1 protocol composition and refinement patterns february, 2003 dusko pavlovic kestrel institute

1

Protocol compositionand refinement patternsProtocol composition

and refinement patterns

February, 2003

Dusko PavlovicKestrel Institute

2

ProtocolsProtocols

3

ProtocolsProtocols

&d

p(d)$p(d)

dA B

wants = 0has = d + $(a-p(d)) has = $p(d)

has = dwants = dhas = $a

4

&dp(d)

$p(d)d

A B

abstraction

ProblemProblem

5

SolutionSolution

&dp(d)

$p(d)d

A B

6

refinement

SolutionSolution

&dp(d)

$p(d)d

A B

7

“Security Science”“Security Science”

logic(belief, knowledge)

process(CSP,CCS,spi)

crypto(next 700 models)

security

8





security

security protocols

“idealizations”

9





security

propositions-as-typesproofs-as-processes

security protocols

Dolev-Yao

10

Derivational approachDerivational approach

Protocol derivation

• components

• refinements

• transformations

Proof derivation

• axioms

• proof rules

• proof transformations

truth is just anothersecurity property

• derivation patterns

11

OutlineOutline

• Protocol logic

• Derivation patterns1. Authenticated DH

• CR STS

2. Identity and DoS protection

• STS JFK

3. DH refinements

• KAMQV

4. Combine 2. and 3.

• MQVMQV+

• Tool demo

12

PapersPapers

• Deriving, attacking and defending

GDOI

– with C. Meadows» submitted

• Abstraction and refinement in

protocol derivation

– with A. Datta and A. Derek and J. Mitchell» to appear in Proceedings of CSFW 2004

• Secure protocol composition

– with A. Datta and A. Derek and J. Mitchell

» Proceedings of MFPS 2003 (ext. abstract in

FMCS 2003)

• Derivation system for security protocols and its logical formalization

– with A. Datta and A. Derek and J. Mitchell» Proceedings of CSFW 2003

• Compositional logic for protocol correctness

– with N. Durgin and J. Mitchell» JCS 2003 (eariler version in CSFW 2001)

• Composition and refinement of behavioral specifications

– with D. Smith» ASE 2002

• Guarded transitions in evolving specifications

– with D. Smith» AMAST 2002

http://www.kestrel.edu/users/pavlovic/

13

Protocol logicProtocol logic

• term calculus

• names, variables

• operations

• equality

• action calculus

• send at:ABC

• receive b(x: XY)Z

• new (x)C

• match (t/p(x))C

• tR (x)S R S(t/x)

• (p(t)/p(x))R R(t/x)

14


• atomic predicates

• a = b -- actions a and b are equal

• a -- action a has occurred

• a < b -- action a has occurred before b

• e.g.,

• tA < (x)Y -- some tA precedes some (x)Y

• a = tA -- a is in the form tA

• sA = tB -- s = t and A = B

15


• statements

• A : () »

• e.g.,

• A : (x) »

cABxA <((rABx))A

cABxA < ((cABx))B < rABxB <((rABx))A

16


• abbreviations

• (t) (x)(x/t)

• t U(t/x)

• ((t)) (U(t/x))

• tA< a = tA b = tB . a ≤ b

• tA< a = tA b = tB . a ≤ b

• t U(t/x)

• H(t,x) UHV(t,x) | X,YZ

17


• general axioms

• (t) a = t a < (t)

(rcv)

• (x)M aA. x FV(a) (x) < aA (new)

A ≠ M (x)M < xM < ((x))A ≤ aA

18


• challenge-response axiom

• A : (x) »

(cr)

cABxA < ((rABx))A

cABxA < ((cABx))B < rABxB <((rABx))A

(x)A

cABxA

((rABx))A

((cABx))B

rABxB

19

Challenge-responseChallenge-response

CR

CRK

CRKICRKO

CRP

CRECRS

20

CR


CRK

CRKICRKO

CRP

CRECRS

A B

m

rABm

cABm

21

CR


CRK

CRKICRKO

CRP

CRECRS

A: (m)A< cABmA <(rABm)A

» cABmA < ((rABm))A

cABmA<((cABm))B<rABmB<((rABm))A

A: (m)A< cABmA<((cABm))B<

rABmB< (rABm)A

22

CR


CRK

CRKICRKO

CRP

CRECRS

A B

m

SB(A,m)

m

SBt = SBu t = u (sig1)

SBt X< X=B (sig2)

VB(y,t) y = SBt (sig3)

23

CR


CRK

CRKICRKO

CRP

CRECRS

SBt = SBu t = u (sig1)

SBt X< X=B (sig2)

VB(y,t) y = SBt (sig3)

(sig1) (sig2) (sig3) (cr)

24

CR


CRK

CRKICRKO

CRP

CRECRS

A B

m

m

EB(A,m)

(m)A<EBmA <mX< (enc)

X=A X=B

25

CR


CRK

CRKICRKO

CRP

CRECRS

A B

m

KAB(A,m)

m

KABt = KABu t = u (hk1)

KABt X< X=A X=B (hk2)

26

CR


CRK

CRKICRKO

CRP

CRECRS

A B

m

m

KAB(A,m)

KABt = KABu t = u (hk1)

KABt X< X=A X=B (hk2)

27

Composing authenticationComposing authentication

SBm

mm

SAn

nn

CRS[A,B] CRS[B,A]

NestSeq

2CRSSeq

SAn

n, SBmn

mm

SBm

2CRSNest

SAn

nn

mm

28


SBm

mm

SAn

nn

CRS[A,B] CRS[B,A]

SB(m,n)

PoP STS0

NestSeq

SA(n,m)

n, SB(m,n)n

mm

SA(m,n)

nn

mm

29

Reasoning in PoPReasoning in PoP

((m))B

SB(m,y)B

(m)A

mA

(n)A

SA(m,n)A

(SB(m,n))A

nY<

(rcv)

n = y

(sig1) n = y

yB

(SA(m,y))B

(y)B

30

Reasoning in PoPReasoning in PoP

((m))B

SB(m,y)B

(m)A

mA

(n)A

SA(m,n)A

(SB(m,n))A

nY<

(rcv)

n = y

(sig1) n = y

yB

(SA(m,y))B

(y)B

31


SBm

mm

SAn

nn

CRS[A,B] CRS[B,A]

SB(m,n)

PoP STS0

NestSeq

SA(n,m)

n, SB(m,n)n

mm

SA(m,n)

nn

mm

32

STS familySTS family

m=gx, n=gy

k=gxy

STSa

STSH

STS0

distributecertificates

cookie

openresponder

JFK0

symmetrichash

JFK

protect identities

STSP

STS0H

STSaH

STS JFK1

STSPH

RFK

33

m=gx, n=gy

k=gxy

m

SB(m,n),n

SA(n,m)



cookie

openresponder

symmetrichash

protect identities

STS0 STS0H

STSa STSaH JFK0

STS STSH JFK1

STSP STSPH JFK

RFK

34

m=gx, n=gy

k=gxy



cookie

openresponder

m

n, Hmn

m, n, Hmn,SA(m,n)

SB(n,m)

symmetrichash

protect identities

STS0 STS0H

STSa STSaH JFK0

STS STSH JFK1

STSP STSPH JFK

RFK

35

m=gx, n=gy

k=gxy

m

CB, SB(m,n),n

CA, SA(n,m)



cookie

openresponder

symmetrichash

protect identities

STS0 STS0H

STSa STSaH JFK0

STS STSH JFK1

STSP STSPH JFK

RFK

36

m=gx, n=gy

k=gxy

m

n, Hmn

m, n, Hmn,CA, SA(m,n)

CB, SB(n,m)



cookie

openresponder

symmetrichash

protect identities

STS0 STS0H

STSa STSaH JFK0

STS STSH JFK1

STSP STSPH JFK

RFK

37

m=gx, n=gy

k=gxy

m

n, CB, Hmn

m, n, Hmn,CA, SA(m,n)

SB(n,m)



cookie

openresponder

protect identities

symmetrichash

STS0 STS0H

STSa STSaH JFK0

STS STSH JFK1

STSP STSPH JFK

RFK

38

m=gx, n=gy

k=gxy

m

n, CB, Ek(SB(n, m))

CA, Ek(SA(m,n))

m=gx

n=gy

k=gxy



cookie

openresponder

protect identities

symmetrichash

STS0 STS0H

STSa STSaH JFK0

STS STSH JFK1

STSP STSPH JFK

RFK

39

m

n, Hmn

m, n, Hmn,CA, Ek(SA(m,n))

CB, Ek(SB(n, m))

m=gx

n=gy

k=gxy

m=gx, n=gy

k=gxy



cookie

openresponder

protect identities

symmetrichash

STS0 STS0H

STSa STSaH JFK0

STS STSH JFK1

STSP STSPH JFK

RFK

40

m=gx, n=gy

k=gxy



cookie

openresponder

m

n, CB, Hmn

m, n, Hmn,CA,Ek(SA(m,n,CB))

Ek(SB(n, m))

m=gx

n=gy

k=gxy

protect identities

symmetrichash

STS0 STS0H

STSa STSaH JFK0

STS STSH JFK1

STSP STSPH JFK

RFK

41

m

n, Ek(CB, SB(n, m))

Ek(CA, SA(m,n))

m=gx

n=gy

k=gxy

m=gx, n=gy

k=gxy



cookie

openresponder

symmetrichash

protect identities

STS0 STS0H

STSa STSaH JFK0

STS STSH JFK1

STSP STSPH JFK

RFK

42

m

n, Hmn

m, n, Hmn,Ek(CA, SA(m,n))

Ek(CB, SB(n, m))

m=gx

n=gy

k=gxy

m=gx, n=gy

k=gxy



cookie

openresponder

symmetrichash

protect identities

STS0 STS0H

STSa STSaH JFK0

STS STSH JFK1

STSP STSPH JFK

RFK

43

m=gx, n=gy

k=gxy



cookie

openresponder

symmetrichash

protect identities

m

n, CB, Hmn

m, n, Hmn,Ek(CA, SA(m,n,CB))

Ek(SB(n, m))

m=gx

n=gy

k=gxy

STS0 STS0H

STSa STSaH JFK0

STS STSH JFK1

STSP STSPH JFK

RFK

44

m

n, Hmn

m, n, Hmn,Ek(CA,SA(m,n)), #(I)

Ek(CB,SB(n, m)), #(R)

m=gx

n=gy

k=gxy

m=gx, n=gy

k=gxy


STS0H

STSaH

STS

STSPH

JFK1


cookie

openresponder

symmetrichash

protect identities

RFK

STS0

STSa JFK0

STSH

STSP JFK

45

MQV familyMQV family

MTI/A

MQV

KA

MTI/B

DH

MTI/C

UM

46


mA

mB

KA

DH

MTI/B MTI/C

MTI/A

UM

MQV

47


gx

gy

k=gxy

KA

DH

MTI/B MTI/C

MTI/A

UM

MQV

48

(gb)x

(ga)y

k=(gay)1/a gx =(gbx)1/b gy


KA

DH

MTI/B MTI/C

MTI/A

UM

MQV

49


(gb)x

(ga)y

k=(gay)x/a =(gbx)y/b

KA

DH

MTI/B MTI/C

MTI/A

UM

MQV

50


gx, GA

gy , GB

k = {(gy)a (gb)x}

= {(gx)b (ga)y}

GA={A,ga}TA

GB={B,gb}TA

KA

DH

MTI/B MTI/C

MTI/A

UM

MQV

51


gx, GA

gy , GB

k = {(gy)a ||(gb)x} = {(gx)b || (ga)y}

GA={A,ga}TA

GB={B,gb}TA

k = {(gy)x ||(gb)a} = {(gx)y || (ga)b}or

KA

DH

MTI/B MTI/C

MTI/A

UM

MQV

52


gx, GA

gy , GB

k = gf(a,x) f(b,y) where

GA={A,ga}TA

GB={B,gb}TA

f(a,x) = agx + x

KA

DH

MTI/B MTI/C

MTI/A

UM

MQV

53


DH

MTI/C

UM

gx, GA

gy , GB

k = gf(a,x) f(b,y) where

GA={A,ga}TA

GB={B,gb}TA

f(a,x) = agx + x gf(a,x) = F(ga, gx) is 1-way in gx.

E.g., given a one-way function H(n), such

that H(gx) = gh(x), take

F(m,n)= m H(n) and f(a,x) = a+h(x)

gf(a,x) = F(ga, gx) is 1-way in gx.

E.g., given a one-way function H(n), such

that H(gx) = gh(x), take

F(m,n)= m H(n) and f(a,x) = a+h(x)

KA

MTI/B

MTI/A

MQV

54

add certificatesk=gf(a,x)f(b,y)

m=gx, n=gy

k=gxy

MQV refinementsMQV refinements

cookie

openresponder

symmetrichash

JFK

STSP

MQVCP

KA

key

keyconf.

MQVJFK

authenticate

protect identities

encryption

signature

DH

RFK

symmetrichash

STSa

STS STSPH

MQV MQVCMQVCPH

MQVRFK

55

mA

mB


m=gx, n=gy

k=gxy


cookie

openresponder

symmetrichash

key

keyconf.

authenticate

protect identities

encryption

signature

KA STSa

DH STS STSP STSPH

JFK

MQV

RFK

MQVC MQVCPMQVCPH

MQVJFK

MQVRFK

56

mA

mB, CB, SB(n, mA)

CA, SA(mA, mB)


m=gx, n=gy

k=gxy


cookie

openresponder

symmetrichash

key

keyconf.

authenticate

protect identities

encryption

signature

KA STSa

DH STS STSP STSPH

JFK

MQV

RFK

MQVC MQVCPMQVCPH

MQVJFK

MQVRFK

57

gx

gy


m=gx, n=gy

k=gxy


cookie

openresponder

symmetrichash

key

keyconf.

authenticate

protect identities

encryption

signature

KA STSa

DH STS STSP STSPH

JFK

MQV

RFK

MQVC MQVCPMQVCPH

MQVJFK

MQVRFK

58

gx

gy, CB, Ek(SB(gy,gx))

CA, Ek(SA(gx, gy))

k=gxy


m=gx, n=gy

k=gxy


cookie

openresponder

symmetrichash

key

keyconf.

authenticate

protect identities

encryption

signature

KA STSa

DH STS STSP STSPH

JFK

MQV

RFK

MQVC MQVCPMQVCPH

MQVJFK

MQVRFK

59

gx

gy, Ek(CB, SB(gy,gx))

Ek(CA, SA(gx, gy))k=gxy


m=gx, n=gy

k=gxy


cookie

openresponder

symmetrichash

key

keyconf.

authenticate

protect identities

encryption

signature

KA STSa

DH STS STSP STSPH

JFK

MQV

RFK

MQVC MQVCPMQVCPH

MQVJFK

MQVRFK

60

gx

gy, Hgx, gy, H, Ek(CA, SA(gx, gy))

Ek(CB, SB(gy, gx)) k=gxy


m=gx, n=gy

k=gxy


cookie

openresponder

symmetrichash

key

keyconf.

authenticate

protect identities

encryption

signature

KA STSa

DH STS STSP STSPH

JFK

MQV

RFK

MQVC MQVCPMQVCPH

MQVJFK

MQVRFK

61

gx

gy, CB, H,gx, gy, H, Ek(CA, SA(gx, gy, CB))

Ek(SB(gy, gx)) k=gxy


m=gx, n=gy

k=gxy


cookie

openresponder

symmetrichash

key

keyconf.

authenticate

protect identities

encryption

signature

KA STSa

DH STS STSP STSPH

JFK

MQV

RFK

MQVC MQVCPMQVCPH

MQVJFK

MQVRFK

62

gx

gy, H,gx, gy, H, Ek(CA, SA(gx, gy)), #(I)

Ek(CB, SB(gy, gx)), #(R) k=gxy


m=gx, n=gy

k=gxy


cookie

openresponder

symmetrichash

key

keyconf.

authenticate

protect identities

encryption

signature

KA STSa

DH STS STSP STSPH

JFK

MQV

RFK

MQVC MQVCPMQVCPH

MQVJFK

MQVRFK

63


m=gx, n=gy

k=gxy


cookie

openresponder

symmetrichash

key

keyconf.

authenticate

protect identities

encryption

signature

gx, GA

gy, GB

GA={A,ga}TA

GB={B,gb}TA

k=gf(a,x)f(b,y)

KA STSa

DH STS STSP STSPH

JFK

MQV

RFK

MQVC MQVCPMQVCPH

MQVJFK

MQVRFK

64


m=gx, n=gy

k=gxy


cookie

openresponder

symmetrichash

key

keyconf.

authenticate

protect identities

encryption

signature

GA={A,ga}TA

GB={B,gb}TA

k=gf(a,x)f(b,y)

gx, ga

gy,GB,Ek(gy,gx)

GA, Ek(gx, gy)

KA STSa

DH STS STSP STSPH

JFK

MQV

RFK

MQVC MQVCPMQVCPH

MQVJFK

MQVRFK

65


m=gx, n=gy

k=gxy


cookie

openresponder

symmetrichash

key

keyconf.

authenticate

protect identities

encryption

signature

GA={A,ga}TA

GB={B,gb}TA

k=gf(a,x)f(b,y)

gx, ga

gy,gb, Ek(GB,gy,gx)

Ek(GA,gx, gy)

KA STSa

DH STS STSP STSPH

JFK

MQV

RFK

MQVC MQVCPMQVCPH

MQVJFK

MQVRFK

66


m=gx, n=gy

k=gxy


cookie

openresponder

symmetrichash

key

keyconf.

authenticate

protect identities

encryption

signature

GA={A,ga}TA

GB={B,gb}TA

k=gf(a,x)f(b,y)

gx, ga

gy, gb, H,gx, ga, gy, gb, H, Ek(GA,gx,gy))

Ek(GB,gy,gx)

KA STSa

DH STS STSP STSPH

JFK

MQV

RFK

MQVC MQVCPMQVCPH

MQVJFK

MQVRFK

67

GA={A,ga}TA

GB={B,gb}TA

k=gf(a,x)f(b,y)

gx

gy, gb, H,gx, ga, gy, H, Ek(GA,gx, gb, gy))

Ek(GB,gy, gx)


m=gx, n=gy

k=gxy


cookie

openresponder

symmetrichash

key

keyconf.

authenticate

protect identities

encryption

signature

KA STSa

DH STS STSP STSPH

JFK

MQV

RFK

MQVC MQVCPMQVCPH

MQVJFK

MQVRFK

68


m=gx, n=gy

k=gxy


STSa

STSPH

cookie

openresponder

symmetrichash

MQVCPHMQV MQVC

key

keyconf.

MQVRFK

authenticate

protect identities

encryption

signature

STS

gx, ga

gy, gb, H,gx, ga, gy, gb, H, Ek(GA,gx,gy), #(I)

Ek(GB,gy,gx), #(R)

GA={A,ga}TA

GB={B,gb}TA

k=gf(a,x)f(b,y)

KA

DH STSP

JFK

RFK

MQVCP

MQVJFK

69

SummarySummary

STS

CR

1

JFK2

DH

MQV

KA

3

MQV+4

70

SummarySummary

mA

mB

gx

gy, CB, Hmn

gx, gy, Hmn,Ek

Ek

c

r

gx

gy

gx, GA

gy, GB

gx

gy, CB, EK

CA , EK

gx

gy, gb, H n

gx, ga,… H, Ek

Ek

71

Future workFuture work

• Populate taxonomy

• Interface crypto• complexity algebra

• Quantify utility• evolutionary equilibria

• distributed fixpoint programming

1 protocol composition and refinement patterns february, 2003 dusko pavlovic kestrel institute

Documents

b slide

models security slide

b abstraction problem

refinement solution

security science logic

protocol logic statements

protocol correctness

models security propositions