MSR 3.0:
MSR 3:
One Year Later
The Logical Meeting Point of Multiset
Rewriting and Process Algebra
Iliano Cervesato
iliano@itd.nrl.navy.mil
ITT Industries, inc @ NRL Washington, DC
http://www.cs.stanford.edu/~iliano
CS Department, UMBC
Iliano Cervesato
February 27-28, 2003
iliano@itd.nrl.navy.mil
ITT Industries, inc @ NRL Washington, DC
http://theory.stanford.edu/~iliano
Protocol eXchange Seminar, UMBC
May 27-28, 2004
NSPK in MSR 3
A: princ.
A  B: {nA, A}kB
B  A: {nA, nB}kA
A  B: {nB}kB
MSR 2 spec.
{ L: princ  B:princ.pubK B  nonce  mset.
B: princ. kB: pubK B.

 nA: nonce.
net ({nA, A}kB), L (A, B, kB, nA)
B: princ. kB: pubK B.
kA: pubK A. kA': prvK kA.
nA: nonce. nB: nonce.
net ({nA, nB}kA), L (A, B, kB, nA)
 net ({nB}kB)
}
MSR 3: One Year Later
Interpretation
of L
 Rule invocation
 Implementation
detail
 Control flow
 Local state of
role
 Explicit view
 Important for
DOS
1/28
A  B: {nA, A}kB
B  A: {nA, nB}kA
A  B: {nB}kB
NSPK in MSR 3
A:princ.
B: princ. kB: pubK B.
Not an MSR 2 spec.
  nA: nonce.
net ({nA, A}kB),
(kA: pubK A. kA': prvK kA. nB: nonce.
net ({nA, nB}kA)  net ({nB}kB))
 Succinct
 Continuation-passing style
 Rule asserts what to do next
 Lexical control flow
MSR 3: One Year Later
 State is implicit
 Abstract
2/28
Looks Familiar?
Process calculus
A:princ.
B: princ. kB: pubK B.
kA: pubK A. kA': prvK kA. nB: nonce.
nnA: nonce.
net ({nA, A}kB) .
net <{nA, nB}kA> .
net ({nB}kB) . 0
A  B: {nA, A}kB
B  A: {nA, nB}kA
A  B: {nB}kB
Parametric strand
Alice (A,B,NA,NB) :
NA Fresh, pA (A,B)
{NA, A}KB
{NA, NB}KA
{NB}KB
MSR 3: One Year Later
3/28
What is MSR 3?
A new language for security protocols
 Supports
 State transition specs
 Conservative over MSR 2
Neutral paradigm
 Process algebraic specs
 Rewriting re-interpretation of logic
 Rich composable set of connectives
 Universal connector
MSR 3: One Year Later
4/28
More than the Sum of its Parts
Process- and transition-based specs.
in the same language
 Choose the paradigm
 User’s preference
 Highlight characteristics of interest
 Support various verification techniques (FW)
 Mix and match styles
 Within a spec.
 Within a protocol
 Within a role
MSR 3: One Year Later
5/28
What is in MSR 3 ?
 Security-relevant signature
 Network
 Encryption, …
From
MSR 1
 Typing infrastructure
w-Multisets
MSR 2
Protocols
Repr. gap
 Dependent types
 Subsorting
From
MSR 2
 Data Access Specification (DAS)
 Module system
 Equations
MSR 3: One Year Later
From MSR 2
implementation
6/28
w-Multisets
Specification language for concurrent systems
 Crossroad of
 State transition languages
 Petri nets, multiset rewriting, …
w-Multisets
MSR 2
Protocols
Repr. gap
 Process calculi
 CCS, p-calculus, …
 (Linear) logic
 Benefits
 Analysis methods from logic and type theory
 Common ground for comparing
 Multiset rewriting
 Process algebra
 Allows multiple styles of specification
 Unified approach
MSR 3: One Year Later
7/28
Syntax
A ::=
|
|
|
|
|
|
|
|
a
1
AB
A  B
T
A&B
x. A
x. A
!A
atomic object
[]
empty
[A, B]
formation
[A  B] rewrite
no-op
[A || B] choice
instantiation
generation
replication
Generalizes FO multiset rewriting (MSR 1-2)
x1…xn. a(x)  y1…yk. b(x,y)
MSR 3: One Year Later
8/28
State and Transitions
 States
- logic
- system w
- rewriting
- processes
- security
S ; G ; D
S ; D
 S is a list
 G and D are
commutative monoids
 Transitions
 Constructor: “,”
 Empty: “”
S; G; D  S’; G’; D’
S; G; D * S’; D’
 * for reflexive and transitive closure
MSR 3: One Year Later
9/28
Transition Semantics

T
S ; G ; (D, A, A  B)
 S ; G ; (D, B)
(no rule)
&
S ; G ; (D, A1 & A2)
 S ; G ; (D, Ai)

S ; G ; (D, x. A)
if S |- t
 S ; G ; (D, [t/x]A)

S ; G ; (D, x. A)
 (S, x) ; G ; (D, A)
!
S ; G ; (D, !A)
 S ; (G, A) ; D
S ; (G, A) ; D
 S ; (G, A) ; (D, A)
S ; G ; D * S ; D
S ; G ; D * S’’ ; D’’
if S ; G ; D  S’ ; G’ ; D’ and S’ ; G’ ; D’ * S’’ ; D’’
MSR 3: One Year Later
10/28
Linear Logic
 Formulas
A, B ::= a | 1 | A  B | A  B | ! A
| T | A & B | x. A | x. A
- logic
- system w
- rewriting
- processes
- security
 LV sequents
G ; D -->S C
Unrestricted
context
MSR 3: One Year Later
Linear
context
Signature
 Constructor: “,”
 Empty: “”
Goal
formula
11/28
Logical Derivations
G’’’; C -->S’’’ C
 Proof of C from D and G
 Emphasis on C
 C is input
G’’; D’’ -->S’’ C
G’; D’ -->S’ C
 Finite
 Closed
 Rules shown
- logic
- system w
- rewriting
- processes
- security
 Major premise
 Preserves C
 Minor premise
G; D -->S C
MSR 3: One Year Later
 Starts subderivation
12/28
A Rewriting Re-Interpretation
 Transition
G’’’; C -->S’’’ C
 From conclusion
 To major premise
G’’; D’’ -->S’’ C
G’; D’ -->S’ C
 Emphasis on G, D and S
 C is output, at best
 Does not change
 Possibly infinite
 Open
- logic
- system w
- rewriting
- processes
- security
 Minor premise
 Auxiliary rewrite chain
G; D -->S C
MSR 3: One Year Later
 Finite
 Topped with axiom
13/28
Interpreting Unary Rules
G; D, A, B -->S C
G; D, AB -->S C
S |- t G; D, [t/x]A -->S C
G; D, x.A -->S C
- logic
- system w
- rewriting
- processes
- security
G; D, A -->S,x C
G; D, x.A -->S C
G, A; D -->S C
G; D , !A -->S C
…
MSR 3: One Year Later
S; G; (D, AB )  S; G; (D, A, B)
S; G; (D, x. A)  S; G; (D, [t/x]A)
if S |- t
S; G; (D, x. A)  (S, x); G; (D, A)
S; G; (D, !A)  S; (G, A); D
…
14/28
Binary Rules and Axiom
G’; A -->S’ A
 Minor premise
 Auxiliary rewrite
chain
 Top of tree
- logic
- system w
- rewriting
- processes
- security
G; D’ -->S A G; D, B -->S C
G; D, D’ , AB -->S C
MSR 3: One Year Later
 Focus shifts to RHS
 Axiom rule
 Observation
15/28
G,G’; A’ -->S,S’ A’
Observations
G; D -->S S’. A’
 Observation states
A
S ; D
 In D, we identify
 , with 
  with 1
D = D
Categorical semantics
- logic
- system w
- rewriting
- processes
- security
 Identified with x1. … xn. D
 For S = x1, …, xn
De Bruijn’s telescopes
S; D = S. D
 Observation transitions
S; G; D * S’; D’
MSR 3: One Year Later
16/28
Interpreting Binary Rules
G; A -->S A
S; G; D * S; D
S; G; D * S’’; D’’
if S; G; D  S’; G’; D’
and S’; G’; D’ * S’’; D’’
- logic
- system w
- rewriting
- processes
- security
G; D’ -->S A G; D, B -->S C
G; D, D’ , AB -->S C
G; D’ -->S A G; D, A -->S C
G; D, D’ -->S C
…
MSR 3: One Year Later
S; G; (D, D’, A  B)  S; G; (D, B)
if S; G; D’ * S; A
S; G; D, D’  S; G; (A, D)
if S; G; D’ * S; A
…
17/28
Formal Correspondence
 Soundness
If
then
- logic
- system w
- rewriting
- processes
- security
S ; G ; D * S,S’; D’
G ; D -->S S’.  D’
 Completeness?
No! We have only crippled right rules
 ;  ; a  b, b  c *  ; a  c
MSR 3: One Year Later
18/28
System w
 With cut, rule for  can be simplified to
S; G; (D, A, A  B)  S; G; (D, B)
 Cut elimination holds
- logic
- system w
- rewriting
- processes
- security
= in-lining of auxiliary rewrite chains
 But …
 Careful with extra signature symbols
 Careful with extra persistent objects
 No rule for  needs a premise
  does not depend on *
MSR 3: One Year Later
19/28
Multiset Rewriting
 Multiset: set with repetitions allowed
a ::=  | a, a
 Commutative monoid
 Multiset rewriting (a.k.a. Petri nets)
- logic
- system w
- rewriting
- processes
- security
 Rewriting within the monoid
 Fundamental model of distributed computing
 Alternative: Process Algebras
 Basis for security protocol spec. languages
 MSR family
 … several others
 Many extensions, more or less ad hoc
MSR 3: One Year Later
20/28
The Atomic Objects of MSR 3
Atomic terms
w-Multisets
MSR 2
Protocols
 Principals
 Keys
 Nonces
 Other
Constructors
A
K
N
 Raw data, timestamp, …
Repr. gap
Fully definable
MSR 3: One Year Later
 Encryption
 Pairing
 Other
{_}_
(_, _)
 Signature, hash, MAC, …
Predicates
 Network
 Memory
 Intruder
…
net
MA
I
21/28
Types
 Simple types
 Dependent types
 A : princ
 n : nonce
 m : msg, …
 k : shK A B
 K : pubK A
 K’ : privK K, …
w-Multisets
Fully definable
MSR 2
Protocols
Repr. gap
 Powerful abstraction mechanism
 At various user-definable level
 Finely tagged messages
 Untyped: msg only
 Simplify specification and reasoning
 Automated type checking
MSR 3: One Year Later
22/28
Subsorting
t <: t’
 Allows atomic terms in messages
w-Multisets
MSR 2
Protocols
Repr. gap
 Definable
Non-transmittable terms
Sub-hierarchies
 Discriminant for type-flaw attacks
MSR 3: One Year Later
23/28
Data Access Specification
 Prevent illegitimate use of information
 Protocol specification divided in roles
– Owner = principal executing the role
 A signing/encrypting with B’s key
 A accessing B’s private data, …
w-Multisets
MSR 2
Protocols
Repr. gap
 Simple static check
 Central meta-theoretic notion
 Detailed specification of Dolev-Yao access model
 Gives meaning to Dolev-Yao intruder
 Current effort towards integration in type system
 Definable
 Possibility of going beyond Dolev-Yao model
MSR 3: One Year Later
24/28
Modules and Equations
 Modules
w-Multisets
MSR 2
Protocols
Repr. gap
 Bundle declarations with simple import/export
interface
 Keep specifications tidy
 Reusable
 Equations
(For free from underlying Maude engine)
 Specify useful algebraic properties
 Associativity of pairs
 Allow to go beyond free-algebra model
 Dec(k, Enc(k, M)) = M
MSR 3: One Year Later
25/28
State-Based vs. Process-Based
 State-based languages
 Multiset Rewriting
 NRL Prot. Analyzer, CAPSL/CIL, Paulson’s approach, …
w-Multisets
MSR 2
Protocols
Repr. gap
 State
transition
semantics
 Process-based languages
 Process Algebra
 Strand spaces, spi-calculus, …
 Independent
communicating
threads
MSR 3: One Year Later
26/28
MSR 3 Bridges the Gap
 Difficult to go from one to the other
 Different paradigms
PB
PB
w-Multisets
MSR 2
State vs.
process
distance
Protocols
SB
SB
Repr. gap
Other
distance
MSR 3
State  Process translation done once and for all in
MSR 3
MSR 3: One Year Later
27/28
Summary
 MSR 3.0
 Language for security protocol specification
 Succinct representations
 Simpl specifications
 Economy of reasoning
 Bridge between
 State-based representation
 Process-based representation
 w-multisets
 Logical foundation of multiset rewriting
 Relationship with process algebras
 Unified logical view
 Better understanding of where we are
 Hint about where to go next
MSR 3: One Year Later
28/28