Electronic Notes in Theoretical Computer Science 20 (1999)
URL: http://www.elsevier.nl/locate/entcs/volume20.html
4 pages

The MFPS XV Security Session

Catherine Meadows
Naval Research Laboratory
Code 5543
Washington, DC 20372
meadows@itd.nrl.navy.mil

Dennis Volpano
Department of Computer Science
Naval Postgraduate School
Monterey, CA
volpano@cs.nps.navy.mil

1 Introduction

Security has long been a popular application of formal methods. This is because it is a fertile source of challenging problems that are important enough to justify the effort involved in developing mathematical models and formal techniques. And their importance is growing. We are moving to a more networked world where our vital transactions depend upon our ability to communicate securely over an untrusted network and upon information and software obtained from parties about whom we may know little if anything. To meet these challenges, MFPS is bringing people in formal methods and semantics together with researchers in the field of security.

A special session of MFPS 15 was devoted to security. It involved one invited talk by Martín Abadi, and six speakers, Dominique Bolignano, Carl Gunter, Pat Lincoln, George Necula, Geoffrey Smith, and Paul Syverson. The speakers covered four major areas of security. In this introduction, we give an overview of these areas and indicate why they are important and what makes them difficult. We also give a brief outline of the speakers' talks.

2 Cryptographic Protocol Verification

In order to communicate securely over an insecure network,
it is necessary to use encryption to provide secrecy and to authenticate messages, and to develop protocols that use cryptography to perform such functions as the distribution of keys and the authentication of principals and transactions. But the use of cryptography does not in itself guarantee correctness; in many cases it may be possible for a hostile intruder who has the ability to read, redirect, and alter messages to manipulate the protocol into revealing secret information or allowing the intruder to impersonate an honest principal, without breaking the underlying crypto-algorithms. This concern is not merely a theoretical one; numerous examples exist of protocols that were at one time believed to be secure but were found out to have serious security flaws some time after they were published.¹ In their talks, Bolignano, Syverson and Lincoln each addressed different aspects of this problem.

U.S. Government Work. Not Subject to U.S. Copyright.

Bolignano described work related to his analysis of electronic commerce protocols. Such protocols are typically very complicated, and the security properties proved typically involve proving the integrity of complex data structures. Thus it is necessary to find safe abstractions, that is, abstractions that reduce the complexity of the system to be analyzed without jeopardizing the correctness of the conclusions reached. Bolignano outlined his techniques for finding such safe abstractions for cryptographic protocols.

Syverson addressed the problem of reconciling belief logics developed for the analysis of cryptographic protocols, which require a relatively small amount of computational effort but tend to be overly abstract, with state-based models, which are more detailed (and hence usually more accurate), but whose use in analysis tends to be more computationally intensive. He used the recently introduced strand space model [2], that ties together
much of the recent work in state-based cryptographic protocol analysis, to provide a semantics for the modal authentication logic SVO [6].

Lincoln described a framework for analyzing security protocols in which protocol adversaries may be arbitrary probabilistic polynomial-time processes. In this framework, protocols are written in a restricted form of the π-calculus [5], a formal specification language developed for reasoning about communication in distributed systems, and secrecy is formulated in terms of observational equivalence, which involves quantifying over the possible environments that can interact with a protocol. This allows a more accurate model of the role cryptography plays in a cryptographic protocol while still retaining the benefits provided by a formal specification language. He also mentioned some more recent results in the complexity of analyzing secrecy in simple cryptographic protocols. The problem of determining whether a protocol allows an intruder to gain access to a given secret is undecidable even for protocols with very strong restrictions on various parameters like message length and nesting depth of encryption.

¹ See [1] for a few examples.

3 Public Key Infrastructure

Public key cryptography provides a powerful authentication mechanism. A principal can sign a message with a private key that only it knows, and anyone can verify it with the corresponding public key. But this alone is not very useful unless there is a way of associating public keys with principals. The earliest work on public key cryptography suggested that public keys be published in a central place, such as a telephone directory. However, with the growing widespread use of public keys, this is no longer
practical. The common use now is to have a public key authority that signs (and thus vouches for) a certificate containing the principal's name and the public key belonging to it. The public key of this authority may be signed by a higher authority, and so forth, so that a public key hierarchy is obtained. The issue is complicated by the fact that many different hierarchies may exist, that circular chains of authentication may be allowed (e.g. the PGP "web of trust"), that certificates may be used not only to provide authentication of keys but to specify different privileges belonging to principals, and that both keys and privileges may be revoked by an authority. It is necessary to develop a sound and expressive logic to reason about policies in this framework and describe them without ambiguity. In his talk, Gunter showed how type theory can be applied to the problem of certificate revocation and addressed the issues raised by the non-monotonicity that such revocation introduces.

4 Secrecy Models

The ability not to reveal sensitive information is a key feature of security. However, it usually is not practical to verify that every piece of code that has access to secret information is trusted not to reveal it. Instead, it is quite common to have some smaller part of a system enforce a security policy describing the types of communication a process with access to sensitive information may have with other parts of the system. However, when the stakes are high, a simple access control policy may not be enough. A Trojan Horse in the untrusted process could use any visible effect the process has on the system as a covert channel in which the sensitive information could be encoded. Visible effects could include resources used by the
process, delays in processing for other parts of the system (timing channels) and even changes in the probability that other events would or would not occur. The problem was first noted by Lampson in 1973 [4], and has motivated much of the research in multilevel security, which deals with the problem of maintaining separation between data classified at different security levels in the same system. This problem has remained with us even as we move from timesharing operating systems to more networked architectures [3]. In his talk, Smith described a model for secrecy that takes into account, not only a process's ability to produce events that may be seen by another process, but a process's ability to affect the probability of certain events.

5 Code Verification

Correctness of code has always been an important problem. But code verification, although it got off to a promising start, has in recent years been regarded as too difficult to be practical, and efforts instead have concentrated on verification of higher-level system specifications. But increasing use of mobile code, that is, code which is sent over the network and executed, has sparked new interest in developing the best possible methods of assuring the safety of the code itself, by the user as well as the developer, and doing so in an automated way. Necula described the concept of proof-carrying code, in which mobile code carries its own proofs of safety with it, which can be mechanically verified by the target execution environment.

6 Conclusion

Tools and techniques developed as part of the foundations of programming languages and their logics can
be applied fruitfully to some aspects of security. The speakers in the Security Session provided yet more evidence of the growing synergy between the semantics of programming languages and security. For the details of their work, we invite you to read the papers that appear in these proceedings.

References

[1] M. Burrows, M. Abadi, and R. Needham. A logic of authentication. ACM Transactions on Computer Systems, 8(1):18–36, February 1990.

[2] F. Javier Thayer Fábrega, Jonathan C. Herzog, and Joshua D. Guttman. Strand spaces: Why is a security protocol correct? In Proceedings of the 1998 IEEE Symposium on Security and Privacy, pages 160–171. IEEE Computer Society Press, May 1998.

[3] Myong H. Kang and Ira S. Moskowitz. A network pump. IEEE Transactions on Software Engineering, 22(5), May 1996.

[4] B. W. Lampson. A note on the confinement problem. Communications of the ACM, 16(10):613–615, October 1973.

[5] R. Milner, J. Parrow, and D. Walker. A calculus of mobile processes, parts I and II. Information and Computation, 100:1–77, September 1992.

[6] Paul F. Syverson and Paul C. van Oorschot. On unifying some cryptographic protocol logics. In Proceedings of the 1994 Symposium on Security and Privacy. IEEE Computer Society Press, May 1994.
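The state-based models of Section 2 treat the intruder as able to read, redirect and alter messages while learning only what the cryptography lets it learn. As an added example that is not part of the paper or of any speaker's work, the following Python code (constructed here; the Dolev-Yao style term algebra, key names and the sample message are assumptions) computes the intruder's knowledge closure and decides whether a given secret or forged message is derivable from the messages it has observed, which is the secrecy question the section calls undecidable in general.

```python
# Added example (not from the paper): a Dolev-Yao style intruder deduction
# of the kind used by state-based protocol analysis. The intruder reads every
# message and may build new ones, but can open an encryption only with the
# inverse key. Terms: atoms (str), ("pair", a, b) or ("enc", m, k).

def inverse(key):
    """Key that decrypts a term encrypted under `key` (symmetric: itself)."""
    if isinstance(key, str) and key.startswith("pk("):
        return "sk(" + key[3:]
    if isinstance(key, str) and key.startswith("sk("):
        return "pk(" + key[3:]
    return key

def analyze(knowledge):
    """Close the intruder's knowledge under decomposition: split pairs and
    decrypt whenever the inverse key is already known (a fixed point)."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if isinstance(t, tuple) and t[0] == "pair":
                parts = {t[1], t[2]}
            elif isinstance(t, tuple) and t[0] == "enc" and inverse(t[2]) in known:
                parts = {t[1]}
            else:
                continue
            if not parts <= known:
                known |= parts
                changed = True
    return known

def can_derive(knowledge, goal):
    """Synthesis: can the intruder build `goal` (the secret, or a forged
    message) from the analyzed knowledge by pairing and encrypting?"""
    known = analyze(knowledge)
    def build(t):
        if t in known:
            return True
        if isinstance(t, tuple) and t[0] in ("pair", "enc"):
            return build(t[1]) and build(t[2])
        return False
    return build(goal)

# Constructed sample: the intruder I observes {Na, A}_pk(B), knows every
# public key, its own private key sk(I), the principal names and its own nonce.
MSG1 = ("enc", ("pair", "Na", "A"), "pk(B)")
INTRUDER = {"pk(A)", "pk(B)", "pk(I)", "sk(I)", "A", "B", "I", "Ni", MSG1}
```

The nonce Na stays secret as long as sk(B) is not in the knowledge set, even though the intruder can replay the observed message or build well-formed messages of its own; adding sk(B) to the knowledge makes Na derivable, which is how a compromised key shows up in such an analysis.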
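Section 3 notes that hierarchies, circular chains such as a web of trust, and revocation all complicate reasoning about which public keys to accept, and that revocation makes the reasoning non-monotone. As an added example that is not from the paper or from Gunter's work, this Python code (constructed here; the roots, certificates and revocation facts are sample data) computes the accepted keys as a least fixed point over the certificates and shows that adding a revocation fact removes conclusions that were derivable before.

```python
# Added example (not from the paper): the set of principals whose public key
# is accepted is a least fixed point over the available certificates. Adding a
# revocation shrinks it, so the reasoning is non-monotone in the set of facts.
# All roots, certificates and revocations below are constructed sample data.

def certified(roots, certs, revoked_keys):
    """Least fixed point: X's key is accepted if X is a trusted root, or some
    certificate for X was signed by a principal whose key is already accepted,
    and X's key has not been revoked. A cycle (a web of trust) does not
    bootstrap itself, because nothing in the cycle is accepted first."""
    accepted = set(roots) - set(revoked_keys)
    changed = True
    while changed:
        changed = False
        for issuer, subject in certs:
            if (issuer in accepted and subject not in accepted
                    and subject not in revoked_keys):
                accepted.add(subject)
                changed = True
    return accepted

def is_monotone(roots, certs, revoked_keys, new_revocations):
    """True iff adding the new facts (revocations) loses no conclusion."""
    before = certified(roots, certs, revoked_keys)
    after = certified(roots, certs, set(revoked_keys) | set(new_revocations))
    return before <= after

# Constructed hierarchy: Root -> CA1 -> Alice, plus a circular Alice <-> Bob
# chain in which the two principals vouch for each other.
ROOTS = {"Root"}
CERTS = {("Root", "CA1"), ("CA1", "Alice"), ("Alice", "Bob"), ("Bob", "Alice")}
```

Revoking CA1's key drops Alice and Bob as well, since the only path that reaches their cycle runs through CA1; the cycle alone, with no trusted root, certifies nobody.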
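Smith's point in Section 4 is that a process can leak by changing the probability of events even when every outcome remains possible. As an added example that is not from the paper or from Smith's work, the following Python code (the two-thread program and the uniform scheduler are constructed here) enumerates every interleaving and compares the set of possible final values of a public variable with their probability distribution for each value of the secret.

```python
# Added example (not from the paper): probabilistic vs. possibilistic secrecy.
# Two threads share a public variable l; thread B's running time depends on
# the secret bit h, but no thread ever copies h into l. Program and scheduler
# are constructed here for illustration.
from fractions import Fraction

def program(h):
    """Thread A assigns l := 1 in one step; thread B assigns l := 0 after
    three extra skips when h is set (a timing dependence on the secret)."""
    thread_a = [("assign", 1)]
    thread_b = (["skip"] * 3 if h else []) + [("assign", 0)]
    return [thread_a, thread_b]

def final_distribution(threads, l=None, prob=Fraction(1), acc=None):
    """Enumerate every interleaving under a uniform scheduler that picks one
    runnable thread per step; return {final value of l: probability}."""
    if acc is None:
        acc = {}
    runnable = [i for i, t in enumerate(threads) if t]
    if not runnable:
        acc[l] = acc.get(l, 0) + prob
        return acc
    for i in runnable:
        step, rest = threads[i][0], threads[i][1:]
        new_l = l if step == "skip" else step[1]
        next_threads = threads[:i] + [rest] + threads[i + 1:]
        final_distribution(next_threads, new_l, prob / len(runnable), acc)
    return acc

def possible_outcomes(h):
    """Possibilistic view: which final values of l can occur at all."""
    return set(final_distribution(program(h)))

def probability_gap(h0, h1):
    """Probabilistic view: how much P(l = 0) shifts between two secrets.
    A nonzero gap is the kind of leak Smith's model is meant to capture."""
    d0, d1 = final_distribution(program(h0)), final_distribution(program(h1))
    return d1.get(0, Fraction(0)) - d0.get(0, Fraction(0))
```

Both values of h allow both final values of l, so a purely possibilistic check passes, yet P(l = 0) moves from 1/2 to 15/16 when h is set.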