How to Do Things with Cryptographic Protocols Joshua D. Guttman - - PowerPoint PPT Presentation

How to Do Things with Cryptographic Protocols

Joshua D. Guttman

The MITRE Corporation

Thanks to the MITRE-Sponsored Research program

Asian Computer Science Conference, 2007

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 1 / 27

Protocols coordinate distributed systems

Protocols allow principals To agree on values

◮ While preserving their secrecy

To accept, select, or refuse commitments Often dependent on

◮ Commitments received ◮ Current local state

To coordinate state changes between themselves Despite presence of malicious adversaries

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 2 / 27

Electronic purchase

Using a money order (EPMO protocol)

Bank Customer Merchant

• ✲ •
• ✛
• ✛
• ✲ •
• ✲ •
• ✛
• Joshua D. Guttman (MITRE)

Doing Things with Protocols Asian 2007 3 / 27

EPMO Goals

Agree on values Preserve confidentiality Allow decision-making Cause state change

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 4 / 27

EPMO Goals

Agree on values:

◮ C, M, B agree on each other’s identities and price ◮ C, M agree on goods; C, B agree on account number

Preserve confidentiality Allow decision-making Cause state change

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 4 / 27

EPMO Goals

Agree on values:

◮ C, M, B agree on each other’s identities and price ◮ C, M agree on goods; C, B agree on account number

Preserve confidentiality: Protect

◮ C’s account number from M, outsiders ◮ goods from B, outsiders ◮ price from outsiders ◮ M’s identity from B, unless C decides to complete ◮ Occurrence of transaction from outsiders

Allow decision-making Cause state change

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 4 / 27

EPMO Goals

Agree on values:

◮ C, M, B agree on each other’s identities and price ◮ C, M agree on goods; C, B agree on account number

Preserve confidentiality: Protect

◮ C’s account number from M, outsiders ◮ goods from B, outsiders ◮ price from outsiders ◮ M’s identity from B, unless C decides to complete ◮ Occurrence of transaction from outsiders

Allow decision-making:

◮ C decides to spend price for goods from M ◮ M decides to sell goods to C for price ◮ B decides to transfer price

Cause state change

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 4 / 27

EPMO Goals

Agree on values:

◮ C, M, B agree on each other’s identities and price ◮ C, M agree on goods; C, B agree on account number

Preserve confidentiality: Protect

◮ C’s account number from M, outsiders ◮ goods from B, outsiders ◮ price from outsiders ◮ M’s identity from B, unless C decides to complete ◮ Occurrence of transaction from outsiders

Allow decision-making:

◮ C decides to spend price for goods from M ◮ M decides to sell goods to C for price ◮ B decides to transfer price

Cause state change:

◮ B transfers funds ◮ M issues shipping order Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 4 / 27

Layers of analysis

Protocol mechanics Trust management State and state change

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 5 / 27

Layers of analysis

Protocol mechanics

◮ Who sends what messages ◮ Accounts for ⋆ Confidentiality ⋆ Authentication and agreement

Trust management State and state change

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 5 / 27

Layers of analysis

Protocol mechanics

◮ Who sends what messages ◮ Accounts for ⋆ Confidentiality ⋆ Authentication and agreement

Trust management

◮ Decision making ◮ Accounts for ⋆ Commitments made at each step ⋆ Protocol branching or early termination

State and state change

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 5 / 27

Layers of analysis

Protocol mechanics

◮ Who sends what messages ◮ Accounts for ⋆ Confidentiality ⋆ Authentication and agreement

Trust management

◮ Decision making ◮ Accounts for ⋆ Commitments made at each step ⋆ Protocol branching or early termination

State and state change

◮ Conditions and effects of the protocol run ◮ Accounts for ⋆ Initial premises supplied to trust management ⋆ Changes induced by successful run Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 5 / 27

EPMO Protocol Structure, 1

C

✲ M

• ✛
• B ✛
• ✲ •
• ✲ •
• ✛
• Joshua D. Guttman (MITRE)

Doing Things with Protocols Asian 2007 6 / 27

EPMO Protocol Structure, 1

C { |C, Nc, goods| }M✲ M

• ✛
• B ✛
• ✲ •
• ✲ •
• ✛
• Joshua D. Guttman (MITRE)

Doing Things with Protocols Asian 2007 6 / 27

EPMO Protocol Structure, 1

C { |C, Nc, goods| }M✲ M

• ✛

{ |Nc, Nm, M, price| }C •

• B ✛
• ✲ •
• ✲ •
• ✛
• Joshua D. Guttman (MITRE)

Doing Things with Protocols Asian 2007 6 / 27

EPMO Protocol Structure, 1

C { |C, Nc, goods| }M✲ M

• ✛

{ |Nc, Nm, M, price| }C •

• B ✛
• ✲ •
• . . . Nm . . .

✲ •

• ✛
• Joshua D. Guttman (MITRE)

Doing Things with Protocols Asian 2007 6 / 27

EPMO Done Wrong

C { |C, Nc, goods| }M✲ M

• ✛

{ |Nc, Nm, M, price| }C •

• B ✛
• ✲ •
• . . . Nm . . .

✲ •

• ✛
• Joshua D. Guttman (MITRE)

Doing Things with Protocols Asian 2007 7 / 27

EPMO Done Wrong

C { |C, Nc, goods| }M✲ M

• ✛

{ |Nc, Nm, price| }C •

• B ✛
• ✲ •
• . . . Nm . . .

✲ •

• ✛
• What if M’s name omitted?

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 7 / 27

Lowe-style attack

B C M′ M

• {

|C, Nc, goods′| }M′

✲ •

{ |C, Nc, goods| }M

✲ •

• ✛{

|Nc, Nm, price| }C

• ✛
• ✲ •
• . . . Nm . . .

✲ • ✲ •

• ✛
• Joshua D. Guttman (MITRE)

Doing Things with Protocols Asian 2007 8 / 27

EPMO Protocol Structure, 2

C { |C, Nc, goods| }M

✲ M

• ✛{

|Nc, Nm, M, price| }C

• B ✛

{ |C, Nc, Nm, acct#, price| }B •

• mo, {

|Nc, Nb| }C

✲ •

• mo, Nb

✲ •

• ✛

M, hash(B, M, Nb, Nm) •

• mo = [

[ hash(C, Nc, Nb, Nm, price) ] ]B

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 9 / 27

Protocol Executions are Bundles

Vertical columns are strands

◮ Local, session-specific sequences ◮ Could also represent adversary activity Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 10 / 27

Protocol Executions are Bundles

Vertical columns are strands

◮ Local, session-specific sequences ◮ Could also represent adversary activity

Transmissions, receptions on strands called “nodes”

◮ Positive for send ◮ Negative for receive Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 10 / 27

Protocol Executions are Bundles

Vertical columns are strands

◮ Local, session-specific sequences ◮ Could also represent adversary activity

Transmissions, receptions on strands called “nodes”

◮ Positive for send ◮ Negative for receive

Bundle B: causally well-founded execution Finite acyclic graph where

◮ Every reception −t has a unique transmission +t

where +t → −t

◮ When ni ⇒ ni+1 on same strand, and ni+1 in B,

then ni in B

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 10 / 27

Protocol Executions are Bundles

Vertical columns are strands

◮ Local, session-specific sequences ◮ Could also represent adversary activity

Transmissions, receptions on strands called “nodes”

◮ Positive for send ◮ Negative for receive

Bundle B: causally well-founded execution Finite acyclic graph where

◮ Every reception −t has a unique transmission +t

where +t → −t

◮ When ni ⇒ ni+1 on same strand, and ni+1 in B,

then ni in B

Edges are arrows: → msg transmission arrows ⇒ strand succession arrows

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 10 / 27

Precedence within a Bundle

Bundle precedence ordering B n B n ′ means sequence of 0 or more arrows →, ⇒ lead from n to n ′ B is a partial order by acyclicity B is well-founded by finiteness

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 11 / 27

Precedence within a Bundle

Bundle precedence ordering B n B n ′ means sequence of 0 or more arrows →, ⇒ lead from n to n ′ B is a partial order by acyclicity B is well-founded by finiteness Bundle induction: Every non-empty subset of B has B-minimal members Reasoning about protocols combines

◮ Bundle induction ◮ Induction on message structure Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 11 / 27

Guarantees in Purchasing

C

✲ M

• ✛
• B ✛
• ✲ •
• ✲ •
• ✛
• Joshua D. Guttman (MITRE)

Doing Things with Protocols Asian 2007 12 / 27

Guarantees in Purchasing

C

✲ M

• ✛

γm,2

• B ✛
• ✲ •
• ✲ •
• ✛
• γm,2: I will ship C goods, if paid price

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 12 / 27

Guarantees in Purchasing

C

✲ M

• ✛

γm,2

• B ✛
• γb,2
• ✲ •
• ✲ •
• ✛
• γb,2: I will pay price from acct# to the bearer P, if P authorized by C

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 12 / 27

Guarantees in Purchasing

C

✲ M

• ✛

γm,2

• B ✛
• γb,2
• ✲ •
• γc,5
• ✲ •
• ✛
• γc,5: I authorize payment from acct# to M

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 12 / 27

Guarantees in Purchasing

C

✲ M

• ✛

γm,2

• B ✛
• γb,2
• ✲ •
• γc,5
• ✲ •
• ✛

γm,4

• γm,4: I request payment and will ship C goods

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 12 / 27

Relying on others

C

✲ M

ρc,2

• ✛

γm,2

• B ✛
• γb,2
• ✲ •
• γc,5
• ✲ •
• ✛

γm,4

• ρc,2: M says γm,2

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 13 / 27

Relying on others

C

✲ M

ρc,2

• ✛

γm,2

• B ✛
• γb,2
• ✲ ρc,4
• γc,5
• ✲ •
• ✛

γm,4

• ρc,4: B says γb,2

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 13 / 27

Relying on others

C

✲ M

ρc,2

• ✛

γm,2

• B ✛
• γb,2
• ✲ ρc,4
• γc,5
• ✲ ρm,3
• ✛

γm,4

• ρm,3: B says B will pay if authorized and

C says C authorizes payment to M

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 13 / 27

Relying on others

C

✲ M

ρc,2

• ✛

γm,2

• B ✛
• γb,2
• ✲ ρc,4
• γc,5
• ✲ ρm,3
• ρb,3
• ✛

γm,4

• ρb,3: C says C authorizes payment from acct# to M and

M says M requests payment

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 13 / 27

Lowe-style attack

C { |C, Nc, goods′| }M′

✲ M′ {

|C, Nc, goods| }M

✲ M

• ✛

{ |Nc, Nm, price| }C

• B ✛
• ✲ •
• . . . Nm . . .

✲ • ✲ •

• ✛
• γc,5: I authorize payment from acct# to M′

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 14 / 27

Lowe-style attack

C { |C, Nc, goods′| }M′

✲ M′ {

|C, Nc, goods| }M

✲ M

• ✛

{ |Nc, Nm, price| }C

• B ✛
• ✲ •
• . . . Nm . . .

✲ • ✲ •

• ✛
• ρm,3: B says B will pay if authorized and

C says C authorizes payment to M

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 14 / 27

Protocol Soundness

Protocol Π is sound iff, for all executions B of Π, and message receptions n ∈ B {prin(m) says γm : m ≺B n} − →L ρn where − →L is the consequence relation of the underlying logic ≺B is the bundle partial order Soundness follows from authentication properties

◮ Strand space authentication methods work fine ◮ Recency easy to incorporate

Soundness means Π strong enough for its trust interpretation

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 15 / 27

Trust and State

EPMO needs to consult state M must know goods in stock; price is right B must know price available in acct# EPMO needs to modify state when successful M needs to decrement inventory; produce shipping order B needs to transfer price from C to M

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 16 / 27

Events involving state

Bank run with events shown:

• =

⇒ E hold(. . .) = ⇒ • = ⇒ • = ⇒ E transfer(. . .)

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 17 / 27

Maintaining state

Multiset rewriting

◮ A simple and appealing formalism

Represents state as multiset of facts Rewrite rule ρ = E( t0), . . . , F( t1) → G( t2), . . . , H( t3) consumes facts matching E( t0), . . . , F( t1), produces facts matching G( t2), . . . , H( t3)

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 18 / 27

Maintaining state

Multiset rewriting

◮ A simple and appealing formalism

Represents state as multiset of facts Rewrite rule ρ = E( t0), . . . , F( t1) → G( t2), . . . , H( t3) consumes facts matching E( t0), . . . , F( t1), produces facts matching G( t2), . . . , H( t3) Assume all variables in t2, . . . , t3 appear in t0, . . . , t1

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 18 / 27

Applying ρ = E( t0), . . . , F( t1) → G( t2), . . . , H( t3)

Rule ρ is applicable to state Σ0 if Σ0 = Σ1, E( t0 · σ), . . . , F( t1 · σ) Produces transition of form Σ1, E( t0 · σ), . . . , F( t1 · σ)

ρ,σ

→ Σ1, G( t2 · σ), . . . , H( t3 · σ) “Computation” means path C = Σ0

ρ0,σ0

→ Σ1

ρ1,σ1

→ Σ2 . . .

ρ2,σ2

→

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 19 / 27

A convention of use: Locality

We assume

1

Every predicate is of the form F(p, t) where p is a principal

2

Every rule takes form ρ = E(p, t0), . . . , F(p, t1) → G(p, t2), . . . , H(p, t3) Every computation step affects a single principal p

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 20 / 27

Consequence of locality: Concurrency

Events on different principals are always concurrent If p · σ1 = p · σ2 and (ρ1, σ1), (ρ2, σ2) can happen, so can reverse: Σ0

ρ1,σ1

→ Σ1

ρ2,σ2

→ Σ2 implies Σ0

ρ2,σ2

→ Σ′

1 ρ1,σ1

→ Σ2

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 21 / 27

Consequence of locality: Concurrency

Events on different principals are always concurrent If p · σ1 = p · σ2 and (ρ1, σ1), (ρ2, σ2) can happen, so can reverse: Σ0

ρ1,σ1

→ Σ1

ρ2,σ2

→ Σ2 implies Σ0

ρ2,σ2

→ Σ′

1 ρ1,σ1

→ Σ2 Rules never coordinate different principals;

• nly protocols coordinate principals

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 21 / 27

Second convention of use: Events

We assume

1

Finite set of predicates {Ei(p, ti)}i∈I is distinguished, called the events

2

Each rule ρ either produces one event: F1(p, t0), . . . , Fk(p, t1) → Ei(p, t2)

• r consumes one event:

Ei(p, t0) → G1(p, t1), . . . , Gℓ(p, t2) where F1, . . . , Fk, G1, . . . Gℓ are not events

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 22 / 27

Second convention of use: Events

We assume

1

Finite set of predicates {Ei(p, ti)}i∈I is distinguished, called the events

2

Each rule ρ either produces one event: F1(p, t0), . . . , Fk(p, t1) → Ei(p, t2)

• r consumes one event:

Ei(p, t0) → G1(p, t1), . . . , Gℓ(p, t2) where F1, . . . , Fk, G1, . . . Gℓ are not events Every computation equivalent to one in which every event is immediately consumed

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 22 / 27

Redefine strand traces

Add events to strands The trace tr(s) is a sequence of nodes of three kinds:

1

Message transmissions

2

Message receptions

3

Events Ei(p, t)

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 23 / 27

Compatible bundles and computations

Bundle B is compatible with computation C iff there is a bijection φ from Event nodes n of B to Event consumption steps ρ, σ of C such that The event Ei(p, t) at n is the event consumed on φ(n) n0 B n1 implies φ(n0) precedes φ(n1) in C

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 24 / 27

Execution model

(B, C) is an execution for a protocol and a set of rules iff B is a bundle for the protocol C is a computation for the rules B and C are compatible

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 25 / 27

Protocols coordinate distributed systems

Protocols allow principals To agree on values

◮ While preserving their secrecy

To accept, select, or refuse commitments Often dependent on

◮ Commitments received ◮ Current local state

To coordinate state changes between themselves Despite presence of malicious adversaries

Joshua D. Guttman (MITRE) Doing Things with Protocols Asian 2007 26 / 27