1 Protocol composition and refinement patterns. February, 2003. Dusko Pavlovic, Kestrel Institute
2 Protocols
3 &d p(d) $p(d) d A B wants = 0 has = d + $(a-p(d)) has = $p(d) has = d wants = d has = $a
4 &d p(d) $p(d) d A B abstraction Problem
5 Solution &d p(d) $p(d) d A B
6 refinement Solution &d p(d) $p(d) d A B
7 “Security Science” logic (belief, knowledge) process (CSP,CCS,spi) crypto (next 700 models) security
8 “Security Science” logic (belief, knowledge) process (CSP,CCS,spi) crypto (next 700 models) security security protocols “idealizations”
9 “Security Science” logic (belief, knowledge) process (CSP,CCS,spi) crypto (next 700 models) security propositions-as-types proofs-as-processes security protocols Dolev-Yao
10 Derivational approach
- Protocol derivation: components, refinements, transformations
- Proof derivation: axioms, proof rules, proof transformations
- truth is just another security property
- derivation patterns
11 Outline
- Protocol logic
- Derivation patterns
  1. Authenticated DH: CR, STS
  2. Identity and DoS protection: STS, JFK
  3. DH refinements: KA, MQV
  4. Combine 2. and 3.: MQV, MQV +
- Tool demo
12 Papers
- Deriving, attacking and defending GDOI, with C. Meadows. Submitted.
- Abstraction and refinement in protocol derivation, with A. Datta, A. Derek and J. Mitchell. To appear in Proceedings of CSFW 2004.
- Secure protocol composition, with A. Datta, A. Derek and J. Mitchell. Proceedings of MFPS 2003 (ext. abstract in FMCS 2003).
- Derivation system for security protocols and its logical formalization, with A. Datta, A. Derek and J. Mitchell. Proceedings of CSFW 2003.
- Compositional logic for protocol correctness, with N. Durgin and J. Mitchell. JCS 2003 (earlier version in CSFW 2001).
- Composition and refinement of behavioral specifications, with D. Smith. ASE 2002.
- Guarded transitions in evolving specifications, with D. Smith. AMAST 2002.
http://www.kestrel.edu/users/pavlovic/
13 Protocol logic term calculus names, variables operations equality action calculus send a t:A B C receive b(x: X Y) Z new ( x) C match ( t/p(x) ) C t R (x)S R S(t/x) ( p(t)/p(x) ) R R(t/x)
14 Protocol logic atomic predicates a = b-- actions a and b are equal a-- action a has occurred a < b-- action a has occurred before b e.g., t A < (x) Y -- some t A precedes some (x) Y a = t A -- a is in the form t A s A = t B -- s = t and A = B
15 Protocol logic statements A : ( ) » e.g., A : ( x) » c AB x A <((r AB x)) A c AB x A < ((c AB x)) B < r AB x B <((r AB x)) A
16 Protocol logic abbreviations (t) (x) ( x/t ) t U(t/x) ((t)) (U(t/x)) t A< a = t A b = t B. a ≤ b t A< a = t A b = t B. a ≤ b t U(t/x) H(t,x) UHV(t,x) | X,Y Z
17 Protocol logic general axioms (t) a = t a < (t)(rcv) ( x) M a A. x FV(a) ( x) < a A (new) A ≠ M ( x) M < x M < ((x)) A ≤ a A
18 Protocol logic challenge-response axiom A : ( x) » (cr) c AB x A < ((r AB x)) A c AB x A < ((c AB x)) B < r AB x B <((r AB x)) A ( x) A c AB x A ((r AB x)) A ((c AB x)) B r AB x B
19 Challenge-response CR K CRKICRKO CR P CRE CRS
20 CR Challenge-response CR K CRKICRKO CR P CRE CRS AB m r AB m c AB m
21 CR Challenge-response CR K CRKICRKO CR P CRE CRS A: ( m) A < c AB m A <(r AB m) A » c AB m A < ((r AB m)) A c AB m A <((c AB m)) B < r AB m B <((r AB m)) A A: ( m) A < c AB m A <((c AB m)) B < r AB m B < (r AB m) A
22 CR Challenge-response CR K CRKICRKO CR P CRE CRS AB m S B (A,m) m S B t = S B u t = u (sig1) S B t X< X=B (sig2) V B (y,t) y = S B t (sig3)
23 CR Challenge-response CR K CRKICRKO CR P CRE CRS S B t = S B u t = u (sig1) S B t X< X=B (sig2) V B (y,t) y = S B t (sig3) (sig1) (sig2) (sig3) (cr)
24 CR Challenge-response CR K CRKICRKO CR P CRE CRS AB m m E B (A,m) ( m) A < E B m A < m X< (enc) X=A X=B
25 CR Challenge-response CR K CRKICRKO CR P CRE CRS AB m K AB (A,m) m K AB t = K AB u t = u (hk1) K AB t X< X=A X=B (hk2)
26 CR Challenge-response CR K CRKICRKO CR P CRE CRS AB m m K AB (A,m) K AB t = K AB u t = u (hk1) K AB t X< X=A X=B (hk2)
27 Composing authentication SBmSBm m m SAnSAn n n CRS[A,B]CRS[B,A] Nest Seq 2CRS Seq SAnSAn n, SBmn, SBm n m m SBmSBm 2CRS Nest SAnSAn n n m m
28 Composing authentication SBmSBm m m SAnSAn n n CRS[A,B]CRS[B,A] SB(m,n)SB(m,n) PoPSTS 0 Nest Seq S A (n,m) n, S B (m,n) n m m SA(m,n)SA(m,n) n n m m
29 Reasoning in PoP ((m)) B S B (m,y) B ( m) A mAmA (n) A S A (m,n) A (S B (m,n)) A n Y< (rcv) n = y (sig1) n = y yByB (S A (m,y)) B ( y) B
30 Reasoning in PoP ((m)) B S B (m,y) B ( m) A mAmA (n) A S A (m,n) A (S B (m,n)) A n Y< (rcv) n = y (sig1) n = y yByB (S A (m,y)) B ( y) B
31 Composing authentication SBmSBm m m SAnSAn n n CRS[A,B]CRS[B,A] S B (m,n) PoPSTS 0 Nest Seq S A (n,m) n, S B (m,n) n m m S A (m,n) n n m m
32 STS family. $m=g^x$, $n=g^y$, $k=g^{xy}$. Diagram labels: STS a, STS H, STS 0, distribute certificates, cookie, open responder, JFK 0, symmetric hash, JFK, protect identities, STS P, STS 0H, STS aH, STS, JFK 1, STS PH, RFK.
33 STS family. $m=g^x$, $n=g^y$, $k=g^{xy}$. Messages: $m$; $S_B(m,n), n$; $S_A(n,m)$. Diagram labels: distribute certificates, cookie, open responder, symmetric hash, protect identities, STS 0, STS 0H, STS a, STS aH, JFK 0, STS H, JFK 1, STS P, STS PH, JFK, RFK.
34 STS family. $m=g^x$, $n=g^y$, $k=g^{xy}$. Messages: $m$; $n, H_{mn}$; $m, n, H_{mn}, S_A(m,n)$; $S_B(n,m)$. Diagram labels as on slide 33.
35 STS family. $m=g^x$, $n=g^y$, $k=g^{xy}$. Messages: $m$; $C_B, S_B(m,n), n$; $C_A, S_A(n,m)$. Diagram labels as on slide 33.
36 STS family. $m=g^x$, $n=g^y$, $k=g^{xy}$. Messages: $m$; $n, H_{mn}$; $m, n, H_{mn}, C_A, S_A(m,n)$; $C_B, S_B(n,m)$. Diagram labels as on slide 33.
37 STS family. $m=g^x$, $n=g^y$, $k=g^{xy}$. Messages: $m$; $n, C_B, H_{mn}$; $m, n, H_{mn}, C_A, S_A(m,n)$; $S_B(n,m)$. Diagram labels as on slide 33.
38 STS family. $m=g^x$, $n=g^y$, $k=g^{xy}$. Messages: $m$; $n, C_B, E_k(S_B(n,m))$; $C_A, E_k(S_A(m,n))$. Diagram labels as on slide 33.
39 STS family. $m=g^x$, $n=g^y$, $k=g^{xy}$. Messages: $m$; $n, H_{mn}$; $m, n, H_{mn}, C_A, E_k(S_A(m,n))$; $C_B, E_k(S_B(n,m))$. Diagram labels as on slide 33.
40 STS family. $m=g^x$, $n=g^y$, $k=g^{xy}$. Messages: $m$; $n, C_B, H_{mn}$; $m, n, H_{mn}, C_A, E_k(S_A(m,n,C_B))$; $E_k(S_B(n,m))$. Diagram labels as on slide 33.
41 STS family. $m=g^x$, $n=g^y$, $k=g^{xy}$. Messages: $m$; $n, E_k(C_B, S_B(n,m))$; $E_k(C_A, S_A(m,n))$. Diagram labels as on slide 33.
42 STS family. $m=g^x$, $n=g^y$, $k=g^{xy}$. Messages: $m$; $n, H_{mn}$; $m, n, H_{mn}, E_k(C_A, S_A(m,n))$; $E_k(C_B, S_B(n,m))$. Diagram labels as on slide 33.
43 STS family. $m=g^x$, $n=g^y$, $k=g^{xy}$. Messages: $m$; $n, C_B, H_{mn}$; $m, n, H_{mn}, E_k(C_A, S_A(m,n,C_B))$; $E_k(S_B(n,m))$. Diagram labels as on slide 33.
44 STS family. $m=g^x$, $n=g^y$, $k=g^{xy}$. Messages: $m$; $n, H_{mn}$; $m, n, H_{mn}, E_k(C_A, S_A(m,n)), \#(I)$; $E_k(C_B, S_B(n,m)), \#(R)$. Diagram labels as on slide 33.
45 MQV family. Diagram nodes: MTI/A, MQV, KA, MTI/B, DH, MTI/C, UM.
46 MQV family. Messages: $m_A$; $m_B$. Diagram nodes: KA, DH, MTI/B, MTI/C, MTI/A, UM, MQV.
47 MQV family. Messages: $g^x$; $g^y$. $k=g^{xy}$. Diagram nodes: KA, DH, MTI/B, MTI/C, MTI/A, UM, MQV.
48 MQV family. Messages: $(g^b)^x$; $(g^a)^y$. $k=(g^{ay})^{1/a}\,g^x=(g^{bx})^{1/b}\,g^y$. Diagram nodes: KA, DH, MTI/B, MTI/C, MTI/A, UM, MQV.
49 MQV family. Messages: $(g^b)^x$; $(g^a)^y$. $k=(g^{ay})^{x/a}=(g^{bx})^{y/b}$. Diagram nodes: KA, DH, MTI/B, MTI/C, MTI/A, UM, MQV.
50 MQV family. Messages: $g^x, G_A$; $g^y, G_B$. $k=\{(g^y)^a\,(g^b)^x\}=\{(g^x)^b\,(g^a)^y\}$, with $G_A=\{A,g^a\}_{TA}$ and $G_B=\{B,g^b\}_{TA}$. Diagram nodes: KA, DH, MTI/B, MTI/C, MTI/A, UM, MQV.
51 MQV family. Messages: $g^x, G_A$; $g^y, G_B$. $k=\{(g^y)^a \,\|\, (g^b)^x\}=\{(g^x)^b \,\|\, (g^a)^y\}$ or $k=\{(g^y)^x \,\|\, (g^b)^a\}=\{(g^x)^y \,\|\, (g^a)^b\}$, with $G_A=\{A,g^a\}_{TA}$ and $G_B=\{B,g^b\}_{TA}$. Diagram nodes: KA, DH, MTI/B, MTI/C, MTI/A, UM, MQV.
52 MQV family. Messages: $g^x, G_A$; $g^y, G_B$. $k=g^{f(a,x)\,f(b,y)}$ where $f(a,x)=a\,g^x+x$, with $G_A=\{A,g^a\}_{TA}$ and $G_B=\{B,g^b\}_{TA}$. Diagram nodes: KA, DH, MTI/B, MTI/C, MTI/A, UM, MQV.
53 MQV family. Messages: $g^x, G_A$; $g^y, G_B$. $k=g^{f(a,x)\,f(b,y)}$ where $f(a,x)=a\,g^x+x$, with $G_A=\{A,g^a\}_{TA}$ and $G_B=\{B,g^b\}_{TA}$. $g^{f(a,x)}=F(g^a,g^x)$ is 1-way in $g^x$. E.g., given a one-way function $H(n)$ such that $H(g^x)=g^{h(x)}$, take $F(m,n)=m\,H(n)$ and $f(a,x)=a+h(x)$. Diagram nodes: DH, MTI/C, UM, KA, MTI/B, MTI/A, MQV.
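The key computations on slides 47 and 52, as an added example that is not from the original deck: each party derives k = g^{f(a,x) f(b,y)} with f(a,x) = a·g^x + x from its own secrets and the peer's public values only. The toy group (p = 2039, q = 1019, g = 4), the function names, the subgroup check and the sample secrets are assumptions made for illustration.

```python
# Added illustration; toy parameters constructed for this example (not secure sizes).
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def pub(secret):
    """Public value g^secret mod p (g^a, g^b, g^x, g^y on the slides)."""
    return pow(G, secret, P)

def dh_key(own_eph, peer_eph_pub):
    """Slide 47: k = g^{xy}, computed as (g^y)^x."""
    return pow(peer_eph_pub, own_eph, P)

def f(long_term, eph):
    """Slide 52: f(a, x) = a*g^x + x, an exponent, so reduced mod q."""
    return (long_term * pub(eph) + eph) % Q

def F(long_term_pub, eph_pub):
    """g^{f(b,y)} from public values only: (g^b)^{g^y} * g^y mod p."""
    return pow(long_term_pub, eph_pub, P) * eph_pub % P

def mqv_key(own_long_term, own_eph, peer_long_term_pub, peer_eph_pub):
    """k = F(g^b, g^y)^{f(a,x)} = g^{f(a,x) f(b,y)}."""
    return pow(F(peer_long_term_pub, peer_eph_pub), f(own_long_term, own_eph), P)

def in_subgroup(element):
    """Accept only non-trivial elements of the order-q subgroup."""
    return 1 < element < P and pow(element, Q, P) == 1

def run_exchange(a, x, b, y):
    """A holds (a, x), B holds (b, y); only g^a, g^x, g^b, g^y cross the wire."""
    ga, gx, gb, gy = pub(a), pub(x), pub(b), pub(y)
    assert all(in_subgroup(v) for v in (ga, gx, gb, gy))
    return {
        "dh": (dh_key(x, gy), dh_key(y, gx)),
        "mqv": (mqv_key(a, x, gb, gy), mqv_key(b, y, ga, gx)),
        "mqv_closed_form": pow(G, f(a, x) * f(b, y) % Q, P),
    }

if __name__ == "__main__":
    # Constructed long-term (a, b) and ephemeral (x, y) secrets.
    print(run_exchange(a=123, x=456, b=789, y=1011))
```

Unlike the plain DH key, the second key depends on the long-term secrets a and b as well as the ephemeral x and y, so knowing x or y alone does not yield it.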
54 MQV refinements. $k=g^{f(a,x)\,f(b,y)}$; $m=g^x$, $n=g^y$, $k=g^{xy}$. Diagram labels: add certificates, cookie, open responder, symmetric hash, JFK, STS P, MQV CP, KA, key conf., MQV JFK, authenticate, protect identities, encryption, signature, DH, RFK, symmetric hash, STS a, STS PH, MQV C, MQV CPH, MQV RFK.
55 MQV refinements. $k=g^{f(a,x)\,f(b,y)}$; $m=g^x$, $n=g^y$, $k=g^{xy}$. Messages: $m_A$; $m_B$. Diagram labels: add certificates, cookie, open responder, symmetric hash, key conf., authenticate, protect identities, encryption, signature, KA, STS a, DH, STS P, STS PH, JFK, MQV, RFK, MQV C, MQV CP, MQV CPH, MQV JFK, MQV RFK.
56 MQV refinements. Messages: $m_A$; $m_B, C_B, S_B(n, m_A)$; $C_A, S_A(m_A, m_B)$. Parameters and diagram labels as on slide 55.
57 MQV refinements. Messages: $g^x$; $g^y$. Parameters and diagram labels as on slide 55.
58 MQV refinements. Messages: $g^x$; $g^y, C_B, E_k(S_B(g^y, g^x))$; $C_A, E_k(S_A(g^x, g^y))$. $k=g^{xy}$. Parameters and diagram labels as on slide 55.
59 MQV refinements. Messages: $g^x$; $g^y, E_k(C_B, S_B(g^y, g^x))$; $E_k(C_A, S_A(g^x, g^y))$. $k=g^{xy}$. Parameters and diagram labels as on slide 55.
60 MQV refinements. Messages: $g^x$; $g^y, H$; $g^x, g^y, H, E_k(C_A, S_A(g^x, g^y))$; $E_k(C_B, S_B(g^y, g^x))$. $k=g^{xy}$. Parameters and diagram labels as on slide 55.
61 MQV refinements. Messages: $g^x$; $g^y, C_B, H$; $g^x, g^y, H, E_k(C_A, S_A(g^x, g^y, C_B))$; $E_k(S_B(g^y, g^x))$. $k=g^{xy}$. Parameters and diagram labels as on slide 55.
62 MQV refinements. Messages: $g^x$; $g^y, H$; $g^x, g^y, H, E_k(C_A, S_A(g^x, g^y)), \#(I)$; $E_k(C_B, S_B(g^y, g^x)), \#(R)$. $k=g^{xy}$. Parameters and diagram labels as on slide 55.
63 MQV refinements. Messages: $g^x, G_A$; $g^y, G_B$. $G_A=\{A,g^a\}_{TA}$, $G_B=\{B,g^b\}_{TA}$, $k=g^{f(a,x)\,f(b,y)}$. Parameters and diagram labels as on slide 55.
64 MQV refinements. Messages: $g^x, g^a$; $g^y, G_B, E_k(g^y, g^x)$; $G_A, E_k(g^x, g^y)$. $G_A=\{A,g^a\}_{TA}$, $G_B=\{B,g^b\}_{TA}$, $k=g^{f(a,x)\,f(b,y)}$. Parameters and diagram labels as on slide 55.
65 MQV refinements. Messages: $g^x, g^a$; $g^y, g^b, E_k(G_B, g^y, g^x)$; $E_k(G_A, g^x, g^y)$. $G_A=\{A,g^a\}_{TA}$, $G_B=\{B,g^b\}_{TA}$, $k=g^{f(a,x)\,f(b,y)}$. Parameters and diagram labels as on slide 55.
66 MQV refinements. Messages: $g^x, g^a$; $g^y, g^b, H$; $g^x, g^a, g^y, g^b, H, E_k(G_A, g^x, g^y)$; $E_k(G_B, g^y, g^x)$. $G_A=\{A,g^a\}_{TA}$, $G_B=\{B,g^b\}_{TA}$, $k=g^{f(a,x)\,f(b,y)}$. Parameters and diagram labels as on slide 55.
67 MQV refinements. Messages: $g^x$; $g^y, g^b, H$; $g^x, g^a, g^y, H, E_k(G_A, g^x, g^b, g^y)$; $E_k(G_B, g^y, g^x)$. $G_A=\{A,g^a\}_{TA}$, $G_B=\{B,g^b\}_{TA}$, $k=g^{f(a,x)\,f(b,y)}$. Parameters and diagram labels as on slide 55.
68 MQV refinements. $k=g^{f(a,x)\,f(b,y)}$; $m=g^x$, $n=g^y$, $k=g^{xy}$. Messages: $g^x, g^a$; $g^y, g^b, H$; $g^x, g^a, g^y, g^b, H, E_k(G_A, g^x, g^y), \#(I)$; $E_k(G_B, g^y, g^x), \#(R)$. $G_A=\{A,g^a\}_{TA}$, $G_B=\{B,g^b\}_{TA}$. Diagram labels: add certificates, STS a, STS PH, cookie, open responder, symmetric hash, MQV CPH, MQV C, key conf., MQV RFK, authenticate, protect identities, encryption, signature, STS, KA, DH, STS P, JFK, RFK, MQV CP, MQV JFK.
69 Summary STS CR 1 JFK 2 DH MQV KA 3 MQV + 4
70 Summary mAmA mBmB gxgx g y, C B, H mn g x, g y, H mn,E k EkEk c r gxgx gygy g x, G A g y, G B gxgx g y, C B, E K C A, E K gxgx g y, g b, H n g x, g a,… H, E k EkEk
71 Future work
- Populate taxonomy
- Interface crypto
- complexity algebra
- Quantify utility
- evolutionary equilibria
- distributed fixpoint programming