September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages...
-
date post
21-Dec-2015 -
Category
Documents
-
view
214 -
download
0
Transcript of September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages...
![Page 1: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/1.jpg)
September 17th, 2001 FOSAD 2001 – Bertinoro, Italy
Security Protocol Specification Languages
Iliano Cervesato [email protected]
ITT Industries, Inc @ NRL – Washington DC
http://www.cs.stanford.edu/~iliano/
![Page 2: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/2.jpg)
Security Protocol Specification Languages 2
Scope of this Course
Specification languages for cryptographic protocolsEvaluation criteriaAnthology of languagesScientific impact
Extras . . .Advertisement for MSR
![Page 3: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/3.jpg)
Security Protocol Specification Languages 3
This Course is not about
Cryptography
Applications of crypto-protocols
Taxonomy ofProtocolsAttacksTools
Verification
![Page 4: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/4.jpg)
Security Protocol Specification Languages 4
Outline
Hour 1: Specification languages
Hour 2: MSR
Hour 3: The most powerful attacker
Hour 4: Reconstructing the intruder
![Page 5: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/5.jpg)
Security Protocol Specification Languages 5
Hour 1
Specification Languages
![Page 6: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/6.jpg)
Security Protocol Specification Languages 6
Hour 1: Outline
Security protocols
Dolev-Yao abstraction
Specification targets
Major specification languagesOriginsExample (Needham-Schroeder)PropertiesEvaluation
![Page 7: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/7.jpg)
Security Protocol Specification Languages 7
Security Protocols
Use cryptographic means to ensureconfidentialityauthenticationnon-repudiation, …
in distributed/untrusted environment
Applicationse-commerce trade/military secretseveryday computing
Securitygoals
![Page 8: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/8.jpg)
Security Protocol Specification Languages 8
Why is Protocol Analysis Difficult?
Subtle cryptographic primitivesDolev-Yao abstraction
Distributed hostile environment“Prudent engineering practice”
Inadequate specification languages… the devil is in details …
![Page 9: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/9.jpg)
Security Protocol Specification Languages 9
Correctness vs. Security [Mitchell]
Correctness: satisfy specificationsFor reasonable inputs, get reasonable
output
Security: resist attacksFor unreasonable inputs, output not
completely disastrous
Main differenceActive interference from the
environment
![Page 10: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/10.jpg)
Security Protocol Specification Languages 10
Dolev-Yao Model of Security
NetworkNetwork
Alice
Bob
Charlie
Dan
Server
![Page 11: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/11.jpg)
Security Protocol Specification Languages 11
Dolev-Yao Abstraction
Symbolic dataNo bit-strings
Perfect cryptographyNo guessing of keys
Public knowledge soupMagic access to data
![Page 12: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/12.jpg)
Security Protocol Specification Languages 12
Perfect Cryptography
KA-1 is needed to decrypt {M}KA
No collisions{M1}KA = {M2}KB iff M1 = M2 and KA
= KA
…
![Page 13: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/13.jpg)
Security Protocol Specification Languages 13
Public Knowledge Soup
Free access to auxiliary dataAbstracts actual mechanisms
database subprotocols, …
But …not all data are public
keys secrets
![Page 14: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/14.jpg)
Security Protocol Specification Languages 14
… pictorially
a kakb
s
![Page 15: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/15.jpg)
Security Protocol Specification Languages 15
Why is specification important?
Documentationcommunicate
Engineering implementationverification tools
Science foundationsassist engineering
good
![Page 16: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/16.jpg)
Security Protocol Specification Languages 16
Languages to Specify What?
Message flow
Message constituents
Operating environment
Protocol goals
![Page 17: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/17.jpg)
Security Protocol Specification Languages 17
Desirable Properties
Unambiguous
Simple
FlexibleAdapts to protocols
PowerfulApplies to a wide class of protocols
InsightfulGives insight about protocols
![Page 18: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/18.jpg)
Security Protocol Specification Languages 18
Language Families
“Usual notation” Knowledge logic
BAN Process theory
FDR, CasperSpi-calculusPetri netsStrandsMSR
Inductive methods
Temporal logic Automata
NRL Prot. Analizer
CAPSLMur
![Page 19: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/19.jpg)
Security Protocol Specification Languages 19
Why so many?
Convergence of approachesexperience from mature fieldsunifying problemscientifically intriguing funding opportunities
Fatherhood pride
![Page 20: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/20.jpg)
Security Protocol Specification Languages 20
Needham-Schroeder Protocol
Devised in ’78
Example of weak specification !
Broken in ’95!
But …purely academicattack subject to interpretation
![Page 21: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/21.jpg)
Security Protocol Specification Languages 21
“Usual Notation”
A B: {nA, A}kB
B A: {nA, nB}kA
A B: {nB}kB
![Page 22: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/22.jpg)
Security Protocol Specification Languages 22
How does it do?
FlowExpected run
ConstituentsSide remarks
EnvironmentSide remarks
GoalsSide remarks
Unambiguous
Simple
Flexible
Powerful
Insightful
![Page 23: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/23.jpg)
Security Protocol Specification Languages 23
BAN Logic[Burrows, Abadi, Needham]
Roots in belief logic reason about knowledge as prot. unfolds security: principals share same view
Specification usual notation “idealized protocol” assumptions Goals
Verification Logical inference
![Page 24: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/24.jpg)
Security Protocol Specification Languages 24
NS: BAN IdealizationA B: {nA, A}kB
B A: {nA, nB}kA
A B: {nB}kB
A B: {nA}kB
B A: {A nB BnA}kA
A B: {A nA B, B | A nB B
nB}kBMore readable syntax proposed later
![Page 25: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/25.jpg)
Security Protocol Specification Languages 25
NS: BAN Assumptions
A | kA A
A | kB B
A | # nA
A | A nA B
B | kB B
B | kA A
B | # nB
B | A nB B
![Page 26: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/26.jpg)
Security Protocol Specification Languages 26
NS: BAN Goals
B | A | A nA B
A | B | A nB B
Formally derived from BAN rules
![Page 27: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/27.jpg)
Security Protocol Specification Languages 27
How does BAN do?
FlowIdealized run
ConstituentsAssumptions
EnvironmentImplicit
GoalsBAN formulas
Unambiguous
Simple
Flexible
Powerful
Insightful
![Page 28: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/28.jpg)
Security Protocol Specification Languages 28
CSP [Roscoe, Lowe]
Roots in process algebra [Hoare] non-interference
Specification 1 process for each role non-deterministic intruder process
Verification Refinement w.r.t. abstract spec. FDR: model checker for CSP Casper: interface to FDR
![Page 29: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/29.jpg)
Security Protocol Specification Languages 29
CSP: NS Initiator
Init(A, nA) =
user.A?B -> I_running.A.B ->comm!Msg1.A.B.encr.key(B).nA.a ->
comm.Msg2.B.A.encr.key(A)?nA’.nB ->
if nA = nA’
then comm!Msg3.A.B.encr.key(B).nB ->
I_commit.A.B -> session.A.B -> Skip
else Stop
A B: {nA, A}kB
B A: {nA, nB}kA
A B: {nB}kB
Responder is similar
![Page 30: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/30.jpg)
Security Protocol Specification Languages 30
CSP : Resp. authentication spec.
AR0 = R_running.A.B -> I_commit.A.B -> AR0
A1 = {| R_running.A.B, I_commit.A.B |}
AR = AR0 ||| Run (S \ A1)
![Page 31: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/31.jpg)
Security Protocol Specification Languages 31
Unambiguous
Simple
Flexible
Powerful
Insightful
How does CSP do?
FlowRole-based
ConstituentsFormalized
math.
EnvironmentExplicit
GoalsAbstract spec.
![Page 32: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/32.jpg)
Security Protocol Specification Languages 32
Casper Specification of NS
#Free variablesA, B: Agentna, nb : noncePK : Agent -> PublicKeySK : Agent -> SecretKeyInverseKeys = (PK, SK)
#ProcessesINIT(A,na) knows PK, SK(A)RESP(B,nb) knows PK,
SK(B)
#Protocol description0. -> A : B1. A -> B : {na, A}{PK(B)}2. B -> A : {na, nb}{PK(A)}3. A -> B : {nb}{PK(B)}
#SpecificationSecret(A, na, [B])Secret(B, nb, [A])Agreement(A, B, [na,nb])Agreement(B,A, [na,nb]
#Actual variablesAlice, Bob, Mallory: AgentNa, Nb, Nm: Nonce
…
#Intruder informationIntruder = MalloryIntruderKnowledge = {Alice, Bob, Mallory, Nm, PK, SK(Mallory)
![Page 33: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/33.jpg)
Security Protocol Specification Languages 33
Spi-calculus[Abadi, Gordon]
-calculus with crypto. Constructs
Specification1 process for each role Instance to be studied Intruder not explicitly modeled
VerificationProcess equivalence to reference
proc.
![Page 34: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/34.jpg)
Security Protocol Specification Languages 34
Spi: NS Initiator
init(A,B,cAB,KB+,KA
-) =
(nA) cAB< {|A, nA|}KB+ > .
cAB(x) . case x of {|y|}KA- in
let (y1,y2) = y in [y1 is nA]
cAB< {| y2 |}KB+ > .
0
A B: {nA, A}kB
B A: {nA, nB}kA
A B: {nB}kB
![Page 35: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/35.jpg)
Security Protocol Specification Languages 35
Spi: NS Responder
resp(B,A,cAB,KA+,KB
-) =
cAB(x) . case x of {|y|}KB- in
let (y1,y2) = y in [y1 is A]
(nB) cAB< {| y2, nB|}KA+ > .
cAB(x’) . case x’ of {|y’|}KB- in [y’ is nB]
0
A B: {nA, A}kB
B A: {nA, nB}kA
A B: {nB}kB
![Page 36: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/36.jpg)
Security Protocol Specification Languages 36
Spi: NS Instance
inst(A,B,cAB) =
(KA) (KB)
( init(A,B,cAB,KB+,KA
-)
| resp(B,A,cAB,KA+,KB
-))
![Page 37: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/37.jpg)
Security Protocol Specification Languages 37
Unambiguous
Simple
Flexible
Powerful
Insightful
How does Spi do?
FlowRole-based
ConstituentsInformal math.
EnvironmentImplicit
GoalsReference proc.
![Page 38: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/38.jpg)
Security Protocol Specification Languages 38
Strand Spaces[Guttman, Thayer]
Roots in trace theory Lamport’s causality Mazurkiewicz’s traces
Specification Strands Sets of principals, keys, …
Verification Authentication tests Model checking
![Page 39: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/39.jpg)
Security Protocol Specification Languages 39
Strands
{nA, A}kB
{nA, nB}kA
{nB}kB
{nA, A}kB
{nA, nB}kA
{nB}kB
A B: {nA, A}kB
B A: {nA, nB}kA
A B: {nB}kB
![Page 40: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/40.jpg)
Security Protocol Specification Languages 40
How do Strands do?
FlowRole-based
ConstituentsInformal math.
EnvironmentSide remarks
GoalsSide remarks
Unambiguous
Simple
Flexible
Powerful
Insightful
![Page 41: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/41.jpg)
Security Protocol Specification Languages 41
Inductive methods[Paulson]
Protocol inductively defines traces Specification
1 inductive rule for each protocol ruleUniversal intruder based on language
Verification theorem proving (Isabelle HOL)
Related methods [Bolignano]
![Page 42: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/42.jpg)
Security Protocol Specification Languages 42
IMs: NS
NS1 [evs ns; A B; Nonce NA used evs]
Says A B {Nonce NA, Agent A} KB # evs ns
NS2 [evs ns; A B; Nonce NB used evs;
Says A’ B {Nonce NA, Agent A} KB set evs]
Says B A {Nonce NA, Nonce NA} KA # evs ns
NS3 [evs ns; Says A B {Nonce NA, Agent A} KB set evs;
Says B’ A {Nonce NA, Nonce NA} KA set evs]
Says A B {Nonce NA} KB # evs ns
A B: {nA, A}kB
B A: {nA, nB}kA
A B: {nB}kB
![Page 43: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/43.jpg)
Security Protocol Specification Languages 43
IMs: Environment
Nil [] ns
Fake [evs ns; BSpy; X synth(analz (spies evs))]
Says Spy B X # evs ns
synth, analz, spies, … protocol indep.
![Page 44: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/44.jpg)
Security Protocol Specification Languages 44
Unambiguous
Simple
Flexible
Powerful
Insightful
How do IMs do?
FlowTrace-based
ConstituentsFormalized
math.
EnvironmentImmutable
GoalsImposs. traces
![Page 45: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/45.jpg)
Security Protocol Specification Languages 45
NRL Protocol Analyzer[Meadows]
Roots in automata theory
Specification1 finite-state automata for each roleGrammar or words unaccessible to
attacker
VerificationBackward state explorationTheorem proving for finiteness
![Page 46: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/46.jpg)
Security Protocol Specification Languages 46
NPA: NS Resp., action 2
Subroutine rec_request(user(B,honest),N,T):
If: rcv msg(user(A,H),user(B,honest),[Z],N): verify(pke(privkey(user(B,honest)),Z),(W,user(A,H))), not(verify(W,(W1,W2))):
Then: rec_who := user(A,H), rec_self := user(B,honest), rec_gotnonce := W:
send msg(user(B,honest),[{rec_self},{rec_who}],N):
event(user(B,honest),[user(A,H)],rec_request,[W],N)
A B: {nA, A}kB
B A: {nA, nB}kA
A B: {nB}kB
![Page 47: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/47.jpg)
Security Protocol Specification Languages 47
Unambiguous
Simple
Flexible
Powerful
Insightful
How does NPA do?
FlowRole-based
ConstituentsProlog code
EnvironmentExplicit
GoalsUnreachable
state
![Page 48: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/48.jpg)
Security Protocol Specification Languages 48
RTLA [Gray, McLean]
Roots in Temporal Logic (Lamport)
SpecificationState components that change during
a step
VerificationProof in temporal logic
EvaluationSimilar to NPA
![Page 49: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/49.jpg)
Security Protocol Specification Languages 49
CAPSL [Millen]
Ad-hoc model checker
Specification Special-purpose language Intruder built-in
Implementation CIL [Denker] -> similar to MSR
Related systems Mur [Shmatikov, Stern]
?? [Clarke, Jha, Marrero]
![Page 50: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/50.jpg)
Security Protocol Specification Languages 50
CAPSL: NS
PROTOCOL NS;
VARIABLESA, B: PKUser;Na, Nb: Nonce, CRYPTO
ASSUMPTIONSHOLDS A: B;
A B: {nA, A}kB
B A: {nA, nB}kA
A B: {nB}kB
MESSAGESA -> B : {A, Na}pk(B);B -> A : {Na,Nb}pk(A);A -> B : {Nb}pk(B);
GOALSSECRET Na;SECRET Nb;PRECEDES A: B | Na;PRECEDES B: A | Nb;
END;
![Page 51: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/51.jpg)
Security Protocol Specification Languages 51
Unambiguous
Simple
Flexible
Powerful
Insightful
How does CAPSL do?
FlowExplicit run
ConstituentsDeclarations
EnvironmentImplicit
GoalsProperties
![Page 52: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/52.jpg)
Security Protocol Specification Languages 52
Two more …
MSR 1.x
MSR 2.0
… next hour
![Page 53: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/53.jpg)
Security Protocol Specification Languages 53
Hour 2
MSR
![Page 54: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/54.jpg)
Security Protocol Specification Languages 54
Hour 2: Outline
Origins
Language description
Access control
Execution model
![Page 55: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/55.jpg)
Security Protocol Specification Languages 55
MSR 1.x[Cervesato, Durgin, Lincoln, Mitchell, Scedrov]
Multiset rewriting with existentials
“Persistent predicates” model assumptions
Role state predicates thread rules through
![Page 56: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/56.jpg)
Security Protocol Specification Languages 56
MSR 1.x - Initiator
A0(A) L0(A), A0(A)
L0(A), A1(B) nA. L1(A,B,nA), N({nA,A}kB), A1(B)
L1(A,B,nA), N({nA,nB}kA) L2(A,B,nA,nB)
L2(A,B,nA,nB) L3(A,B,nA,nB), N({nB}kB)
whereA0(A) = Pr(A), PrvK(A,kA-1)
A1(B) = Pr(B), PubK(B,kB)
Nonce generatio
n
Messagetransmissi
on
A B: {nA, A}kB
B A: {nA, nB}kA
A B: {nB}kB
![Page 57: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/57.jpg)
Security Protocol Specification Languages 57
MSR 1.x - Responder
B0(B) L0(B), B0(B)
L0(A), B1(A), N({nA,A}kB) L1(A,B,nA), B1(A)
L1(A,B,nA) nB. L2(A,B,nA,nB), N({nA,nB}kA)
L2(A,B,nA,nB), N({nB}kB) L3(A,B,nA,nB)
whereB0(B) = Pr(B), PrvK(B,kB-1)
B1(A) = Pr(A), PubK(A,kA)
Role state
predicate
Persistent Info.
A B: {nA, A}kB
B A: {nA, nB}kA
A B: {nB}kB
![Page 58: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/58.jpg)
Security Protocol Specification Languages 58
Evaluation
Poor specification languageError-proneLimited automated assistance
Very insightfulUndecidability of protocol correctness
verification
![Page 59: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/59.jpg)
Security Protocol Specification Languages 59
Unambiguous
Simple
Flexible
Powerful
Insightful
How did we do?
FlowRole-based
ConstituentsPersistent info.
EnvironmentIn part
Goals
![Page 60: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/60.jpg)
Security Protocol Specification Languages 60
MSR 2.0[Cervesato]
Redesign MSR as a spec. languageEasy to useSupport for automation
Margin for verificationCurrent techniques can be adapted
InsightfulBackground in type-theory
![Page 61: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/61.jpg)
Security Protocol Specification Languages 61
Unambiguous
Simple
Flexible
Powerful
Insightful
How will we do?
FlowRole-based
ConstituentsStrong typing
EnvironmentIn part
Goals
![Page 62: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/62.jpg)
Security Protocol Specification Languages 62
What’s in MSR 2.0 ?
Multiset rewriting with existentials
Dependent types w/ subsorting
Memory predicates
Constraints
New
New
New
![Page 63: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/63.jpg)
Security Protocol Specification Languages 63
Terms
Atomic termsPrincipal names AKeys kNonces n…
Term constructors (_ _){_} _ {{_}}_
[_] _
…
Definable
![Page 64: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/64.jpg)
Security Protocol Specification Languages 64
Rules
y1: ’1.
…yn’: ’n’.
x1: 1. …
xn: n.lhs rhs
• N(t) Network
• L(t, …, t) Local state
• MA(t, …, t)Memory
• Constraints
• N(t) Network
• L(t, …, t) Local state
• MA(t, …, t) Memory
![Page 65: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/65.jpg)
Security Protocol Specification Languages 65
Types of Terms
A: princ
n: nonce
k: shK A B
k: pubK A
k’: privK k
… (definable)
A: princ
n: nonce
A: princ
n: nonce
k: shK A B
k: pubK A
k’: privK k
Types can dependon term
• Captures relationsbetween objects
• Subsumes persistentinformationStaticLocalMandatory
![Page 66: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/66.jpg)
Security Protocol Specification Languages 66
Subtyping
Allows atomic terms in messages
DefinableNon-transmittable termsSub-hierarchies
:: msg
![Page 67: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/67.jpg)
Security Protocol Specification Languages 67
Role State Predicates
Hold data local to a role instanceLifespan = role
Invoke next ruleLl = control (A,t, …, t) = data
Ll(A,t, …, t)
![Page 68: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/68.jpg)
Security Protocol Specification Languages 68
Memory Predicates
Hold private info. across role exec.
Support for subprotocolsCommunicate dataPass control
Interface to outside system
Implements intruder
New
MA(t, …, t)
![Page 69: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/69.jpg)
Security Protocol Specification Languages 69
Constraints
Guards over interpreted domainAbstractModular
Invoke constraint handler
E.g.: timestamps (TE = TN + Td) (TN < TE)
New
![Page 70: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/70.jpg)
Security Protocol Specification Languages 70
Type of Predicates
Dependent sums
(x) x
Forces associations among arguments
E.g.: princ(A) x pubK A(kA) x privK kA
x: .
x
![Page 71: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/71.jpg)
Security Protocol Specification Languages 71
Roles
Genericroles
Anchoredroles
y:’.x:. lhs rhs… … …
y:’.x:. lhs rhs
L: ’1(x1) x … x ’n
(xn)
…
Role state pred.var. declarations
A
Role owner
L: ’1(x1) x … x ’n
(xn)
…A
Role owner
y:’.x:. lhs rhs… … …
y:’.x:. lhs rhs
![Page 72: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/72.jpg)
Security Protocol Specification Languages 72
MSR 2.0 – NS Initiator
A
B: princkB: pubK B
nA:nonce.L(A,B,kB,nA) N({nA,A}kB)
…kA: pubK A
k’A: privK kA
nA,nB: nonce
L(A,B,kB,nA)N({nA,nB}kA)
N({nB}kB)
L: princ x princ(B) x pubK B x nonce.
B: princkB: pubK B
nA:nonce.L(A,B,kB,nA) N({nA,A}kB)
…kA: pubK A
k’A: privK kA
nA,nB: nonce
L(A,B,kB,nA)N({nA,nB}kA)
N({nB}kB)
L: princ x princ(B) x pubK B x nonce.
A B: {nA, A}kB
B A: {nA, nB}kA
A B: {nB}kB
![Page 73: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/73.jpg)
Security Protocol Specification Languages 73
MSR 2.0 – NS Responder
B
kB: pubK B
k’B: privK kB
A: princnA: nonce
kA: pubK A
N({nA,A}kB) nB:nonce.L(B,kB,k’B,nB) N({nA,nB}kA)
…nB: nonce
L(B,kB,k’B,nB) N({nB}kB)
L: princ(B) x pubK B(kB) x privK kB x nonce.
kB: pubK B
k’B: privK kB
A: princnA: nonce
kA: pubK A
N({nA,A}kB) nB:nonce.L(B,kB,k’B,nB) N({nA,nB}kA)
…nB: nonce
L(B,kB,k’B,nB) N({nB}kB)
L: princ(B) x pubK B(kB) x privK kB x nonce.
A B: {nA, A}kB
B A: {nA, nB}kA
A B: {nB}kB
![Page 74: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/74.jpg)
Security Protocol Specification Languages 74
Transmission of a long term key
Catches:Encryption with a nonce
Type Checking |— P
|— t :
P is well-
typed in
t has type in
Decidable
Circular key hierarchies, …
Static and dynamic uses
New
![Page 75: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/75.jpg)
Security Protocol Specification Languages 75
Access Control
CatchesA signing/encrypting with B’s key
‖— P
‖—A rP is AC-valid in
r is AC-valid for A in
Decidable
A accessing B’s private data, …
Fully static
New
Gives meaning to Dolev-Yao
intruder
![Page 76: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/76.jpg)
Security Protocol Specification Languages 76
An Overview of Access Control
Interpret incoming informationCollect received dataAccess unknown data
Construct outgoing informationGenerate dataUse known dataAccess new data
Verify access to data
![Page 77: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/77.jpg)
Security Protocol Specification Languages 77
Processing a Rule
‖—A lhs >> ;‖—A rhs
‖—A lhs rhs
Knowledge set:
Collects what A knows
Knowledge set:
Collects what A knows
Context
![Page 78: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/78.jpg)
Security Protocol Specification Languages 78
Processing Predicates on the LHS
;‖—A t >>’
;‖—A N(t) >>’
;‖—A t1,…,tn >>’
;‖—A MA(t1,…,tn) >>’
• Network messages
• Memory predicates
![Page 79: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/79.jpg)
Security Protocol Specification Languages 79
Interpreting Data on the LHS
;‖—A k >> ’ ;’‖—A t >> ’’
;‖—A {t}k >> ’’
;‖—A t1, t2 >> ’
;‖—A (t1, t2) >> ’
;(,x)‖—A x >> (,x)
(,x:);‖—A x >> (,x)
• Pairs
• Encryptedterms
• Elementary terms
![Page 80: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/80.jpg)
Security Protocol Specification Languages 80
Accessing Data on the LHS
;(,k)‖—A k >> (,k)
(,x:shK A B);‖—A x >> (,x)
(,k:pubK A,k’:privK k);‖—A k >> (,k’)
(,k:pubK A,k’:privK k);(,k’)‖—A k >> (,k’)
• Shared keys
• Publickeys
![Page 81: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/81.jpg)
Security Protocol Specification Languages 81
Generating Data on the RHS
(, x:nonce);(, x)‖—A rhs
;‖—A x:nonce. rhs• Nonces
![Page 82: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/82.jpg)
Security Protocol Specification Languages 82
Constructing Terms on the RHS
;‖—A t1 ;‖—A t2
;‖—A (t1, t2)
;‖—A t ;‖—A k
;‖—A {t}k
• Shared-key encryptions
• Pairs
![Page 83: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/83.jpg)
Security Protocol Specification Languages 83
Accessing Data on the RHS
,B:princ ‖—A B
,B:princ,k:shK A B ‖—A k
,B:princ,k:pubK B ‖—A k
,k:pubK A,k’:privK k ‖—A k’
• Principal
• Shared key
• Private key
• Public key
![Page 84: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/84.jpg)
Security Protocol Specification Languages 84
Configurations
C = [S]R
Active roleset
Signature
• a : • Ll : • M_:
State
•N(t)•Ll(t, …, t)•MA(t, …, t)
![Page 85: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/85.jpg)
Security Protocol Specification Languages 85
Execution Model
Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules
P C C’
1-step firing
![Page 86: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/86.jpg)
Security Protocol Specification Languages 86
[S]R (x:.r,) A
[S]R ([t/x]r,)A
Variable Instantiation
Not fully realistic for verificationRedundancy realizes typing, …… but not completely
|— t :
[S]R (x:.r,) A
[S]R ([t/x]r,)A
![Page 87: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/87.jpg)
Security Protocol Specification Languages 87
Rule Application
S, F
[S2]RA
c:c not in S1
S, G(c)
[S1]R(r,)A
Firing
r = F, n:. G(n)
Constraint check
|= (constraint handler)
![Page 88: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/88.jpg)
Security Protocol Specification Languages 88
Properties
Admissibility of parallel firing
Type preservation
Access control preservation
Completeness of Dolev-Yaointruder
New
![Page 89: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/89.jpg)
Security Protocol Specification Languages 89
Completed Specifications
Full Needham-Schroeder public-key
Otway-Rees
Neuman-Stubblebine repeated auth.
OFT group key management
![Page 90: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/90.jpg)
Security Protocol Specification Languages 90
Hour 3
The Most PowerfulAttacker
![Page 91: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/91.jpg)
Security Protocol Specification Languages 91
Hour 3: Outline
Execution with an attacker
Specifying the Dolev-Yao intruder
Completeness of the Dolev-Yao intruder
![Page 92: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/92.jpg)
Security Protocol Specification Languages 92
Execution with an Attacker
P, PI C C’
Selected principal(s): I
Generic capabilities: PIWell-typedAC-valid
Modeled completely within MSR
![Page 93: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/93.jpg)
Security Protocol Specification Languages 93
The Dolev-Yao Intruder
Specific protocol suite PDY
Underlies every protocol analysis tool
Completeness still unproved !!!
![Page 94: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/94.jpg)
Security Protocol Specification Languages 94
Capabilities of the D-Y Intruder
Intercept / emit messages
Split / form pairs
Decrypt / encrypt with known key
Look up public information
Generate fresh data
![Page 95: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/95.jpg)
Security Protocol Specification Languages 95
DY Intruder – Net Interference
t: msgN(t) MI(t) I
MI(t) : Intruder knowledge
t: msgMI(t) N(t) I
![Page 96: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/96.jpg)
Security Protocol Specification Languages 96
DY Intruder – Decryption
MI(t)A,B: princk: shK A Bt: msg
I
MI({t}k)MI(k)
MI(t)
A: princk: pubK Ak’: privK A t: msg
I
MI({t}k)MI(k’)
![Page 97: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/97.jpg)
Security Protocol Specification Languages 97
DY Intruder – Encryption
MI ({t}k)A,B: princk: shK A Bt: msg
I
MI(t)MI(k)
MI ({t}k)A: princk: pubK At: msg
I
MI(t)MI(k)
![Page 98: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/98.jpg)
Security Protocol Specification Languages 98
DY Intruder – Pairs
MI( t1,t2)t1,t2: msgI
MI(t1)MI(t2)
MI( t1,t2) t1,t2: msgIMI(t1)
MI(t2)
![Page 99: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/99.jpg)
Security Protocol Specification Languages 99
DY Intruder – Structural Rules
MI( t) t: msgIMI(t)
MI(t)
MI( t) t: msgI
![Page 100: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/100.jpg)
Security Protocol Specification Languages 100
DY Intruder – Data Access
MI(k’)k: pubK Ik’: privK k
I
MI(k)A: princk: pubK A
I
MI(k)A: princk: shK I A
+ dualI
A: princ MI(A)I
No nonces, no other keys, …
![Page 101: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/101.jpg)
Security Protocol Specification Languages 101
DY Intruder – Data Generation
n:nonceMI(n)I
It depends on the protocol !!!Automated generation ?
Safe data
m:msgMI(m)I
Anything else ?
A,B:princ. k:shK A BMI(k)I
???
![Page 102: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/102.jpg)
Security Protocol Specification Languages 102
Completeness of D-Y Intruder
If P [S]R [S’]R’
’
with all well-typed and AC-valid
Then
P, PDY [S]R [S’]R’
’
![Page 103: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/103.jpg)
Security Protocol Specification Languages 103
Encoding of P, S,
P Remove roles anchored on I
S Map I’s state / mem. pred. using MI
Remove I’s role state pred.; add MI
![Page 104: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/104.jpg)
Security Protocol Specification Languages 104
Encoding of R
No encoding on structure of RLacks context!
Encoding on AC-derivation for R
A :: ‖— R
Associate roles from PDY to each AC
rule
![Page 105: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/105.jpg)
Security Protocol Specification Languages 105
Completeness Proof
Induction on execution sequence
Simulate every step with PDY
Rule application Induction on AC-derivation for R Every AC-derivation maps to execution
sequence relative to PDY
Rule instantiation AC-derivations preserved Encoding unchanged
![Page 106: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/106.jpg)
Security Protocol Specification Languages 106
DY Intruder Stretches AC to Limit
Well-typedAC-valid
Dolev-Yaointruder
![Page 107: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/107.jpg)
Security Protocol Specification Languages 107
Consequences
Justifies design of current tools
Support optimizationsD-Y intr. often too general/inefficient
Generic optimizations Per protocol optimizations Restrictive environments
Caps multi-intruder situations
![Page 108: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/108.jpg)
Security Protocol Specification Languages 108
Hour 4
Reconstructing the Intruder
![Page 109: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/109.jpg)
Security Protocol Specification Languages 109
Hour 4: Outline
Access Control Dolev-Yao intruder
MSR specification Access Control
![Page 110: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/110.jpg)
Security Protocol Specification Languages 110
The Dolev-Yao Intruder Model
Interpret incoming information Collect received data Access unknown data
Construct outgoing information Generate data Use known data Access new data
Same operations as AC!
![Page 111: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/111.jpg)
Security Protocol Specification Languages 111
Accessing Principal Names
B:princ MI(B)I
,B:princ ‖—A BI
![Page 112: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/112.jpg)
Security Protocol Specification Languages 112
What did we do?
Instantiate acting principal to I
Accessed data Intruder knowledge
Meta-variables Rule variables
Ignore context
![Page 113: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/113.jpg)
Security Protocol Specification Languages 113
Checking it out: Shared Keys
,A:princ,B:princ,k:shK A B ‖—A kI
MI(k)B: princk: shK I B
I
II
+ dual
![Page 114: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/114.jpg)
Security Protocol Specification Languages 114
Getting Confident: Pub./Priv. Keys
,B:princ,k:pubK B ‖—A k
MI(k)B: princk: pubK B
I
MI(k’)k: pubK Ik’: privK k
I
,A:princ,k:pubK A,k’:privK k ‖—A k’
I
II I
![Page 115: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/115.jpg)
Security Protocol Specification Languages 115
Constructing Messages: Pairs
t1,t2:msgMI(t1), MI(t2) MI((t1,t2))I
;‖—A t1 ;‖—A t2
;‖—A (t1, t2)I
I I
![Page 116: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/116.jpg)
Security Protocol Specification Languages 116
Now, what did we do?
Instantiate acting principal to I
Accessed data Intruder knowledge
Meta-variables Rule variables
Ignore and knowledge context
Premises antecedent
Conclusion consequent
Auxiliary typing derivation gives types
![Page 117: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/117.jpg)
Security Protocol Specification Languages 117
Carrying on: Shared-Key Encrypt.
;‖—A t ;‖—A k
;‖—A {t}kI
I I
MI(t), MI(k) MI({t}k)A,B: princk: shK A Bt: msg
I
Similar for public-key encryption
![Page 118: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/118.jpg)
Security Protocol Specification Languages 118
Generating Data: Nonces
(, x:nonce);(, x)‖—A rhs
;‖—A x:nonce. rhs
x:nonce. MI(x)I
I
I
Similarly for other generated data
![Page 119: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/119.jpg)
Security Protocol Specification Languages 119
Now, what did we do?
Instantiate acting principal to I
Accessed data Intruder knowledge
Meta-variables Rule variables
Ignore and knowledge context
Premises antecedent
Conclusion consequent
Auxiliary typing derivation gives types
One intruder rule for each AC rule
Save generated object
![Page 120: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/120.jpg)
Security Protocol Specification Languages 120
Interpreting Shared-Key Encrypt.
;‖—A k >> ’ ;’‖—A t >> ’’
;‖—A {t}k >> ’’I
I I
MI({t}k), MI(k) MI(t)A,B: princk: shK A Bt: msg
I
Similar for• public-key encryption• pairing
![Page 121: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/121.jpg)
Security Protocol Specification Languages 121
Now, what did we do?
Instantiate acting principal to I
Accessed data Intruder knowledge
Meta-variables Rule variables
Ignore and knowledge context
Premises antecedent
Conclusion consequent
Auxiliary typing derivation gives types
One intruder rule for each AC rule
Save generated object
Premises consequent
Conclusion antecedant
![Page 122: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/122.jpg)
Security Protocol Specification Languages 122
Network Rules
;‖—A t >>’
;‖—A N(t) >>’
;‖—A t
;‖—A N(t)t:msgMI(t) N(t)
I
t:msgN(t) MI(t)I
![Page 123: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/123.jpg)
Security Protocol Specification Languages 123
… Other Rules?
Either redundant
or, innocuous (but sensible)
t:msgN(t) N(t)I
t1,…,tn :msgM’I(t1,…,tn) MI(t1),…,MI(tn)I
![Page 124: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/124.jpg)
Security Protocol Specification Languages 124
Dissecting AC
5 activities: Interpret message
components on LHS
Access data (keys) on LHS
Generate data on RHS
Construct messages on RHS
Access data on RHS
Constructorsatoms
Trivial
Trivial
Trivial
Patternmatchin
g
![Page 125: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/125.jpg)
Security Protocol Specification Languages 125
Accessing Data
+
+ + +
* +
princ: type
Annotate the type of freely accessible data
privK: A: princ. pubK A -> type
pubK: princ -> type
Make it conditional for dep. types
![Page 126: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/126.jpg)
Security Protocol Specification Languages 126
Generating Data
Again, annotate types
shK: princ -> princ -> type
nonce: type
+ + !
!
shK: princ -> princ -> type + + !
![Page 127: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/127.jpg)
Security Protocol Specification Languages 127
Interpreting Constructors
Mark arguments as input or output
[_]_: msg -> A: princ. k: sigK A. verK k -> msg
_,_: msg -> msg -> msg
hash: msg -> msg
{_}_: msg -> A: princ. B: princ. shK A B -> msg
{{_}}_: msg -> A: princ. k: pubK A. privK k -> msg
+ * * *
- -
+
- + + +
- + + +
![Page 128: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/128.jpg)
Security Protocol Specification Languages 128
Annotating Declarations
Integrates semantics of types and constructors
“Trimmed down” version of AC
Allows constructing AC rules
Allows constructing the Dolev-Yao intruder
![Page 129: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/129.jpg)
Security Protocol Specification Languages 129
… alternatively
Compute AC rules from protocol
There are finitely many annotations
Check protocol against each of them
Keep the most restrictive ones that validate the protocol
Exponential!
More efficient algorithms?
![Page 130: September 17 th, 2001FOSAD 2001 – Bertinoro, Italy Security Protocol Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc.](https://reader035.fdocuments.us/reader035/viewer/2022062516/56649d585503460f94a37ff9/html5/thumbnails/130.jpg)
September 17th, 2001 FOSAD 2001 – Bertinoro, Italy
The end
http://www.cs.stanford.edu/~iliano/