Relating Multiset Rewriting and Process Algebra for Immediate Decryption Protocols
description
Transcript of Relating Multiset Rewriting and Process Algebra for Immediate Decryption Protocols
Relating Multiset Rewritingand Process Algebrafor Immediate Decryption Protocols
Iliano [email protected]
ITT Industries, inc @ NRL Washington, DChttp://www.cs.stanford.edu/~iliano
UMBC meeting June 10-11, 2003
Joint work with S. Bistarelli, G. Lenzini, and F. Martinelli
MSR <-> PA
Objective
Relate specification languages for security protocolsMSR <-> strands [CSFW’00]
MSR <-> linear logic [MFPS’00]
MSR <-> Process Algebras
Non-Objective (for now)
Reachability analysis <-> bisimulationVerification methodologies not considered
MSR <-> PA
Why MSR?
Model of specification underlies numerous languages and toolsCIL/CAPSLNRL Protocol AnalyzerPaulson’s Isabelle specificationsMur…
Simple and well-understood foundationsDistributed systems
Petri netsLinear logicRewriting theory
MSR <-> PA
Multiset Rewriting + Existentials
msets of 1st-order atomic formulas Rules:
r: F(x) n. G(x,n) Application
This is MSR 1.0
rM’, F(t) M’, G(t,c)
r M1 M2
c not in M1
MSR 2.0:
+ strong typing
+ constraints
+ domain-specific enhancements
MSR <-> PA
Which Process Algebra?
“PA” Inspired to
CCS-calculus
Only primitives used for protocols As a programming language for
protocolsReachabilityNot simulation/equivalence
MSR <-> PA
“PA”
Sequential processesP ::= 0 | a(t).P | a(t).P | x.P
Parallel processesQ ::= 0 | P || Q | !P || Q
(P, ||, 0) monoidEquivalence
Reactiont = []t’
Q || a(t).P || a(t’).P’ -> Q || P || []P’
MSR <-> PA
MSR PA … in General
Very different paradigmsMSR
state transitionPA
contact evolution
Non trivial MSR -> PA: granularity of actions PA -> MSR: excise state
Reachability-preservingNon bijective
Many attempts in the literatureChemical abstract machine, …
MSR <-> PA
MSR PA … for Protocols
Much simpler!
Take natural specificationsin MSRin PA
Bijective correspondence(to a large extent)
MSR <-> PA
MSR for Security Protocols
Fixed predicatesN(m) Network messages I(m) Intruder info.Ai(t1,…,tni) Role statesPr, PrvK, PubK, … Persistent info.
Fixed formatProtocol given as set of rolesDolev-Yao intruder spec.
(more freedom in MSR 2.0)
MSR <-> PA
Roles in MSR
One instantiation rule(x) n. A0(x,n), (x)
Several execution rulesSend
Ai(z) Ai+1(z), N(t)
ReceiveAi(z), N(t) Ai+1(z,xt)
Capturesonly
immediatedecryptionprotocols
MSR <-> PA
NSPK (initiator) in MSR
A(A,B) A0(A,B), A(A,B)
A0(A,B) NA. A1(A,B,NA), N({NA,A}KB)
A1(A,B, NA), N({NA,NB}KA) A2(A,B,NA,NB)
A2(A,B,NA,NB) A3(A,B,NA,NB), N({NB}KB)
whereA(A,B) = Pr(A), PrvK(A,KA-1),
Pr(B), PubK(B,KB)
MSR <-> PA
MSR Configurations
RulesU Protocol roles I Intruder role
StateN(t) Network messagesAi(t) Role state predicates(t) Persistent knowledgeI(t) Intruder knowledge
MSR <-> PA
Security Protocols in PA
Fixed set of nameNi, No, , I
Fixed structure of “Security Process”Q!net = ! Ni(x). No(x). 0 Network processQ! = || P Roles
!(x). n. P’• input on No
• output on Ni
Q!I Dolev-Yao IntruderQ! Persistent informationQI0 Initial intruder knowledge
Q!
Capturesonly
immediatedecryptionprotocols
MSR <-> PA
NSPK (initiator) in PA
A(A,B). NA
Ni({NA,A}KB) .
No({NA,NB}KA).
Ni({NB}KB) .
0
MSR <-> PA
Process State
Q! Replicated process
Q Unreplicated partQI Intruder knowledge
Qnet Buffered network messages
Q Roles in mid-execution
MSR <-> PA
MSR into PA
RulesU Q! + Q!net
Instantiation rule “!(x). n.” prefix “Ai(z) Ai+1(z), N(t)” Ni(t). <ri+1> “Ai(z), N(t) Ai+1(z,xt)” No(t). <ri+1>
I Q!I
StateN(t) Qnet
Ai(t) Q
(t) Q!
I(t) QI
NSPKMSR NSPKPA
Capturesonly
immediatedecryptionprotocols
MSR <-> PA
PA into MSR
Essentially the inverse transformationQ! U
Invent Ai’s Carry over substitutions
Q!I I
NSPKPA NSPKMSR
(for -convertible Ai’s)
MSR <-> PA
The Intruder
I(<x1,x2>) -> I(x1), I(x2)
I(x) -> I(x), I(x)
I(x1), I(x2) -> I(<x1,x2>)
I(<x1,x2>). I(x1). 0
I(<x1,x2>). I(x2). 0
I(x). I(x). I(x). 0
I(x1). I(x2). I(<x1,x2>). 0
1-1 correspondence, but …
MSR <-> PA
Correspondence
Proof technique: weak bi-simulationObservables
Network messages Intruder knowledge
MSR
PA*
*
MSR <-> PA
Delayed Decryption Protocols
Arguments of Ai’s may be termsExplicit pattern matching in PA
Add non-trivial complicationsRequires proper scheduling of matchingsMatching after input may cause deadlock
SolutionsWITS’03 unsatisfactory Intermediate MSR with explicit scheduling
MSR <-> PA
Conclusions
Formal relation between MSR and PAAs used for security protocolsNon trivial (yet mostly bijective)Technique similar to MSR <-> strands
… And future workMSR 3.0Strict comparison with spi-calculusRelating methodologies