Ò�Ù9¹�·�Æ9´¿Í2´¶¾4Ò,µÑ×ÞÆ9´¶Í2´¶¾-Ò,Í)Ù2ÏqÆ9´¿Í2´Ô¾-Ò�¹3×�µt´AÆ+Ó�Å1Ú�¹;¾ÉÛLÒ� ÷U×�Ù2Í Ö ¾2¹c¹c¾;Ïز3Ð ÄÕ¹�»ØÒ�Ð ¹;´¿Ï4Ù2Ò�Å+ÄJÅc׿ÀStep12 Ê °�Tm� ~-²�Í)ã*·v'9ÀÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»ØÒ^Í2ã�·�Æ-Í2ÄÕ¹�»ØÒ Ö ×¿ËÊÍ2´ÔÓÕÆÑÐ Ö ×ع-Ò Ö Í2´ÔÓAÆ Á3� Æ+¸xËLËEÌd�����1ÛLÒ Ás� Æ+ËlhÉËEÌc������ÛLÒ^Ä Ö Í)´ÔÓÞÛLÒ� ÷U×�Ù2Í Ö ¾2¹c¹c¾;Ïز3Ð ÄÕ¹�»ØÒ�Ð ¹;´¿Ï4Ù2Ò�Å+ÄJÅc׿ÀܶÝÁQ� Æ4ËL¸Î»+Ù9ËEÌ µ�´[Æ9µtÄÞ¹�»ØÒ^Í2ã�·�Æ-Í2ÄÕ¹�»&)u²3Ð ÄÕ¹�»ØÒ�Ð ¹�´¿Ï4Ù)Ò3Å+Ä^Å2×ØÀ�Ò Ö ×¿ËÊÍ2´�ÓÕÆÑÐ Ö ×¿¹9Ò Ö Í)´ÔÓÕÆ Á3� Æ+¸xËLËEÌq�(���1ÛLÒÁ3� Æ4ËlhÉËEÌq�d�(�*ÛLÒ^Ä Ö Í)´ÔÓAÛ
Fig.12.RCFmessagedelivery rules
17
Step1 uu¯SRUT ~ %v�1²v];À����� � %3¯�� ~(� � � � ������ T�� ~�� ����� � Tm� ~c�*� � � � � � �}� � �q� �\� ~b� °�Tm� � R ±(T3¯\°�Tm� ��� � R#°�T�� ���n� R ±(T3¯?°�TmR � R#°�TvR ����� ° �¡n¢�£��� � %3¯�� ~(� � � � ������ T�� ~�� ����� � Tm� ~c�*� � � � � ° � � � � � � � �q� �\� ~b� °�T�� � R ±�T3¯?°�Tm� ��� � °�Tm� ���-� R ±(T3¯\°�TvR � °�TvR �� � �S� � Tm� ~(� ��� ¡ � � ¯ � Tm� ~�� ���S� ± � �-� °�Tm� ��� ¡ �P� � � Tm� ���-� ° � �S� ± � �-� � ¡ � � ¯¥¤O� �n~ % � � ° � ��� ± � �-� � ¡ � � ¯S¦�± ~ � � ¯ � ° � �S� ± � �n� °�TvR ¡ % ~ � ±;¯ �v� TvR � ° � � � � � �S���Step2 u ¯SRUT ~ %v� ²�j)À�£� Tm� ~�� ����� � Tm� ~q��� � � � � ° � � � � � � � �q� �\� ~c� °�Tm� � R ±(T�¯?°�Tm� ��� � °�Tm� ���-� R ±(T3¯?°�TvR � °�TmR �¡n¢��� T�� ~�� ����� � Tm� ~c�*� � � � � � �}� � �q� �\� ~b� °�Tm� � R ±(T3¯\°�Tm� ��� � � � �}� � R ±(T�¯?°�TvR � � � �P� ���� °�� ~�� ��� � ° � � � � � � °�Tm� ���-� °�TmR �� � ��� °�� ~(� ��� ¡ � � ¯�%�° ���-� ���S�Step3 uu¯SRUT ~ %v�1²ap9À� � °�� ~�� ����� � � � ~c��� � �X� � °�Tm�d§ � ° � � � � � � °�Tm� ���-� °�TvR � � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ����� � � � ��� � %a� � ��«���� � � � ��� °�%�� � � �¡n¢� � °�� ~�� ����� � � � ~c��� � �\� � °�Tm� � � � ¯ � ��°�Tm� � ¨X© RUT3¯ � TvRUT3¯ � %a� � � � � � ª %���T � %�� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%m� � � ���°�% � � T � �n� ° � � � � � � °�Tm� ���-� °�TvR �S�� � �S� � � ¯?°�%,¬ ~ ��° � TvR � �v ¯ ~ ±d%3¯ � TvR � T � �n� ° � � � � � � °�Tm� ���-� °�TvR �S��� ¡�¡�®9¯ ¨\¨ � ± � �-� °�% � ¡ T � R � %3¯?°�% � °�%a���b�cR �S�S�Step4 u ¯SRUT ~ %v� ²ap2Å�À� � °�� ~�� ����� � � � ~c��� � �X� � °�Tm�d§ � ° � � � � � � °�Tm� ���-� °�TvR � � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ����� � � � ��� � %a� � ��«���� � � � ��� °�%�� � � �¡n¢� � °�� ~�� ����� � � � ~c��� � �\� � °�Tm� � � � ¯ � ��°�Tm� � ¨X© RUT3¯ � TvRUT3¯ � %a� � � � � � ª %���T � %�� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%m� � � ���°�% � � T � �n� ° � � � � � � °�Tm� ���-� °�TvR �S�� � � °�% � ¡�¡ � � � ¯?°�%v¬ ~ ��° � TvR � �v ¯ ~ ±�%�¯ � TmR � T � �-� ° � � � � � � °�T�� ���n� °�TvR �S�S���S�Step5 uu¯SRUT ~ %v�1²¥u-À� °�% � � � ���*� °w± � R ° � � T � �n� ° � � � � � � °�Tm� ���-� °�TvR ��� � � ~ � � � �P� � ~ T3¯ � � � �P� � � � � � � �}� � � ~,� � � � �P� � T3¯\±�� �q� ©d� T�� � �\� ��±(RUT � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� � � T�� � �X� ��±(RUT � ���%�� � ¦ ¨ ¤ � �S� �v� % ~c± �;¯ � ° � � � � � ��� � °�Tm� ���n� °�% ��� �� � �S� ¦ ¨ ¤ ¡�¡ �v ¯ ~ ±d%3¯ � TvR � T � �n� ° � � � � � � °�Tm� ���-� °�TvR �S� ± � �-� °�% ��� ¡�¡ � � ¯?°�% ���-� °�% � �S�S�S�Step6 u ¯SRUT ~ %v� ²�y)À� %�� � ¦ ¨ ¤ ��� ��«���� T � � ° � � � �P� � ~ %v²q° � �S� �v� % ~b± ��¯ � ° � � � � � �S� � °�Tm� ���-� °�% � � � ~ �cR �q� � � �}� � T � %,³ � ± � ¤X³ � � % � �(´ � ~ T �}� ¯ �q� � � �P� � T,³ � ± � � � �P� � � %���° � � � �}� � � %���° �� � �P� � %m� � � ¯ � ~ � µ � T � TvT � � �X� � � �}� � T3¯ ±�� �c� ©d� T3¯ ±;¯ � � � RUR � ��±(RUT � �¡n¢� %�� � ¦ ¨ ¤ ��� ��«��*� T � � ° � ° � � ~ %m²q° � � � �P� � ~ �cR �q� ¶c� � ¯ � ±;¯�� ~,� T � %,³ � ± � ¤X³ � � % � �(´ � ~ T �}� ¯ �q� � � �P� � T,³ � ± � � � �P� � � %���° � � � � %m��° � � � �P� � %m� � � ¯ � ~ � µ § � � T � TvT � � �\�� � �P� � T3¯\±�� �q� � � T3¯\±;¯ � � � RUR � ¯ ~c� � ���°�% � � � � � � � °�T�� ���n� T�� � � °�% �� � �S� � %m��°!·¡ � � ± � �n� � %���°l·¡ � � ± � �-� � � ¡ �v� % ~b± ��¯ �S� � � � % � � � � µO� � ��� � � � ®m³ � ±}� � �S�S� ± � �n� T�� � � °�% ¡ � � ¯S¤+¯ ±;¯ � � � RUR � �S�S�Step7 u ¯SRUT ~ %v� ²az9À� °�% � � � ���*� °w± � R ° � � � � � � � °�Tm� ���-� T�� � � °�% � � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯SRUT3¯ � � � � � ��RUT3¯ � � ~,� � � ~b� R � T3¯ ±�� �c� � � T�� � �\� ��±(RUT � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� � � T�� � �X� ¯ ~b� � ���� °�� ~�� ��� � � � � � � °�Tm� ���n� °�TvR � °�% ��� �� � �S� � � ¡ �m� % ~b± ��¯ �S� � � � % � � � � µO� � ��� � � � ®�³ � ±}� � �S�S� ± � �-� T�� � � ¡ � � ¯¥¤}� � � °�% �S� � � � � � °�Tm� ���-� °�TmR � T�� � � °�% �S� ± � �-� T�� � � ¡�¡ ¦£¸ ¯�¹ � ± � �n� °�% ��� ¡�¡� � ¯\°�% ���n� °�% � �S���S�Step8 uu¯SRUT ~ %v�1²�{)À� � °�� ~�� ����� � � � ~c��� � �X� � °�Tm� � � � ¯ � ��°�Tm�d§ � � � � � � °�Tm� ���-� °�TmR � °�% � � � ¨\© RUT�¯ � TvRUT�¯ � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ����� � � � ��� � %a� � ��«���� � � � ��� °�%�� � � �¡n¢� � °�� ~�� ����� � � � ~c��� � �\� � °�Tm� � � � ¯ � ��°�Tm� � ¨X© RUT3¯ � TvRUT3¯ V � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ���*� � � � ��� � %a� � ��«��*� � � � ��� °�%m� � � ���� °�� ~�� � � � � � � � � °�Tm� ���-� °�TvR �� � �S� TmRUT3¯ V ¡ ± �c�n� TvRUT3¯ � � °�TvR � °�% ��� �S�S� ± � �-��� °�� ~�� � � ¡ � � ¯�%3° ���n� � �S� ± � �-� � � ¡�¡ �m� % ~b± ��¯ �S� � � � % � � � � µO� � ��� � � � ®�³ � ±}� � �S�S�S�
Fig.13.TLS-RCFrules:message1
18
Step9 uu¯SRUT ~ %v�1²aº9À� � °�� ~�� � ��� � � � ~c�*� � �\� � °�Tm��§ � � � � � � °�Tm� ���-� °�TvR � � � � ¯ � ��°�Tm� � ¨\© RUT3¯ � TvRUT3¯ � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ���*� � � � ��� � %a� � ��«��*� � � � ��� °�%m� � � �¡n¢� � °�� ~�� � ��� � � � ~c�*� � �X� � °�Tm� � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ����� � � � ��� � %a� � ��«���� � � � ��� °�%�� � � ���°�% � ��~ %v² � � � � � � °�Tm� ���n� °�TvR �S�� � �S� � � ¯?°�%,¬ ~ ��° � TvR � �v ¯ ~ ±d%3¯ � TvR � � � � � � °�T�� ���n� °�TvR �S� ¡�¡�®9¯ ¨i¨ � ± � �n� °�% � ¡ T � R � %�¯?°�% � °�%��d�b�qR ���S�Step10 Ê ¯SRUT ~ %,� ²aº)Å*À� � °�� ~�� � ��� � � � ~c�*� � �\� � °�Tm��§ � � � � � � °�Tm� ���-� °�TvR � � � � ¯ � ��°�Tm� � ¨\© RUT3¯ � TvRUT3¯ � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ���*� � � � ��� � %a� � ��«��*� � � � ��� °�%m� � � �¡n¢� � °�� ~�� � ��� � � � ~c�*� � �X� � °�Tm� � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ����� � � � ��� � %a� � ��«���� � � � ��� °�%�� � � ���°�% � ��~ %v² � � � � � � °�Tm� ���n� °�TvR �S�� � � °�% � ¡�¡ � � � ¯?°�%v¬ ~ ��° � TvR � �v ¯ ~ ±�%�¯ � TmR � T � �-� ° � � � � � � °�T�� ���n� °�TvR �S�S���S�Step11 Êu¯SRUT ~ %,�1²a»-À� °�% � � � ���*� °w± � R ° � ��~ %v² � � � � � � °�T�� ���n� °�TvR �S� � � ~ � � � �P� � ~ T3¯ � � � �}� � � � � � � �P� � � ~,� � � � �}� � T3¯ ±�� �c� ©d� T�� � �\� ��±(RUT � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� � � T�� � �X� ��±(RUT � ���%�� � ¦ ¨ ¤ � �U� � % ~c± �;¯ � � � � � � � °�Tm� ���n� °�% ��� �� � �S� ¦ ¨ ¤ ¡�¡ �v ¯ ~ ±d%3¯?°�TmR ��~ %v² � � � � � � °�Tm� ���-� °�TmR �S�S� ± � �n� °�% ��� ¡�¡ � � ¯\°�% ���n� °�% � �S���Step12 Ê ¯SRUT ~ %,� ²v](Y-À� %�� � ¦ ¨ ¤ ��� ��«���� T � � ° � � � �P� � ~ %v²q° � �U� � % ~b± ��¯ � � � � � � � °�Tm� ���-� °�% ��� � � ~ �cR �q� � � �P� � T � %,³ � ± � ¤X³ � � % � �-´ � ~ T �n� ¯ �q� � � �P� � Tv³ � ± � � � �P� � � %���° � � � �}� � � %���° �� � �P� � %m� � � ¯ � ~ � ³ � T � TvT � � �\� � � �P� � T�¯\±�� �q� ©d� T�¯\±;¯ � � � RUR � ��±(RUT � �¡n¢� %�� � ¦ ¨ ¤ ��� ��«��*� T � � ° � � � �}� � ~ %v²c° � � � �}� � ~ �cR �q� ¸ � T��d� � � � ~,� T � %v³ � ± � ¤\³ � � % � �(´ � ~ T �}� ¯ �q� % � �-´ � ~,� T,³ � ± � � � �P� � � %m��° � � � � %m��° � � � �P� � %m� � � ¯ � ~ � ³�§ � � T � TvT � � �\�T ���-� T3¯ ±�� �c� � � T3¯ ±;¯ � � � RUR � ¯ ~b� � ���°�% � � � � � � � °�Tm� ���-� T�� � � °�% �� � �S��¼ � ±(« ± ��~�� ¤X³ � � «�� ®�³ � ±}� � �S�S� ± � �-� � %���°l·¡ ��� ± � �n� � %���°l·¡ ��� ± � �n� �P� � ¤ ���n� � � ³ �S� ± � �n� Ta� � � °�% ¡ � � ¯¥¤4¯\±�¯ � � � RUR � �S� ± � �n� � � ¡�¡�v� % ~c± �;¯ ���S� ® � � � � � % � � � � ³ �S� � �}� � ¤ ���-� � � ³ � � % � �-´ � ~ � � � � ®m³ � ±}� ���S�S�S�Step13 Ê ¯SRUT ~ %,� ²v]P]cÀ� °�% � � � ���*� °w± � R ° � � � � � � � °�Tm� ���-� T�� � � °�% � � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯�RUT3¯ � � � � � ��RUT3¯ � � ~,� � � ~,� R � T3¯\±�� �q� � � T�� � �\� ��±(RUT � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� � � T�� � �X� ¯ ~b� � ���� °�� ~�� � � � � � � � � °�Tm� ���n� °�TvR � °�% ��� �� � �S� � � ¡�¡ �v� % ~b± ��¯ �S�S� ® � � � � � % � � � � ³ �S� � �P� � ¤ ���n� � � ³ � � % � �(´ � ~ � � � � ®�³ � ±}� ���S��� ± � �-� T�� � � ¡ � � ¯S¤P� � � °�% � � � � � � °�Tm� ���n� Ta� � � °�% �S� ± � �n� T�� � � ¡�¡¦£¸ ¯£¹ � ± � �-� °�% ��� ¡�¡ � � ¯?°�% ���-� °�% � �S�S�Step14 Ê ¯SRUT ~ %,� ²v]-j9À� � °�� ~�� � ��� � � � ~c�*� � �\� � °�Tm� � � � ¯ � ��°�Tm��§ � � � � � � °�Tm� ���-� °�TmR � °�% ��� � � ¨X© RUT3¯ � TmRUT3¯ � %a� � � � � � ª %���T � %m� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%�� � � �¡n¢� � °�� ~�� � ��� � � � ~c�*� � �X� � °�Tm� � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ V � %a� � � � � � ª %���T � %�� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%m� � � ���� °�� ~�� ��� � � � � � � °�Tm� ���-� °�TvR �� � �S� TmRUT3¯ V ¡ ± �c�n� TvRUT3¯ � � °�TvR � °�% ��� �S�S� ± � �-��� °�� ~�� ��� ¡ � � ¯�%3° ���-� ���S� ± � �n� � � ¡�¡ �v� % ~b± ��¯ �S�S� ® � � � � � % � � � � ³ �S� � �P� � ¤ ���n� � � ³ � � % � �(´ � ~ � � � � ®�³ � ±}� �����S�S�
Fig.14.TLS-RCFrules:message2
19
Step15 Ê ¯SRUT ~ %,� ²v](p-À� � °�� ~�� ����� � � � ~c��� � �X� � °�Tm�d§ � � � � � � °�T�� ���n� °�TvR � � � � ¯ � ��°�T�� � ¨X© RUT3¯ � TvRUT3¯ V � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ����� � � � ��� � %a� � ��«���� � � � ��� °�%�� � � �¡n¢� � °�� ~�� ����� � � � ~c��� � �\� � °�Tm� � � � ¯ � ��°�Tm� � ¨X© RUT3¯ � TvRUT3¯ V � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ���*� � � � ��� � %a� � ��«��*� � � � ��� °�%m� � � ���°�% � ��~ %v² � � � � � � °�Tm� ���-� °�TvR �S�� � � °�% � ¡�¡ � � � ¯?°�%v¬ ~ ��° � TvR � �v ¯ ~ ±�%�¯ � TmR �S� � � � � � °�Tm� ���-� °�TvR ���S�S�Step16 Ê ¯SRUT ~ %,� ²v]�u4À� °�% � � � ���*� °w± � R ° � ��~ %v² � � � � � � °�Tm� ���-� °�TvR ��� � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯�RUT3¯ � � � � � ��RUT3¯ � � ~,� � � ~,� R � T3¯\±�� �q� � � T�� � �\� ¯ ~b� � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� ½ � T�� � �X� ¯ ~b� � ���%�� � ¦ ¨ ¤ � �S� � � % ~b± �;¯ � � � � ���S� � °�Tm� ���-� °�% ��� �� � �S� ¦ ¨ ¤ ¡�¡ �v ¯ ~ ±d%3¯?°�TmR ��~ %v² � � � � � � °�T�� ���n� °�TvR �S�S� ± � �-� °�% ��� ¡�¡ � � ¯?°�% ���-� °�% � �S�S�Step17 Êu¯SRUT ~ %,�1²v]-y9À� %�� � ¦ ¨ ¤ ��� ��«���� T � � ° � ° � � ~ %v²c° � �S� � � % ~b± �;¯ � � � � ���S� � °�Tm� ���-� °�% ��� � � ~ �cR �q� ¶c� � ¯ � ±;¯�� ~,� T � %,³ � ± � ¤X³ � � % � �(´ � ~ T �}� ¯ �q� � � �P� � T,³ � ± � � � �P� � � %���° � � � � %m��° �� � �P� � %m� � � ¯ � ~ � µ § � � T � TvT � � �\� � � �P� � T�¯\±�� �q� � � T�¯\±;¯ � � � RUR � ¯ ~b� � �¡n¢� %�� � ¦ ¨ ¤ ��� ��«��*� T � � ° � ° � � ~ %m²q° � � � �P� � ~ �cR �q� ¶c� � ¯ � ±;¯�� ~,� T � %,³ � ± � ¤X³ � � % � �(´ � ~ T �}� ¯ �q� % � �-´ � ~,� T,³ � ± � ¤X³ � ±n� � %���° � � � � %m��° � � � %�� � � ¯ � ~ � µ § � � T � TvT � � �X�T ���-� T3¯ ±�� �c� � � T3¯ ±;¯ � � � RUR � ¯ ~b� � ���°�% � � ��½ � � � °�T�� ���n� T�� � � °�% �� � �S��¼ � ±(« ± ��~�� ¤X³ � � « ³ ���S� ± � �-� ® � ¡�¡ � � � % � � � � µO�S� ± � �n� � %���° ¡�¡ � � ± � �-� T ��� ¡ �P� � ¤ ���n� � � ³ �S� ± � �n� ¤ ¼ � ± ¡ °w± ¼ � ³ � ±}� � ~ �q¾°w±(T3¯ � ~b� ® � � ® � �S� ± � �n� �$½ ¡�¡ �v� % ~b± ��¯ �S� ® � � T ���-� � ~ �q¾ °w±(T3¯ � ~ � � � � ®�³ � ±}� � �S�S� ± � �-� T�� � � °�% ¡ � � ¯¥¤4¯\±;¯ � � � RUR � �S���Step18 Êu¯SRUT ~ %,�1²v](z-À� °�% � � � ���*� °w± � R ° � � �$½ � � � °�Tm� ���-� T�� � � °�% � � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯SRUT3¯ � � � � � ��RUT3¯ � � ~,� � � ~b� R � T3¯ ±�� �c� ½ � T�� � �\� ¯ ~c� � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� ¿ � T�� � �X� ¯ ~b� � ���� °�� ~�� ��� � ��½ � � � °�Tm� ���n� °�TvR �� � �S� �$½ ¡�¡ �v� % ~b± ��¯ �S� ® � � T ���-� � ~ �q¾ °w±(T3¯ � ~ � � � � ®�³ � ±}� � �S�S� ± � �-� T�� � � ¡ � � ¯¥¤}� � � °�% ��� ��½ � � � °�Tm� ���n� Ta� � � °�% �S�S�S�Step19 Êu¯SRUT ~ %,�1²v]-{9À� � °�� ~�� ����� � � � ~c��� � �X� � °�Tm� � � � ¯ � ��°�Tm�d§ � ��½ � � � °�Tm� ���-� °�TmR � � ¨X© RUT3¯ � TmRUT3¯ V � %a� � � � � � ª %���T � %�� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%m� � � �¡n¢� � °�� ~�� ����� � � � ~c��� � �\� � °�Tm� � � � ¯ � ��°�Tm� � ¨X© RUT3¯ � TvRUT3¯ V � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ���*� � � � ��� � %a� � ��«��*� � � � ��� °�%m� � � ���� °�� ~�� � � � �$½ � � � °�Tm� ���-� °�TvR �� � �S��� °�� ~�� � � ¡ � � ¯�%3° ���-� � ��� ± � �-� �$½ ¡�¡ �v� % ~b± �;¯ �S� ® � � T ���n� � ~ �q¾ °w±(T3¯ � ~ � � � � ®�³ � ±}� � �S�S�S�
Fig.15.TLS-RCFrules:message3
20
Step20 Ê ¯SRUT ~ %,� ²v](º-À� � °�� ~�� � ��� � � � ~c�*� � �\� � °�Tm��§ � �$½ � � � °�Tm� ���-� °�TvR � � � � ¯ � ��°�Tm� � ¨\© RUT3¯ � TvRUT3¯ V � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ����� � � � ��� � %a� � ��«���� � � � ��� °�%�� � � �¡n¢� � °�� ~�� � ��� � � � ~c�*� � �X� � °�Tm� � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ V � %a� � � � � � ª %���T � %�� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%m� � � ���°�% � ��~ %v² � ��½ � � � °�Tm� ���n� °�TvR �S�� � � °�% � ¡�¡ � � � ¯?°�%v¬ ~ ��° � TvR � �v ¯ ~ ±�%�¯ � TmR �S� ��½ � � � °�T�� ���n� °�TvR �S�S���Step21 Ê ¯SRUT ~ %,� ²v](»-À� °�% � � � ���*� °w± � R ° � ��~ %v² � ��½ � � � °�T�� ���n� °�TvR �S� � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯SRUT3¯ � � � � � ��RUT3¯ � � ~,� � � ~b� R � T3¯ ±�� �c� � � T�� � �\� ¯ ~c� � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� ½ � T�� � �X� ¯ ~b� � ���%�� � ¦ ¨ ¤ � �S� � � % ~b± �;¯ � ��½ � � �S� � °�Tm� ���-� °�% ��� �� � �S� ¦ ¨ ¤ ¡�¡ �v ¯ ~ ±d%3¯?°�TmR �S��~ %v² � ��½ � � � °�Tm� ���n� °�TvR �S�S�S� ± � �-� °�% ��� ¡�¡ � � ¯?°�% ���-� °�% � �S�S�Step22 Êu¯SRUT ~ %,�1²�j}Y-À� %�� � ¦ ¨ ¤ ��� ��«���� T � � ° � � � �P� � ~ %v²q° � �S�U� � % ~b± ��¯ � �$½ � � ��� � °�Tm� ���n� °�% ��� � � ~ �cR �q� ¸ � T��d� � � � ~b� T � %,³ � ± � ¤X³ � � % � �-´ � ~ T �n� ¯ �q� % � �(´ � ~,� T,³ � ± � � � �}� � � %m��° � � � � %m��° �� � �P� � %m� � � ¯ � ~ � ³�§ � � T � TvT � � �\� T ���-� T3¯\±d� �q� � � T3¯\±�¯ � � � RUR � ¯ ~b� � �¡n¢� %�� � ¦ ¨ ¤ ��� ��«��*� T � � ° � � � �}� � ~ %v²c° � � � �}� � ~ �cR �q� ¸ � T��d� � � � ~,� T � %v³ � ± � ¤\³ � � % � �(´ � ~ T �}� ¯ �q� % � �-´ � ~,� T,³ � ± � ¤X³ � ±}� � %m��° � � � � %m��° � � � %�� � � ¯ � ~ � ³�§ � � T � TvT � � �X�T ���-� T3¯ ±�� �c� � � T3¯ ±;¯ � � � RUR � ¯ ~b� � ���°�% � � ��¿ � ���� � �S��¼ � ±(« ± ��~�� ¤X³ � � « ³ � �S� ± � �-� ® � ¡�¡ � � � % � � � � ³ �S� ± � �-�U� %m��° ¡�¡ ��� ± � �n� T ��� ¡ �P� � ¤ ���n� � � ³ �S� ± � �n� ¤ ¼ � ± ¡ °W± ¼ � ³ � ±}� � ~ �c¾°w±(T3¯ � ~b� ® � � ® � �S� ± � �n� �$¿ ¡�¡ �v� % ~b± ��¯ � � � � � Tv´ � �n� ¤X³ � ± �S�S�Step23 Êu¯SRUT ~ %,�1²�jX]cÀ� °�% � � � ���*� °w± � R ° � � �$¿ � ��� � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯�RUT3¯ � � � � � ��RUT3¯ � � ~,� � � ~,� R � T3¯\±�� �q� ½ � T�� � �\� ¯ ~b� � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� ¿ � T�� � �X� ¯ ~b� � ���� °�� ~�� � � � �$¿ � � � °�TvR �� � � �$¿ ¡�¡ �v� % ~b± �;¯ � � � � � T,´ � �-� ¤X³ � ± �S�Step24 Êu¯SRUT ~ %,�1²�jPj9À� � °�� ~�� � ��� � � � ~c�*� � �\� � °�Tm� � � � ¯ � ��°�Tm��§ � �$¿ � � � °�TvR � � ¨\© RUT3¯ � TvRUT3¯ V � %a� � � � � � ª %���T � %m� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%�� � � �¡n¢� � °�� ~�� � ��� � � � ~c�*� � �X� � °�Tm� � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ V � %a� � � � � � ª %���T � %�� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%m� � � ���� °�� ~�� ��� � ��¿ � � � °�TvR �� � �S��� °�� ~�� ��� ¡ � � ¯�%�° ���n� ���S� ± � �-� ��¿ ¡�¡ �v� % ~c± �;¯ � � � � � T,´ � �-� ¤X³ � ± ���S�
Fig.16.TLS-RCFrules:message4
21
Step25 Êu¯SRUT ~ %,�1²�j}p-À� � °�� ~�� ����� � � � ~c��� � �X� � °�Tm�d§ � ��¿ � � � °�TmR � � � � ¯ � ��°�Tm� � ¨X© RUT3¯ � TmRUT3¯ V � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ���*� � � � ��� � %a� � ��«��*� � � � ��� °�%m� � � �¡n¢� � °�� ~�� ����� � � � ~c��� � �\� � °�Tm� � � � ¯ � ��°�Tm� � ¨X© RUT3¯ � TvRUT3¯ V � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ���*� � � � ��� � %a� � ��«��*� � � � ��� °�%m� � � ���°�% � ��~ %v² � ��¿ � � � °�TvR �S�� � � °�% � ¡�¡ � � � ¯?°�%v¬ ~ ��° � TvR � �v ¯ ~ ±�%�¯ � TmR �S� � � � � � °�Tm� ���-� °�TvR ���S�S�Step26 Ê ¯SRUT ~ %,� ²�jnu4À� °�% � � � ���*� °w± � R ° � ��~ %v² � ��¿ � � � °�TvR �S� � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯SRUT3¯ � � � � � ��RUT3¯ � � ~,� � � ~b� R � T3¯ ±�� �c� ¿ � T�� � �\� ¯ ~c� � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� À � T�� � �X� ¯ ~b� � ���%�� � ¦ ¨ ¤ � �S� � � % ~b± �;¯ � ��¿ � ���S� � °�% ��� �� � �S� ¦ ¨ ¤ ¡�¡ �v ¯ ~ ±d%3¯?°�TmR ��~ %v² � ��¿ � � � °�TmR �S�S� ± � �n� °�% ��� ¡�¡ � � ¯\°�% ���n� °�% � �S���Step27 Ê ¯SRUT ~ %,� ²�jPy9À� %�� � ¦ ¨ ¤ ��� ��«���� T � � ° � ° � � ~ %v²c° � �S� � � % ~b± �;¯ � ��¿ � ���S� � °�% ��� � � ~ �cR �q� ¶b� � ¯ � ±;¯�� ~,� T � %v³ � ± � ¤\³ � � % � �-´ � ~ T �n� ¯ �q� % � �(´ � ~b� T,³ � ± � ¤X³ � ±}� � %m��° � � � � %m��° � � � %m� � � ¯ � ~ �µ § � � T � TvT � � �\� T ���-� T3¯ ±�� �c� � � T3¯ ±;¯ � � � RUR � ¯ ~b� � �¡n¢� %�� � ¦ ¨ ¤ ��� ��«��*� T � � ° � � � �}� � ~ %v²c° � � � �}� � ~ �cR �q� ¶b� � ¯ � ±;¯�� ~,� T � %v³ � ± � ¤\³ � � % � �-´ � ~ T �n� ¯ �q� % � �(´ � ~b� T,³ � ± � ¤X³ � ±}� � %m��° � � � � %m��° � � � %m� � � ¯ � ~ � µ § ½ � T � TvT � � �\�T ���-� T3¯ ±�� �c� ½ � T3¯ ±;¯ � � � RUR � ¯ ~b� � ���°�% � � �1À � � � °�T�� ��� �� � �S� �$¿ ¡�¡ �v� % ~b± ��¯ � � � � � Tv´ � �n� ¤X³ � ± �S� ± � �n� �1À ¡�¡ �v� % ~b± ��¯ � ° � � ¤\³ � ± �S�S�Step28 Êu¯SRUT ~ %,�1²�j}z-À� °�% � � � ���*� °w± � R ° � � ��À � � � °�Tm� ��� � � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯�RUT3¯ � � � � � ��RUT3¯ � � ~,� � � ~,� R � T3¯\±�� �q� À � T�� � �\� ¯ ~b� � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� Á � T�� � �X� ¯ ~b� � ���� °�� ~�� ��� � �1À � � � °�Tm� ���n� °�TvR �� � � ��À ¡�¡ �v� % ~b± �;¯ � ° � � ¤X³ � ± �S�Step29 Ê ¯SRUT ~ %,� ²�jP{9À� � °�� ~�� ����� � � � ~c��� � �X� � °�Tm� � � � ¯ � ��°�Tm�d§ � �1À � � � °�Tm� ���-� °�TmR � � ¨X© RUT3¯ � TmRUT3¯ V � %a� � � � � � ª %���T � %�� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%m� � � �¡n¢� � °�� ~�� ����� � � � ~c��� � �\� � °�Tm� � � � ¯ � ��°�Tm� � ¨X© RUT3¯ � TvRUT3¯ V � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ���*� � � � ��� � %a� � ��«��*� � � � ��� °�%m� � � ���� °�� ~�� � � �S� �1À � � � °�Tm� ���-� °�TmR �� � �S��� °�� ~�� � � ¡ � � ¯�%3° ���-� � ��� ± � �-� ��À ¡�¡ �v� % ~b± �;¯ � ° � � ¤X³ � ± �S�S�
Fig.17.TLS-RCFrules:message5
22
Step30 Ê ¯SRUT ~ %,� ²�j}º-À� � °�� ~�� � ��� � � � ~c�*� � �\� � °�Tm��§ �S� ��À � � � °�Tm� ���-� °�TvR � � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ����� � � � ��� � %a� � ��«���� � � � ��� °�%�� � � �¡n¢� � °�� ~�� � ��� � � � ~c�*� � �X� � °�Tm� � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ � %�� � � � � � ª %a�(T � %m� � � � � °�% � � ����� � � � ��� � %a� � ��«���� � � � ��� °�%�� � � ���°�% � ��~ %v² � �1À � � � °�Tm� ���n� °�TvR �S�� � � °�% � ¡�¡ � � � ¯?°�%v¬ ~ ��° � TvR � �v ¯ ~ ±�%�¯ � TmR � T � �-� ° � � � � � � °�T�� ���n� °�TvR �S�S���S�Step31 Êu¯SRUT ~ %,�1²�j}»-À� °�% � � � ���*� °w± � R ° � � � �}� � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯�RUT3¯ � � � � � ��RUT3¯ � � ~,� � � ~,� R � T3¯\±�� �q� ¿ � T�� � �\� ¯ ~b� � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� À � T�� � �X� ¯ ~b� � ���%�� � ¦ ¨ ¤ � �S� � � % ~b± �;¯ � �1À � � �S� � °�Tm� ���-� °�% ��� �� � �S� ¦ ¨ ¤ ¡�¡ �v ¯ ~ ±d%3¯?°�TmR �S��~ %v² � �1À � � � °�Tm� ���n� °�TvR �S�S�S� ± � �-� °�% ��� ¡�¡ � � ¯?°�% ���-� °�% � �S�S�Step32 Ê ¯SRUT ~ %,� ²apPY-À� %�� � ¦ ¨ ¤ ��� ��«���� T � � ° � � � �P� � ~ %v²q° � � � �P� � ~ �qR �c� ¸ � T��d� � � � ~b� T � %,³ � ± � ¤X³ � � % � �(´ � ~ T �}� ¯ �q� % � �-´ � ~,� T,³ � ± � ¤X³ � ±n� � %���° � � � � %���° � � � %�� � � ¯ � ~ � ³�§ � � T � TmT � � �X�T ���-� T3¯ ±�� �c� � � T3¯ ±;¯ � � � RUR � ¯ ~b� � �¡n¢� %�� � ¦ ¨ ¤ ��� ��«��*� T � � ° � � � �}� � ~ %v²c° � � � �}� � ~ �cR �q� ¸ � T��d� � � � ~,� T � %v³ � ± � ¤\³ � � % � �(´ � ~ T �}� ¯ �q� % � �-´ � ~,� T,³ � ± � ¤X³ � ±}� � %m��° � � � � %m��° � � � %�� � � ¯ � ~ � ³�§ ½ � T � TvT � � �X�T ���-� T3¯ ±�� �c� ½ � T3¯ ±;¯ � � � RUR � ¯ ~b� � ���°�% � � ° � � � �� � � ° � ¡�¡ � � % ~b± �;¯ � �1À � ¤X³ � ± �S�Step33 Ê ¯SRUT ~ %,� ²ap\]cÀ� °�% � � � ���*� °w± � R ° � � ° � � � � � � ~ � � ~ RUT3¯ � ~ T3¯ � ~ T3¯SRUT3¯ � � � � � �(RUT�¯ � � ~,� � � ~,� R � T3¯\±d� �q� À � T�� � �X� ¯ ~b� � �¡n¢� °�% � � � ����� °w± � R ° � � � �}� � � ~ � � ~ RUT�¯ � ~ T3¯ � ~ T�¯SRUT3¯ � � � � � �(RUT3¯ � � ~b� � � ~,� R � T3¯\±�� �q� Á � T�� � �X� ¯ ~b� � ���� °�� ~�� � � � ° � � � �Step34 Êu¯SRUT ~ %,�1²apOj9À� � °�� ~�� � ��� � � � ~c�*� � �\� � °�Tm� � � � ¯ � ��°�Tm��§ � �$¿ � � � °�TvR � � ¨\© RUT3¯ � TvRUT3¯ V � %a� � � � � � ª %���T � %m� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%�� � � �¡n¢� � °�� ~�� � ��� � � � ~c�*� � �X� � °�Tm� � � � ¯ � ��°�Tm� � ¨\© RUT�¯ � TvRUT�¯ V � %a� � � � � � ª %���T � %�� � � � � °�% � � ����� � � � ��� � %�� � ��«���� � � � ��� °�%m� � � ���� Tm� ~�� � � � ° � � � �� � �S��� °�� ~�� � � ¡�¡ � � ¯�%3° ���n� � �S� ± � �-� � Tm� ~�� � � ¡ � � ¯ � Tm� ~�� � �S�S�Step35 Ê ¯SRUT ~ %,� ²apPp-À�£� Tm� ~�� � �a� � T�� ~c��� � � � � � �P� � �q� �\� ~b� °�T���§ � ° � � � R ±(T3¯?°�T�� ��� � R#°�Tm� ���-� R ±(T�¯?°�TvR � R#°�TvR ���� � � � %3¯�� ~(� � � � �¡n¢��� T�� ~�� � ��� � Tm� ~c��� � � � � � �P� � �d� �X� ~b� °�Tm� � R ±(T3¯?°�T�� ��� � R#°�Tm� ���-� R ±(T�¯?°�TvR � R#°�TvR ���� � � � %3¯�� ~(� °w± � R ° � ° � � � � � �
Fig.18.TLS-RCFrules
23