4' MSR 2'0

1
4. MSR 2.0

• Iliano Cervesato iliano_at_itd.nrl.navy.mil
• ITT Industries, inc _at_ NRL Washington, DC
• http//theory.stanford.edu/iliano

2
Last Lecture

• How does MSR compare ?
• Strand spaces
• Dynamic strands
• Canonical MSR to Strands
• Decorated strands to MSR
• Linear logic interpretation
• MSR in LL / Strands in LL
• Analysis within LL
• More comparisons later

Preservesreachability
Sound butonly partiallycomplete
3
Lecture Outline

• Is MSR any good in practice ?
• well
• Extension and rationalization
• MSR 2.0
• Typing infrastructure
• Execution model
• more to come

4
An Evaluation of MSR 1.0

• Theorists point of view
• Very simple
• Powerful meta-theoretic language
• Decidability and complexity results
• Comparison with other formalisms
• BUT
• Subtle reasoning
• Easy to make mistakes
• Holes in logical foundations
• Practitioners point of view
• Ugh!! Only NSPK ever specified
• Inflexible
• Very easy to make mistakes
• Akin to an assembly language

• Syntax is frozen
• Fixed constructors
• Fixed format of rules
• Non-modular
• Subprotocols
• Subsystems
• Separate intruder

• persistent predicates
• Meaning of terms
• Not bound to terms
• External
• Easy to forget
• Easy to misplace
• No automated help
• Easy to mis-specify

5
MSR 2.0

• Multiset rewriting with existentials
• A bit more existential
• A lot more flexible
• Dependent types w/ subsorting
• Replace memory predicates
• Memory predicates
• Subprotocols, intruder, more
• Constraints
• External modules

New
New
New
6
Neuman-Stubblebine Phase I
A wants to access aservice provided by B
A ? B A, nA B ? S B, A, nA, TBkBS, nB S ?
A B, nA, kAB, TBkAS, A, kAB, TBkBS, nB A ?
B A, kAB, TBkBS, nBkAB
S is the keydistribution center
7
Neuman-Stubblebine Phase II
A ? B nA , A, kAB, TBkBS B ? A nB ,
nAkAB A ? B nBkAB
Ticket
A wants to use the service provided by B again
and again and again
8
NS-I Bs Point of view
A ? B A, nA B ? S B, A, nA, TBkBS, nB S ?
A B, nA, kAB, TBkAS, A, kAB, TBkBS, nB A ?
B A, kAB, TBkBS, nBkAB
9
NS-I Ss Point of View
A ? B A, nA B ? S B, A, nA, TBkBS, nB S ?
A B, nA, kAB, TBkAS, A, kAB, TBkBS, nB A ?
B A, kAB, TBkBS, nBkAB
10
NS-I As Point of View
A ? B A, nA B ? S B, A, nA, TBkBS, nB S ?
A B, nA, kAB, TBkAS, A, kAB, TBkBS, nB A ?
B A, kAB, TBkBS, nBkAB
X
X
Ticket
Ticket
11
Sending / Receiving Messages
N(A, nA)
?
?
Network predicate N(t) t is a message in transit
Network predicate N(t) t is a message in transit
Network predicate N(t) t is a message in transit
N(B,nA,kAB,TBkAS,X,nB)
N(X,nBkAB)
?
New
12
Terms

• Atomic terms
• Principal names A
• Keys k
• Nonces n
• Term constructors
• (_ _)
• _

13
Nonces
?
?
N(A, nA)
N(B,nA,kAB,TBkAS, X, nB)
N(X, nBkAB)
?
14
Rewriting with Existentials (reminder)

• Multisets of 1st-order atomic formulas
• Rules
• r F(x) ? ?n. G(x,n)
• Application

r
s1 ? s2
c not in s1
s, F(t)
s, G(t,c)
15
Sequencing Actions
N(A, nA)
?
?
?nA.
?
N(X, nBkAB)
N(B,nA,kAB,TBkAS, X, nB)
16
Role State Predicates
Ll(A,t, , t)

• Hold data local to a role instance
• Lifespan role
• Invoke next rule
• Ll control
• (A,t, , t) data
• No restrictions
• Can be omitted
• Call graph can be arbitrary

New
17
Remembering Things
?L.
L(A,nA) N(A, nA)
?
?
?nA.
L(A,nA)N(B,nA,kAB,TBkAS, X, nB)
N(X, nBkAB)
?
18
Memory Predicates
New
MA(t, , t)

• Hold private info. across role exec.
• Support for subprotocols
• Communicate data
• Pass control
• Interface to outside system
• Implements intruder

19
Role Owner
New
?L.
L(A,nA) N(A, nA)
?
?
?nA.
L(A,nA)N(B,nA,kAB,TBkAS, X, nB)
N(X, nBkAB)TktA(B,kAB,X)
?
20
What is What?
?A
?L princ x nonce.
L(A,nA) N(A, nA)
?
?
?nAnonce.
L(A,nA)N(B,nA,kAB,TBkAS, X, nB)
N(X, nBkAB)TktA(B,kAB,X)
?
21
Types of Terms
New

• A princ
• n nonce
• k shK A B
• k pubK A
• k privK k
• (definable)

• A princ
• n nonce

22
Typing Terms
t x c t t tk tk
G, x t, G x t
S, c t, G c t
G t1 msg G t2 msg G t1 t2 msg
G t msg G k shK A B G tk msg
G t msg G k pub A G tk msg

S ? S, ct S, M_t G S
G, xt G, Lt
23
Typing Types
t msg princ nonce time shK
t t pubK t privK t
G msg
G nonce
G time
G princ
G A princ G B princ G shK A B
G A princ G pubK A
G k pubK A G privK k

24
Subsorting
New
t lt msg

• Allows atomic terms in messages
• Definable
• Non-transmittable terms
• Sub-hierarchies
• Discriminant for type-flaw attacks

25
Some Subsorting Rules

• t t t lt t
• G t t

princ lt msg
nonce lt msg
time lt msg
shK A B lt msg
pubK A B lt msg

• No rule for public keys
• Prevent transmission

26
Type of Predicates
Sx t. t

• Dependent sums
• t(x) x t
• Forces associations among arguments
• E.g. princ(A) x pubK A(kA) x privK kA

x
27
Typing Tuples and Tuple Types
t ? (t, t)
G ? ?
G x t G t t/xt G (x,t) t(x) ? t
t ? t(x) ? t
G ?
G x t G, xt t G t(x) ? t
28
Typing Predicates and Rules
Q N(t) MA(t) L(t)
G t msg G N(t)
G, Lt, G t t G, Lt, G L(t)
G, M_t, G (A,t ) t G, M_t, G MA(t)
lhs x Q, lhs rhs lhs
?nt. rhs r lhs ? rhs ? xt. r
G lhs G rhs G lhs ? rhs
G t G, xt r G ? xt. r
29
Typing Roles and Theories
r ? r, r Lt. r
G ?
G r G r G r, r
G t G, Lt r G Lt. r
P ? P, r?A P, rA
G ?
S P S, Aprinc r S P, r?A
S , Aprinc P S, Aprinc r S , Aprinc
P, rA
30
Type Checking
New
? P
G t t
t has type t in G
P is well-typed in S

• Catches
• Encryption with a nonce
• Transmission of long-term keys
• Can be automated
• Sanity check

31
NS-I Bs point of view
A ? B A, nA B ? S B, A, nA, TBkBS, nB S ?
A B, nA, kAB, TBkAS, A, kAB, TBkBS, nB A ?
B A, kAB, TBkBS, nBkAB
32
NS-I Bs role
?B
?nBnonce.
33
Constraints
New
c

• Guards over interpreted domain
• Abstract
• Modular
• Guards over uninterpreted domains
• Lookup-only predicates
• Invoke constraint handler
• E.g. timestamps
• (TE TN Td)
• (TN lt TE)

34
NS-I Ss point of view
A ? B A, nA B ? S B, A, nA, TBkBS, nB S ?
A B, nA, kAB, TBkAS, A, kAB, TBkBS, nB A ?
B A, kAB, TBkBS, nBkAB
35
NS-I Ss role
?kAB shK A B.
36
Neuman-Stubblebine Phase II
A ? B nA , A, kAB, TBkBS B ? A nB ,
nAkAB A ? B nBkAB
37
NS-II As role
?A
?L princ(A) x princ(B) x shK A B x nonce.
?nAnonce.
? Bprinc.? kAB shK A B? X msg
N(nA, X)
?
TktA(B,kAB,X)
TktA(B,kAB,X)
L(A, B ,kAB,nA)
? .? nA,nB nonce
L(A, B ,kAB,nA) N(nB, nAkAB)
N(nBkAB)
?
38
NS-II Bs role
?B
?L princ(B) x princ(A) x shK A B x nonce.
?L princ(B) x princ(A) x shK A B x nonce.
?nBnonce.
? nA nonce? kBS shK B S? Aprinc.? kAB shK
A B ? TB,Te time? Tnow time
N(nA, A,kAB,TBkBS)
N(nB, nAkAB)
?
AuthB(A, kAB,TB,Te)
AuthB(A, kAB,TB,Te)
ClkB(Tnow)
ClkB(Tnow)
(Tnow lt Te)
L(B,A,kAB ,nB)
L(B,A,kAB ,nB)
? . ? nB nonce
?
N(nBkAB)
39
Summary Rules

• N(t) Network
• L(t, , t) Local state
• MA(t, , t) Memory
• c Constraints

• N(t) Network
• L(t, , t) Local state
• MA(t, , t) Memory

40
Summary Roles

• Genericroles
• Anchoredroles

41
Configurations

• Active role set
• (r, , r)A
• Closed subrole

New
C SRS

• State
• N(t)
• Ll(t, , t)
• MA(t, , t)

• Signature
• a t
• Ll t
• M_ t

Ground
42
Execution Model
1-step firing
P C ? C

• Activate roles
• Generates role state predicate names
• Instantiate variables
• Apply rules
• Skips rules

New
New
New
New
43
Role Activation and ? Instantiation
(P,rA) SRS ? SRrAS
S A princ t (P,r?a) SRS ?
SR(A/ar)AS
S A princ P SR(?Lt.r)AS ?
SR(B/Lr)A(S, Bt)
44
? Instantiation and Skip
S t t P SR((?xt.r),r)AS ?
SR((t/xr),r)AS
P SR(r,r)AS ? SR(r)AS
P SR(r)AS ? SRS
45
Rule Application
r c F ? ?nt. G(n)

• Constraint check
• ? c (constraint handler)

46
Properties

• Decidability of type checking
• Type preservation

S - P is decidable
If - C, S - P and P C ? C,then - C
47
References

• ic, Typed MSR Syntax and Examples, Springer
  LNCS 2052, 2001 www
• ic, A Specification Language for
  Crypto-Protocols based on Multiset Rewriting,
  Dependent Types and Subsorting, 2001 www

48
Next Lecture

• Meta-reasoning in MSR 2.0
• Data Access Specification
• Intruders
• Most powerful attacker
• Equivalence of DAS and Dolev-Yao intruder