Graduate Course on Computer Security Lecture 7: Specification Languages

December 6, 2001. DIMI, Universita' di Udine, Italy. Graduate ... k-1 is just k for shared key ciphers. No collisions {m1}kA = {m2}kB iff m1 = m2 and kA = kB ...

1
Graduate Course on Computer Security Lecture 7
Specification Languages
  • Iliano Cervesato iliano@itd.nrl.navy.mil
  • ITT Industries, Inc @ NRL Washington DC
  • http://www.cs.stanford.edu/iliano/

2
Outline
  • Dolev-Yao model
  • Specification
  • Evaluation criteria
  • Some languages
  • Usual notation
  • BAN logic
  • Spi calculus
  • Strand spaces
  • Inductive methods
  • CAPSL
  • MSR
  • Motivations
  • Syntax
  • Type checking
  • DAS Data Access Specification
  • Execution

3
Why is Protocol Analysis Difficult?
  • Subtle cryptographic primitives
  • Dolev-Yao abstraction
  • Lecture 4, and a bit more in this lecture
  • Distributed hostile environment
  • Prudent engineering practice
  • Lecture 4
  • Inadequate specification languages
  • This lecture

4
Dolev-Yao Network Model
Bob
Alice
Network
Server
Dan
Charlie
5
The Dolev-Yao Model of Security
  • Symbolic data

kA
01001011010
  • No bits
  • Black-box cryptography
  • No guessing of keys
  • Partially abstract data access
  • Found in most protocol analysis tools
  • Tractability

6
Perfect Cryptography
  • k^-1 is needed to decrypt {m}k
  • k^-1 is just k for shared key ciphers
  • No collisions
  • {m1}kA = {m2}kB iff m1 = m2 and kA = kB
  • {m}k = n never
  • {m}k = (m1 m2) never
  • We will relax this to handle type violations
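
Added example (not part of the original slides): a small Python model of symbolic data with black-box encryption, computing what an observer can extract from recorded traffic. The pk(X)/sk(X) key naming, the sample traffic and the function names are assumptions made for this sketch; analz and synth borrow the names used later for the inductive method.

```python
# Symbolic Dolev-Yao terms: atoms are strings, compound terms are tagged tuples.
def pair(a, b):
    return ("pair", a, b)

def enc(m, k):
    return ("enc", m, k)  # {m}k

def inverse(k):
    # Assumed naming for this sketch: pk(X) and sk(X) are inverses of each
    # other; any other key is a shared key, so k^-1 is just k.
    if isinstance(k, str) and k[:3] in ("pk(", "sk("):
        return ("sk(" if k[:3] == "pk(" else "pk(") + k[3:]
    return k

def analz(knowledge):
    """Close a set of terms under pair splitting and decryption with known k^-1."""
    known = set(knowledge)
    changed = True
    while changed:  # repeat until no new term appears (a key may be learned late)
        changed = False
        for t in list(known):
            if isinstance(t, tuple) and t[0] == "pair":
                parts = {t[1], t[2]}
            elif isinstance(t, tuple) and t[0] == "enc" and inverse(t[2]) in known:
                parts = {t[1]}
            else:
                parts = set()  # atoms are opaque: no bits, no key guessing
            if not parts <= known:
                known |= parts
                changed = True
    return known

def synth(term, known):
    """True if term can be built from known terms by pairing and encrypting."""
    if term in known:
        return True
    return isinstance(term, tuple) and all(synth(x, known) for x in term[1:])

# Constructed sample: public data plus three recorded ciphertexts.
PUBLIC = {"A", "B", "I", "pk(A)", "pk(B)", "pk(I)", "sk(I)"}
TRAFFIC = {enc(pair("nA", "A"), "pk(B)"),
           enc(pair("nA", "nB"), "pk(A)"),
           enc("nB", "pk(B)")}

def observer_view(extra=()):
    """Terms derivable from the public data, the traffic and any extra terms."""
    return analz(PUBLIC | TRAFFIC | set(extra))
```

With only public data the nonces stay out of the closure; adding sk(B) to the input puts both nA and nB in it.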

7
Public Knowledge Soup
  • Free access to auxiliary data
  • Abstracts actual mechanisms
  • Transmission of certificates
  • Invocation of subprotocols
  • Caching
  • But
  • not all data are public
  • keys
  • secrets

8
Why is specification important?
good
  • Documentation
  • Communicate
  • Engineering
  • Implementation
  • Verification tools
  • Science
  • Foundations
  • Assist engineering

9
Languages to Specify What?
  • Message flow
  • Message constituents
  • Operating environment
  • Protocol goals

10
Desirable Properties
  • Unambiguous
  • Simple
  • Flexible
  • Adapts to protocols
  • Powerful
  • Applies to a wide class of protocols
  • Insightful
  • Gives insight about protocols

11
Language Families
  • Usual notation
  • (user interfaces)
  • Knowledge logic
  • BAN
  • Process theory
  • Spi-calculus
  • Strands
  • MSR
  • FDR, Casper
  • Petri nets
  • Inductive methods
  • Temporal logic
  • Automata
  • CAPSL
  • NRL Protocol Analyzer
  • Murφ
  • Why so many?
  • Experience from mature fields
  • Unifying problem
  • Scientifically intriguing
  • Funding opportunities
  • Convergence of approaches

12
Running Example
Needham-Schroeder public key protocol (fragment)
  • Devised in '78
  • Broken in '95!
  • But
  • purely academic
  • attack subject to interpretation

Example of weak specification !
13
Usual Notation
A -> B: {nA, A}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
14
Evaluation of the Usual Notation
  • Flow: Expected run
  • Constituents: Side remarks
  • Environment: Side remarks
  • Goals: Side remarks
  • Unambiguous
  • Simple
  • Flexible
  • Powerful
  • Insightful

15
BAN Logic Burrows, Abadi, Needham
  • Roots in belief logic
  • Reason about knowledge as protocol unfolds
  • Security principals share same view
  • Specification
  • Usual notation
  • Idealized protocol
  • Assumptions
  • Goals
  • Verification
  • Logical inference

16
BAN Idealization
A -> B: {A, nA}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
NS-PK 3-5
nB is a shared secret between A and B
nA provides evidence to the fact that
A ? B nAkB B ? A ?A ?nB? B?nAkA A ? B ?A
?nA? B, B ? A ?nB? B ?nBkB
Believes
(more readable syntax proposed later)
17
BAN Assumptions
A -> B: {A, nA}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
NS-PK 3-5
kA is the public key of A
nA is fresh
  • A ? ?kA A
  • A ? ?kB B
  • A ? nA
  • A ? A ?nA? B
  • B ? ?kB B
  • B ? ?kA A
  • B ? nB
  • B ? A ?nB? B

18
BAN Goals
A -> B: {A, nA}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
NS-PK 3-5
  • Authentication goals expressed in terms of
  • Mutual beliefs
  • Beliefs about freshness
  • B ? A ? A ?nA? B
  • A ? B ? A ?nB? B
  • A ? nB
  • B ? nA
  • Formally derived from BAN rules

19
Evaluation of BAN
  • Flow: Idealized run
  • Constituents: Assumptions
  • Environment: Implicit
  • Goals: BAN formulas
  • Unambiguous
  • Simple
  • Flexible
  • Powerful
  • Insightful

20
The Spi-Calculus Abadi, Gordon
  • π-calculus with cryptographic constructs
  • Specification
  • 1 process for each role
  • Instance to be studied
  • Intruder not explicitly modeled
  • Verification
  • Process equivalence to reference process

21
The Syntax of Spi
22
Spi NS Initiator
A -> B: {A, nA}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
NS-PK 3-5
  • init(A,B,cAB,kB,kA-) =
  • (νnA) cAB<{A, nA}kB> .
  • cAB(x) . case x of {y}kA- in
  • let (y1,y2) = y in [y1 is nA]
  • cAB<{y2}kB> .
  • 0

23
Spi NS Responder
A -> B: {A, nA}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
NS-PK 3-5
  • resp(B,A,cAB,kA,kB-) =
  • cAB(x) . case x of {y}kB- in
  • let (y1,y2) = y in [y1 is A]
  • (νnB) cAB<{y2, nB}kA> .
  • cAB(x) . case x of {y}kB- in [y is nB]
  • 0

24
Spi NS Instance
A -> B: {A, nA}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
NS-PK 3-5
  • inst(A,B,cAB) =
  • (νkA) (νkB)
  • ( init(A,B,cAB,kB,kA-) |
  • resp(B,A,cAB,kA,kB-))

25
Evaluation of Spi
  • Unambiguous
  • Simple
  • Flexible
  • Powerful
  • Insightful
  • Flow: Role-based
  • Constituents: Informal math.
  • Environment: Implicit
  • Goals: Reference process

26
Strand Spaces Guttman, Thayer
  • Roots in trace theory
  • Lamport's causality
  • Mazurkiewicz's traces
  • Specification
  • Strands
  • Sets of principals, keys,
  • Verification
  • Authentication tests
  • Model checking

27
Strands
A -> B: {A, nA}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
NS-PK 3-5
Initiator strand
Responder strand
28
Evaluation of Strands
  • Flow: Role-based
  • Constituents: Informal math.
  • Environment: Side remarks
  • Goals: Side remarks
  • Unambiguous
  • Simple
  • Flexible
  • Powerful
  • Insightful

29
Inductive Methods Paulson
  • Protocol inductively defines traces
  • Specification
  • 1 inductive rule for each protocol rule
  • Universal intruder based on language
  • Verification
  • Theorem proving (Isabelle HOL)
  • Related methods
  • Bolignano

30
IMs NS
A -> B: {A, nA}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
NS-PK 3-5
  • NS1 evs ? ns A ? B Nonce NA? used evs
  • ? Says A B Nonce NA, Agent A KB evs ? ns
  • NS2 evs ? ns A ? B Nonce NB? used evs
  • Says A B Nonce NA, Agent A KB ? set
    evs
  • ? Says B A Nonce NA, Nonce NA KA evs ? ns
  • NS3 evs ? ns
  • Says A B Nonce NA, Agent A KB ? set evs
  • Says B A Nonce NA, Nonce NA KA ? set evs
  • ? Says A B Nonce NA KB evs ? ns

31
IMs Environment
  • Nil ? ns
  • Fake evs ? ns B?Spy X ? synth(analz (spies
    evs))
  • ? Says Spy B X evs ? ns
  • synth, analz, spies, protocol independent

32
Evaluation of Inductive Methods
  • Unambiguous
  • Simple
  • Flexible
  • Powerful
  • Insightful
  • Flow: Trace-based
  • Constituents: Formalized math.
  • Environment: Immutable
  • Goals: Imposs. traces

33
CAPSL Millen
  • Ad-hoc model checker
  • Specification
  • Special-purpose language
  • Intruder built-in
  • Implementation
  • CIL Denker -> similar to MSR
  • Related systems
  • Murφ Shmatikov, Stern
  • SMV Clarke, Jha, Marrero

34
CAPSL
A -> B: {A, nA}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
NS-PK 3-5
  • PROTOCOL NS
  • VARIABLES
  • A, B PKUser
  • Na, Nb Nonce, CRYPTO
  • ASSUMPTIONS
  • HOLDS A B

MESSAGES
A -> B: {A, Na}pk(B)
B -> A: {Na, Nb}pk(A)
A -> B: {Nb}pk(B)
GOALS
SECRET Na
SECRET Nb
PRECEDES A B Na
PRECEDES B A Nb
END
35
Evaluation of CAPSL
  • Unambiguous
  • Simple
  • Flexible
  • Powerful
  • Insightful
  • Flow: Explicit run
  • Constituents: Declarations
  • Environment: Implicit
  • Goals: Properties

36
MSR Cervesato, Durgin, Lincoln, Mitchell,
Scedrov
  • A specification language based on
  • MultiSet Rewriting with existentials
  • MSR 1.0
  • Designed to prove the undecidability of protocol
    correctness verification
  • Poor specification language
  • Error-prone
  • Limited automated assistance
  • Limited support for verification
  • MSR 2.0
  • Redesign of MSR 1.0 as a specification language
  • Easy to use
  • Support for automation
  • New background in type-theory
  • Margin for verification
  • Current techniques can be adapted

37
Evaluation of MSR 2.0
  • Unambiguous
  • Simple
  • Flexible
  • Powerful
  • Insightful
  • Flow: Role-based
  • Constituents: Strong typing
  • Environment: In part
  • Goals

38
Roadmap to MSR
  • Step-by-step specification of example
  • Neuman-Stubblebine protocol
  • Language description
  • Syntax
  • Typing
  • Data Access Control DAS
  • Execution semantics
  • Properties
  • More examples
  • NS-PK3-5

39
Multiset Rewriting
  • Multiset: set with repetitions allowed
  • Rewrite rule
  • r: N1 -> N2
  • Application
  • Multi-step transition, reachability

M1 -r-> M2
M, N1 -r-> M, N2
40
NSt-I B's Role
A -> B: A, nA
B -> S: B, {A,nA,tB}kBS, nB
S -> A: {B,nA,kAB,tB}kAB, T
A -> B: T, {nB}kAB
where T = {A,kAB,tB}kBS
A -> B: A, nA
B -> S: B, {A, nA, tB}kBS, nB
S -> A: {B, nA, kAB, tB}kAS, {A, kAB, tB}kBS, nB
A -> B: {A, kAB, tB}kBS, {nB}kAB
Neuman-Stubblebine phase I
41
NSt-I S's Role
A -> B: A, nA
B -> S: B, {A,nA,tB}kBS, nB
S -> A: {B,nA,kAB,tB}kAB, T
A -> B: T, {nB}kAB
where T = {A,kAB,tB}kBS
A -> B: A, nA
B -> S: B, {A, nA, tB}kBS, nB
S -> A: {B, nA, kAB, tB}kAS, {A, kAB, tB}kBS, nB
A -> B: {A, kAB, tB}kBS, {nB}kAB
Neuman-Stubblebine phase I
42
NSt-I A's Role
A -> B: A, nA
B -> S: B, {A,nA,tB}kBS, nB
S -> A: {B,nA,kAB,tB}kAB, T
A -> B: T, {nB}kAB
where T = {A,kAB,tB}kBS
A -> B: A, nA
B -> S: B, {A, nA, tB}kBS, nB
S -> A: {B, nA, kAB, tB}kAS, {A, kAB, tB}kBS, nB
A -> B: {A, kAB, tB}kBS, {nB}kAB
Neuman-Stubblebine phase I
X
X
Ticket
Ticket
43
Sending / Receiving Messages
N(A, nA)
?
?
Network predicate N(m): m is a message in transit
N(B,nA,kAB,tBkAS,X,nB)
N(X,nBkAB)
?
44
Terms
  • Atomic terms
  • Principal names A
  • Keys k
  • Nonces n
  • Term constructors
  • (_ _)
  • {_}_

45
Nonces
A -> B: A, nA
B -> S: B, {A,nA,tB}kBS, nB
S -> A: {B,nA,kAB,tB}kAB, T
A -> B: T, {nB}kAB
Neuman-Stubblebine phase I
?
?
N(A, nA)
N(B,nA,kAB,tBkAS, X, nB)
N(X, nBkAB)
?
46
MSet Rewriting with Existentials
  • Multisets of 1st-order atomic formulas
  • Rules
  • r: F(x) -> ∃n. G(x,n)
  • Application

c not in M1
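
Added example (not part of the original slides): a minimal Python engine for multiset rewriting with existentials, where firing a rule replaces each existential variable with a constant that does not yet occur in the state. The flat-tuple fact encoding, the "?x" variable convention and the two rules INIT and RESP (which leave encryption out) are constructed for this sketch.

```python
from collections import Counter

def match(pattern, fact, env):
    """Match one pattern atom against a ground fact; return extended bindings or None."""
    if len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern, fact):
        if p.startswith("?"):
            if env.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return env

def matches(lhs, state, env):
    """Yield bindings for every way the atoms of lhs embed into the multiset state."""
    if not lhs:
        yield env
        return
    for fact in list(state):
        e = match(lhs[0], fact, env)
        if e is not None:
            # remove the matched copy so a repeated atom needs a second copy
            yield from matches(lhs[1:], state - Counter([fact]), e)

def apply_rule(rule, state):
    """One step M, F(x) -> M, G(x, c) where each c is a constant not occurring in M."""
    lhs, fresh, rhs = rule
    for env in matches(lhs, state, {}):
        used = {arg for fact in state for arg in fact}
        for var in fresh:
            i = 1
            while f"n{i}" in used:
                i += 1
            env[var] = f"n{i}"
            used.add(f"n{i}")
        inst = lambda atom: tuple(env.get(a, a) for a in atom)
        return state - Counter(map(inst, lhs)) + Counter(map(inst, rhs))
    return None  # rule not applicable in this state

# Constructed rules of the form r: F(x) -> exists n. G(x, n)
INIT = ([], ["?nA"], [("L", "A", "?nA"), ("N", "A", "?nA")])
RESP = ([("N", "?a", "?na")], ["?nB"], [("N", "B", "?a", "?na", "?nB")])

def run():
    """Start two initiator sessions, then let the responder answer one of them."""
    s = apply_rule(INIT, Counter())
    s = apply_rule(INIT, s)
    return apply_rule(RESP, s)
```

The two INIT firings get distinct nonces n1 and n2, and RESP consumes exactly one network fact while the rest of the multiset is carried over unchanged.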
47
Sequencing Actions
A -> B: A, nA
B -> S: B, {A,nA,tB}kBS, nB
S -> A: {B,nA,kAB,tB}kAB, T
A -> B: T, {nB}kAB
Neuman-Stubblebine phase I
N(A, nA)
?
?
?nA.
?
N(X, nBkAB)
N(B,nA,kAB,tBkAS, X, nB)
48
Role State Predicates
Ll(A,t, , t)
  • Hold data local to a role instance
  • Lifespan role
  • Invoke next rule
  • Ll control
  • (A,t, , t) data

49
Remembering Things
A -> B: A, nA
B -> S: B, {A,nA,tB}kBS, nB
S -> A: {B,nA,kAB,tB}kAB, T
A -> B: T, {nB}kAB
Neuman-Stubblebine phase I
?L.
L(A,nA) N(A, nA)
?
?
?nA.
L(A,nA)N(B,nA,kAB,tBkAS, X, nB)
N(X, nBkAB)
?
50
Memory Predicates
MA(t, , t)
  • Hold private info. across role exec.
  • Support for subprotocols
  • Communicate data
  • Pass control
  • Interface to outside system
  • Implements intruder

51
Role Owner
A -> B: A, nA
B -> S: B, {A,nA,tB}kBS, nB
S -> A: {B,nA,kAB,tB}kAB, T
A -> B: T, {nB}kAB
Neuman-Stubblebine phase I
?L.
L(A,nA) N(A, nA)
?
?
?nA.
L(A,nA)N(B,nA,kAB,tBkAS, X, nB)
N(X, nBkAB)TktA(B,kAB,X)
?
52
What is what?
?A
?L princ x nonce.
L(A,nA) N(A, nA)
?
?
?nAnonce.
L(A,nA)N(B,nA,kAB,tBkAS, X, nB)
N(X, nBkAB)TktA(B,kAB,X)
?
53
Types of Terms
  • A princ
  • n nonce
  • k shK A B
  • k pubK A
  • k privK k
  • (definable)
  • A princ
  • n nonce

54
Subtyping
t msg
  • Allows atomic terms in messages
  • Definable
  • Non-transmittable terms
  • Sub-hierarchies

55
Type of predicates
Sx t. t
  • Dependent sums
  • t(x) x t
  • Forces associations among arguments
  • E.g. princ(A) x pubK A(kA) x privK kA

x
56
Type Checking
New
? P
G t t
t has type t in G
P is well-typed in S
  • Catches
  • Encryption with a nonce
  • Transmission of a long term key

57
Typing Terms
  • t1 msg G t2 msg
  • G t1 t2 msg
  • t msg G k shK A B
  • G tk msg

G, x t, G x t
  • Similar rules for
  • Public key encryption
  • Digital signatures,

58
Typing Types
G msg
G nonce
G time
  • A princ G B princ
  • G shK A B
  • Typing for dependent types relies on typing for
    terms

59
Some Subtyping Rules
t t G t t G t t
princ msg
nonce msg
time msg
shK A B msg
60
Typing Tuples and Tuple Types
G ? ?
G x t G t t/xt G (x,t) t(x) ? t
G ?
G x t G, xt t G t(x) ? t
61
Typing Predicates
G tmsg G N(t)
G, Lt, G t t G, Lt, G L(t)
G, M_t, G (A,t ) t G, M_t, G MA(t)
62
Typing Protocol Rules
G lhs G rhs G lhs ? rhs
G t G, xt r G ? xt. r
63
Typing Roles
G ?
G t G, Lt r G Lt. r
G r G r G r, r
64
Typing Protocol Theories
G ?
S P S, Aprinc r S P, r?A
S , Aprinc P S, Aprinc r S , Aprinc
P, rA
65
Data Access Specification DAS
? ? P
New
r is DAS-valid for A in G
P is DAS-valid in S
G ?A r
  • Catches
  • A signing/encrypting with B's key
  • A accessing B's private data,
  • Gives meaning to Dolev-Yao intruder

66
An Overview of Access Control
  • Interpret incoming information
  • Collect received data
  • Access unknown data
  • Construct outgoing information
  • Generate data
  • Use known data
  • Access new data
  • Verify access to data

67
Processing a Rule
Context
G ?A lhs >> D G D ?A rhs G ?A lhs ? rhs
68
Processing Predicates on the LHS
G D ?A t >> D G D ?A N(t) >> D
  • Network messages

G D ?A t1,,tn >> D G D ?A MA(t1,,tn) >> D
  • Memory predicates

69
Interpreting Data on the LHS
G D ?A t1, t2 >> D G D ?A (t1, t2) >> D
  • Pairs

G D ?A k >> D G D ?A t >> D G D ?A {t}k >> D
  • Encrypted terms

G (D,x) ?A x >> (D,x)
  • Elementary terms

(G,x?) D ?A x >> (D,x)
70
Accessing Data on the LHS
G (D,k) ?A k >> (D,k)
  • Shared keys

(G,xshK A B) D ?A x >> (D,x)
(G,kpubK A,kprivK k) (D,k) ?A k >> (D,k)
  • Public keys

(G,kpubK A,kprivK k) D ?A k >> (D,k)
71
Generating Data on the RHS
(G, xnonce) (D, x) ?A rhs G D ?A ?xnonce.
rhs
  • Nonces

72
Constructing Terms on the RHS
G D ?A t1 G D ?A t2 G D ?A (t1, t2)
  • Pairs

G D ?A t G D ?A k G D ?A tk
  • Shared-key encryptions

73
Accessing Data on the RHS
G, Bprinc ?A B
  • Principal

G, Bprinc, kshK A B ?A k
  • Shared key

G, Bprinc, kpubK B ?A k
  • Public key

G, kpubK A, kprivK k ?A k
  • Private key

74
NS-I B's point of view
A -> B: A, nA
B -> S: B, {A, nA, TB}kBS, nB
S -> A: {B, nA, kAB, TB}kAS, {A, kAB, TB}kBS, nB
A -> B: {A, kAB, TB}kBS, {nB}kAB
75
NS-I B's role
?B
?nBnonce.
76
Constraints
New
c
  • Guards over interpreted domain
  • Abstract
  • Modular
  • Invoke constraint handler
  • E.g. timestamps
  • (TE TN Td)
  • (TN < TE)

77
NS-I S's point of view
A -> B: A, nA
B -> S: B, {A, nA, TB}kBS, nB
S -> A: {B, nA, kAB, TB}kAS, {A, kAB, TB}kBS, nB
A -> B: {A, kAB, TB}kBS, {nB}kAB
78
NS-I S's role
?kAB shK A B.
79
Neuman-Stubblebine Phase II
A -> B: nA, {A, kAB, TB}kBS
B -> A: nB, {nA}kAB
A -> B: {nB}kAB
80
NS-II A's role
?A
?L princ(A) x princ(B) x shK A B x nonce.
?nAnonce.
? Bprinc.? kAB shK A B? X msg
N(nA, X)
?
TktA(B,kAB,X)
TktA(B,kAB,X)
L(A, B ,kAB,nA)
? .? nA,nB nonce
L(A, B ,kAB,nA) N(nB, nAkAB)
N(nBkAB)
?
81
NS-II B's role
?B
?L princ(B) x princ(A) x shK A B x nonce.
?L princ(B) x princ(A) x shK A B x nonce.
?nBnonce.
? nA nonce? kBS shK B S? Aprinc.? kAB shK
A B ? TB,Te time? Tnow time
N(nA, A,kAB,TBkBS)
N(nB, nAkAB)
?
AuthB(A, kAB,TB,Te)
AuthB(A, kAB,TB,Te)
ClkB(Tnow)
ClkB(Tnow)
(Tnow < Te)
L(B,A,kAB ,nB)
L(B,A,kAB ,nB)
? . ? nB nonce
?
N(nBkAB)
82
Summary Rules
  • N(t) Network
  • L(t, , t) Local state
  • MA(t, , t) Memory
  • c Constraints
  • N(t) Network
  • L(t, , t) Local state
  • MA(t, , t) Memory

83
Summary Roles
  • Generic roles
  • Anchored roles

84
Summary Snapshots
Active role set
C SRS
  • Signature
  • a t
  • Ll t
  • M_ t
  • State
  • N(t)
  • Ll(t, , t)
  • MA(t, , t)

85
Summary Execution Model
1-step firing
P ? C ? C
  • Activate roles
  • Generates new role state pred. names
  • Instantiate variables
  • Apply rules
  • Skips rules

86
Summary Rule application
r: F, c -> ∃n:t. G(n)
  • Constraint check
  • ? c (constraint handler)

87
Configurations
Active role set
C SRS
  • Signature
  • a t
  • Ll t
  • M_ t
  • State
  • N(t)
  • Ll(t, , t)
  • MA(t, , t)

88
Execution Model
1-step firing
P ? C ? C
  • Activate roles
  • Generates new role state pred. names
  • Instantiate variables
  • Apply rules
  • Skips rules

89
Variable Instantiation
SR (?xt.r,r) AS ? SR (t/xr,r) AS
S t t SR (?xt.r,r) AS ? SR
(t/xr,r) AS
  • Not fully realistic for verification
  • Redundancy realizes typing,
  • but not completely

90
Rule Application
r: F, c -> ∃n:t. G(n)
  • Constraint check
  • ? c (constraint handler)

91
Properties
  • Admissibility of parallel firing
  • Type preservation
  • Access control preservation
  • Completeness of Dolev-Yao intruder

92
MSR 2.0 NS Initiator
A -> B: {nA, A}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
93
MSR 2.0 NS Responder
A -> B: {nA, A}kB
B -> A: {nA, nB}kA
A -> B: {nB}kB
?B
94
Readings
  • R. Needham and M. Schroeder, Using Encryption for
    Authentication in Large Networks of Computers,
    1978
  • M. Burrows, M. Abadi, and R. Needham, A Logic of
    Authentication, 1989
  • M. Abadi and A. Gordon, A Calculus for
    Cryptographic Protocols: The Spi-Calculus, 1999
  • J. Thayer-Fabrega, J. Herzog, and J. Guttman,
    Strand Spaces: Why is a Security Protocol
    Correct?, 1998
  • Iliano Cervesato, Typed MSR Syntax and Examples,
    2000

95
Exercises for Lecture 7
  • Give MSR 2.0 encodings of one of the following
    protocols from the Clark and Jacob
    library (http://www-users.cs.york.ac.uk/jac/drareview.ps.gz)
  • Needham-Schroeder public key 6.3.1
  • Amended Needham-Schroeder 6.3.4
  • Wide-Mouthed Frog 6.3.5
  • Yahalom 6.3.6
  • Woo-Lam 6.3.10 P
  • Kehne-Langendorfer-Shoenwalder 6.3.5
  • Kao-Chow 6.5.4

96
Next
  • Intruder Models