Relating Multiset Rewriting and Process Algebra for Security Protocol Specification PowerPoint PPT Presentation

presentation player overlay
1 / 20
About This Presentation
Transcript and Presenter's Notes

Title: Relating Multiset Rewriting and Process Algebra for Security Protocol Specification


1
Relating Multiset Rewritingand Process
Algebrafor Security Protocol Specification
  • Iliano Cervesato iliano_at_itd.nrl.navy.mil
  • ITT Industries, inc _at_ NRL Washington, DC
  • http//www.cs.stanford.edu/iliano

Joint work with S. Bistarelli, G. Lenzini, and F.
Martinelli
Tulane University, New Orleans, LA
April 17, 2003
2
Objective
  • Relate specification languages for security
    protocols
  • MSR lt-gt strands CSFW00
  • MSR lt-gt linear logic MFPS00
  • MSR lt-gt Process Algebras
  • Non-Objective (for now)
  • Reachability analysis lt-gt bisimulation
  • Verification methodologies not considered

3
Why MSR?
  • Model of specification underlies numerous
    languages and tools
  • CIL/CAPSL
  • NRL Protocol Analyzer
  • Paulsons Isabelle specifications
  • Murf
  • Simple and well-understood foundations
  • Distributed systems
  • Petri nets
  • Linear logic
  • Rewriting theory

4
Multiset Rewriting Existentials
  • msets of 1st-order atomic formulas
  • Rules
  • r F(x) ? ?n. G(x,n)
  • Application
  • This is MSR 1.0

MSR 2.0 strong typing constraints
domain-specific enhancements
c not in M1
5
Which Process Algebra?
  • PA
  • Inspired to
  • CCS
  • p-calculus
  • Only primitives used for protocols
  • As a programming language for protocols
  • Reachability
  • Not simulation/equivalence

6
PA
  • Sequential processes
  • P 0 a(x).P a(t).P xtP nx.P
  • Parallel processes
  • Q 0 P Q !P Q
  • (P, , 0) monoid
  • Equivalence ?
  • Reaction

Q a(t).P a(x).P -gt Q P t/xP
7
MSR ? PA in General
  • Very different paradigms
  • MSR
  • state transition
  • PA
  • contact evolution
  • Non trivial
  • MSR -gt PA granularity of actions
  • PA -gt MSR excise state
  • Reachability-preserving
  • Non bijective

8
MSR ? PA for Protocols
  • Much simpler!
  • Take natural specifications
  • in MSR
  • in PA
  • Bijective correspondence
  • (to a large extent)

9
MSR for Security Protocols
  • Fixed predicates
  • N(m) Network messages
  • I(m) Intruder info.
  • Ai(t1,,tni) Role states
  • Pr, PrvK, PubK, Persistent info.
  • Fixed format
  • Protocol given as set of roles
  • Dolev-Yao intruder spec.
  • (more freedom in MSR 2.0)

10
Roles in MSR
  • One instantiation rule
  • p(x) ? n. A0(x,n), p(x)
  • Several execution rules
  • Send
  • Ai(z) ? Ai1(z), N(t)
  • Receive
  • Ai(t), N(t) ? Ai1(zt,xt)

11
NSPK (initiator) in MSR
  • pA(A,B) ? A0(A,B), pA(A,B)
  • A0(A,B) ? ?NA. A1(A,B,NA), N(NA,AKB)
  • A1(A,B, NA), N(NA,NBKA) ? A2(A,B,NA,NB)
  • A2(A,B,NA,NB) ? A3(A,B,NA,NB), N(NBKB)

where pA(A,B) Pr(A), PrvK(A,KA-1),
Pr(B), PubK(B,KB)
12
MSR Configurations
  • Rules
  • Ur Protocol roles
  • rI Intruder role
  • State
  • N(t) Network messages
  • Ai(t) Role state predicates
  • p(t) Persistent knowledge
  • I(t) Intruder knowledge

13
Security Protocols in PA
  • Fixed set of name
  • Ni, No, p, I
  • Fixed structure of Security Process
  • Q!net ! Ni(x). No(x). 0 Network process
  • Q!r r Pr Roles
  • ! p(x). nn. P
  • input on No
  • output on Ni
  • pattern matching
  • Q!I Dolev-Yao Intruder
  • Q!p Persistent information
  • QI0 Initial intruder knowledge

14
NSPK (initiator) in PA
  • pA(A,B). nNA Ni(NA,AKB) .No(x). x
    NA,NBKANi(NBKB) .0

15
Process State
  • Q! Replicated process
  • Q Unreplicated part
  • QI Intruder knowledge
  • Qnet Buffered network messages
  • Qr Roles in mid-execution

16
MSR into PA
  • Rules
  • Ur ? Q!r Q!net
  • Instantiation rule ? ! p(x). nn. prefix
  • Ai(z) ? Ai1(z), N(t) ? Ni(t). ltri1gt
  • Ai(t), N(t) ? Ai1(zt,xt) ? No(x). xt
    zt ltri1gt
  • rI ? Q!I
  • State
  • N(t) ? Qnet
  • Ai(t) ? Qr
  • p(t) ? Q!p
  • I(t) ? QI

NSPKMSR ? NSPKPA (once reducing variable
renamings) xx
17
PA into MSR
  • Essentially the inverse transformation
  • Q!r ? Ur
  • Invent Ais
  • Carry over substitutions
  • Q!I ? rI

NSPKPA ? NSPKMSR (for a-convertible Ais)
18
The Intruder
1-1 correspondence, but
  • I(ltx1,x2gt) -gt I(x1), I(x2)
  • I(x) -gt I(x), I(x)
  • I(x1), I(x2) -gt I(ltx1,x2gt)
  • I(ltx1,x2gt). I(x1). 0
  • I(ltx1,x2gt). I(x2). 0
  • I(x). I(x). I(x). 0
  • I(x1). I(x2). I(ltx1,x2gt). 0

19
Correspondence
MSR
PA
  • Proof technique weak bi-simulation
  • Observables
  • Network messages
  • Intruder knowledge

20
Conclusions
  • Formal relation between MSR and PA
  • As used for security protocols
  • Non trivial (yet mostly bijective)
  • Technique similar to MSR lt-gt strands
  • And future work
  • MSR 3.0
  • Strict comparison with spi-calculus
  • Relating methodologies
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2025 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The : "Relating Multiset Rewriting and Process Algebra for Security Protocol Specification" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!