Comunidad educativa
CAPÍTULO 3. TECNOLOGÍAS DE PROXIMIDAD Introducción
3.2. Bluetooth Low Energy (BLE)
Nested Knowledge We have shown above that after adding identities to our challenge response pro- tocol with signatures, the challengerAknows that the responderB has received the first message and has intended his message (the second message of the protocols) forA. The responder, on the contrary, has no knowledge about his challenger, that is he does not ifAwas the real sender of the first message, and that he received the second message. All the responder knows is his suspicions about the protocol, that is
α0≤2BfB(α0)
It is easily seen that this inequality holds, since by adjunction it is equivalent to the following
fB(α0)≤fB(α0)
In this section we are interested in calculating the nested knowledge of the agents, that is what does
Bknow about the knowledge ofA. In particular does he know thatAknows that he received the first message and sent the second one, that is do the following hold
α0 ≤2B2AqB,r,m,A and α0 ≤2B2AqB,s,SIGB(m,IDA),A
Consider the first inequality, which is by adjunction equivalent to
fB(α0)≤2AqB,r,m,A
which is itself, again by adjunction, equivalent to
So calculating the nested knowledge ofBaboutAis equivalent to calculating the nested suspicions of
AaboutB. We do this calculation as follows:
fA(fB(α0)) = fA
fB(qA,s,m,B•qB,r,m,A•qB,s,SIGB(m,IDA),A•qA,r,SIGB(m,IDA),B)
≤ fA(fB(qA,s,m,B))•fA(qB,r,m,A)•fA(qB,s,SIGB(m,IDA),A)
•fA(fB(qA,r,SIGB(m,IDA),B))
So far we have only assigned suspicions to the actions of the honest agents. But in order to calculate this composition we also have to assignfA’s to the actions of the intruder. For example we have to
decide about the following:
fA(qC,r,m
0,A
) and fA(qC,s,m,B)
Since we have assumed that there is only one intruder in the system,Ahas no uncertainties about the receive actions of the intruder, that is
fA(qC,r,m
0,A
) =qC,r,m0,A
But he suspects for example three possibilities about the send actions are
fA(qC,s,m,B) =qC,s,m,B∨qC,s,m
0,B ∨1
After assigning suspicions to all the intruder actions involved in the above expression, we have to analyze a considerable amount of disjuncts. In fact the number is so large that any thought of even starting the calculation without automation seems infeasible. So in order to be able to perform an exact analysis of the nested knowledge, we need to automize the reasoning.
On the other hand, calculating the nested knowledge ofAaboutB, that is
α0 ≤2A2BfB(α0)
is easier, this is because the above inequality is equivalent to
fB(fA(α0))≤fB(α0)
and we have done a perfect analysis offA(α0)before, in which we discarded 17 cases of the 19 disjuncts
and had to deal with only 2 cases other than reality. So we have the following
So agentAdoes not know agentB’s suspicions, that is
fB(fA(α0))fB(α0) ∼= α02A2BfB(α0)
We now know whatAdoesnotknow, but what about the things that he knows? We can show thatA
knows thatBis uncertain about the first message
α0 ≤2A2B(qA,s,m,B∨qA,s,m
0,B
∨qA,s,m,C∨qA,s,m0,C) and also thatAknows thatBknows that he received the second message
α0 ≤2A2BqB,r,m,A
AgentAhas these pieces of nested knowledge because he has refined suspicions that lead to his ac- quiring some knowledge. But agentB was not able to do any refinement on his suspicions in the CR with two messages and as a result calculating his nested knowledge involves checking many cases. In the CR with three messages and identitiesγ0, agentBalso refines his suspicions and we can show that
γ0≤2B2AqB,r,m,A also γ0 ≤2B2AqB,s,{n,SIGB(n,m,IDA)},A
Another form of nested knowledge, is the nested knowledge of the intruder, that is calculating knowl- edge ofCabout the knowledge of the other two honest agents. But this can be easily calculated since we have only dealt with clear text messages. So the intruder does not have any suspicions andfC is
identity on all the messages and as a result he knows everything that each agent knows, for example
α0≤2C2AqB,s,SIGB(m),A and α0 ≤2
C2AqB,r,m,A
But the situation changes if cipher texts are used, in which caseC does not know the content of the messages that are encrypted in keys that he does not have. This constitutes future work and will be discussed in another point below.
Conditional Knowledge As it stands, in the CR with two messagesα0, agentBdoes not know thatA
actually knows that he received the first message and sent the second message toA. But if he knows that
Areceived his second message as it was sent, then he, exactly likeA, discards his suspicions. That is if he knows thatAreceived the second message, he knows thatAknows that he received the first message and so on. We can express this using the adjoints (residuals) to sequential composition: as discussed in the chapter on the algebra, sequential composition is join-preserving and non-commutative, thus it has two adjoints presented in chapter two.
Here we use the first residual to expressB’s conditional knowledge: α0≤2BfA(α0)/2BqA,r,SIGB(m),B which is equivalent to α0•2BqA,r,SIGB(m),B ≤2 BfA(α0) equivalent to fB(α0)•qA,r,SIGB(m),B ≤fA(α0)
Enriching the setting so that these sort of inequalities can be proven in it constitutes further work. For example, we have to add axioms to discard the following invalid sequences of messages
qA,r,m0,B•qA,r,SIGB(m),B =⊥
We also need to add axioms to discard repetition of factual messages, for example
qA,r,SIGB(m),B•qA,r,SIGB(m),B ≤qA,r,SIGB(m),B
Lack of Knowledge . Another interesting thing we can express using residuals is lack of knowledge. We can define two kinds of negations (using each residual) for actions, for example by using the right residual we can define aright negationas¬q =⊥/q. We can then express that it is impossible forA
to know ifBreceived his message right after he sent it
qA,s,m,B•qB,r,m,A≤ ¬2AqB,r,m,A
for which we have to show
qA,s,m,B•qB,r,m,A•2AqB,r,m,A=⊥
In order to prove this we need the axiom about repetition of factual messages. The rest goes by noting thatfA(⊥) =⊥, takingfAon both sides, and recalling thatfA(2AqB,r,m,A)≤qB,r,m,A.
Contents of messages So far in this chapter, we have showed how one can reason about knowledge of agents about actions in a security protocol. Each action has a propositional content, about which the agents also have knowledge. For example whenBreceives a message, he gets to know its content. Reasoning about the propositional knowledge is done in the module where we use the dynamic modal- ity, exactly in the same lines as for the muddy children puzzle. For example, if the initial situation is encoded in a propositions0 ∈Mwe have to prove the following inequality to show that after receiving
a message,Bknows its content
On the other hand, afterAsends his message toB, we do not have thatB knows the content, sinceC
might have stopped or changed it, that is
s0 [qA,s,m,B]2Bm
Moreover, agentAis aware of this:
s0 [qA,s,m,B]2A2Bm
In this setting we can prove that after a protocol with only one message, agentB knows the content of the message he has received, that is
s0≤[qA,s,m,B•qB,r,m,A]2Bm
butAis not aware of it
s0 [qA,s,m,B•qB,r,m,A]2A2Bm
The proofs of these cases are derivable from the proofs of the single action cases. For example, we have the following claim:
If s0 ≤[qB,r,m,A]2Bm then s0 ≤[qA,s,m,B•qB,r,m,A]2Bm
To prove this claim we start from ourunifyingaxiom on the quantale
qA,s,m,B•qA,r,m,A≤qB,r,m,A
now we update the initial situation on both sides and we get
s0.(qA,s,m,B•qA,r,m,A)≤s0. qB,r,m,A
we then applyfBto both sides
fB(s0.(qA,s,m,B•qA,r,m,A))≤fB(s0. qB,r,m,A)
but the right hand side is less thanmby our if part of the claim
fB(s0. qB,r,m,A)≤m
so we have
which is equivalent to the then part of our claim
s0≤[qA,s,m,B•qB,r,m,A]2Bm
and we are done. So all that needs to be done is to encode the propositional part of each security protocol in our module so that we can prove propositional knowledge of agents, that is for example the if part of the claim. For this we have to analyze the initial situations0 and assign propositional
appearances to it for each agent, that isfB(s0)andfA(s0). We also have to assign kernel to each of
our actions. In fact, the kernel of the send and its corresponding receive will be the same, since they have the same propositional content.
Secrecy So far we have only considered messages in clear text and did not use encryption. This means that each agent, when he receives the message, will know its content and this includes the intruder. This knowledge is included in the knowledge of actions, that is we have shown how to prove the following
qC,r,m,A≤2CqC,r,m,A
which says that after the intruderCreceives a messages containingm inA’s name, he will know he has received this message with all the particulars. This should result in the derivation of the following propositional knowledge on the module
s0 ≤[qC,r,m,A]2Cm
But when the messages are encrypted, things are not the same. We denote by {m}K an encrypted propositionmin the keyK. Suppose that the key is only known byAandBand not byC. So we have the following inequality forB
qC,r,{m}K,A≤2
BqC,r,{m}K,A
butCwill not get to know the decrypted content, that is
s0 [qC,r,{m}K,A]2Cm
and we only have thatCknows the encrypted and not the real content
s0 ≤[qC,r,{m},A]2C{m}K
which does not imply thatC also knows the real content. The situation is different forAandB, for example we have the following for agentB
Adding secrecy, reduces the powers of the intruder: he is not anymore the agent who knows everything. Encoding secrecy constitutes future work, we have to encode the initial assumptions in such a way the we can derive the above properties.
Chapter 6
Algebraic Representation of Kripke
Semantics
The usual semantics for epistemic logic is the relational or Kripke models that encode the appearances as accessibility relations on a set of states that stand for possible worlds for agents and calculate knowl- edge set-theoretically. These models have been extended by Baltag Moss and Solecki [10] to model communication actions and their effects on the knowledge of agents. The syntax of their logic DEL, has been discussed in chapter three. In this chapter we explain the Kripke semantics of DEL and show how it can be recasted and represented in our order-theoretic semantics of Epistemic Systems, presented in chapter two. The novelty of DEL is that it models actions as states as Kripke models and then formal- izes the effect of an action on knowledge by forming the (partial) product of the two structures. Our theorem shows that models of DEL are instances or concrete versions of models of IDEAL. We start with defining Kripke models for states and actions and the product of the two. Examples will be pre- sented along the way to make the understanding of concepts easier. We then abstract over these Kripke models and build abstractDELmodels in order to state our theorem. The proofs are straightforward and follow from the way we abstract the state and action models. This means that any valid formula in a model ofDELis valid in its corresponding order structure built by our theorem and also the other way around. Although there exist dualities [28, 49] between Kripke models of epistemic logic and order-theoretic structures, for instances boolean algebras with operators are algebraic models of classi- cal modal logic [51, 50], nothing similar has been done for the setting ofDEL. The other direction of the construction of this chapter, mentioned in the joint work [8] is the first of its kind.
6.1
Kripke Models
For a set offactsΦand a finite set ofagentsA, aKripke state modelis a triple S= (S, A- , µ)A∈A
whereSis the set ofstates, A- is theaccessibility relationfor each agentA∈ A, that is
A
- ⊆S×S , andµis thevaluation mapdefined as follows
µ:S→ P(Φ),
that encodes the following satisfaction relation
s|=φ iff φ∈µ(s).
The “facts” φ ∈ Φ are simple, objectives features of the world (“objective” in the sense of non- epistemic, i.e. independent of the agents’ knowledge or believes), and the valuation maps tell us what facts hold in a given states∈S.
Example. Consider a coin-toss scenario where in front of two agentsAandB, a refereeC throws a coin and covers it. So non of the agents includingChimself know on which face the coin has landed. This scenario can be modeled by the following Kripke structure
(Toss)
ONML HIJKs:H
A,B,C
J
J A,B,Coo //ONMLHIJKt:T A,B,C
I
I .
In this model we have two states, one in which the coin lands heads up denoted ass, and another in which the coin lands tails, denoted byt. So the set of states isS={s, t}. The accessibility relation forAtells us ifsis the real world, agentAconsiders the worldssandtas possible, because he does not know on which face the coin has landed. So the set of accessibility relation for agentAis
A
- ={(s, s),(s, t),(t, t),(t, s)} and similarly for agentsBandC, that is
B
- =
C
- ={(s, s),(s, t),(t, t),(t, s)}
The set of facts is{H, T}, whereHis the fact that the coin is heads andT is the fact that the coin is tails. The valuations are as follows
s|=H and t|=T
or inµterms:
This says that each state satisfies its corresponding facts.
Repackaging of Accessibility Relations Each accessibility relation can be repackaged as (or lifted t) a map from the set of states to the power set of states as follows
fA:S→ P(S) ::s7→fA(s) :={t∈S|s A
- t},
which corresponds to our algebraicappearance mapof an agentA. The significance of the appearance maps is as follows: ift∈fA(s)then, whenever agentAis in stateshe considers statetas a ‘possible
world’. In other words, if the actual state of the system iss, agentAthinkstmay be the actual state. For example in our coin-toss model above we have
fA(s) ={s, t} and fA(t) ={s, t}
and similarly forBandC.
As another example consider a case in which agentsBandCcan see the face of the coin, but agent
Acannot see it (although he knows that the others see it), so he is still uncertain if the coin is heads or tails. This scenario is depicted in the following Kripke model called PToss:
(PToss) ONML HIJKs0 :H A,B,C K K oo A //ONMLHIJKt 0 :T A,B,C K K .
In this case only agentAis uncertain about the face of the coins and thus has several arrows between states, that is
fA(s0) =fA(t0) ={s0, t0}
whereas agentsB andChave only one arrow in each state, that is
fB(s0) =fC(s0) ={s0} and fB(t0) =fC(t0) ={t0}
This means that if the coin is heads up,BandCknow it and similarly for tails up.
Epistemic Propositions We continue the repackaging by defining a new notion of proposition: Definition 6.1.1 Anepistemic proposition P over a state model Sis a subset P ofS, containing all the states at which the proposition is ‘true’.
We have to show how our valuations and appearance maps extend to this new notion of proposition. The mapsµandfAof the state model are extended to elements ofP as follows
fA(P) :=
[
{fA(s)|s∈P} ∈ P(S) µ(P) :=
\
Since epistemic propositions are just subsets of the set of states, appearance maps can be extend to them point wisely, . So in order to calculate the appearance map of a set of states, we take the union of the appearance maps of each element. For the valuations, we first form the set ofµmaps of each element and then take the intersection of these sets. We use intersection and not union in definingµ(P)since a fact is entailed by an epistemic proposition when it holds at all the states of the proposition. This will become clear by our example below. This is called acontravariantpassage fromP(S)toP(Φ), that is theµis order reversing. In other words, the actual algebra of facts isP(Φ)op, that is, the complete boolean algebraP(Φ)where the order is reversed i.e.
φ1≤opφ2⇔φ1 ⊇φ2.
While facts are simple and non-epistemic, and thus cannot be altered by epistemic actions (as explained in chapter two), epistemic propositions can express complex features of the world, which may depend on the agents’ knowledge (and so can be changed by epistemic actions). Facts can also be repackaged