Team Automata for Security Analysis of MulticastBroadcast Communication

1
Team Automata for Security Analysis(of
Multicast/Broadcast Communication)

• Maurice ter Beek1, Gabriele Lenzini1,2, Marinella
  Petrocchi3
• 1 ISTI, CNR, Pisa, Italy
• 2 Dept. of CS, University of Twente, The
  Netherlands
• 3 Istituto di Informatica e Telematica, CNR,
  Pisa, Italy
• WISP 2003
• 1st Workshop on Issues in Security and Petri nets
• Eindhoven, The Netherlands, 23 June 2003
• Technical Report, University of Twente, The
  Netherlands

2
Multicast/Broadcast technology
Unicast sending a message through a
point-to-point connection Broadcast flooding
a message to all the connected recipients
using a single local transmit operation (e.g.
ordinary TV) Multicast sending a message to a
set of designated recipients using a single
local transmit operation (e.g. pay-per-view
TV) M/B technology was born with the intent of
saving resources (e.g. bandwidth CPU time)
w.r.t. unicast
3
Stream signature protocols

• send digital streams, i.e. long (potentially
  infinite) sequences of bits, as packets
• guarantee authenticity and integrity
• aim at minimizing the computational cost of
  signing and verifying packets

a sender broadcasts a
continuous stream to a possibly
unbounded number of receivers Features
receivers use information retrieved in
earlier packets to authenticate later packets
(or v.v.)
4
Tolerating packet loss

• digital streams are usually sent over the User
  Data Protocol, an unreliable transport protocol
• this may cause packet loss, i.e. the stream may
  be received incomplete by (a part of) the
  recipients
• a stream signature protocol tolerates packet loss
  if it still allows a recipient to verify all
  packets that are not lost

5
The EMSS family of protocols

• Efficient Multi-chained Stream Signature family
  of protocols to sign digital streams (Perrig et
  al., IEEE SP 2000)
• basic idea a hash of packet Pi is appended to
  packet Pi-1 (whose hash is in turn appended to
  packet Pi-2 , etc.)
• signature packet Psign at the end of the stream
• each packet contains multiple hashes of previous
  packets and the signature packet contains hashes
  of multiple packets
• multiple copies of the signature packet are sent

6
The (1,2) deterministic EMSS
Packet Pi
Packet Pi1
Packet Pi-1
Mi Hash(Pi-1) Hash(Pi-2)
Mi-1 Hash(Pi-2) Hash(Pi-3)
Mi1 Hash(Pi) Hash(Pi-1)
. . .
Time / Number of packets
EMSS achieves (some) robustness against packet
loss
7
Broadcast communication in TA max-ai
broadcast TA S,R1,,Ri,,Rn
8
The insecure communication scenario
TR
TR
TS
assertions
TR
public send
public receive
TIC
TP
TI
eavesdrop
inject
(Lynch, CSFW99)
9
Generalized Non-Deducibility on Compositions

• P ? GNDC iff (P ) \C
  ?(P)
• A system specification P satisfies GNDC if the
  behavior of P,
• despite the presence of the most general
  intruder ,
• with initial knowledge and communication
  channels ,
• appears to be the same (w.r.t. a behavioural
  relation )
• as the expected (correct) behaviour of
  P
• (Focardi-Martinelli, FM99 Focardi et al.,
  ICALP00)
• 
  composition, hiding

Top
?
Top
?
C
?
?(P)
\