# Spi Calculus - PowerPoint PPT Presentation

## Spi Calculus

Slides: 43
Provided by: mein9
Transcript and Presenter's Notes

Title: Spi Calculus

1
Spi Calculus
• Gokhan Gokoz

2
What Spi Calculus Is
• Spi calculus is a form of pi calculus extended to
support cryptography.
• Pi calculus is a language for describing and
implementing concurrent processes over
communication channels.
• Pi calculus is designed to have a concise
description when compared to CSP.
• Spi calculus adds operators to perform symmetric
cryptography.

3
How Pi and Spi Calculus Are Used
• To verify security properties of protocols.
• Authenticity: Is the implementation equivalent to the specification?
• Secrecy: Can an external process distinguish one instance from another?

4
Basic Facilities of Pi Calculus
• Process: A system is constructed out of a set of concurrent processes.
• Scope: Variables and channels may be restricted to certain processes or they may be global.
• Channel: Processes communicate and synchronize with each other via channels.

5
Scope Extrusion
• Channels may be placed as messages on channels.
• Allows a scope-restricted channel to be used outside of its original scope.
• Allows dataflow analysis.
• Spi calculus adds encryption operators.

6
Pi Grammar
• Pi calculus has four types of objects:
• Names: channels, represented as m, n, p, q, and r.
• Variables: represented as x, y, and z.
• Terms: objects in pi calculus, represented as L, M, N.
• Processes: represented as P, Q, and R.

7
Terms
• A term can take one of the following five forms:
• $n$: the name of a channel.
• $(M, N)$: a pair of terms.
• $0$: the number zero.
• $suc(M)$: the successor of M.
• $x$: a variable.

8
Process Primitives
• $0$: the nil process.
• $P \mid Q$: the process composition operator.
• $!P$: the process replication operator.
• Examples
• $A \triangleq 0$: A is the nil process.
• $B \triangleq\ !A \mid C$: B is an infinite number of A in parallel with C.

9
Process communication
• $\overline{M}\langle N\rangle.P$
• communicates message N on channel M,
• then becomes P.
• $M(x).P$
• blocks until it receives a message N from channel M,
• then becomes P where all occurrences of x in P are replaced by N.
• (We abbreviate such replacements as $P[N/x]$.)
• Examples
• $A \triangleq \overline{c}\langle 0\rangle.0$: A sends nil on c and becomes nil.
• $B \triangleq c(x).0$: B receives x on c and becomes nil.
10
Process Decisions
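• $[M \text{ is } N]\,P$
• P if $M = N$,
• else 0.
• $\text{let } (x,y) = M \text{ in } P$
• $P[N/x][L/y]$ when $M = (N,L)$,
• otherwise 0.
• $\text{case } M \text{ is } 0 : P \;\; suc(x) : Q$
• P when $M = 0$,
• $Q[N/x]$ if $M = suc(N)$,
• 0 if M is not an integer.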

11
Process Decisions
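• Examples
• $A(M,N) \triangleq [M \text{ is } N]\,B$
• A is B if $M = N$; otherwise, A is 0.
• $B(M) \triangleq \text{let } (x,y) = M \text{ in } A(x,y)$
• B is A(x,y) if M is a pair; otherwise, B is 0.
• $C(M) \triangleq \text{case } M \text{ is } 0 : 0 \;\; suc(x) : C(x)$
• C is 0 when $M = 0$.
• C is $C(M-1)$ when $M > 0$.
• C is 0 if $M \notin \mathbb{N}$.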

12
Process Scope and Extrusion
• $(\nu n)P$
• P with the name n bound to P's scope.
• Example
• $A(M) \triangleq (\nu c_p)\,\overline{c_a}\langle c_p\rangle.\overline{c_p}\langle M\rangle.0$
• Send private channel $c_p$ on $c_a$, then send M on $c_p$, then become nil.
• $B \triangleq c_a(x).x(y).0$
• Receive channel x on $c_a$, then receive y on x, then become 0.
• $C \triangleq (\nu c_a)(A(M) \mid B)$
• C is A in parallel with B. Channel $c_a$ is only in A's and B's scope.

13
Spi Calculus Extensions
• $\{M\}_N$: term representing the message M encrypted with the key N.
• $\text{case } L \text{ of } \{x\}_N \text{ in } P$: $P[M/x]$ provided that $L = \{M\}_N$; otherwise it is 0.
• Examples
• $A(M) \triangleq \overline{c_a}\langle \{M\}_k\rangle.0$
• A sends M encrypted with k on $c_a$ and then becomes nil.
• $B \triangleq c_a(y).\text{case } y \text{ of } \{x\}_k \text{ in } F(x)$
• B receives y on $c_a$ and decrypts y into x using k. B then becomes F(x).
• $C(M) \triangleq (\nu c_a)(\nu k)(A(M) \mid B)$
• C is A and B with channel $c_a$ and key k.

14
Process Equivalence
• In Pi Calculus, we write $P \simeq Q$ iff P and Q are indistinguishable to a separate process R.
• In Spi Calculus, we write $P(M) \simeq P(M')$ iff, given the two process instances, a separate process R cannot tell which instance is the instance of M and which the instance of M'.

15
Pi Calculus Example
• Message 1 $A \to B$: $M$ on $c_{ab}$
• $A(M) \triangleq \overline{c_{ab}}\langle M\rangle$
• $B \triangleq c_{ab}(x).F(x)$
• $Inst(M) \triangleq (\nu c_{ab})(A(M) \mid B)$
• Principal A sends message M on channel $c_{ab}$ to principal B.
cab.
• Inst(M) is one instance of the protocol.

16
Pi Calculus Example (cont.)
• Specification
• $A(M) \triangleq \overline{c_{ab}}\langle M\rangle$
• $B_{spec}(M) \triangleq c_{ab}(x).F(M)$
• $Inst_{spec}(M) \triangleq (\nu c_{ab})(A(M) \mid B_{spec}(M))$
• Difference between protocol and specification
• $B_{spec}(M)$ is a variant, which receives input from A and acts like B when B receives M.

17
Security Properties
• Authenticity property
• $Inst(M) \simeq Inst_{spec}(M)$, for all M.
• The protocol with message M is indistinguishable from the specification with message M, for all messages M.
• Secrecy property
• $Inst(M) \simeq Inst(M')$ if $F(M) \simeq F(M')$, for all M, M'.
• If F(M) is indistinguishable from F(M'), then the protocol with message M is indistinguishable from the protocol with message M'.
• These security properties hold because of the restriction on the channel $c_{ab}$.

18
Channel Establishment Example
• Abstract and simplified version of the Wide
Mouthed Frog protocol
• proposed by Michael Burrows in 1989
• passes a restricted channel from A to B via
restricted channels to S.

19
Channel Establishment Example (cont.)
• channels instead of the keys
• channel establishment and data communication
happen only once
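• Message 1 $A \to S$: $c_{ab}$ on $c_{as}$
• Message 2 $S \to B$: $c_{ab}$ on $c_{sb}$
• Message 3 $A \to B$: $M$ on $c_{ab}$

[Figure: principals A, S and B, with arrows labelled "1. new channel", "2. new channel" and "3. Data on new channel".]
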
20
Protocol Implementation
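• $A(M) \triangleq (\nu c_{ab})\,\overline{c_{as}}\langle c_{ab}\rangle.\overline{c_{ab}}\langle M\rangle$
• A sends channel $c_{ab}$ over $c_{as}$, then sends M over $c_{ab}$.
• $S \triangleq c_{as}(x).\overline{c_{sb}}\langle x\rangle$
• S forwards x from $c_{as}$ to $c_{sb}$.
• $B \triangleq c_{sb}(x).x(y).F(y)$
• B receives channel x on $c_{sb}$ and receives y on x.
• $Inst(M) \triangleq (\nu c_{as})(\nu c_{sb})(A(M) \mid S \mid B)$
• Inst is the composition of A, S and B.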

21
Specification
• In the specification, A(M) and S are the same as above.
• $B_{spec}(M) \triangleq c_{sb}(x).x(y).F(M)$
• Here $B_{spec}$ is similar to B except it knows what M is.
• $Inst_{spec}(M) \triangleq (\nu c_{as})(\nu c_{sb})(A(M) \mid S \mid B_{spec}(M))$
• The authenticity and secrecy properties hold.

22
Spi Calculus Example
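• Same as the first Pi example except that a key is used to ensure secrecy.
• Message 1 $A \to B$: $\{M\}_{k_{ab}}$ on $c_{ab}$
• $A(M) \triangleq \overline{c_{ab}}\langle \{M\}_{k_{ab}}\rangle$
• A sends message M, encrypted under a shared key, on $c_{ab}$.
• $B \triangleq c_{ab}(x).\text{case } x \text{ of } \{y\}_{k_{ab}} \text{ in } F(y)$
• B decrypts x into y.
• $Inst(M) \triangleq (\nu k_{ab})(A(M) \mid B)$
• The key $k_{ab}$ is restricted to only A and B.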

23
Spi Example Specification
• Specification
• $A(M) \triangleq \overline{c_{ab}}\langle \{M\}_{k_{ab}}\rangle$
• $B_{spec}(M) \triangleq c_{ab}(x).\text{case } x \text{ of } \{y\}_{k_{ab}} \text{ in } F(M)$
• $Inst_{spec}(M) \triangleq (\nu k_{ab})(A(M) \mid B_{spec}(M))$
• Authenticity and secrecy properties are confirmed under a coarse-grained equivalence, since an observer can definitely distinguish between $P(M)$ and $P(M')$.

24
Key establishment in Spi Calculus
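• Same as the Pi frog protocol, with keys used
• Message 1 $A \to S$: $\{k_{ab}\}_{k_{as}}$ on $c_{as}$
• Message 2 $S \to B$: $\{k_{ab}\}_{k_{sb}}$ on $c_{sb}$
• Message 3 $A \to B$: $\{M\}_{k_{ab}}$ on $c_{ab}$

[Figure: principals A, S and B, with arrows labelled "1. new key kab under kas", "2. new key kab under ksb" and "3. Data under new key kab".]
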
25
Protocol
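• $A(M) \triangleq (\nu k_{ab})(\overline{c_{as}}\langle \{k_{ab}\}_{k_{as}}\rangle.\overline{c_{ab}}\langle \{M\}_{k_{ab}}\rangle)$
• A sends a key $k_{ab}$ to the server S and uses $k_{ab}$ to encrypt M to send to B.
• $S \triangleq c_{as}(x).\text{case } x \text{ of } \{y\}_{k_{as}} \text{ in } \overline{c_{sb}}\langle \{y\}_{k_{sb}}\rangle$
• S forwards the key contained in x via the shared key $k_{as}$.
• $B \triangleq c_{sb}(x).\text{case } x \text{ of } \{y\}_{k_{sb}} \text{ in } c_{ab}(z).\text{case } z \text{ of } \{w\}_y \text{ in } F(w)$
• B receives and decrypts the key in x, then uses that key to get the message w.
• $Inst(M) \triangleq (\nu k_{as})(\nu k_{sb})(A(M) \mid S \mid B)$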

26
Specification
• Principals A(M) and S are the same as in the protocol.
• $B_{spec}(M) \triangleq c_{sb}(x).\text{case } x \text{ of } \{y\}_{k_{sb}} \text{ in } c_{ab}(z).\text{case } z \text{ of } \{w\}_y \text{ in } F(M)$
• $Inst_{spec}(M) \triangleq (\nu k_{as})(\nu k_{sb})(A(M) \mid S \mid B_{spec}(M))$
• The specification is more complex than the protocol, but $B_{spec}(M)$ applies F only to the data from A and not to a message resulting from an attack or error.

27
Complete Authentication Example (with a flaw)
• A server and n other principals
• Each principal's input channels are public and are named $c_1, c_2, \ldots, c_n$ and $c_s$.
• The server shares a pair of keys with each other principal, $k_{si}$ and $k_{is}$.
• Message sequence
• Message 1 $A \to S$: $A, \{B, k_{ab}\}_{k_{as}}$ on $c_s$
• Message 2 $S \to B$: $\{A, k_{ab}\}_{k_{sb}}$ on $c_b$
• Message 3 $A \to B$: $A, \{M\}_{k_{ab}}$ on $c_b$

28
Instance of the protocol
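• We have two principals (A and B) and the message sent after key establishment.
• Instance I is a triple (i,j,M) where
• $Send(i,j,M) \triangleq (\nu k)(\overline{c_s}\langle (i, \{j,k\}_{k_{iS}})\rangle \mid \overline{c_j}\langle (i, \{M\}_k)\rangle)$
• $Recv(j) \triangleq c_j(y_{cipher}).\text{case } y_{cipher} \text{ of } \{x_a, x_{key}\}_{k_{Sj}} \text{ in } c_j(z_a, z_{cipher}).[x_a \text{ is } z_a]\ \text{case } z_{cipher} \text{ of } \{z_{plain}\}_{x_{key}} \text{ in } F(x_a, j, z_{plain})$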

29
Instance of the protocol (Sending)
• $Send(i,j,M) \triangleq (\nu k)(\overline{c_s}\langle (i, \{j,k\}_{k_{iS}})\rangle \mid \overline{c_j}\langle (i, \{M\}_k)\rangle)$
• Creates a key k and sends it to the server along with the names i and j of the principals of the instance.
• Sends M under k with its name i.

30
Instance of the protocol (Receiving)
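• $Recv(j) \triangleq c_j(y_{cipher}).\text{case } y_{cipher} \text{ of } \{x_a, x_{key}\}_{k_{Sj}} \text{ in } c_j(z_a, z_{cipher}).[x_a \text{ is } z_a]\ \text{case } z_{cipher} \text{ of } \{z_{plain}\}_{x_{key}} \text{ in } F(x_a, j, z_{plain})$
• Waits for a message $y_{cipher}$ from the server and extracts $x_{key}$ from this message.
• Then waits for a message $z_{cipher}$ under this key.
• At the end, applies F to the name $x_a$ of the presumed sender, to j, and to the contents $z_{plain}$ of the message.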

31
Server
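• The server S is the same for all instances.
• $S \triangleq c_s(x_a, x_{cipher}).\prod_{i \in 1..n} [x_a \text{ is } i]\ \text{case } x_{cipher} \text{ of } \{x_b, x_{key}\}_{k_{is}} \text{ in } \prod_{j \in 1..n} [x_b \text{ is } j]\ \overline{c_j}\langle \{x_a, x_{key}\}_{k_{sj}}\rangle$
• S receives a key that selects the correct branch to forward the key to the correct j.
• $\prod_{i \in 1..k} P_i$ is the k-way composition $P_1 \mid \cdots \mid P_k$.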
32
Whole System
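• $Sys(I_1, \ldots, I_m) \triangleq (\nu k_{iS})(\nu k_{Sj})\,(Send(I_1) \mid \cdots \mid Send(I_m) \mid\ !S \mid\ !Recv(1) \mid \cdots \mid\ !Recv(n))$
• Where $(\nu k_{iS})(\nu k_{Sj})$ stands for $(\nu k_{1s}) \cdots (\nu k_{ns})(\nu k_{s1}) \cdots (\nu k_{sn})$, and $Sys(I_1, \ldots, I_m)$ represents a system with m instances of the protocol.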

33
The Flaw
• The protocol is vulnerable to a replay attack.
• System $Sys(I, I')$ where $I = (i,j,M)$, $I' = (i,j,M')$.
• An attacker can replay messages of one instance and get them mistaken for messages of the other instance.
• So M will be passed to F twice, and $Sys(I, I')$ could execute two copies of $F(i,j,M)$, although $Sys(I, I')$ can run F for both instances, $F(i,j,M)$ and $F(i,j,M')$, only once.
• Therefore the authenticity equation doesn't hold: $Inst(M) \simeq Inst_{spec}(M)$, for all M.

34
Complete Authentication Example (repaired)
• To protect previous protocol against replay
attacks, nonce handshakes (tag in the message to
• The new protocol, informally, looks like:
• Message 1 $A \to S$: $A$ on $c_s$
• Message 2 $S \to A$: $N_s$ on $c_a$
• Message 3 $A \to S$: $A, \{A, A, B, k_{ab}, N_s\}_{k_{as}}$ on $c_s$
• Message 4 $S \to B$: on $c_b$
• Message 5 $B \to S$: $N_b$ on $c_s$
• Message 6 $S \to B$: $\{S, A, B, k_{ab}, N_b\}_{k_{sb}}$ on $c_b$
• Message 7 $A \to B$: $A, \{M\}_{k_{ab}}$ on $c_b$
• See Appendix for implementation.

35
What we get with Spi Calculus?
• Protocols in Spi Calculus are tedious.
• Good for proving authenticity and secrecy.
• The scope of errors that it can find is limited, though.
• Spi Calculus is not as general as other logics,
but this lack of generality allows us more
confidence in the properties we can prove.

36
Tool Support
• Spi Calculus does not have any direct tool
support.
• Security properties must be proven by humans.
• There is, however, a protocol language, Cryptyc, that is based on Spi Calculus.

37
Cryptyc
• Redefines Spi calculus's grammar
• Adds protocol beginnings and endings
• Protocols are considered secure if every protocol ending has a distinct beginning.
• Cryptyc performs an exhaustive search for paths that generate an end without a begin.
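
The replay flaw in the first authentication protocol and the begin/end criterion just described can be checked together in a symbolic model; the following Python is an added example, not part of the slides and not Cryptyc itself. Assumptions: the function names, the constructed key and message values, a nonce slot set to None to stand for the flawed message 2, and the repaired handshake reduced to B's nonce (messages 5 and 6).

```python
from collections import Counter
from itertools import count

fresh = count()  # source of fresh names, models (nu k) and (nu N)

def enc(payload, key):  # symbolic term {payload}key
    return ("enc", payload, key)
def dec(term, key):  # case term of {x}key: the payload, or None (process 0)
    return term[1] if term[0] == "enc" and term[2] == key else None

def send(i, j, M, keys, trace):
    """Send(i,j,M): fresh key k, message 1 for S and message 3 for j."""
    k = ("k", next(fresh))
    trace.append(("begin", i, j, M))
    return (i, enc((j, k), keys[i, "S"])), (i, enc(M, k))

def server(msg1, keys, nonce=None):
    """S: re-encrypt the key for the responder named in message 1."""
    xa, xcipher = msg1
    xb, xkey = dec(xcipher, keys[xa, "S"])
    return enc((xa, xkey, nonce), keys["S", xb])

def recv(j, from_s, from_a, keys, trace, nonce=None):
    """Recv(j): run F, logged as an 'end' event, only if all checks pass."""
    body = dec(from_s, keys["S", j])
    if body is None or body[2] != nonce:  # repaired: nonce must be this run's
        return
    xa, xkey, _ = body
    za, zcipher = from_a
    zplain = dec(zcipher, xkey) if za == xa else None
    if zplain is not None:
        trace.append(("end", xa, j, zplain))

def unmatched_ends(trace):  # ends that have no distinct begin
    begins = Counter(e[1:] for e in trace if e[0] == "begin")
    ends = Counter(e[1:] for e in trace if e[0] == "end")
    return ends - begins

def run(repaired):
    keys = {("A", "S"): "kAS", ("S", "B"): "kSB"}  # constructed long-term keys
    trace = []
    msg1, msg3 = send("A", "B", "M", keys, trace)  # instance I
    send("A", "B", "M'", keys, trace)              # instance I', never delivered
    n1 = ("N", next(fresh)) if repaired else None
    from_s = server(msg1, keys, n1)                # both messages are recorded
    recv("B", from_s, msg3, keys, trace, n1)       # honest delivery
    n2 = ("N", next(fresh)) if repaired else None  # second copy of !Recv(B)
    recv("B", from_s, msg3, keys, trace, n2)       # replay of the recording
    return unmatched_ends(trace)
```

`run(False)` reports one end event for (A, B, M) without its own begin, which is the authenticity failure; `run(True)` reports none because the replayed server message carries the first run's nonce.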

38
Online References
• A Calculus for Cryptographic Protocols: The Spi Calculus. Martin Abadi and Andrew D. Gordon. Digital SRC Research Report 149, January 25, 1998. http://gatekeeper.dec.com/pub/DEC/SRC/research-reports/abstracts/src-rr-149.html

39
Online References
• Authenticity by Typing for Security Protocols. A.D. Gordon and A.S.A. Jeffrey. Microsoft Research Technical Report MSR-2001-49, 2001. ftp://fpl.cs.depaul.edu/pub/ajeffrey/spi-types.ps.gz
• The Cryptyc webpage: http://cryptyc.cs.depaul.edu/intro.html

40
Appendix Corrected Protocol
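• $Send(i,j,M) \triangleq \overline{c_s}\langle i\rangle \mid c_i(x_{nonce}).(\nu k)(\overline{c_s}\langle (i, \{i,i,j,k,x_{nonce}\}_{k_{iS}})\rangle \mid \overline{c_j}\langle (i, \{M\}_k)\rangle)$
• $S \triangleq c_s(x_a).\prod_{i \in 1..n} [x_a \text{ is } i](\nu N_s)(\overline{c_i}\langle N_s\rangle \mid c_s(x'_a, x_{cipher}).[x'_a \text{ is } i]\ \text{case } x_{cipher} \text{ of } \{y_a, z_a, x_b, x_{key}, x_{nonce}\}_{k_{is}} \text{ in } \prod_{j \in 1..n} [y_a \text{ is } i][z_a \text{ is } i][x_b \text{ is } j][x_{nonce} \text{ is } N_s](\overline{c_j}\langle\,\rangle \mid c_S(y_{nonce}).\overline{c_j}\langle \{S,i,j,x_{key},y_{nonce}\}_{k_{sj}}\rangle))$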

41
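• $Recv(j) \triangleq c_j(w).(\nu N_b)(\overline{c_s}\langle N_b\rangle \mid c_j(y_{cipher}).\text{case } y_{cipher} \text{ of } \{x_s, x_a, x_b, x_{key}, y_{nonce}\}_{k_{sj}} \text{ in } \prod_{j \in 1..n} [x_s \text{ is } S][x_a \text{ is } i][x_b \text{ is } j][y_{nonce} \text{ is } N_b]\ c_j(z_a, z_{cipher}).[z_a \text{ is } x_a]\ \text{case } z_{cipher} \text{ of } \{z_{plain}\}_{x_{key}} \text{ in } F(i,j,z_{plain}))$
• $Sys(I_1, \ldots, I_m) \triangleq (\nu k_{iS})(\nu k_{Sj})\,(Send(I_1) \mid \cdots \mid Send(I_m) \mid\ !S \mid\ !Recv(1) \mid \cdots \mid\ !Recv(n))$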

42
• Authenticity
• $Sys(I_1, \ldots, I_m) \simeq Sys_{spec}(I_1, \ldots, I_m)$ for any instances $I_1, \ldots, I_m$.
• This property holds because of the nonces.
• Secrecy
• $Sys(I_1, \ldots, I_m) \simeq Sys_{spec}(J_1, \ldots, J_m)$ if each pair $(I_1, J_1), \ldots, (I_m, J_m)$ is indistinguishable.