Protocol composition and refinement patterns, February 2003, Dusko Pavlovic, Kestrel Institute
Post on 21-Dec-2015
1
Protocol composition and refinement patterns
February, 2003
Dusko Pavlovic
Kestrel Institute
2
Protocols
3
Protocols
[Diagram: A and B exchange the messages &d, p(d), $p(d), d. State annotations: wants = 0; has = d + $(a-p(d)); has = $p(d); has = d; wants = d; has = $a]
4
Problem
[Diagram: messages &d, p(d), $p(d), d between A and B; label: abstraction]
5
Solution
[Diagram: messages &d, p(d), $p(d), d between A and B]
6
Solution
[Diagram: messages &d, p(d), $p(d), d between A and B; label: refinement]
7
“Security Science”
logic (belief, knowledge)
process (CSP, CCS, spi)
crypto (next 700 models)
security
8
“Security Science”
logic (belief, knowledge)
process (CSP, CCS, spi)
crypto (next 700 models)
security
security protocols
“idealizations”
9
“Security Science”
logic (belief, knowledge)
process (CSP, CCS, spi)
crypto (next 700 models)
security
propositions-as-types
proofs-as-processes
security protocols
Dolev-Yao
10
Derivational approach
Protocol derivation
• components
• refinements
• transformations
Proof derivation
• axioms
• proof rules
• proof transformations
truth is just another security property
• derivation patterns
11
Outline
• Protocol logic
• Derivation patterns
1. Authenticated DH
• CR STS
2. Identity and DoS protection
• STS JFK
3. DH refinements
• KA MQV
4. Combine 2. and 3.
• MQV MQV+
• Tool demo
12
Papers
• Deriving, attacking and defending GDOI
– with C. Meadows
» submitted
• Abstraction and refinement in protocol derivation
– with A. Datta and A. Derek and J. Mitchell
» to appear in Proceedings of CSFW 2004
• Secure protocol composition
– with A. Datta and A. Derek and J. Mitchell
» Proceedings of MFPS 2003 (ext. abstract in FMCS 2003)
• Derivation system for security protocols and its logical formalization
– with A. Datta and A. Derek and J. Mitchell
» Proceedings of CSFW 2003
• Compositional logic for protocol correctness
– with N. Durgin and J. Mitchell
» JCS 2003 (earlier version in CSFW 2001)
• Composition and refinement of behavioral specifications
– with D. Smith
» ASE 2002
• Guarded transitions in evolving specifications
– with D. Smith
» AMAST 2002
http://www.kestrel.edu/users/pavlovic/
13
Protocol logic
• term calculus
• names, variables
• operations
• equality
• action calculus
• send at:ABC
• receive b(x: XY)Z
• new (x)C
• match (t/p(x))C
• tR (x)S R S(t/x)
• (p(t)/p(x))R R(t/x)
14
Protocol logic
• atomic predicates
• a = b -- actions a and b are equal
• a -- action a has occurred
• a < b -- action a has occurred before b
• e.g.,
• tA < (x)Y -- some tA precedes some (x)Y
• a = tA -- a is in the form tA
• sA = tB -- s = t and A = B
15
Protocol logic
• statements
• A : () »
• e.g.,
• A : (x) »
cABxA <((rABx))A
cABxA < ((cABx))B < rABxB <((rABx))A
16
Protocol logic
• abbreviations
• (t) (x)(x/t)
• t U(t/x)
• ((t)) (U(t/x))
• tA< a = tA b = tB . a ≤ b
• tA< a = tA b = tB . a ≤ b
• t U(t/x)
• H(t,x) UHV(t,x) | X,YZ
17
Protocol logic
• general axioms
• (t) a = t a < (t)
(rcv)
• (x)M aA. x FV(a) (x) < aA (new)
A ≠ M (x)M < xM < ((x))A ≤ aA
18
Protocol logic
• challenge-response axiom
• A : (x) »
(cr)
cABxA < ((rABx))A
cABxA < ((cABx))B < rABxB <((rABx))A
(x)A
cABxA
((rABx))A
((cABx))B
rABxB
19
Challenge-response
[Taxonomy diagram; nodes: CR, CRK, CRKI, CRKO, CRP, CRE, CRS]
20
Challenge-response
[Diagram between A and B; labels: m, cABm, rABm]
[Taxonomy diagram as on slide 19]
21
Challenge-response
[Taxonomy diagram as on slide 19]
A: (m)A< cABmA <(rABm)A
» cABmA < ((rABm))A
cABmA<((cABm))B<rABmB<((rABm))A
A: (m)A< cABmA<((cABm))B<
rABmB< (rABm)A
22
Challenge-response
[Diagram between A and B; labels: m, $S_B(A,m)$, m]
[Taxonomy diagram as on slide 19]
SBt = SBu t = u (sig1)
SBt X< X=B (sig2)
VB(y,t) y = SBt (sig3)
23
Challenge-response
[Taxonomy diagram as on slide 19]
SBt = SBu t = u (sig1)
SBt X< X=B (sig2)
VB(y,t) y = SBt (sig3)
(sig1) (sig2) (sig3) (cr)
24
Challenge-response
[Diagram between A and B; labels: m, m, $E_B(A,m)$]
[Taxonomy diagram as on slide 19]
(m)A<EBmA <mX< (enc)
X=A X=B
25
Challenge-response
[Diagram between A and B; labels: m, $K_{AB}(A,m)$, m]
[Taxonomy diagram as on slide 19]
KABt = KABu t = u (hk1)
KABt X< X=A X=B (hk2)
26
Challenge-response
[Diagram between A and B; labels: m, m, $K_{AB}(A,m)$]
[Taxonomy diagram as on slide 19]
KABt = KABu t = u (hk1)
KABt X< X=A X=B (hk2)
27
Composing authentication
[Diagram; nodes: CRS[A,B], CRS[B,A], 2CRSSeq, 2CRSNest; composition labels: Nest, Seq; message labels: m, $S_B m$, n, $S_A n$]
28
Composing authentication
[Diagram; nodes: CRS[A,B], CRS[B,A], PoP, STS0; composition labels: Nest, Seq; message labels: m, $S_B m$, n, $S_A n$, $S_B(m,n)$, $S_A(n,m)$, $S_A(m,n)$]
29
Reasoning in PoP
((m))B
SB(m,y)B
(m)A
mA
(n)A
SA(m,n)A
(SB(m,n))A
nY<
(rcv)
n = y
(sig1) n = y
yB
(SA(m,y))B
(y)B
30
Reasoning in PoP
((m))B
SB(m,y)B
(m)A
mA
(n)A
SA(m,n)A
(SB(m,n))A
nY<
(rcv)
n = y
(sig1) n = y
yB
(SA(m,y))B
(y)B
31
Composing authentication
[Diagram; nodes: CRS[A,B], CRS[B,A], PoP, STS0; composition labels: Nest, Seq; message labels: m, $S_B m$, n, $S_A n$, $S_B(m,n)$, $S_A(n,m)$, $S_A(m,n)$]
32
STS family
$m = g^x$, $n = g^y$, $k = g^{xy}$
[Derivation diagram; nodes: STS0, STS0H, STSa, STSaH, JFK0, STS, STSH, JFK1, STSP, STSPH, JFK, RFK; refinement labels: distribute certificates, cookie, open responder, symmetric hash, protect identities]
33
STS family
$m = g^x$, $n = g^y$, $k = g^{xy}$
Messages:
m
$S_B(m,n)$, n
$S_A(n,m)$
[Derivation diagram as on slide 32]
34
STS family
$m = g^x$, $n = g^y$, $k = g^{xy}$
Messages:
m
n, Hmn
m, n, Hmn, $S_A(m,n)$
$S_B(n,m)$
[Derivation diagram as on slide 32]
35
STS family
$m = g^x$, $n = g^y$, $k = g^{xy}$
Messages:
m
$C_B$, $S_B(m,n)$, n
$C_A$, $S_A(n,m)$
[Derivation diagram as on slide 32]
36
STS family
$m = g^x$, $n = g^y$, $k = g^{xy}$
Messages:
m
n, Hmn
m, n, Hmn, $C_A$, $S_A(m,n)$
$C_B$, $S_B(n,m)$
[Derivation diagram as on slide 32]
37
STS family
$m = g^x$, $n = g^y$, $k = g^{xy}$
Messages:
m
n, $C_B$, Hmn
m, n, Hmn, $C_A$, $S_A(m,n)$
$S_B(n,m)$
[Derivation diagram as on slide 32]
38
STS family
$m = g^x$, $n = g^y$, $k = g^{xy}$
Messages:
m
n, $C_B$, $E_k(S_B(n,m))$
$C_A$, $E_k(S_A(m,n))$
[Derivation diagram as on slide 32]
39
STS family
$m = g^x$, $n = g^y$, $k = g^{xy}$
Messages:
m
n, Hmn
m, n, Hmn, $C_A$, $E_k(S_A(m,n))$
$C_B$, $E_k(S_B(n,m))$
[Derivation diagram as on slide 32]
40
STS family
$m = g^x$, $n = g^y$, $k = g^{xy}$
Messages:
m
n, $C_B$, Hmn
m, n, Hmn, $C_A$, $E_k(S_A(m,n,C_B))$
$E_k(S_B(n,m))$
[Derivation diagram as on slide 32]
41
STS family
$m = g^x$, $n = g^y$, $k = g^{xy}$
Messages:
m
n, $E_k(C_B, S_B(n,m))$
$E_k(C_A, S_A(m,n))$
[Derivation diagram as on slide 32]
42
STS family
$m = g^x$, $n = g^y$, $k = g^{xy}$
Messages:
m
n, Hmn
m, n, Hmn, $E_k(C_A, S_A(m,n))$
$E_k(C_B, S_B(n,m))$
[Derivation diagram as on slide 32]
43
STS family
$m = g^x$, $n = g^y$, $k = g^{xy}$
Messages:
m
n, $C_B$, Hmn
m, n, Hmn, $E_k(C_A, S_A(m,n,C_B))$
$E_k(S_B(n,m))$
[Derivation diagram as on slide 32]
44
STS family
$m = g^x$, $n = g^y$, $k = g^{xy}$
Messages:
m
n, Hmn
m, n, Hmn, $E_k(C_A, S_A(m,n))$, #(I)
$E_k(C_B, S_B(n,m))$, #(R)
[Derivation diagram as on slide 32]
45
MQV family
[Taxonomy diagram; nodes: KA, DH, MTI/A, MTI/B, MTI/C, UM, MQV]
46
MQV family
Messages:
$m_A$
$m_B$
[Taxonomy diagram as on slide 45]
47
MQV family
Messages:
$g^x$
$g^y$
$k = g^{xy}$
[Taxonomy diagram as on slide 45]
48
MQV family
Messages:
$(g^b)^x$
$(g^a)^y$
$k = (g^{ay})^{1/a} g^x = (g^{bx})^{1/b} g^y$
[Taxonomy diagram as on slide 45]
49
MQV family
Messages:
$(g^b)^x$
$(g^a)^y$
$k = (g^{ay})^{x/a} = (g^{bx})^{y/b}$
[Taxonomy diagram as on slide 45]
50
MQV family
Messages:
$g^x$, $G_A$
$g^y$, $G_B$
$G_A = \{A, g^a\}_{TA}$, $G_B = \{B, g^b\}_{TA}$
$k = \{(g^y)^a (g^b)^x\} = \{(g^x)^b (g^a)^y\}$
[Taxonomy diagram as on slide 45]
51
MQV family
Messages:
$g^x$, $G_A$
$g^y$, $G_B$
$G_A = \{A, g^a\}_{TA}$, $G_B = \{B, g^b\}_{TA}$
$k = \{(g^y)^a \| (g^b)^x\} = \{(g^x)^b \| (g^a)^y\}$
or
$k = \{(g^y)^x \| (g^b)^a\} = \{(g^x)^y \| (g^a)^b\}$
[Taxonomy diagram as on slide 45]
52
MQV family
Messages:
$g^x$, $G_A$
$g^y$, $G_B$
$G_A = \{A, g^a\}_{TA}$, $G_B = \{B, g^b\}_{TA}$
$k = g^{f(a,x) f(b,y)}$ where $f(a,x) = a g^x + x$
[Taxonomy diagram as on slide 45]
53
MQV family
Messages:
$g^x$, $G_A$
$g^y$, $G_B$
$G_A = \{A, g^a\}_{TA}$, $G_B = \{B, g^b\}_{TA}$
$k = g^{f(a,x) f(b,y)}$ where $f(a,x) = a g^x + x$
$g^{f(a,x)} = F(g^a, g^x)$ is 1-way in $g^x$.
E.g., given a one-way function $H(n)$ such that $H(g^x) = g^{h(x)}$, take $F(m,n) = m H(n)$ and $f(a,x) = a + h(x)$.
[Taxonomy diagram as on slide 45]
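The key formulas on the MQV family slides, worked through as an added example (not part of the original slides): each variant returns the key as A computes it and as B computes it, so agreement can be checked. The pairing of the names MTI/A, MTI/B and MTI/C with the formulas follows the standard MTI definitions, the MQV case uses the slide's f(a,x) = a·g^x + x, and the toy group and all function names are constructed for illustration.

```python
import secrets

# Constructed toy group, far too small for real use: p = 2q + 1, g of order q.
P, Q, G = 2039, 1019, 4

def keypair():
    """Return (secret exponent s, public value g^s mod p)."""
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(G, s, P)

def inv(e):
    """Inverse of an exponent modulo the group order q."""
    return pow(e, -1, Q)

def f(a, x, gx):
    """f(a,x) = a*g^x + x, reduced mod q (g^x read as an integer)."""
    return (a * gx + x) % Q

def F(ga, gx):
    """g^f(a,x) from public values only: (g^a)^(g^x) * g^x."""
    return pow(ga, gx, P) * gx % P

def agree(variant, a, ga, x, gx, b, gb, y, gy):
    """Return (key computed by A, key computed by B) for one variant."""
    if variant == "MTI/A":  # messages g^x, g^y; k = (g^y)^a (g^b)^x
        return (pow(gy, a, P) * pow(gb, x, P) % P,
                pow(gx, b, P) * pow(ga, y, P) % P)
    mA, mB = pow(gb, x, P), pow(ga, y, P)  # messages (g^b)^x, (g^a)^y
    if variant == "MTI/B":  # k = (g^ay)^(1/a) g^x = (g^bx)^(1/b) g^y
        return (pow(mB, inv(a), P) * gx % P,
                pow(mA, inv(b), P) * gy % P)
    if variant == "MTI/C":  # k = (g^ay)^(x/a) = (g^bx)^(y/b)
        return (pow(mB, x * inv(a) % Q, P),
                pow(mA, y * inv(b) % Q, P))
    if variant == "MQV":    # messages g^x, g^y; k = g^(f(a,x) f(b,y))
        return (pow(F(gb, gy), f(a, x, gx), P),
                pow(F(ga, gx), f(b, y, gy), P))
    raise ValueError(variant)

def run_all():
    """Run every variant with fresh long-term and ephemeral keys."""
    (a, ga), (b, gb) = keypair(), keypair()   # long-term keys
    (x, gx), (y, gy) = keypair(), keypair()   # ephemeral keys
    return {v: agree(v, a, ga, x, gx, b, gb, y, gy)
            for v in ("MTI/A", "MTI/B", "MTI/C", "MQV")}

if __name__ == "__main__":
    for name, (kA, kB) in run_all().items():
        print(f"{name}: A={kA} B={kB} agree={kA == kB}")
```

In the MQV case each side needs only the peer's public values to form F, which is the point of the slide's requirement that g^{f(a,x)} = F(g^a, g^x).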
54
MQV refinements
[Derivation diagram; nodes: KA, DH, STSa, STS, STSP, STSPH, JFK, RFK, MQV, MQVC, MQVCP, MQVCPH, MQVJFK, MQVRFK; labels: add certificates, authenticate, key, key conf., encryption, signature, protect identities, cookie, open responder, symmetric hash; annotations: $m = g^x$, $n = g^y$, $k = g^{xy}$; $k = g^{f(a,x) f(b,y)}$]
55
MQV refinements
Messages:
$m_A$
$m_B$
[Derivation diagram as on slide 54]
56
MQV refinements
Messages:
$m_A$
$m_B$, $C_B$, $S_B(n, m_A)$
$C_A$, $S_A(m_A, m_B)$
[Derivation diagram as on slide 54]
57
MQV refinements
Messages:
$g^x$
$g^y$
[Derivation diagram as on slide 54]
58
MQV refinements
Messages:
$g^x$
$g^y$, $C_B$, $E_k(S_B(g^y, g^x))$
$C_A$, $E_k(S_A(g^x, g^y))$
$k = g^{xy}$
[Derivation diagram as on slide 54]
59
MQV refinements
Messages:
$g^x$
$g^y$, $E_k(C_B, S_B(g^y, g^x))$
$E_k(C_A, S_A(g^x, g^y))$
$k = g^{xy}$
[Derivation diagram as on slide 54]
60
MQV refinements
Messages:
$g^x$
$g^y$, H
$g^x$, $g^y$, H, $E_k(C_A, S_A(g^x, g^y))$
$E_k(C_B, S_B(g^y, g^x))$
$k = g^{xy}$
[Derivation diagram as on slide 54]
61
MQV refinements
Messages:
$g^x$
$g^y$, $C_B$, H
$g^x$, $g^y$, H, $E_k(C_A, S_A(g^x, g^y, C_B))$
$E_k(S_B(g^y, g^x))$
$k = g^{xy}$
[Derivation diagram as on slide 54]
62
MQV refinements
Messages:
$g^x$
$g^y$, H
$g^x$, $g^y$, H, $E_k(C_A, S_A(g^x, g^y))$, #(I)
$E_k(C_B, S_B(g^y, g^x))$, #(R)
$k = g^{xy}$
[Derivation diagram as on slide 54]
63
MQV refinements
Messages:
$g^x$, $G_A$
$g^y$, $G_B$
$G_A = \{A, g^a\}_{TA}$, $G_B = \{B, g^b\}_{TA}$
$k = g^{f(a,x) f(b,y)}$
[Derivation diagram as on slide 54]
64
MQV refinements
Messages:
$g^x$, $g^a$
$g^y$, $G_B$, $E_k(g^y, g^x)$
$G_A$, $E_k(g^x, g^y)$
$G_A = \{A, g^a\}_{TA}$, $G_B = \{B, g^b\}_{TA}$
$k = g^{f(a,x) f(b,y)}$
[Derivation diagram as on slide 54]
65
MQV refinements
Messages:
$g^x$, $g^a$
$g^y$, $g^b$, $E_k(G_B, g^y, g^x)$
$E_k(G_A, g^x, g^y)$
$G_A = \{A, g^a\}_{TA}$, $G_B = \{B, g^b\}_{TA}$
$k = g^{f(a,x) f(b,y)}$
[Derivation diagram as on slide 54]
66
MQV refinements
Messages:
$g^x$, $g^a$
$g^y$, $g^b$, H
$g^x$, $g^a$, $g^y$, $g^b$, H, $E_k(G_A, g^x, g^y)$
$E_k(G_B, g^y, g^x)$
$G_A = \{A, g^a\}_{TA}$, $G_B = \{B, g^b\}_{TA}$
$k = g^{f(a,x) f(b,y)}$
[Derivation diagram as on slide 54]
67
MQV refinements
Messages:
$g^x$
$g^y$, $g^b$, H
$g^x$, $g^a$, $g^y$, H, $E_k(G_A, g^x, g^b, g^y)$
$E_k(G_B, g^y, g^x)$
$G_A = \{A, g^a\}_{TA}$, $G_B = \{B, g^b\}_{TA}$
$k = g^{f(a,x) f(b,y)}$
[Derivation diagram as on slide 54]
68
MQV refinements
Messages:
$g^x$, $g^a$
$g^y$, $g^b$, H
$g^x$, $g^a$, $g^y$, $g^b$, H, $E_k(G_A, g^x, g^y)$, #(I)
$E_k(G_B, g^y, g^x)$, #(R)
$G_A = \{A, g^a\}_{TA}$, $G_B = \{B, g^b\}_{TA}$
$k = g^{f(a,x) f(b,y)}$
[Derivation diagram as on slide 54]
69
Summary
[Diagram; nodes: CR, STS, JFK, DH, KA, MQV, MQV+; step labels: 1, 2, 3, 4]
70
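Summary
[Diagram: message flows, one group per line]
• $m_A$ / $m_B$
• $g^x$ / $g^y$, $C_B$, Hmn / $g^x$, $g^y$, Hmn, $E_k$ / $E_k$
• c / r
• $g^x$ / $g^y$
• $g^x$, $G_A$ / $g^y$, $G_B$
• $g^x$ / $g^y$, $C_B$, $E_K$ / $C_A$, $E_K$
• $g^x$ / $g^y$, $g^b$, H n / $g^x$, $g^a$,… H, $E_k$ / $E_k$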
71
Future work
• Populate taxonomy
• Interface crypto
• complexity algebra
• Quantify utility
• evolutionary equilibria
• distributed fixpoint programming