AVISPA Class Notes for ISA 780 Made from many publications available from the AVISPA web site .

Duminda Wijesekera Fall 2005


Class Notes for ISA 780Made from many publications available from the AVISPA web site

This transparency is simply a teaching aid used to explain contributions of authors of AVISPA. We respect all copyrights held by those and possibly other authors.

Duminda Wijesekera Fall 2005

References Many references available at Will use some presentations available at Will cover some details from

The High Level Protocol Specification Language Intermediate form List of selected problems The Temporal Logic of Action by Leslie Lamport, ACM Transactions of

Programming Languages and Systems Vol 7, No 7, November 1993, Pages 1-52 available from the authors web site at Microsoft Research. Also the book Specifying Systems describing TAL and a model checker

is freely available from the Microsoft Web site

Will cover other tools used in AVISPA from the respective papers.

Some experience in using AVISPA at GMU

Duminda Wijesekera Fall 2005

Suggested Reading

1. The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications, The 5 page paper from CAV05, available through the AVISPA web site.Authors: Armando, Basin, Boichut, Chavalier,

Compagna, Culler, Hankes Drielsma, Heam, Kouchnarenko, Mantovani, Modersheim, von Ohiemb, Rusinowich, Santiago, Turuani, Vigano, Vigneron

Duminda Wijesekera Fall 2005

Suggested Reading1. The High Level Protocol Specification Language.

(HLPSL)2. The AVISPA Tutorial.3. The Intermediate Form.4. Some fragment of the TLA paper to see how HLPSL is

mapped to TLA.5. Papers 6,9,2,5 listed on CAV05 Paper to get an idea

of how the different components of AVISPA works.6. A Hierarchy of Authentication Protocols by Gavin

Lowe, to understand the difference between strong vs. Weak authentication.

7. Suggested: Two facets of authentication, by martin Abadi (an old paper)

Duminda Wijesekera Fall 2005

Introduction to AVISPA

1. First go through the transparencies “The AVISPA Project:Automated Validation of Internet Security Protocols and Applications” by Alessandro Armando.

2. See the AVISPA tool being used online3. Come back to describing the details of

HLPSL4. Then Review TAL and understand how

HLPSL is translated to TAL

Duminda Wijesekera Fall 2005

High Level Protocol Specification Language. (HLPSL) Reference: Deliverable 2.1:

The High Level Protocol Specification Language, available from

Syntax used to specify protocols in AVISPA: Strongly typed Supports

modularity: composition, hiding control flow explicit intruder knowledge

cryptographic primitives: nonces, hashes, signatures

algebraic properties: Xor exp

Duminda Wijesekera Fall 2005

Entities in HLPSL Basic types and terms State-based formalism Roles

Simple (agents such as Alice, Bob etc) Composite (communities of agents playing their

roles as Alice Bob and the Dolev-Yao Intruder, Key Server synchronizing with each other)

The environment (where all evil lives = Intruder = environment)

Security Goals String authentication, authorization, anonymity,

secrecy, etc.

Duminda Wijesekera Fall 2005

States and Variables

Kinds of variables: State variables: Those that are within the

scope of a role. Declared at the top of a role Unprimed versions indicate current state Primed versions indicate next state

Duminda Wijesekera Fall 2005

An examplerole Alice (A, B: agent, Ka, Kb: public_key, SND, RCV: channel (dy)) played_by A def= local State:nat, Na:text (fresh), Nb:text init State = 0

transition 1. State =0 /\ RCV(start) =|> State'=2 /\ SND({Na'.A}_Kb) /\ witness(A,B,na,Na') 2. State =2 /\ RCV({Na.Nb'}_Ka) =|> State'=4 /\ SND({Nb'}_Kb) /\ request(A,B,nb,Nb') /\ secret(Na,B)end role

Duminda Wijesekera Fall 2005

Basic types in HLPSL

Agent: names of principles public_key: asymmetric keys symmetric key: symmetric keys nat: natural numbers function: to model hash functions etc bool: Boolean values for modeling


Duminda Wijesekera Fall 2005

Aggregate types

Lists Example:

KeyMap: (agent, public_key) listinit KeyMap = []in((B,Kb’), KeyMap)

Duminda Wijesekera Fall 2005

State and transition predicates State predicate: First order formulas written

using unprimed state variables. Example:

State = Init State= done

Transition predicates First order formulas written using primed and unprimed state variables.

Example:(State‘=2) /\ SND({Na'.A}_Kb)

/\ witness(A,B,na,Na‘)

Duminda Wijesekera Fall 2005

Mappings Functions on messages:

rigid mapping that do not change due to state changes

Thus f(x) = f(x’) Mapping from one type to another

Denoted using -> Exampleexists KeyMap: agent -> public_keyinit KeyMap = [(A,Ka),(B,Kb)]

Duminda Wijesekera Fall 2005

Messages space of legal messages

as the closure of the basic types under the operations of concatenation via the associative “.” operator

and Encryption written {Msg}Key

for a given message Msg and encryption key Key Examples:

Na % The nonce on its ownA.Na % A’s name concatenated with the nonce{A.Na}K % As above, but encrypted with K

Duminda Wijesekera Fall 2005

Channels variables over which communication takes

place. Connects communicating parties. Type may take an attribute specifying the

intruder Currently supports only (dy), the Dolev-Yao

intruder Example:

role Alice (A, B: agent,Ka, Kb: public_key,SND, RCV: channel (dy) )

Duminda Wijesekera Fall 2005


Description of entity behavior Two kinds:

Basic Roles: Schematic descriptions of atomic behavior

Composed Roles: Instantiations of other roles composed

using operators

Roles are translated to TLA for operational semantics

Duminda Wijesekera Fall 2005

Role Definition1. Role declaration:

its name and the list of formal arguments, along with (in the case of basic roles)

a player declaration;2. Declaration of local variables and ownership rules, if

any;3. Initialization of variables, if required;4. Declaration of accepting states, if any;5. Knowledge declarations, if applicable; 6. Either (optionally) :

a transition section (for basic roles) or a composition section (for composed roles).

Duminda Wijesekera Fall 2005

Basic Roles

role Basic_Role (…) played_by … def= owns {θ: Θ} local {ε} init Init accepts Accept transition event1 action1 event2 action2end role

role Alice (A, B: agent, Ka, Kb: public_key, SND, RCV: channel (dy)) played_by A def= local State:nat, Na:text (fresh), Nb:text init State = 0

transition 1. State =0 /\ RCV(start) =|> State'=2 /\ SND({Na'.A}_Kb) /\ witness(A,B,na,Na') 2. State =2 /\ RCV({Na.Nb'}_Ka) =|> State'=4 /\ SND({Nb'}_Kb) /\ request(A,B,nb,Nb') /\ secret(Na,B)end role

General Pattern Initiator Role in NSPK

Duminda Wijesekera Fall 2005

Composed Roles: Parallel Composition

role Par_Role (…)

def= owns {θ:Θ}

local {ε}

init Init

accepts Accept


A Bend role



role Kerberos (..) composition Client /\ Authn_Server /\ TGS /\ Serverend role

Duminda Wijesekera Fall 2005

Composed Roles: Sequential Composition

role Seq_Role (…)def= owns {θ:Θ} local {ε} init Init accepts Acceptcomposition

A ; Bend role

General Pattern


role Alice (..) establish_TLS_Tunnel(server_ authn_only); present_credentials; main_protocol(request, response)end role

Duminda Wijesekera Fall 2005

Syntactic Details: Role declaration keyword role followed by an identifier (the

role name) and, in parentheses, a comma separated list of arguments with

their types. A definition of the role player An optional role header:

may declare local variables using exists may assert ownership of variables with owns, may initialize variables in an init may define accepting states using accepts may include knowledge declarations

Duminda Wijesekera Fall 2005

An example role

role Alice(A,S:agent, Ka,Ks: public_key) played_by Alice def=exists State:nat, Na:text (fresh)init State = 0owns Xaccepts State=5 /\ auth =1knowledge(A)={ inv(Ka),{A,Ka}inv(Ks)}... % Role bodyend role

Duminda Wijesekera Fall 2005

State transitions in roles

Spontaneous transitionsanAction. A --|> B where Whenever state predicate A is satisfied

action B may be taken (non-deterministic: not required)

Immediate ReactionsaReaction. A =|> B Whenever a non-stutter event A is true

action B must be executed simultaneously

Duminda Wijesekera Fall 2005

State predicates, events and actions

A state predicate: Predicates that do not have primed variables.

Stuttering step: A transition predicate that does not change any value Example: X’=X /\ Y=Y’

Action: transition predicates p(v,v’) satisfying v v’ p(v,v’)

Events: transition predicates containing at least one X ≠X’

Duminda Wijesekera Fall 2005

An example again

role Basic_Role (…) played_by … def= owns {θ: Θ} local {ε} init Init accepts Accept transition event1 action1 event2 action2end role

role Alice (A, B: agent, Ka, Kb: public_key, SND, RCV: channel (dy)) played_by A def= local State:nat, Na:text (fresh), Nb:text init State = 0

transition 1. State =0 /\ RCV(start) =|> State'=2 /\ SND({Na'.A}_Kb) /\ witness(A,B,na,Na') 2. State =2 /\ RCV({Na.Nb'}_Ka) =|> State'=4 /\ SND({Nb'}_Kb) /\ request(A,B,nb,Nb') /\ secret(Na,B)end role

General Pattern Initiator Role in NSPK

Duminda Wijesekera Fall 2005

Communication in HLPSL Synchronous, via immediate transitions Runtime ensures that SND and RCV are

executed simultaneously, over channels How communication is modeled:

SND(msg) in RHS of rule shorthand for SND’=msg RCV(masg) in LHS is shorthand for

(RCV-flag’≠RCV-flag)/\(RCV’=Msg) where RCV-flag is a binary flag toggled whenever the channel has a new message.

Duminda Wijesekera Fall 2005

Role composition

No transition section Have a composition section that

instantiate other roles Operators:

Parallel /\ Sequential ;

Top level role is named Environment

Duminda Wijesekera Fall 2005

The NSPK example: Alicerole Alice (A,B:agent,Ka,Kb:public_key,SND,RCV: channel(dy))

played_by A def=exists State : nat, Na : text (fresh), Nb: textinit State=0knowledge(A) = { inv(Ka) }transitionstep1. State=0 /\ RCV(start)=|>

State’=1/\ SND({Na’.A}Kb)step2. State=1 /\ RCV({Na.Nb’}Ka) =|>

State’=2 /\ SND({Nb’}Kb)end role

Duminda Wijesekera Fall 2005

The NSPH example: Bobrole Bob(A,B:agent,Ka,Kb:public_key,SND,RCV:channel(dy))

played_by B def=exists State : nat, Na: text, Nb: text (fresh)init State=0knowledge(B) = { inv(Kb) }transitionstep1. State=0 /\ RCV({Na’.A}Kb) =|>

State’=1 /\ SND({Na’.Nb’}Ka)step2. State=1 /\ RCV({Nb}Ka) =|>

State’=2end role

Duminda Wijesekera Fall 2005

The NSPK: Compositionrole NSPK(S, R: agent -> channel (dy),

Instances: (agent,agent, public_key,public_key) set)

def=exists A, B: agent, Ka, Kb: public_key

composition/\_{in((A,B,Ka,Kb),Instances)}Alice(A,B,Ka,Kb,S(A),R(A))/\ Bob(A,B,Ka,Kb,S(B),R(B))

end role

Duminda Wijesekera Fall 2005

The NSPK: Environment

role Environment()


NSPK([(a,s_a),(b,s_b)], % S[(a,r_a),(b,r_b)], % R[(a,b,ka,kb),(a,i,ka,ki)]) % Instances

end role

Duminda Wijesekera Fall 2005

Security Goals Only secrecy and authentication goals are

supported currently. Expected have more expressive goals using

temporal logic syntax. Expressed in the goal section Examples:

Secrecy of V: If V is obtained or derived by the attacker, AVISPA would report.

Authentication goals: Strong authentication Weak authentication

Page 33: Duminda WijesekeraFall 20051 AVISPA Class Notes for ISA 780 Made from many publications available from the AVISPA web site .

Duminda Wijesekera Fall 2005

Examples: Security Goals of NSPK

goal Alice weakly authenticates Bob on NbBob weakly authenticates Alice on Nasecrecy_of Na, Nb

end goal

Duminda Wijesekera Fall 2005

Instantiating the main role in AVISPA
