Team Automata for Security Analysis (of Multicast/Broadcast Communication)

1. Team Automata for Security Analysis(of Multicast/Broadcast Communication) Maurice ter Beek1, Gabriele Lenzini1,2, Marinella Petrocchi3 1 ISTI, CNR, Pisa, Italy 2 Dept. of CS, University of Twente, The Netherlands 3 Istituto di Informatica e Telematica, CNR, Pisa, Italy WISP 2003 1stWorkshop on Issues in Security and Petri nets Eindhoven, The Netherlands, 23 June 2003 Technical Report, University of Twente, The Netherlands

2. Multicast/Broadcast technology Unicast: “sending a message through a point-to-pointconnection” Broadcast: “flooding a message to all the connected recipients using a single local transmit operation” (e.g. ordinary TV) Multicast: “sending a message to a set of designated recipients using a single local transmit operation” (e.g. pay-per-view TV) M/B technology was born with the intent of saving resources (e.g. bandwidth & CPU time) w.r.t. unicast

3. Stream signature protocols • send digital streams, i.e. long (potentially infinite) sequences of bits, as packets • guarantee authenticity and integrity • aim at minimizing the computational cost of signing and verifying packets a sender broadcasts a continuous stream to a possibly unbounded number of receivers Features receivers use information retrieved in earlier packets to authenticate later packets (or v.v.)

4. Tolerating packet loss • digital streams are usually sent over the User Data Protocol, an unreliable transport protocol • this may cause packet loss, i.e. the stream may be received incomplete by (a part of) the recipients • a stream signature protocol tolerates packet loss if it still allows a recipient to verify all packets that are not lost

5. The EMSS family of protocols • Efficient Multi-chained Stream Signature: family of protocols to sign digital streams (Perrig et al., IEEE S&P 2000) • basic idea: a hash of packet Pi is appended to packet Pi-1 (whose hash is in turn appended to packetPi-2 , etc.) • signature packet Psign at the end of the stream • each packet contains multiple hashes of previous packets and the signature packet contains hashes of multiple packets • multiple copies of the signature packet are sent

6. Packet PSign Hash(PLAST) Hash(PLAST-1) SIGNATURE The (1,2) deterministic EMSS Packet Pi-1 Packet Pi Packet Pi+1 Mi-1 Hash(Pi-2) Hash(Pi-3) Mi Hash(Pi-1) Hash(Pi-2) Mi+1 Hash(Pi) Hash(Pi-1) . . . Time / Number of packets EMSS achieves (some) robustness against packet loss

7. S: Ri: a a p p’ qi qi’ a (p,q1,…,qi,…,qn) (p’,q1’,…,qi’,…,qn’) Broadcast communication in TA: max-ai broadcast TA |||{S,R1,…,Ri,…,Rn}:

8. TX The insecure communication scenario TR TR TS assertions TR public send public receive TIC TP TI eavesdrop inject (Lynch, CSFW’99)

9. (P) (P)     C C GeneralizedNon-Deducibility on Compositions Top  • P  GNDCiff (P || ) \C (P) • A system specification P satisfies GNDC if the behavior of P, • despite the presence of the most general intruder , • with initial knowledge and communication channels , • appears to be the same (w.r.t. a behavioural relation ) • as the expected (correct) behaviour of P • (Focardi-Martinelli, FM’99 & Focardi et al., ICALP’00) • composition, hiding Top  C  (P) || \