1 / 8

Security Protocol Specification Languages: An Overview of Alice and Bob Framework

This document provides a comprehensive overview of security protocol specification languages using the Alice and Bob framework. It discusses various specification styles, including normal message lists and role-process specifications, as well as notable languages like CAPSL, Casper, and HLPSL. Key concepts such as nonce generation, message confidentiality, and attacker capabilities are examined, along with the specifications of the Needham-Schroeder protocol. Additionally, insights into the design issues and model checking techniques for security protocols are presented, ensuring a clearer understanding of protocol verification.

jirair
Télécharger la présentation

Security Protocol Specification Languages: An Overview of Alice and Bob Framework

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Alice & Bob Specifications Jon Millen June 2005

  2. Security Protocol Specification Languages • Alice & Bob • Textbook and article style • Specification is a normal message list • A  B: {A,Na}Kb • CAPSL, Casper, HLPSL, ISL, ... • Role process specifications • Separate specifications for each participant • Some form of state transition spec • Semantics is easier to understand • Varying degrees of customization, convenience • Prolog, CSP, PVS, Maude, pi-calculus: existing languages • MSR, CPPL, Spi-calculus: specialized languages • CIL, IF: just intermediate languages • May or may not support code generation

  3. CAPSL PROTOCOL NeedhamSchroederPK; VARIABLES A, B: PKUser; Na, Nb: Nonce, FRESH; ASSUMPTIONS HOLDS A: B; MESSAGES 1. A -> B: {Na, A}pk(B); 2. B -> A: {Na, Nb}pk(A); 3. A -> B: {Nb}pk(B); GOALS SECRET Na; SECRET Nb; PRECEDES A: B | Na; PRECEDES B: A | Nb; END; ENVIRONMENT Test1; IMPORTS NSPK; CONSTANTS Alice, Bob: PKUser; Mallory: PKUser, EXPOSED; AGENT A1 HOLDS A = Alice; B = Bob; AGENT B1 HOLDS B = Bob; END; Translated to CIL; from there to Athena, Csolve, PVS, Maude, NRL-PA, and Java code

  4. Casper Example from Lowe's Web page -- Needham Schroeder Public Key Protocol, -- 3 message version #Free variables A, B : Agent na, nb : Nonce PK : Agent -> PublicKey SK : Agent -> SecretKey InverseKeys = (PK, SK) #Processes INITIATOR(A,na) knows PK, SK(A) RESPONDER(B,nb) knows PK, SK(B) #Protocol description 0. -> A : B 1. A -> B : {na, A}{PK(B)} 2. B -> A : {na, nb}{PK(A)} 3. A -> B : {nb}{PK(B)} #Specification Secret(A, na, [B]) Secret(B, nb, [A]) Agreement(A,B,[na,nb]) Agreement(B,A,[na,nb]) #Actual variables Alice, Bob, Mallory : Agent Na, Nb, Nm : Nonce #Functions symbolic PK, SK #System INITIATOR(Alice, Na) RESPONDER(Bob, Nb) #Intruder Information Intruder = Mallory IntruderKnowledge = {Alice, Bob, Mallory, Nm, PK, SK(Mallory)} Translated to CSP and Java

  5. AVISPA OFMC Page

  6. HLPSL PROTOCOL NSPK; Identifiers A, B: user; Na, Nb: number; Ka, Kb: public_key; Knowledge A: B,Ka,Ka',Kb; B: A,Ka,Kb,Kb'; Messages 1. A -> B: {Na,A}Kb 2. B -> A: {Na,Nb}Ka 3. A -> B: {Nb}Kb Session_instances [ A:a, B:b, Ka:ka, Kb:kb ] [ A:a, B:I, Ka:ka, Kb:ki ]; Intruder divert, impersonate; Intruder_knowledge I, b, ka, kb, ki; Goal A authenticate B on Nb; Goal B authenticate A on Na;

  7. Design Issues • A  B: source, destination; part of the message or not? (no) • Principal-to-key and key inverse relations • public_key(A,Ka) vs. pk(A) • pk(A) only (free algebra) or inverse(Kpa,Ksa) • Message views (hidden structure) and implicit message actions • Lowe "%" notation: A  B: {M}Kc%F where B sees only "blob" F • Role and parameter identification • Which parameters are independent inputs • Which nonces and session keys are generated by whom • Security goal statements • Other issues • Data types and extensibility • Attacker capabilities and knowledge • Scenario specification for model checking • Implementability checking - definedness of variables • Some of these issues apply to role process specs as well

  8. Non sequitur: Constraint Solver (Csolve) • Bounded-process model checker in Prolog • Parametric strand specifications • SWI-Prolog/XPCE for diagrams • Working on translation from CPPL

More Related