Presentation is loading. Please wait.

Presentation is loading. Please wait.

Iliano Cervesato ITT Industries, NRL Washington, DC

Published byErica McDaniel Modified over 6 years ago

Similar presentations

Presentation on theme: "Iliano Cervesato ITT Industries, NRL Washington, DC "— Presentation transcript:

1 Relating Multiset Rewriting and Process Algebra for Immediate Decryption Protocols
Iliano Cervesato ITT Industries, NRL Washington, DC Joint work with S. Bistarelli, G. Lenzini, and F. Martinelli UMBC meeting June 10-11, 2003

2 Objective Non-Objective (for now)
Relate specification languages for security protocols MSR <-> strands [CSFW’00] MSR <-> linear logic [MFPS’00] MSR <-> Process Algebras Non-Objective (for now) Reachability analysis <-> bisimulation Verification methodologies not considered MSR <-> PA

3 Why MSR? Model of specification underlies numerous languages and tools
CIL/CAPSL NRL Protocol Analyzer Paulson’s Isabelle specifications Murf Simple and well-understood foundations Distributed systems Petri nets Linear logic Rewriting theory MSR <-> PA

4 Multiset Rewriting + Existentials
msets of 1st-order atomic formulas Rules: r: F(x)  n. G(x,n) Application This is MSR 1.0 r M’, F(t)  M’, G(t,c) M  M2 MSR 2.0: + strong typing + constraints + domain-specific enhancements c not in M1 MSR <-> PA

5 Which Process Algebra? “PA” Inspired to
CCS p-calculus Only primitives used for protocols As a programming language for protocols Reachability Not simulation/equivalence MSR <-> PA

6 Q || a(t).P || a(t’).P’ -> Q || P || [q]P’
Sequential processes P ::= 0 | a(t).P | a(t).P | nx.P Parallel processes Q ::= 0 | P || Q | !P || Q (P, ||, 0) monoid Equivalence  Reaction t = [q]t’ Q || a(t).P || a(t’).P’ -> Q || P || [q]P’ MSR <-> PA

7 MSR  PA … in General Very different paradigms Non trivial
state transition PA contact evolution Non trivial MSR -> PA: granularity of actions PA -> MSR: excise state Reachability-preserving Non bijective Many attempts in the literature Chemical abstract machine, … MSR <-> PA

8 MSR  PA … for Protocols Much simpler! Take natural specifications
in MSR in PA Bijective correspondence (to a large extent) MSR <-> PA

9 MSR for Security Protocols
Fixed predicates N(m) Network messages I(m) Intruder info. Ai(t1,…,tni) Role states Pr, PrvK, PubK, … Persistent info. Fixed format Protocol given as set of roles Dolev-Yao intruder spec. (more freedom in MSR 2.0) MSR <-> PA

10 Captures only immediate decryption protocols
Roles in MSR One instantiation rule p(x)  $n. A0(x,n), p(x) Several execution rules Send Ai(z)  Ai+1(z), N(t) Receive Ai(z), N(t)  Ai+1(z,xt) Captures only immediate decryption protocols MSR <-> PA

11 NSPK (initiator) in MSR
pA(A,B)  A0(A,B), pA(A,B) A0(A,B)  NA. A1(A,B,NA), N({NA,A}KB) A1(A,B, NA), N({NA,NB}KA)  A2(A,B,NA,NB) A2(A,B,NA,NB)  A3(A,B,NA,NB), N({NB}KB) where pA(A,B) = Pr(A), PrvK(A,KA-1), Pr(B), PubK(B,KB) MSR <-> PA

12 MSR Configurations Rules State Ur Protocol roles rI Intruder role
N(t) Network messages Ai(t) Role state predicates p(t) Persistent knowledge I(t) Intruder knowledge MSR <-> PA

13 Security Protocols in PA
Captures only immediate decryption protocols Fixed set of name Ni, No, p, I Fixed structure of “Security Process” Q!net = ! Ni(x). No(x). 0 Network process Q!r = ||r Pr Roles ! p(x). nn. P’ input on No output on Ni Q!I Dolev-Yao Intruder Q!p Persistent information QI0 Initial intruder knowledge Q! MSR <-> PA

14 NSPK (initiator) in PA pA(A,B). nNA Ni({NA,A}KB) . No({NA,NB}KA). Ni({NB}KB) . 0 MSR <-> PA

15 Process State Q! Replicated process Q Unreplicated part
QI Intruder knowledge Qnet Buffered network messages Qr Roles in mid-execution MSR <-> PA

16 Captures only immediate decryption protocols
MSR into PA Rules Ur  Q!r + Q!net Instantiation rule  “! p(x). nn.” prefix “Ai(z)  Ai+1(z), N(t)”  Ni(t). <ri+1> “Ai(z), N(t)  Ai+1(z,xt)”  No(t). <ri+1> rI  Q!I State N(t)  Qnet Ai(t)  Qr p(t)  Q!p I(t)  QI NSPKMSR  NSPKPA MSR <-> PA

17 (for a-convertible Ai’s)
PA into MSR Essentially the inverse transformation Q!r  Ur Invent Ai’s Carry over substitutions Q!I  rI NSPKPA  NSPKMSR (for a-convertible Ai’s) MSR <-> PA

18 The Intruder 1-1 correspondence, but …
I(<x1,x2>) -> I(x1), I(x2) I(x) -> I(x), I(x) I(x1), I(x2) -> I(<x1,x2>) I(<x1,x2>). I(x1). 0 I(<x1,x2>). I(x2). 0 I(x). I(x). I(x). 0 I(x1). I(x2). I(<x1,x2>). 0 MSR <-> PA

19 Correspondence Proof technique: weak bi-simulation Observables * MSR
PA * Proof technique: weak bi-simulation Observables Network messages Intruder knowledge MSR <-> PA

20 Delayed Decryption Protocols
Arguments of Ai’s may be terms Explicit pattern matching in PA Add non-trivial complications Requires proper scheduling of matchings Matching after input may cause deadlock Solutions WITS’03 unsatisfactory Intermediate MSR with explicit scheduling MSR <-> PA

21 Conclusions … And future work Formal relation between MSR and PA
As used for security protocols Non trivial (yet mostly bijective) Technique similar to MSR <-> strands … And future work MSR 3.0 Strict comparison with spi-calculus Relating methodologies MSR <-> PA

Download ppt "Iliano Cervesato ITT Industries, NRL Washington, DC "

Similar presentations

Synthesis of Protocol Converter Using Timed Petri-Nets Anh Dang Balaji Krishnamoorthy Manoj Iyer Presented by:

Synthesis of Protocol Converter Using Timed Petri-Nets Anh Dang Balaji Krishnamoorthy Manoj Iyer Presented by:
University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Logic Programming for Verifying Security Protocols Sandro.

University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Logic Programming for Verifying Security Protocols Sandro.
Impossibility of Distributed Consensus with One Faulty Process

Impossibility of Distributed Consensus with One Faulty Process
Introduction to Petri Nets Hugo Andrés López

Introduction to Petri Nets Hugo Andrés López
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
Game-theoretic simulation checking tool Peter Bulychev, Vladimir Zakharov, Igor Konnov Moscow State University.

Game-theoretic simulation checking tool Peter Bulychev, Vladimir Zakharov, Igor Konnov Moscow State University.
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
LIFE CYCLE MODELS FORMAL TRANSFORMATION

LIFE CYCLE MODELS FORMAL TRANSFORMATION
August 27-29 2007Moscow meeting1August 27-29 2007Moscow meeting1August 27-29 2007Moscow meeting11 Deductive tools in insertion modeling verification A.Letichevsky.

August Moscow meeting1August Moscow meeting1August Moscow meeting11 Deductive tools in insertion modeling verification A.Letichevsky.
Behavioral Equivalence Hossein Hojjat Formal Lab University of Tehran.

Behavioral Equivalence Hossein Hojjat Formal Lab University of Tehran.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.
The design and implementation of a workflow analysis tool Vasa Curcin Department of Computing Imperial College London.

The design and implementation of a workflow analysis tool Vasa Curcin Department of Computing Imperial College London.
Course on Probabilistic Methods in Concurrency (Concurrent Languages for Probabilistic Asynchronous Communication) Lecture 1 The pi-calculus and the asynchronous.

Course on Probabilistic Methods in Concurrency (Concurrent Languages for Probabilistic Asynchronous Communication) Lecture 1 The pi-calculus and the asynchronous.
A Semantic Characterization of Unbounded-Nondeterministic Abstract State Machines Andreas Glausch and Wolfgang Reisig 1.

A Semantic Characterization of Unbounded-Nondeterministic Abstract State Machines Andreas Glausch and Wolfgang Reisig 1.
A Concurrent Logical Framework (Joint work with Frank Pfenning, David Walker, and Kevin Watkins) Iliano Cervesato ITT Industries,

A Concurrent Logical Framework (Joint work with Frank Pfenning, David Walker, and Kevin Watkins) Iliano Cervesato ITT Industries,
MSR 3: One Year Later Iliano Cervesato ITT Industries, NRL Washington, DC Protocol eXchange.

MSR 3: One Year Later Iliano Cervesato ITT Industries, NRL Washington, DC Protocol eXchange.
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano Cervesato ITT Industries, NRL Washington,

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano Cervesato ITT Industries, NRL Washington,
1 Synchronization strategies for global computing models Ivan Lanese Computer Science Department University of Bologna.

1 Synchronization strategies for global computing models Ivan Lanese Computer Science Department University of Bologna.
December 7, 2001DIMI, Universita’ di Udine, Italy Graduate Course on Computer Security Lecture 9: Automated Verification Iliano Cervesato

December 7, 2001DIMI, Universita’ di Udine, Italy Graduate Course on Computer Security Lecture 9: Automated Verification Iliano Cervesato
FunState – An Internal Design Representation for Codesign A model that enables representations of different types of system components. Mixture of functional.

FunState – An Internal Design Representation for Codesign A model that enables representations of different types of system components. Mixture of functional.

Similar presentations

Ads by Google