Spi Calculus - PowerPoint PPT Presentation

About This Presentation
Title:

Spi Calculus

Description:

Principal A sends message M on channel cab to principal B. ... passes a restricted channel from A to B via restricted channels to S. ... – PowerPoint PPT presentation

Number of Views:34
Avg rating:3.0/5.0
Slides: 43
Provided by: mein9
Learn more at: http://www.cse.msu.edu
Category:
Tags: calculus | chan | spi

less

Transcript and Presenter's Notes

Title: Spi Calculus


1
Spi Calculus
  • Gokhan Gokoz
  • Chad R. Meiners

2
What Spi Calculus Is
  • Spi calculus is a form of pi calculus extended to
    support cryptography.
  • Pi calculus is a language for describing and
    implementing concurrent processes over
    communication channels.
  • Pi calculus is designed to have a concise
    description when compared to CSP.
  • Spi calculus adds operators to perform symmetric
    cryptography.

3
How Pi and Spi Calculus is used
  • to verify security properties of protocols.
  • Authenticity
  • Is the implementation equivalent to the
    specification?
  • Secrecy
  • Can an external process distinguish one instance
    from another?

4
Basic Facilities of Pi Calculus
  • Process A system is constructed out of a set of
    concurrent processes.
  • Scope Variables and channels may be restricted
    to certain processes or they may be global.
  • Channel Processes communicate and synchronize
    with each other via channels.

5
Scope Extrusion
  • Channels may be placed as messages on channels.
  • Allows for scope restricted channel to be used
    outside of it original scope.
  • Allows dataflow analysis.
  • Spi calculus adds encryption operators.

6
Pi Grammar
  • Pi calculus has four types of objects
  • Names channels.
  • represented as m, n, p, q, and r.
  • Variables
  • represented as x, y, and z .
  • Terms objects in Pi calculus.
  • represented as L, M, N.
  • Processes
  • represented as P, Q, and R.

7
Terms
  • A term can be one of the following five forms
  • n the name of a channel
  • (M, N) a pair of terms.
  • 0 the number zero.
  • suc(M) the successor of M.
  • x a variable.

8
Process Primitives
  • 0 Is the nil process.
  • P Q Is the process composition operator.
  • !P Is the process replication operator
  • Examples
  • A 0 A is the nil process
  • B !A C B is an infinite number of A in
    parallel with C.

9
Process communication
  • MltNgt.P
  • communicate message N on channel M
  • becomes P.
  • M(x).P
  • block until it receives a message N from channel
    M
  • P where all occurrences of x in P are replaced by
    N
  • (We abbreviate such replacements with PN/x)
  • Examples
  • A clt0gt.0 A sends nil on c and becomes nil.
  • B c(x).0 B received x on c and becomes nil.

10
Process Decisions
  • M is NP
  • P if MN
  • else 0
  • let (x,y) M in P
  • PN/xL/y when M(N,L)
  • otherwise 0
  • case M is 0 P suc(x) Q
  • P when M0
  • QN/x if Msuc(N)
  • 0 if M is not an integer.

11
Process Decisions
  • Examples
  • A(M,N) M,NB
  • A is B if MN otherwise, A is 0.
  • B(M) let (x,y) M in A(x,y)
  • B is A(x,y) if M is a pair otherwise, B is 0.
  • C(M) case M is 0 0 suc(x) C(x)
  • C is 0 when M 0
  • C is C(M-1) when M gt 0
  • C is 0 if M ? N

12
Process Scope and Extrusion
  • (vn)P
  • P with the name n bound to Ps scope.
  • Example
  • A(M) (vcp)caltcpgt.cp ltMgt.0
  • Send private channel cp on ca then become nil.
  • B ca(x).x(y).0
  • Receive channel x on ca then receive y on x then
    become 0.
  • C (vca)(A(M) B)
  • C is A in parallel with B. Channel ca is only in
    As and Bs scope.

13
Spi Calculus Extensions
  • MN term representing the message M encrypted
    with the key N.
  • case L of xN in P PM/x provided that L
    MN otherwise it is 0.
  • Examples
  • A(M) caltMkgt.0
  • A sends M encrypted with k on ca and then becomes
    nil.
  • B ca(y).case y of xk in F(x)
  • B receives y on ca and decrypts y into x using k.
    B then become F(x).
  • C(M) (vca)(vk)(A(M) B)
  • C is A and B with channel ca and key k.

14
Process Equivalence
  • In Pi Calculus, we write P Q iff P and Q are
    indistinguishable to a separate process R.
  • In Spi Calculus we write P(M) P(M) iff given
    the two process instances a separate process R
    cannot tell which instance is the instance of M
    and which the instance of M.

15
Pi Calculus Example
  • Message 1 A?B M on cab
  • A(M) cab ltMgt
  • B cab(x).F(x)
  • Inst(M) (vcab)(A(M) B)
  • Principal A sends message M on channel cab to
    principal B.
  • cab is restricted, only A and B have access to
    cab.
  • Inst(M) is one instance of the protocol.

16
Pi Calculus Example (cont.)
  • Specification
  • A(M) cab ltMgt
  • Bspec(M) cab(x).F(M)
  • Instspec(M) (vcab)(A(M)
    Bspec(M))
  • Difference between protocol and specification
  • Bspec(M) is a variant, which receives input
    from A and acts like B when B receives M.

17
Security Properties
  • Authenticity property
  • Inst(M) Instspec(M), for all M.
  • The protocol with message M is indistinguishable
    from the
  • specification with message M, for all messages M.
  • Secrecy property
  • Inst(M) Inst(M) if F(M) F(M), for
    all M,M.
  • If F(M) is indistinguishable from F(M), then the
    protocol
  • with message M is indistinguishable from the
    protocol with
  • message M.
  • These security properties hold because of the
    restriction on the channel cab.

18
Channel Establishment Example
  • Abstract and simplified version of the Wide
    Mouthed Frog protocol
  • proposed by Michael Burrows in 1989
  • passes a restricted channel from A to B via
    restricted channels to S.

19
Channel Establishment Example (cont.)
  • channels instead of the keys
  • channel establishment and data communication
    happen only once
  • Message 1 A?S cab on cas
  • Message 2 S?B
    cab on csb Message 3
    A?B M on cab

S
2. new channel
1. new channel
B
A
3. Data on new channel
20
Protocol Implementation
  • A(M) (vcab)casltcabgt.cabltMgt
  • A sends channel cab over cas then sends M over
    cab.
  • S cas(x).csbltxgt
  • S forwards x from cas to csb.
  • B csb(x).x(y).F(y)
  • B receives channel x on csb and receives y on x.
  • Inst(M) (vcas)(vcsb) )(A(M) S B)
  • Inst is the composition of A, S and B.

21
Specification
  • In the specification A(M) and S are same as
    above,
  • Bspec(M) csb(x).x(y).F(M)
  • Here Bspec is similar to B except it knows what M
    is already for authenticity checking.
  • Inst(M)spec (vcas)(vcsb) )(A(M) S Bspec(M))
  • The authenticity and secrecy properties hold.

22
Spi Calculus Example
  • Same as the first Pi example except that a key is
    used to insure secrecy.
  • Message 1 A?B Mkab on cab
  • A(M) cab ltMkab gt
  • A send a shared key encrypted message M on cab.
  • B cab(x).case x of ykab in F(y)
  • B decrypts x into y.
  • Inst(M) (vkab)(A(M) B)
  • The key kab is restricted to only A and B.

23
Spi Example Specification
  • Specification
  • A(M) cab ltMkab gt
  • Bspec(M) cab(x).case x of ykab in F(M)
  • Instspec(M) (vkab)( A(M) Bspec(M))
  • Authenticity and secrecy properties are confirmed
  • under a coarse-grained equivalence since an
    observer
  • can definitely distinguish between P(M) and P(M).

24
Key establishment in Spi Calculus
  • Same as the Pi frog protocol with key used
    instead of restricted channels.
  • Message 1 A?S kabkas on cas
  • Message 2 S?B kabksb on
    csb
  • Message 3 A?B Mkab on cab

S
1. new key kab under kas
2. new key kab under ksb
B
A
3. Data under new key kab
25
Protocol
  • A(M) (vkab)( cas ltkabkasgt.cab Mkabgt)
  • A sends a key kab to the server S and uses kab to
    encrypt M to send to B.
  • S cas(x).case x of ykas in csbltyksbgt
  • S forwards the key contained in x via the shared
    key kas.
  • B csb(x).case x of yksb in cab(z).case z of
    wy in F(w)
  • B receives and decrypts the key in x then uses
    that key to get the message w.
  • Inst(M) (vkas) (vksb)( A(M) S B)

26
Specification
  • Principals A(M) and S are the same as in the
    protocol
  • Bspec(M) csb(x).case x of yksb in
    cab(z).case z of wy in F(M)
  • Instspec(M) (vkas) (vksb)( A(M) S Bspec(M))
  • The specification is more complex than the
    protocol but Bspec(M) applies F only to the data
    from A and not to a message resulting from an
    attack or error.

27
Complete Authentication Example (with a flaw)
  • A server and n other principals
  • Each principals input channels are public and
    are named as c1, c2, , cn and cs.
  • Server shares a pair of keys with each other
    principal, ksi and kis.
  • Message sequence
  • Message 1 A?S A,B,kabkas on cs
  • Message 2 S?B A, kabksb on cb
  • Message 3 A?B A,Mkab on cb

28
Instance of the protocol
  • We have two principals (A and B) and the message
    sent after key establishment.
  • Instance I is a triple (i,j,M) where
  • i source address , j destination address
  • Send(i,j,M) (vk)(cs lt(i,j,kkiS )gt cj
    lt(i,Mk)gt)
  • Recv(j) cj(ycipher).case ycipher of
    xa,xkeykSj in cj(za,zcipher).xa is za case
    zcipher of zplainxkey in F(xa,j, zplain)

29
Instance of the protocol (Sending)
  • Send(i,j,M) (vk)(cs lt(i,j,kkiS )gt cj
    lt(i,Mk)gt)
  • Creates a key k, sends to the server along with
    the names i and j of the principals of the
    instance.
  • Sends M under k with its name i.

30
Instance of the protocol (Receiving)
  • Recv(j) cj(ycipher).case ycipher of
    xa,xkeykSj in cj(za,zcipher).xa is za case
    zcipher of zplain xkey in F(xa,j, zplain)
  • Waits for a message ycipher from server, extracts
    xkey from this message
  • Then waits for a message zcipher under this key
  • At the end applies F to the name xa of the
    presumed sender, j and to zplain of the message.

31
Server
  • The server S is the same for all instances
  • S cs(xa,xcipher).
  • ?i?1..nxa is i case xcipher of
    xb,xkeykis in
  • ?j?1..nxb is j cj ltxa,xkeyksjgt
  • S receives a key that selects the correct branch
    to forward the key to the correct j.
  • ?i?1..k Pi is the k-way composition P1 Pk

32
Whole System
  • Sys(I1,, Im) (vkiS)(vkSj)
  • (Send(I1)
    Send(Im)
  • !S
  • !Recv(1)
    !Recv(n) )
  • Where (vkiS)(vkSj) stands for (vk1s)(vkns)
  • (vks1)(vksn) and Sys(I1,, Im) represents a
    system with m instances of the protocol.

33
The Flaw
  • The protocol is vulnerable to a replay attack.
  • System Sys(I,I?) where I(i,j,M) , I?(i,j,M?)
  • An attacker can replay messages of one instance
    and get them mistaken for messages of the other
    instance.
  • So M will be passed to F twice and Sys(I,I?)
    could execute two copies of F(i,j,M) although
    Sys(I,I?) can run F for both instances F(i,j,M)
    and F(i,j,M?) only once.
  • Therefore the authenticity equation doesnt hold.
    Inst(M) Instspec(M), for all M.

34
Complete Authentication Example (repaired)
  • To protect previous protocol against replay
    attacks, nonce handshakes (tag in the message to
    authenticate the sender) are added.
  • The new protocol, informally looks like
  • Message 1 A?S A
    on cs
  • Message 2 S?A Ns
    on ca
  • Message 3 A?S A,A,A,B,kab,Nskas
    on cs
  • Message 4 S?B
    on cb
  • Message 5 B?S Nb
    on cs
  • Message 6 S?B S,A,B, kab, Nbksb
    on cb
  • Message 7 A?B A,M kab
    on cb
  • See Appendix for implementation.

35
What we get with Spi Calculus?
  • Protocols in Spi Calculus are tedious.
  • Good for proofing authenticity and secrecy.
  • The scope of errors that it can find are limited
    though
  • Spi Calculus is not as general as other logics,
    but this lack of generality allows us more
    confidence in the properties we can prove.

36
Tool Support
  • Spi Calculus does not have any direct tool
    support.
  • Security proprieties must be proven by humans.
  • There is however a protocol language Cryptc that
    is based on Spi Calculus.

37
Cryptc
  • Redefines Spi calculuss grammar
  • Adds protocol beginnings and endings
  • Protocols are considered secure if every protocol
    ending has a distinct beginning.
  • Cryptc performs an exhaustive search for paths
    that generate an end without a begin.

38
Online References
  • A Calculus for Cryptographic Protocols The Spi
    CalculusMartin Abadi and Andrew D.
    GordonDigital SRC Research Report 149January
    25, 1998http//gatekeeper.dec.com/pub/DEC/SRC/res
    earch-reports/abstracts/src-rr-149.Html

39
Online References
  •  Authenticity by Typing for Security
    ProtocolsA.D. Gordon and A.S.A.
    JeffreyMicrosoft Research Technical Report
    MSR-2001-49, 2001ftp//fpl.cs.depaul.edu/pub/ajef
    frey/spi-types.ps.gz
  • The Cryptc webpage http//cryptyc.cs.depaul.edu/i
    ntro.html

40
Appendix Corrected Protocol
  • Send(i,j,M) csltigt
  • ci(xnonce).
  • (vk)(cslt(i,i,i,j,k,xnoncek
    iS )gt cj lt(i,Mk)gt)
  • S cs(xa).?i?1..nxa is i(vNs)(ciltNsgt
  • cs(x?a,xcipher).x?a is i
  • case xcipher of ya,za,xb,xkey,xnoncekis
    in
  • ?j?1..nya is iza is ixb is
    jxnonce is Ns
  • (cj ltgt cS (ynonce). cj ltS,i,j,
    xkey,ynonceksjgt))

41
  • Recv(j) cj(w). (vNb) (cs ltNbgt
  • cj(ycipher).
  • case ycipher of xs, xa, xb,
    xkey,ynonceksj in
  • ?j?1..nxs is Sxa is ixb is
    jynonce is Nb
  • cj(za,zcipher). za is xa
  • case zcipher of zplain xkey
    in F(i,j,zplain))
  • Sys(I1,, Im) (vkiS)(vkSj)
  • (Send(I1)
    Send(Im)
  • !S
  • !Recv(1)
    !Recv(n) )

42
  • Authenticity
  • Sys(I1,,Im) Sysspec(I1,,Im) for any
  • instances I1,,Im.
  • This property holds because of the nonces.
  • Secrecy
  • Sys(I1,,Im) Sysspec(J1,,Jm) if each pair
  • (I1,J1),,(Im,Jm) is indistinguishable.
Write a Comment
User Comments (0)
About PowerShow.com