Deconstructing Alice & Bob
Carlos Caleiro
CLC, Dep. Mathematics, IST, TU Lisbon, Portugal
Luca Viganò and David Basin
Dep. Computer Science, ETH Zurich, Switzerland
ARSPA’05 – Lisbon, Portugal – July 16, 2005
Deconstructing Alice & Bob – p. 1
Formal analysis of security protocols
Strand spaces, multiset rewriting, theorem proving, ...
Distributed temporal logic:
Caleiro, Viganò and Basin. Relating strand spaces and distributed temporal logic for security protocol analysis. Logic Journal of the IGPL, in print.
Caleiro, Viganò and Basin. Metareasoning about security protocols using distributed temporal logic. ENTCS 125(1):67–89, 2005.
Caleiro, Viganò and Basin. Towards a metalogic for security protocol analysis. In Proceedings of the CombLog'04 Workshop, 2004.
The Needham-Schroeder Public-Key Authentication Protocol
(nspk1) a → b : (n1). {n1; a}Kb
(nspk2) b → a : (n2). {n1; n2}Ka
(nspk3) a → b : {n2}Kb

How to formalize a protocol specified in Alice&Bob-notation?
What is the meaning of such protocol descriptions?
How much is made explicit or left implicit?
What is the expressive power of Alice&Bob-style protocol specifications?
deconstruction
"(noun) a method of critical analysis of language and text which emphasizes the relational quality of meaning and the assumptions implicit in forms of expression"
taken from the Compact Oxford English Dictionary
Preliminaries
The standard semantics
Good examples and bad examples
Message forwarding and conditional abortion
Opaque and transparent messages
Incremental symbolic runs
Characterization theorems
Conclusion and further work
Preliminaries
Messages are built from atomic messages (identifiers, numbers, and variables) by pairing, encryption and hashing.
Perfect cryptography.
Every message can be used as an encryption key and has an inverse for decryption.
Communication is asynchronous and takes place over a hostile network.
Honest actions:
  s(M, A) — sending the message M to the principal A
  r(M) — receiving the message M
  f(N) — generating the fresh number N
In general, a protocol description in Alice&Bob-notation involves a collection of principal variables corresponding to protocol participants (a_i) and of number variables (n_j), and consists of a sequence step_1 ... step_m of steps of the form
  (step_q)  a_s → a_r : (n_q1, ..., n_qt). M
These steps are meant to prescribe a sequence of actions to be executed by each of the participants in a run of the protocol. But how?
  (step_q)  a_s → a_r : (n_q1, ..., n_qt). M
The sequence of actions corresponding to the execution of a's role in the protocol is
  a-run = step^a_1 . ... . step^a_m
where step^a_q is defined by
  step^a_q = f(n_q1) . ... . f(n_qt) . s(M, a_r)   if a = a_s
  step^a_q = r(M)                                  if a = a_r
(and step^a_q is the empty sequence when a is neither the sender a_s nor the receiver a_r of step_q).
The Needham-Schroeder Public-Key Authentication Protocol
(nspk1) a → b : (n1). {n1; a}Kb
(nspk2) b → a : (n2). {n1; n2}Ka
(nspk3) a → b : {n2}Kb

a-run : f(n1) . s({n1; a}Kb, b) . r({n1; n2}Ka) . s({n2}Kb, b)
b-run : r({n1; a}Kb) . f(n2) . s({n1; n2}Ka, a) . r({n2}Kb)
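The role projection of the previous slides, as an added example in Python (this is the editor's code, not part of the deck): it takes an Alice&Bob specification as a list of steps (sender, receiver, fresh names, message), projects it onto one principal's action sequence exactly as step^a_q is defined above, and renders the result in the deck's notation. The tuple encoding of messages and the names pair, enc, role_run, show and show_run are the editor's own choices; Ka^-1 is written ('inv', 'Ka').

```python
# Added example, not from the slides. Messages: atoms are strings; ('pair', M1, M2);
# ('enc', M, K); ('hash', M); ('inv', K) stands for the decryption key K^-1.
# A protocol step is (sender, receiver, [fresh names], message).

def pair(*ms):
    """Right-nested pairing: pair(a, b, c) = a; (b; c)."""
    return ms[0] if len(ms) == 1 else ('pair', ms[0], pair(*ms[1:]))

def enc(M, K):
    return ('enc', M, K)

def role_run(spec, x):
    """step^x_q = f(n_q1) ... f(n_qt) . s(M, receiver) if x sends,
    r(M) if x receives, and the empty sequence otherwise."""
    run = []
    for sender, receiver, fresh, M in spec:
        if x == sender:
            run += [('f', n) for n in fresh]
            run.append(('s', M, receiver))
        elif x == receiver:
            run.append(('r', M))
    return run

def show(M):
    """Render a message in the deck's notation: M1; M2, {M}K, H(M), K^-1."""
    if isinstance(M, str):
        return M
    if M[0] == 'pair':
        return show(M[1]) + '; ' + show(M[2])
    if M[0] == 'enc':
        return '{' + show(M[1]) + '}' + show(M[2])
    if M[0] == 'hash':
        return 'H(' + show(M[1]) + ')'
    return show(M[1]) + '^-1'          # ('inv', K)

def show_run(run):
    parts = []
    for act in run:
        if act[0] == 'f':
            parts.append('f(%s)' % act[1])
        elif act[0] == 's':
            parts.append('s(%s, %s)' % (show(act[1]), act[2]))
        else:
            parts.append('r(%s)' % show(act[1]))
    return ' . '.join(parts)

# The three protocols of the deck, transcribed from the slides.
NSPK = [('a', 'b', ['n1'], enc(pair('n1', 'a'), 'Kb')),
        ('b', 'a', ['n2'], enc(pair('n1', 'n2'), 'Ka')),
        ('a', 'b', [], enc('n2', 'Kb'))]
OTWAY_REES = [
    ('a', 'b', ['n1'], pair('i', 'a', 'b', enc(pair('n1', 'i', 'a', 'b'), 'Kas'))),
    ('b', 's', ['n2'], pair('i', 'a', 'b', enc(pair('n1', 'i', 'a', 'b'), 'Kas'),
                            enc(pair('n2', 'i', 'a', 'b'), 'Kbs'))),
    ('s', 'b', ['k'], pair('i', enc(pair('n1', 'k'), 'Kas'), enc(pair('n2', 'k'), 'Kbs'))),
    ('b', 'a', [], pair('i', enc(pair('n1', 'k'), 'Kas')))]
ASW1 = enc(pair('Ka', 'Kb', 't', ('hash', 'n1')), ('inv', 'Ka'))
ASW = [('a', 'b', ['n1'], ASW1),
       ('b', 'a', ['n2'], enc(pair(ASW1, ('hash', 'n2')), ('inv', 'Kb'))),
       ('a', 'b', [], 'n1'),
       ('b', 'a', [], 'n2')]

if __name__ == '__main__':
    for name, spec, roles in (('NSPK', NSPK, 'ab'), ('OR', OTWAY_REES, 'abs'), ('ASW', ASW, 'ab')):
        for x in roles:
            print('%s %s-run : %s' % (name, x, show_run(role_run(spec, x))))
```

Running it reproduces the a-run and b-run printed on the slide above, and also gives the server's role in Otway-Rees, which the deck does not spell out: r(or2) . f(k) . s(or3, b), with or1 and or4 contributing nothing to s.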
The Otway-Rees Authentication/Key-Exchange Protocol
(or1) a → b : (n1). i; a; b; {n1; i; a; b}Kas
(or2) b → s : (n2). i; a; b; {n1; i; a; b}Kas; {n2; i; a; b}Kbs
(or3) s → b : (k). i; {n1; k}Kas; {n2; k}Kbs
(or4) b → a : i; {n1; k}Kas

b-run (standard) :
  r(i; a; b; {n1; i; a; b}Kas) . f(n2) . s(i; a; b; {n1; i; a; b}Kas; {n2; i; a; b}Kbs, s) . r(i; {n1; k}Kas; {n2; k}Kbs) . s(i; {n1; k}Kas, a)
b-possrun (symbolic) :
  r(i; a; b; m1) . f(n2) . s(i; a; b; m1; {n2; i; a; b}Kbs, s) . r(i; m2; {n2; k}Kbs) . s(i; m2, a)

b does not hold Kas, so it can neither decrypt nor rebuild the components {n1; i; a; b}Kas and {n1; k}Kas; it only forwards them. The symbolic run makes this explicit by replacing them with the message variables m1 and m2, whereas the standard run reads as if b could check their contents.
The Asokan-Shoup-Waidner Optimistic Fair-Exchange Subprotocol
(asw1) a → b : (n1). {Ka; Kb; t; H(n1)}Ka^-1
(asw2) b → a : (n2). {{Ka; Kb; t; H(n1)}Ka^-1; H(n2)}Kb^-1
(asw3) a → b : n1
(asw4) b → a : n2

b-run (standard) :
  r({Ka; Kb; t; H(n1)}Ka^-1) . f(n2) . s({{Ka; Kb; t; H(n1)}Ka^-1; H(n2)}Kb^-1, a) . r(n1) . s(n2, a)

b-possrun (symbolic) :
  r({Ka; Kb; t; m1}Ka^-1) . f(n2) . s({{Ka; Kb; t; m1}Ka^-1; H(n2)}Kb^-1, a) . r(n1) . s(n2, a)

b-possruns (incremental symbolic) :
  b-possrun1 : r({Ka; Kb; t; m1}Ka^-1)
  b-possrun2 : r({Ka; Kb; t; m1}Ka^-1) . f(n2)
  b-possrun3 : r({Ka; Kb; t; m1}Ka^-1) . f(n2) . s({{Ka; Kb; t; m1}Ka^-1; H(n2)}Kb^-1, a)
  b-possrun4 : r({Ka; Kb; t; H(n1)}Ka^-1) . f(n2) . s({{Ka; Kb; t; H(n1)}Ka^-1; H(n2)}Kb^-1, a) . r(n1)
  b-possrun5 : r({Ka; Kb; t; H(n1)}Ka^-1) . f(n2) . s({{Ka; Kb; t; H(n1)}Ka^-1; H(n2)}Kb^-1, a) . r(n1) . s(n2, a)

b can verify a's signature, so the outer encryption is transparent, but until it receives n1 in asw3 it cannot recompute H(n1): the hash is the opaque m1 in the symbolic run. Once n1 arrives, the earlier messages are re-read with H(n1) explicit, which is why b-possrun4 and b-possrun5 differ from the prefixes b-possrun1 to b-possrun3 instead of extending them.
close(D): closure of a dataset under analysis and synthesis
analysis :
  M1; M2  ⊢  M1
  M1; M2  ⊢  M2
  {M}K, K^-1  ⊢  M
synthesis :
  M1, M2  ⊢  M1; M2
  M, K  ⊢  {M}K
  M  ⊢  H(M)
a-run = act1 . ... . acts, with initial data D^0_a
  D^0_a --act1--> D^1_a --act2--> D^2_a --act3--> ... --act_{s-1}--> D^{s-1}_a --acts--> D^s_a
where
  D^{i+1}_a = D^i_a                  if act_{i+1} = s(M, y)
  D^{i+1}_a = close(D^i_a ∪ {M})     if act_{i+1} = r(M)
  D^{i+1}_a = close(D^i_a ∪ {n})     if act_{i+1} = f(n)

Executability: for each participant a and 1 ≤ i ≤ s, if act_i = s(M, b) then M ∈ D^{i-1}_a.
Given the closed dataset D,
  v_D(M) = M                     if M is atomic
  v_D(M) = v_D(M1); v_D(M2)      if M = M1; M2
  v_D(M) = {v_D(M1)}v_D(K)       if M = {M1}K and (K^-1 ∈ D or M1, K ∈ D)
  v_D(M) = H(v_D(M1))            if M = H(M1) and M1 ∈ D
  v_D(M) = m_M                   otherwise
(cf. Abadi and Rogaway. Reconciling two views of cryptography. Journal of Cryptology 15(2):103–127, 2002.)

A message M is
  D-transparent if v_D(M) = M
  D-opaque if v_D(M) = m_M, i.e. M = {M1}K with K^-1 ∉ D and {M1, K} ⊄ D, or else M = H(M1) with M1 ∉ D
a-run = act1 . ... . acts, with initial data D^0_a
  D^0_a --act1--> D^1_a --act2--> D^2_a --act3--> ... --act_{s-1}--> D^{s-1}_a --acts--> D^s_a

a-possrun1 : act^1_1
a-possrun2 : act^2_1 . act^2_2
a-possrun3 : act^3_1 . act^3_2 . act^3_3
...
a-possruns : act^s_1 . act^s_2 . act^s_3 . ... . act^s_s
where each a-possrun_i = v_{D^i_a}(a-run|_i), i.e. act^i_j = v_{D^i_a}(act_j) for 1 ≤ j ≤ i.
The Needham-Schroeder Public-Key Authentication Protocol
(nspk1) a → b : (n1). {n1; a}Kb
(nspk2) b → a : (n2). {n1; n2}Ka
(nspk3) a → b : {n2}Kb

a-run : f(n1) . s({n1; a}Kb, b) . r({n1; n2}Ka) . s({n2}Kb, b)
a-possrun1 : f(n1)
a-possrun2 : f(n1) . s({n1; a}Kb, b)
a-possrun3 : f(n1) . s({n1; a}Kb, b) . r({n1; n2}Ka)
a-possrun4 : f(n1) . s({n1; a}Kb, b) . r({n1; n2}Ka) . s({n2}Kb, b)
Theorem
The standard sequence a-run is representative if and only if every received message is transparent when it is received, i.e. if act_i = r(M), then M is D^i_a-transparent.

For instance, NSPK fulfils this condition; Otway-Rees and Asokan-Shoup-Waidner do not.
The Otway-Rees Authentication/Key-Exchange Protocol
(or1) a → b : (n1). i; a; b; {n1; i; a; b}Kas
(or2) b → s : (n2). i; a; b; {n1; i; a; b}Kas; {n2; i; a; b}Kbs
(or3) s → b : (k). i; {n1; k}Kas; {n2; k}Kbs
(or4) b → a : i; {n1; k}Kas

b-possrun : r(i; a; b; m1) . f(n2) . s(i; a; b; m1; {n2; i; a; b}Kbs, s) . r(i; m2; {n2; k}Kbs) . s(i; m2, a)
b-possruns :
  b-possrun1 : r(i; a; b; m1)
  b-possrun2 : r(i; a; b; m1) . f(n2)
  b-possrun3 : r(i; a; b; m1) . f(n2) . s(i; a; b; m1; {n2; i; a; b}Kbs, s)
  b-possrun4 : r(i; a; b; m1) . f(n2) . s(i; a; b; m1; {n2; i; a; b}Kbs, s) . r(i; m2; {n2; k}Kbs)
  b-possrun5 : r(i; a; b; m1) . f(n2) . s(i; a; b; m1; {n2; i; a; b}Kbs, s) . r(i; m2; {n2; k}Kbs) . s(i; m2, a)
Theorem
The symbolic sequence a-possrun is representative if and only if every received message preserves the message variables that occur in the views of previously received messages, i.e. if j < i, act_j and act_i are receiving actions, and m_M occurs in v_{D^{i-1}_a}(act_j), then m_M also occurs in v_{D^i_a}(act_j).

For instance, NSPK and Otway-Rees fulfil this condition; still, Asokan-Shoup-Waidner does not.
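The knowledge sets D^i_a, the view function v_D, incremental symbolic runs and the two characterization conditions above, as one added example in Python (the editor's code, not the deck's). It runs the deck's own three runs (a's role in NSPK, b's role in Otway-Rees and in ASW) and reports which of the two conditions each satisfies. The tuple encoding of messages, the function names and the initial data sets (what each principal is assumed to hold before the run: agent names, its own keys, the public keys it uses) are the editor's assumptions; shared keys Kas and Kbs are modelled as their own inverses. close(D) is implemented as an analysis fixpoint plus a synthesis check on demand, since the synthesis closure is infinite.

```python
# Added example, not from the slides. Messages: atoms are str; ('pair', M1, M2);
# ('enc', M, K); ('hash', M); ('inv', K) is K^-1; ('var', M) is the variable m_M.
# Actions: ('f', n), ('r', M), ('s', M, receiver).
SYMMETRIC = {'Kas', 'Kbs'}   # assumption: shared keys are their own inverse

def inv(K):
    if isinstance(K, tuple) and K[0] == 'inv':
        return K[1]
    return K if K in SYMMETRIC else ('inv', K)

def pair(*ms):
    return ms[0] if len(ms) == 1 else ('pair', ms[0], pair(*ms[1:]))

def analyze(D):
    """Analysis closure: split pairs, decrypt when the inverse key is held."""
    D, changed = set(D), True
    while changed:
        changed = False
        for M in list(D):
            if isinstance(M, str):
                continue
            if M[0] == 'pair' and not {M[1], M[2]} <= D:
                D |= {M[1], M[2]}
                changed = True
            elif M[0] == 'enc' and inv(M[2]) in D and M[1] not in D:
                D.add(M[1])
                changed = True
    return frozenset(D)

def knows(D, M):
    """Synthesis: M is in the closed set iff it can be built from the analysed D."""
    if M in D:
        return True
    if isinstance(M, str) or M[0] in ('inv', 'var'):
        return False
    if M[0] == 'hash':
        return knows(D, M[1])
    return knows(D, M[1]) and knows(D, M[2])      # pair or enc

def view(D, M):
    """v_D(M): keep what D can open or rebuild, replace the rest by m_M."""
    if isinstance(M, str) or M[0] == 'inv':
        return M
    if M[0] == 'pair':
        return ('pair', view(D, M[1]), view(D, M[2]))
    if M[0] == 'enc' and (knows(D, inv(M[2])) or (knows(D, M[1]) and knows(D, M[2]))):
        return ('enc', view(D, M[1]), view(D, M[2]))
    if M[0] == 'hash' and knows(D, M[1]):
        return ('hash', view(D, M[1]))
    return ('var', M)

def datasets(run, D0):
    """D^0_a .. D^s_a: a receive adds M, a fresh action adds n, a send adds nothing."""
    Ds = [analyze(D0)]
    for act in run:
        Ds.append(analyze(set(Ds[-1]) | ({act[1]} if act[0] in ('r', 'f') else set())))
    return Ds

def executable(run, D0):
    """Every sent message must be derivable from the data held just before sending."""
    Ds = datasets(run, D0)
    return all(knows(Ds[i - 1], act[1]) for i, act in enumerate(run, 1) if act[0] == 's')

def possruns(run, D0):
    """a-possrun_i = v_{D^i_a}(a-run|i): the i-th view of the first i actions."""
    Ds = datasets(run, D0)
    return [[(act[0], view(Ds[i], act[1])) + act[2:] for act in run[:i]]
            for i in range(1, len(run) + 1)]

def standard_representative(run, D0):
    """First theorem: every received message is transparent when it is received."""
    Ds = datasets(run, D0)
    return all(view(Ds[i], act[1]) == act[1] for i, act in enumerate(run, 1) if act[0] == 'r')

def message_vars(M):
    if isinstance(M, str) or M[0] == 'inv':
        return set()
    return {M} if M[0] == 'var' else set().union(*map(message_vars, M[1:]))

def symbolic_representative(run, D0):
    """Second theorem: a later receive never removes an m_M from an earlier receive's view."""
    Ds = datasets(run, D0)
    recv = [i for i, act in enumerate(run, 1) if act[0] == 'r']
    return all(message_vars(view(Ds[i - 1], run[j - 1][1])) <= message_vars(view(Ds[i], run[j - 1][1]))
               for j in recv for i in recv if j < i)

# Runs as given on the slides; the initial data sets are the editor's assumptions.
NSPK_A = [('f', 'n1'), ('s', ('enc', pair('n1', 'a'), 'Kb'), 'b'),
          ('r', ('enc', pair('n1', 'n2'), 'Ka')), ('s', ('enc', 'n2', 'Kb'), 'b')]
NSPK_A_D0 = {'a', 'b', 'Ka', 'Kb', ('inv', 'Ka')}
OR1 = ('enc', pair('n1', 'i', 'a', 'b'), 'Kas')
OR_B = [('r', pair('i', 'a', 'b', OR1)), ('f', 'n2'),
        ('s', pair('i', 'a', 'b', OR1, ('enc', pair('n2', 'i', 'a', 'b'), 'Kbs')), 's'),
        ('r', pair('i', ('enc', pair('n1', 'k'), 'Kas'), ('enc', pair('n2', 'k'), 'Kbs'))),
        ('s', pair('i', ('enc', pair('n1', 'k'), 'Kas')), 'a')]
OR_B_D0 = {'a', 'b', 's', 'Kbs'}
ASW1 = ('enc', pair('Ka', 'Kb', 't', ('hash', 'n1')), ('inv', 'Ka'))
ASW_B = [('r', ASW1), ('f', 'n2'), ('s', ('enc', pair(ASW1, ('hash', 'n2')), ('inv', 'Kb')), 'a'),
         ('r', 'n1'), ('s', 'n2', 'a')]
ASW_B_D0 = {'a', 'b', 't', 'Ka', 'Kb', ('inv', 'Kb')}

if __name__ == '__main__':
    for name, run, D0 in (('NSPK a', NSPK_A, NSPK_A_D0), ('OR b', OR_B, OR_B_D0), ('ASW b', ASW_B, ASW_B_D0)):
        print(name, 'executable:', executable(run, D0), 'standard:', standard_representative(run, D0),
              'symbolic:', symbolic_representative(run, D0))
```

The output matches the slides: NSPK's a-run passes both conditions, Otway-Rees's b-run fails the first (the Kas-encrypted component is opaque when received) but passes the second, and ASW's b-run fails both, because possruns(ASW_B, ASW_B_D0)[3] no longer contains the variable m_{H(n1)} that possruns(...)[2] had. Note that the hash case in view checks whether the pre-image n1 is known, not whether the hash value H(n1) is held; b does hold the value after decrypting asw1, which is why the distinction matters.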
[Diagram: nested classes of protocols, from innermost to outermost: those with representative standard runs, those with representative symbolic runs, those with representative incremental symbolic runs, all protocols]
Conclusion and further work
Denotational semantics of Alice&Bob-style protocol specifications:
  incremental symbolic runs; message forwarding; conditional abortion
Operational semantics:
  basis for automated protocol analysis tools; step towards implementation; fill in the gap between Alice&Bob-notation and HLPSL
Distributed temporal logic:
  object level and metalevel reasoning; reduction results; calculus