The Spi Calculus

1
The Spi Calculus

• A Calculus for Cryptographic Protocols
• Presented By
• Ramesh Yechangunja

2
Introduction

• Developed by Martin Abadi and Andrew D.Gordon
  at the Systems Research Center, it is an
  extension of the Pi Calculus with cryptographic
  primitives designed for describing and analyzing
  cryptographic protocols.

3
Features

• Reliance on the powerful scoping constructs of
  the pi calculus
• Radical definition of the environment as an
  arbitrary spi calculus process
• Representation of security properties, both
  integrity and secrecy, as equivalences

4
Basics

• Channels may be restricted, so that only certain
  processes may communicate on them. (Similar to
  CSP)
• The scope of the restriction may change during
  computation. This is termed scope extrusion.
  (Different from the earlier process calculi)

5

• An output process aN.P is ready to output on
  channel a. If an interaction occurs, term N is
  communicated on a and then process P runs.
• An input process a(x).P is ready to input from
  channel a. If an interaction occurs in which N is
  communicated on a, then process PN/x runs.

6

• A composition PQ behaves as processes P and Q
  running in parallel.
• A restriction (vn)P is a process that makes a
  new, private name n, and then behaves as P.
• A pair splitting process let (x,y) M in P
  behaves as PN/xL/y if term M is the pair
  (N,L). Otherwise, the process is stuck.

7
In addition spi calculus introduces primitives
for shared-key cryptography

• The term MN represents the ciphertext obtained
  by encrypting M under the key N.
• The process case L of xN in P attempts to
  decrypt the term L with the key N. If L is a
  ciphertext of the form MN, then the process
  behaves as PM/x. Otherwise, the process is
  stuck.

8
A first cryptographic example

• Consider two principals A and B that share a
  key KAB with a public channel cAB. The protocol
  is simply that A sends a message M under KAB to
  B, on cAB.
• Message 1 A?B MKAB on cAB
• In the spi calculus, we write
• A(M) ? cAB MKAB

9
-

• B ? cAB(x).case x of yKAB in F(y)
• Inst(M) ? (vK)(A(M)B)
• Security properties are expressed as
  equivalences. We use the following specification
• A(M) ? cAB MKAB
• Bspec(M) ? cAB(x).case x of yKAB in F(M)
• Instspec(M) ? (vKAB)(A(M)Bspec(M))

10
-

• We obtain the properties
• Authenticity Inst(M) ? Instspec(M), for all M
• Secrecy Inst(M) ? Inst(M) if F(M) ? F(M),
• for all
  M,M

11
An example with key establishment

• We consider the Wide Mouthed Frog protocol.
• 1. New key KAB under KAS
  2. New key KAB
  under KSB
• 
  3.data under new key KAB

S
A
B
12
The protocol is

• Message 1 A?S KABKAS on cAS
• Message 2 S?B KABKSB on cSB
• Message 3 A?B MKAB on cAB
• In the spi calculus, we can express it as
• A(M) ? (vKAB)( cAS KABKAS . cAB MKAB
  )
• S ? cAS(x).case x of yKAS in cSB
  yKSB
• B ? cSB(x).case x of yKSB in
• cAB(z).case z of wy in F(w)
• Inst(M) ? (vKAS) (vKSB)( A(M)SB)

13
A complete authentication example ( with a flaw)

• Consider a system with a server and n other
  principals. Each principal has an input channel
  which is public, namely, C1, C2,,Cn and Cs. The
  server shares a pair of keys with each other
  principal, Ksi and Kis.
• We extend the previous example to this n1
  principals
• Message 1 A?S A,B,KABKAS on cS
• Message 2 S?B A,KABKSB on cB
• Message 3 A?B A,MKAB on cB

14
-

• An instance of the protocol is determined by a
  choice of parties and by the message sent i.e. an
  instance I is the triple (i,j,M).
• i source address
• j - destination address
• Given an instance (i,j,M), the following process
  corresponds to role of A
• Send(i,j,M) ? (vK)(cS (i,j,KKiS ) cj
  (i,MK))
• The following process corresponds to the role of
  B
• Recv(j) ? cj(ycipher).case ycipher of
  xA,xkeyKSj in
• cj(zA,zcipher).xA, zA
• case zcipher of zplain xkey
  in F(xA,j, zplain)

15
-

• The server S is the same for all instances
• S ? cj(xA,xcipher).
• ?i?1..nxA is i case xcipher of
  xB,xkeyKiS in
• ?j?1..nxB is j cj xA,xkeyKS j
  
• where ?i?1..k Pi is the k-way composition
• P1 Pk
• Finally we define a whole system,
  parameterized on a list of instances of the
  protocol
• Sys(I1,, Im) ? (vKsi )(vKis)
• (Send(I1)
  Send(Im)
• !S
• !Recv(1)
  !Recv(n) )

16
-

• Unfortunately, the protocol is vulnerable to a
  replay attack that invalidates the authenticity.
  An attacker can replay messages of one instance
  and get them mistaken for messages of the other
  instance.

17
A complete authentication example (repaired)

• The previous protocol is improved by adding
  nonce handshakes as protection against replay
  attacks.
• The new protocol is
• Message 1 A?S A
  on cS
• Message 2 S?A NS
  on cA
• Message 3 A?S A,A,A,B,KAB, NS KAS on cS
• Message 4 S?B
  on cB
• Message 5 B?S NB
  on cS
• Message 6 S?B S,A,B,KAB, NB KS B on
  cB
• Message 7 A?B A,M KAB
  on cB

18
-

• In spi calculus, nonces are represented as
  newly created names.
• Send(i,j,M) ? cS i
• ci (xnonce).
• (vK)(cS (i,i,i,j,K,xnonceKiS
  ) cj (i,MK))
• S ? cS(xA). ?i?1..nxA is i (vNS)
  (ci NS
• cS(xA,xcipher).xA is i
• case xcipher of yA,zA, xB,
  xkey, xnonceKiS in
• ?j?1..nyA is izA is ixB
  is jxnonce is NS
• (cj cS (ynonce). cj
  S,i,j, xkey,ynonceKS j ))

19
-

• Recv(j) ? cj(w). (vNB) (cS NB
• cj(ycipher).
• case ycipher of xS, xA, xB,
  xkey,ynonce KS j in
• ?j?1..nxS is SxA is ixB
  is jynonce is NB
• cj(zA,zcipher). zA is xA
• case zcipher of zplain
  xkey in F(i,j, zplain))
• Sys(I1,, Im) ? (vKsi )(vKis)
• (Send(I1) Send(Im)
• !S
• !Recv(1) !Recv(n) )

20
-

• The authenticity property is obtained
• Sys(I1,, Im) ? Sysspec(I1,, Im)
• for any instances
  I1,, Im
• This holds good because of the nonces.
• Secrecy Sys(I1,, Im) ? Sysspec(J1,, Jm)
• if each pair (I1, J1 ),
  (Im, Jm) is
• indistinguishable.
  
  
  
  

21
Conclusion

• Harder to write protocols but very detailed.
• Main advantage is its formal precision
• May not be a good tool for finding flaws but
  yields more convincing proofs of correctness
• Protocols prone to attacks are developed without
  explicit specifications for an attacker. Such
  precise treatments have not been done before.