Toward Logical Foundations for Security Protocol Analysis - PowerPoint PPT Presentation

Title: Toward Logical Foundations for Security Protocol Analysis


1
Toward Logical Foundations for Security
Protocol Analysis
  • Nancy Durgin, Patrick Lincoln, John
    Mitchell, Andre Scedrov
  • Iliano Cervesato, Max Kanovich
  • Supported by ONR MURI

2
Common Intruder Model
  • Derived from positions taken in Needham-Schroeder
    1978 and Dolev-Yao 1983
  • Idealization that makes protocol analysis
    palatable
  • Adversary is nondeterministic process
  • Adversary can
      • Block network traffic
      • Read any message, decompose into parts
      • Decrypt if key is known to adversary
      • Insert new message from data it has observed
  • Adversary cannot
      • Gain partial knowledge
      • Guess part of a key
      • Perform statistical tests
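
The adversary's abilities listed above, written as a derivability check. This is an added example, not code from the presentation; the term encoding (`pair`, `enc` with symmetric keys) and the sample traffic are assumptions made for illustration, and blocking traffic is not modelled.

```python
# Terms: atoms are strings; ("pair", a, b) is concatenation and
# ("enc", k, m) is m encrypted under symmetric key k (assumed encoding).

def synth(term, known):
    """Can `term` be built from `known` by pairing and encrypting?"""
    if term in known:
        return True
    if isinstance(term, tuple) and term[0] in ("pair", "enc"):
        return all(synth(part, known) for part in term[1:])
    return False  # an unseen atom cannot be guessed


def analyze(observed):
    """Close observed traffic under projection and decryption."""
    known = set(observed)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            if not isinstance(term, tuple):
                continue
            if term[0] == "pair":
                parts = term[1:]      # decompose into parts
            elif term[0] == "enc" and synth(term[1], known):
                parts = term[2:]      # decrypt: the key is known
            else:
                parts = ()            # ciphertext stays opaque
            new = set(parts) - known
            if new:
                known |= new
                changed = True
    return known


def derivable(target, observed):
    """True if the adversary can produce `target` from `observed`."""
    return synth(target, analyze(observed))


# Constructed sample traffic, not taken from the slides.
OBSERVED = {
    ("enc", "k_ab", ("pair", "na", "secret")),
    ("enc", "k_i", "k_ab"),
    "k_i",
}

if __name__ == "__main__":
    print(derivable("secret", OBSERVED))
    print(derivable("secret", OBSERVED - {"k_i"}))
```

Secrecy of a term in this model is exactly the case where `derivable` returns False: there is no partial knowledge and no probability, only terms the adversary can or cannot construct.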

3
Formalizing the Dolev-Yao Model
  • Accomplishments
      • Developed an extension of multiset rewriting with
        existential quantification (MSR)
        [Cervesato, Durgin, Lincoln, Mitchell, Scedrov, CSFW'99]
      • Relationship to strand spaces [Guttman et al.]
        [Cervesato, Durgin, Lincoln, Mitchell, Scedrov, CSFW'00]
      • Representations of MSR and strands in linear
        logic [Cervesato, Durgin, Kanovich, Scedrov]
      • Basic secrecy property (unreachability)

4
Formalizing the Dolev-Yao Model
  • Directions
      • Compositional specification methods
      • Interfaces among tools
          • CAPSL [Millen, Denker], Athena [Song], ...
          • Maude [Meseguer, Lincoln]
      • Agreement [Lowe], precedence [Schneider], ...

5
Related work
  • Specifications of distributed systems
    [Kanovich, Okada, Scedrov]
  • Changeable real-time constraints
  • Potentially unbounded number of agents
  • Dynamically configurable communication
    topology among agents

6
Technical Challenges
  • Dynamic evolution of parametric strands
  • Precise formalization of parametric strands
  • Describe a way of incrementally growing bundles
  • MSR initialization has no counterpart in strands
  • Assume initialization has been carried out
  • Extend strands model?
  • When are fresh values chosen?
  • In strands only at the beginning, in MSR at any
    point
  • Two different interpretations in linear logic

7
Roadmap
  • Overview of
      • MSR
      • Strands and Bundles
      • Decorated Strands and Fringes
      • Execution Model for Strands (Growing Bundles)
  • Relationships
      • MSR, Strands, Linear Logic

8
MSR Protocol Notation
  • Non-deterministic infinite-state systems
  • Facts (multi-sorted first-order atomic formulas)
      • $F ::= P(t_1, \ldots, t_n)$
      • $t ::= x \mid c \mid f(t_1, \ldots, t_n)$
  • States: $F_1, \ldots, F_n$
      • Multiset of facts
          • Includes network messages, private state
          • Intruder will see messages, not private state
      • Multiset allows duplicated messages, states

9
State Transitions in MSR
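  • Transition rule
      • $F_1, \ldots, F_k \longrightarrow \exists x_1 \ldots \exists x_m.\ G_1, \ldots, G_n$
  • What this means
      • If $F_1, \ldots, F_k$ in state $\sigma$, then a next state $\sigma'$ has
          • Facts $F_1, \ldots, F_k$ removed
          • $G_1, \ldots, G_n$ added, with $x_1 \ldots x_m$ replaced by new
            symbols
          • Other facts in state $\sigma$ carry over to $\sigma'$
      • Free variables in rule universally quantified
  • Pattern matching in $F_1, \ldots, F_k$ can invert
    functions
  • Linear Logic: $F_1 \otimes \cdots \otimes F_k \multimap \exists x_1 \ldots \exists x_m (G_1 \otimes \cdots \otimes G_n)$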
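
The transition semantics above as a small interpreter: one copy of each matched fact is removed, existential variables get new symbols, and everything else carries over. This is an added example, not code from the presentation; the `?x` variable convention, the `n1, n2, ...` fresh-symbol naming and the sample rule (loosely shaped like a first protocol message) are assumptions.

```python
from collections import Counter
from itertools import count

_fresh = count(1)  # supplies new symbols for existential variables


def match(pat, term, env):
    """Match `pat` against a ground term; return extended env or None."""
    if isinstance(pat, str) and pat.startswith("?"):    # variable
        if pat in env:
            return env if env[pat] == term else None
        return {**env, pat: term}
    if isinstance(pat, tuple):                          # P(...) or f(...)
        if not isinstance(term, tuple) or len(pat) != len(term):
            return None
        for p, t in zip(pat, term):
            env = match(p, t, env)
            if env is None:
                return None
        return env
    return env if pat == term else None                 # constant


def subst(t, env):
    """Replace bound variables in `t`; constants are returned unchanged."""
    if isinstance(t, tuple):
        return tuple(subst(x, env) for x in t)
    return env.get(t, t)


def successors(state, rule, env=None):
    """All next states of multiset `state` under rule (lhs, exists, rhs)."""
    lhs, exists, rhs = rule
    env = env or {}
    if not lhs:  # every F_i matched and removed: now add the G_j
        env = {**env, **{x: f"n{next(_fresh)}" for x in exists}}
        return [state + Counter(subst(g, env) for g in rhs)]
    result = []
    for fact in list(state):
        bound = match(lhs[0], fact, env)
        if bound is not None:
            rest = state - Counter([fact])    # remove one copy only
            result += successors(rest, (lhs[1:], exists, rhs), bound)
    return result


# Constructed rule: init(A,B) -> exists Na. a1(A,B,Na), net(enc(pk(B),(Na,A)))
RULE = ([("init", "?A", "?B")], ["?Na"],
        [("a1", "?A", "?B", "?Na"),
         ("net", ("enc", ("pk", "?B"), ("pair", "?Na", "?A")))])
STATE = Counter({("init", "a", "b"): 2})   # duplicated fact in the multiset
```

Because `match` destructures nested terms, a left-hand side such as `net(enc(?k, ?m))` binds `?m` directly, which is the sense in which pattern matching can invert functions.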

10
Protocol theory
  • Initialization theory
      • Describes initial conditions such as key
        generation or other shared information
  • Role generation theory
      • Designates possibly multiple roles that each
        participant may play (such as initiator,
        responder, client, or server)
  • Agent theory
      • Disjoint union of bounded subtheories that each
        characterize a possible role

11
Strands [Guttman et al.]
  • Present information about causal interactions
    among protocol participants
  • Events
      • message sent, message received
  • Strands
      • finite sequences of events
      • $s_1 \Rightarrow s_2 \Rightarrow \cdots \Rightarrow s_k$, each $s_j$ an event
  • Parametric strands
      • messages may contain variables
        (some marked fresh)

12
Parametric Strands for NS
  • Strand space
      • a set of strands with an additional relation $\rightarrow$
      • transmission of message from sender to receiver

13
Decorated Strands for NS
14
Bundle and Fringe
  • Bundle [Guttman et al.]
      • a snapshot of an execution of a protocol
      • each send node has at most one outgoing $\rightarrow$,
      • each receive node has exactly one incoming $\rightarrow$,
      • no cycles through $\rightarrow$, $\Rightarrow$
  • Fringe of a bundle
      • dangling send events
      • messages sent but not yet received
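
The three bundle conditions and the fringe, checked over an explicit graph. This is an added example, not code from the presentation; the representation (strand prefixes as lists of signed events, nodes as `(strand, index)` pairs) and the sample messages `m1`, `m2` are assumptions.

```python
from collections import deque


def check_bundle(strands, arrows):
    """strands: name -> [(sign, msg), ...] with sign "+" (send) or "-" (receive).
    arrows: [(send_node, recv_node), ...], a node being (name, index).
    Returns (is_bundle, fringe)."""
    nodes = {(s, i): ev for s, evs in strands.items() for i, ev in enumerate(evs)}
    succ = {n: [] for n in nodes}
    indeg = {n: 0 for n in nodes}
    sent = {n: 0 for n in nodes}
    received = {n: 0 for n in nodes}
    for (s, i) in nodes:                      # strand order (=>)
        if (s, i + 1) in nodes:
            succ[(s, i)].append((s, i + 1))
            indeg[(s, i + 1)] += 1
    for src, dst in arrows:                   # message transmission (->)
        if src not in nodes or dst not in nodes:
            return False, []
        (s_sign, s_msg), (d_sign, d_msg) = nodes[src], nodes[dst]
        if s_sign != "+" or d_sign != "-" or s_msg != d_msg:
            return False, []
        succ[src].append(dst)
        indeg[dst] += 1
        sent[src] += 1
        received[dst] += 1
    for n, (sign, _) in nodes.items():
        if sign == "+" and sent[n] > 1:       # at most one outgoing ->
            return False, []
        if sign == "-" and received[n] != 1:  # exactly one incoming ->
            return False, []
    queue = deque(n for n in nodes if indeg[n] == 0)
    visited = 0
    while queue:                              # topological sort detects cycles
        n = queue.popleft()
        visited += 1
        for m in succ[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                queue.append(m)
    if visited != len(nodes):
        return False, []
    fringe = sorted(n for n, (sign, _) in nodes.items()
                    if sign == "+" and sent[n] == 0)
    return True, fringe


# Constructed partial run: B has sent m2 but nobody has received it yet.
PARTIAL = {"A": [("+", "m1")], "B": [("-", "m1"), ("+", "m2")]}
PARTIAL_ARROWS = [(("A", 0), ("B", 0))]
```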

15
Lowe Attack on NS - Strands
16
Execution Model for Strands
  • Bundle configuration
      • Bundle S embedded in strand space S
      • S contains enough events to complete S
  • 4 one-step transition rules
      • Instantiation: substitution for fresh variables
      • Activation: substitution for other variables,
        bundle
      • Send a message
      • Receive a message

17
Instantiation of fresh variables
18
Other instantiations: activation
19
Sending a message
20
Receiving a message
21
Correspondence
  • Strands to Multiset Rewriting
      • Decorate strand with initial and terminal nodes,
        states
  • Multiset Rewriting to Strands
      • Assume initialization of MSR, normalize protocol
        theory
          • nonces preemptively chosen in the first rule
          • add extra fields to role state predicates
  • Equivalence
      • One-to-one correspondence between MSR and strand
        transition sequences (bisimulation)
      • Equivalence for basic secrecy

22
MSR and Strands in Linear Logic
  • Two different semantics
  • MSR in linear logic
      • $\forall x_1 \ldots \forall x_m (F_1 \otimes \cdots \otimes F_k \multimap \exists y_1 \ldots \exists y_i (G_1 \otimes \cdots \otimes G_n))$
      • linear logic proof $\Leftrightarrow$ MSR transition sequence
  • Strands in linear logic
      • ?q1 ?qs ?y1 ?yi ?z1 ??zm
      • (N0 ?? N1 ? P(q1) ? ( P(q1) ?? N2 ? P(q2) ? (
        P(q2) ?? )))
      • linear logic proof $\Leftrightarrow$ strand transition
        sequence
  • Not logically equivalent
  • Differences for more refined security properties?

23
MSR and Strands in Linear Logic
[Diagram: MSR and Strands, each with its own interpretation in Linear logic]
24
Conclusions
  • Two formalizations of the Dolev-Yao model
      • Multiset rewriting with existential
        quantification
      • Strand spaces
  • Describe strand bundle transition steps
  • One-to-one correspondence between MSR and
    strand transition sequences (bisimulation)
  • Two formalisms agree on the secrecy property
  • MSR, strands have two different interpretations
    in linear logic
  • Two formalisms may differ on other security
    properties?