The Wolf Within

1
The Wolf Within

• Iliano Cervesato iliano_at_itd.nrl.navy.mil
• ITT Industries, Inc _at_ NRL Washington DC
• http//www.cs.stanford.edu/iliano/

2
Outline
Work in progress

• MSR in brief
• Data Access Specification
• Dolev-Yao intruder
• DAS ? DY Intruder
• Protocol Spec. ? DAS

3

• Part I
• MSR

4
MSR

• Follows the Dolev-Yao abstraction
• Based on
• Multiset rewriting, linear logic
• Type theory
• Used to prove
• Undecidability of protocol verification
• Completeness of Dolev-Yao intruder
• Specifications
• So many protocols so little time
• Related to CIL, strands, spi-calculus

5
Whats in MSR 2.0 ?

• Multiset rewriting with existentials
• Dependent types w/ subsorting
• Memory predicates
• Constraints

New
New
New
6
Roles

• Genericroles
• Anchoredroles

7
Rules

• N(t) Network
• L(t, , t) Local state
• MA(t, , t) Memory
• c Constraints

• N(t) Network
• L(t, , t) Local state
• MA(t, , t) Memory

8
NS Initiator
A ? B nA, AkB B ? A nA, nBkA A ? B nBkB
9
NS Responder
A ? B nA, AkB B ? A nA, nBkA A ? B nBkB
?B
?L princ(B) x pubK B(kB) x privK kB x nonce.
10
Type Checking
New
? P
G t t
t has type t in G
P is well-typed in S

• Catches
• Encryption with a nonce

• Transmission of a long term key

• Circular key hierarchies,

11
Data Access Specification
New
? ? P
r is DAS-valid for A in G
G ?A r
P is DAS-valid in S

• Catches
• A signing/encrypting with Bs key

• A accessing Bs private data,

• Static

• Decidable

• Gives meaning to Dolev-Yao intruder

12
pictorially
s
a
ka
kb
13
An Overview of DAS

• Interpret incoming information
• Collect received data
• Access unknown data
• Construct outgoing information
• Generate data
• Use known data
• Access new data
• all along, verify access to data

14
Verifying a Rule
Context
G ?A lhs D G D ?A rhs G ?A lhs ? rhs
Role owner
15
Processing Predicates on the LHS
G D ?A t D G D ?A N(t) D

• Network messages

G D ?A t1,,tn D G D ?A MA(t1,,tn) D

• Memory predicates

16
Interpreting Data on the LHS
G D ?A t1, t2 D G D ?A (t1, t2) D

• Pairs

G D ?A k D G D ?A t D G D ?A tk
D

• Encryptedterms

G (D,x) ?A x (D,x)

• Elementary terms

(G,x?) D ?A x (D,x)
17
Accessing Data on the LHS
G (D,k) ?A k (D,k)

• Shared keys

(G,xshK A B) D ?A x (D,x)
(G,kpubK A,kprivK k) (D,k) ?A k (D,k)

• Publickeys

(G,kpubK A,kprivK k) D ?A k (D,k)
18
Generating Data on the RHS
(G, xnonce) (D, x) ?A rhs G D ?A ?xnonce.
rhs

• Nonces

19
Constructing Terms on the RHS
G D ?A t1 G D ?A t2 G D ?A (t1, t2)

• Pairs

G D ?A t G D ?A k G D ?A tk

• Shared-key encryptions

20
Accessing Data on the RHS
G, Bprinc ?A B

• Principal

G, Bprinc, kshK A B ?A k

• Shared key

G, Bprinc, kpubK B ?A k

• Public key

G, kpubK A, kprivK k ?A k

• Private key

21

• Part II
• Data Access Specification
• ?Dolev-Yao Intruder

22
The Dolev-Yao Intruder Model

• Interpret incoming information
• Collect received data
• Access unknown data
• Construct outgoing information
• Generate data
• Use known data
• Access new data

• Same operations as DAS!

23
DAS ? DY

• Interpret messages on LHS
• Access data (keys) on LHS
• Generate data on RHS
• Construct messages on RHS
• Access data on RHS

24
Accessing Principal Names
25
What did we do?

• RHS data access
• Instantiate acting principal to I
• Accessed data ? Intruder knowledge
• Meta-variables ? Rule variables
• Context provides types

26
Checking it out Shared Keys
G, Aprinc, Bprinc, kshK A B ?A k
dual
27
Getting Confident Pub./Priv. Keys
28
DAS ? DY

• Interpret messages on LHS
• Access data (keys) on LHS
• Generate data on RHS
• Construct messages on RHS
• Access data on RHS

29
Constructing Messages Pairs
G D ?A t1 G D ?A t2 G D ?A (t1, t2)
30
Now, what did we do?

• RHS message construction
• Instantiate acting principal to I
• Meta-variables ? Rule variables
• Premises ? antecedent
• Conclusion ? consequent
• Types from auxiliary typing derivation

31
Carrying on Shared-Key Encrypt.
G D ?A t G D ?A k G D ?A tk
Similar for public-key encryption
32
DAS ? DY

• Interpret messages on LHS
• Access data (keys) on LHS
• Generate data on RHS
• Construct messages on RHS
• Access data on RHS

33
Generating Nonces
(G, xnonce) (D, x) ?A rhs G D ?A ?xnonce.
rhs
I
? ? ?xnonce. MI(x)
Similarly for other generated data
34
Now, what did we do?

• Data generation on the RHS
• Instantiate acting principal to I
• Auxiliary typing derivation gives types
• Remember generated object
• Follow knowledge acquisition flow

35
DAS ? DY

• Interpret messages on LHS
• Access data (keys) on LHS
• Generate data on RHS
• Construct messages on RHS
• Access data on RHS

36
Accessing Shared Keys on the LHS
(G, kshK A B) D ?A k (D,k)
Similarly for other keys
37
Now, what did we do?

• LHS data access
• Instantiate acting principal to I
• Meta-variables ? Rule variables
• Types from auxiliary typing derivation
• Follow knowledge acquisition flow
• Remember generated object

Same target rules as for RHS data access
38
DAS ? DY

• Interpret messages on LHS
• Access data (keys) on LHS
• Generate data on RHS
• Construct messages on RHS
• Access data on RHS

39
Interpreting Shared-Key Encrypt.
G D ?A k D G D ?A t D G D ?A
tk D
Similar for public-key encryption and pairing
40
Now, what did we do?

• LHS message interpretation
• Instantiate acting principal to I
• Meta-variables ? Rule variables
• Types from auxiliary typing derivation
• Follow knowledge acquisition flow
• Conclusion ? antecedant
• Last premises ? consequent

41
Network Rules
LHS
G D ?A t D G D ?A N(t) D
RHS
G D ?A t G D ?A N(t)
42
Other Rules?

• Either
• redundant, or
• or, innocuous (but sensible)

43

• Part III
• Protocol Spec.
• ?Data Access Spec. Rules

44
Automating DAS Rule Design?

• One size does not fit all
• Look at protocol
• Typed MSR spec.
• Usage of constructs
• Involve construct declarations
• Not sufficient
• Use annotations

45
Generating DAS rules from use
Constructors atoms ? ? ? ? ? ? ?

• Interpret messagecomponents on LHS
• Access data (keys) on LHS
• Generate data on RHS
• Construct messages on RHS
• Access data on RHS

46
Accessing data
47
Generating data

• Again, annotate types

nonce type
shK princ - princ - type
48
Pattern-matching constructors

• Mark arguments as input or output

49
Annotating Declarations

• Integrates semantics of types and constructors
• Trimmed down version of DAS
• Allows constructing DAS rules
• and Dolev-Yao intruder

50
alternatively

• Compute DAS rules from protocol
• There are finitely many annotations
• Check protocol against each of them
• Keep the most restrictive ones that validate the
  protocol
• Exponential!
• More efficient algorithms?

51
Further Questions

• Relationship to intruder-less languages
• E.g. Spi-calculus