Expressing Security Properties in CSP

Security properties: the goals that a protocol is meant to satisfy, relatively to specific kinds and levels of threat ñ the intruders and their capabilities

We will consider the following security properties:

Secrecy

No information leakage

Authentication

No falsification of identity

Non-repudiation

Evidence of the involvement of the other party

Anonymity

Protecting the identity of agents wrt particular events

Secrecy and authentication

They are both safety properties: a certain bad thing should not happen

Explicit annotations: In the CSP approach, these properties are defined by ìenhancingî the code of the processes with explicit signal claiming the success of the protocol wrt theÝ intended property

Secrecy:ÝÝÝ Claim_secret. m

Information m has not become known to the intruder

Authentication:ÝÝ Run with A ,Ý Commit with B

The matching of these two events guarrantees the identities of A and B

Example: The Yahalom Protocol

The protocol

Message 1ÝÝ a -> b : a.n_a

Message 2ÝÝ b -> s : b.{a.n_a.n_b}_ServerKey(b)

Message 3ÝÝ s -> a : {b.k_ab.n_a.n_b}_ServerKey(a){a.k_ab}_ServerKey(b)

Message 4ÝÝ a -> b : {a.k_ab}_ServerKey(b).{n_b}_kab

Authentication of the participants

K_abshould remain secret

We may require secrecy also on n_b

Exm: Secrecy in the Yahalom protocol

CSP description of the two parties - Original

Initiator(a,n_a ) =

ÝÝÝ env?b: Agent

ÝÝÝÝÝÝÝÝ g send.a.b.a.n_a

ÝÝÝÝÝÝÝÝ g []_Ý(receive.J.a{b. k_ab.n_a.n_b}_ServerKey(a).m

_{ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ k}_ab_e_{KeyÝÝÝÝÝÝÝÝ}g send.a.b.m.{n_b}_k_ab

_{ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ n}_b_e_{NonceÝÝÝÝÝÝ}g Session(a,b,k_ab,n_a,n_b) )

_{ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ m}_e_T

Responder(b,n_b ) =

ÝÝÝ []_Ý(receive.a.b.a.n_ag send.b.J.b .{a.n_a.n_b}_ServerKey(b)

_{Ý

k}_ab_e_{KeyÝÝÝÝÝÝÝÝÝ}g receive.a.b.{a. k_ab}_ServerKey(b).{n_b}_k_ab

_n_b_e_NonceÝ g Session(b,a,k_ab,n_a,n_b) )

_{ÝÝÝ m}_e_T

Exm: Secrecy in the Yahalom protocol

CSP description of the two parties - Enhanced

ÝÝÝ Initiatorí(a,n_a ) =

ÝÝÝ env?b: Agent

ÝÝÝÝÝÝÝÝ g send.a.b.a.n_a

ÝÝÝÝÝÝÝÝ g []_Ý(receive.J.a{b. k_ab.n_a.n_b}_ServerKey(a).m

_{ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ k}_ab_e_{KeyÝÝÝÝÝÝÝÝ}g send.a.b.m.{n_b}_k_ab

_{ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ n}_b_e_{NonceÝÝÝÝÝÝ}g signal.Claim_Secret.a.b. k_ab

_{ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ m}_e_{TÝÝÝÝÝÝÝÝÝÝÝÝ}g Session(a,b,k_ab,n_a,n_b) )

Responderí(b,n_b ) =

ÝÝÝ []_Ý(receive.a.b.a.n_ag send.b.J.b .{a.n_a.n_b}_ServerKey(b)

_{Ý

k}_ab_e_{KeyÝÝÝÝÝÝÝÝÝ}g receive.a.b.{a. k_ab}_ServerKey(b).{n_b}_k_ab

_n_b_e_NonceÝ g signal.Claim_Secret.a.b. k_ab

_{ÝÝ

m}_e_{TÝÝÝÝÝÝÝÝÝÝÝÝÝÝ}g Session(b,a,k_ab,n_a,n_b) )

Exm: Secrecy in the Yahalom protocol

CSP description of the server

Server(J,k_ab ) =

ÝÝÝ []_Ý(receive.b.J.b .{a.n_a.n_b}_ServerKey(b)

_{Ý

A,B}_e_{AgentÝÝÝÝÝÝÝÝÝ}g send.J.a. {b. k_ab.n_a.n_b}_ServerKey(a).{a.k_ab}_ServerKey(b)

_N_b_,n_b_e_NonceÝ g Server(J,k_s ) )

_ÝServer(J)ÝÝ =Ý ||| Server(J,k_ab )

ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ k_ab e Keys_Server

Exm: Secrecy in the Yahalom protocol

CSP description of the intruder

ÝÝÝÝ Intruder(X) = learn?m: messages gIntruder(close(X U {m})

ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ []

ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ say!m: X /\ messages gIntruder(X)

Close(X) represents all the possible information that the attacker can infer from X. Typically we assume

Ý{k,m}Ý |-Ý encript(k,m)

{encript(k,m), k^-1}Ý |-Ý m

{Sq<x₁,Ö,x_n>} |- x_i

{x₁,Ö,x_n}Ý |-Ý Sq<x₁,Ö,x_n>}

Exm: Secrecy in the Yahalom protocol

Initiatorí(Anne,n_A)SÝ |||Ý Responder(Bob,n_B)SÝ |||Ý Server(Jeeves)SÝ |||Ý Intruderí(f)Sí

S = [fake,take/receive,send]

Sí = [take.x.y/learn][fake.x.y, leak/say]

Exm: Secrecy in the Yahalom protocol

ÝThe property to be verified:

Signal.Claim_Secret.a.b.m e Traces(System)

a

not(leak.m e Traces(System) )

As usual, this property can be verified automatically by checking the traces

Authentication

The CSP approach is based on inserting signals:

Running.a.bÝ (in aís protocol)

Agent a is executing a protocol run apparently with b

Commit.b.aÝ (in bís protocol)

Agent b has completed a protocol run apparently with a

Authentication is achieved if Running.a.b always precedes Commit.b.a in the traces of the system

Weaker or stronger forms of authentication can be achieved by variations of the parameters of these signals and the constraints on them

Authentication in the Yahalom Pr.

The Yahalom Protocol aims at providing authentication of both parties : authentication of the initiator to the responder, and viceversa

We will analyze the two authentication properties separately

This requires two separateÝ enhancements of the protocol

Yahalom: authentication of initiator

CSP description of the two parties - Enhanced

ÝÝÝ Initiatorí(a,n_a ) =

ÝÝÝ env?b: Agent

ÝÝÝÝÝÝÝÝ g send.a.b.a.n_a

ÝÝÝÝÝÝÝÝ g []_Ý(receive.J.a{b. k_ab.n_a.n_b}_ServerKey(a).m

_{ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ k}_ab_e_{KeyÝÝÝÝÝÝÝÝÝ}g signal.Running_Initiator.a.b.n_a.n_b.k_ab

_{ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ n}_b_e_{NonceÝÝÝÝÝÝÝÝÝ}g send.a.b.m.{n_b}_k_ab

_{ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ m}_e_{TÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ}g Session(a,b,k_ab,n_a,n_b) )

Responderí(b,n_b ) =

ÝÝÝ []_Ý(receive.a.b.a.n_ag send.b.J.b .{a.n_a.n_b}_ServerKey(b)

_{Ý

k}_ab_e_{KeyÝÝÝÝÝÝÝÝÝ}g receive.a.b.{a. k_ab}_ServerKey(b).{n_b}_k_ab

_n_b_e_NonceÝ g signal. Commit_Responder.b.a.n_a.n_b.k_ab

_{ÝÝ

m}_e_{TÝÝÝÝÝÝÝÝÝÝÝÝÝÝ}g Session(b,a,k_ab,n_a,n_b) )

Yahalom: authentication of initiator

Yahalom: authentication of initiator

The property to be verified:

signal. Running_Initiator.a.b.n_a.n_b.k_ab

precedes

signal.Commit_Responder.b.a.n_a.n_b.k_ab

in all the Traces(System)

Again, this property can be verified automatically by checking the traces

Yahalom: authentication of responder

CSP description of the two parties - Enhanced

ÝÝÝ Initiatorí(a,n_a ) =

ÝÝÝ env?b: Agent

ÝÝÝÝÝÝÝÝ g send.a.b.a.n_a

ÝÝÝÝÝÝÝÝ g []_Ý(receive.J.a{b. k_ab.n_a.n_b}_ServerKey(a).m

_{ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ k}_ab_e_{KeyÝÝÝÝÝÝÝ}g send.a.b.m.{n_b}_k_ab

_{ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ n}_b_e_{NonceÝÝÝÝÝÝÝ}g_ÝÝÝsignal.Commit_Initiator.a.b.n_a.n_b.k_ab

_{ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ m}_e_{TÝÝÝÝÝÝÝÝÝÝÝÝÝ}g Session(a,b,k_ab,n_a,n_b) )

Responderí(b,n_b ) =

ÝÝÝ []_Ý(receive.a.b.a.n_ag send.b.J.b .{a.n_a.n_b}_ServerKey(b)

_{Ý

k}_ab_e_{KeyÝÝÝÝÝÝÝÝÝ}g signal. Running_Responder.b.a.n_a.n_b

_n_b_e_NonceÝ g receive.a.b.{a. k_ab}_ServerKey(b).{n_b}_k_ab

_{ÝÝÝ m}_e_{TÝÝÝÝÝÝÝÝÝÝÝÝÝÝ}g Session(b,a,k_ab,n_a,n_b) )

Yahalom: authentication of responder

Yahalom: authentication of responder

The property to be verified:

signal. Running_Responder.b.a.n_a.n_b

precedes

signal.Commit_Initiator.a.b.n_a.n_b.k_ab

in all the Traces(System)

Again, this property can be verified automatically by checking the traces

Non-repudiation

Goal: provide the parties of an interaction with evidence so that later they cannot deny having participated

Example: The Zhou-Gollmann protocol

Message 1ÝÝ a -> b :Ý {f_NRO .b.l.c}_Sk_a

Message 2ÝÝ b -> a :Ý {f_NRR .a.l.c}_Sk_b

Message 3ÝÝ a -> j :Ý {f_SUB .b.l.k}_Sk_a

Message 4ÝÝ b <-> j :Ý {f_CON .a.b.l.k}_Sk_j

Message 5ÝÝ a <-> j :Ý {f_CON .a.b.l.k}_Sk_j

c = k(m) where m is the message to be transmitted

a and b are the parties, j is the trusted server

f_NRO,f_NRR,etc. are flags identifying the steps. l is a nonce

Sk_a, Sk_b, etc. are signature keys known only to their owners

a can prove that b has got the message by presenting

{f_NRR .a.l.c}_Sk_bÝandÝ _Ý{f_CON .a.b.l.k}_Sk_j

The Zhou-Gollmann protocol

Non-Repudiation of Recipient: a can prove that b has got the message by presenting

{f_NRR .a.l.c}_Sk_bÝandÝ _Ý{f_CON .a.b.l.k}_Sk_j

Non-Repudiation of Origin: b can prove that a has sent the message by presenting

{f_NRO .b.l.c}_Sk_aÝandÝ _Ý{f_CON .a.b.l.k}_Sk_j

CSP analysis of Non-Repudiation

Specification of the Zhou-Gollmann protocol in CSP

Agent_a(S) =

ÝÝ [] _b_e_{Agent, m}_e_SÝ send.a.b.m -> Agent_i(S)

ÝÝ []Ý receive.a.b?m -> Agent_a(close(S U {m}))

ÝÝ [] ftp.a.Jeeves?m -> Agent_a(close(S U {m}))

ÝÝ [] _m_e_S evidence.a.m -> Agent_i(S)

Close(S) represent the capability of inferring new information

Server(S) =

ÝÝ receive.a.Jeeves?. {f_SUB .b.l.k}_Sk_a

ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ -> Server(S U {f_CON .a.b.l.k}_Sk_j)

ÝÝÝ [] _b_e_{Agent, m}_e_S ftp.a.Jeeves.m -> Server(S)

The Zhou-Gollmann protocol in CSP

Analysis of the Zhou-Gollmann protocol

Non-Repudiation of Recipient:

evidence.a.{f_NRR .a.l.c}_Sk_bÝin TrÝ a b sent (f_NRR .a.l.c)

evidence.a.{f_CON.a.b.l.k}_Sk_jin TrÝ a receive.a.j. {f_CON .a.b.l.k}_Sk_jin Tr

Non-Repudiation of Origin:

evidence.b.{f_NRO .b.l.c}_Sk_ain TrÝ a a sent (f_NRO.b.l.c)

evidence.b.{f_CON.a.b.l.k}_Sk_jin TrÝ a a sent (f_SUB.b.l.k)

Again, these properties on traces can be proven automatically


Security properties: the goals that a protocol is meant to satisfy, relatively to specific kinds and levels of threat ñ the intruders and their capabilities

We will consider the following security properties:
	Secrecy
		No information leakage
	Authentication
		No falsification of identity
	Non-repudiation
		Evidence of the involvement of the other party
	Anonymity
		Protecting the identity of agents wrt particular events


	They are both safety properties: a certain bad thing should not happen

	Explicit annotations: In the CSP approach, these properties are defined by ìenhancingî the code of the processes with explicit signal claiming the success of the protocol wrt theÝ intended property

	Secrecy:ÝÝÝ Claim_secret. m
		Information m has not become known to the intruder

	Authentication:ÝÝ Run with A ,Ý Commit with B
		The matching of these two events guarrantees the identities of A and B


	The protocol

		Message 1ÝÝ a -> b : a.n_a
		Message 2ÝÝ b -> s : b.{a.n_a.n_b}_ServerKey(b)
		Message 3ÝÝ s -> a : {b.k_ab.n_a.n_b}_ServerKey(a){a.k_ab}_ServerKey(b)
		Message 4ÝÝ a -> b : {a.k_ab}_ServerKey(b).{n_b}_kab

	Authentication of the participants
	K_abshould remain secret
	We may require secrecy also on n_b


	CSP description of the two parties - Original

		Initiator(a,n_a ) =
		ÝÝÝ env?b: Agent
		ÝÝÝÝÝÝÝÝ g send.a.b.a.n_a
		ÝÝÝÝÝÝÝÝ g []_Ý(receive.J.a{b. k_ab.n_a.n_b}_ServerKey(a).m
		_{ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ k}_ab_e_{KeyÝÝÝÝÝÝÝÝ}g send.a.b.m.{n_b}_k_ab
		_{ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ n}_b_e_{NonceÝÝÝÝÝÝ}g Session(a,b,k_ab,n_a,n_b) )
		_{ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ m}_e_T



		Responder(b,n_b ) =
		ÝÝÝ []_Ý(receive.a.b.a.n_ag send.b.J.b .{a.n_a.n_b}_ServerKey(b)
		_{Ý k}_ab_e_{KeyÝÝÝÝÝÝÝÝÝ}g receive.a.b.{a. k_ab}_ServerKey(b).{n_b}_k_ab
		_n_b_e_NonceÝ g Session(b,a,k_ab,n_a,n_b) )
		_{ÝÝÝ m}_e_T


	CSP description of the two parties - Enhanced

	ÝÝÝ Initiatorí(a,n_a ) =
		ÝÝÝ env?b: Agent
		ÝÝÝÝÝÝÝÝ g send.a.b.a.n_a
		ÝÝÝÝÝÝÝÝ g []_Ý(receive.J.a{b. k_ab.n_a.n_b}_ServerKey(a).m
		_{ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ k}_ab_e_{KeyÝÝÝÝÝÝÝÝ}g send.a.b.m.{n_b}_k_ab
		_{ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ n}_b_e_{NonceÝÝÝÝÝÝ}g signal.Claim_Secret.a.b. k_ab
		_{ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ m}_e_{TÝÝÝÝÝÝÝÝÝÝÝÝ}g Session(a,b,k_ab,n_a,n_b) )



		Responderí(b,n_b ) =
		ÝÝÝ []_Ý(receive.a.b.a.n_ag send.b.J.b .{a.n_a.n_b}_ServerKey(b)
		_{Ý k}_ab_e_{KeyÝÝÝÝÝÝÝÝÝ}g receive.a.b.{a. k_ab}_ServerKey(b).{n_b}_k_ab
		_n_b_e_NonceÝ g signal.Claim_Secret.a.b. k_ab
		_{ÝÝ m}_e_{TÝÝÝÝÝÝÝÝÝÝÝÝÝÝ}g Session(b,a,k_ab,n_a,n_b) )


	CSP description of the server

		Server(J,k_ab ) =
		ÝÝÝ []_Ý(receive.b.J.b .{a.n_a.n_b}_ServerKey(b)
		_{Ý A,B}_e_{AgentÝÝÝÝÝÝÝÝÝ}g send.J.a. {b. k_ab.n_a.n_b}_ServerKey(a).{a.k_ab}_ServerKey(b)
		_N_b_,n_b_e_NonceÝ g Server(J,k_s ) )


		_ÝServer(J)ÝÝ =Ý \|\|\| Server(J,k_ab )
		ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ k_ab e Keys_Server


	CSP description of the intruder
	ÝÝÝÝ Intruder(X) = learn?m: messages gIntruder(close(X U {m})
	ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ []
	ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ say!m: X /\ messages gIntruder(X)

	Close(X) represents all the possible information that the attacker can infer from X. Typically we assume

		Ý{k,m}Ý \|-Ý encript(k,m)
		{encript(k,m), k^-1}Ý \|-Ý m
		{Sq<x₁,Ö,x_n>} \|- x_i
		{x₁,Ö,x_n}Ý \|-Ý Sq<x₁,Ö,x_n>}


	Initiatorí(Anne,n_A)SÝ \|\|\|Ý Responder(Bob,n_B)SÝ \|\|\|Ý Server(Jeeves)SÝ \|\|\|Ý Intruderí(f)Sí

	S = [fake,take/receive,send]
	Sí = [take.x.y/learn][fake.x.y, leak/say]



	ÝThe property to be verified:

		Signal.Claim_Secret.a.b.m e Traces(System)
		a
		not(leak.m e Traces(System) )

	As usual, this property can be verified automatically by checking the traces


The CSP approach is based on inserting signals:
	Running.a.bÝ (in aís protocol)
		Agent a is executing a protocol run apparently with b

	Commit.b.aÝ (in bís protocol)
		Agent b has completed a protocol run apparently with a

Authentication is achieved if Running.a.b always precedes Commit.b.a in the traces of the system
	Weaker or stronger forms of authentication can be achieved by variations of the parameters of these signals and the constraints on them


	The Yahalom Protocol aims at providing authentication of both parties : authentication of the initiator to the responder, and viceversa

	We will analyze the two authentication properties separately

	This requires two separateÝ enhancements of the protocol


	The property to be verified:

	signal. Running_Initiator.a.b.n_a.n_b.k_ab
	precedes
	signal.Commit_Responder.b.a.n_a.n_b.k_ab
	in all the Traces(System)

	Again, this property can be verified automatically by checking the traces


	The property to be verified:

	signal. Running_Responder.b.a.n_a.n_b
	precedes
	signal.Commit_Initiator.a.b.n_a.n_b.k_ab
	in all the Traces(System)

	Again, this property can be verified automatically by checking the traces


	Goal: provide the parties of an interaction with evidence so that later they cannot deny having participated

	Example: The Zhou-Gollmann protocol

		Message 1ÝÝ a -> b :Ý {f_NRO .b.l.c}_Sk_a
		Message 2ÝÝ b -> a :Ý {f_NRR .a.l.c}_Sk_b
		Message 3ÝÝ a -> j :Ý {f_SUB .b.l.k}_Sk_a
		Message 4ÝÝ b <-> j :Ý {f_CON .a.b.l.k}_Sk_j
		Message 5ÝÝ a <-> j :Ý {f_CON .a.b.l.k}_Sk_j

		c = k(m) where m is the message to be transmitted
		a and b are the parties, j is the trusted server
		f_NRO,f_NRR,etc. are flags identifying the steps. l is a nonce
		Sk_a, Sk_b, etc. are signature keys known only to their owners

	a can prove that b has got the message by presenting
	{f_NRR .a.l.c}_Sk_bÝandÝ _Ý{f_CON .a.b.l.k}_Sk_j



	Non-Repudiation of Recipient: a can prove that b has got the message by presenting
	{f_NRR .a.l.c}_Sk_bÝandÝ _Ý{f_CON .a.b.l.k}_Sk_j

	Non-Repudiation of Origin: b can prove that a has sent the message by presenting
	{f_NRO .b.l.c}_Sk_aÝandÝ _Ý{f_CON .a.b.l.k}_Sk_j


	Specification of the Zhou-Gollmann protocol in CSP

	Agent_a(S) =
	ÝÝ [] _b_e_{Agent, m}_e_SÝ send.a.b.m -> Agent_i(S)
	ÝÝ []Ý receive.a.b?m -> Agent_a(close(S U {m}))
	ÝÝ [] ftp.a.Jeeves?m -> Agent_a(close(S U {m}))
	ÝÝ [] _m_e_S evidence.a.m -> Agent_i(S)

	Close(S) represent the capability of inferring new information

	Server(S) =
	ÝÝ receive.a.Jeeves?. {f_SUB .b.l.k}_Sk_a
	ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ -> Server(S U {f_CON .a.b.l.k}_Sk_j)
	ÝÝÝ [] _b_e_{Agent, m}_e_S ftp.a.Jeeves.m -> Server(S)


	Non-Repudiation of Recipient:

	evidence.a.{f_NRR .a.l.c}_Sk_bÝin TrÝ a b sent (f_NRR .a.l.c)
	evidence.a.{f_CON.a.b.l.k}_Sk_jin TrÝ a receive.a.j. {f_CON .a.b.l.k}_Sk_jin Tr

	Non-Repudiation of Origin:

	evidence.b.{f_NRO .b.l.c}_Sk_ain TrÝ a a sent (f_NRO.b.l.c)
	evidence.b.{f_CON.a.b.l.k}_Sk_jin TrÝ a a sent (f_SUB.b.l.k)

	Again, these properties on traces can be proven automatically