1 / 42

Spi Calculus

Spi Calculus. Gokhan Gokoz Chad R. Meiners. What Spi Calculus Is. Spi calculus is a form of pi calculus extended to support cryptography. Pi calculus is a language for describing and implementing concurrent processes over communication channels.

cyrah
Download Presentation

Spi Calculus

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Spi Calculus Gokhan Gokoz Chad R. Meiners

  2. What Spi Calculus Is • Spi calculus is a form of pi calculus extended to support cryptography. • Pi calculus is a language for describing and implementing concurrent processes over communication channels. • Pi calculus is designed to have a concise description when compared to CSP. • Spi calculus adds operators to perform symmetric cryptography.

  3. How Pi and Spi Calculus is used to verify security properties of protocols. • Authenticity • Is the implementation equivalent to the specification? • Secrecy • Can an external process distinguish one instance from another?

  4. Basic Facilities of Pi Calculus • Process: A system is constructed out of a set of concurrent processes. • Scope: Variables and channels may be restricted to certain processes or they may be global. • Channel: Processes communicate and synchronize with each other via channels.

  5. Scope Extrusion • Channels may be placed as messages on channels. • Allows for scope restricted channel to be used outside of it original scope. • Allows dataflow analysis. • Spi calculus adds encryption operators.

  6. Pi Grammar Pi calculus has four types of objects: • Names: channels. • represented as m, n, p, q, and r. • Variables: • represented as x, y, and z . • Terms: objects in Pi calculus. • represented as L, M, N. • Processes: • represented as P, Q, and R.

  7. Terms A term can be one of the following five forms: • n: the name of a channel • (M, N) : a pair of terms. • 0 : the number zero. • suc(M) : the successor of M. • x: a variable.

  8. Process Primitives • 0: Is the nil process. • P | Q: Is the process composition operator. • !P: Is the process replication operator Examples: A := 0 :A is the nil process B := !A | C :B is an infinite number of A in parallel with C.

  9. Process communication • M<N>.P • communicate message N on channel M • becomes P. • M(x).P • block until it receives a message N from channel M • P where all occurrences of x in P are replaced by N • (We abbreviate such replacements with P[N/x]) Examples: A := c<0>.0 : A sends nil on c and becomes nil. B := c(x).0 : B received x on c and becomes nil.

  10. Process Decisions • [M is N]P • P if M=N • else 0 • let (x,y) = MinP • P[N/x][L/y] when M=(N,L) • otherwise 0 • caseMis 0 : P suc(x) : Q • P when M=0 • Q[N/x] if M=suc(N) • 0 if M is not an integer.

  11. Process Decisions Examples: • A(M,N) := [M,N]B • A is B if M=N; otherwise, A is 0. • B(M) := let (x,y) = M inA(x,y) • B is A(x,y) if M is a pair; otherwise, B is 0. • C(M) := caseMis 0 : 0 suc(x) : C(x) • C is 0 when M = 0 • C is C(M-1) when M > 0 • C is 0 if M N

  12. Process Scope and Extrusion • (vn)P • P with the name n bound to P’s scope. Example: A(M) := (vcp)ca<cp>.cp <M>.0 • Send private channel cp on ca then become nil. B := ca(x).x(y).0 • Receive channel x on ca then receive y on x then become 0. C := (vca)(A(M) | B) • C is A in parallel with B. Channel ca is only in A’s and B’s scope.

  13. Spi Calculus Extensions • {M}N: term representing the message “M encrypted with the key N”. • caseLof {x}N in P:P[M/x] provided that L= {M}N otherwise it is 0. Examples: A(M) := ca<{M}k>.0 • A sends M encrypted with k on ca and then becomes nil. B := ca(y).caseyof {x}k in F(x) • B receives y on ca and decrypts y into x using k. B then become F(x). C(M) := (vca)(vk)(A(M) | B) • C is A and B with channel ca and key k.

  14. Process Equivalence • In Pi Calculus, we write P≡Q iff P and Q are indistinguishable to a separate process R. • In Spi Calculus we write P(M) ≡P(M’) iff given the two process instances a separate process R cannot tell which instance is the instance of M and which the instance of M’.

  15. Pi Calculus Example Message 1 : A→B: M on cab A(M) :=cab<M> B := cab(x).F(x) Inst(M) := (vcab)(A(M) | B) • Principal A sends message M on channel cab to principal B. • cab is restricted, only A and B have access to cab. • Inst(M) isone instance of the protocol.

  16. Pi Calculus Example (cont.) • Specification: A(M) :=cab<M> Bspec(M) := cab(x).F(M) Instspec(M) := (vcab)(A(M) | Bspec(M)) • Difference between protocol and specification: Bspec(M) is a variant, which receives input from A and acts like B when B receives M.

  17. Security Properties • Authenticity property: Inst(M) ≡Instspec(M), for all M. The protocol with message M is indistinguishable from the specification with message M, for all messages M. • Secrecy property: Inst(M) ≡Inst(M’) if F(M) ≡F(M’), for all M,M’. If F(M) is indistinguishable from F(M’), then the protocol with message M is indistinguishable from the protocol with message M’. • These security properties hold because of the restriction on the channel cab.

  18. Channel Establishment Example • Abstract and simplified version of the Wide Mouthed Frog protocol • proposed by Michael Burrows in 1989 • passes a restricted channel from A to B via restricted channels to S.

  19. Channel Establishment Example (cont.) • channels instead of the keys • channel establishment and data communication happen only once Message 1: A→S: cab on cas Message 2 : S→B: cab on csb Message 3 : A→B: M on cab S 2. new channel 1. new channel A B 3. Data on new channel

  20. Protocol Implementation • A(M) := (vcab)cas<cab>.cab<M> • A sends channel cab over cas then sends M over cab. • S := cas(x).csb<x> • S forwards x from cas to csb. • B := csb(x).x(y).F(y) • B receives channel x on csb and receives y on x. • Inst(M) := (vcas)(vcsb) )(A(M) | S | B) • Inst is the composition of A, S and B.

  21. Specification In the specification A(M) and S are same as above, • Bspec(M) := csb(x).x(y).F(M) • Here Bspec is similar to B except it knows what M is already for authenticity checking. • Inst(M)spec:=(vcas)(vcsb) )(A(M) | S | Bspec(M)) The authenticity and secrecy properties hold.

  22. Spi Calculus Example Same as the first Pi example except that a key is used to insure secrecy. • Message 1: A→B: {M}kabon cab • A(M) :=cab<{M}kab > • A send a shared key encrypted message M on cab. • B := cab(x).case x of {y}kabin F(y) • B decrypts x into y. • Inst(M) :=(vkab)(A(M) | B) • The key kab is restricted to only A and B.

  23. Spi Example Specification Specification: • A(M) :=cab<{M}kab> • Bspec(M) := cab(x).case x of {y}kabin F(M) • Instspec(M) :=(vkab)( A(M) | Bspec(M)) Authenticity and secrecy properties are confirmed under a coarse-grained equivalence since an observer can definitely distinguish between P(M) and P(M´).

  24. Key establishment in Spi Calculus • Same as the Pi frog protocol with key used instead of restricted channels. Message 1: A→S: {kab}kason cas Message 2: S→B: {kab}ksbon csb Message 3: A→B: {M}kabon cab S 1. new key kab under kas 2. new key kab under ksb A B 3. Data under new key kab

  25. Protocol • A(M) :=(vkab)( cas<{kab}kas>.cab‹{M}kab>) • A sends a key kab to the server S and uses kabto encrypt M to send to B. • S := cas(x).case x of{y}kasincsb<{y}ksb> • S forwards the key contained in x via the shared key kas. • B := csb(x).case x of{y}ksbincab(z).case z of{w}yin F(w) • B receives and decrypts the key in x then uses that key to get the message w. • Inst(M) :=(vkas) (vksb)( A(M) | S | B)

  26. Specification • Principals A(M) and S are the same as in the protocol; • Bspec(M) := csb(x).case x of{y}ksbin cab(z).case z of{w}yin F(M) • Instspec(M) :=(vkas) (vksb)( A(M) | S | Bspec(M)) • The specification is more complex than the protocol but Bspec(M) applies F only to the data from A and not to a message resulting from an attack or error.

  27. Complete Authentication Example (with a flaw) • A server and n other principals • Each principal’s input channels are public and are named as c1, c2, …, cn and cs. • Server shares a pair of keys with each other principal, ksi and kis. • Message sequence: Message 1: A→S: A,{B,kab}kas on cs Message 2: S→B: {A, kab}ksbon cb Message 3: A→B: A,{M}kabon cb

  28. Instance of the protocol • We have two principals (A and B) and the message sent after key establishment. • Instance I is a triple (i,j,M) where i: source address , j: destination address • Send(i,j,M):=(vk)(cs<(i,{j,k}kiS)>| cj<(i,{M}k)>) • Recv(j):= cj(ycipher).case ycipherof{xa,xkey}kSjincj(za,zcipher).[xa is za]case zcipherof{zplain}xkeyin F(xa,j, zplain)

  29. Instance of the protocol (Sending) • Send(i,j,M) :=(vk)(cs<(i,{j,k}kiS )>|cj<(i,{M}k)>) • Creates a key k, sends to the server along with the names i and j of the principals of the instance. • Sends M under k with its name i.

  30. Instance of the protocol (Receiving) • Recv(j) := cj(ycipher).case ycipherof{xa,xkey}kSjincj(za,zcipher).[xa is za] case zcipherof {zplain}xkeyin F(xa,j, zplain) • Waits for a message ycipher from server, extracts xkeyfrom this message • Then waits for a message zcipherunder this key • At the end applies F to the name xaof the presumed sender, j and to zplainof the message.

  31. Server The server S is the same for all instances: S := cs(xa,xcipher). i1..n[xa is i] case xcipher of {xb,xkey}kisin j1..n[xb is j] cj<{xa,xkey}ksj> S receives a key that selects the correct branch to forward the key to the correct j. i1..k Pi is the k-way composition P1 |…|Pk

  32. Whole System Sys(I1,…, Im) := (vkiS)(vkSj) (Send(I1) |…| Send(Im) | !S | !Recv(1) |…| !Recv(n) ) • Where (vkiS)(vkSj) stands for (vk1s)…(vkns) (vks1)…(vksn) and Sys(I1,…, Im) represents a system with m instances of the protocol.

  33. The Flaw • The protocol is vulnerable to a replay attack. • System: Sys(I,I) where I=(i,j,M) ,I=(i,j,M) • An attacker can replay messages of one instance and get them mistaken for messages of the other instance. • So M will be passed to F twice and Sys(I,I) could execute two copies of F(i,j,M) although Sys(I,I) can run F for both instances F(i,j,M) and F(i,j,M) only once. • Therefore the authenticity equation doesn’t hold. Inst(M) ≡Instspec(M), for all M.

  34. Complete Authentication Example (repaired) • To protect previous protocol against replay attacks, nonce handshakes (tag in the message to authenticate the sender) are added. • The new protocol, informally looks like: • Message 1: A→S: A on cs • Message 2: S→A: Ns on ca • Message 3: A→S: A,{A,A,B,kab,Ns}kason cs • Message 4: S→B: * on cb • Message 5: B→S: Nb on cs • Message 6: S→B: {S,A,B, kab, Nb}ksbon cb • Message 7: A→B: A,{M }kab on cb • See Appendix for implementation.

  35. What we get with Spi Calculus? • Protocols in Spi Calculus are tedious. • Good for proofing authenticity and secrecy. • The scope of errors that it can find are limited though • Spi Calculus is not as general as other logics, but this lack of generality allows us more confidence in the properties we can prove.

  36. Tool Support • Spi Calculus does not have any direct tool support. • Security proprieties must be proven by humans. • There is however a protocol language Cryptc that is based on Spi Calculus.

  37. Cryptc • Redefines Spi calculus’s grammar • Adds protocol beginnings and endings • Protocols are considered secure if every protocol ending has a distinct beginning. • Cryptc performs an exhaustive search for paths that generate an end without a begin.

  38. Online References • A Calculus for Cryptographic Protocols: The Spi CalculusMartin Abadi and Andrew D. GordonDigital SRC Research Report 149January 25, 1998http://gatekeeper.dec.com/pub/DEC/SRC/research-reports/abstracts/src-rr-149.Html

  39. Online References •  Authenticity by Typing for Security ProtocolsA.D. Gordon and A.S.A. JeffreyMicrosoft Research Technical Report MSR-2001-49, 2001ftp://fpl.cs.depaul.edu/pub/ajeffrey/spi-types.ps.gz • The Cryptc webpage: http://cryptyc.cs.depaul.edu/intro.html

  40. Appendix : Corrected Protocol Send(i,j,M) :=cs<i> | ci(xnonce). (vk)(cs<(i,{i,i,j,k,xnonce}kiS )>| cj<(i,{M}k)>) S := cs(xa).i1..n[xa is i](vNs)(ci<Ns> | cs(xa,xcipher).[xa is i] case xcipher of {ya,za,xb,xkey,xnonce}kis in j1..n[yais i][za is i][xb is j][xnonce is Ns] (cj<*> | cS(ynonce). cj<{S,i,j, xkey,ynonce}ksj>))

  41. Recv(j) := cj(w). (vNb) (cs<Nb> | cj(ycipher). case ycipher of {xs, xa, xb, xkey,ynonce}ksj in j1..n[xsis S][xais i][xbis j][ynonce is Nb] cj(za,zcipher).[zais xa] case zcipher of {zplain}xkeyin F(i,j,zplain)) Sys(I1,…, Im) := (vkiS)(vkSj) (Send(I1) |…| Send(Im) | !S | !Recv(1) |…| !Recv(n) )

  42. Authenticity: Sys(I1,…,Im) ≡Sysspec(I1,…,Im) for any instances I1,…,Im. This property holds because of the nonces. • Secrecy: Sys(I1,…,Im) ≡Sysspec(J1,…,Jm) if each pair (I1,J1),…,(Im,Jm) is indistinguishable.

More Related