Upload
others
View
5
Download
0
Embed Size (px)
Citation preview
Deconstructing Alice & Bob
Carlos Caleiro
CLC, Dep. Mathematics, IST, TU Lisbon, Portugal
Luca Vigano and David Basin
Dep. Computer Science, ETH Zurich, Switzerland
ARSPA’05 – Lisbon, Portugal – July 16, 2005
Deconstructing Alice & Bob – p. 1
The context
Formal analysis of security protocols
Strand spaces, multiset rewriting, theorem proving ...
– p. 2
The context
Formal analysis of security protocols
Strand spaces, multiset rewriting, theorem proving ...
Distributed temporal logic
Caleiro, Viganò and Basin. Relating strand spaces and distributed temporal logic forsecurity protocol analysis. Logic Journal of the IGPL, in print.
Caleiro, Viganò and Basin. Metareasoning about security protocols using distributedtemporal logic. ENTCS 125(1):67–89, 2005.
Caleiro, Viganò and Basin. Towards a metalogic for security protocol analysis. InProceedings of the CombLog’04 Workshop, 2004.
– p. 3
The problem
The Needham-Schroeder Public-Key Authentication Protocol
(nspk1) a → b : (n1). {n1; a}Kb
(nspk2) b → a : (n2). {n1; n2}Ka
(nspk3) a → b : {n2}Kb
– p. 4
The problem
The Needham-Schroeder Public-Key Authentication Protocol
(nspk1) a → b : (n1). {n1; a}Kb
(nspk2) b → a : (n2). {n1; n2}Ka
(nspk3) a → b : {n2}Kb
How to formalize a protocol specified in Alice&Bob-notation?
What is the meaning of such protocol descriptions?
How much is made explicit or left implicit?
What is the expressive power of Alice&Bob-style protocolspecifications?
– p. 5
A little philosophy and literary theory
deconstruction
“(noun) a method of critical analysis of language and text whichemphasizes the relational quality of meaning and the assumptions implicitin forms of expression”
taken from the Compact Oxford English Dictionary
– p. 6
The plan
Preliminaries
The standard semantics
Good examples and bad examples
Message forwarding and conditional abortion
Opaque and transparent messages
Incremental symbolic runs
Characterization theorems
Conclusion and further work
– p. 7
Preliminaries
Messages are built from atomic messages (identifiers, numbers, andvariables) by pairing, encryption and hashing
Perfect cryptography
Every message can be used as an encryption key and has aninverse for decryption
Communication is asynchronous and takes place over a hostilenetwork
– p. 8
Preliminaries
Messages are built from atomic messages (identifiers, numbers, andvariables) by pairing, encryption and hashing
Perfect cryptography
Every message can be used as an encryption key and has aninverse for decryption
Communication is asynchronous and takes place over a hostilenetwork
Honest actionss(M, A) — sending the message M to the principal A
r(M) — receiving the message M
f(N) — generating the fresh number N
– p. 9
Preliminaries
In general, a protocol description in Alice&Bob-notation involves acollection of principal variables corresponding to protocol participants (ai)and of number variables (nj), and consists of a sequence 〈step1 . . . stepm〉
of message exchange steps, each of the form
(stepq) as → ar : (nq1, . . . , nqt
). M
These steps are meant to prescribe a sequence of actions to be executedby each of the participants in a run of the protocol. But how?
– p. 10
Preliminaries
In general, a protocol description in Alice&Bob-notation involves acollection of principal variables corresponding to protocol participants (ai)and of number variables (nj), and consists of a sequence 〈step1 . . . stepm〉
of message exchange steps, each of the form
(stepq) as → ar : (nq1, . . . , nqt
). M
These steps are meant to prescribe a sequence of actions to be executedby each of the participants in a run of the protocol. But how?
– p. 11
The standard semantics
(stepq) as → ar : (nq1, . . . , nqt
). M
The sequence of actions corresponding to the execution of a’s role in theprotocol is a-run = stepa
1 � · · · � stepam, where stepa
q is defined by
stepaq =
〈f(nq1) . . . f(nqt
) . s(M, ar)〉 if a = as
〈r(M)〉 if a = ar
〈〉 otherwise
– p. 12
A good example
The Needham-Schroeder Public-Key Authentication Protocol
(nspk1) a → b : (n1). {n1; a}Kb
(nspk2) b → a : (n2). {n1; n2}Ka
(nspk3) a → b : {n2}Kb
a-run : 〈f(n1).s({n1; a}Kb, b) . r({n1; n2}Ka
) . s({n2}Kb, b)〉
b-run : 〈r({n1; a}Kb) . f(n2) . s({n1; n2}Ka
, a) . r({n2}Kb)〉
– p. 13
A good example
The Needham-Schroeder Public-Key Authentication Protocol
(nspk1) a → b : (n1). {n1; a}Kb
(nspk2) b → a : (n2). {n1; n2}Ka
(nspk3) a → b : {n2}Kb
a-run : 〈f(n1).s({n1; a}Kb, b) . r({n1; n2}Ka
) . s({n2}Kb, b)〉
– p. 14
A good example
The Needham-Schroeder Public-Key Authentication Protocol
(nspk1) a → b : (n1). {n1; a}Kb
(nspk2) b → a : (n2). {n1; n2}Ka
(nspk3) a → b : {n2}Kb
a-run : 〈f(n1).s({n1; a}Kb, b) . r({n1; n2}Ka
) . s({n2}Kb, b)〉
b-run : 〈r({n1; a}Kb) . f(n2) . s({n1; n2}Ka
, a) . r({n2}Kb)〉
– p. 15
Another example
The Otway-Rees Authentication/Key-Exchange Protocol
(or1) a → b : (n1). i; a; b; {n1; i; a; b}Kas
(or2) b → s : (n2). i; a; b; {n1; i; a; b}Kas; {n2; i; a; b}Kbs
(or3) s → b : ( k ). i; {n1; k}Kas; {n2; k}Kbs
(or4) b → a : i; {n1; k}Kas
– p. 16
Another example
The Otway-Rees Authentication/Key-Exchange Protocol
(or1) a → b : (n1). i; a; b; {n1; i; a; b}Kas
(or2) b → s : (n2). i; a; b; {n1; i; a; b}Kas; {n2; i; a; b}Kbs
(or3) s → b : ( k ). i; {n1; k}Kas; {n2; k}Kbs
(or4) b → a : i; {n1; k}Kas
b-run : b-possrun :
〈r(i; a; b; {n1; i; a; b}Kas) . 〈r(i; a; b; m1) .
f(n2) . f(n2) .
s(i; a; b; {n1; i; a; b}Kas; {n2; i; a; b}Kbs
, s) . s(i; a; b; m1; {n2; i; a; b}Kbs, s) .
r(i; {n1; k}Kas; {n2; k}Kbs
) . r(i; m2; {n2; k}Kbs) .
s(i; {n1; k}Kas, a)〉 s(i; m2, a)〉
– p. 17
A bad example
The Otway-Rees Authentication/Key-Exchange Protocol
(or1) a → b : (n1). i; a; b; {n1; i; a; b}Kas
(or2) b → s : (n2). i; a; b; {n1; i; a; b}Kas; {n2; i; a; b}Kbs
(or3) s → b : ( k ). i; {n1; k}Kas; {n2; k}Kbs
(or4) b → a : i; {n1; k}Kas
b-run : b-possrun :
〈r(i; a; b; {n1; i; a; b}Kas) . 〈r(i; a; b; m1) .
f(n2) . f(n2) .
s(i; a; b; {n1; i; a; b}Kas; {n2; i; a; b}Kbs
, s) . s(i; a; b; m1; {n2; i; a; b}Kbs, s) .
r(i; {n1; k}Kas; {n2; k}Kbs
) . r(i; m2; {n2; k}Kbs) .
s(i; {n1; k}Kas, a)〉 s(i; m2, a)〉
– p. 18
Message variables
The Otway-Rees Authentication/Key-Exchange Protocol
(or1) a → b : (n1). i; a; b; {n1; i; a; b}Kas
(or2) b → s : (n2). i; a; b; {n1; i; a; b}Kas; {n2; i; a; b}Kbs
(or3) s → b : ( k ). i; {n1; k}Kas; {n2; k}Kbs
(or4) b → a : i; {n1; k}Kas
b-run : symbolic b-possrun :
〈r(i; a; b; {n1; i; a; b}Kas) . 〈r(i; a; b; m1) .
f(n2) . f(n2) .
s(i; a; b; {n1; i; a; b}Kas; {n2; i; a; b}Kbs
, s) . s(i; a; b; m1; {n2; i; a; b}Kbs, s) .
r(i; {n1; k}Kas; {n2; k}Kbs
) . r(i; m2; {n2; k}Kbs) .
s(i; {n1; k}Kas, a)〉 s(i; m2, a)〉
– p. 19
Message variables
The Otway-Rees Authentication/Key-Exchange Protocol
(or1) a → b : (n1). i; a; b; {n1; i; a; b}Kas
(or2) b → s : (n2). i; a; b; {n1; i; a; b}Kas; {n2; i; a; b}Kbs
(or3) s → b : ( k ). i; {n1; k}Kas; {n2; k}Kbs
(or4) b → a : i; {n1; k}Kas
b-run : symbolic b-possrun :
〈r(i; a; b; {n1; i; a; b}Kas) . 〈r(i; a; b; m1) .
f(n2) . f(n2) .
s(i; a; b; {n1; i; a; b}Kas; {n2; i; a; b}Kbs
, s) . s(i; a; b; m1; {n2; i; a; b}Kbs, s) .
r(i; {n1; k}Kas; {n2; k}Kbs
) . r(i; m2; {n2; k}Kbs) .
s(i; {n1; k}Kas, a)〉 s(i; m2, a)〉
MessageForwarding
– p. 20
Another bad example
The Asokan-Shoup-Waidner Optimistic Fair-Exchange Subprotocol
(asw1) a → b : (n1). {Ka; Kb; t; H(n1)}K−1
a
(asw2) b → a : (n2). {{Ka; Kb; t; H(n1)}K−1
a; H(n2)}K
−1
b
(asw3) a → b : n1
(asw4) b → a : n2
– p. 21
Another bad example
The Asokan-Shoup-Waidner Optimistic Fair-Exchange Subprotocol
(asw1) a → b : (n1). {Ka; Kb; t; H(n1)}K−1
a
(asw2) b → a : (n2). {{Ka; Kb; t; H(n1)}K−1
a; H(n2)}K
−1
b
(asw3) a → b : n1
(asw4) b → a : n2
b-run :
〈r({Ka; Kb; t; H(n1)}K−1
a) . f(n2) .s({{Ka; Kb; t; H(n1)}K
−1
a; H(n2)}K
−1
b
, a) .r(n1) . s(n2, a)〉
– p. 22
Another bad example
The Asokan-Shoup-Waidner Optimistic Fair-Exchange Subprotocol
(asw1) a → b : (n1). {Ka; Kb; t; H(n1)}K−1
a
(asw2) b → a : (n2). {{Ka; Kb; t; H(n1)}K−1
a; H(n2)}K
−1
b
(asw3) a → b : n1
(asw4) b → a : n2
b-run :
〈r({Ka; Kb; t; H(n1)}K−1
a) . f(n2) .s({{Ka; Kb; t; H(n1)}K
−1
a; H(n2)}K
−1
b
, a) .r(n1) . s(n2, a)〉
Message VariablesNeeded
– p. 23
Even so ...
The Asokan-Shoup-Waidner Optimistic Fair-Exchange Subprotocol
(asw1) a → b : (n1). {Ka; Kb; t; H(n1)}K−1
a
(asw2) b → a : (n2). {{Ka; Kb; t; H(n1)}K−1
a; H(n2)}K
−1
b
(asw3) a → b : n1
(asw4) b → a : n2
b-possrun :
〈r({Ka; Kb; t; m1}K−1
a) . f(n2) .s({{Ka; Kb; t; m1}K
−1
a; H(n2)}K
−1
b
, a) .r(n1) . s(n2, a)〉
b-possrun :
〈r({Ka; Kb; t; m1}K−1
a)〉
〈r({Ka; Kb; t; m1}K−1
a) . f(n2)〉
〈r({Ka; Kb; t; m1}K−1
a) . f(n2) .s({{Ka; Kb; t; m1}K
−1
a; H(n2)}K
−1
b
, a)〉
〈r({Ka; Kb; t; H(n1)}K−1
a) . f(n2) .s({{Ka; Kb; t; H(n1)}K
−1
a; H(n2)}K
−1
b
, a) .r(n1)〉
〈r({Ka; Kb; t; H(n1)}K−1
a) . f(n2) .s({{Ka; Kb; t; H(n1)}K
−1
a; H(n2)}K
−1
b
, a) .r(n1) . s(n2, a)〉
– p. 24
Even so ...
The Asokan-Shoup-Waidner Optimistic Fair-Exchange Subprotocol
(asw1) a → b : (n1). {Ka; Kb; t; H(n1)}K−1
a
(asw2) b → a : (n2). {{Ka; Kb; t; H(n1)}K−1
a; H(n2)}K
−1
b
(asw3) a → b : n1
(asw4) b → a : n2
b-possrun :
〈r({Ka; Kb; t; m1}K−1
a) . f(n2) .s({{Ka; Kb; t; m1}K
−1
a; H(n2)}K
−1
b
, a) .r(n1) . s(n2, a)〉
b-possrun :
〈r({Ka; Kb; t; m1}K−1
a)〉
〈r({Ka; Kb; t; m1}K−1
a) . f(n2)〉
〈r({Ka; Kb; t; m1}K−1
a) . f(n2) .s({{Ka; Kb; t; m1}K
−1
a; H(n2)}K
−1
b
, a)〉
〈r({Ka; Kb; t; H(n1)}K−1
a) . f(n2) .s({{Ka; Kb; t; H(n1)}K
−1
a; H(n2)}K
−1
b
, a) .r(n1)〉
〈r({Ka; Kb; t; H(n1)}K−1
a) . f(n2) .s({{Ka; Kb; t; H(n1)}K
−1
a; H(n2)}K
−1
b
, a) .r(n1) . s(n2, a)〉
Eager CheckNeeded
– p. 25
With eager checking
The Asokan-Shoup-Waidner Optimistic Fair-Exchange Subprotocol
(asw1) a → b : (n1). {Ka; Kb; t; H(n1)}K−1
a
(asw2) b → a : (n2). {{Ka; Kb; t; H(n1)}K−1
a; H(n2)}K
−1
b
(asw3) a → b : n1
(asw4) b → a : n2
b-possrun :
〈r({Ka; Kb; t; m1}K−1
a) . f(n2) .s({{Ka; Kb; t; m1}K
−1
a; H(n2)}K
−1
b
, a) .r(n1) . s(n2, a)〉
b-possruns :
〈r({Ka; Kb; t; m1}K−1
a)〉
〈r({Ka; Kb; t; m1}K−1
a) . f(n2)〉
〈r({Ka; Kb; t; m1}K−1
a) . f(n2) .s({{Ka; Kb; t; m1}K
−1
a; H(n2)}K
−1
b
, a)〉
〈r({Ka; Kb; t; H(n1)}K−1
a) . f(n2) .s({{Ka; Kb; t; H(n1)}K
−1
a; H(n2)}K
−1
b
, a) .r(n1)〉
〈r({Ka; Kb; t; H(n1)}K−1
a) . f(n2) .s({{Ka; Kb; t; H(n1)}K
−1
a; H(n2)}K
−1
b
, a) .r(n1) . s(n2, a)〉
– p. 26
With eager checking
The Asokan-Shoup-Waidner Optimistic Fair-Exchange Subprotocol
(asw1) a → b : (n1). {Ka; Kb; t; H(n1)}K−1
a
(asw2) b → a : (n2). {{Ka; Kb; t; H(n1)}K−1
a; H(n2)}K
−1
b
(asw3) a → b : n1
(asw4) b → a : n2
b-possrun :
〈r({Ka; Kb; t; m1}K−1
a) . f(n2) .s({{Ka; Kb; t; m1}K
−1
a; H(n2)}K
−1
b
, a) .r(n1) . s(n2, a)〉
b-possruns :
〈r({Ka; Kb; t; m1}K−1
a)〉
〈r({Ka; Kb; t; m1}K−1
a) . f(n2)〉
〈r({Ka; Kb; t; m1}K−1
a) . f(n2) .s({{Ka; Kb; t; m1}K
−1
a; H(n2)}K
−1
b
, a)〉
〈r({Ka; Kb; t; H(n1)}K−1
a) . f(n2) .s({{Ka; Kb; t; H(n1)}K
−1
a; H(n2)}K
−1
b
, a) .r(n1)〉
〈r({Ka; Kb; t; H(n1)}K−1
a) . f(n2) .s({{Ka; Kb; t; H(n1)}K
−1
a; H(n2)}K
−1
b
, a) .r(n1) . s(n2, a)〉
ConditionalAbortion
– p. 27
Forwarding and conditional abortion
symbolic
incremental symbolic runs
standard
– p. 28
Forwarding and conditional abortion
symbolic
incremental symbolic runs
standard
– p. 29
Forwarding and conditional abortion
symbolic
incremental symbolic runs
standard
– p. 30
Opaque and transparent messages
analysisM1; M2
M1
M1; M2
M2
{M}K K−1
M
synthesisM1 M2
M1; M2
M K
{M}K
M
H(M)
synthesis ︸ ︷︷ ︸
close(S)
– p. 31
Opaque and transparent messages
a-run = 〈act1, . . . , acts〉 initial data D0a
act1 act2 act3 acts−1 actsD0
a// D1
a// D2
a// . . . // Ds−1
a// Ds
a
Di+1a =
Dia if acti+1 = s(M, y)
close(Dia ∪ {M}) if acti+1 = r(M)
close(Dia ∪ {n}) if acti+1 = f(n)
– p. 32
Opaque and transparent messages
a-run = 〈act1, . . . , acts〉 initial data D0a
act1 act2 act3 acts−1 actsD0
a// D1
a// D2
a// . . . // Ds−1
a// Ds
a
Di+1a =
Dia if acti+1 = s(M, y)
close(Dia ∪ {M}) if acti+1 = r(M)
close(Dia ∪ {n}) if acti+1 = f(n)
Executabilityfor each participant a and 1 ≤ i ≤ t, if acti = s(M, b) then M ∈ Di−1
a
– p. 33
Opaque and transparent messages
Given the closed dataset D
vD(M) =
M if M is atomicvD(M1); vD(M2) if M = M1; M2
{vD(M1)}vD(K) if M = {M1}K and K−1 ∈ D or M1, K ∈ D
H(vD(M1)) if M = H(M1) and M1 ∈ D
mM otherwise
– p. 34
Opaque and transparent messages
Given the closed dataset D
vD(M) =
M if M is atomicvD(M1); vD(M2) if M = M1; M2
{vD(M1)}vD(K) if M = {M1}K and K−1 ∈ D or M1, K ∈ D
H(vD(M1)) if M = H(M1) and M1 ∈ D
mM otherwise
Abadi and Rogaway. Reconciling two views of cryptography. Journal of Cryptology15(2):103–127, 2002.
– p. 35
Opaque and transparent messages
Given the closed dataset D
vD(M) =
M if M is atomicvD(M1); vD(M2) if M = M1; M2
{vD(M1)}vD(K) if M = {M1}K and K−1 ∈ D or M1, K ∈ D
H(vD(M1)) if M = H(M1) and M1 ∈ D
mM otherwise
A message M is
D-transparent if vD(M) = M
D-opaque if vD(M) = mM , i.e.
M = {M1}K , K−1 /∈ D and {M1, K} * D, or else
M = H(M1) and M1 /∈ D
– p. 36
Opaque and transparent messages
Given the closed dataset D
vD(M) =
M if M is atomicvD(M1); vD(M2) if M = M1; M2
{vD(M1)}vD(K) if M = {M1}K and K−1 ∈ D or M1, K ∈ D
H(vD(M1)) if M = H(M1) and M1 ∈ D
mM otherwise
A message M is
D-transparent if vD(M) = M
D-opaque if vD(M) = mM , i.e.
M = {M1}K , K−1 /∈ D and {M1, K} * D, or else
M = H(M1) and M1 /∈ D
Eagerness
– p. 37
Incremental symbolic runs
a-run = 〈act1, . . . , acts〉 initial data D0a
act1 act2 act3 acts−1 actsD0
a// D1
a// D2
a// . . . // Ds−1
a// Ds
a
– p. 38
Incremental symbolic runs
a-run = 〈act1, . . . , acts〉 initial data D0a
act1 act2 act3 acts−1 actsD0
a// D1
a// D2
a// . . . // Ds−1
a// Ds
a
a-possrun1 : 〈act11〉a-possrun2 : 〈act21 . act22〉a-possrun3 : 〈act31 . act32 . act33〉. . .
a-possruns : 〈acts1 . acts2 . acts3 . . . . . actss〉
where each a-possruni = vDia(a-run|i), i.e. actij = vDi
a(actj)
– p. 39
Characterization theorems
The Needham-Schroeder Public-Key Authentication Protocol
(nspk1) a → b : (n1). {n1; a}Kb
(nspk2) b → a : (n2). {n1; n2}Ka
(nspk3) a → b : {n2}Kb
a-run : 〈f(n1).s({n1; a}Kb, b) . r({n1; n2}Ka
) . s({n2}Kb, b)〉
a-possrun1 : 〈f(n1)〉
a-possrun2 : 〈f(n1) . s({n1; a}Kb, b)〉
a-possrun3 : 〈f(n1) . s({n1; a}Kb, b) . r({n1; n2}Ka
)〉
a-possrun4 : 〈f(n1) . s({n1; a}Kb, b) . r({n1; n2}Ka
) . s({n2}Kb, b)〉
– p. 40
Characterization theorems
The Needham-Schroeder Public-Key Authentication Protocol
(nspk1) a → b : (n1). {n1; a}Kb
(nspk2) b → a : (n2). {n1; n2}Ka
(nspk3) a → b : {n2}Kb
a-run : 〈f(n1).s({n1; a}Kb, b) . r({n1; n2}Ka
) . s({n2}Kb, b)〉
a-possrun1 : 〈f(n1)〉
a-possrun2 : 〈f(n1) . s({n1; a}Kb, b)〉
a-possrun3 : 〈f(n1) . s({n1; a}Kb, b) . r({n1; n2}Ka
)〉
a-possrun4 : 〈f(n1) . s({n1; a}Kb, b) . r({n1; n2}Ka
) . s({n2}Kb, b)〉
– p. 41
Characterization theorems
TheoremThe standard sequence a-run is representative if and only ifevery received message is transparent when it is received, i.e.if acti = r(M), then M is Di
a-transparent.
– p. 42
Characterization theorems
TheoremThe standard sequence a-run is representative if and only ifevery received message is transparent when it is received, i.e.if acti = r(M), then M is Di
a-transparent.
For instance, NSPK fulfils this conditionOtway-Rees and Asokan-Shoup-Waidner do not
– p. 43
Characterization theorems
The Otway-Rees Authentication/Key-Exchange Protocol
(or1) a → b : (n1). i; a; b; {n1; i; a; b}Kas
(or2) b → s : (n2). i; a; b; {n1; i; a; b}Kas; {n2; i; a; b}Kbs
(or3) s → b : ( k ). i; {n1; k}Kas; {n2; k}Kbs
(or4) b → a : i; {n1; k}Kas
b-possrun :
〈r(i; a; b; m1) . f(n2) . s(i; a; b; m1; {n2; i; a; b}Kbs, s) . r(i; m2; {n2; k}Kbs
) . s(i; m2, a)〉
b-possruns :
〈r(i; a; b; m1)〉
〈r(i; a; b; m1) . f(n2)〉
〈r(i; a; b; m1) . f(n2) . s(i; a; b; m1; {n2; i; a; b}Kbs, s)〉
〈r(i; a; b; m1) . f(n2) . s(i; a; b; m1; {n2; i; a; b}Kbs, s) . r(i; m2; {n2; k}Kbs
)〉
〈r(i; a; b; m1) . f(n2) . s(i; a; b; m1; {n2; i; a; b}Kbs, s) . r(i; m2; {n2; k}Kbs
) . s(i; m2, a)〉
– p. 44
Characterization theorems
The Otway-Rees Authentication/Key-Exchange Protocol
(or1) a → b : (n1). i; a; b; {n1; i; a; b}Kas
(or2) b → s : (n2). i; a; b; {n1; i; a; b}Kas; {n2; i; a; b}Kbs
(or3) s → b : ( k ). i; {n1; k}Kas; {n2; k}Kbs
(or4) b → a : i; {n1; k}Kas
b-possrun :
〈r(i; a; b; m1) . f(n2) . s(i; a; b; m1; {n2; i; a; b}Kbs, s) . r(i; m2; {n2; k}Kbs
) . s(i; m2, a)〉
b-possruns :
〈r(i; a; b; m1)〉
〈r(i; a; b; m1) . f(n2)〉
〈r(i; a; b; m1) . f(n2) . s(i; a; b; m1; {n2; i; a; b}Kbs, s)〉
〈r(i; a; b; m1) . f(n2) . s(i; a; b; m1; {n2; i; a; b}Kbs, s) . r(i; m2; {n2; k}Kbs
)〉
〈r(i; a; b; m1) . f(n2) . s(i; a; b; m1; {n2; i; a; b}Kbs, s) . r(i; m2; {n2; k}Kbs
) . s(i; m2, a)〉
– p. 45
Characterization theorems
TheoremThe symbolic sequence a-possrun is representative if and only ifevery received message preserves the message variables that occur inthe views of previously received messages, i.e.if j < i, actj and acti are receiving actions, and mM occurs invD
i−1
x(actj), then mM also occurs in vDi
x(actj).
– p. 46
Characterization theorems
TheoremThe symbolic sequence a-possrun is representative if and only ifevery received message preserves the message variables that occur inthe views of previously received messages, i.e.if j < i, actj and acti are receiving actions, and mM occurs invD
i−1
x(actj), then mM also occurs in vDi
x(actj).
For instance, NSPK and Otway-Rees fulfill this conditionStill, Asokan-Shoup-Waidner does not
– p. 47
Characterization theorems
incremental symbolic runs
standard
symbolic
all protocols
– p. 48
Conclusion and further work
Denotational semantics of Alice&Bob-style protocol specificationsIncremental symbolic runsMessage forwardingConditional abortion
Operational semanticsBasis for automated protocol analysis toolsStep towards implementation
Fill in the gap between Alice&Bob-notation and HLPSL
Distributed temporal logic
Object level and metalevel reasoningReduction resultsCalculus
– p. 49
Conclusion and further work
Denotational semantics of Alice&Bob-style protocol specificationsIncremental symbolic runsMessage forwardingConditional abortion
Operational semanticsBasis for automated protocol analysis toolsStep towards implementation
Fill in the gap between Alice&Bob-notation and HLPSL
Distributed temporal logic
Object level and metalevel reasoningReduction resultsCalculus
Thank you!
– p. 50