The Formal Method CAPSL
Kyle Taylor, Zhenxiao Yang


CAPSL
Common Authentication Protocol Specification Language
Message list protocol description
    A -> B: {A, Na}PB
    B -> A: {Na, Nb}PA
    A -> B: {Nb}PB
[Figure: message sequence chart between A and B showing the messages {A, Na}PB, {Na, Nb}PA, {Nb}PB]

Overview

CAPSL Notation
Declarations
  – Imports
  – Types
  – Variables
  – Functions
  – Constants
Modules
  – Typespec
  – Protocol
  – Environment

Typespec
Introduce New Types
Define Functions for a Type
Extend Existing Types
Syntax
  – Declarations
  – Axioms
    TYPESPEC PPK;
    IMPORTS SPKE;
    TYPES PKUser: Principal;
    FUNCTIONS
      pk(PKUser): Pkey;
      sk(PKUser): Pkey, PRIVATE;
    VARIABLES
      A: PKUser;
      X: Field;
    AXIOMS
      ped(sk(A), ped(pk(A), X)) = X;
      ped(pk(A), ped(sk(A), X)) = X;
      INVERT ped(pk(A), X): X | sk(A);
      INVERT ped(sk(A), X): X | pk(A);
    END;

Protocol
The Message List
Syntax
  – Declaration
  – Assumptions
  – Messages
  – Goals
    PROTOCOL Simple;
    VARIABLES
      A, B: Principal;
      K: Skey, FRESH, CRYPTO;
      F: Field;
    ASSUMPTIONS
      HOLDS A: B;
    MESSAGES
      A -> B: {A,K}pk(B);
    GOALS
      SECRET K;
    END;

Protocol Declaration and Assumptions
Declaration
  – DENOTES
    Allows a variable to be defined as the value of an expression
Assumptions
  – Boolean-valued terms or equalities
  – BELIEVES
    Used to indicate an initial belief
  – HOLDS
    Used to indicate knowledge of another entity
  – KNOWS
    Belief plus truth
Example:
    BELIEVES A : BELIEVES B : HOLDS A : K

Protocol Messages
Message Format
  – id. sender -> receiver : field, …;
Concatenation of Fields
  – {,} denotes associative concatenation
  – [,] denotes non-associative concatenation
Encryption
  – Built-in functions ped(), pk(), se(), sd()
  – {A, K}pk(B) == ped(pk(B), {A, K})
  – {X}K == se(K, X) and {X}'K == sd(K, X)

Protocol Messages Continued
Arithmetic
  – Allows +, -, *, /, and ^ with built-in type Skey
%-operator
  – Distinguishes between the sender's and the receiver's view of a message
  – {A%B, C%D}
    Sender constructs {A, C}
    Receiver constructs {B, D}

Protocol Messages Continued
Actions
  – Assignment or comparison test
  – Assume and Prove
    Assumptions and Goals that are associated with intermediate states rather than initial and final states
Phrases
  – Phrase = message + actions before and after it
  – "/" used to separate receiver actions from sender actions
    A -> B: X; X < Y;/ A -> C: Z;

Protocol Messages Continued
Subprotocols
  – A protocol may invoke a different protocol using INCLUDE P;
  – No statements may follow an INCLUDE
Conditional Selection
    IF A=B THEN INCLUDE P2;
    ELSE INCLUDE P3;
    ENDIF;

Protocol Goals
States security objectives
SECRET V : P1, …
  – Variable V is a secret shared only by P1, …
PRECEDES A : B | V1, V2
  – If B reaches its final state, it agrees with A on V1, V2
AGREE A, B : V1, … | W1, …
  – If A and B agree on W1 then they must agree on V1

Environment
Used for setup
Syntax
  – Declaration
  – Agent
    Defines roles
  – Exposed
    Defines initial knowledge of an attacker
  – Axioms
    Defines assumptions about constants
  – Order
    Specifies series/parallel sequencing of agents
    ENVIRONMENT Test;
    IMPORTS NSPK;
    CONSTANTS
      Alice, Bob: PKUser;
      Mallory: PKUser, EXPOSED;
    AGENT A1 HOLDS
      A = Alice;
      B = Bob;
    AGENT B1 HOLDS
      B = Bob;
    EXPOSED
      {Bob}sk(Alice);
    END;

Needham-Schroeder Public Key Handshake
    ENVIRONMENT Test;
    IMPORTS NSPK;
    CONSTANTS
      Alice, Bob: PKUser;
      Mallory: PKUser, EXPOSED;
    AGENT A1 HOLDS
      A = Alice;
      B = Bob;
    AGENT B1 HOLDS
      B = Bob;
    EXPOSED
      {Bob}sk(Alice);
    END;

    PROTOCOL NSPK;
    VARIABLES
      A, B: PKUser;
      Na, Nb: Nonce, CRYPTO;
    ASSUMPTIONS
      HOLDS A: B;
    MESSAGES
      A -> B: {A, Na}pk(B);
      B -> A: {Na, Nb}pk(A);
      A -> B: {Nb}pk(B);
    GOALS
      SECRET Na;
      SECRET Nb;
      PRECEDES A: B | Na;
      PRECEDES B: A | Nb;
    END;

CIL
CAPSL Intermediate Language
Two purposes
  – Defines CAPSL Semantics
  – Interface to tool support
Uses Multiset Term Rewriting Rules

CIL Design
General and expressive enough to represent a wide range of protocols
At a low enough level to be useful to verification and model checking tools
Represents state transitions in a pattern-matching style, with symbolic terms to represent encryption and other computations

Rewrite Rules
    0 + x -> x
    s(x) + y -> s(x + y)
    0 * x -> 0
    s(x) * y -> y + (x * y)
    fact(0) -> s(0)
    fact(s(x)) -> s(x) * fact(x)
    gcd(0, x) -> x
    gcd(x, x+y) -> gcd(x, y)
Examples
    fact(s(s(0)))
      -> s(s(0)) * fact(s(0))
      -> s(s(0)) * s(0) * fact(0)
      -> s(s(0)) * s(0) * s(0)
      -> s(s(0)) * s(0) + (0 * s(0))
      -> s(s(0)) * s(0) + 0
      -> s(s(0)) * s(0)
      -> s(s(0)) + (0 * s(s(0)))
      -> s(s(0)) + 0
      -> s(s(0)) = 2
    s(s(s(0))) = 3
    s(0) + (0 * s(0))
      -> s(0) + 0
      -> s(0) = 1
    gcd(s(s(s(s(0)))), s(s(0)))
      -> gcd(s(s(0)), s(s(0)))
      -> gcd(0, s(s(0)))
      -> s(s(0)) = 2

Multi-Set Rewrite
F1, …, Fk → (∃X1, …, Xm) G1, …, Gn
  – ∀i,j: Fi and Gj are facts
  – Existentially quantified variables are instantiated with fresh (unused) constants
A rule is eligible to fire when the facts on the left side can be matched with facts in the multiset
When a rule fires, facts on the left side of the rule are removed from the multiset and facts on the right side of the rule are inserted into the multiset after being instantiated according to the substitution required by the pattern match.

MSR Example
Rule that defines two new agents
  – → A0(A, B), B0(B)
The message "A → B: A, {N}sk(A)" results in at least two rules
  – A0(A, B) → (∃N) A1(A, B, N), M(A, B, {A, {N}sk(A)})
  – B0(B), M(X, B, {A, {N}sk(A)}) → B1(B, A, N)
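
The two rules for the message "A → B: A, {N}sk(A)" can be run on a small multiset rewriting engine that matches left-side facts, removes them, instantiates the existential variable with a fresh constant and inserts the right-side facts. The Python below is an added example, not part of the original slides or of the CAPSL/CIL tools; the tuple encoding of facts, the "?"-prefixed variables and the "cat" constructor for concatenation are assumptions, and the multiset is seeded with the facts A0(alice, bob), B0(bob) that the agent-creation rule would produce.

```python
import itertools
FRESH = itertools.count(1)  # supply of fresh (unused) constants

def match(pat, term, env):
    """Match a pattern against a ground term; '?x' strings are variables."""
    if isinstance(pat, str) and pat.startswith("?"):
        return {**env, pat: term} if env.get(pat, term) == term else None
    if not (isinstance(pat, tuple) and isinstance(term, tuple) and len(pat) == len(term)):
        return env if pat == term else None
    for p, t in zip(pat, term):
        if (env := match(p, t, env)) is None:
            return None
    return env

def subst(pat, env):
    return tuple(subst(p, env) for p in pat) if isinstance(pat, tuple) else env.get(pat, pat)

def find(lhs, facts, env):
    """Bind each left-side pattern to a distinct fact; return (env, leftover facts)."""
    if not lhs:
        return env, facts
    for i, fact in enumerate(facts):
        e = match(lhs[0], fact, env)
        found = e is not None and find(lhs[1:], facts[:i] + facts[i + 1:], e)
        if found:
            return found
    return None

def fire(rule, facts):
    """Fire one rule on the multiset (a list); return None if it is not eligible."""
    lhs, exists, rhs = rule
    found = find(lhs, facts, {})
    if found is None:
        return None
    env, rest = found
    env = {**env, **{v: f"n{next(FRESH)}" for v in exists}}  # instantiate (exists N)
    return rest + [subst(g, env) for g in rhs]

# {A, {N}sk(A)} as a symbolic term; the "cat" constructor name is an assumption.
MSG = ("cat", "?A", ("ped", ("sk", "?A"), "?N"))
RULES = [  # (left side, existential variables, right side)
    ([("A0", "?A", "?B")], ["?N"], [("A1", "?A", "?B", "?N"), ("M", "?A", "?B", MSG)]),
    ([("B0", "?B"), ("M", "?X", "?B", MSG)], [], [("B1", "?B", "?A", "?N")]),
]

def run(facts):
    """Fire rules until none is eligible; return the final multiset."""
    new = next((n for r in RULES if (n := fire(r, facts)) is not None), None)
    return facts if new is None else run(new)
```

Calling `run([("A0", "alice", "bob"), ("B0", "bob")])` consumes the message fact and leaves A1 and B1 holding the same fresh nonce. B's rule is not eligible for a message whose inner key sk(...) names a different principal than the first field, because the pattern binds A in both places.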

Translation Output
Slot Table
  – Maps each protocol variable to an argument position in the state predicate of each role
Symbol Table
  – Contains all identifiers declared in all the specification modules
Axioms
  – Single list generated from Typespec and Environment
Localized Assumptions and Goals
  – Axioms localized to a particular state
Protocol Rewrite Rules
  – MSR rules
Environment Information
  – CIL AST representation of an Environment

Translation Stages
Parsing
  – Checks syntax and produces a parse tree
Type Checking
  – Confirms consistency of type and signature declarations
Syntax Transformations
  – Syntactic sugar is removed
Rule Generation
  – Creation of rewrite rules from messages and actions
Local Assertions
  – Transformation of Assertions from interleaved to Associated
Optimization
  – Reduces the number of rules and the number of states per role by 50%

CAPSL Example AP1.0

CAPSL Example AP1.0 (cont'd)
    PROTOCOL AP10;
    VARIABLES
      A, B: Principal;
    ASSUMPTIONS
      HOLDS A: B;
    MESSAGES
      A -> B: A;
    END;

CAPSL Example AP2.0

CAPSL Example AP2.0 (cont'd)
    PROTOCOL AP20;
    VARIABLES
      A, B: Principal;
      IP: Field;
    ASSUMPTIONS
      HOLDS A: B, IP;
    MESSAGES
      A -> B: {A,IP};
    END;

CAPSL Example AP3.0

CAPSL Example AP3.0 (cont'd)
    PROTOCOL AP30;
    VARIABLES
      A, B: Principal;
      C: Field;
      P: Field, CRYPTO;
    ASSUMPTIONS
      HOLDS A: B, P;
      HOLDS B: C;
    MESSAGES
      A -> B: {A, P};
      B -> A: C;
    END;

CAPSL Example AP4.0

CAPSL Example AP4.0 (cont'd)
    PROTOCOL AP40;
    VARIABLES
      A, B: Principal;
      R: Nonce;
      K: Skey;
      S: Field;
    ASSUMPTIONS
      HOLDS A: B, K;
      HOLDS B: K, S;
    MESSAGES
      A -> B: A;
      B -> A: R;
      A -> B: {R}K;
      B -> A: S;
    END;

CAPSL Example AP5.0

CAPSL Example AP5.0 (cont'd)
    PROTOCOL AP50;
    VARIABLES
      A, B: PKUser;
      R: Nonce;
      C, S: Field;
    ASSUMPTIONS
      HOLDS A: B;
      HOLDS B: S, C;
    MESSAGES
      A -> B: A;
      B -> A: R;
      A -> B: {R}sk(A);
      B -> A: S;
      A -> B: pk(A);
      B -> A: C;
    END;

CAPSL Example AP5.0 (cont’d)

Tools Support
Translators
Connectors
Maude, PVS, NRL, etc.

Translator
CAPSL Parser and Type Checker
  – Checks syntax and type consistency
Rule Generator
  – Uses Maude to generate CIL rewrite rules
CIL Optimizer
  – Optimizes CIL while preserving behavior

Connectors
Objective
  – A bridge between CIL and various analyzer tools
Example Connectors
  – cil2pvs
  – cil2maude

Maude
Rewriting Logic Interpreter
Contains an LTL Model Checker
Reflective Computation Through Meta-Level Modules

Conclusion and Discussions
Good Idea
  – Unambiguous because of CIL
  – Simple to describe protocols
  – Inflexible in that it only specifies protocols
  – The power of this language is in the tool support
  – Insightful in the abstraction of the tool support
More Connectors Needed
Better documentation of Tool Support
MuCAPSL
