1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.
-
date post
21-Dec-2015 -
Category
Documents
-
view
217 -
download
1
Transcript of 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.
![Page 1: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/1.jpg)
1
Protocol compositionand refinement patternsProtocol composition
and refinement patterns
February, 2003
Dusko PavlovicKestrel Institute
![Page 2: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/2.jpg)
2
ProtocolsProtocols
![Page 3: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/3.jpg)
3
ProtocolsProtocols
&d
p(d)$p(d)
dA B
wants = 0has = d + $(a-p(d)) has = $p(d)
has = dwants = dhas = $a
![Page 4: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/4.jpg)
4
&dp(d)
$p(d)d
A B
abstraction
ProblemProblem
![Page 5: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/5.jpg)
5
SolutionSolution
&dp(d)
$p(d)d
A B
![Page 6: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/6.jpg)
6
refinement
SolutionSolution
&dp(d)
$p(d)d
A B
![Page 7: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/7.jpg)
7
“Security Science”“Security Science”
logic(belief, knowledge)
process(CSP,CCS,spi)
crypto(next 700 models)
security
![Page 8: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/8.jpg)
8
“Security Science”“Security Science”
logic(belief, knowledge)
process(CSP,CCS,spi)
crypto(next 700 models)
security
security protocols
“idealizations”
![Page 9: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/9.jpg)
9
“Security Science”“Security Science”
logic(belief, knowledge)
process(CSP,CCS,spi)
crypto(next 700 models)
security
propositions-as-typesproofs-as-processes
security protocols
Dolev-Yao
![Page 10: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/10.jpg)
10
Derivational approachDerivational approach
Protocol derivation
• components
• refinements
• transformations
Proof derivation
• axioms
• proof rules
• proof transformations
truth is just anothersecurity property
• derivation patterns
![Page 11: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/11.jpg)
11
OutlineOutline
• Protocol logic
• Derivation patterns1. Authenticated DH
• CR STS
2. Identity and DoS protection
• STS JFK
3. DH refinements
• KAMQV
4. Combine 2. and 3.
• MQVMQV+
• Tool demo
![Page 12: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/12.jpg)
12
PapersPapers
• Deriving, attacking and defending
GDOI
– with C. Meadows» submitted
• Abstraction and refinement in
protocol derivation
– with A. Datta and A. Derek and J. Mitchell» to appear in Proceedings of CSFW 2004
• Secure protocol composition
– with A. Datta and A. Derek and J. Mitchell
» Proceedings of MFPS 2003 (ext. abstract in
FMCS 2003)
• Derivation system for security protocols and its logical formalization
– with A. Datta and A. Derek and J. Mitchell» Proceedings of CSFW 2003
• Compositional logic for protocol correctness
– with N. Durgin and J. Mitchell» JCS 2003 (eariler version in CSFW 2001)
• Composition and refinement of behavioral specifications
– with D. Smith» ASE 2002
• Guarded transitions in evolving specifications
– with D. Smith» AMAST 2002
http://www.kestrel.edu/users/pavlovic/
![Page 13: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/13.jpg)
13
Protocol logicProtocol logic
• term calculus
• names, variables
• operations
• equality
• action calculus
• send at:ABC
• receive b(x: XY)Z
• new (x)C
• match (t/p(x))C
• tR (x)S R S(t/x)
• (p(t)/p(x))R R(t/x)
![Page 14: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/14.jpg)
14
Protocol logicProtocol logic
• atomic predicates
• a = b -- actions a and b are equal
• a -- action a has occurred
• a < b -- action a has occurred before b
• e.g.,
• tA < (x)Y -- some tA precedes some (x)Y
• a = tA -- a is in the form tA
• sA = tB -- s = t and A = B
![Page 15: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/15.jpg)
15
Protocol logicProtocol logic
• statements
• A : () »
• e.g.,
• A : (x) »
cABxA <((rABx))A
cABxA < ((cABx))B < rABxB <((rABx))A
![Page 16: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/16.jpg)
16
Protocol logicProtocol logic
• abbreviations
• (t) (x)(x/t)
• t U(t/x)
• ((t)) (U(t/x))
• tA< a = tA b = tB . a ≤ b
• tA< a = tA b = tB . a ≤ b
• t U(t/x)
• H(t,x) UHV(t,x) | X,YZ
![Page 17: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/17.jpg)
17
Protocol logicProtocol logic
• general axioms
• (t) a = t a < (t)
(rcv)
• (x)M aA. x FV(a) (x) < aA (new)
A ≠ M (x)M < xM < ((x))A ≤ aA
![Page 18: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/18.jpg)
18
Protocol logicProtocol logic
• challenge-response axiom
• A : (x) »
(cr)
cABxA < ((rABx))A
cABxA < ((cABx))B < rABxB <((rABx))A
(x)A
cABxA
((rABx))A
((cABx))B
rABxB
![Page 19: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/19.jpg)
19
Challenge-responseChallenge-response
CR
CRK
CRKICRKO
CRP
CRECRS
![Page 20: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/20.jpg)
20
CR
Challenge-responseChallenge-response
CRK
CRKICRKO
CRP
CRECRS
A B
m
rABm
cABm
![Page 21: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/21.jpg)
21
CR
Challenge-responseChallenge-response
CRK
CRKICRKO
CRP
CRECRS
A: (m)A< cABmA <(rABm)A
» cABmA < ((rABm))A
cABmA<((cABm))B<rABmB<((rABm))A
A: (m)A< cABmA<((cABm))B<
rABmB< (rABm)A
![Page 22: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/22.jpg)
22
CR
Challenge-responseChallenge-response
CRK
CRKICRKO
CRP
CRECRS
A B
m
SB(A,m)
m
SBt = SBu t = u (sig1)
SBt X< X=B (sig2)
VB(y,t) y = SBt (sig3)
![Page 23: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/23.jpg)
23
CR
Challenge-responseChallenge-response
CRK
CRKICRKO
CRP
CRECRS
SBt = SBu t = u (sig1)
SBt X< X=B (sig2)
VB(y,t) y = SBt (sig3)
(sig1) (sig2) (sig3) (cr)
![Page 24: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/24.jpg)
24
CR
Challenge-responseChallenge-response
CRK
CRKICRKO
CRP
CRECRS
A B
m
m
EB(A,m)
(m)A<EBmA <mX< (enc)
X=A X=B
![Page 25: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/25.jpg)
25
CR
Challenge-responseChallenge-response
CRK
CRKICRKO
CRP
CRECRS
A B
m
KAB(A,m)
m
KABt = KABu t = u (hk1)
KABt X< X=A X=B (hk2)
![Page 26: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/26.jpg)
26
CR
Challenge-responseChallenge-response
CRK
CRKICRKO
CRP
CRECRS
A B
m
m
KAB(A,m)
KABt = KABu t = u (hk1)
KABt X< X=A X=B (hk2)
![Page 27: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/27.jpg)
27
Composing authenticationComposing authentication
SBm
mm
SAn
nn
CRS[A,B] CRS[B,A]
NestSeq
2CRSSeq
SAn
n, SBmn
mm
SBm
2CRSNest
SAn
nn
mm
![Page 28: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/28.jpg)
28
Composing authenticationComposing authentication
SBm
mm
SAn
nn
CRS[A,B] CRS[B,A]
SB(m,n)
PoP STS0
NestSeq
SA(n,m)
n, SB(m,n)n
mm
SA(m,n)
nn
mm
![Page 29: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/29.jpg)
29
Reasoning in PoPReasoning in PoP
((m))B
SB(m,y)B
(m)A
mA
(n)A
SA(m,n)A
(SB(m,n))A
nY<
(rcv)
n = y
(sig1) n = y
yB
(SA(m,y))B
(y)B
![Page 30: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/30.jpg)
30
Reasoning in PoPReasoning in PoP
((m))B
SB(m,y)B
(m)A
mA
(n)A
SA(m,n)A
(SB(m,n))A
nY<
(rcv)
n = y
(sig1) n = y
yB
(SA(m,y))B
(y)B
![Page 31: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/31.jpg)
31
Composing authenticationComposing authentication
SBm
mm
SAn
nn
CRS[A,B] CRS[B,A]
SB(m,n)
PoP STS0
NestSeq
SA(n,m)
n, SB(m,n)n
mm
SA(m,n)
nn
mm
![Page 32: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/32.jpg)
32
STS familySTS family
m=gx, n=gy
k=gxy
STSa
STSH
STS0
distributecertificates
cookie
openresponder
JFK0
symmetrichash
JFK
protect identities
STSP
STS0H
STSaH
STS JFK1
STSPH
RFK
![Page 33: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/33.jpg)
33
m=gx, n=gy
k=gxy
m
SB(m,n),n
SA(n,m)
STS familySTS family
distributecertificates
cookie
openresponder
symmetrichash
protect identities
STS0 STS0H
STSa STSaH JFK0
STS STSH JFK1
STSP STSPH JFK
RFK
![Page 34: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/34.jpg)
34
m=gx, n=gy
k=gxy
STS familySTS family
distributecertificates
cookie
openresponder
m
n, Hmn
m, n, Hmn,SA(m,n)
SB(n,m)
symmetrichash
protect identities
STS0 STS0H
STSa STSaH JFK0
STS STSH JFK1
STSP STSPH JFK
RFK
![Page 35: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/35.jpg)
35
m=gx, n=gy
k=gxy
m
CB, SB(m,n),n
CA, SA(n,m)
STS familySTS family
distributecertificates
cookie
openresponder
symmetrichash
protect identities
STS0 STS0H
STSa STSaH JFK0
STS STSH JFK1
STSP STSPH JFK
RFK
![Page 36: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/36.jpg)
36
m=gx, n=gy
k=gxy
m
n, Hmn
m, n, Hmn,CA, SA(m,n)
CB, SB(n,m)
STS familySTS family
distributecertificates
cookie
openresponder
symmetrichash
protect identities
STS0 STS0H
STSa STSaH JFK0
STS STSH JFK1
STSP STSPH JFK
RFK
![Page 37: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/37.jpg)
37
m=gx, n=gy
k=gxy
m
n, CB, Hmn
m, n, Hmn,CA, SA(m,n)
SB(n,m)
STS familySTS family
distributecertificates
cookie
openresponder
protect identities
symmetrichash
STS0 STS0H
STSa STSaH JFK0
STS STSH JFK1
STSP STSPH JFK
RFK
![Page 38: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/38.jpg)
38
m=gx, n=gy
k=gxy
m
n, CB, Ek(SB(n, m))
CA, Ek(SA(m,n))
m=gx
n=gy
k=gxy
STS familySTS family
distributecertificates
cookie
openresponder
protect identities
symmetrichash
STS0 STS0H
STSa STSaH JFK0
STS STSH JFK1
STSP STSPH JFK
RFK
![Page 39: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/39.jpg)
39
m
n, Hmn
m, n, Hmn,CA, Ek(SA(m,n))
CB, Ek(SB(n, m))
m=gx
n=gy
k=gxy
m=gx, n=gy
k=gxy
STS familySTS family
distributecertificates
cookie
openresponder
protect identities
symmetrichash
STS0 STS0H
STSa STSaH JFK0
STS STSH JFK1
STSP STSPH JFK
RFK
![Page 40: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/40.jpg)
40
m=gx, n=gy
k=gxy
STS familySTS family
distributecertificates
cookie
openresponder
m
n, CB, Hmn
m, n, Hmn,CA,Ek(SA(m,n,CB))
Ek(SB(n, m))
m=gx
n=gy
k=gxy
protect identities
symmetrichash
STS0 STS0H
STSa STSaH JFK0
STS STSH JFK1
STSP STSPH JFK
RFK
![Page 41: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/41.jpg)
41
m
n, Ek(CB, SB(n, m))
Ek(CA, SA(m,n))
m=gx
n=gy
k=gxy
m=gx, n=gy
k=gxy
STS familySTS family
distributecertificates
cookie
openresponder
symmetrichash
protect identities
STS0 STS0H
STSa STSaH JFK0
STS STSH JFK1
STSP STSPH JFK
RFK
![Page 42: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/42.jpg)
42
m
n, Hmn
m, n, Hmn,Ek(CA, SA(m,n))
Ek(CB, SB(n, m))
m=gx
n=gy
k=gxy
m=gx, n=gy
k=gxy
STS familySTS family
distributecertificates
cookie
openresponder
symmetrichash
protect identities
STS0 STS0H
STSa STSaH JFK0
STS STSH JFK1
STSP STSPH JFK
RFK
![Page 43: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/43.jpg)
43
m=gx, n=gy
k=gxy
STS familySTS family
distributecertificates
cookie
openresponder
symmetrichash
protect identities
m
n, CB, Hmn
m, n, Hmn,Ek(CA, SA(m,n,CB))
Ek(SB(n, m))
m=gx
n=gy
k=gxy
STS0 STS0H
STSa STSaH JFK0
STS STSH JFK1
STSP STSPH JFK
RFK
![Page 44: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/44.jpg)
44
m
n, Hmn
m, n, Hmn,Ek(CA,SA(m,n)), #(I)
Ek(CB,SB(n, m)), #(R)
m=gx
n=gy
k=gxy
m=gx, n=gy
k=gxy
STS familySTS family
STS0H
STSaH
STS
STSPH
JFK1
distributecertificates
cookie
openresponder
symmetrichash
protect identities
RFK
STS0
STSa JFK0
STSH
STSP JFK
![Page 45: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/45.jpg)
45
MQV familyMQV family
MTI/A
MQV
KA
MTI/B
DH
MTI/C
UM
![Page 46: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/46.jpg)
46
MQV familyMQV family
mA
mB
KA
DH
MTI/B MTI/C
MTI/A
UM
MQV
![Page 47: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/47.jpg)
47
MQV familyMQV family
gx
gy
k=gxy
KA
DH
MTI/B MTI/C
MTI/A
UM
MQV
![Page 48: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/48.jpg)
48
(gb)x
(ga)y
k=(gay)1/a gx =(gbx)1/b gy
MQV familyMQV family
KA
DH
MTI/B MTI/C
MTI/A
UM
MQV
![Page 49: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/49.jpg)
49
MQV familyMQV family
(gb)x
(ga)y
k=(gay)x/a =(gbx)y/b
KA
DH
MTI/B MTI/C
MTI/A
UM
MQV
![Page 50: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/50.jpg)
50
MQV familyMQV family
gx, GA
gy , GB
k = {(gy)a (gb)x}
= {(gx)b (ga)y}
GA={A,ga}TA
GB={B,gb}TA
KA
DH
MTI/B MTI/C
MTI/A
UM
MQV
![Page 51: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/51.jpg)
51
MQV familyMQV family
gx, GA
gy , GB
k = {(gy)a ||(gb)x} = {(gx)b || (ga)y}
GA={A,ga}TA
GB={B,gb}TA
k = {(gy)x ||(gb)a} = {(gx)y || (ga)b}or
KA
DH
MTI/B MTI/C
MTI/A
UM
MQV
![Page 52: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/52.jpg)
52
MQV familyMQV family
gx, GA
gy , GB
k = gf(a,x) f(b,y) where
GA={A,ga}TA
GB={B,gb}TA
f(a,x) = agx + x
KA
DH
MTI/B MTI/C
MTI/A
UM
MQV
![Page 53: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/53.jpg)
53
MQV familyMQV family
DH
MTI/C
UM
gx, GA
gy , GB
k = gf(a,x) f(b,y) where
GA={A,ga}TA
GB={B,gb}TA
f(a,x) = agx + x gf(a,x) = F(ga, gx) is 1-way in gx.
E.g., given a one-way function H(n), such
that H(gx) = gh(x), take
F(m,n)= m H(n) and f(a,x) = a+h(x)
gf(a,x) = F(ga, gx) is 1-way in gx.
E.g., given a one-way function H(n), such
that H(gx) = gh(x), take
F(m,n)= m H(n) and f(a,x) = a+h(x)
KA
MTI/B
MTI/A
MQV
![Page 54: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/54.jpg)
54
add certificatesk=gf(a,x)f(b,y)
m=gx, n=gy
k=gxy
MQV refinementsMQV refinements
cookie
openresponder
symmetrichash
JFK
STSP
MQVCP
KA
key
keyconf.
MQVJFK
authenticate
protect identities
encryption
signature
DH
RFK
symmetrichash
STSa
STS STSPH
MQV MQVCMQVCPH
MQVRFK
![Page 55: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/55.jpg)
55
mA
mB
add certificatesk=gf(a,x)f(b,y)
m=gx, n=gy
k=gxy
MQV refinementsMQV refinements
cookie
openresponder
symmetrichash
key
keyconf.
authenticate
protect identities
encryption
signature
KA STSa
DH STS STSP STSPH
JFK
MQV
RFK
MQVC MQVCPMQVCPH
MQVJFK
MQVRFK
![Page 56: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/56.jpg)
56
mA
mB, CB, SB(n, mA)
CA, SA(mA, mB)
add certificatesk=gf(a,x)f(b,y)
m=gx, n=gy
k=gxy
MQV refinementsMQV refinements
cookie
openresponder
symmetrichash
key
keyconf.
authenticate
protect identities
encryption
signature
KA STSa
DH STS STSP STSPH
JFK
MQV
RFK
MQVC MQVCPMQVCPH
MQVJFK
MQVRFK
![Page 57: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/57.jpg)
57
gx
gy
add certificatesk=gf(a,x)f(b,y)
m=gx, n=gy
k=gxy
MQV refinementsMQV refinements
cookie
openresponder
symmetrichash
key
keyconf.
authenticate
protect identities
encryption
signature
KA STSa
DH STS STSP STSPH
JFK
MQV
RFK
MQVC MQVCPMQVCPH
MQVJFK
MQVRFK
![Page 58: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/58.jpg)
58
gx
gy, CB, Ek(SB(gy,gx))
CA, Ek(SA(gx, gy))
k=gxy
add certificatesk=gf(a,x)f(b,y)
m=gx, n=gy
k=gxy
MQV refinementsMQV refinements
cookie
openresponder
symmetrichash
key
keyconf.
authenticate
protect identities
encryption
signature
KA STSa
DH STS STSP STSPH
JFK
MQV
RFK
MQVC MQVCPMQVCPH
MQVJFK
MQVRFK
![Page 59: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/59.jpg)
59
gx
gy, Ek(CB, SB(gy,gx))
Ek(CA, SA(gx, gy))k=gxy
add certificatesk=gf(a,x)f(b,y)
m=gx, n=gy
k=gxy
MQV refinementsMQV refinements
cookie
openresponder
symmetrichash
key
keyconf.
authenticate
protect identities
encryption
signature
KA STSa
DH STS STSP STSPH
JFK
MQV
RFK
MQVC MQVCPMQVCPH
MQVJFK
MQVRFK
![Page 60: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/60.jpg)
60
gx
gy, Hgx, gy, H, Ek(CA, SA(gx, gy))
Ek(CB, SB(gy, gx)) k=gxy
add certificatesk=gf(a,x)f(b,y)
m=gx, n=gy
k=gxy
MQV refinementsMQV refinements
cookie
openresponder
symmetrichash
key
keyconf.
authenticate
protect identities
encryption
signature
KA STSa
DH STS STSP STSPH
JFK
MQV
RFK
MQVC MQVCPMQVCPH
MQVJFK
MQVRFK
![Page 61: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/61.jpg)
61
gx
gy, CB, H,gx, gy, H, Ek(CA, SA(gx, gy, CB))
Ek(SB(gy, gx)) k=gxy
add certificatesk=gf(a,x)f(b,y)
m=gx, n=gy
k=gxy
MQV refinementsMQV refinements
cookie
openresponder
symmetrichash
key
keyconf.
authenticate
protect identities
encryption
signature
KA STSa
DH STS STSP STSPH
JFK
MQV
RFK
MQVC MQVCPMQVCPH
MQVJFK
MQVRFK
![Page 62: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/62.jpg)
62
gx
gy, H,gx, gy, H, Ek(CA, SA(gx, gy)), #(I)
Ek(CB, SB(gy, gx)), #(R) k=gxy
add certificatesk=gf(a,x)f(b,y)
m=gx, n=gy
k=gxy
MQV refinementsMQV refinements
cookie
openresponder
symmetrichash
key
keyconf.
authenticate
protect identities
encryption
signature
KA STSa
DH STS STSP STSPH
JFK
MQV
RFK
MQVC MQVCPMQVCPH
MQVJFK
MQVRFK
![Page 63: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/63.jpg)
63
add certificatesk=gf(a,x)f(b,y)
m=gx, n=gy
k=gxy
MQV refinementsMQV refinements
cookie
openresponder
symmetrichash
key
keyconf.
authenticate
protect identities
encryption
signature
gx, GA
gy, GB
GA={A,ga}TA
GB={B,gb}TA
k=gf(a,x)f(b,y)
KA STSa
DH STS STSP STSPH
JFK
MQV
RFK
MQVC MQVCPMQVCPH
MQVJFK
MQVRFK
![Page 64: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/64.jpg)
64
add certificatesk=gf(a,x)f(b,y)
m=gx, n=gy
k=gxy
MQV refinementsMQV refinements
cookie
openresponder
symmetrichash
key
keyconf.
authenticate
protect identities
encryption
signature
GA={A,ga}TA
GB={B,gb}TA
k=gf(a,x)f(b,y)
gx, ga
gy,GB,Ek(gy,gx)
GA, Ek(gx, gy)
KA STSa
DH STS STSP STSPH
JFK
MQV
RFK
MQVC MQVCPMQVCPH
MQVJFK
MQVRFK
![Page 65: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/65.jpg)
65
add certificatesk=gf(a,x)f(b,y)
m=gx, n=gy
k=gxy
MQV refinementsMQV refinements
cookie
openresponder
symmetrichash
key
keyconf.
authenticate
protect identities
encryption
signature
GA={A,ga}TA
GB={B,gb}TA
k=gf(a,x)f(b,y)
gx, ga
gy,gb, Ek(GB,gy,gx)
Ek(GA,gx, gy)
KA STSa
DH STS STSP STSPH
JFK
MQV
RFK
MQVC MQVCPMQVCPH
MQVJFK
MQVRFK
![Page 66: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/66.jpg)
66
add certificatesk=gf(a,x)f(b,y)
m=gx, n=gy
k=gxy
MQV refinementsMQV refinements
cookie
openresponder
symmetrichash
key
keyconf.
authenticate
protect identities
encryption
signature
GA={A,ga}TA
GB={B,gb}TA
k=gf(a,x)f(b,y)
gx, ga
gy, gb, H,gx, ga, gy, gb, H, Ek(GA,gx,gy))
Ek(GB,gy,gx)
KA STSa
DH STS STSP STSPH
JFK
MQV
RFK
MQVC MQVCPMQVCPH
MQVJFK
MQVRFK
![Page 67: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/67.jpg)
67
GA={A,ga}TA
GB={B,gb}TA
k=gf(a,x)f(b,y)
gx
gy, gb, H,gx, ga, gy, H, Ek(GA,gx, gb, gy))
Ek(GB,gy, gx)
add certificatesk=gf(a,x)f(b,y)
m=gx, n=gy
k=gxy
MQV refinementsMQV refinements
cookie
openresponder
symmetrichash
key
keyconf.
authenticate
protect identities
encryption
signature
KA STSa
DH STS STSP STSPH
JFK
MQV
RFK
MQVC MQVCPMQVCPH
MQVJFK
MQVRFK
![Page 68: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/68.jpg)
68
add certificatesk=gf(a,x)f(b,y)
m=gx, n=gy
k=gxy
MQV refinementsMQV refinements
STSa
STSPH
cookie
openresponder
symmetrichash
MQVCPHMQV MQVC
key
keyconf.
MQVRFK
authenticate
protect identities
encryption
signature
STS
gx, ga
gy, gb, H,gx, ga, gy, gb, H, Ek(GA,gx,gy), #(I)
Ek(GB,gy,gx), #(R)
GA={A,ga}TA
GB={B,gb}TA
k=gf(a,x)f(b,y)
KA
DH STSP
JFK
RFK
MQVCP
MQVJFK
![Page 69: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/69.jpg)
69
SummarySummary
STS
CR
1
JFK2
DH
MQV
KA
3
MQV+4
![Page 70: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/70.jpg)
70
SummarySummary
mA
mB
gx
gy, CB, Hmn
gx, gy, Hmn,Ek
Ek
c
r
gx
gy
gx, GA
gy, GB
gx
gy, CB, EK
CA , EK
gx
gy, gb, H n
gx, ga,… H, Ek
Ek
![Page 71: 1 Protocol composition and refinement patterns February, 2003 Dusko Pavlovic Kestrel Institute.](https://reader035.fdocuments.in/reader035/viewer/2022062714/56649d575503460f94a3651b/html5/thumbnails/71.jpg)
71
Future workFuture work
• Populate taxonomy
• Interface crypto• complexity algebra
• Quantify utility• evolutionary equilibria
• distributed fixpoint programming