relating multiset rewriting and process algebra for immediate decryption protocols
DESCRIPTION
Relating Multiset Rewriting and Process Algebra for Immediate Decryption Protocols. Iliano Cervesato [email protected] ITT Industries, inc @ NRL Washington, DC http://www.cs.stanford.edu/~iliano. Joint work with S. Bistarelli, G. Lenzini, and F. Martinelli. UMBC meeting. - PowerPoint PPT PresentationTRANSCRIPT
Relating Multiset Rewritingand Process Algebrafor Immediate Decryption Protocols
Iliano [email protected]
ITT Industries, inc @ NRL Washington, DChttp://www.cs.stanford.edu/~iliano
UMBC meeting June 10-11, 2003
Joint work with S. Bistarelli, G. Lenzini, and F. Martinelli
MSR <-> PA
Objective
Relate specification languages for security protocolsMSR <-> strands [CSFW’00]
MSR <-> linear logic [MFPS’00]
MSR <-> Process Algebras
Non-Objective (for now)
Reachability analysis <-> bisimulationVerification methodologies not considered
MSR <-> PA
Why MSR?
Model of specification underlies numerous languages and toolsCIL/CAPSLNRL Protocol AnalyzerPaulson’s Isabelle specificationsMur…
Simple and well-understood foundationsDistributed systems
Petri netsLinear logicRewriting theory
MSR <-> PA
Multiset Rewriting + Existentials
msets of 1st-order atomic formulas Rules:
r: F(x) n. G(x,n) Application
This is MSR 1.0
rM’, F(t) M’, G(t,c)
r M1 M2
c not in M1
MSR 2.0:
+ strong typing
+ constraints
+ domain-specific enhancements
MSR <-> PA
Which Process Algebra?
“PA” Inspired to
CCS-calculus
Only primitives used for protocols As a programming language for
protocolsReachabilityNot simulation/equivalence
MSR <-> PA
“PA”
Sequential processesP ::= 0 | a(t).P | a(t).P | x.P
Parallel processesQ ::= 0 | P || Q | !P || Q
(P, ||, 0) monoidEquivalence
Reactiont = []t’
Q || a(t).P || a(t’).P’ -> Q || P || []P’
MSR <-> PA
MSR PA … in General
Very different paradigmsMSR
state transitionPA
contact evolution
Non trivial MSR -> PA: granularity of actions PA -> MSR: excise state
Reachability-preservingNon bijective
Many attempts in the literatureChemical abstract machine, …
MSR <-> PA
MSR PA … for Protocols
Much simpler!
Take natural specificationsin MSRin PA
Bijective correspondence(to a large extent)
MSR <-> PA
MSR for Security Protocols
Fixed predicatesN(m) Network messages I(m) Intruder info.Ai(t1,…,tni) Role statesPr, PrvK, PubK, … Persistent info.
Fixed formatProtocol given as set of rolesDolev-Yao intruder spec.
(more freedom in MSR 2.0)
MSR <-> PA
Roles in MSR
One instantiation rule(x) n. A0(x,n), (x)
Several execution rulesSend
Ai(z) Ai+1(z), N(t)
ReceiveAi(z), N(t) Ai+1(z,xt)
Capturesonly
immediatedecryptionprotocols
MSR <-> PA
NSPK (initiator) in MSR
A(A,B) A0(A,B), A(A,B)
A0(A,B) NA. A1(A,B,NA), N({NA,A}KB)
A1(A,B, NA), N({NA,NB}KA) A2(A,B,NA,NB)
A2(A,B,NA,NB) A3(A,B,NA,NB), N({NB}KB)
whereA(A,B) = Pr(A), PrvK(A,KA-1),
Pr(B), PubK(B,KB)
MSR <-> PA
MSR Configurations
RulesU Protocol roles I Intruder role
StateN(t) Network messagesAi(t) Role state predicates(t) Persistent knowledgeI(t) Intruder knowledge
MSR <-> PA
Security Protocols in PA
Fixed set of nameNi, No, , I
Fixed structure of “Security Process”Q!net = ! Ni(x). No(x). 0 Network processQ! = || P Roles
!(x). n. P’• input on No
• output on Ni
Q!I Dolev-Yao IntruderQ! Persistent informationQI0 Initial intruder knowledge
Q!
Capturesonly
immediatedecryptionprotocols
MSR <-> PA
NSPK (initiator) in PA
A(A,B). NA
Ni({NA,A}KB) .
No({NA,NB}KA).
Ni({NB}KB) .
0
MSR <-> PA
Process State
Q! Replicated process
Q Unreplicated partQI Intruder knowledge
Qnet Buffered network messages
Q Roles in mid-execution
MSR <-> PA
MSR into PA
RulesU Q! + Q!net
Instantiation rule “!(x). n.” prefix “Ai(z) Ai+1(z), N(t)” Ni(t). <ri+1> “Ai(z), N(t) Ai+1(z,xt)” No(t). <ri+1>
I Q!I
StateN(t) Qnet
Ai(t) Q
(t) Q!
I(t) QI
NSPKMSR NSPKPA
Capturesonly
immediatedecryptionprotocols
MSR <-> PA
PA into MSR
Essentially the inverse transformationQ! U
Invent Ai’s Carry over substitutions
Q!I I
NSPKPA NSPKMSR
(for -convertible Ai’s)
MSR <-> PA
The Intruder
I(<x1,x2>) -> I(x1), I(x2)
I(x) -> I(x), I(x)
I(x1), I(x2) -> I(<x1,x2>)
I(<x1,x2>). I(x1). 0
I(<x1,x2>). I(x2). 0
I(x). I(x). I(x). 0
I(x1). I(x2). I(<x1,x2>). 0
1-1 correspondence, but …
MSR <-> PA
Correspondence
Proof technique: weak bi-simulationObservables
Network messages Intruder knowledge
MSR
PA*
*
MSR <-> PA
Delayed Decryption Protocols
Arguments of Ai’s may be termsExplicit pattern matching in PA
Add non-trivial complicationsRequires proper scheduling of matchingsMatching after input may cause deadlock
SolutionsWITS’03 unsatisfactory Intermediate MSR with explicit scheduling
MSR <-> PA
Conclusions
Formal relation between MSR and PAAs used for security protocolsNon trivial (yet mostly bijective)Technique similar to MSR <-> strands
… And future workMSR 3.0Strict comparison with spi-calculusRelating methodologies