Event-based Methods for Security Protocols Federico Crazzolara - - PowerPoint PPT Presentation



SLIDE 1

Event-based Methods for Security Protocols

Federico Crazzolara C&C Laboratories, NEC Europe

(joint work with G. Winskel while at BRICS)

DIMACS, July 8, 2003

SLIDE 2

Road map

1) Security Protocol Language (SPL)

  • Transition vs. event-based semantics

2) Relation between models (finite behaviours)

SPL & Basic Nets, Event Structures, Inductive Rules

SPL & Strand Spaces

Strand Spaces & Event Structures

SLIDE 3

High level, special purpose language

Program, verify & compile

program: concise & precise protocol description

formal semantics that supports protocol verification => reduce gap between protocol & model

compile verified program => correct protocol code

SLIDE 4

Security Protocol Language (SPL)

  • asynchronous, process-oriented language
  • abstracts the concrete network as a tuple space
  • messages: v | k | M,M' | {M}k
  • prefixing:
      new-name generation & send: out new(x) M . p
      input with pattern matching: in pat( ) N . p
  • parallel composition of processes: ||i∈I pi

SLIDE 5

ISO mutual authentication in SPL

(1) A → B : n
(2) B → A : {n, m, B, K}Key(A,B)
(3) A → B : {n, m}Key(A,B)

Resp(B, A) = in pat(x) x . out new(y,z) {x, y, B, Key(z)}Key(A,B) . in {x, y}Key(A,B)

RESP = ||B∈Agents ||A∈Agents ! Resp(B,A)

ISO = ||p∈{INIT,RESP,SPY} p

SLIDE 6

Transition Semantics

output:
  <out new(x) M . p, s, t>  --out new(n) M[n/x]-->  <p[n/x], s ∪ {n}, t ∪ {M[n/x]}>
  provided n ∉ s

input:
  <in pat( ) M . p, s, t>  --in M[N/ ]-->  <p[N/ ], s, t>
  provided M[N/ ] ∈ t

parallel composition:
  if    <pj, s, t>  --act-->  <p'j, s', t'>
  then  <||i pi, s, t>  --j:act-->  <||i p'i, s', t'>
  where p'i is p'j for i = j, else pi
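Slides 5 and 6 together specify enough to execute the protocol: the three rules of the transition semantics over configurations <p, s, t> and the responder term of the ISO exchange. The interpreter below is an added example in Python, not code from the slides nor from the SPL implementation at chispaces.com. It implements output with fresh-name generation (n ∉ s), input by pattern matching against the tuple space t, and indexed parallel composition, and runs one initiator against one responder. Assumptions of this example: the initiator term Init is reconstructed from messages (1)-(3), since the slide only shows Resp; the spy is omitted; fresh names are picked as x1, x2, ... outside s; and the scheduler fires the first enabled component in index order, which is one of the many interleavings the semantics allows.

```python
"""Transition semantics of an SPL-like calculus (slide 6), run on the ISO
mutual-authentication exchange of slide 5. Added example, not from the slides."""
from itertools import count

# Messages: a str is a name (the agents A, B are names too); ("var", x) is a
# pattern variable; ("key", *Ms) a key expression such as Key(A,B);
# ("tup", *Ms) a tuple; ("enc", M, K) the encryption {M}K.
def subst(term, env):
    """Apply the binding env to a message, a pattern, or a list of actions."""
    if isinstance(term, tuple):
        if term and term[0] == "var":
            return env.get(term[1], term)
        return tuple(subst(t, env) for t in term)
    if isinstance(term, list):
        return [subst(t, env) for t in term]
    return term

def match(pat, msg, env):
    """Pattern matching of the input rule: the extended binding, or None."""
    if isinstance(pat, tuple) and pat and pat[0] == "var":
        if pat[1] in env:
            return env if env[pat[1]] == msg else None
        return {**env, pat[1]: msg}
    if isinstance(pat, tuple):
        if not (isinstance(msg, tuple) and len(msg) == len(pat) and msg[0] == pat[0]):
            return None
        for p, m in zip(pat[1:], msg[1:]):
            env = match(p, m, env)
            if env is None:
                return None
        return env
    return env if pat == msg else None

def show(m):
    """Render a message in the notation of the slides."""
    if isinstance(m, str):
        return m
    tag, *args = m
    if tag == "var":
        return args[0]
    if tag == "key":
        return "Key(" + ",".join(map(show, args)) + ")"
    if tag == "tup":
        return ", ".join(map(show, args))
    return "{" + show(args[0]) + "}" + show(args[1])

def fresh(x, s):
    """A name n with n ∉ s (side condition of the output rule); the naming
    scheme x1, x2, ... is this example's choice."""
    for k in count(1):
        if f"{x}{k}" not in s:
            return f"{x}{k}"

def step(procs, s, t, j):
    """One transition of component j of <||i pi, s, t>, or None if j is not
    enabled. Returns (label, procs', s', t')."""
    if not procs[j]:
        return None
    act, *rest = procs[j]
    if act[0] == "out":                        # out new(x) M . p
        _, new_vars, msg = act
        env = {}
        for x in new_vars:
            env[x] = fresh(x, s | set(env.values()))
        msg = subst(msg, env)
        news = f"new({','.join(env.values())}) " if env else ""
        t2 = t if msg in t else t + [msg]      # t ∪ {M[n/x]}
        return (f"{j}:out {news}{show(msg)}", {**procs, j: subst(rest, env)},
                s | set(env.values()), t2)
    _, pat = act                               # in pat(x) M . p
    for msg in t:                              # provided M[N/x] ∈ t
        env = match(pat, msg, {})
        if env is not None:
            return (f"{j}:in {show(msg)}", {**procs, j: subst(rest, env)}, s, t)
    return None

def run(procs, s=(), t=()):
    """Fire the first enabled component (in index order) until none is enabled."""
    procs, s, t, trace = dict(procs), set(s), list(t), []
    while True:
        for j in procs:
            r = step(procs, s, t, j)
            if r is not None:
                label, procs, s, t = r
                trace.append(label)
                break
        else:
            return trace, s, t

V = lambda x: ("var", x)

def Init(a, b):
    """Initiator, reconstructed here from messages (1)-(3); not on the slides."""
    kab = ("key", a, b)
    return [("out", ["n"], V("n")),
            ("in", ("enc", ("tup", V("n"), V("m"), b, ("key", V("z"))), kab)),
            ("out", [], ("enc", ("tup", V("n"), V("m")), kab))]

def Resp(b, a):
    """Resp(B, A) as on slide 5."""
    kab = ("key", a, b)
    return [("in", V("x")),
            ("out", ["y", "z"], ("enc", ("tup", V("x"), V("y"), b, ("key", V("z"))), kab)),
            ("in", ("enc", ("tup", V("x"), V("y")), kab))]

def run_iso():
    """One initiator and one responder in parallel, no spy."""
    return run({"INIT": Init("A", "B"), "RESP": Resp("B", "A")}, s={"A", "B"})
```

`run_iso()` returns the sequence of labelled transitions of slide 6 together with the final name set and tuple space. The labels record which component moved and what it sent or received, but not that the responder's output was caused by the initiator's nonce, which is the limitation slide 7 points at.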

SLIDE 7

Transitions & security properties

Secrecy of session key: for all runs with Key(A,B) ∉ t0, at every stage w, Key(b) ∉ tw.

Possible proof strategy: assume the property does not hold => there is an earliest violating action; derive a contradiction from the causally preceding events. But which events are those?

  <pj, sj, tj>  --resp:B,A:i:out new(m,b) {n, m, B, Key(b)}Key(A,B)-->  <pj+1, sj+1, tj+1>

Transition semantics masks local dependencies!

SLIDE 8

Petri nets with persistence

Def: A Petri net with persistent conditions consists of
  B  a set of conditions,
  P ⊆ B  the persistent conditions,
  E  a set of events,
  pre, post : E → Pow(B)  pre- and postcondition maps (written •e and e•).

Def: Token game: M --e--> M' iff
  •e ⊆ M  and  (M \ (•e ∪ P)) ∩ e• = ∅,
  where M' = (M \ •e) ∪ e• ∪ (M ∩ P).

A persistent condition, once marked, stays marked (it is not consumed by the events that have it as a precondition), and only the non-persistent conditions are subject to the contact condition.
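As an added example, not code from the slides, here is the token game of the definition above played on a small fragment of an SPL net in the style of the next slide: a component i outputs a fresh name n inside a message m, two components j and k both input m, and a component l later tries to output the same name n. Output conditions are taken as persistent, as the event semantics does; name conditions are kept ordinary so that the contact condition (M \ (•e ∪ P)) ∩ e• = ∅ enforces freshness, which is this example's reading of the slide. Condition and event names are constructed.

```python
"""Token game of a net with persistent conditions (slide 8), played on a
fragment of an SPL net (slide 9). Added example, not from the slides."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    name: str
    pre: frozenset    # •e
    post: frozenset   # e•

def enabled(e, M, P):
    # •e ⊆ M  and  (M \ (•e ∪ P)) ∩ e• = ∅ : every precondition is marked and
    # e does not re-mark a non-persistent condition that it does not consume.
    return e.pre <= M and not ((M - (e.pre | P)) & e.post)

def fire(e, M, P):
    # M' = (M \ •e) ∪ e• ∪ (M ∩ P) : persistent conditions are never removed.
    if not enabled(e, M, P):
        raise ValueError(f"{e.name} is not enabled at {sorted(M)}")
    return (M - e.pre) | e.post | (M & P)

def play(events, M, P):
    """Fire the events in sequence; return every marking reached."""
    markings = [M]
    for e in events:
        M = fire(e, M, P)
        markings.append(M)
    return markings

# Constructed net. "ci0", "ci1", ... are control conditions (ordinary);
# "n" a name condition (ordinary, this example's choice); "m", "m2" output
# conditions (persistent, P).
P = frozenset({"m", "m2"})
OUT_I  = Event("i:out new(n) m",  frozenset({"ci0"}),      frozenset({"ci1", "n", "m"}))
IN_J   = Event("j:in m",          frozenset({"cj0", "m"}), frozenset({"cj1"}))
IN_K   = Event("k:in m",          frozenset({"ck0", "m"}), frozenset({"ck1"}))
OUT_L  = Event("l:out new(n) m2", frozenset({"cl0"}),      frozenset({"cl1", "n", "m2"}))
RESEND = Event("l:out m",         frozenset({"cl0"}),      frozenset({"cl1", "m"}))
M0 = frozenset({"ci0", "cj0", "ck0", "cl0"})

def demo():
    """Final marking after i, j, k fire, and whether l's two alternatives are
    enabled: OUT_L before and after (the name n is no longer fresh), and
    RESEND after (re-marking the persistent output condition m is allowed)."""
    final = play([OUT_I, IN_J, IN_K], M0, P)[-1]
    return (final, enabled(OUT_L, M0, P), enabled(OUT_L, final, P),
            enabled(RESEND, final, P))
```

Both j and k input m and m stays marked, which is the persistence; l cannot fire `out new(n)` once n is marked, which is how the net version of the side condition n ∉ s comes out of the contact condition.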

SLIDE 9

Event Semantics

SPL → Petri net

conditions: C (control), N (names), O (output; persistent)
events, with pre- and postcondition maps; events can carry indices to identify the component

output event  i:out new(n) M[n/x]
  precondition:   control  i:out new(x) M . p
  postconditions: control  i:Ic(p[n/x]),  name  n,  output  M[n/x]

input event  i:in M[N/ ]
  preconditions:  control  i:in pat( ) M . p,  output  M[N/ ]
  postcondition:  control  i:Ic(p[N/ ])

SLIDE 10

Net of an SPL process

Ev(out new(x) M . p) = { out new(n) M[n/x] | n names } ∪ ∪n Ev(p[n/x])

Ev(in pat( ) M . p) = { in M[N/ ] | N messages } ∪ ∪N Ev(p[N/ ])

Ev(||i∈I pi) = ∪i∈I i:Ev(pi)

(figure: the output and input event fragments of slide 9)

SLIDE 11

Relating transition and event semantics

(Ic(p): the initial control conditions of p)

Th: If <p, s, t> → <p', s', t'> then Ic(p) ∪ s ∪ t --e--> Ic(p') ∪ s' ∪ t' for some event e with act(e) equal to the action of the transition.

Th: If Ic(p) ∪ s ∪ t --e--> M then <p, s, t> --act(e)--> <p', s', t'> and M = Ic(p') ∪ s' ∪ t' for some closed process term p', names s' and messages t'.

SLIDE 12

Protocol verification – proof strategy

Use event-based semantics of SPL:

formalize security property P in terms of events (as safety property),

assume the run contains event violating P (take first such event),

use dependencies among events & derive contradiction (case analysis on the events of a protocol).

SLIDE 13

Derived proof principles

Well-foundedness: if P holds at some stage of a protocol run, then there is a first stage at which P holds.

Freshness of m in a run: at most one event e with m ∈ e^n (e^n the names generated by e).

Precedence:
  control: if b ∈ ᶜe_i (b a control precondition of e_i) then either b ∈ Ic(p0) or there is e_j, j < i, with b ∈ e_j^c (a control postcondition of e_j).
  output → input: if M ∈ ᵒe_i (M a message input by e_i) then either M ∈ t0 or there is e_j, j < i, with M ∈ e_j^o (M output by e_j).
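The principles above are statements about a run e_0, e_1, ... of events, each with control, name and message pre- and postconditions. The following Python, an added example and not code from the slides, encodes such a run and the three principles: it computes the stages t_w, finds the first stage at which a property fails (well-foundedness), checks that no name is generated twice (freshness), and through the two precedence principles recovers the events a violating event causally depends on, which is the material the case analysis of slide 12 works on. The run is constructed: the ISO exchange of slide 5 with a responder that, after message (2), outputs the session key Key(b) in clear, so that the secrecy property of slide 7 fails. Labels, condition names and message strings are this example's own.

```python
"""Derived proof principles of slides 12-13 applied to a run of events.
Added example, not from the slides."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Ev:
    label: str
    c_pre: frozenset = frozenset()    # control preconditions   ᶜe
    c_post: frozenset = frozenset()   # control postconditions  e^c
    names: frozenset = frozenset()    # names generated         e^n
    inputs: frozenset = frozenset()   # messages input          ᵒe
    outputs: frozenset = frozenset()  # messages output         e^o

F = frozenset

def stages(run, t0):
    """t_0, t_1, ...: the tuple space after each event of the run."""
    ts = [F(t0)]
    for e in run:
        ts.append(ts[-1] | e.outputs)
    return ts

def first_stage(run, t0, bad):
    """Well-foundedness: the first stage w with bad(t_w), or None."""
    for w, t in enumerate(stages(run, t0)):
        if bad(t):
            return w
    return None

def freshness_violations(run):
    """Names generated by more than one event, as (name, first, second)."""
    seen, bad = {}, []
    for i, e in enumerate(run):
        for n in e.names:
            if n in seen:
                bad.append((n, seen[n], i))
            else:
                seen[n] = i
    return bad

def supplier(run, i, cond, initial, post):
    """Precedence: the latest j < i whose post set contains cond; None if cond
    is in the initial state; ValueError if nothing supplied it (not a run)."""
    if cond in initial:
        return None
    js = [j for j in range(i) if cond in post(run[j])]
    if not js:
        raise ValueError(f"{cond!r} needed by {run[i].label} was never produced")
    return js[-1]

def predecessors(run, i, ic0, t0):
    """Immediate causal predecessors of run[i], by control and by output → input."""
    e = run[i]
    deps = {b: supplier(run, i, b, ic0, lambda x: x.c_post) for b in e.c_pre}
    deps.update({m: supplier(run, i, m, t0, lambda x: x.outputs) for m in e.inputs})
    return {j for j in deps.values() if j is not None}

def causes(run, i, ic0, t0):
    """Everything run[i] depends on, transitively: the events a proof by
    contradiction may reason about once the first violation is fixed."""
    done, todo = set(), {i}
    while todo:
        j = todo.pop()
        for k in predecessors(run, j, ic0, t0):
            if k not in done:
                done.add(k)
                todo.add(k)
    return done

# Constructed run: the ISO exchange in which the responder, after sending
# message (2), outputs the session key Key(b) in clear (a deliberate bug).
IC0 = F({"init:0", "resp:0"})
T0 = F({"A", "B"})
MSG2 = "{n, m, B, Key(b)}Key(A,B)"
RUN = [
    Ev("init:A,B:out new(n) n", F({"init:0"}), F({"init:1"}), names=F({"n"}), outputs=F({"n"})),
    Ev("resp:B,A:in n", F({"resp:0"}), F({"resp:1"}), inputs=F({"n"})),
    Ev("resp:B,A:out new(m,b) " + MSG2, F({"resp:1"}), F({"resp:2"}),
       names=F({"m", "b"}), outputs=F({MSG2})),
    Ev("resp:B,A:out Key(b)", F({"resp:2"}), F({"resp:3"}), outputs=F({"Key(b)"})),
    Ev("init:A,B:in " + MSG2, F({"init:1"}), F({"init:2"}), inputs=F({MSG2})),
]

def analyse(run=RUN):
    """Stage of the first secrecy violation, the violating event, its causes."""
    w = first_stage(run, T0, lambda t: "Key(b)" in t)
    if w is None:
        return None
    return w, run[w - 1].label, sorted(causes(run, w - 1, IC0, T0))
```

`analyse()` locates the first stage at which Key(b) is in the tuple space, names the event that put it there, and returns the indices of the events it causally depends on; the later initiator input is correctly excluded, since nothing the violating event needed came from it.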

SLIDE 14

Summary (I)

Event-based semantics of SPL => non-interleaving models useful for security-protocol analysis.

Transition semantics of SPL easy to implement.

Relation between event-based & transition semantics + correct implementation of the transition semantics => properties of the protocol model are properties of the protocol implementation.

SLIDE 15

Relation between models

(relate finite behaviours)

(diagram) traditional, well-studied models: E (event structures), TL (trace languages), N (basic nets), TS (transition systems).
New, special-purpose models: StrandSp (strand spaces), NetPers (nets with persistence), IR (Paulson's inductive rules); SPL, through its two semantics, is related to each of them.
Other models: Spi, CSP, ...

SLIDE 16

SPL Nets, Trace Languages, Event Structures

(diagram as on slide 15: E, TL, N, TS; StrandSp, NetPers, IR (Paulson); SPL)

•e ∩ P = ∅ => e does not occur more than once in a run
SLIDE 17

SPL and Inductive Rules

(diagram as on slide 15: E, TL, N, TS; StrandSp, NetPers, IR (Paulson); SPL)

p* SPL process (all actions replicated)

SLIDE 18

Strand Spaces with conflict

Strand Spaces: <si>i∈I
  • only a limited form of nondeterminism
  • difficult to compose using traditional process operators

Extension: (<si>i∈I, #), with # ⊆ I×I symmetric & irreflexive (conflict relation)

unique origination on the bundles, not on the entire space

Compose strand spaces: a.S, S || S', S + S'  (abbreviation: ||k∈ω (<si>i∈I, #) = !(<si>i∈I, #))

SLIDE 19

Conflict relation is inessential

Def: ≈ is the binary, symmetric relation on strand spaces with S ≈ S' iff for every bundle b of S there is a bundle b' of S' such that b and b' are isomorphic graphs, and vice versa.

Th:
  if b is a bundle of !(<si>i∈I, #) then b is a bundle of !(<si>i∈I, ∅);
  if b is a bundle of !(<si>i∈I, ∅) then there is a re-indexing σ such that σ(b) is a bundle of !(<si>i∈I, #).

Cor: !(<si>i∈I, #) ≈ !(<si>i∈I, ∅)

SLIDE 20

SPL and Strand Spaces

strands of S(p): maximal sequences of events in Ev(p) coinciding at control (p a "par" process)

Th: sequences of events in Net(p) <=> linearizations of bundles in S(p)

if p is a "!-par" process then S(p) = !(<si>i∈I, #) ≈ !(<si>i∈I, ∅)

(figure: Net(p) with i:out M followed by the alternative inputs i:in M1 ... i:in Mi, against S(p), where each alternative becomes its own strand i:out M, i:in Mk and the strands are in conflict #)

SLIDE 21

Prime Event Structures

Prime event structure (E, #, ≤):
  ≤ a partial order (causality) with {e' | e' ≤ e} finite for every e,
  # a binary conflict relation, symmetric and irreflexive,
  e # e' ≤ e'' => e # e''  (conflict is inherited).

Configurations F(E) are x ⊆ E s.t.
  x is conflict-free,
  x is left-closed (e' ≤ e ∈ x => e' ∈ x).

SLIDE 22

Strand Spaces and Event Structures

bundles are graphs, i.e. sets of nodes and edges; (B, ⊆) the bundles ordered by inclusion

b ∈ B a bundle, e ∈ b:  ⌈e⌉b = ∩{b' ∈ B | e ∈ b' and b' ⊆ b}  (the primes)

Prop:
  ⌈e⌉b is a bundle
  if b ∈ B then b = ∪{p | p ⊆ b, p prime}

(figure: a bundle b with sub-bundles b', b'' containing e, and their intersection ⌈e⌉b)

SLIDE 23

Strand Spaces and Event Structures (II)

Def: Pr(B) = (P, #, 
⊆)
  P the primes of B,
  p # p' iff there is no p'' ∈ B with p ⊆ p'' and p' ⊆ p''  (p, p' not compatible).

Th: Pr(B) is a prime event structure, and φ : (B, ⊆) → (Ffin Pr(B), ⊆) with
  φ(b) = {p | p ⊆ b, p prime}
is an isomorphism of partial orders, with inverse θ : Ffin Pr(B) → B where θ(x) = ∪x.
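Slides 21-23 define prime event structures, the primes of a set of bundles, and the event structure Pr(B). As an added example (not from the slides), the following Python builds Pr(B) for a small constructed strand space, checks the axioms of slide 21, enumerates the configurations, and verifies the isomorphism φ/θ of slide 23 between bundles and finite configurations. The strand space (events a1, b1, c1, d1; edges a1 → b1 and a1 → c1; the bundle set) is constructed for the example; conflict between primes is taken as "no bundle contains both", i.e. incompatibility in (B, ⊆).

```python
"""Primes of a set of bundles and the prime event structure Pr(B) of slides
21-23, on a constructed strand space. Added example, not from the slides."""
from itertools import combinations

# Constructed strand space: a1 -> b1 and a1 -> c1 are the edges (one message
# sent by a1 and read by two alternative responders b1 and c1, which never
# occur in the same bundle); d1 is an independent event. Bundles are node
# sets; the primes of slide 22 are computed from the edges inside each bundle.
EDGES = {("a1", "b1"), ("a1", "c1")}
BUNDLES = [frozenset(s) for s in (
    (), ("a1",), ("d1",), ("a1", "d1"), ("a1", "b1"), ("a1", "b1", "d1"),
    ("a1", "c1"), ("a1", "c1", "d1"))]

def below(b, e):
    """⌈e⌉_b: the least sub-bundle of b containing e (e and all it depends on)."""
    down, todo = {e}, [e]
    while todo:
        x = todo.pop()
        for (u, v) in EDGES:
            if v == x and u in b and u not in down:
                down.add(u)
                todo.append(u)
    return frozenset(down)

def primes(bundles):
    return {below(b, e) for b in bundles for e in b}

def pr(bundles):
    """Pr(B) = (P, #, ⊆): p # p' iff no bundle contains both (not compatible)."""
    P = primes(bundles)
    leq = {(p, q) for p in P for q in P if p <= q}
    compatible = lambda p, q: any(p <= b and q <= b for b in bundles)
    conflict = {(p, q) for p in P for q in P if not compatible(p, q)}
    return P, conflict, leq

def is_prime_event_structure(E, conflict, leq):
    """Axioms of slide 21 (E is finite here, so pasts are finite automatically)."""
    order = (all((e, e) in leq for e in E)
             and all(p == q for (p, q) in leq if (q, p) in leq)
             and all((p, r) in leq for (p, q) in leq for (q2, r) in leq if q == q2))
    conf = (all((q, p) in conflict for (p, q) in conflict)
            and all((e, e) not in conflict for e in E))
    hereditary = all((p, r) in conflict
                     for (p, q) in conflict for (q2, r) in leq if q == q2)
    return order and conf and hereditary

def configurations(E, conflict, leq):
    """F(E): the conflict-free, left-closed subsets of E."""
    E = sorted(E, key=sorted)
    out = []
    for k in range(len(E) + 1):
        for xs in combinations(E, k):
            x = frozenset(xs)
            if any((p, q) in conflict for p in x for q in x):
                continue
            if all(p in x for q in x for (p, q2) in leq if q2 == q):
                out.append(x)
    return out

def check_iso(bundles):
    """Slide 23: φ(b) = {p ⊆ b prime} is a bijection onto the configurations
    and θ(x) = ∪x gives the bundle back."""
    P, conflict, leq = pr(bundles)
    configs = set(configurations(P, conflict, leq))
    phi = {b: frozenset(p for p in P if p <= b) for b in bundles}
    return (is_prime_event_structure(P, conflict, leq)
            and set(phi.values()) == configs
            and all(frozenset().union(*phi[b]) == b for b in bundles))
```

On this strand space the four primes are {a1}, {d1}, {a1, b1} and {a1, c1}; the last two are in conflict, {d1} is compatible with everything, and the eight configurations of Pr(B) correspond one-to-one to the eight bundles.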

SLIDE 24

Summary (II)

(diagram as on slide 15) traditional, well-studied: E, TL, N, TS; new, special purpose: StrandSp, NetPers, IR (Paulson); SPL.

SPL and strand spaces: "!-par" SPL processes
SPL and inductive rules: p* SPL process (all actions replicated)
nets with persistence and basic nets / event structures: •e ∩ P = ∅ => e does not occur more than once in a run
SLIDE 25

References

  • F. Crazzolara. Language, Semantics, and Methods for Security Protocols. Ph.D. Thesis, BRICS, May 2003.
  • F. Crazzolara, G. Winskel. Composing Strand Spaces. FSTTCS'02.
  • F. Crazzolara, G. Winskel. Events in Security Protocols. ACM CCS'01.
  • F. Crazzolara, G. Winskel. Petri Nets in Cryptographic Protocols. FMPPTA'01.
  • F. Crazzolara, G. Milicia. Implementation of SPL @ www.chispaces.com.