pattern has variables not appearing in S, these will be created and used within the predicate. This method has allowed us to analyze by forward model checking all the examples in Section 5.5.

Example 5.2 Given the following attack S, and never patterns Alice1 and Alice2 (not sharing variables with S) of the Diffie-Hellman protocol in Example 3.2:

$$S = \{\; :: r2 :: [\,(a; b; Y)^-,\ (b; a; \mathit{exp}(g, n(b, r2)))^+,\ (e(\mathit{exp}(Y, n(b, r2)), SR))^- \mid \mathit{nil}\,] \;\&\; SS \;\&\; \{IK\} \;\}$$

$$\mathit{Alice1}\ ::\ r, r1\ ::\ [\,(a; b; \mathit{exp}(g, n(a, r)))^+\,]$$

$$\mathit{Alice2}\ ::\ r, r1\ ::\ [\,(a; b; \mathit{exp}(g, n(a, r)))^+,\ (b; a; X)^-,\ (e(\mathit{exp}(X, n(a, r)), \mathit{sec}(a, r1)))^+\,]$$

The Maude conditional search command to search for the attack S, avoiding the never patterns for Alice’s strand, is as follows:

$$\mathtt{search}\ \mathit{init} \rightarrow S\ \ \mathtt{such\ that}\ \ \mathit{pAlice1}(S) = \mathit{false} \wedge \mathit{pAlice2}(S) = \mathit{false}\ .$$

where the predicates pAlice1 and pAlice2 check whether any strand of the concrete state S is an instance of the strands Alice1 and Alice2, respectively.

5.3 Forwards Operational Semantics

In a forward reachability analysis, we define state changes by means of a set $R_{FP}$ of rewrite rules, so that the rewrite theory $(\Sigma_P, E_P, R_{FP})$ characterizes the behavior of protocol P modulo the equations $E_P$. Here we do not have generic transition rules, as in the backwards semantics, and all the rules are generated from principal and intruder strands. The intuitive idea is that a state consists of a multiset of partially executed strands and a set of terms in the intruder’s knowledge. Unlike the backwards semantics, only the part of the strand that has already executed is present in the state, and each such partial strand instantiates a prefix of a strand in P. One progresses by either: (i) adding a positive term m to an existing strand and either adding or not adding m to the intruder’s knowledge, (ii) adding a negative term m to an existing strand only if it is already present in the intruder’s knowledge, or (iii) starting a new strand and, if it starts with a positive term m, either adding or not adding m to the intruder’s knowledge. For example, the intruder encryption capability $[(K)^-, (M)^-, (e(K, M))^+]$ produces the following three rewrite rules:

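$$\begin{aligned}
& \{SS \;\&\; \{K{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(K)^-] \;\&\; \{K{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\[6pt]
& \{SS \;\&\; [(K)^-] \;\&\; \{M{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(K)^-, (M)^-] \;\&\; \{M{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\[6pt]
& \{SS \;\&\; [(K)^-, (M)^-] \;\&\; \{IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(K)^-, (M)^-, (e(K, M))^+] \;\&\; \{e(K, M){\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\}
\end{aligned}$$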

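The sets of rewrite rules for output messages are generated as follows; note that some rewrite rules are conditional:

$$\left\{\begin{array}{l}
\forall\, [u_1, \ldots, u_{j-1}, u_j^+, u_{j+1}, \ldots, u_n] \in P \wedge j > 1 : \\
\{SS \;\&\; \{IK\} \;\&\; [u_1, \ldots, u_{j-1}] \;\&\; \langle N \rangle\} \\
\quad \rightarrow \{SS \;\&\; \{u_j{\uparrow}MN{\in}\mathcal{I}, IK\} \;\&\; [u_1, \ldots, u_{j-1}, (u_j{\uparrow}MN)^+] \;\&\; \langle M \rangle\} \\
\quad \text{IF } (u_j{\uparrow}MN{\in}\mathcal{I}) \notin IK
\end{array}\right\} \qquad (5.1)$$

$$\left\{\begin{array}{l}
\forall\, [u_1, \ldots, u_{j-1}, u_j^+, u_{j+1}, \ldots, u_n] \in P \wedge j > 1 : \\
\{SS \;\&\; \{IK\} \;\&\; [u_1, \ldots, u_{j-1}] \;\&\; \langle N \rangle\} \\
\quad \rightarrow \{SS \;\&\; \{IK\} \;\&\; [u_1, \ldots, u_{j-1}, (u_j{\uparrow}MN)^+] \;\&\; \langle M \rangle\}
\end{array}\right\} \qquad (5.2)$$

$$\left\{\begin{array}{l}
\forall\, [u_1^+, \ldots, u_n] \in P : \\
\{SS \;\&\; \{IK\} \;\&\; \langle N \rangle\} \\
\quad \rightarrow \{SS \;\&\; [(u_1{\uparrow}MN)^+] \;\&\; \{u_1{\uparrow}MN{\in}\mathcal{I}, IK\} \;\&\; \langle M \rangle\} \\
\quad \text{IF } (u_1{\uparrow}MN{\in}\mathcal{I}) \notin IK
\end{array}\right\} \qquad (5.3)$$

$$\left\{\begin{array}{l}
\forall\, [u_1^+, \ldots, u_n] \in P : \\
\{SS \;\&\; \{IK\} \;\&\; \langle N \rangle\} \rightarrow \{SS \;\&\; [(u_1{\uparrow}MN)^+] \;\&\; \{IK\} \;\&\; \langle M \rangle\}
\end{array}\right\} \qquad (5.4)$$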

Each transition rule of type (5.1) accepts output messages and the intruder’s knowledge is positively increased, while each transition rule of type (5.2) simply accepts output messages without modifying the intruder’s knowledge. Each transition rule in (5.3) and (5.4) introduces a new strand beginning with an output message. Similarly, rules of type (5.3) introduce a new strand and the intruder’s knowledge is positively increased, whereas rules of type (5.4) introduce a new strand but the intruder’s knowledge is not increased¹.

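The following set of rewrite rules describes the general state transition for a negative message, generating specific rewrite rules according to the protocol strands:

$$\left\{\begin{array}{l}
\forall\, [u_1, \ldots, u_{j-1}, u_j^-, u_{j+1}, \ldots, u_n] \in P \wedge j > 1 : \\
\{SS \;\&\; \{u_j{\in}\mathcal{I}, IK\} \;\&\; [u_1, \ldots, u_{j-1}] \;\&\; \langle N \rangle\} \\
\quad \rightarrow \{SS \;\&\; \{u_j{\in}\mathcal{I}, IK\} \;\&\; [u_1, \ldots, u_{j-1}, u_j^-] \;\&\; \langle N \rangle\}
\end{array}\right\} \qquad (5.5)$$

$$\left\{\begin{array}{l}
\forall\, [u_1^-, u_2, \ldots, u_n] \in P : \\
\{SS \;\&\; \{u_1{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\
\quad \rightarrow \{SS \;\&\; [u_1^-] \;\&\; \{u_1{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\}
\end{array}\right\} \qquad (5.6)$$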

Each transition rule in (5.5) and (5.6) accepts input messages if the intruder’s knowledge matches them. Note that in (5.6) a new strand is introduced.

Definition 5.3 Let P be a protocol with signature $\Sigma_P$ and equational theory $E_P$. We define the forward rewrite theory characterizing P to be $(\Sigma_P, E_P, R_{FP})$ where $R_{FP} = \{(5.1) \cup (5.2) \cup (5.3) \cup (5.4) \cup (5.5) \cup (5.6)\}$.

The forwards execution of a protocol induces a transition system as follows.

¹ Note that the use of the global counter for new principal names in previous rules has to take into account when one of those principals is indeed the intruder; see Example 5.5 for the case in which the intruder impersonates Bob.

Definition 5.4 (Transition System induced by a Protocol) Given a protocol P characterized by the forward rewrite theory $(\Sigma_P, E_P, R_{FP})$ such that $(\Sigma_P, B, E_0)$ is a decomposition of $(\Sigma, E_P)$, we can associate to it a transition system $L_P$ whose states are B-equivalence classes of terms in $E_0,B$-canonical form and whose transitions are of the form:

$$[t]_B \rightarrow [t']_B$$

where $t \rightarrow_{R_{FP},B} u$ and $t' =_B u{\downarrow}_{E_0,B}$.

Unlike the case with process calculi, no information is removed from a state and the history of previous actions can be recovered from a state. Therefore there is no need to record this information in the transition system through labels in order to obtain a labeled transition system. However, labels can be added if desired (e.g. as a compact way of encoding essential information).
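The forward rules (5.1) to (5.6) and the never-pattern search of Example 5.2 can be exercised on a toy instance. The following Python code is an added example, not taken from the thesis or from Maude-NPA. It assumes ground terms, at most one instance of each strand, and no counter, fresh variables or equational theory; the strand names `gen_k`, `gen_m`, `enc` and all function names are hypothetical.

```python
from collections import deque

# Constructed ground strands (assumption): a message is (sign, term).
STRANDS = {
    "gen_k": [("+", "k")],
    "gen_m": [("+", "m")],
    "enc": [("-", "k"), ("-", "m"), ("+", ("e", "k", "m"))],
}
NAMES = tuple(STRANDS)

def successors(state):
    """One forward step from state = (progress per strand, intruder knowledge)."""
    progress, ik = state
    for i, name in enumerate(NAMES):
        strand, done = STRANDS[name], progress[i]
        if done == len(strand):
            continue
        sign, term = strand[done]
        step = progress[:i] + (done + 1,) + progress[i + 1:]
        if sign == "-":
            if term in ik:                # (5.5)/(5.6): input must be known
                yield step, ik
        else:
            yield step, ik                # (5.2)/(5.4): output, IK unchanged
            if term not in ik:            # (5.1)/(5.3): output learned
                yield step, ik | {term}

def search(goal, never=lambda state: False):
    """Breadth-first search; returns the step count to a goal state, or None."""
    start = ((0,) * len(NAMES), frozenset())
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        state, depth = queue.popleft()
        if never(state):                  # never pattern: discard this state
            continue
        if goal(state):
            return depth
        for nxt in successors(state):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return None

def knows(term):
    return lambda state: term in state[1]

def started(name):
    return lambda state: state[0][NAMES.index(name)] > 0
```

Because a state keeps every partially executed strand, the `never` predicate can inspect strand progress directly, which is what the conditional search of Example 5.2 relies on.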

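Example 5.5 Let us show the rewrite rules generated for the protocol with Diffie-Hellman exponentiation of Example 3.1 in Page 45. The rewrite rules associated to Alice’s strand in the forwards semantics of our running example are as follows, where the increment of the global counter can be clearly identified. Alice’s strand is defined as

$$:: r, r1 :: [\,(A; B; \mathit{exp}(g, n(A, r)))^+,\ (B; A; X)^-,\ (e(\mathit{exp}(X, n(A, r)), \mathit{sec}(A, r1)))^+\,]$$

and the rewrite rules associated to it are as follows:

$$\begin{aligned}
& \{SS \;\&\; \{IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(N; N{+}1; \mathit{exp}(g, n(N, N{+}2)))^+] \;\&\; \{(N; N{+}1; \mathit{exp}(g, n(N, N{+}2))){\in}\mathcal{I}, IK\} \;\&\; \langle N{+}3 \rangle\} \\[6pt]
& \{SS \;\&\; [(A; B; \mathit{exp}(g, n(A, R)))^+] \;\&\; \{(B; A; X){\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(A; B; \mathit{exp}(g, n(A, R)))^+, (B; A; X)^-] \;\&\; \{(B; A; X){\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\[6pt]
& \{SS \;\&\; [(A; B; \mathit{exp}(g, n(A, R)))^+, (B; A; X)^-] \;\&\; \{IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(A; B; \mathit{exp}(g, n(A, R)))^+, (B; A; X)^-, (e(\mathit{exp}(X, n(A, R)), \mathit{sec}(A, N)))^+] \;\&
\end{aligned}$$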

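When the intruder impersonates Bob, the first rule is:

$$\begin{aligned}
& \{SS \;\&\; \{IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(N; i; \mathit{exp}(g, n(N, N{+}1)))^+] \;\&\; \{(N; i; \mathit{exp}(g, n(N, N{+}1))){\in}\mathcal{I}, IK\} \;\&\; \langle N{+}2 \rangle\}
\end{aligned}$$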

where i is a constant denoting the intruder’s name. Note that it is not necessary to duplicate the other two rules.

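Bob’s strand is defined as

$$:: r, r1 :: [\,(A; B; Y)^-,\ (B; A; \mathit{exp}(g, n(B, r2)))^+,\ (e(\mathit{exp}(Y, n(B, r2)), Sr))^-\,]$$

and the rewrite rules associated to it are as follows:

$$\begin{aligned}
& \{SS \;\&\; \{A; B; Y{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(A; B; Y)^-, (B; A; \mathit{exp}(g, n(B, N)))^+] \;\&\; \{A; B; Y{\in}\mathcal{I}, (B; A; \mathit{exp}(g, n(B, N))){\in}\mathcal{I}, IK\} \;\&\; \langle N{+}1 \rangle\} \\[6pt]
& \{SS \;\&\; [(A; B; Y)^-, (B; A; \mathit{exp}(g, n(B, J)))^+] \;\&\; \{e(\mathit{exp}(g, NS \ast n(B, J)), Sr){\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(A; B; Y)^-, (B; A; \mathit{exp}(g, n(B, J)))^+, (e(\mathit{exp}(g, NS \ast n(B, J)), Sr))^-] \;\&\; \{e(\mathit{exp}(g, NS \ast n(B, J)), Sr){\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\}
\end{aligned}$$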

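Let us now show the rewrite rules generated for each intruder action. The strands denoting the intruder’s ability to perform the inverses of the concatenation are defined as follows:

$$:: \mathit{nil} :: [\,(M_1; M_2)^-,\ (M_1)^+\,]$$

$$:: \mathit{nil} :: [\,(M_1; M_2)^-,\ (M_2)^+\,]$$

We show below the rewrite rules associated to these two strands:

$$\begin{aligned}
& \{SS \;\&\; \{(M_1; M_2){\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(M_1; M_2)^-, (M_1)^+] \;\&\; \{(M_1; M_2){\in}\mathcal{I}, M_1{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\[6pt]
& \{SS \;\&\; \{(M_1; M_2){\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\}
\end{aligned}$$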

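The intruder strand denoting its ability to concatenate two messages $M_1$ and $M_2$ is defined as follows:

$$:: \mathit{nil} :: [\,(M_1)^-,\ (M_2)^-,\ (M_1; M_2)^+\,]$$

and its associated rewrite rules are as shown below:

$$\begin{aligned}
& \{SS \;\&\; \{M_1{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(M_1)^-] \;\&\; \{M_1{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\[6pt]
& \{SS \;\&\; [(M_1)^-] \;\&\; \{M_2{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(M_1)^-, (M_2)^-] \;\&\; \{M_2{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\[6pt]
& \{SS \;\&\; [(M_1)^-, (M_2)^-] \;\&\; \{IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(M_1)^-, (M_2)^-, (M_1; M_2)^+] \;\&\; \{(M_1; M_2){\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\}
\end{aligned}$$

In this protocol the intruder is allowed to encrypt and decrypt a message M with a given key Ke, which is denoted by the strands shown below: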

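$$:: \mathit{nil} :: [\,(M)^-,\ (Ke)^-,\ (e(Ke, M))^+\,]$$

$$:: \mathit{nil} :: [\,(M)^-,\ (Ke)^-,\ (d(Ke, M))^+\,]$$

The rewrite rules generated for these two strands are as follows:

$$\begin{aligned}
& \{SS \;\&\; \{M{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(M)^-] \;\&\; \{M{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\[6pt]
& \{SS \;\&\; [(M)^-] \;\&\; \{Ke{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(M)^-, (Ke)^-] \;\&\; \{(Ke{\in}\mathcal{I}), IK\} \;\&\; \langle N \rangle\} \\[6pt]
& \{SS \;\&\; [(M)^-, (Ke)^-] \;\&\; \{IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(M)^-, (Ke)^-, (e(Ke, M))^+] \;\&\; \{e(Ke, M){\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\[6pt]
& \{SS \;\&\; \{(M){\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(M)^-] \;\&\; \{M{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\[6pt]
& \{SS \;\&\; [(M)^-] \;\&\; \{Ke{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(M)^-, (Ke)^-] \;\&\; \{(Ke{\in}\mathcal{I}), IK\} \;\&\; \langle N \rangle\} \\[6pt]
& \{SS \;\&\; [(M)^-, (Ke)^-] \;\&\; \{IK\} \;\&\; \langle N \rangle\}
\end{aligned}$$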

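The intruder’s ability to perform the product of two exponents $NS_1$ and $NS_2$ is denoted by the strand shown below:

$$:: \mathit{nil} :: [\,(NS_1)^-,\ (NS_2)^-,\ (NS_1 \ast NS_2)^+\,]$$

The rewrite rules associated to this strand are as follows:

$$\begin{aligned}
& \{SS \;\&\; \{(NS_1){\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(NS_1)^-] \;\&\; \{NS_1{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\[6pt]
& \{SS \;\&\; [(NS_1)^-] \;\&\; \{(NS_2){\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(NS_1)^-, (NS_2)^-] \;\&\; \{NS_2{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\[6pt]
& \{SS \;\&\; [(NS_1)^-, (NS_2)^-] \;\&\; \{IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(NS_1)^-, (NS_2)^-, (NS_1 \ast NS_2)^+] \;\&\; \{(NS_1 \ast NS_2){\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\}
\end{aligned}$$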

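The strand denoting the intruder’s ability to perform a Diffie-Hellman exponentiation of GE to the power of NS is as shown below:

$$:: \mathit{nil} :: [\,(GE)^-,\ (NS)^-,\ (\mathit{exp}(GE, NS))^+\,]$$

The rewrite rules associated to this strand are as follows:

$$\begin{aligned}
& \{SS \;\&\; \{GE{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(GE)^-] \;\&\; \{GE{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\[6pt]
& \{SS \;\&\; [(GE)^-] \;\&\; \{NS{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(GE)^-, (NS)^-] \;\&\; \{NS{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\} \\[6pt]
& \{SS \;\&\; [(GE)^-, (NS)^-] \;\&\; \{IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(GE)^-, (NS)^-, (\mathit{exp}(GE, NS))^+] \;\&\; \{\mathit{exp}(GE, NS){\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\}
\end{aligned}$$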

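The intruder capability to generate the g constant, denoted by the strand shown below:

$$:: \mathit{nil} :: [\,(g)^+\,]$$

has the following associated rewrite rule:

$$\{SS \;\&\; \{IK\} \;\&\; \langle N \rangle\} \rightarrow \{SS \;\&\; [(g)^+] \;\&\; \{g{\in}\mathcal{I}, IK\} \;\&\; \langle N \rangle\}$$

Finally, for the intruder’s capability to generate nonces and any arbitrary name A, denoted by the two strands shown below, respectively:

$$:: r :: [\,(n(i, r))^+\,]$$

$$:: r :: [\,(A)^+\,]$$

the following rewrite rules are generated, respectively:

$$\begin{aligned}
& \{SS \;\&\; \{IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(n(i, N))^+] \;\&\; \{n(i, N){\in}\mathcal{I}, IK\} \;\&\; \langle N{+}1 \rangle\} \\[6pt]
& \{SS \;\&\; \{IK\} \;\&\; \langle N \rangle\} \\
& \quad \rightarrow \{SS \;\&\; [(\mathit{name}(N))^+] \;\&\; \{\mathit{name}(N){\in}\mathcal{I}, IK\} \;\&\; \langle N{+}1 \rangle\}
\end{aligned}$$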

Note that, as explained above, names and fresh variables are treated as numeric constants.