1 towards evolving specs of security protocols march 7, 2002 dusko pavlovic kestrel institute
TRANSCRIPT
1
Towards evolving specs of security protocols
Towards evolving specs of security protocols
March 7, 2002
Dusko PavlovicKestrel Institute
2
ClaimClaim
Security Engineering
is a part of
Software Engineering
3
ClaimClaim
• it is helpful to analyze:• protocols in context of architectures
• security as a part of of high assurance
• malicious attackers on connectors together with
unspecified environments of components
• both SE and SE are concerned with• distributed,
• multi-layered,
• heterogenous complex systems…
4
OutlineOutline
• Mobile proposals: – IPv4 vs IPv6
• Problem: – remote redirection (traffic hijacking)
• Adding authentication: – espec transformation
• Variations and ongoing work
5
PapersPapers
• Authentication for Mobile IPv6
– with A. Datta, J. Mitchell and F. Muller
• Composition and refinement of behavioral specifications
– with D. Smith
• Guarded transitions in evolving specifications
– with D. Smith
http://www.kestrel.edu/users/pavlovic/
6
Mobile IPv4Mobile IPv4
HAHA
MNMN
FAFA
CNCN
initial architecture
7
Mobile IPv4Mobile IPv4
HAMN
FA
CN
8
Mobile IPv4Mobile IPv4
HA
MN FA
CN
9
Mobile IPv4Mobile IPv4
HA
MN FA
CN
10
Mobile IPv4Mobile IPv4
HA
MN FA
CN
11
Mobile IPv4Mobile IPv4
HA
MN FA
CN
triangle routing!
12
Mobile IPv4Mobile IPv4
HAHA
MNMN
FAFA
CNCN
session architecture
13
Mobile IPv6Mobile IPv6
• avoid triangle routing:– use IPv6 Routing Header and tunneling
• minimize– network partitioning
– computational load on:
» routers
» nodes: no expensive encryptions or decryptions
– number of messages
– need for infrastructure: no global PKI
• maximize– performance and availability: no DoS
– end-to-end security: authenticate location information
14
Mobile IPv6Mobile IPv6
• home address – the node is always addressed by the same IP number
• care-of addresses (one or more)– bind dynamically to different subnet IP numbers
» all packets containing the binding information must be authenticated
» authentication relies upon previously established security associations
• Binding Update/Acknowledgement – realized through Destination Options Headers
– Binding Cache integrated with Destination Cache
15
Mobile IPv6 proposalMobile IPv6 proposal
HAHA
MNMN CNCN
initial architecture
16
HAMN
CN
17
Mobile IPv6Mobile IPv6
HA
MN
CNg y
k = gxy
g x
g y
{BU} k
18
Mobile IPv6Mobile IPv6
HA
MN
CN
19
Mobile IPv6Mobile IPv6
HA
MN
CN
20
Mobile IPv6 proposalMobile IPv6 proposal
MNMN CNCN
session architecture
21
EE
EE
EE
Mobile IPv6 proposalMobile IPv6 proposal
HAHA
MNMN CNCN
EE
actual initial architecture
22
Mobile IPv6Mobile IPv6
HA
MN
CN
g x
g v
g v
E
k = g uyEC
k = gME xv
g ug y
23
Mobile IPv6 proposalMobile IPv6 proposal
MNMN EE CNCN
possible session architecture
24
TaskTask
Use especs
to add authentication!
25
TaskTask
• Assess tradeoff between• maximizing strength of authentication
• minimizing need for infrastructure
26
MN’s viewMN’s view
(u) (ux/k)
gx (u) ux/k
(x) gx (u) ux/k
espec MN
27
CN’s viewCN’s view
gy (wy/k)
(y) gy (wy/k)
(w) (y) gy (wy/k)
espec CN
28
BU architectureBU architecture
espec CN
espec MN
espec HAespec Net espec BU
29
(aspects of especs)(aspects of especs)
• genericity– all agents are instances of cord espec
• automated – composition of agents
– trace generation
• support for formal analysis– model checking
– theorem proving
– invariant generation
30
BU architectureBU architecture
espec CN
espec MN
espec HAespec Net espec BU
31
BU architectureBU architecture
espec CN
espec MN
espec HAespec Net diag BU
32
(aspects of especs)(aspects of especs)
• adjustable abstraction level
• stratification:– agents: process calculus
– protocols: especs
– architectures: diagrams
» network connectors and components
» infrastructure and chain of trust
» information flow
» …
33
BU architectureBU architecture
diag BU
34
BU refinementBU refinement
diag BU
diagAuthKeyExch
diagKeyExch
diagAuthBU
Lib
Lib
35
(aspects of especs)(aspects of especs)
• development (programming, generation)– top-down: refinement
» morphisms: inheritance, genericity
– bottom-up: composition» pushouts
» emergent and vanishing properties
» game theory, linear logic (strategies)
– program transformation » authentication compiler (Bellare-Canetti-Krawczyk)
» optimization
– adaptation» specification-carrying software
36
BU refinementBU refinement
diag BU
diagAuthKeyExch
diagKeyExch
diagAuthBU
Lib
Lib
37
AuthBU architectureAuthBU architecture
especAuthCN
especAuthMN
especHACN
espec Net
especHAMN
diag AuthBU
38
gx (u,v) (v/{gx,u}hm) (ux/k)
(u,v) (v/{gx,u}hm) (ux/k)
(v/{gx,u}hm) (ux/k)
(x) gx (u,v) (v/{gx,u}hm) (ux/k)
especAuthMN
AuthMN’s viewAuthMN’s view
39
EE
EE
EE
Authenticated MIPv6Authenticated MIPv6
HAHA
MNMN CNCN
EEHAHA
initial architecture
40
MN CN
k = gxy
HA MN HA CN
g x
g , g ,{g , g } x y
hc
x y
g , g ,{g , g } x y
sg
x y
g ,{g , g } x y
hm
y
41
MN CN
HA MN HA CN
{iMN, gy, s}hc
s
{iCN, iMN, gy, s}pk {iCN, iMN, gy, s}sg
s = {iCN, iMN, gx , gy}k
{iMN, gy, s}hm
k = gxy
g x
42
MN CN
HA MN HA CN
{iMN, gy, s}hc
s
{iCN, iMN, gy, s, {iCN, iMN, gy, s}sg }pk
s = {iCN, iMN, gx , gy}k
{s, gy, iMN}hm
k = gxy
g x
43
Authenticated MIPv6Authenticated MIPv6
MNMN CNCN
assured session architecture
44
VariationsVariations
• weaker authentications:– one-way: no PKI, just certificates, or AAA - no anonymity
– first time unauthenticated (like SSH), then chained hashing
• stronger authentications:– privacy
– anonymity, non-repudiation
• dynamic infrastructure– no shared secret: databases of “fingerprints”
– authenticating by non-forgeable capability
– authenticating by divided secret
45
(aspects of especs)(aspects of especs)
• additional aspects:– information flow
– information hiding
– cryptography
– …
46
Ongoing workOngoing work
IMPLEMENT the tool!
47
PapersPapers
• Authentication for Mobile IPv6
– with A. Datta, J. Mitchell and F. Muller
• Composition and refinement of behavioral specifications
– with D. Smith
• Guarded transitions in evolving specifications
– with D. Smith
http://www.kestrel.edu/users/pavlovic/
48
(cord spaces)(cord spaces)
(names) N ::= X | A
(terms) t ::= x | a | N | t,...,t | {t}N
(strands) S ::= aS
(cords) C ::= [S]
(actions) a ::= t | (x) | (t/p(x))
(interaction) [(x)R] [tS] ... [R(t/x)] [S] ...
(reaction) [(p(t)/p(x))R] ... [R(t/x)]...
FV(t) =
FV(t) =
49
What are especs?What are especs?
• diagrams of specs
• specification-carrying programs
• in a development environment supporting– refinement (top-down)
– composition (bottom-up)
– synthesis of verified code
• programming language with– guarded commands
– logical annotations as first-class citizens (available at runtime)
– procedural abstraction and refinement
50
What are specs?What are specs?
spec Poset is sort X op < : X*X -> Bool ax trans is x<y /\ y<z => x<z ax sym...end-spec
spec Semilattice is sort X op V in : X*X -> X cons b : X
ax assoc is (xVy)Vz = xV(yVz)…end-spec
x<y xVy=y
spec BinR
spec AsymRspec RefR spec TranR
spec BinO
spec Comm spec Involspec Assoc
51
What are especs?What are especs?
espec Basic_Acct is spec … end-spec
prog stad Create init[X] is… stad Amount[self] is… … step Depos[self,d]: Amount[self] -> Amount[self,d] cond d>0 balance(self)|-> balance(self)+d end-step end-progend-espec
Create
AmountDepos
espec Savings_Acct is spec … end-spec
prog stad Create init[X] is … stad Accum… step Transfer… … end-step …
end-progend-espec
Create
AmountDepos Accum