SLIDE 1
Cross-Tool Semantics for Protocol Security Goals

SSR, December 5, 2016, Gaithersburg, MD
Joshua D. Guttman, John D. Ramsdell, Paul D. Rowe
The MITRE Corporation
{guttman, ramsdell, prowe}@mitre.org

SLIDE 2
Transparency in Security Standardization

§ Public trust in standardized security protocols is based on transparency
– Rigorous analysis can help rule out hidden insecurities

§ True transparency requires
– Reproducibility of results
– By multiple, independent parties
– Using a diversity of methods or tools

§ Sometimes analysis can be opaque
– Reliance on expert knowledge
– Reliance on a specific tool set

SLIDE 3
ISO/IEC 29128

§ Standardized framework for the verification of cryptographic protocols
§ Highest assurance level (4) requires
– Formal, tool-supported analysis of unbounded sessions

§ Reproducibility calls for tool-independent inputs
– We claim our first-order language of security goals is tool-independent

(Framework components: Protocol description, Adversary model, Security properties, Self-assessment evidence)

SLIDE 4
Main Contributions

Impact:
§ Improve reproducibility of formal analyses

Technical:
§ New semantics of first-order language for security goals
– Originally designed for strand spaces (CPSA)
– Adapted for applied π (ProVerif)
§ Proof of compatibility of the two semantics

SLIDE 5
Compatible Cross-Tool Semantics

Strand spaces (CPSA): protocol P, goal language GL(P), goals evaluated (⊨) on strand runs
Applied π (ProVerif): protocol ℙ, goal language GL(ℙ), goals evaluated (⊨) on traces
A bisimulation B relates P and ℙ, and a translation f maps goals in GL(P) to goals in GL(ℙ).

SLIDE 6
Simple Example Protocol (SEP)

A → B: {|{|k|}_{sk(A)}|}_{pk(B)}
B → A: {|d|}_k

Clients A may not always choose the symmetric key k randomly
Servers B always choose the data d randomly

SLIDE 7
Sample Goals

If A has finished a session with B, and B's private decryption key pk(B)⁻¹ is uncompromised, and the session key k is freshly chosen,
– then B previously transmitted d with matching parameters
– then d remains confidential

SLIDE 8
Goal Language

Protocol-independent predicates
§ Ordering and equality
– Preceq(m,n), Coll(m,n), d = d'
§ Freshness and secrecy
– Unq(d), UnqAt(m,d), Non(sk(a))

Protocol-dependent predicates
§ Role position predicates
– InitStart(n), RespDone(m)
§ Parameter predicates
– Self(n,a), SessKey(m,k)

SLIDE 9
Sample Goal Formalized

If A has finished a session with B, and B's private decryption key pk(B)⁻¹ is uncompromised, and the session key k is freshly chosen, then B previously transmitted d with matching parameters:

∀ n,a,b,k,d. InitDone(n) ∧ Self(n,a) ∧ Peer(n,b) ∧ SessKey(n,k) ∧ Data(n,d) ∧ Non(pk(b)⁻¹) ∧ Unq(k)
  ⟹ ∃ m. RespDone(m) ∧ Self(m,b) ∧ Peer(m,a) ∧ SessKey(m,k) ∧ Data(m,d) ∧ Preceq(m,n)

SLIDE 10
Applied π Syntax

P, Q ::= in(c, x) . P
       | out_ℓ(c, v) . P
       | let x : s = v in P else Q
       | (P | Q)
       | new n : s . P
       | sum n' : s . P
       | !new tid . out(c, tid) . P
       | ℓ . P

(c, tid ∈ Ch; x ∈ X; n, n' ∈ N)

SLIDE 11
Applied π Protocols

A → B: {|{|k|}_{sk(A)}|}_{pk(B)}
B → A: {|d|}_k

Init = !new tid . out(c, tid) . sum a : agt . sum b : agt . sum k : skey . out_InitStart(tid, {|{|k|}_{sk(a)}|}_{pk(b)}) . in(tid, z) . let d : data = dec_s(z, k) in InitDone . 0

Resp = !new tid . out(c, tid) . sum a : agt . sum b : agt . in(tid, z) . let x : ⊤ = dec_a(z, sk(b)) in let k : skey = ver(x, pk(a)) in RespStart . new d : data . out_RespDone(tid, {|d|}_k) . 0

SLIDES 12–24
Operational Trace Semantics

Running the Init and Resp processes above produces a trace of (label, message event, environment) elements, with ⊥ where an element has no label or no message event. One complete session, built up one element at a time, yields:

(InitStart, out(tid, m₁), E₁) . (⊥, in(tid, m₂), E₂) . (RespStart, ⊥, E₃) . (RespDone, out(tid, m₃), E₄) . (⊥, in(tid, m₄), E₅) . (InitDone, ⊥, E₆)

SLIDES 25–32
Security Goal Semantics

Trace:
(InitStart, out(tid, m₁), E₁) . (⊥, in(tid, m₂), E₂) . (RespStart, ⊥, E₃) . (RespDone, out(tid, m₃), E₄) . (⊥, in(tid, m₄), E₅) . (InitDone, ⊥, E₆)

Goal:
∀ n,a,b,k,d. InitDone(n) ∧ Self(n,a) ∧ Peer(n,b) ∧ SessKey(n,k) ∧ Data(n,d) ∧ Non(pk(b)⁻¹) ∧ Unq(k)
  ⟹ ∃ m. RespDone(m) ∧ Self(m,b) ∧ Peer(m,a) ∧ SessKey(m,k) ∧ Data(m,d) ∧ Preceq(m,n)

The goal is evaluated over the trace: role position predicates such as InitDone(n) and RespDone(m) hold at the elements carrying those labels, parameter predicates are read from the environments E_i, Preceq(m,n) is the order of elements in the trace, and Non and Unq are interpreted by origination.

A protocol achieves a goal Γ iff all admitted traces satisfy Γ

SLIDE 33
Origination

§ An entity originates a value if it transmits it without having received it
– An entity must know or create a value to originate it
§ Method for expressing freshness and secrecy of values
– Characterizes the effects of randomness and secrecy
§ Traces allow us to identify points of origination for values

Unique origination: A randomly chosen value can only originate at most once.
Non-origination: Keys kept secret never originate.
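The trace semantics of the goal language and the origination predicates, as an added example that is not part of the talk: a small Python evaluator reads role position predicates off labels, parameter predicates off environments, Preceq off trace order (m ≤ n) and Unq/Non off origination, then checks the sample authentication goal on a constructed honest SEP trace and on a constructed trace in which the initiator accepts data that no responder sent. The term encoding, the environment layout and the representation of pk(b)⁻¹ as ("sk", b) are this example's assumptions.

```python
# Added example (not the authors' code): a toy evaluator for the trace semantics of the
# goal language over constructed SEP traces. Assumed encoding: ("enc", body, key) is
# {|body|}_key, ("sk", x)/("pk", x) are x's keys, pk(b)^-1 is written ("sk", b).

def enc(body, key):
    return ("enc", body, key)

def carried(t):
    """Subterms a message carries; a key in encryption position is not carried."""
    if isinstance(t, tuple) and t[0] == "enc":
        return {t} | carried(t[1])
    return {t}

# Trace element: (label, event, env) with label a role-position name or None (⊥),
# event ("out" | "in", tid, message) or None, env mapping role parameters to values.
def originates(trace, n, v):
    """Element n transmits v on a thread that has not received v earlier."""
    _, ev, _ = trace[n]
    if ev is None or ev[0] != "out" or v not in carried(ev[2]):
        return False
    return not any(e and e[0] == "in" and e[1] == ev[1] and v in carried(e[2])
                   for _, e, _ in trace[:n])

def unq(trace, v):    # Unq(v): v originates at most once
    return sum(originates(trace, n, v) for n in range(len(trace))) <= 1

def non(trace, v):    # Non(v): v never originates
    return not any(originates(trace, n, v) for n in range(len(trace)))

def at(trace, n, label, **params):
    """Role-position predicate label(n) plus parameter predicates read off env."""
    lab, _, env = trace[n]
    return lab == label and all(env.get(p) == val for p, val in params.items())

def sep_auth_goal(trace):
    """Sample goal: InitDone(n) ∧ Self(n,a) ∧ Peer(n,b) ∧ SessKey(n,k) ∧ Data(n,d) ∧
    Non(pk(b)^-1) ∧ Unq(k) ⟹ ∃m. RespDone(m) ∧ Self(m,b) ∧ Peer(m,a) ∧ SessKey(m,k)
    ∧ Data(m,d) ∧ Preceq(m,n), with Preceq read as trace order (m ≤ n)."""
    for n, (lab, _, env) in enumerate(trace):
        if lab != "InitDone":
            continue
        a, b, k, d = env["self"], env["peer"], env["sess_key"], env["data"]
        if not (non(trace, ("sk", b)) and unq(trace, k)):
            continue          # a hypothesis fails, so nothing is required of this n
        if not any(at(trace, m, "RespDone", self=b, peer=a, sess_key=k, data=d)
                   for m in range(n + 1)):
            return False      # the trace violates the goal
    return True

A, B, K, D = "a", "b", "k0", "d0"
MSG1 = enc(enc(K, ("sk", A)), ("pk", B))    # {|{|k|}_sk(a)|}_pk(b)

def sep_trace(d_accepted):
    """Constructed run: initiator thread 1 and responder thread 2; the initiator
    ends up accepting d_accepted as the data decrypted under k."""
    ei = {"self": A, "peer": B, "sess_key": K, "data": d_accepted}
    er = {"self": B, "peer": A, "sess_key": K, "data": D}
    return [("InitStart", ("out", 1, MSG1), ei), (None, ("in", 2, MSG1), er),
            ("RespStart", None, er), ("RespDone", ("out", 2, enc(D, K)), er),
            (None, ("in", 1, enc(d_accepted, K)), ei), ("InitDone", None, ei)]
```

`sep_auth_goal(sep_trace(D))` is true, while `sep_trace("d_forged")` keeps both hypotheses (k originates once, sk(b) never) yet has no RespDone with matching data, so the goal fails on it.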

SLIDE 34
Notable Details

§ !new tid . out(c, tid) . P
– Replication is bound to channel restriction
– Enables sensible semantics for Coll(m,n)

§ Diverse trace elements
– Labels: semantics for role position predicates
– Msg events: semantics for origination

§ Labels occur in two ways
– out_ℓ(c, v) . P and ℓ . P
– Required for compatibility with strand space semantics

§ sum n' : s . P
– Acts as an infinite choice operator P + Q
– Allows multiple origination of values
– Finite choice may suffice (e.g. bounded agent set)

SLIDE 35
Compatible Protocols

§ Independent replication of results depends on:
– Analyzing compatible protocols: roles must create the same traces
– Compatible semantics for predicates
§ Λ 𝑔 𝜐 𝜍{@𝑘 = 𝜍{@𝑘

§ We provide
– Prototype compiler from strands to applied π
– Semantic criterion for compatibility

𝜐 Λ

SLIDES 36–41
Compilation

Main idea: +m ⟼ out_ℓ(tid, m) and −m ⟼ in(tid, z) . … . ℓ, where the … is a sequence of let bindings that parse z as m.

Compiling the responder role of SEP, one step per slide:
– Start from the replicated thread: !new tid . out(c, tid) . Resp
– Reception of {|{|k|}_{sk(a)}|}_{pk(b)} becomes in(tid, z) . let x : ⊤ = dec_a(z, sk(b)) in let k : skey = ver(x, pk(a)) in RespStart .
– Transmission of {|d|}_k becomes out_RespDone(tid, {|d|}_k) . 0
– The agent parameters are bound in front: sum a : agt . sum b : agt .
– Since d is declared fresh in the role, it becomes new d : data . immediately before the transmission

Result:
Resp = sum a : agt . sum b : agt . in(tid, z) . let x : ⊤ = dec_a(z, sk(b)) in let k : skey = ver(x, pk(a)) in RespStart . new d : data . out_RespDone(tid, {|d|}_k) . 0
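The main idea of the compilation as an added toy in Python (not the authors' prototype compiler): each +m becomes out_ℓ(tid, m), each −m becomes in(tid, z) followed by the let bindings that take z apart as m, and running it on both SEP roles regenerates the Init and Resp processes shown above. The constructor names enc_s/enc_a/sign, the "if … then" equality test for re-occurring parameters, the label scheme for roles with more than two events, and where sum and new are placed are assumptions of this example.

```python
# Added example (not the authors' prototype compiler): the compilation idea for one
# strand role, as a toy; enc_s/enc_a/sign, "if ... then" and sum/new placement are assumed.
import itertools

SORTS = {"a": "agt", "b": "agt", "k": "skey", "d": "data"}   # parameter sorts (assumed)
def show(t):                              # ("enc", body, key) is {|body|}_key
    if isinstance(t, str):
        return t
    tag, *args = t
    if tag != "enc":
        return f"{tag}({', '.join(map(show, args))})"
    op = {"pk": "enc_a", "sk": "sign"}.get(args[1][0], "enc_s") if isinstance(args[1], tuple) else "enc_s"
    return f"{op}({show(args[0])}, {show(args[1])})"

def atoms(t):
    return {t} if isinstance(t, str) else set().union(*map(atoms, t[1:]))

class RoleCompiler:   # +m ↦ out_ℓ(tid, m); −m ↦ in(tid, z) . <lets parsing z as m> . ℓ
    def __init__(self, fresh):
        self.fresh, self.bound, self.sums = set(fresh), set(), []
        self.xs = (f"x{i}" for i in itertools.count(1))
    def need(self, p):   # bind p before first use: fresh -> new here, else sum up front
        if p in self.bound:
            return []
        self.bound.add(p)
        if p in self.fresh:
            return [f"new {p} : {SORTS[p]} ."]
        self.sums.append(f"sum {p} : {SORTS[p]} .")
        return []
    def parse(self, var, t):              # let bindings that take var apart as t
        if isinstance(t, str):
            if t in self.bound:
                return [f"if {var} = {t} then"]
            self.bound.add(t)
            return [f"let {t} : {SORTS[t]} = {var} in"]
        _, body, key = t
        pre = [s for p in sorted(atoms(key)) for s in self.need(p)]
        if isinstance(key, tuple):        # decrypt with own sk, or verify with peer's pk
            expr = f"dec_a({var}, sk({key[1]}))" if key[0] == "pk" else f"ver({var}, pk({key[1]}))"
        else:
            expr = f"dec_s({var}, {show(key)})"
        if isinstance(body, str) and body not in self.bound:
            self.bound.add(body)
            return pre + [f"let {body} : {SORTS[body]} = {expr} in"]
        x = next(self.xs)
        return pre + [f"let {x} : ⊤ = {expr} in"] + self.parse(x, body)
    def compile_role(self, name, events):   # labels: NameStart first, NameDone last
        proc, last = [], len(events) - 1
        for i, (sign, m) in enumerate(events):
            label = name + ("Start" if i == 0 else "Done" if i == last else str(i))
            if sign == "+":
                proc += [s for p in sorted(atoms(m)) for s in self.need(p)]
                proc.append(f"out_{label}(tid, {show(m)}) .")
            else:
                proc += ["in(tid, z) ."] + self.parse("z", m) + [f"{label} ."]
        return " ".join(sorted(self.sums) + proc + ["0"])

# The two SEP roles as strand traces (constructed from the protocol on the slides).
MSG1, MSG2 = ("enc", ("enc", "k", ("sk", "a")), ("pk", "b")), ("enc", "d", "k")
INIT = RoleCompiler(fresh=[]).compile_role("Init", [("+", MSG1), ("-", MSG2)])
RESP = RoleCompiler(fresh=["d"]).compile_role("Resp", [("-", MSG1), ("+", MSG2)])
```

The leading !new tid . out(c, tid) . wrapper is left to the caller; the strings INIT and RESP are the role bodies.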

SLIDES 42–46
Compatibility Criterion: Local Bisimulation

B(ι; S, P, E) iff the strand node ι and the applied π configuration (S, P, E) have
• compatible pasts
• compatible possible next steps

Example: the initiator after its first step
ι = (init, 1, σ = {a ↦ a, b ↦ b, s ↦ s}), the initiator strand at its first node with its parameter substitution σ
S = (InitStart, out(tid, m₁), E₁), the trace so far
P = in(tid, z) . let d : data = dec_s(z, k) in InitDone . 0, the remaining process
E = E₁ = {a ↦ a, b ↦ b, s ↦ s, tid ↦ tid₁}, the current environment

Compatible pasts: the strand has transmitted {|{|k|}_{sk(a)}|}_{pk(b)}, matching the out event recorded in S.
Compatible next steps: the strand can next receive {|d|}_k, and the process can next perform (⊥, in(tid, m₄), E₅) . (InitDone, ⊥, E₆).

SLIDES 47–54
Global Bisimulation

Strand-space execution of SEP: the Init strand transmits {|{|k|}_{sk(a)}|}_{pk(b)}; the Resp strand receives it and transmits {|d|}_k, which Init receives.

Applied π trace matched to it, element by element:
(InitStart, out(tid, m₁), E₁) . (⊥, in(tid, m₂), E₂) . (RespStart, ⊥, E₃) . (RespDone, out(tid, m₃), E₄) . (⊥, in(tid, m₄), E₅) . (InitDone, ⊥, E₆)

Theorem: Compatible protocols are globally bisimilar

SLIDE 55
Goal Preservation Theorem

Suppose P and ℙ are globally bisimilar protocols. If P achieves Γ, then ℙ achieves f(Γ).

SLIDE 56
Converse is Not Always True

Strand spaces: partially ordered executions
Applied π: totally ordered traces
Trichotomy: ∀m,n. Preceq(m,n) ∨ Preceq(n,m) holds in every totally ordered trace but not in every partially ordered execution
Restricted goals: Preceq does not occur, or ∨ does not occur

SLIDE 57
Conjecture: Partial Converse

Suppose P and ℙ are globally bisimilar protocols, and Γ is a restricted goal. If ℙ achieves f(Γ), then P achieves Γ.

SLIDE 58
Summary

§ Improve reproducibility of formal analyses
§ Demonstrate tool-independence of the security goal language
– Provide goal semantics for applied π
– Prove compatibility with goal semantics for strand spaces

(ISO/IEC 29128 components: Protocol description, Adversary model, Security properties, Self-assessment evidence)