Deconstructing Alice & BobDeconstructing Alice & Bob Carlos Caleiro CLC, Dep. Mathematics, IST, TU Lisbon, Portugal Luca Vigano and David Basin` Dep. Computer Science, ETH Zurich,

Deconstructing Alice & Bob

Carlos Caleiro

CLC, Dep. Mathematics, IST, TU Lisbon, Portugal

Luca Vigano and David Basin

Dep. Computer Science, ETH Zurich, Switzerland

ARSPA’05 – Lisbon, Portugal – July 16, 2005

Deconstructing Alice & Bob – p. 1

The context

Formal analysis of security protocols

Strand spaces, multiset rewriting, theorem proving ...

– p. 2

The context

Formal analysis of security protocols

Strand spaces, multiset rewriting, theorem proving ...

Distributed temporal logic

Caleiro, Viganò and Basin. Relating strand spaces and distributed temporal logic forsecurity protocol analysis. Logic Journal of the IGPL, in print.

Caleiro, Viganò and Basin. Metareasoning about security protocols using distributedtemporal logic. ENTCS 125(1):67–89, 2005.

Caleiro, Viganò and Basin. Towards a metalogic for security protocol analysis. InProceedings of the CombLog’04 Workshop, 2004.

– p. 3

The problem

The Needham-Schroeder Public-Key Authentication Protocol

(nspk1) a → b : (n1). {n1; a}Kb

(nspk2) b → a : (n2). {n1; n2}Ka

(nspk3) a → b : {n2}Kb

– p. 4

The problem


(nspk1) a → b : (n1). {n1; a}Kb

(nspk2) b → a : (n2). {n1; n2}Ka


How to formalize a protocol specified in Alice&Bob-notation?

What is the meaning of such protocol descriptions?

How much is made explicit or left implicit?

What is the expressive power of Alice&Bob-style protocolspecifications?

– p. 5

A little philosophy and literary theory

deconstruction

“(noun) a method of critical analysis of language and text whichemphasizes the relational quality of meaning and the assumptions implicitin forms of expression”

taken from the Compact Oxford English Dictionary

– p. 6

The plan

Preliminaries

The standard semantics

Good examples and bad examples

Message forwarding and conditional abortion

Opaque and transparent messages

Incremental symbolic runs

Characterization theorems

Conclusion and further work

– p. 7

Preliminaries

Messages are built from atomic messages (identifiers, numbers, andvariables) by pairing, encryption and hashing

Perfect cryptography

Every message can be used as an encryption key and has aninverse for decryption

Communication is asynchronous and takes place over a hostilenetwork

– p. 8

Preliminaries

Messages are built from atomic messages (identifiers, numbers, andvariables) by pairing, encryption and hashing

Perfect cryptography

Every message can be used as an encryption key and has aninverse for decryption

Communication is asynchronous and takes place over a hostilenetwork

Honest actionss(M, A) — sending the message M to the principal A

r(M) — receiving the message M

f(N) — generating the fresh number N

– p. 9

Preliminaries

In general, a protocol description in Alice&Bob-notation involves acollection of principal variables corresponding to protocol participants (ai)and of number variables (nj), and consists of a sequence 〈step1 . . . stepm〉

of message exchange steps, each of the form

(stepq) as → ar : (nq1, . . . , nqt

). M

These steps are meant to prescribe a sequence of actions to be executedby each of the participants in a run of the protocol. But how?

– p. 10

Preliminaries

In general, a protocol description in Alice&Bob-notation involves acollection of principal variables corresponding to protocol participants (ai)and of number variables (nj), and consists of a sequence 〈step1 . . . stepm〉

of message exchange steps, each of the form


). M

These steps are meant to prescribe a sequence of actions to be executedby each of the participants in a run of the protocol. But how?

– p. 11

The standard semantics


). M

The sequence of actions corresponding to the execution of a’s role in theprotocol is a-run = stepa

1 � · · · � stepam, where stepa

q is defined by

stepaq =

〈f(nq1) . . . f(nqt

) . s(M, ar)〉 if a = as

〈r(M)〉 if a = ar

〈〉 otherwise

– p. 12

A good example


(nspk1) a → b : (n1). {n1; a}Kb

(nspk2) b → a : (n2). {n1; n2}Ka


a-run : 〈f(n1).s({n1; a}Kb, b) . r({n1; n2}Ka

) . s({n2}Kb, b)〉

b-run : 〈r({n1; a}Kb) . f(n2) . s({n1; n2}Ka

, a) . r({n2}Kb)〉

– p. 13

A good example


(nspk1) a → b : (n1). {n1; a}Kb

(nspk2) b → a : (n2). {n1; n2}Ka



) . s({n2}Kb, b)〉

– p. 14

A good example


(nspk1) a → b : (n1). {n1; a}Kb

(nspk2) b → a : (n2). {n1; n2}Ka



) . s({n2}Kb, b)〉

b-run : 〈r({n1; a}Kb) . f(n2) . s({n1; n2}Ka

, a) . r({n2}Kb)〉

– p. 15

Another example

The Otway-Rees Authentication/Key-Exchange Protocol

(or1) a → b : (n1). i; a; b; {n1; i; a; b}Kas

(or2) b → s : (n2). i; a; b; {n1; i; a; b}Kas; {n2; i; a; b}Kbs

(or3) s → b : ( k ). i; {n1; k}Kas; {n2; k}Kbs

(or4) b → a : i; {n1; k}Kas

– p. 16

Another example





(or4) b → a : i; {n1; k}Kas

b-run : b-possrun :

〈r(i; a; b; {n1; i; a; b}Kas) . 〈r(i; a; b; m1) .

f(n2) . f(n2) .

s(i; a; b; {n1; i; a; b}Kas; {n2; i; a; b}Kbs

, s) . s(i; a; b; m1; {n2; i; a; b}Kbs, s) .

r(i; {n1; k}Kas; {n2; k}Kbs

) . r(i; m2; {n2; k}Kbs) .

s(i; {n1; k}Kas, a)〉 s(i; m2, a)〉

– p. 17

A bad example





(or4) b → a : i; {n1; k}Kas

b-run : b-possrun :


f(n2) . f(n2) .


, s) . s(i; a; b; m1; {n2; i; a; b}Kbs, s) .


) . r(i; m2; {n2; k}Kbs) .

s(i; {n1; k}Kas, a)〉 s(i; m2, a)〉

– p. 18

Message variables





(or4) b → a : i; {n1; k}Kas

b-run : symbolic b-possrun :


f(n2) . f(n2) .


, s) . s(i; a; b; m1; {n2; i; a; b}Kbs, s) .


) . r(i; m2; {n2; k}Kbs) .

s(i; {n1; k}Kas, a)〉 s(i; m2, a)〉

– p. 19

Message variables





(or4) b → a : i; {n1; k}Kas

b-run : symbolic b-possrun :


f(n2) . f(n2) .


, s) . s(i; a; b; m1; {n2; i; a; b}Kbs, s) .


) . r(i; m2; {n2; k}Kbs) .

s(i; {n1; k}Kas, a)〉 s(i; m2, a)〉

MessageForwarding

– p. 20

Another bad example

The Asokan-Shoup-Waidner Optimistic Fair-Exchange Subprotocol

(asw1) a → b : (n1). {Ka; Kb; t; H(n1)}K−1

a

(asw2) b → a : (n2). {{Ka; Kb; t; H(n1)}K−1

a; H(n2)}K

−1

b

(asw3) a → b : n1

(asw4) b → a : n2

– p. 21

Another bad example


(asw1) a → b : (n1). {Ka; Kb; t; H(n1)}K−1

a

(asw2) b → a : (n2). {{Ka; Kb; t; H(n1)}K−1

a; H(n2)}K

−1

b

(asw3) a → b : n1

(asw4) b → a : n2

b-run :

〈r({Ka; Kb; t; H(n1)}K−1

a) . f(n2) .s({{Ka; Kb; t; H(n1)}K

−1

a; H(n2)}K

−1

b

, a) .r(n1) . s(n2, a)〉

– p. 22

Another bad example


(asw1) a → b : (n1). {Ka; Kb; t; H(n1)}K−1

a

(asw2) b → a : (n2). {{Ka; Kb; t; H(n1)}K−1

a; H(n2)}K

−1

b

(asw3) a → b : n1

(asw4) b → a : n2

b-run :

〈r({Ka; Kb; t; H(n1)}K−1

a) . f(n2) .s({{Ka; Kb; t; H(n1)}K

−1

a; H(n2)}K

−1

b

, a) .r(n1) . s(n2, a)〉

Message VariablesNeeded

– p. 23

Even so ...


(asw1) a → b : (n1). {Ka; Kb; t; H(n1)}K−1

a

(asw2) b → a : (n2). {{Ka; Kb; t; H(n1)}K−1

a; H(n2)}K

−1

b

(asw3) a → b : n1

(asw4) b → a : n2

b-possrun :

〈r({Ka; Kb; t; m1}K−1

a) . f(n2) .s({{Ka; Kb; t; m1}K

−1

a; H(n2)}K

−1

b

, a) .r(n1) . s(n2, a)〉

b-possrun :

〈r({Ka; Kb; t; m1}K−1

a)〉

〈r({Ka; Kb; t; m1}K−1

a) . f(n2)〉

〈r({Ka; Kb; t; m1}K−1

a) . f(n2) .s({{Ka; Kb; t; m1}K

−1

a; H(n2)}K

−1

b

, a)〉

〈r({Ka; Kb; t; H(n1)}K−1

a) . f(n2) .s({{Ka; Kb; t; H(n1)}K

−1

a; H(n2)}K

−1

b

, a) .r(n1)〉

〈r({Ka; Kb; t; H(n1)}K−1

a) . f(n2) .s({{Ka; Kb; t; H(n1)}K

−1

a; H(n2)}K

−1

b

, a) .r(n1) . s(n2, a)〉

– p. 24

Even so ...


(asw1) a → b : (n1). {Ka; Kb; t; H(n1)}K−1

a

(asw2) b → a : (n2). {{Ka; Kb; t; H(n1)}K−1

a; H(n2)}K

−1

b

(asw3) a → b : n1

(asw4) b → a : n2

b-possrun :

〈r({Ka; Kb; t; m1}K−1

a) . f(n2) .s({{Ka; Kb; t; m1}K

−1

a; H(n2)}K

−1

b

, a) .r(n1) . s(n2, a)〉

b-possrun :

〈r({Ka; Kb; t; m1}K−1

a)〉

〈r({Ka; Kb; t; m1}K−1

a) . f(n2)〉

〈r({Ka; Kb; t; m1}K−1

a) . f(n2) .s({{Ka; Kb; t; m1}K

−1

a; H(n2)}K

−1

b

, a)〉

〈r({Ka; Kb; t; H(n1)}K−1

a) . f(n2) .s({{Ka; Kb; t; H(n1)}K

−1

a; H(n2)}K

−1

b

, a) .r(n1)〉

〈r({Ka; Kb; t; H(n1)}K−1

a) . f(n2) .s({{Ka; Kb; t; H(n1)}K

−1

a; H(n2)}K

−1

b

, a) .r(n1) . s(n2, a)〉

Eager CheckNeeded

– p. 25

With eager checking


(asw1) a → b : (n1). {Ka; Kb; t; H(n1)}K−1

a

(asw2) b → a : (n2). {{Ka; Kb; t; H(n1)}K−1

a; H(n2)}K

−1

b

(asw3) a → b : n1

(asw4) b → a : n2

b-possrun :

〈r({Ka; Kb; t; m1}K−1

a) . f(n2) .s({{Ka; Kb; t; m1}K

−1

a; H(n2)}K

−1

b

, a) .r(n1) . s(n2, a)〉

b-possruns :

〈r({Ka; Kb; t; m1}K−1

a)〉

〈r({Ka; Kb; t; m1}K−1

a) . f(n2)〉

〈r({Ka; Kb; t; m1}K−1

a) . f(n2) .s({{Ka; Kb; t; m1}K

−1

a; H(n2)}K

−1

b

, a)〉

〈r({Ka; Kb; t; H(n1)}K−1

a) . f(n2) .s({{Ka; Kb; t; H(n1)}K

−1

a; H(n2)}K

−1

b

, a) .r(n1)〉

〈r({Ka; Kb; t; H(n1)}K−1

a) . f(n2) .s({{Ka; Kb; t; H(n1)}K

−1

a; H(n2)}K

−1

b

, a) .r(n1) . s(n2, a)〉

– p. 26

With eager checking


(asw1) a → b : (n1). {Ka; Kb; t; H(n1)}K−1

a

(asw2) b → a : (n2). {{Ka; Kb; t; H(n1)}K−1

a; H(n2)}K

−1

b

(asw3) a → b : n1

(asw4) b → a : n2

b-possrun :

〈r({Ka; Kb; t; m1}K−1

a) . f(n2) .s({{Ka; Kb; t; m1}K

−1

a; H(n2)}K

−1

b

, a) .r(n1) . s(n2, a)〉

b-possruns :

〈r({Ka; Kb; t; m1}K−1

a)〉

〈r({Ka; Kb; t; m1}K−1

a) . f(n2)〉

〈r({Ka; Kb; t; m1}K−1

a) . f(n2) .s({{Ka; Kb; t; m1}K

−1

a; H(n2)}K

−1

b

, a)〉

〈r({Ka; Kb; t; H(n1)}K−1

a) . f(n2) .s({{Ka; Kb; t; H(n1)}K

−1

a; H(n2)}K

−1

b

, a) .r(n1)〉

〈r({Ka; Kb; t; H(n1)}K−1

a) . f(n2) .s({{Ka; Kb; t; H(n1)}K

−1

a; H(n2)}K

−1

b

, a) .r(n1) . s(n2, a)〉

ConditionalAbortion

– p. 27

Forwarding and conditional abortion

symbolic

incremental symbolic runs

standard

– p. 28


symbolic


standard

– p. 29


symbolic


standard

– p. 30


analysisM1; M2

M1

M1; M2

M2

{M}K K−1

M

synthesisM1 M2

M1; M2

M K

{M}K

M

H(M)

synthesis ︸︷︷︸

close(S)

– p. 31


a-run = 〈act1, . . . , acts〉 initial data D0a

act1 act2 act3 acts−1 actsD0

a// D1

a// D2

a// . . . // Ds−1

a// Ds

a

Di+1a =

Dia if acti+1 = s(M, y)

close(Dia ∪ {M}) if acti+1 = r(M)

close(Dia ∪ {n}) if acti+1 = f(n)

– p. 32




a// D1

a// D2

a// . . . // Ds−1

a// Ds

a

Di+1a =

Dia if acti+1 = s(M, y)

close(Dia ∪ {M}) if acti+1 = r(M)

close(Dia ∪ {n}) if acti+1 = f(n)

Executabilityfor each participant a and 1 ≤ i ≤ t, if acti = s(M, b) then M ∈ Di−1

a

– p. 33


Given the closed dataset D

vD(M) =

M if M is atomicvD(M1); vD(M2) if M = M1; M2

{vD(M1)}vD(K) if M = {M1}K and K−1 ∈ D or M1, K ∈ D

H(vD(M1)) if M = H(M1) and M1 ∈ D

mM otherwise

– p. 34



vD(M) =




mM otherwise

Abadi and Rogaway. Reconciling two views of cryptography. Journal of Cryptology15(2):103–127, 2002.

– p. 35



vD(M) =




mM otherwise

A message M is

D-transparent if vD(M) = M

D-opaque if vD(M) = mM , i.e.

M = {M1}K , K−1 /∈ D and {M1, K} * D, or else

M = H(M1) and M1 /∈ D

– p. 36



vD(M) =




mM otherwise

A message M is

D-transparent if vD(M) = M

D-opaque if vD(M) = mM , i.e.

M = {M1}K , K−1 /∈ D and {M1, K} * D, or else

M = H(M1) and M1 /∈ D

Eagerness

– p. 37




a// D1

a// D2

a// . . . // Ds−1

a// Ds

a

– p. 38




a// D1

a// D2

a// . . . // Ds−1

a// Ds

a

a-possrun1 : 〈act11〉a-possrun2 : 〈act21 . act22〉a-possrun3 : 〈act31 . act32 . act33〉. . .

a-possruns : 〈acts1 . acts2 . acts3 . . . . . actss〉

where each a-possruni = vDia(a-run|i), i.e. actij = vDi

a(actj)

– p. 39



(nspk1) a → b : (n1). {n1; a}Kb

(nspk2) b → a : (n2). {n1; n2}Ka



) . s({n2}Kb, b)〉

a-possrun1 : 〈f(n1)〉

a-possrun2 : 〈f(n1) . s({n1; a}Kb, b)〉

a-possrun3 : 〈f(n1) . s({n1; a}Kb, b) . r({n1; n2}Ka

)〉


) . s({n2}Kb, b)〉

– p. 40



(nspk1) a → b : (n1). {n1; a}Kb

(nspk2) b → a : (n2). {n1; n2}Ka



) . s({n2}Kb, b)〉

a-possrun1 : 〈f(n1)〉

a-possrun2 : 〈f(n1) . s({n1; a}Kb, b)〉


)〉


) . s({n2}Kb, b)〉

– p. 41


TheoremThe standard sequence a-run is representative if and only ifevery received message is transparent when it is received, i.e.if acti = r(M), then M is Di

a-transparent.

– p. 42


TheoremThe standard sequence a-run is representative if and only ifevery received message is transparent when it is received, i.e.if acti = r(M), then M is Di

a-transparent.

For instance, NSPK fulfils this conditionOtway-Rees and Asokan-Shoup-Waidner do not

– p. 43






(or4) b → a : i; {n1; k}Kas

b-possrun :

〈r(i; a; b; m1) . f(n2) . s(i; a; b; m1; {n2; i; a; b}Kbs, s) . r(i; m2; {n2; k}Kbs

) . s(i; m2, a)〉

b-possruns :

〈r(i; a; b; m1)〉

〈r(i; a; b; m1) . f(n2)〉

〈r(i; a; b; m1) . f(n2) . s(i; a; b; m1; {n2; i; a; b}Kbs, s)〉


)〉


) . s(i; m2, a)〉

– p. 44






(or4) b → a : i; {n1; k}Kas

b-possrun :


) . s(i; m2, a)〉

b-possruns :

〈r(i; a; b; m1)〉

〈r(i; a; b; m1) . f(n2)〉

〈r(i; a; b; m1) . f(n2) . s(i; a; b; m1; {n2; i; a; b}Kbs, s)〉


)〉


) . s(i; m2, a)〉

– p. 45


TheoremThe symbolic sequence a-possrun is representative if and only ifevery received message preserves the message variables that occur inthe views of previously received messages, i.e.if j < i, actj and acti are receiving actions, and mM occurs invD

i−1

x(actj), then mM also occurs in vDi

x(actj).

– p. 46


TheoremThe symbolic sequence a-possrun is representative if and only ifevery received message preserves the message variables that occur inthe views of previously received messages, i.e.if j < i, actj and acti are receiving actions, and mM occurs invD

i−1

x(actj), then mM also occurs in vDi

x(actj).

For instance, NSPK and Otway-Rees fulfill this conditionStill, Asokan-Shoup-Waidner does not

– p. 47



standard

symbolic

all protocols

– p. 48


Denotational semantics of Alice&Bob-style protocol specificationsIncremental symbolic runsMessage forwardingConditional abortion

Operational semanticsBasis for automated protocol analysis toolsStep towards implementation

Fill in the gap between Alice&Bob-notation and HLPSL


Object level and metalevel reasoningReduction resultsCalculus

– p. 49


Denotational semantics of Alice&Bob-style protocol specificationsIncremental symbolic runsMessage forwardingConditional abortion

Operational semanticsBasis for automated protocol analysis toolsStep towards implementation

Fill in the gap between Alice&Bob-notation and HLPSL


Object level and metalevel reasoningReduction resultsCalculus

Thank you!

– p. 50

Documents

Deconstructing Alice & BobDeconstructing Alice & Bob Carlos Caleiro CLC, Dep. Mathematics, IST, TU Lisbon, Portugal Luca Vigano and David Basin` Dep. Computer Science, ETH Zurich,