Spi Calculus - PowerPoint PPT Presentation

About This Presentation

Title:

Spi Calculus

Description:

Principal A sends message M on channel cab to principal B. ... passes a restricted channel from A to B via restricted channels to S. ... – PowerPoint PPT presentation

Number of Views:33

Avg rating:3.0/5.0

Slides: 43

Provided by: mein9

Learn more at: http://www.cse.msu.edu

Category:

more less

Transcript and Presenter's Notes

Title: Spi Calculus

1
Spi Calculus

Gokhan Gokoz
Chad R. Meiners

2
What Spi Calculus Is

Spi calculus is a form of pi calculus extended to
support cryptography.
Pi calculus is a language for describing and
implementing concurrent processes over
communication channels.
Pi calculus is designed to have a concise
description when compared to CSP.
Spi calculus adds operators to perform symmetric
cryptography.

3
How Pi and Spi Calculus is used

to verify security properties of protocols.
Authenticity
Is the implementation equivalent to the
specification?
Secrecy
Can an external process distinguish one instance
from another?

4
Basic Facilities of Pi Calculus

Process A system is constructed out of a set of
concurrent processes.
Scope Variables and channels may be restricted
to certain processes or they may be global.
Channel Processes communicate and synchronize
with each other via channels.

5
Scope Extrusion

Channels may be placed as messages on channels.
Allows for scope restricted channel to be used
outside of it original scope.
Allows dataflow analysis.
Spi calculus adds encryption operators.

6
Pi Grammar

Pi calculus has four types of objects
Names channels.
represented as m, n, p, q, and r.
Variables
represented as x, y, and z .
Terms objects in Pi calculus.
represented as L, M, N.
Processes
represented as P, Q, and R.

7
Terms

A term can be one of the following five forms
n the name of a channel
(M, N) a pair of terms.
0 the number zero.
suc(M) the successor of M.
x a variable.

8
Process Primitives

0 Is the nil process.
P Q Is the process composition operator.
!P Is the process replication operator
Examples
A 0 A is the nil process
B !A C B is an infinite number of A in
parallel with C.

9
Process communication

MltNgt.P
communicate message N on channel M
becomes P.
M(x).P
block until it receives a message N from channel
M
P where all occurrences of x in P are replaced by
N
(We abbreviate such replacements with PN/x)
Examples
A clt0gt.0 A sends nil on c and becomes nil.
B c(x).0 B received x on c and becomes nil.

10
Process Decisions

M is NP
P if MN
else 0
let (x,y) M in P
PN/xL/y when M(N,L)
otherwise 0
case M is 0 P suc(x) Q
P when M0
QN/x if Msuc(N)
0 if M is not an integer.

11
Process Decisions

Examples
A(M,N) M,NB
A is B if MN otherwise, A is 0.
B(M) let (x,y) M in A(x,y)
B is A(x,y) if M is a pair otherwise, B is 0.
C(M) case M is 0 0 suc(x) C(x)
C is 0 when M 0
C is C(M-1) when M gt 0
C is 0 if M ? N

12
Process Scope and Extrusion

(vn)P
P with the name n bound to Ps scope.
Example
A(M) (vcp)caltcpgt.cp ltMgt.0
Send private channel cp on ca then become nil.
B ca(x).x(y).0
Receive channel x on ca then receive y on x then
become 0.
C (vca)(A(M) B)
C is A in parallel with B. Channel ca is only in
As and Bs scope.

13
Spi Calculus Extensions

MN term representing the message M encrypted
with the key N.
case L of xN in P PM/x provided that L
MN otherwise it is 0.
Examples
A(M) caltMkgt.0
A sends M encrypted with k on ca and then becomes
nil.
B ca(y).case y of xk in F(x)
B receives y on ca and decrypts y into x using k.
B then become F(x).
C(M) (vca)(vk)(A(M) B)
C is A and B with channel ca and key k.

14
Process Equivalence

In Pi Calculus, we write P Q iff P and Q are
indistinguishable to a separate process R.
In Spi Calculus we write P(M) P(M) iff given
the two process instances a separate process R
cannot tell which instance is the instance of M
and which the instance of M.

15
Pi Calculus Example

Message 1 A?B M on cab
A(M) cab ltMgt
B cab(x).F(x)
Inst(M) (vcab)(A(M) B)
Principal A sends message M on channel cab to
principal B.
cab is restricted, only A and B have access to
cab.
Inst(M) is one instance of the protocol.

16
Pi Calculus Example (cont.)

Specification
A(M) cab ltMgt
Bspec(M) cab(x).F(M)
Instspec(M) (vcab)(A(M)
Bspec(M))
Difference between protocol and specification
Bspec(M) is a variant, which receives input
from A and acts like B when B receives M.

17
Security Properties

Authenticity property
Inst(M) Instspec(M), for all M.
The protocol with message M is indistinguishable
from the
specification with message M, for all messages M.
Secrecy property
Inst(M) Inst(M) if F(M) F(M), for
all M,M.
If F(M) is indistinguishable from F(M), then the
protocol
with message M is indistinguishable from the
protocol with
message M.
These security properties hold because of the
restriction on the channel cab.

18
Channel Establishment Example

Abstract and simplified version of the Wide
Mouthed Frog protocol
proposed by Michael Burrows in 1989
passes a restricted channel from A to B via
restricted channels to S.

19
Channel Establishment Example (cont.)

channels instead of the keys
channel establishment and data communication
happen only once
Message 1 A?S cab on cas
Message 2 S?B
cab on csb Message 3
A?B M on cab

S
2. new channel
1. new channel
B
A
3. Data on new channel
20
Protocol Implementation

A(M) (vcab)casltcabgt.cabltMgt
A sends channel cab over cas then sends M over
cab.
S cas(x).csbltxgt
S forwards x from cas to csb.
B csb(x).x(y).F(y)
B receives channel x on csb and receives y on x.
Inst(M) (vcas)(vcsb) )(A(M) S B)
Inst is the composition of A, S and B.

21
Specification

In the specification A(M) and S are same as
above,
Bspec(M) csb(x).x(y).F(M)
Here Bspec is similar to B except it knows what M
is already for authenticity checking.
Inst(M)spec (vcas)(vcsb) )(A(M) S Bspec(M))
The authenticity and secrecy properties hold.

22
Spi Calculus Example

Same as the first Pi example except that a key is
used to insure secrecy.
Message 1 A?B Mkab on cab
A(M) cab ltMkab gt
A send a shared key encrypted message M on cab.
B cab(x).case x of ykab in F(y)
B decrypts x into y.
Inst(M) (vkab)(A(M) B)
The key kab is restricted to only A and B.

23
Spi Example Specification

Specification
A(M) cab ltMkab gt
Bspec(M) cab(x).case x of ykab in F(M)
Instspec(M) (vkab)( A(M) Bspec(M))
Authenticity and secrecy properties are confirmed
under a coarse-grained equivalence since an
observer
can definitely distinguish between P(M) and P(M).

24
Key establishment in Spi Calculus

Same as the Pi frog protocol with key used
instead of restricted channels.
Message 1 A?S kabkas on cas
Message 2 S?B kabksb on
csb
Message 3 A?B Mkab on cab

S
1. new key kab under kas
2. new key kab under ksb
B
A
3. Data under new key kab
25
Protocol

A(M) (vkab)( cas ltkabkasgt.cab Mkabgt)
A sends a key kab to the server S and uses kab to
encrypt M to send to B.
S cas(x).case x of ykas in csbltyksbgt
S forwards the key contained in x via the shared
key kas.
B csb(x).case x of yksb in cab(z).case z of
wy in F(w)
B receives and decrypts the key in x then uses
that key to get the message w.
Inst(M) (vkas) (vksb)( A(M) S B)

26
Specification

Principals A(M) and S are the same as in the
protocol
Bspec(M) csb(x).case x of yksb in
cab(z).case z of wy in F(M)
Instspec(M) (vkas) (vksb)( A(M) S Bspec(M))
The specification is more complex than the
protocol but Bspec(M) applies F only to the data
from A and not to a message resulting from an
attack or error.

27
Complete Authentication Example (with a flaw)

A server and n other principals
Each principals input channels are public and
are named as c1, c2, , cn and cs.
Server shares a pair of keys with each other
principal, ksi and kis.
Message sequence
Message 1 A?S A,B,kabkas on cs
Message 2 S?B A, kabksb on cb
Message 3 A?B A,Mkab on cb

28
Instance of the protocol

We have two principals (A and B) and the message
sent after key establishment.
Instance I is a triple (i,j,M) where
i source address , j destination address
Send(i,j,M) (vk)(cs lt(i,j,kkiS )gt cj
lt(i,Mk)gt)
Recv(j) cj(ycipher).case ycipher of
xa,xkeykSj in cj(za,zcipher).xa is za case
zcipher of zplainxkey in F(xa,j, zplain)

29
Instance of the protocol (Sending)

Send(i,j,M) (vk)(cs lt(i,j,kkiS )gt cj
lt(i,Mk)gt)
Creates a key k, sends to the server along with
the names i and j of the principals of the
instance.
Sends M under k with its name i.

30
Instance of the protocol (Receiving)

Recv(j) cj(ycipher).case ycipher of
xa,xkeykSj in cj(za,zcipher).xa is za case
zcipher of zplain xkey in F(xa,j, zplain)
Waits for a message ycipher from server, extracts
xkey from this message
Then waits for a message zcipher under this key
At the end applies F to the name xa of the
presumed sender, j and to zplain of the message.

31
Server

The server S is the same for all instances
S cs(xa,xcipher).
?i?1..nxa is i case xcipher of
xb,xkeykis in
?j?1..nxb is j cj ltxa,xkeyksjgt
S receives a key that selects the correct branch
to forward the key to the correct j.
?i?1..k Pi is the k-way composition P1 Pk

32
Whole System

Sys(I1,, Im) (vkiS)(vkSj)
(Send(I1)
Send(Im)
!S
!Recv(1)
!Recv(n) )
Where (vkiS)(vkSj) stands for (vk1s)(vkns)
(vks1)(vksn) and Sys(I1,, Im) represents a
system with m instances of the protocol.

33
The Flaw

The protocol is vulnerable to a replay attack.
System Sys(I,I?) where I(i,j,M) , I?(i,j,M?)
An attacker can replay messages of one instance
and get them mistaken for messages of the other
instance.
So M will be passed to F twice and Sys(I,I?)
could execute two copies of F(i,j,M) although
Sys(I,I?) can run F for both instances F(i,j,M)
and F(i,j,M?) only once.
Therefore the authenticity equation doesnt hold.
Inst(M) Instspec(M), for all M.

34
Complete Authentication Example (repaired)

To protect previous protocol against replay
attacks, nonce handshakes (tag in the message to
authenticate the sender) are added.
The new protocol, informally looks like
Message 1 A?S A
on cs
Message 2 S?A Ns
on ca
Message 3 A?S A,A,A,B,kab,Nskas
on cs
Message 4 S?B
on cb
Message 5 B?S Nb
on cs
Message 6 S?B S,A,B, kab, Nbksb
on cb
Message 7 A?B A,M kab
on cb
See Appendix for implementation.

35
What we get with Spi Calculus?

Protocols in Spi Calculus are tedious.
Good for proofing authenticity and secrecy.
The scope of errors that it can find are limited
though
Spi Calculus is not as general as other logics,
but this lack of generality allows us more
confidence in the properties we can prove.

36
Tool Support

Spi Calculus does not have any direct tool
support.
Security proprieties must be proven by humans.
There is however a protocol language Cryptc that
is based on Spi Calculus.

37
Cryptc

Redefines Spi calculuss grammar
Adds protocol beginnings and endings
Protocols are considered secure if every protocol
ending has a distinct beginning.
Cryptc performs an exhaustive search for paths
that generate an end without a begin.

38
Online References

A Calculus for Cryptographic Protocols The Spi
CalculusMartin Abadi and Andrew D.
GordonDigital SRC Research Report 149January
25, 1998http//gatekeeper.dec.com/pub/DEC/SRC/res
earch-reports/abstracts/src-rr-149.Html

39
Online References

Authenticity by Typing for Security
ProtocolsA.D. Gordon and A.S.A.
JeffreyMicrosoft Research Technical Report
MSR-2001-49, 2001ftp//fpl.cs.depaul.edu/pub/ajef
frey/spi-types.ps.gz
The Cryptc webpage http//cryptyc.cs.depaul.edu/i
ntro.html

40
Appendix Corrected Protocol