Proof-Carrying Authentication∗
Andrew W. Appel and Edward W. Felten Secure Internet Programming Laboratory Department of Computer Science Princeton University Princeton, NJ 08544 USA
August 9, 1999
Abstract Statements in these frameworks are represented as data structures that are often digitally signed We have designed and implemented a general to ensure their integrity. and powerful distributed authentication frame- work based on higher-order logic. Authenti- Several authentication frameworks exist; we cation frameworks — including Taos, SPKI, mention a few here as examples. The Taos SDSI, and X.509 — have been explained using operating system provided support for secure logic. We show that by starting with the logic, remote procedure call and data structures to we can implement these frameworks, all in the represent authority and identity [6]. X.509 [15] same concise and efficient system. Because our is a widely-used standard for expressing and us- logic has no decision procedure — although ing digital certificates. SPKI [4] and SDSI [14] proof checking is simple — users of the frame- (since merged under the joint name SPKI) work must submit proofs with their requests. were reactions to the perceived complexity of X.509; in both cases the ‘S’ stands for ‘simple.’ 1 Introduction PolicyMaker [3] is a language for expressing se- curity policies; it can be applied to distributed Distributed authentication frameworks allow security policies. Kerberos [12], unlike the other sharing of access to resources across adminis- frameworks, uses symmetric-key encryption to trative boundaries in a distributed system. The authenticate users. Each framework has a main abstractions they support are name-to- differerent semantics and offers a different kind key bindings, access control, and delegation. of flexibility. ∗To appear in 6th ACM Conference on Computer and Formal logic has been used successfully to Communications Security, November 1999. explain authentication frameworks and proto- Copyright c 1999 by the Association for Computing Machinery, Inc. Permission to make digital or hard cols, most notably in the design of the Taos copies of part of this work for personal or classroom distributed operating system [1, 6]. The design- use is granted without fee provided that copies are not ers of Taos started by constructing an elegant made or distributed for profit or commercial advantage and expressive logic of authentication as an ex- and that copies bear this notice and the full citation on the first page or intial screen of the document. tension of propositional calculus. They proved Copyrights for components of this work owned by others this logic sound — any provable statement is than ACM must be honored. Abstracting with credit is true in all models — which makes the logic permitted. To copy otherwise, to republish, to post on an attractive basis for constructing a system. servers, or to redistribute to lists, requires prior specific However, since they wanted a server presented permission and/or a fee. Request permissions from Publications Dept., ACM Inc., fax +1(212)869-0481, or with a request to be able to decide whether [email protected]. to grant the request, they chose to implement
1 only a decidable subset of their authentication rules, they can safely interoperate: We can take logic. In a decidable logic, there is an algorithm one theorem proved using the SPKI definitions, for determining the truth (or falsehood) of any and another proved using Taos definitions, and statement. combine them to prove access even to a server Using a simple and decidable logic would that has seen neither set of definitions before. have had advantages: it’s easier to prove Although we have expressed SPKI in our metatheorems such as “there’s no way Alice logic, we don’t really recommend the use of can access the file bar.” Why, then, do we SPKI 5-tuples for authorization; the operators use an undecidable logic? Previous approaches weoutlineinsections4and5seemmore have taken a set of basic inference rules and natural. added application-specific inference rules to make application-specific logics; but the new 2 An Example rules must be trusted, i.e. proved sound. Suppose three principals, a client Alice, a By allowing quantification over predicates, we file server Bob, and a certification authority can use a single set of inference rules, with Charlie, are interacting across a network. (See application-specific rules proved as lemmas; Figure 1.) Bob receives a request to “read therefore, the application-specific rules can be foo.” Bob’s access control list says that a used to prove access requests to servers that principal called Alice can read foo — but is know only the basic logic. However, logics the request from Alice? Bob trusts Charlie with quantification over predicates – higher- to guarantee key-to-name bindings, and Bob order logics – tend to be undecidable: there is knows that Charlie’s key is K . Alice has no general algorithm for producing proofs of all c obtained a certificate signed by K that “K true statements. c a is Alice’s key,” and uses Ka to sign “read foo.” Still, a server presented with a request must Armed with all of this information, Bob can be able to figure out what to do. We solve safely grant the request to read foo. this problem by analogy with proof-carrying Our framework can express this as follows. code [9]: the client desiring access must con- We can treat “read foo” as an uninterpreted struct a proof, and the server will simply check atom, meaning that the logic doesn’t know that proof. Even in an undecidable logic, proof what it means although the participants do. checking can be simple and efficient. We put the Digital signing is a primitive of our logic, so burden of proof on the requester. We will show (Ka signed read foo) is a statement of the logic. several different strategies by which requesters Each principal is modeled as the set of can construct proofs, for example by picking formulas that she will admit as true. Thus, an application-specific decidable subset of our Alice( x.x x)meansthatAlice is willing to general logic. claim∀ that→ ( x.x x). That’s not admitting Each of the existing frameworks has chosen much, as the∀ statement→ is a tautology! But a particular set of concepts and abstractions: in fact any principal is required to admit any a particular form of delegation, a key-binding statement provable from other statements she mechanism, certain access control rules, and so admits. on. Although these choices are as reasonable as We translate the statement “Alice wants to any, no set of choices is right for everybody. By read foo” as Alice(read foo). We translate using higher-order logic, our framework allows “read foo if Alice says to” as follows: the specification and use of new abstractions and new variants on the existing abstractions. Alice(read foo) read foo. Since all the application-specific logics are → expressed using the same general inference Charlie’s certification that Ka is Alice’s key
2 Charlie Certification Authority Key certificate: OK to read foo? I want to 01001110=sign(K , keybind(K , Alice)) read foo. c a Prove it to me!
Request: read foo Bob Alice Proof: [S1: signature 10010111 Ka ReadFoo] [S2: signature 01001110 Kc (keybind Ka Alice)] controls_e A3 (keybind_e (controls_e (trustedCA_e A1) A1: trustedCA(Charlie) (keybind_e A2 S2)) A2: keybind(Kc,Charlie) S1). A3: controls(Alice, read foo)
Figure 1: Distributed authentication. we translate as that c is a trusted certification authority: if c says some key binding, we can trust Kc signed ( F. (Ka signed F ) (Alice(F ))). that key binding. ∀ → Bob’s knowledge of Charlie’s key is stated as These particular definitions may be well- suited to our example transaction, but they are F. (Kc signed F ) Charlie(F ). hardly likely to be general enough for the real ∀ → world. The strength of our approach is that Finally, Bob’s trust in Charlie is expressed as a it does not “build in” a fixed set of definitions memorandum to himself: but allows the participants in each application to define and use their own abbreviations. k. p. Some useful lemmas follow immediately from Charlie∀ ∀ (( S. (k signed S) p(S))) these definitions. For example, we can prove S. (k signed∀ S) p(S).→ → ∀ → the lemma controls e, which states that if These statements are expressed in a higher- p controls S and p says S,thenS is true: order logic (i.e., one in which we can quantify p controls Sp(S) over formulas and predicates), with inference controls e S rules given in Figure 3. Since these statements are rather unwieldy, Additional lemmas allow one to use state- it is only natural for the participants to have ments by a trusted certification authority, and agreed upon some definitions: to make inferences from key bindings: trustedCA(c) keybind(k, p) stands for trustedCA e S. (k signed S) p(S). That is, k is p’s c controls keybind(k, p) ∀key, so that if k→signs some statement S keybind(k, p) k signed S then p should be considered to believe it. keybind e p(S) p controls S stands for p(S) S.Thatis,p “controls” the statement S→,soifp says S 2.1 Constructing a proof. then S will be considered true. Bob starts with the following assumptions in his security database: trustedCA(c) stands for k. p. c controls keybind(k, p), meaning A1 = trustedCA(Charlie) ∀ ∀ 3 trustedCA(C) keybind(K ,C) K signed keybind(K ,A) trustedCA e c c a keybind e C controls keybind(K ,A) C(keybind(K ,A)) a a controls e keybind(K ,A) K signed read foo a a keybind e A controls read foo A(read foo) controls e read foo
Figure 2: Proof that Alice can read foo.
A2 = keybind(Kc, Charlie) benefit of any participant who was not already familiar with the definitions and their conse- A3 = Alice controls read foo quences. Using these assumptions, and the lemmas shown above, Alice can prove to Bob that he 3 The Logic should allow her to read foo. Before Alice can We are using a higher-order logic with the type do this, Bob must publish his assumptions – form of formulas and a base type, string,which his security policy – so that she can construct a will be used to represent keys, signatures, local valid proof. Some parts of the policy – such as names, and for many other purposes. The “Alice controls read foo” – he may not wish to inference rules of the logic are given in Figure 3; broadcast to the whole world, but he should at except for the last four rules, it is standard least tell each client the assumptions relevant higher-order logic. The last four inference rules to her. allow reasoning about digital signatures and The proof is illustrated in Figure 2. It has statements by principals derived from signa- five premises: the security policy A1,A2,A3 and tures and names (strings). For reasoning about two digital signatures sent by Alice with the time, we also need the type integer and rules proof. Alice can sign the statement read foo for arithmetic, which we do not show here. with her own key K ; she must ask Charlie to The type form form – which is a predicate a → sign the statement keybind(Ka,A) with his own on formulas – represents the worldview of an ac- key Kc. tor in the system: a principal (an individual or The proof is checked as follows. First machine), a group of principals, or some other we check the two digital signatures to such combination. We will define a principal P establish the facts Ka signed read foo and as a worldview that has the properties K signed keybind(K ,A). From assumption c a F. F P (F )and A we prove C controls keybind(K ,A) 1 a ∀F G.→ P (F ) P (F G) P (G) by the lemma trustedCA e. From ∀ ∀ ∧ → → A2 and a digital signature we prove that is, if F is true then P admits it, and if G C(keybind(Ka,A)) by the keybind e lemma. is a consequence of other things P admits, then Now from C controls keybind(Ka,A)and P admits G. C(keybind(Ka,A)) we prove keybind(Ka,A) A principal may be constructed from a string by the controls e lemma. From this and by the built-in function (). For any string a signature we prove A(read foo)bythe s the inference rules nameN r and name imp e keybind e lemma. Finally, from assumption guarantee that the worldview (s) satisfies the N A3 and A(read foo) we prove read foo by properties required of principals. controls e. We represent a cryptographic key as a string The definitions, and the proofs of the lem- in the X.509 SubjectPublicKeyInfo format, that mas, can be included with the proof for the is, an AlgorithmIdentifer followed by a bit
4 string that is the actual key [15]. The rule signed says that if s is the digital signature AB A B A B with key k of statement F ,then (k)(F ): and i ∧ and e1 ∧ and e2 N A B A B the principal (k)mustadmitanystatement ∧ signed by k.N The informal k signed F stands for the formal (k)(F ). A B or i1 or i2 There is an infiniteN family of digital signature A B A B ∨ ∨ axioms, one for each triple s, k, F where s is the digital signature with key k of the A B [A] [B] representation of the formula F . The proof- ∨ C C or e C checking infrastructure must be able to check digital signatures using one or more encryption algorithms. [A] A BA Because definitions such as “keybind” and B imp i → imp e A B B “controls” are not part of our trusted com- → puting base – such definitions are part of application-specific customizable protocols – A(Y ) Y not occurring in x.A(x) ∀ forall i each server must be able to mechanically check x.A(x) ∀ all proofs of their properties. As we will explain in Section 8, we have implemented a proof- x.A(x) checker for our logic (as will be necessary for the ∀ forall e A(T ) operation of a server in a distributed authenti- cation system). Every lemma and theorem that we state in this paper has been mechanically X = ZH(Z) congr refl verified. H(X) X = X 4 Using the Logic F name i Since a worldview is just a predicate on for- (s)(F ) N mulas, worldviews can exhibit a wide variety of behaviors. This fact can be useful, as we (s)(F ) (s)(F G) will see below, but it also has its drawbacks. N N → name imp e (s)(G) To simplify things, it is useful to define two N special classes of worldviews, and to prove some lemmas about the behavior of these kinds of digital signature(s, k, F ) signed worldviews. (k)(F ) N Principals. The first special class of world- views includes those made by the () operator, Figure 3: Inference rules of the logic. N Quantification and equality (e.g., x. y.x = y) are and other worldviews that behave like them; ∀ ∃ polymorphic: the quantified variables may be of these satisfy base type (such as string) or formulas, functions, prin(P ) or predicates. The logic also has operators and ( F.≡(F P (F ))) inference rules for integer arithmetic, existential ∀( F G.→(P (F ) P (F G) P (G))). quantification, and falsehood, which are not shown ∧ ∀ ∀ → → → here. Intuitively, prin(P ) means that we can assume that P admits all tautologies, and that P
5 admits any formula that can be deduced from evidently satisfy a weaker property than prin(); other formulas it admits. The following two we write this property as lemmas are provable: group(A) F.(F A(F )). prin(P ) F ≡∀ → prin taut P (F ) We can then prove the following lemmas: prin(A) prin(P ) P (F ) P (F G) prin is grp → prin imp e group(A) P (G) group(A) F From the name r and name imp e inference grp taut rules, we can prove the lemma A(F ) group(A) group(B) n is prin grp comp prin( (s)) group(A B) N ◦ group(A) group(B) We can use function composition on world- grp group(A wB) ∧ views: ∧ group(A) group(B) (A B)(F ) A(B(F )). grp ◦ ≡ group(A wB) ∨ A B can be thought of as “A quoting B”. ∨ Composition◦ of two principals is a principal: In addition to these classes of worldviews, any application is free to define its own classes. prin(A) prin(B) prin comp prin(A B) 4.1 Says and Quoting ◦ The system as described so far is adequate, but We can also define a woperatoronworld- some may find the representation of principals views, so that A w∧B admits a formula ∧ as functions confusing. In order to make the whenever both A and B admit it. system more palatable to these users, we can define operators to abstract away the represen- (A wB)(F ) A(F ) B(F ). ∧ ≡ ∧ tation of worldviews. We can then prove the lemma We do this by defining a says operator:
prin(A) prin(B) A says F A(F ). prin ≡ prin(A wB) ∧ ∧ Some simple lemmas about says follow: along with lemmas saying that w is associa- group(A) F ∧ says taut tive and commutative. A says F Similarly, we can define a w operator: ∨ prin(A) A says FAsays (F G) (A wB)(F ) A(F ) B(F ). → says imp e ∨ ≡ ∨ A says G The w operator can be used to construct We can then define a quoting operator as groups∨ of worldviews in which any member can | A B A B, speak on behalf of the group. w is associative | ≡ ◦ and commutative. However,∨ if prin(A)and and it follows that prin(B), this does not imply prin(A wB). (For example, we could have A(F )and∨B(F quote ident G), but neither A(G)norB(G).) Groups→ (A B)saysF A says (B says F ) . | ↔ 6 The wand w operators will lead to the Speaksfor. The operator identities∧ ∨ A speaksfor B x.(A says x B says x) ≡∀ → (A wB)saysF (A says F ) w(B says F ) says that everything said by A is also said by ∧ ↔ ∧ B. Generally, if A speaks for B,thenA can exercise any rights that B has. (A wB)saysF (A says F ) (B says F ) ∨ ↔ ∨ If we use a logical framework that support Names. The ability to translate any string S into a principal (S) gives us the ability to abstract data types, we could choose to hide the N representation of principals, says, and quoting, define name-spaces. For example, we can define and simply expose the set of lemmas they a localname operator as satisfy. (A, S) A (S). LN ≡ |N 5 Application-Specific Operators Now A can give principal B the right to speak We expect that the designers of specific appli- for (A, S) by making the statement cations will often have in mind their own sets LN of operators and rules for manipulating them. A says (B speaksfor (S)). N Our system allows users to define new operators with manipulation rules, so it can implement Now (assuming prin(A)) it follows that B speaksfor (A, S)2. application-specific operators. In this section, LN we give as an example a set of operators we We can also use local names to implement roles, with (A, role : admin) referring to have found useful. LN Any application using our system is free to A’s administrative role; A could then make define whatever operators it likes and prove a statement F on behalf of the role, such as (A says ( (role : admin)saysF )). lemmas about them. This kind of extensibility N is the main advantage of our logic-based ap- 5.1 Access Control proach. Suppose a file server machine M stores a file Controls. First we define the controls opera- f,andM wants to limit who can read f.(We tor1 assume prin(M).) This can be implemented by requiring each read request on f to carry a proof A controls F ((A says F ) F ). ≡ → of (M says read (f )). M can give another prin- Informally, A controls F means that A can cipal A permission to read the file by making make F true just by saying it. We can prove the statement (M says (A controls read (f ))). a simple lemma Now if A makes the request (A says read (f )), A can use the request, along with the statement A controls FAsays F made by M, to prove M says read (f )3. controls r F . 2Proof sketch: Suppose B says F . It follows by We can then prove a lemma that says control says taut that A says (B says F ). Now we have two statements that are said by A: B says F and can be handed off from one principal to another: B speaksfor (S). These two statements together imply (S)saysN F , so when they are both said prin(A) A controls FAsays (B controls F ) by A,N and since prin(A) holds, we can infer that B controls F.A says ( (S)saysF ). By the definition of localname, this equalsN (A, S)saysF . 1This definition differs from the one given in Section 2 3To proveLN this result, we start with A says read (f ), in order to account for the says abstraction. and then (using prin(M)) apply the says taut lemma to
7 5.2 Public-Key Infrastructure Statements can be given limited periods of validity. For example, the statement Public-key certificates and their use can be im- plemented in our system as well. A certification A says ((now(Bob) (cert CKa A) C says ( (Ka) speaksfor A). after that it is vacuous. Of course, a statement ≡ N that expires might be renewed with a later This certificate is pointless unless we trust C to expiration time, and statements might come issue certificates; this trust can be encoded as with hints about how to renew them. In order for Alice to generate a proof that will be valid trustedCA(C) k p. C controls ( (k) speaksfor pon). Bob’s machine, she should first learn how ≡∀ ∀ N much clock skew there is between her machine Now we can prove lemmas such as and Bob’s. Also, if Charlie trusts Bob to keep the clock skew between Bob and Charlie under trustedCA(C) (cert CKa A) Ka signed F5 seconds, at least until tomorrow, he can issue A says F the statement, indicating that our definitions are consistent Kc signed (now(charlie.com) < 100929 with one model of public-key infrastructure. now(charlie.com) now(bob.com) →< 5) Of course, other definitions may make sense | − | to other people. The strength of our system Such certificates about clock skew can help is that it allows anyone to make their own Alice formulate a proof that her key-certificate definitions. (signed by Charlie) is still valid with respect to Bob’s clock. 5.3 Expiration and Revocation An alternative to expiration is revocation. The primitive now() maps strings to integers; For example, the statement now(m) gives the current time as measured on the clock of the host whose name is m.We A says ( revoked(F ) F ) make no assumptions about how different clocks ¬ → are related, though any principal can make says that A says F , unless F has been revoked. statements and form beliefs about how any two A could periodically send out a revocation list; clocks are related. for example When Bob checks the proof of any statement, he will have an assumption in his assumption A says ((now(A) 8 6 Alternative Versions of Says Now A can delegate its rights to B: The definition of says given above seems natu- A says ((B saysoptD F ) F ) ral, but some applications may want a version → of says that behaves differently. These applica- and B can delegate these rights to third parties tions are free to define and use the primitives if and only if D is true. they want. We now give two examples of There are many variants of says,andour alternate definitions of says. system allows each application to define and use the variant that best suits its needs. 6.1 Says without prin() 7 Encoding Other Authentication Some users may find it more natural to reason Frameworks about a world where rules like says taut and says imp e hold for all principals. This can be Our system is general enough to encode other achieved by defining a new operator: distributed authentication frameworks. We encode a framework by expressing its primitives A saysp F F (prin(A) A(F )). in a set of definitions, and then proving the ≡ ∨ ∧ framework’s processing rules as lemmas. By Two lemmas follow: providing a single language in which the se- mantics of several frameworks can be expressed, F we provide a way for those frameworks to A saysp F interoperate with users of our system. By describing different frameworks in a single A saysp FAsaysp (F G) → logic, we provide a way for those frameworks to A saysp G interoperate in a principled way. For example, We can then proceed to define new versions if the semantics of SPKI certificates and Taos of the other operators such as controls,andto certificates are clearly specified in our logic, prove the corresponding lemmas. then certificates from both frameworks can be used together in the same proof, as long as 6.2 Says without Delegation the requester can show they satisfy the server’s requirements. Our first definition of says allows any principal Interoperability has another advantage: it to delegate any rights it may have. Some facilitates the deployment of new frameworks. applications may not like this, so we may want If frameworks can interoperate, then a new to define a version of says that does not allow framework does not need near-universal de- arbitrary delegation. To do this, we define a ployment in order to attract users. A new “says directly” operator: framework can be used by a few people at A saysdir F K.((A = (K)) (K signed F )). first, while those people exploit interoperation ≡∃ N ∧ to work with the rest of the world. Now if B says ((A saysdir F ) F ), B has 7.1 SPKI delegated to A all of B’s rights→ to F , but A cannot delegate these rights further, since As an example, we now describe how to encode the only way A can exercise these rights is to the SPKI [4] framework. Certificates are the directly sign a request to use them. main data structure in SPKI; a certificate can We can define a “says with optional delega- encode a name-to-key binding or a name-to- tion” operator: privileges binding. The SPKI specification describes how every A saysopt F (A saysdir F ) (D (A says F )). certificate can be translated into a 5-tuple data D ≡ ∨ ∧ 9 structure, and it gives rules for combining 5- be permitted; we encode it as the placeholder tuples to deduce new 5-tuples, and for deciding ok(x) ( (ok) (x)) says false. whether a particular 5-tuple is sufficient evi- Now≡ weN can|N prove SPKI’s rules for manip- dence to allow access to a resource. In the 5- ulating 5-tuples as lemmas. To give a simple tuple (I, S, D, T, V ) example, we can prove I is the key that issued the certificate; prin(I) prin(J) tuple(I,J,true,A,V) tuple(J, S, D, A, V ) S is the subject of the certificate, which could tuple(I, S, D, A, V ) be a key, a name, or a group; We could also go about proving the other rules D is a delegation flag, saying whether the for reasoning about 5-tuples, including a rule rights associated with the certificate may for extracting a useful result from a SPKI chain: be delegated; J signed ok(X) prin(I) VT(X) tuple(I, (J),D,T,V) T is a tag, a data structure that describes a Nok(X) request or set of requests; and Having done this, we could conclude that V says when the certificate is valid, giving a any client who could have gotten approval for not-valid-before and a not-valid-after time. operation X on server I in SPKI will be able Space does not permit a full description of SPKI to prove I says ok(X). SPKI provides a way to semantics; see the SPKI documents [4] for full define local access policies such as details. ok(tag (pkpfs /foo read)) read /foo → Encoding SPKI To encode SPKI, we encode Although we have not yet done so, we believe the 5-tuple data structure and the rules for that other distributed authentication frame- manipulating 5-tuples. Since converting certifi- works could be encoded in a similar way. cates to 5-tuples is a straightforward (though tedious) translation process, we could also en- 8 Implementation code this conversion in our logic. Proofs must be produced by the client request- In practice, one would want to model the ing services and checked by the server, so there SPKI data structures in great detail, for ex- must be a machine-readable and -checkable ample, by expressing the tag-matching rules in notation for theorem and proof. We use a logic. We simplify the model here for brevity. higher-order logic implemented in Twelf [13], We give the following definition: an implementation of the Edinburgh Logical tuple(I, S, D, T, V ) V Framework [5]. Research in proof-carrying code ≡ → [11] has shown that the Logical Framework I says ( x.((S saysoptD ok(x)) ∀ T (x)→ ok(x))). (LF) is an excellent notation for explicit proofs → that are to be transmitted and then checked Here I is the issuing principal; S is the subject with a minimal trusted computing base. The principal, which might be a group; D is the algorithm for checking LF proofs is as simple delegation flag; the tag T is represented as a as programming-language type checking, and in predicate on strings (a predicate which admits fact the Touchstone system for proof-carrying any string iff that string will successfully match code [11] includes a simple proof-checker writ- the tag); and the validity interval is represented ten in the C programming language. as a simple predicate V .ok(x) represents the An earlier version of our system was im- assertion the the operation specified by x should plemented in λProlog instead of Twelf, using 10 controls_e: pf (controls @ A @ F) -> pf (A @ F) -> pf F. keybind_e: pf (keybind @K@W)->pf(digital_signature S K F) -> pf (W @ F). trusted_ca_e: pf (trusted_ca @ Ca) -> pf (controls @ Ca @ (keybind @ K @ A)). abc: pf (trusted_ca @ Charlie) -> pf (keybind @ Kc @ Charlie) -> pf (controls @ Alice @ ReadFoo) -> pf (digital_signature B10010111 Ka ReadFoo) -> pf (digital_signature B01001110 Kc (keybind @ Ka @ Alice)) -> pf ReadFoo = [A1][A2][A3][S1][S2] controls_e A3 (keybind_e (controls_e (trusted_ca_e A1) (keybind_e A2 S2)) S1). Figure 4: Twelf representation of “read foo” theorem and its proof. higher-order logic with lemmas and definitions name controls to stand for the (higher-order) as described by Appel and Felty [2]. formula λaλf. (af) f.Wehavemade functions (λ) explicit→ in our logic using the 8.1 Proof representation lam operator, and function-application explicit using the @ operator. Figure 4 shows the Twelf code that implements The controls_e lemma states that, given a the theorem that Alice proves to Bob in the proof that A controls F , and a proof that A says example of Section 2.1. The first three clauses F , we can construct a proof of F . The proof are the statements of the supporting lemmas; first uses another lemma, def2_e,toexpand here we have omitted their proofs. the definition of controls in the premise P1; The name of the theorem, , is followed by abc then the implication-elimination rule imp_e to a statement of the theorem: given proofs of the complete the proof. five premises, we get a proof of ReadFoo. The Twelf notation will allow the recipient After the sign comes the proof of the the- = of a proof (and associated lemmas) to check orem. The variables [A1][A2][A3][S1][S2] the validity of each lemma, and then to use stand for the five premises; the square brackets the lemma in checking the proof of the main indicate that they are formal parameters of theorem (and of other lemmas). the proof, and the body of the proof may refer to them by name. We have chosen the 8.2 Measurements name A1,A2,A3 for the first three premises to correspond to the names used in Section 2.1. The implementation of our logic in Twelf is The variables S1,S2 stand for the two digital- quite concise. Such a checker could be used as signature premises. the core of a distributed authentication system. The last line shows the proof tree, written out The logical inference rules are specified in 46 in Twelf notation. It is the same tree shown in lines, excluding rules for arithmetic, which can Figure 2, but in a form more suited to machine be specified in another dozen or so. processing. The Twelf proof-checker itself [13] is im- Another illustration is the controls e lemma plemented in Standard ML [8]: the parser is (Figure 5). The first line declares the type 2549 lines of commented code, and the proof- of the name controls, as a predicate, i.e. checking algorithm is 1540 lines. The parser afunctiontakingaworldviewandaformula need not be considered part of the trusted and returning a formula. Next, it defines the computing base, since a broken parser cannot 11 controls: tm (worldview arrow form arrow form) = lam[A] lam[F] (A @ F) imp F. controls_e: pf (controls @A@F)->pf(A@F)->pfF=[P1][P2] imp_e (def2_e P1) P2. Figure 5: Representation of controls and controls e. cause an invalid proof to be accepted by the of reducing the redundancy in LF proofs and checker. Necula [11] has also implemented an cutting their size by large factors. LF proof-checker; its current size is about 2000 Some servers – such as programmable disk lines of commented C code [7]. controllers or active-network routers – are so Clients who want to generate proofs will specialized that they will not even want to have need application-specific definitions and lem- a full proof checker. In this case, they can mas, which might amount to several hundred rely on certificates. Suppose Doris the disk lines of Twelf, but this will be outside the controller trusts Bob to check proofs for her; trusted computing base – the lemmas can be in- she can rely on the single inference rule dependently checked by the recipients of proofs. K signed (Doris says F ) Proofs are really just s-expressions extended b trust bob with a primitive notion of binding; that is, trees F whose operators are names of inference rules Now if Alice wants service format disk and lemmas. Each use of a lemma with n from Doris, she can submit a proof of arguments should add approximately n words (Doris says format disk) to Bob, who will check to the size of the proof, and each statement- it and issue the certificate. and-proof of a lemma should add a number of Bob should not sign time-dependent state- words proportional to the size of the lemma and ments such as now(bob.com) = 1998 which can its proof. A good approximation to the size, become false. He can avoid this by not putting in words, of the representation of a proof is any such assumptions into his database while the number of non-punctuation tokens in the checking proofs of statements that he is being fully explicit form of its Twelf syntax. We asked to sign. can measure the size of the proof illustrated in Figure 1: 9 Conclusion Concept Definition Lemma Proof controls 21 29 33 Higher-order logic allows application-specific keybind 20 39 42 modal logics to be defined and proved in a trustedCA 32 15 33 simple and general framework. The apparent Main theorem 84 123 disadvantage of such a logic — undecidability Since Bob’s security database contains state- — can be overcome by submitting a proof ments of the form trustedCA(Charlie), he with each authentication request, in the same presumably also has copies of the relevent def- way that proof-carrying code submits proofs of initions, lemmas, and proofs. Thus, Alice can safety with programs. simply send a 84-word theorem and 123-word We have demonstrated that proofs can be proof to justify read foo. But if other lemmas small, that proof checking is simple to imple- turn out to be helpful in structuring the proof, ment, and that existing authentication frame- they can be represented in a very reasonable works can be expressed as application-specific size, as the table shows. These numbers are definitions and lemmas in our logic. Although gross overestimates of what can be achieved proof generation is undecidable in general, we in practice; Necula [10] has shown methods have shown by example that in cases of interest, 12 the requester will have a good idea why she [11] George Ciprian Necula. Compiling with Proofs. should be able to access a resource. PhD thesis, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, References September 1998. [1] Martin Abadi, Michael Burrows, Butler Lamp- [12] B. Clifford Neuman and Theodore Ts’o. Ker- son, and Gordon D. Plotkin. A Calculus for beros: An Authentication Service for Com- Access Control in Distributed Systems. ACM puter Networks. IEEE Communications, Transactions on Programming Languages and 32(9):33–38, September 1994. Systems, 15(4):706–734, September 1993. [13] Frank Pfenning and Carsten Sch¨urmann. Sys- [2] Andrew W. Appel and Amy Felty. Lightweight tem Description: Twelf — A Meta-Logical Lemmas in Lambda Prolog. In 16th Interna- Framework for Deductive Systems. In The tional Conference on Logic Programming.MIT 16th International Conference on Automated Press, November 1999. Deduction. Springer-Verlag, July 1999. [3] Matt Blaze, Joan Feigenbaum, and Jack Lacy. [14] Ron Rivest and Butler Lampson. SDSI – Distributed Trust Management. In Proc. of A Simple Distributed Security Infrastructure. 17th IEEE Symposium on Security and Pri- September 1996. vacy, pages 164–173, May 1996. [15] International Telecommunications Union. ITU- [4] Carl M. Ellison, Bill Frantz, Butler Lampson, T Recommendation X.509: The Directory: RonRivest,BrianM.Thomas,andTatuYlo- Authentication Framework. Technical Report nen. Simple Public Key Certificate. Inter- X.509, ITU, www.itu.int, 1997. net Draft draft-ietf-spki-cert-structure-05.txt, 1998. [5] Robert Harper, Furio Honsell, and Gordon Plotkin. A Framework for Defining Logics. Journal of the ACM, January 1993. To appear. A preliminary version appeared in Symposium on Logic in Computer Science, pages 194–204, June 1987. [6] Butler Lampson, Martin Abadi, Michael Bur- rows, and Edward Wobber. Authentication in Distributed Systems: Theory and Prac- tice. ACM Transactions on Computer Systems, 10(4):265–310, November 1992. [7] Peter Lee. personal communication, 1999. [8] Robin Milner, Mads Tofte, Robert Harper, and David MacQueen. The Definition of Standard ML (Revised). MIT Press, Cambridge, MA, 1997. [9] George C. Necula. Proof-Carrying Code. In Procedings of the 24th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’97), pages 106–119, January 1997. [10] George C. Necula and Peter Lee. Efficient Representation and Validation of Proofs. In In Proceedings of the 13th Annual Symposium on Logic in Computer Science, 1998. 13