© 2005 The MITRE Corporation. All rights reserved For Internal MITRE Use Alice & Bob Specifications Jon Millen June 2005

© 2005 The MITRE Corporation. All rights reserved 2 Security Protocol Specification Languages n Alice & Bob –Textbook and article style –Specification is a normal message list A  B: {A,Na}Kb –CAPSL, Casper, HLPSL, ISL,... n Role process specifications –Separate specifications for each participant –Some form of state transition spec –Semantics is easier to understand –Varying degrees of customization, convenience Prolog, CSP, PVS, Maude, pi-calculus: existing languages MSR, CPPL, Spi-calculus: specialized languages CIL, IF: just intermediate languages –May or may not support code generation

© 2005 The MITRE Corporation. All rights reserved 3 CAPSL PROTOCOL NeedhamSchroederPK; VARIABLES A, B: PKUser; Na, Nb: Nonce, FRESH; ASSUMPTIONS HOLDS A: B; MESSAGES 1. A -> B: {Na, A}pk(B); 2. B -> A: {Na, Nb}pk(A); 3. A -> B: {Nb}pk(B); GOALS SECRET Na; SECRET Nb; PRECEDES A: B | Na; PRECEDES B: A | Nb; END; ENVIRONMENT Test1; IMPORTS NSPK; CONSTANTS Alice, Bob: PKUser; Mallory: PKUser, EXPOSED; AGENT A1 HOLDS A = Alice; B = Bob; AGENT B1 HOLDS B = Bob; END; Translated to CIL; from there to Athena, Csolve, PVS, Maude, NRL-PA, and Java code Translated to CIL; from there to Athena, Csolve, PVS, Maude, NRL-PA, and Java code

© 2005 The MITRE Corporation. All rights reserved 4 Casper -- Needham Schroeder Public Key Protocol, -- 3 message version #Free variables A, B : Agent na, nb : Nonce PK : Agent -> PublicKey SK : Agent -> SecretKey InverseKeys = (PK, SK) #Processes INITIATOR(A,na) knows PK, SK(A) RESPONDER(B,nb) knows PK, SK(B) #Protocol description 0. -> A : B 1. A -> B : {na, A}{PK(B)} 2. B -> A : {na, nb}{PK(A)} 3. A -> B : {nb}{PK(B)} #Specification Secret(A, na, [B]) Secret(B, nb, [A]) Agreement(A,B,[na,nb]) Agreement(B,A,[na,nb]) #Actual variables Alice, Bob, Mallory : Agent Na, Nb, Nm : Nonce #Functions symbolic PK, SK #System INITIATOR(Alice, Na) RESPONDER(Bob, Nb) #Intruder Information Intruder = Mallory IntruderKnowledge = {Alice, Bob, Mallory, Nm, PK, SK(Mallory)} Example from Lowe's Web page Translated to CSP and Java Translated to CSP and Java

© 2005 The MITRE Corporation. All rights reserved 5 AVISPA OFMC Page

© 2005 The MITRE Corporation. All rights reserved 6 HLPSL PROTOCOL NSPK; Identifiers A, B: user; Na, Nb: number; Ka, Kb: public_key; Knowledge A: B,Ka,Ka',Kb; B: A,Ka,Kb,Kb'; Messages 1. A -> B: {Na,A}Kb 2. B -> A: {Na,Nb}Ka 3. A -> B: {Nb}Kb Session_instances [ A:a, B:b, Ka:ka, Kb:kb ] [ A:a, B:I, Ka:ka, Kb:ki ]; Intruder divert, impersonate; Intruder_knowledge I, b, ka, kb, ki; Goal A authenticate B on Nb; Goal B authenticate A on Na;

© 2005 The MITRE Corporation. All rights reserved 7 Design Issues n A  B: source, destination; part of the message or not? (no) n Principal-to-key and key inverse relations –public_key(A,Ka) vs. pk(A) –pk(A) only (free algebra) or inverse(Kpa,Ksa) n Message views (hidden structure) and implicit message actions –Lowe "%" notation: A  B: {M}Kc%F where B sees only "blob" F n Role and parameter identification –Which parameters are independent inputs –Which nonces and session keys are generated by whom n Security goal statements n Other issues –Data types and extensibility –Attacker capabilities and knowledge –Scenario specification for model checking –Implementability checking - definedness of variables –Some of these issues apply to role process specs as well

© 2005 The MITRE Corporation. All rights reserved 8 Non sequitur: Constraint Solver (Csolve) n Bounded-process model checker in Prolog n Parametric strand specifications n SWI-Prolog/XPCE for diagrams n Working on translation from CPPL