Title: Process Theory: Strands
1 Process Theory: Strands
A Tutorial Presented by Brian Kellogg
and Jack G. Nestell
Michigan State University Computer Science and
Engineering Course CSE914 Professor Dr. Cheng
2 Tutorial Overview
- Brief FM discussion: academia vs. industry
- Strands introduction
- Concepts
- Syntax and semantics
- Example
- Tool support: Athena
- Strands as applied to the real world
- Conclusion
- References
3 Informal Discussion on Formal Methods
It is critical that one understand terms, syntax, and semantics. Build the foundation. 1 ½ hours is not nearly enough to go into much depth and detail on the syntax and semantics of any language. At this point, for our presentations, it is critical to understand the ideas and utilization of, and the differences between, each FM, specification language, and support tool. How are these FMs currently being used? What is the potential for the real world?
The two different worlds of computer science: that of industry/commercial and that of academia. I think that ultimately industry determines to a great extent what the needs are and how they can/will be used. But academics are able to develop and deliver those needs and new technologies. I want to know how this "cool stuff" is being applied to my world and my IT colleagues out here implementing, managing, and maintaining IT solutions every day of our lives. Who really cares about something (technology) that has no potential of ever doing anything for folks like me and the companies we work for?
Two different ways to approach our discussion: In our lectures, are we trying to build support for what our FMs and specification language are capable of? Or are we trying to defend the specification language and stating that it is worthy? The objective of this course is to demonstrate how these FMs and specification languages can be used to prove security protocols under a given dynamic and often unique environment.
4 Informal Discussion on Formal Methods
Due to the dynamic and unique environment, FMs need to be put to the test by the authors in a real-world proof, not by a benchmark. I know the value of benchmarks in my world, the computer networking world. I was hoping that the authors actually proved how well and how valuable Formal Methods are, by testing, validating, and proving the correctness of some neat, new, security protocol. This, to me, is what I crave. Ultimately the language has to be used in the real world if it is to prove the correctness of real-world protocols. Our job here as researchers, scholars and academics is to prove the correctness of real-world protocols that will keep the company that I work for and our partners from having performance, fault-tolerance and security issues and breaches. What has it done and where is it used? FMs have to be proven and designed and security protocols have to be proven and designed as well.
How was this benchmark designed? Who designed it? What security protocol is it modeled after? Is it modeled after an existing security protocol at all? If not, what good is the benchmark? If not, what good is the specification language? If so, tell me more. Convince me that the purpose of the specification language and the benchmark, and therefore the security protocol that my company uses on our Extranet and VPN, is all good. Convince me that I am doing my job by using this protocol solution.
I am not saying to go into detail on a complicated security protocol. But using it against a benchmark is boring me. Let's face it, you don't do something at this level to have it be forgotten and deemed useless. I understand the value of a good benchmark and I also understand its purpose. We are studying/testing FMs, not protocols. Or are we? Or vice versa? A security protocol benchmark is not something that is used to protect my company and our partners from the real world. Then what good is it? It is good to test our FM, but for our FM to be proven doesn't it have to be tested against "real-world" data in a real-world environment? That is my point. I just want to take our studies a step further. Don't tell me just how (I'll learn that in textbooks)... tell me who, where, when, why and for what reasons. This issue is much more complex than it may first appear. How do FMs as applied to network security relate to their usefulness and intent in the world of IT management and industry?
CONCLUSION: Real-world case studies.
5 Strands Introduction
Security protocols are often found later to have flaws. We need a way to eliminate poor design. Therefore, the goal of any FM: we need to find errors in bad protocols and prove correct those protocols that contain no flaws.
Strands utilizes both model checking and theorem proving techniques. The Strand Space Model (SSM) allows one to represent the problem domain in a very natural way.
SSM advantage: it contains the exact causal relation information among participants. This allows one to derive simple proofs of a protocol's correctness (as compared to TBM).
Under the Strand concept, proving or disproving a protocol must be expressed in terms of the interactions and connections between strands of different kinds.
6 Assumptions Made by Authors
- Certain data items (nonces and keys) are fresh and arise in more than one run of protocol
- Work with an explicit model of potential penetrator actions
- Allows one to prove the notions of secrecy and authentication correctness.
- Important point: a strand space models the assumption that some values are impossible for a penetrator to guess.
- A message must be sent before it can be received.
- Keys will be invented only once during the lifetime of the protocol. The effectiveness of a security protocol and the correctness of the protocol depend on the freshness and validity of the data, keys, and nonces.
- Only one strand originates the data by initially sending a message containing it.
- Goal of this tutorial: to demonstrate how this method allows one to clearly observe why the protocol is correct, and the assumptions required.
7 Strands Concepts
Term: used to represent the messages in a protocol.
Text terms ($T$): principal names, nonces, or data (bank account numbers).
Key terms ($K$): a set of keys disjoint from $T$.
Actions: the set of actions $Act$ that protocol principals follow throughout the execution of a protocol. Includes send ($+$) and receive ($-$).
Events: a pair (action, $a$) where action $\in Act$, and $a \in A$ is the argument of the action from the set of terms. $A$ and $(\pm A)^*$.
Protocol: defines the sequence of events/rules for each principal's role.
Strand: a principal's actions in a specific protocol run (an instance of a role); a sequence of events. A representation of an execution by a legitimate party in a security protocol or a sequence of actions by a penetrator. A sequence of events that a single principal may engage in. A linear structure: the sequence of a principal's message sends and receives.
Strand space: a collection of strands and a graph structure generated by causal interaction. A sequence of message transmissions and receptions with specific values of all data. Therefore, a sequential process. Contains all the legitimate executions of the protocol expected within its useful lifetime, together with penetrator strands.
Graph structure: Explain in detail this graph structure. How is it built?
8 Strands Concepts
- Penetrator strand: term transmissions and receptions that model a basic capability that one may assume the penetrator possesses.
- Penetrator strands include:
- Obtaining a symmetric key and a term encrypted using that key, and then being able to send the result of decrypting the message.
- Obtaining two terms and sending the result of concatenating them. How can this be a threat?
- Sending a data item that the penetrator strand may know.
- Penetrator actions are therefore modeled by connecting different penetrator strands.
9 Strands Concepts
Bundles: agreement on the act of communication. A portion of a strand space. Hooked-together strands where one strand sends a message and another receives that same message. Does this make sense?
How could a security protocol be correct? If there is one strand for each legitimate principal involved in the session, all agreeing on the nonces, session keys and rules of the protocol.
IMPORTANT point: Penetrator strands may be included in a bundle of a correctly proven protocol. However, they should not keep legitimate parties from agreeing on data values or protecting the secrecy of the values chosen. Why is this?
As compared to a strand, a bundle is a graph-structured entity, representing the communication between a number of strands. Why do we have/need a linear and a graph-structured representation of strands? To validate the legitimacy of the strands.
Under the Strand concept, proving or disproving a protocol must be expressed in terms of the interactions and connections between strands of different kinds.
10 Syntax, Semantics, and Definitions
- Set $A$: its elements are the possible messages to be exchanged between principals.
- $t_0 \sqsubset t_1$ means $t_0$ is a subterm of $t_1$.
- Transmission (or occurrence) of a term is written with sign $+$ and reception with $-$.
- Definition: A signed term is a pair $\langle \sigma, a \rangle$ with $a \in A$ and $\sigma$ one of the symbols $+, -$. A signed term can be written as $+t$ or $-t$. $(\pm A)^*$ is the set of finite sequences of signed terms.
- Definition: A strand space over $A$ (possible messages) is a set $\Sigma$ together with a trace mapping $tr : \Sigma \to (\pm A)^*$.
11 Syntax, Semantics, and Definitions
- Definition: For a fixed strand space $\Sigma$:
- A node is a pair $\langle s, i \rangle$, with $s \in \Sigma$ and $i$ an integer satisfying $1 \le i \le length(tr(s))$.
- The set of nodes is denoted by $N$.
- If $n = \langle s, i \rangle \in N$ then $index(n) = i$ and $strand(n) = s$.
- There is an edge $n_1 \to n_2$ if and only if $term(n_1) = +a$ and $term(n_2) = -a$ for some $a \in A$.
- $n_1$ sends a message to $n_2$, recording a causal link between two strands.
- When $n_1 = \langle s, i \rangle$ and $n_2 = \langle s, i+1 \rangle$ are members of $N$, there is an edge $n_1 \Rightarrow n_2$.
- An unsigned term $t$ occurs in $n \in N$ iff $t \sqsubset term(n)$. What is this stating?
- Let $I$ be a set of unsigned terms. The node $n \in N$ is an entry point for $I$ iff $term(n) = +t$ for some $t \in I$, and whenever $n' \Rightarrow^+ n$, $term(n') \notin I$.
- An unsigned term $t$ originates on $n \in N$ iff $n$ is an entry point for the set $I = \{ t' : t \sqsubset t' \}$.
12 Syntax, Semantics, and Definitions
- Bundles
- Definition: Suppose $\to_C \subset \to$; suppose $\Rightarrow_C \subset \Rightarrow$; and suppose $C = \langle N_C, (\to_C \cup \Rightarrow_C) \rangle$ is a subgraph of $\langle N, (\to \cup \Rightarrow) \rangle$. $C$ is a bundle if:
- $C$ is finite.
- If $n_2 \in N_C$ and $term(n_2)$ is negative, then there is a unique $n_1$ such that $n_1 \to_C n_2$.
- If $n_2 \in N_C$ and $n_1 \Rightarrow n_2$ then $n_1 \Rightarrow_C n_2$.
- $C$ is acyclic.
- In conditions 2 and 3, $n_1 \in N_C$ because $C$ is a graph.
- Therefore, the above definition formalizes our strand process communication model with three properties:
- A process (strand) may send or receive a message, but not at the same time.
- When a strand receives a message m, there is a unique node transmitting m from which the message was immediately received.
- When a strand transmits a message m, many strands may immediately receive m.
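The four bundle conditions can be checked mechanically on a finite candidate graph. The following is an added example, not part of the original slides: the function name `bundle_violations`, the strand names and the sample NSL run are constructed for illustration.

```python
def bundle_violations(traces, nodes, comm):
    """traces: strand -> list of (sign, term); a node (s, i) is 1-based.
    nodes: the set N_C.  comm: the edges ->_C as (n1, n2) pairs.
    Edges =>_C are implied: (s, i) => (s, i+1) when both are in N_C.
    Condition 1 (finiteness) holds trivially for Python sets."""
    term = lambda n: traces[n[0]][n[1] - 1]
    errs = []
    succ = {n: set() for n in nodes}
    senders = {n: [] for n in nodes}
    for n1, n2 in sorted(comm):
        if n1 not in nodes or n2 not in nodes:
            errs.append(f"edge {n1}->{n2} leaves N_C")
        elif (term(n1)[0], term(n2)[0]) != ("+", "-") or term(n1)[1] != term(n2)[1]:
            errs.append(f"edge {n1}->{n2} is not +a -> -a")
        else:
            succ[n1].add(n2)
            senders[n2].append(n1)
    for n in sorted(nodes):
        s, i = n
        # Condition 2: every receive has exactly one sender in C.
        if term(n)[0] == "-" and len(senders[n]) != 1:
            errs.append(f"receive {n} has {len(senders[n])} senders")
        # Condition 3: C is closed under strand predecessors.
        if i > 1 and (s, i - 1) in nodes:
            succ[(s, i - 1)].add(n)
        elif i > 1:
            errs.append(f"{n} is in N_C but its strand predecessor is not")
    # Condition 4: acyclic, checked by repeatedly removing in-degree-0 nodes.
    indeg = {n: 0 for n in nodes}
    for n in nodes:
        for m in succ[n]:
            indeg[m] += 1
    ready = [n for n in nodes if indeg[n] == 0]
    removed = 0
    while ready:
        n = ready.pop()
        removed += 1
        for m in succ[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
    if removed != len(nodes):
        errs.append("C has a cycle")
    return errs

# Constructed sample: one NSL run, initiator and responder strands only.
M1, M2, M3 = "{Na A}KB", "{Na Nb B}KA", "{Nb}KB"
TRACES = {"init": [("+", M1), ("-", M2), ("+", M3)],
          "resp": [("-", M1), ("+", M2), ("-", M3)]}
NODES = {(s, i) for s in TRACES for i in (1, 2, 3)}
COMM = {(("init", 1), ("resp", 1)), (("resp", 2), ("init", 2)),
        (("init", 3), ("resp", 3))}
```

Removing an edge or a node from the sample shows which condition fails; an empty list means the graph is a bundle.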
13 Bundle Example
[Figure: an example bundle drawn as a graph; the node labels are signed terms over a, b, c, d, e, f and g.]
14 Syntax, Semantics, and Definitions
A node $n$ is in a bundle $C = \langle N_C, \to_C, \Rightarrow_C \rangle$, written $n \in C$, if $n \in N_C$; a strand $s$ is in $C$ if all of its nodes are in $N_C$.
If $C$ is a bundle, then the $C$-height of a strand $s$ is the largest $i$ such that $\langle s, i \rangle \in C$.
Definition: If $S$ is a set of edges, i.e. $S \subset \to \cup \Rightarrow$, then $\prec_S$ is the transitive closure of $S$, and $\preceq_S$ is the reflexive, transitive closure of $S$.
Lemma: Suppose $C$ is a bundle. Then $\preceq_C$ is a partial order, i.e. a reflexive, antisymmetric, transitive relation. Every non-empty subset of the nodes in $C$ has $\preceq_C$-minimal members.
What did he know and when did he know it?
Lemma: Suppose $C$ is a bundle, and $S \subseteq C$ is a set of nodes such that $uns\_term(m) = uns\_term(m')$ implies that $m \in S$ iff $m' \in S$, for all nodes $m, m'$. If $n$ is a $\preceq_C$-minimal member of $S$, then the sign of $n$ is positive.
PROOF: If $term(n)$ were negative, then by the bundle property, $n' \to n$ for some $n' \in C$ and, sign apart, $term(n') = term(n)$. Hence $n' \in S$, violating the minimality property of $n$.
Lemma: Suppose $C$ is a bundle, $t \in A$ and $n \in C$ is a $\preceq_C$-minimal element of $\{ m \in C : t \sqsubset term(m) \}$. The node $n$ is an originating occurrence for $t$.
PROOF: By Lemma 2.7, the sign of $n$ is positive. If $n' \prec n$ lies on the strand of $n$, then $n' \in C$; therefore, by the minimality property of $n$, $t \not\sqsubset term(n')$. Thus $n$ is originating for $t$.
Terms and Encryption (examples to be given on board)
15 Penetrator Strands
Ideals: a method to prove additional bounds on the abilities of the penetrator.
A penetrator's effectiveness relies on a set of keys known initially to the penetrator and a set of strands that allow the penetrator to create new messages from compromised messages. Atomic actions that a penetrator can invoke are encoded in a set of penetrator traces.
Definition: Penetrator traces
M. Text message: $\langle +t \rangle$ where $t \in T$
F. Flushing: $\langle -g \rangle$
T. Tee: $\langle -g, +g, +g \rangle$
C. Concatenation: $\langle -g, -h, +gh \rangle$
S. Separation into components: $\langle -gh, +g, +h \rangle$
K. Key: $\langle +K \rangle$ where $K \in K_P$
E. Encryption: $\langle -K, -h, +\{h\}_K \rangle$
D. Decryption: $\langle -K^{-1}, -\{h\}_K, +h \rangle$
Definition: An infiltrated strand space is a pair $(\Sigma, P)$ with $\Sigma$ a strand space and $P \subseteq \Sigma$ such that $tr(p)$ is a penetrator trace for all $p \in P$.
16 Example: Needham-Schroeder Protocol
[Figure: the three messages (1., 2., 3.) exchanged between A and B.]
Note: The original protocol has 7 steps. This is reduced to 3 steps by removing communication with a key server.
17 Flaw in Needham-Schroeder Protocol
- Introduce an intruder I
- A establishes a session with I ($A \to I : \{N_A, A\}_{PK(I)}$)
- I establishes a session with B using A's info ($I \to B : \{N_A, A\}_{PK(B)}$)
- B responds to I ($B \to I : \{N_A, N_B\}_{PK(A)}$)
- I uses A as an oracle ($I \to A : \{N_A, N_B\}_{PK(A)}$)
- A returns $N_B$ to I ($A \to I : \{N_B\}_{PK(I)}$)
- I decrypts $N_B$ and returns it to B ($I \to B : \{N_B\}_{PK(B)}$)
- B now believes it has successfully run the protocol with A
18 Needham-Schroeder-Lowe Protocol
[Figure: the three messages (1., 2., 3.) exchanged between A and B.]
19 NSL Strand Spaces
- $(\Sigma, P)$ is an infiltrated NSL space if $\Sigma$ is the union of three types of strands:
- Penetrator strands $s \in P$
- Initiator strands with trace $s \in Init(A, B, N_a, N_b)$ defined as $\langle +\{N_a\,A\}_{K_B},\ -\{N_a\,N_b\,B\}_{K_A},\ +\{N_b\}_{K_B} \rangle$ where $A, B \in T_{name}$, $N_a, N_b \in T$ but $N_a \notin T_{name}$.
- Responder strands with trace $s \in Resp(A, B, N_a, N_b)$ defined as $\langle -\{N_a\,A\}_{K_B},\ +\{N_a\,N_b\,B\}_{K_A},\ -\{N_b\}_{K_B} \rangle$ where $A, B \in T_{name}$, $N_a, N_b \in T$ but $N_b \notin T_{name}$.
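The only difference between the flawed protocol of slide 17 and the NSL traces above is the responder's name B inside the second message. The following added example (not from the original slides; encryption is purely symbolic and the function names are assumptions) replays the slide-17 message sequence against both variants and reports what each party concludes.

```python
def enc(owner, *fields):
    """Symbolic public-key encryption: only `owner` can open the result."""
    return ("enc", owner, fields)

def dec(me, msg):
    _, owner, fields = msg
    if owner != me:
        raise PermissionError(f"{me} cannot decrypt a message for {owner}")
    return fields

def run_session(lowe_fix):
    """Replay the slide-17 sequence; lowe_fix selects the NSL second message."""
    Na, Nb = "Na", "Nb"
    result = {"A_aborts": False, "B_accepts_A": False, "I_learns_Nb": False}
    # A -> I: {Na, A}PK(I).  A honestly starts a session with I.
    m1 = enc("I", Na, "A")
    # I -> B: {Na, A}PK(B).  I re-encrypts A's opening message for B.
    m2 = enc("B", *dec("I", m1))
    # B -> A (via I): {Na, Nb}PK(A), or {Na, Nb, B}PK(A) under NSL.
    na, claimed = dec("B", m2)
    m3 = enc(claimed, na, Nb, "B") if lowe_fix else enc(claimed, na, Nb)
    # I cannot open m3 and forwards it unchanged; A checks the contents.
    reply = dec("A", m3)
    if reply[0] != Na or (lowe_fix and reply[2] != "I"):
        # Under NSL the reply names B, but A's session is with I.
        result["A_aborts"] = True
        return result
    # A -> I: {Nb}PK(I).  A unknowingly decrypts Nb for I.
    (nb,) = dec("I", enc("I", reply[1]))
    result["I_learns_Nb"] = nb == Nb
    # I -> B: {Nb}PK(B).  B sees its own nonce and accepts the run as A's.
    result["B_accepts_A"] = dec("B", enc("B", nb)) == (Nb,)
    return result
```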
20 Example: Responder's Guarantee
- Suppose the following:
- $\Sigma$ is an NSL space, $C$ is a bundle in $\Sigma$, and $s$ is a responder strand in $Resp(A, B, N_a, N_b)$
- $K_A^{-1} \notin K_P$
- $N_a \neq N_b$ and $N_b$ is uniquely originating in $\Sigma$
- What we want to prove:
- $C$ contains the initiator's strand $t \in Init(A, B, N_a, N_b)$
21 Responder's Guarantee Continued
- A few definitions:
- Node $\langle s, 2 \rangle$ outputs the value $\{N_a\,N_b\,B\}_{K_A}$ and is referred to as node $n_0$ with term $v_0$
- Node $\langle s, 3 \rangle$ receives the value $\{N_b\}_{K_B}$ and is referred to as node $n_3$ with term $v_3$
- Nodes $n_1$ and $n_2$ will be introduced in the proof such that $n_0 \prec n_1 \prec n_2 \prec n_3$
22 Responder's Guarantee: First Lemma
- Lemma 1: $N_b$ originates at $n_0$
- By the assumptions made on the last slide, $N_b \sqsubset v_0$ and $n_0$ has a positive sign, so we only need to check that $N_b \not\sqsubset term(n')$, where $n'$ is the node $\langle s, 1 \rangle$ that comes before $n_0$ on the same strand.
- Proof:
- $term(n') = \{N_a\,A\}_{K_B}$, so we just need to make sure that $N_a \neq N_b$ and $A \neq N_b$
- $N_a \neq N_b$ is part of the hypothesis
- $A \neq N_b$ is true because in the definition $N_b \notin T_{name}$
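23 Figure for Lemma 1
[Figure: the responder strand $s$, showing node $\langle s, 1 \rangle$ with term $\{N_a\,A\}_{K_B}$, node $n_0$ with term $v_0 = \{N_a\,N_b\,B\}_{K_A}$, node $n_2$ with a term containing $N_b$, and node $n_3$ with term $v_3 = \{N_b\}_{K_B}$.]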
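Lemma 1 is an instance of the origination definition from slide 11 and can be computed directly from the traces. This is an added example, not from the original slides: terms are nested tuples, the key of an encryption is not counted as a subterm (as in the Strand Spaces paper), and the function names, the key atoms `KA`/`KB` and the sample strands are assumptions.

```python
def enc(key, *parts):
    """Symbolic term {parts}key; the body is a concatenation of the parts."""
    return ("enc", ("cat",) + parts, key)

def subterm(t, u):
    """t is a subterm of u; the encryption key itself is not searched."""
    if t == u:
        return True
    if isinstance(u, tuple) and u[0] == "enc":
        return subterm(t, u[1])
    if isinstance(u, tuple) and u[0] == "cat":
        return any(subterm(t, part) for part in u[1:])
    return False

def originates_at(trace, t):
    """1-based index of the node where t originates on this strand, else None.

    t originates on the first node whose term contains it, provided that
    node is positive; if the first occurrence is a reception, t does not
    originate anywhere on the strand.
    """
    for i, (sign, term) in enumerate(trace, start=1):
        if subterm(t, term):
            return i if sign == "+" else None
    return None

def origination_points(traces, t):
    """All (strand, index) nodes where t originates; unique origination
    means this list has exactly one element."""
    points = []
    for strand, trace in traces.items():
        i = originates_at(trace, t)
        if i is not None:
            points.append((strand, i))
    return points

def nsl_traces(A, B, Na, Nb):
    """Initiator and responder traces as defined on slide 19."""
    m1 = enc("K" + B, Na, A)
    m2 = enc("K" + A, Na, Nb, B)
    m3 = enc("K" + B, Nb)
    return {"init": [("+", m1), ("-", m2), ("+", m3)],
            "resp": [("-", m1), ("+", m2), ("-", m3)]}
```

Adding a penetrator M-strand with trace `[("+", "Nb")]` to the traces yields a second origination point for Nb, which is the situation that the unique-origination hypothesis excludes.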
24 Responder's Guarantee: Second Lemma
- Lemma 2: Establish that the crucial step is taken by a regular strand and not a penetrator strand: the set $S = \{ n \in C : N_b \sqsubset term(n) \wedge v_0 \not\sqsubset term(n) \}$ has a $\preceq$-minimal node $n_2$ that is on a regular strand and has a positive sign.
- Proof:
- We first establish that $S$ is not an empty set
- Since $n_3 \in C$ and $term(n_3)$ contains $N_b$ but $v_0$ is not a subterm of it, $S$ is non-empty
- Due to the lemmas stated earlier, $S$ has at least one minimal element $n_2$ and it is positive
25 Second Lemma Continued
- Now confirm $n_2$ is on a regular strand as opposed to a penetrator strand
- M. $\langle +t \rangle$ where $t \in T$. For NSL, the trace $tr(p)$ has the form $\langle +t \rangle$, so $t = N_b$. This implies $N_b$ originates on this strand, but that is a contradiction of our first lemma.
- F. The trace $tr(p)$ has the form $\langle -g \rangle$. But we have positive nodes, so this is not valid.
- (etc.) The many other atomic actions a penetrator has available must likewise be ruled out.
26 Outline of Rest of Proof
- The remainder of the proof is similar to the above, adding more definitions and lemmas. It goes on to prove that $n_1$ precedes $n_2$ on strand $t$ and that $t$ is the initiator strand. It also shows that $term(n_1)$ contains $\{N_a\,N_b\,B\}_{K_A}$. This satisfies what we originally wanted to prove:
- $C$ contains the initiator's strand $t \in Init(A, B, N_a, N_b)$
27 Tool Support: Athena
- Implemented using Standard ML (Meta Language) of New Jersey
- ML is a functional programming language written in the 1980s by the Laboratory for Foundations of Computer Science (LFCS)
- Attractive language for formal methods since it is safe, i.e. all bugs are caught at compile time or handled gracefully at run time
- Input consists of a protocol description and a set of security properties. You can also specify additional pruning theorems if available.
28 Tool Support: Athena
- Athena extends the Strand Space Model and uses model checking and theorem proving approaches
- Able to determine the error in the Needham-Schroeder protocol in a fraction of a second
- Example of extension: adds the notation of an interm relation, such that a1 is an interm of a2 if a1 can be extracted from a2 without needing decryption.
- The paper cites a reference for information on Athena, but the link only leads to the authors' papers and research interests. Other than a link to the paper on Athena, there is no place to download this tool.
29 Strands as applied to real-world Conclusion
30 References
1) F. Javier Thayer Fábrega, Jonathan C. Herzog, and Joshua D. Guttman, Strand Spaces: Proving Security Protocols Correct, The MITRE Corporation, 1998 IEEE
2) F. Javier Thayer Fábrega, Jonathan C. Herzog, and Joshua D. Guttman, Strand Spaces: Proving Security Protocols Correct, appears in Journal of Computer Security, 7 (1999), pages 191-230
3) Dawn Song, Sergey Berezin, Adrian Perrig, Athena: a novel approach to efficient automatic security protocol analysis, Dept. of Computer Science, UC Berkeley; Dept. of Computer Science, Carnegie Mellon University
4) Dawn X. Song, Athena: a New Efficient Automatic Checker for Security Protocol Analysis
5) John Rushby, Security Requirements Specifications: How and What?, Computer Science Laboratory, SRI International
6) F. Javier Thayer Fábrega, Jonathan C. Herzog, and Joshua D. Guttman, Honest Ideals on Strand Spaces, The MITRE Corporation
7) Joshua D. Guttman, Security Goals: Packet Trajectories and Strand Spaces
8) Scott D. Stoller, A Bound on Attacks on Authentication Protocols, January 15, 2001