A Formal Semantics For Protocol Narrations - Spi

A Formal Semantics For Protocol Narrations S. Briais

U. Nestmann

School of Computer and Communication Sciences École Polytechnique Fédérale de Lausanne

Symposium on Trustworthy Global Computing Edinburgh, UK, April 7-9, 2005

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

1 / 39

Introduction

What is a protocol narration?

Sequence of message exchanges A→B:M

read

“From A to B send M”

Messages M, N ::= A | n | (M . N) | {M}N | · · ·

Briais, Nestmann (EPFL)

∈M

A Formal Semantics For Protocol Narrations

TGC 2005

2 / 39

Introduction

What is a protocol narration?

Sequence of message exchanges A→B:M

read

“From A to B send M”

Messages M, N ::= A | n | (M . N) | {M}N | · · ·

Briais, Nestmann (EPFL)

∈M

A Formal Semantics For Protocol Narrations

TGC 2005

2 / 39

Introduction

What is a protocol narration?

Sequence of message exchanges A→B:M

read

“From A to B send M”

Messages M, N ::= A | n | (M . N) | {M}N | · · ·

Briais, Nestmann (EPFL)

∈M

A Formal Semantics For Protocol Narrations

TGC 2005

2 / 39

Introduction

The Yahalom protocol

S

A

Briais, Nestmann (EPFL)

B

A Formal Semantics For Protocol Narrations

TGC 2005

3 / 39

Introduction

The Yahalom protocol

S

A

1

B

A → B : (A . nA )

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

3 / 39

Introduction

The Yahalom protocol

S

A

1

A → B : (A . nA )

2

B → S : (B . {(A . (nA . nB ))}kBS )

Briais, Nestmann (EPFL)

B

A Formal Semantics For Protocol Narrations

TGC 2005

3 / 39

Introduction

The Yahalom protocol

S

A

B

1

A → B : (A . nA )

2

B → S : (B . {(A . (nA . nB ))}kBS )

3

S → A : ({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS )

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

3 / 39

Introduction

The Yahalom protocol

S

A

B

1

A → B : (A . nA )

2

B → S : (B . {(A . (nA . nB ))}kBS )

3

S → A : ({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS )

4

A → B : ({(A . kAB )}kBS . {nB }kAB )

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

3 / 39

Introduction

The Yahalom protocol in spi-calculus (νkAS , kBS ) (νnA ) Bh(A . nA )i.A(x2 ).φ2 Bh(π2 (x2 ) . {π2 (π2 (DkAS (π1 (x2 ))))}π2 (π1 (Dk

AS

(π1 (x2 )))) )i. 0

||(νnB ) B(x0 ).φ0 Sh(B . {(A . (π2 (x0 ) . nB ))}kBS )i.B(x3 ).φ3 0 ||(νkAB ) S(x1 ).φ1 Ah({((B . kAB ) . (π1 (π2 (DkBS (π2 (x1 )))) . π2 (π2 (DkBS (π2 (x1 ))))))}kAS . {(A . kAB )}kBS )i. 0

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

4 / 39

Introduction

The Yahalom protocol in spi-calculus (νkAS , kBS ) (νnA ) Bh(A . nA )i.A(x2 ).φ2 Bh(π2 (x2 ) . {π2 (π2 (DkAS (π1 (x2 ))))}π2 (π1 (Dk

AS

(π1 (x2 )))) )i. 0

||(νnB ) B(x0 ).φ0 Sh(B . {(A . (π2 (x0 ) . nB ))}kBS )i.B(x3 ).φ3 0 ||(νkAB ) S(x1 ).φ1 Ah({((B . kAB ) . (π1 (π2 (DkBS (π2 (x1 )))) . π2 (π2 (DkBS (π2 (x1 ))))))}kAS . {(A . kAB )}kBS )i. 0

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

4 / 39

Introduction

The Yahalom protocol in spi-calculus (νkAS , kBS ) (νnA ) Bh(A . nA )i.A(x2 ).φ2 Bh(π2 (x2 ) . {π2 (π2 (DkAS (π1 (x2 ))))}π2 (π1 (Dk

AS

(π1 (x2 )))) )i. 0

||(νnB ) B(x0 ).φ0 Sh(B . {(A . (π2 (x0 ) . nB ))}kBS )i.B(x3 ).φ3 0 ||(νkAB ) S(x1 ).φ1 Ah({((B . kAB ) . (π1 (π2 (DkBS (π2 (x1 )))) . π2 (π2 (DkBS (π2 (x1 ))))))}kAS . {(A . kAB )}kBS )i. 0

φ0 = [ π1 (x0 ) : M ] ∧ [ π2 (x0 ) : M ] ∧ [ π1 (x0 ) = A ] φ1 = [ π1 (x1 ) : M ] ∧ [ π2 (x1 ) : M ] ∧ [ DkBS (π2 (x1 )) : M ] ∧ [ π1 (DkBS (π2 (x1 ))) : M ] ∧ [ π2 (DkBS (π2 (x1 ))) : M ] ∧ [ π1 (π2 (DkBS (π2 (x1 )))) : M ] ∧ [ π2 (π2 (DkBS (π2 (x1 )))) : M ] ∧ [ π1 (x1 ) = B ] ∧ [ π1 (DkBS (π2 (x1 ))) = A ] φ2 = [ π1 (x2 ) : M ] ∧ [ π2 (x2 ) : M ] ∧ [ DkAS (π1 (x2 )) : M ] ∧ [ π1 (DkAS (π1 (x2 ))) : M ] ∧ [ π2 (DkAS (π1 (x2 ))) : M ] ∧ [ π1 (π1 (DkAS (π1 (x2 )))) : M ] ∧ [ π2 (π1 (DkAS (π1 (x2 )))) : M ] ∧ [ π1 (π2 (DkAS (π1 (x2 )))) : M ] ∧ [ π2 (π2 (DkAS (π1 (x2 )))) : M ] ∧ [ π1 (π2 (DkAS (π1 (x2 )))) = nA ] ∧ [ π1 (π1 (DkAS (π1 (x2 )))) = B ] φ3 = [ π1 (x3 ) : M ] ∧ [ π2 (x3 ) : M ] ∧ [ DkBS (π1 (x3 )) : M ] ∧ [ Dπ2 (Dk (π1 (x3 ))) (π2 (x3 )) : M ] ∧ [ π1 (DkBS (π1 (x3 ))) : M ] ∧ [ π2 (DkBS (π1 (x3 ))) : M ] ∧ BS [ π1 (DkBS (π1 (x3 ))) = A ] ∧ [ Dπ2 (Dk (π1 (x3 ))) (π2 (x3 )) = nB ] BS

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

4 / 39

Introduction

Related work

Spyer (with Gensoul) Casper (Lowe) CAPSL (Millen) LySa (Bodei, Buchholtz, Degano, Nielson, Nielson)

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

5 / 39

Introduction

Related work

Spyer (with Gensoul) Casper (Lowe) CAPSL (Millen) LySa (Bodei, Buchholtz, Degano, Nielson, Nielson) (Sumii, Tatsuzawa, Yonezawa)

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

5 / 39

Introduction

Outline

1

Extending protocol narrations

2

Compiling protocol narrations

3

Executing protocol narrations

4

Rewriting protocol narrations... in spi-calculus

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

6 / 39

Extending protocol narrations

Outline

1

Extending protocol narrations

2

Compiling protocol narrations

3

Executing protocol narrations

4

Rewriting protocol narrations... in spi-calculus

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

7 / 39

Extending protocol narrations

The Yahalom protocol

A B S A

B:(A . nA ); S:(B . {(A . (nA . nB ))}kBS ); A:({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS ); B:({(A . kAB )}kBS . {nB }kAB )

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

8 / 39

Extending protocol narrations

The Yahalom protocol private kAS ; A knows kAS ; S knows kAS ;

A B S A

B:(A . nA ); S:(B . {(A . (nA . nB ))}kBS ); A:({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS ); B:({(A . kAB )}kBS . {nB }kAB )

A secret key kAS is assumed to be shared between A and S

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

8 / 39

Extending protocol narrations

The Yahalom protocol private kAS ; A knows kAS ; S knows kAS ; private kBS ; B knows kBS ; S knows kBS ;

A B S A

B:(A . nA ); S:(B . {(A . (nA . nB ))}kBS ); A:({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS ); B:({(A . kAB )}kBS . {nB }kAB )

A secret key kAS is assumed to be shared between A and S A secret key kBS is assumed to be shared between B and S

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

8 / 39

Extending protocol narrations

The Yahalom protocol private kAS ; A knows kAS ; S knows kAS ; private kBS ; B knows kBS ; S knows kBS ; A generates nA ; A B S A

B:(A . nA ); S:(B . {(A . (nA . nB ))}kBS ); A:({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS ); B:({(A . kAB )}kBS . {nB }kAB )

A secret key kAS is assumed to be shared between A and S A secret key kBS is assumed to be shared between B and S A generates a fresh nonce nA

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

8 / 39

Extending protocol narrations

The Yahalom protocol private kAS ; A knows kAS ; S knows kAS ; private kBS ; B knows kBS ; S knows kBS ; A generates nA ; B generates nB ; A B S A

B:(A . nA ); S:(B . {(A . (nA . nB ))}kBS ); A:({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS ); B:({(A . kAB )}kBS . {nB }kAB )

A secret key kAS is assumed to be shared between A and S A secret key kBS is assumed to be shared between B and S A generates a fresh nonce nA B generates a fresh nonce nB

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

8 / 39

Extending protocol narrations

The Yahalom protocol private kAS ; A knows kAS ; S knows kAS ; private kBS ; B knows kBS ; S knows kBS ; A generates nA ; B generates nB ; S generates kAB ; A B:(A . nA ); B S:(B . {(A . (nA . nB ))}kBS ); S A:({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS ); A B:({(A . kAB )}kBS . {nB }kAB ) A secret key kAS is assumed to be shared between A and S A secret key kBS is assumed to be shared between B and S A generates a fresh nonce nA B generates a fresh nonce nB S creates a fresh key kAB Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

8 / 39

Compiling protocol narrations

Outline

1

Extending protocol narrations

2

Compiling protocol narrations

3

Executing protocol narrations

4

Rewriting protocol narrations... in spi-calculus

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

9 / 39

Compiling protocol narrations

Concurrency

A C

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

10 / 39

Compiling protocol narrations

Concurrency

A

M

C A C:M

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

10 / 39

Compiling protocol narrations

Concurrency

A

M

C

N

B A C:M

Briais, Nestmann (EPFL)

B

C:N

A Formal Semantics For Protocol Narrations

TGC 2005

10 / 39

Compiling protocol narrations

Concurrency

A C

M N

B

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

10 / 39

Compiling protocol narrations

Concurrency

A C

M N

B

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

10 / 39

Compiling protocol narrations

Concurrency

A C

M N

B

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

10 / 39

Compiling protocol narrations

Concurrency

A

M

C B A C:M

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

10 / 39

Compiling protocol narrations

Concurrency

A

M

C B A:C!M

Briais, Nestmann (EPFL)

C:?M

A Formal Semantics For Protocol Narrations

TGC 2005

10 / 39

Compiling protocol narrations

Concurrency

A

M

C

N

B A:C!M

Briais, Nestmann (EPFL)

C:?M

B:C!N

C:?N

A Formal Semantics For Protocol Narrations

TGC 2005

10 / 39

Compiling protocol narrations

Concurrency

A

M

C

N

B A:C!M

C:?M

B:C!N

C:?N

A : ···;B : ··· ∼ = B : ···;A : ···

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

if A 6= B

TGC 2005

10 / 39

Compiling protocol narrations

Concurrency

A

M

C

N

B A:C!M

B:C!N

C:?M

C:?N

A : ···;B : ··· ∼ = B : ···;A : ···

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

if A 6= B

TGC 2005

10 / 39

Compiling protocol narrations

Concurrency

A

M

C

N

B B:C!N

A:C!M

C:?M

C:?N

A : ···;B : ··· ∼ = B : ···;A : ···

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

if A 6= B

TGC 2005

10 / 39

Compiling protocol narrations

Concurrency

A

M

C

N

B B:C!N

A:C!M

C:?M

C:?N

A : ···;B : ··· ∼ = B : ···;A : ···

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

if A 6= B

TGC 2005

10 / 39

Compiling protocol narrations

How to generate the checks?

A B:M

Briais, Nestmann (EPFL)

→

A:B!M; B:?M

A Formal Semantics For Protocol Narrations

TGC 2005

11 / 39

Compiling protocol narrations

How to generate the checks?

A B:M

Briais, Nestmann (EPFL)

→

A:B!M; B:?x

A Formal Semantics For Protocol Narrations

TGC 2005

11 / 39

Compiling protocol narrations

How to generate the checks?

A B:M

Briais, Nestmann (EPFL)

→

A:B!M; B:?x; B:[ x = M ]

A Formal Semantics For Protocol Narrations

TGC 2005

11 / 39

Compiling protocol narrations

How to generate the checks?

A B:M

Briais, Nestmann (EPFL)

→

A:B!M; B:?x; B:φx

A Formal Semantics For Protocol Narrations

TGC 2005

11 / 39

Compiling protocol narrations

How to generate the checks?

A B:M

→

A:B!M; B:?x; B:φx

B expects x to have the same type as M

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

11 / 39

Compiling protocol narrations

How to generate the checks?

A B:M

→

A:B!M; B:?x; B:φx

B expects x to have the same type as M B can use his acquired knowledge to check x consistency

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

11 / 39

Compiling protocol narrations

The Yahalom protocol private kAS ; A knows kAS ; S knows kAS ; private kBS ; B knows kBS ; S knows kBS ; A generates nA ; B generates nB ; S generates kAB ; A B:(A . nA ); B S:(B . {(A . (nA . nB ))}kBS ); S A:({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS ); A B:({(A . kAB )}kBS . {nB }kAB ) A secret key kAS is assumed to be shared between A and S A secret key kBS is assumed to be shared between B and S A generates a fresh nonce nA B generates a fresh nonce nB S creates a fresh key kAB Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

12 / 39

Compiling protocol narrations

The Yahalom protocol private kAS ; A knows kAS ; S knows kAS ; private kBS ; B knows kBS ; S knows kBS ; A generates nA ; B generates nB ; S generates kAB ; A B:(A . nA ); B S:(B . {(A . (nA . nB ))}kBS ); S A:({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS ); A B:({(A . kAB )}kBS . {nB }kAB ) A secret key kAS is assumed to be shared between A and S A secret key kBS is assumed to be shared between B and S A generates a fresh nonce nA B generates a fresh nonce nB S creates a fresh key kAB Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

12 / 39

Compiling protocol narrations

Analysing a knowledge set A B S kAS nA

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

13 / 39

Compiling protocol narrations

The Yahalom protocol private kAS ; A knows kAS ; S knows kAS ; private kBS ; B knows kBS ; S knows kBS ; A generates nA ; B generates nB ; S generates kAB ; A B:(A . nA ); B S:(B . {(A . (nA . nB ))}kBS ); S A:({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS ); A B:({(A . kAB )}kBS . {nB }kAB ) A secret key kAS is assumed to be shared between A and S A secret key kBS is assumed to be shared between B and S A generates a fresh nonce nA B generates a fresh nonce nB S creates a fresh key kAB Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

14 / 39

Compiling protocol narrations

Analysing a knowledge set A B S kAS nA ({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS )

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

15 / 39

Compiling protocol narrations

Analysing a knowledge set A B S kAS nA ({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS )

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

x

TGC 2005

15 / 39

Compiling protocol narrations

Analysing a knowledge set A B S kAS nA ({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS )

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

A B S kAS nA x

TGC 2005

15 / 39

Compiling protocol narrations

What is a knowledge set?

It is a finite subset of M × E. It connects reality to expectations.

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

16 / 39

Compiling protocol narrations

Analysing a knowledge set A B S kAS nA ({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS )

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

A B S kAS nA x

TGC 2005

17 / 39

Compiling protocol narrations

Analysing a knowledge set A B S kAS nA ({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS ) {((B . kAB ) . (nA . nB ))}kAS {(A . kAB )}kBS

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

A B S kAS nA x π1 (x) π2 (x)

TGC 2005

17 / 39

Compiling protocol narrations

Analysing a knowledge set A B S kAS nA ({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS ) {((B . kAB ) . (nA . nB ))}kAS {(A . kAB )}kBS ((B . kAB ) . (nA . nB ))

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

A B S kAS nA x π1 (x) π2 (x) DkAS (π1 (x))

TGC 2005

17 / 39

Compiling protocol narrations

Analysing a knowledge set A B S kAS nA ({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS ) {((B . kAB ) . (nA . nB ))}kAS {(A . kAB )}kBS ((B . kAB ) . (nA . nB )) (B . kAB ) (nA . nB )

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

A B S kAS nA x π1 (x) π2 (x) DkAS (π1 (x)) π1 (DkAS (π1 (x))) π2 (DkAS (π1 (x)))

TGC 2005

17 / 39

Compiling protocol narrations

Analysing a knowledge set A B S kAS nA ({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS ) {((B . kAB ) . (nA . nB ))}kAS {(A . kAB )}kBS ((B . kAB ) . (nA . nB )) (B . kAB ) (nA . nB ) B kAB nA nB Briais, Nestmann (EPFL)

A B S kAS nA x π1 (x) π2 (x) DkAS (π1 (x)) π1 (DkAS (π1 (x))) π2 (DkAS (π1 (x))) π1 (π1 (DkAS (π1 (x)))) π2 (π1 (DkAS (π1 (x)))) π1 (π2 (DkAS (π1 (x)))) π2 (π2 (DkAS (π1 (x))))

A Formal Semantics For Protocol Narrations

TGC 2005

17 / 39

Compiling protocol narrations

Analysis of a knowledge set A(K ) =

S

n∈N An (K )

ANA - INC - REC

ANA - FST

ANA - INC - INIT

(M, E) ∈ An (K )

(M, π1 (E)) ∈ An+1 (K )

Briais, Nestmann (EPFL)

M ∈N ∪A

ANA - SND

({M}N , E) ∈ An (K )

ANA - DEC - REC

(M, E) ∈ A0 (K )

(M, E) ∈ An+1 (K )

((M . N), E) ∈ An (K )

ANA - DEC

(M, E) ∈ K

((M . N), E) ∈ An (K ) (N, π2 (E)) ∈ An+1 (K )

(N, F ) ∈ S(An (K ))

(M, DF (E)) ∈ An+1 (K ) ({M}N , E) ∈ An (K )

(N, F ) 6∈ S(An (K ))

({M}N , E) ∈ An+1 (K ) A Formal Semantics For Protocol Narrations

TGC 2005

18 / 39

Compiling protocol narrations

How to generate the checks?

A B:M

→

A:B!M; B:?x; B:φx

B expects x to have the same type as M B can use his acquired knowledge to check x consistency

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

19 / 39

Compiling protocol narrations

Computing the formula A B S kAS nA ({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS ) {((B . kAB ) . (nA . nB ))}kAS {(A . kAB )}kBS ((B . kAB ) . (nA . nB )) (B . kAB ) (nA . nB ) B kAB nA nB Briais, Nestmann (EPFL)

A B S kAS nA x π1 (x) π2 (x) DkAS (π1 (x)) π1 (DkAS (π1 (x))) π2 (DkAS (π1 (x))) π1 (π1 (DkAS (π1 (x)))) π2 (π1 (DkAS (π1 (x)))) π1 (π2 (DkAS (π1 (x)))) π2 (π2 (DkAS (π1 (x))))

A Formal Semantics For Protocol Narrations

TGC 2005

20 / 39

Compiling protocol narrations

Computing the formula A B S kAS nA ({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS ) {((B . kAB ) . (nA . nB ))}kAS {(A . kAB )}kBS ((B . kAB ) . (nA . nB )) (B . kAB ) (nA . nB ) B kAB nA nB Briais, Nestmann (EPFL)

A B S kAS nA x π1 (x) π2 (x) DkAS (π1 (x)) π1 (DkAS (π1 (x))) π2 (DkAS (π1 (x))) π1 (π1 (DkAS (π1 (x)))) π2 (π1 (DkAS (π1 (x)))) π1 (π2 (DkAS (π1 (x)))) π2 (π2 (DkAS (π1 (x))))

A Formal Semantics For Protocol Narrations

TGC 2005

20 / 39

Compiling protocol narrations

The result of the computation

[ A : M ] ∧ [ B : M ] ∧ [ S : M ] ∧ [ kAS : M ] ∧ [ nA : M ] ∧ [ x : M ] ∧ [ π1 (x) : M ] ∧ [ π2 (x) : M ] ∧ [ DkAS (π1 (x)) : M ] ∧ [ π1 (DkAS (π1 (x))) : M ] ∧ [ π2 (DkAS (π1 (x))) : M ] ∧ [ π1 (π1 (DkAS (π1 (x)))) : M ] ∧ [ π2 (π1 (DkAS (π1 (x)))) : M ] ∧ [ π1 (π2 (DkAS (π1 (x)))) : M ] ∧ [ π2 (π2 (DkAS (π1 (x)))) : M ]

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

21 / 39

Compiling protocol narrations

Computing the formula A B S kAS nA ({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS ) {((B . kAB ) . (nA . nB ))}kAS {(A . kAB )}kBS ((B . kAB ) . (nA . nB )) (B . kAB ) (nA . nB ) B kAB nA nB Briais, Nestmann (EPFL)

A B S kAS nA x π1 (x) π2 (x) DkAS (π1 (x)) π1 (DkAS (π1 (x))) π2 (DkAS (π1 (x))) π1 (π1 (DkAS (π1 (x)))) π2 (π1 (DkAS (π1 (x)))) π1 (π2 (DkAS (π1 (x)))) π2 (π2 (DkAS (π1 (x))))

A Formal Semantics For Protocol Narrations

TGC 2005

22 / 39

Compiling protocol narrations

The result of the computation

[ A : M ] ∧ [ B : M ] ∧ [ S : M ] ∧ [ kAS : M ] ∧ [ nA : M ] ∧ [ x : M ] ∧ [ π1 (x) : M ] ∧ [ π2 (x) : M ] ∧ [ DkAS (π1 (x)) : M ] ∧ [ π1 (DkAS (π1 (x))) : M ] ∧ [ π2 (DkAS (π1 (x))) : M ] ∧ [ π1 (π1 (DkAS (π1 (x)))) : M ] ∧ [ π2 (π1 (DkAS (π1 (x)))) : M ] ∧ [ π1 (π2 (DkAS (π1 (x)))) : M ] ∧ [ π2 (π2 (DkAS (π1 (x)))) : M ] ∧ [ π1 (π1 (DkAS (π1 (x)))) = B ]

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

23 / 39

Compiling protocol narrations

Computing the formula A B S kAS nA ({((B . kAB ) . (nA . nB ))}kAS . {(A . kAB )}kBS ) {((B . kAB ) . (nA . nB ))}kAS {(A . kAB )}kBS ((B . kAB ) . (nA . nB )) (B . kAB ) (nA . nB ) B kAB nA nB Briais, Nestmann (EPFL)

A B S kAS nA x π1 (x) π2 (x) DkAS (π1 (x)) π1 (DkAS (π1 (x))) π2 (DkAS (π1 (x))) π1 (π1 (DkAS (π1 (x)))) π2 (π1 (DkAS (π1 (x)))) π1 (π2 (DkAS (π1 (x)))) π2 (π2 (DkAS (π1 (x))))

A Formal Semantics For Protocol Narrations

TGC 2005

24 / 39

Compiling protocol narrations

The result of the computation

[ A : M ] ∧ [ B : M ] ∧ [ S : M ] ∧ [ kAS : M ] ∧ [ nA : M ] ∧ [ x : M ] ∧ [ π1 (x) : M ] ∧ [ π2 (x) : M ] ∧ [ DkAS (π1 (x)) : M ] ∧ [ π1 (DkAS (π1 (x))) : M ] ∧ [ π2 (DkAS (π1 (x))) : M ] ∧ [ π1 (π1 (DkAS (π1 (x)))) : M ] ∧ [ π2 (π1 (DkAS (π1 (x)))) : M ] ∧ [ π1 (π2 (DkAS (π1 (x)))) : M ] ∧ [ π2 (π2 (DkAS (π1 (x)))) : M ] ∧ [ π1 (π1 (DkAS (π1 (x)))) = B ] ∧ [ π1 (π2 (DkAS (π1 (x)))) = nA ]

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

25 / 39

Compiling protocol narrations

The formula of an analysed knowledge set

def

V

Φ(K ) =

∧

Briais, Nestmann (EPFL)

V

(M,E)∈K [ E : M ] (M,Ei )∈K ∧ (M,Ej )∈K ∧ Ei 6=Ej

A Formal Semantics For Protocol Narrations

[ Ei = Ej ]

TGC 2005

26 / 39

Compiling protocol narrations

Removing redundancies

[ A : M ] ∧ [ B : M ] ∧ [ S : M ] ∧ [ kAS : M ] ∧ [ nA : M ] ∧ [ x : M ] ∧ [ π1 (x) : M ] ∧ [ π2 (x) : M ] ∧ [ DkAS (π1 (x)) : M ] ∧ [ π1 (DkAS (π1 (x))) : M ] ∧ [ π2 (DkAS (π1 (x))) : M ] ∧ [ π1 (π1 (DkAS (π1 (x)))) : M ] ∧ [ π2 (π1 (DkAS (π1 (x)))) : M ] ∧ [ π1 (π2 (DkAS (π1 (x)))) : M ] ∧ [ π2 (π2 (DkAS (π1 (x)))) : M ] ∧ [ π1 (π1 (DkAS (π1 (x)))) = B ] ∧ [ π1 (π2 (DkAS (π1 (x)))) = nA ]

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

27 / 39

Compiling protocol narrations

Removing redundancies

[ π2 (x) : M ]

∧ [ π2 (π1 (DkAS (π1 (x)))) : M ] ∧ [ π2 (π2 (DkAS (π1 (x)))) : M ] ∧ [ π1 (π1 (DkAS (π1 (x)))) = B ] ∧ [ π1 (π2 (DkAS (π1 (x)))) = nA ]

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

27 / 39

Executing protocol narrations

Outline

1

Extending protocol narrations

2

Compiling protocol narrations

3

Executing protocol narrations

4

Rewriting protocol narrations... in spi-calculus

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

28 / 39

Executing protocol narrations

Labelled transition system S END

JEK = M ∈ M

R ECEIVE

A:B!M

A:?M

A:?x; X −−−→ X {M/x }A

A:B!E; X −−−−→ X

M∈M

A:β

X −−→ X 0

C HECK

A:β

A:φ; X −−→ X

0

JφK = true

˜) B!M A:(ν n

O PEN

X −−−−−−→ X 0 ˜) B!M A:(νz n

˜} z ∈ n(M) \ {n

νz; X −−−−−−−→ X

R EARRANGE

Briais, Nestmann (EPFL)

0

A:β

X ∼ =α X 0

X 0 −−→ X 00 A:β

X −−→ X 00

A Formal Semantics For Protocol Narrations

TGC 2005

29 / 39

Executing protocol narrations

Labelled transition system S END

JEK = M ∈ M

R ECEIVE

A:B!M

A:?M

A:?x; X −−−→ X {M/x }A

A:B!E; X −−−−→ X

M∈M

A:β

X −−→ X 0

C HECK

A:β

A:φ; X −−→ X

0

JφK = true

˜) B!M A:(ν n

O PEN

X −−−−−−→ X 0 ˜) B!M A:(νz n

˜} z ∈ n(M) \ {n

νz; X −−−−−−−→ X

R EARRANGE

Briais, Nestmann (EPFL)

0

A:β

X ∼ =α X 0

X 0 −−→ X 00 A:β

X −−→ X 00

A Formal Semantics For Protocol Narrations

TGC 2005

29 / 39

Executing protocol narrations

Labelled transition system S END

JEK = M ∈ M

R ECEIVE

A:B!M

A:?M

A:?x; X −−−→ X {M/x }A

A:B!E; X −−−−→ X

M∈M

A:β

X −−→ X 0

C HECK

A:β

A:φ; X −−→ X

0

JφK = true

˜) B!M A:(ν n

O PEN

X −−−−−−→ X 0 ˜) B!M A:(νz n

˜} z ∈ n(M) \ {n

νz; X −−−−−−−→ X

R EARRANGE

Briais, Nestmann (EPFL)

0

A:β

X ∼ =α X 0

X 0 −−→ X 00 A:β

X −−→ X 00

A Formal Semantics For Protocol Narrations

TGC 2005

29 / 39

Rewriting protocol narrations... in spi-calculus

Outline

1

Extending protocol narrations

2

Compiling protocol narrations

3

Executing protocol narrations

4

Rewriting protocol narrations... in spi-calculus

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

30 / 39

Rewriting protocol narrations... in spi-calculus

Translation of executable narrations in spi

X/A = “projection of X on A”

def

T JX K =(νn) n∈R(X )

Briais, Nestmann (EPFL)

Y A∈A(X )

A Formal Semantics For Protocol Narrations

X/A

TGC 2005

31 / 39

Conclusion

Conclusion Abadi, 2000. 1

One should make explicit what is known (public, private) before a protocol run, and what is to be generated freshly during a protocol run.

2

One should make explicit which checks the individual principals are expected to carry out on the reception of messages.

3

Principals act concurrently, in contrast to the apparently sequential idealized execution of a run according to a narration.

4

Concurrency occurs also at the level of different protocol sessions, which may happen to be executed simultaneously while sharing principals across.

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

32 / 39

Conclusion

Conclusion Abadi, 2000. 1

One should make explicit what is known (public, private) before a protocol run, and what is to be generated freshly during a protocol run.

2

One should make explicit which checks the individual principals are expected to carry out on the reception of messages.

3

Principals act concurrently, in contrast to the apparently sequential idealized execution of a run according to a narration.

4

Concurrency occurs also at the level of different protocol sessions, which may happen to be executed simultaneously while sharing principals across.

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

32 / 39

Conclusion

Conclusion Abadi, 2000. 1

One should make explicit what is known (public, private) before a protocol run, and what is to be generated freshly during a protocol run.

2

One should make explicit which checks the individual principals are expected to carry out on the reception of messages.

3

Principals act concurrently, in contrast to the apparently sequential idealized execution of a run according to a narration.

4

Concurrency occurs also at the level of different protocol sessions, which may happen to be executed simultaneously while sharing principals across.

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

32 / 39

Conclusion

Conclusion Abadi, 2000. 1

One should make explicit what is known (public, private) before a protocol run, and what is to be generated freshly during a protocol run.

2

One should make explicit which checks the individual principals are expected to carry out on the reception of messages.

3

Principals act concurrently, in contrast to the apparently sequential idealized execution of a run according to a narration.

4

Concurrency occurs also at the level of different protocol sessions, which may happen to be executed simultaneously while sharing principals across.

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

32 / 39

Conclusion

Conclusion Abadi, 2000. 1

One should make explicit what is known (public, private) before a protocol run, and what is to be generated freshly during a protocol run.

2

One should make explicit which checks the individual principals are expected to carry out on the reception of messages.

3

Principals act concurrently, in contrast to the apparently sequential idealized execution of a run according to a narration.

4

Concurrency occurs also at the level of different protocol sessions, which may happen to be executed simultaneously while sharing principals across.

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

32 / 39

Conclusion

Future work

Concurrency at the level of protocol sessions.

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

33 / 39

Conclusion

Future work

Concurrency at the level of protocol sessions. A

Briais, Nestmann (EPFL)

S:{M}kAS

A Formal Semantics For Protocol Narrations

TGC 2005

33 / 39

Conclusion

Future work

Concurrency at the level of protocol sessions. A

Briais, Nestmann (EPFL)

S:{M}kAS

A Formal Semantics For Protocol Narrations

TGC 2005

33 / 39

Conclusion

Future work

Concurrency at the level of protocol sessions. A

S:{M}kAS

Formal reasoning using executable narrations.

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

33 / 39

Questions?

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

34 / 39

Appendix

Bibliography

J.A. Clark and J.L. Jacob A Survey Of Authentication Protocol Literature. Technical Report 1.0, University of York, 1997. M. Abadi Security Protocols And Their Properties. Foundations of Secure Computation, 2000.

Briais, Nestmann (EPFL)

A Formal Semantics For Protocol Narrations

TGC 2005

35 / 39

Appendix

Synthesis of a knowledge set

K ⊂ S(K ) SYN - PAIR

SYN - ENC

Briais, Nestmann (EPFL)

(M, E) ∈ S(K )

(N, F ) ∈ S(K )

((M . N), (E . F )) ∈ S(K ) (M, E) ∈ S(K )

(N, F ) ∈ S(K )

({M}N , {E}F ) ∈ S(K )

A Formal Semantics For Protocol Narrations

TGC 2005

36 / 39

Appendix

Consistency formula of a knowledge set

def

V

Φ(K ) =

Briais, Nestmann (EPFL)

∧

V

∧

V

((M . N),E)∈K

([ π1 (E) : M ] ∧ [ π2 (E) : M ])

({M}N ,E)∈K ∧ (N,F )∈S(K )

[ DF (E) : M ]

(M,Ei )∈K ∧ (M,Ej )∈K ∧ Ei 6=Ej

[ Ei = Ej ]

A Formal Semantics For Protocol Narrations

TGC 2005

37 / 39

Appendix

Adding hashing

SYN - HASH

def

Φ(K ) = · · · ∧

Briais, Nestmann (EPFL)

V

(M, E) ∈ S(K ) (H(M), H(E)) ∈ S(K )

(H(M),E)∈K ∧ (M,F )∈S(K )

A Formal Semantics For Protocol Narrations

[ E = H(F ) ]

TGC 2005

38 / 39

Appendix

Consistency formula of a knowledge set

def

V

Φ(K ) =

∧

Briais, Nestmann (EPFL)

V

(M,E)∈K

[E :M ]

(M,Ei )∈K ∧ (M,Ej )∈S(K ) ∧ Ei 6=Ej

A Formal Semantics For Protocol Narrations

[ Ei = Ej ]

TGC 2005

39 / 39