spi calculus
DESCRIPTION
Spi Calculus. Gokhan Gokoz Chad R. Meiners. What Spi Calculus Is. Spi calculus is a form of pi calculus extended to support cryptography. Pi calculus is a language for describing and implementing concurrent processes over communication channels. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/1.jpg)
Spi Calculus
Gokhan Gokoz
Chad R. Meiners
![Page 2: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/2.jpg)
What Spi Calculus Is
• Spi calculus is a form of pi calculus extended to support cryptography.
• Pi calculus is a language for describing and implementing concurrent processes over communication channels.
• Pi calculus is designed to have a concise description when compared to CSP.
• Spi calculus adds operators to perform symmetric cryptography.
![Page 3: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/3.jpg)
How Pi and Spi Calculus is used
to verify security properties of protocols.
• Authenticity– Is the implementation equivalent to the
specification?
• Secrecy– Can an external process distinguish one
instance from another?
![Page 4: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/4.jpg)
Basic Facilities of Pi Calculus
• Process: A system is constructed out of a set of concurrent processes.
• Scope: Variables and channels may be restricted to certain processes or they may be global.
• Channel: Processes communicate and synchronize with each other via channels.
![Page 5: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/5.jpg)
Scope Extrusion
• Channels may be placed as messages on channels.
• Allows for scope restricted channel to be used outside of it original scope.
• Allows dataflow analysis.
• Spi calculus adds encryption operators.
![Page 6: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/6.jpg)
Pi Grammar
Pi calculus has four types of objects: • Names: channels.
– represented as m, n, p, q, and r.
• Variables: – represented as x, y, and z .
• Terms: objects in Pi calculus. – represented as L, M, N.
• Processes: – represented as P, Q, and R.
![Page 7: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/7.jpg)
Terms
A term can be one of the following five forms:
• n : the name of a channel
• (M, N) : a pair of terms.
• 0 : the number zero.
• suc(M) : the successor of M.
• x : a variable.
![Page 8: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/8.jpg)
Process Primitives
• 0 : Is the nil process.
• P | Q : Is the process composition operator.
• !P : Is the process replication operator
Examples:
A := 0 : A is the nil process
B := !A | C : B is an infinite number of A in parallel with C.
![Page 9: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/9.jpg)
Process communication• M<N>.P
– communicate message N on channel M
– becomes P.
• M(x).P – block until it receives a message N from channel M
– P where all occurrences of x in P are replaced by N
– (We abbreviate such replacements with P[N/x])
Examples:
A := c<0>.0 : A sends nil on c and becomes nil.
B := c(x).0 : B received x on c and becomes nil.
![Page 10: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/10.jpg)
Process Decisions• [M is N]P
– P if M=N – else 0
• let (x,y) = M in P – P[N/x][L/y] when M=(N,L) – otherwise 0
• case M is 0 : P suc(x) : Q – P when M=0 – Q[N/x] if M=suc(N)– 0 if M is not an integer.
![Page 11: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/11.jpg)
Process Decisions
Examples:• A(M,N) := [M,N]B
– A is B if M=N; otherwise, A is 0.
• B(M) := let (x,y) = M in A(x,y)– B is A(x,y) if M is a pair; otherwise, B is 0.
• C(M) := case M is 0 : 0 suc(x) : C(x)– C is 0 when M = 0– C is C(M-1) when M > 0– C is 0 if M N
![Page 12: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/12.jpg)
Process Scope and Extrusion• (vn)P
– P with the name n bound to P’s scope.
Example:A(M) := (vcp)ca<cp>.cp <M>.0
– Send private channel cp on ca then become nil.
B := ca(x).x(y).0– Receive channel x on ca then receive y on x then become
0.
C := (vca)(A(M) | B)– C is A in parallel with B. Channel ca is only in A’s and
B’s scope.
![Page 13: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/13.jpg)
Spi Calculus Extensions• {M}N : term representing the message “M encrypted
with the key N”.• case L of {x}N in P : P[M/x] provided that L= {M}N
otherwise it is 0.Examples:
A(M) := ca<{M}k>.0– A sends M encrypted with k on ca and then becomes nil.
B := ca(y).case y of {x}k in F(x)– B receives y on ca and decrypts y into x using k. B then
become F(x).
C(M) := (vca)(vk)(A(M) | B)– C is A and B with channel ca and key k.
![Page 14: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/14.jpg)
Process Equivalence
• In Pi Calculus, we write P ≡ Q iff P and Q are indistinguishable to a separate process R.
• In Spi Calculus we write P(M) ≡ P(M’) iff given the two process instances a separate process R cannot tell which instance is the instance of M and which the instance of M’.
![Page 15: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/15.jpg)
Pi Calculus Example
Message 1 : A→B: M on cab
A(M) := cab <M>
B := cab(x).F(x)
Inst(M) := (vcab)(A(M) | B) • Principal A sends message M on channel cab to
principal B.• cab is restricted, only A and B have access to cab.• Inst(M) is one instance of the protocol.
![Page 16: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/16.jpg)
Pi Calculus Example (cont.)
• Specification:
A(M) := cab <M>
Bspec(M) := cab(x).F(M)
Instspec(M) := (vcab)(A(M) | Bspec(M))
• Difference between protocol and specification:
Bspec(M) is a variant, which receives input from A and acts like B when B receives M.
![Page 17: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/17.jpg)
Security Properties• Authenticity property:
Inst(M) ≡ Instspec(M), for all M.
The protocol with message M is indistinguishable from the
specification with message M, for all messages M.
• Secrecy property:
Inst(M) ≡ Inst(M’) if F(M) ≡ F(M’), for all M,M’.
If F(M) is indistinguishable from F(M’), then the protocol
with message M is indistinguishable from the protocol with
message M’.
• These security properties hold because of the restriction on the channel cab.
![Page 18: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/18.jpg)
Channel Establishment Example
• Abstract and simplified version of the Wide Mouthed Frog protocol
• proposed by Michael Burrows in 1989• passes a restricted channel from A to B via
restricted channels to S.
![Page 19: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/19.jpg)
Channel Establishment Example (cont.)
• channels instead of the keys
• channel establishment and data communication happen
only once
Message 1: A→S: cab on cas
Message 2 : S→B: cab on
csb Message 3 : A→B:
M on cab
S
BA
1. new channel
3. Data on new channel
2. new channel
![Page 20: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/20.jpg)
Protocol Implementation
• A(M) := (vcab)cas<cab>.cab<M> – A sends channel cab over cas then sends M over cab.
• S := cas(x).csb<x>– S forwards x from cas to csb.
• B := csb(x).x(y).F(y)– B receives channel x on csb and receives y on x.
• Inst(M) := (vcas)(vcsb) )(A(M) | S | B)– Inst is the composition of A, S and B.
![Page 21: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/21.jpg)
Specification
In the specification A(M) and S are same as above,
• Bspec(M) := csb(x).x(y).F(M)– Here Bspec is similar to B except it knows what
M is already for authenticity checking.
• Inst(M)spec :=(vcas)(vcsb) )(A(M) | S | Bspec(M))
The authenticity and secrecy properties hold.
![Page 22: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/22.jpg)
Spi Calculus Example Same as the first Pi example except that a key
is used to insure secrecy.
• Message 1: A→B: {M}kab on cab
– A(M) := cab <{M}k
ab >• A send a shared key encrypted message M on cab.
– B := cab(x).case x of {y}kab in F(y)
• B decrypts x into y.
– Inst(M) :=(vkab)(A(M) | B) • The key kab is restricted to only A and B.
![Page 23: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/23.jpg)
Spi Example Specification
Specification:
• A(M) := cab <{M}k
ab >
• Bspec(M) := cab(x).case x of {y}kab in F(M)
• Instspec(M) :=(vkab)( A(M) | Bspec(M))
Authenticity and secrecy properties are confirmed
under a coarse-grained equivalence since an observer
can definitely distinguish between P(M) and P(M´́)).
![Page 24: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/24.jpg)
Key establishment in Spi Calculus
• Same as the Pi frog protocol with key used instead of restricted channels.
Message 1: A→S: {kab}kas
on
cas
Message 2: S→B: {kab}ksb
on
csb
Message 3: A→B: {M}kab
on
cab
S
BA
1. new key kab under kas
3. Data under new key kab
2. new key kab under ksb
![Page 25: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/25.jpg)
Protocol
• A(M) :=(vkab)( cas <{kab}k
as>.cab ‹{M}k
ab>)– A sends a key kab to the server S and uses kab to encrypt M to
send to B.
• S := cas(x).case x of {y}kas in csb<{y}k
sb>– S forwards the key contained in x via the shared key kas.
• B := csb(x).case x of {y}ksb in cab(z).case z of {w}y in
F(w)– B receives and decrypts the key in x then uses that key to get
the message w.
• Inst(M) :=(vkas) (vksb)( A(M) | S | B)
![Page 26: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/26.jpg)
Specification
• Principals A(M) and S are the same as in the protocol;– Bspec(M) := csb(x).case x of {y}k
sb in cab(z).case z of {w}y in F(M)
– Instspec(M) :=(vkas) (vksb)( A(M) | S | Bspec(M))
• The specification is more complex than the protocol but Bspec(M) applies F only to the data from A and not to a message resulting from an attack or error.
![Page 27: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/27.jpg)
Complete Authentication Example (with a flaw)
• A server and n other principals• Each principal’s input channels are public and are
named as c1, c2, …, cn and cs.• Server shares a pair of keys with each other principal,
ksi and kis.• Message sequence:
Message 1: A→S: A,{B,kab}kas on cs
Message 2: S→B: {A, kab}ksb
on cb
Message 3: A→B: A,{M}kab
on cb
![Page 28: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/28.jpg)
Instance of the protocol
• We have two principals (A and B) and the message sent after key establishment.
• Instance I is a triple (i,j,M) where
i: source address , j: destination address
• Send(i,j,M) :=(vk)(cs <(i,{j,k}kiS )>| cj
<(i,{M}k)>)
• Recv(j) := cj(ycipher).case ycipher of {xa,xkey}kSj in cj(za,zcipher).[xa is za] case zcipher of {zplain}xkey in F(xa,j, zplain)
![Page 29: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/29.jpg)
Instance of the protocol (Sending)
• Send(i,j,M) :=(vk)(cs <(i,{j,k}kiS )>| cj
<(i,{M}k)>)
– Creates a key k, sends to the server along with the names i and j of the principals of the instance.
– Sends M under k with its name i.
![Page 30: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/30.jpg)
Instance of the protocol (Receiving)
• Recv(j) := cj(ycipher).case ycipher of {xa,xkey}kSj in cj(za,zcipher).[xa is za] case zcipher of {zplain }xkey in F(xa,j, zplain)
– Waits for a message ycipher from server, extracts xkey from this message
– Then waits for a message zcipher under this key
– At the end applies F to the name xa of the presumed sender, j and to zplain of the message.
![Page 31: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/31.jpg)
Server
The server S is the same for all instances: S := cs(xa,xcipher).
i1..n[xa is i] case xcipher of {xb,xkey}kis in
j1..n[xb is j] cj <{xa,xkey}ksj>
S receives a key that selects the correct branch to forward the key to the correct j.
i1..k Pi is the k-way composition P1 |…|Pk
![Page 32: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/32.jpg)
Whole System
Sys(I1,…, Im) := (vkiS)(vkSj)
(Send(I1) |…| Send(Im) |
!S |
!Recv(1) |…| !Recv(n) )
• Where (vkiS)(vkSj) stands for (vk1s)…(vkns)
(vks1)…(vksn) and Sys(I1,…, Im) represents a system with m instances of the protocol.
![Page 33: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/33.jpg)
The Flaw• The protocol is vulnerable to a replay attack.• System: Sys(I,I) where I=(i,j,M) , I=(i,j,M)• An attacker can replay messages of one instance and
get them mistaken for messages of the other instance.
• So M will be passed to F twice and Sys(I,I) could execute two copies of F(i,j,M) although Sys(I,I) can run F for both instances F(i,j,M) and F(i,j,M) only once.
• Therefore the authenticity equation doesn’t hold. Inst(M) ≡ Instspec(M), for all M.
![Page 34: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/34.jpg)
Complete Authentication Example (repaired)
• To protect previous protocol against replay attacks, nonce handshakes (tag in the message to authenticate the sender) are added.
• The new protocol, informally looks like:– Message 1: A→S: A on cs
– Message 2: S→A: Ns on ca
– Message 3: A→S: A,{A,A,B,kab,Ns}kas on cs
– Message 4: S→B: * on cb
– Message 5: B→S: Nb on cs
– Message 6: S→B: {S,A,B, kab, Nb}ksb on cb
– Message 7: A→B: A,{M }kab on cb
• See Appendix for implementation.
![Page 35: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/35.jpg)
What we get with Spi Calculus?
• Protocols in Spi Calculus are tedious. • Good for proofing authenticity and secrecy.• The scope of errors that it can find are
limited though• Spi Calculus is not as general as other
logics, but this lack of generality allows us more confidence in the properties we can prove.
![Page 36: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/36.jpg)
Tool Support
• Spi Calculus does not have any direct tool support.
• Security proprieties must be proven by humans.
• There is however a protocol language Cryptc that is based on Spi Calculus.
![Page 37: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/37.jpg)
Cryptc
• Redefines Spi calculus’s grammar
• Adds protocol beginnings and endings
• Protocols are considered secure if every protocol ending has a distinct beginning.
• Cryptc performs an exhaustive search for paths that generate an end without a begin.
![Page 38: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/38.jpg)
Online References
• A Calculus for Cryptographic Protocols: The Spi CalculusMartin Abadi and Andrew D. GordonDigital SRC Research Report 149January 25, 1998http://gatekeeper.dec.com/pub/DEC/SRC/research-reports/abstracts/src-rr-149.Html
![Page 39: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/39.jpg)
Online References
• Authenticity by Typing for Security ProtocolsA.D. Gordon and A.S.A. JeffreyMicrosoft Research Technical Report MSR-2001-49, 2001ftp://fpl.cs.depaul.edu/pub/ajeffrey/spi-types.ps.gz
• The Cryptc webpage: http://cryptyc.cs.depaul.edu/intro.html
![Page 40: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/40.jpg)
Appendix : Corrected ProtocolSend(i,j,M) := cs<i> |
ci(xnonce).
(vk)(cs<(i,{i,i,j,k,xnonce}kiS )>| cj <(i,{M}k)>)
S := cs(xa).i1..n[xa is i](vNs)(ci<Ns> |
cs(xa,xcipher).[xa is i]
case xcipher of {ya,za,xb,xkey,xnonce}kis in
j1..n[ya is i][za is i][xb is j][xnonce is Ns]
(cj <*> | cS
(ynonce). cj <{S,i,j, xkey,ynonce}ksj>))
![Page 41: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/41.jpg)
Recv(j) := cj(w). (vNb) (cs <Nb> |
cj(ycipher).
case ycipher of {xs, xa, xb, xkey,ynonce}ksj in
j1..n[xs is S][xa is i][xb is j][ynonce is Nb]
cj(za,zcipher).[ za is xa]
case zcipher of {zplain }xkey in F(i,j,zplain))
Sys(I1,…, Im) := (vkiS)(vkSj)
(Send(I1) |…| Send(Im) | !S | !Recv(1) |…| !Recv(n) )
![Page 42: Spi Calculus](https://reader033.vdocument.in/reader033/viewer/2022061617/56815864550346895dc5c3eb/html5/thumbnails/42.jpg)
• Authenticity:
Sys(I1,…,Im) ≡ Sysspec(I1,…,Im) for any
instances I1,…,Im.
This property holds because of the nonces.
• Secrecy:
Sys(I1,…,Im) ≡ Sysspec(J1,…,Jm) if each pair
(I1,J1),…,(Im,Jm) is indistinguishable.