Process Calculus and Security 18739A: Foundations of Security and Privacy Anupam Datta Fall 2007-08.

Slides:



Advertisements
Similar presentations
07/09/2014 Agay Spring School, March'02 Mobility 2 : Mobile Values Cédric Fournet Microsoft Research Cambridge (joint work with Martin Abadi)
Advertisements

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Programming Paradigms for Concurrency Lecture 11 Part III – Message Passing Concurrency TexPoint fonts used in EMF. Read the TexPoint manual before you.
Security Definitions in Computational Cryptography
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)
Course on Probabilistic Methods in Concurrency (Concurrent Languages for Probabilistic Asynchronous Communication) Lecture 1 The pi-calculus and the asynchronous.
Feb 18, 2003Mårten Trolin1 Previous lecture Block ciphers Modes of operations First assignment Hash functions.
CS 395T Computational Soundness of Formal Models.
Session 4 Asymmetric ciphers.
Security Chapters 14,15. The Security Environment Threats Security goals and threats.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Analysis of Security Protocols (V) John C. Mitchell Stanford University.
ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Unifying Equivalence-Based Definitions of Protocol Security A. Datta, R. Küsters, J. C. Mitchell, A. Ramanathan, V. Shmatikov Stanford University SRI International.
Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan.
Spi Calculus Gokhan Gokoz Chad R. Meiners. What Spi Calculus Is Spi calculus is a form of pi calculus extended to support cryptography. Pi calculus is.
Overview of Cryptography Anupam Datta CMU Fall A: Foundations of Security and Privacy.
Unifying Equivalence-Based Definitions of Protocol Security A. Datta, R. Küsters, J. C. Mitchell, A. Ramanathan, V. Shmatikov Stanford University SRI International.
Just Fast Keying (JFK) Protocol 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Equivalence-Based Security Specifications A. Datta, R Küsters, J. Mitchell, A. Ramanathan, V. Shmatikov A. Scedrov, V. Teague, P. Mateus.
CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Feb 19, 2002Mårten Trolin1 Previous lecture Practical things about the course. Example of cryptosystem — substitution cipher. Symmetric vs. asymmetric.
Universally Composable Symbolic Analysis of Security Protocols Jonathan Herzog (Joint work with Ran Canetti) 7 June 2004 The author's affiliation with.
Automatic Implementation of provable cryptography for confidentiality and integrity Presented by Tamara Rezk – INDES project - INRIA Joint work with: Cédric.
Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.
A Cryptography Tutorial Jim Xu College of Computing Georgia Tech
1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Public Key Model 8. Cryptography part 2.
CS5204 – Fall Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.
Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.
Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.
Security in Process Calculi CS 259 Vitaly Shmatikov.
Authentication and Authorization Authentication is the process of verifying a principal’s identity (but how to define “identity”?) –Who the person is –Or,
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
The Spi Calculus A Calculus for Cryptographic Protocols Presented By Ramesh Yechangunja.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof.
Basic Cryptography 1. What is cryptography? Cryptography is a mathematical method of protecting information –Cryptography is part of, but not equal to,
1 Reasoning about Concrete Security in Protocol Proofs A. Datta, J.Y. Halpern, J.C. Mitchell, R. Pucella, A. Roy.
A Quick Tour of Cryptographic Primitives Anupam Datta CMU Fall A: Foundations of Security and Privacy.
Security in Process Calculi CS 395T. Overview uPi calculus Core language for parallel programming Modeling security via name scoping uApplied pi calculus.
Digital Signatures, Message Digest and Authentication Week-9.
Alternative Wide Block Encryption For Discussion Only.
Lecture 2: Introduction to Cryptography
Authenticated Key Exchange I. Definitions I. MAP I. matching conversations II. oracles II. (I)KA II. AKEP2 III. AKEP2 Security I. Session Keys II. Perfect.
JFK Protocol in Applied Pi Calculus CS 395T. Proving Security u“Real” protocol Process-calculus specification of the actual protocol u“Ideal” protocol.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
Cryptography services Lecturer: Dr. Peter Soreanu Students: Raed Awad Ahmad Abdalhalim
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Symmetric Cryptography
Key Exchange References: Applied Cryptography, Bruce Schneier
Process Calculus and Security
Just Fast Keying (JFK) Protocol
Cryptography Basics and Symmetric Cryptography
Security through Encryption
Probabilistic Polynomial-Time Calculus
Outline Using cryptography in networks IPSec SSL and TLS.
Chapter -7 CRYPTOGRAPHIC HASH FUNCTIONS
Presentation transcript:

Process Calculus and Security 18739A: Foundations of Security and Privacy Anupam Datta Fall

Overview uPi calculus Core language for parallel programming Modeling security via name scoping uApplied pi calculus Modeling cryptographic primitives with functions and equational theories Equivalence-based notions of security A little bit of operational semantics Security as testing equivalence

Pi Calculus uModeling language for concurrent systems High-level mathematical model of parallel processes A “core” of concurrent programming languages By comparison, lambda-calculus is the “core” of functional programming languages uMobility is a basic primitive Basic computational step is the transfer of a communication link between two processes Interconnections between processes change as they communicate uCan be used as a general programming language In theory at least; see Pierce’s Pict implementation [Milner et al.]

A Little Bit of History u1980: Calculus of Communicating Systems (CCS) u1992: Pi Calculus [Milner, Parrow, Walker] Ability to pass channel names between processes u1998: Spi Calculus [Abadi, Gordon] Adds cryptographic primitives to pi calculus Security modeled as scoping Equivalence-based specification of security properties Connection with computational models of cryptography u2001: Applied Pi Calculus [Abadi, Fournet] Generic functions, including crypto primitives [Milner]

Pi Calculus Syntax uTerms M, N ::= x variables | n names uProcesses P,Q ::= nil empty process | ū  N .P send term N on channel u | u(x).P receive term from channel P and assign to x | !P replicate process P | P|Q run processes P and Q in parallel | ( n)P restrict name n to process P Let u range over names and variables }

Examples uProcess to send a message c  M  uProcess to receive x and send x+1 c(x). c  x+1  uProcess to compute n factorial c(n,1) | ![ c(x,y). if x>0 then c  x-1,y*x  else d  y  ] uWith input and output from channel d d(z). ( c)( c(z,1) | ![ … if … then … else d  y  ] ) Other processes can send, receive on d, but cannot see actions on private channel c

Modeling Secrecy with Scoping A(M) = c  M  B = c(x).nil P(M) = ( c)(A(M)|B) AB M channel c uA sends M to B over secure channel c This restriction ensures that channel c is “invisible” to any process except A and B (other processes don’t know name c) -

Secrecy as Equivalence A(M) = c  M  B = c(x).nil P(M) = ( c)(A(M)|B) Without ( c), attacker could run process c(x) and tell the difference between P(M) and P(M’) - uP(M) and P(M’) are “equivalent” for any values of M and M’ No attacker can distinguish P(M) and P(M’)

Another Formulation of Secrecy A(M) = c  M  B = c(x).nil P(M) = ( c)(A(M)|B) - uNo attacker can learn name n from P(n) Let Q be an arbitrary attacker process, and suppose it runs in parallel with P(n) For any process Q in which n does not occur, P(n) | Q will never output n

Modeling Authentication with Scoping A(M) = c  M  B = c(x).d  x  P(M) = ( c)(A(M)|B) AB M channel c uA sends M to B over secure channel c uB announces received value on public channel d - M channel d -

Specifying Authentication A(M) = c  M  B = c(x).d  x  P(M) = ( c)(A(M)|B) - uFor any value of M, if B outputs M on channel d, then A previously sent M on channel c -

A Key Establishment Protocol AB S 1.A and B have pre-established pairwise keys with server S uModel these keys as names of pre-existing communication channels 2.A creates a new key and sends it to S, who forwards it to B uModel this as creation of a new channel name 3.A sends M to B encrypted with the new key, B outputs M C AS C SB Create new channel C AB Send name C AB Send data on C AB M channel d M

Key Establishment in Pi Calculus AB S C AS C SB Create new channel C AB Send name C AB Send data on C AB M channel d M A(M) = ( c AB ) S = c AS (x).c SB  x  B = c SB (x) P(M) = ( c AS )( c SB )(A(M)|B|S) __ _ Note communication on a channel with a dynamically generated name.c AB  M  c AS  c AB .x(y).dy.x(y).dy

Applied Pi Calculus uIn pure pi calculus, channels are the only primitive uThis is enough to model some forms of security Name of a communication channel can be viewed as an “encryption key” for traffic on that channel –A process that doesn’t know the name can’t access the channel Channel names can be passed between processes –Useful for modeling key establishment protocols uTo simplify protocol specification, applied pi calculus adds functions to pi calculus Crypto primitives modeled by functions and equations

Applied Pi Calculus: Terms M, N ::= x Variable | n Name | f(M 1,...,M k ) Function application uStandard functions pair(), encrypt(), hash(), … uSimple type system for terms Integer, Key, Channel  Integer , Channel  Key 

Applied Pi Calculus: Processes P,Q ::= nil empty process | ū  N .P send term N on channel u | u(x).P receive from channel P and assign to x | !P replicate process P | P|Q run processes P and Q in parallel | ( n)P restrict name n to process P | if M = N conditional then P else Q

Modeling Crypto with Functions uIntroduce special function symbols to model cryptographic primitives uEquational theory models cryptographic properties uPairing Functions pair, first, second with equations: first(pair(x,y)) = x second(pair(x,y)) = y uSymmetric-key encryption Functions symenc, symdec with equation: symdec(symenc(x,k),k)=x

More Equational Theories uPublic-key encryption Functions pk,sk generate public/private key pair pk(x),sk(x) from a random seed x Functions pdec,penc model encryption and decryption with equation: pdec(penc(y,pk(x)),sk(x)) = y Can also model “probabilistic” encryption: pdec(penc(y,pk(x),z),sk(x)) = y uHashing Unary function hash with no equations hash(M) models applying a one-way function to term M Models random salt (necessary for semantic security)

Yet More Equational Theories uPublic-key digital signatures As before, functions pk,sk generate public/private key pair pk(x),sk(x) from a random seed x Functions sign,verify model signing and verification with equation: verify(y,sign(y,sk(x)),pk(x)) = y uXOR Model self-cancellation property with equation: xor(xor(x,y),y) = x Can also model properties of cyclic redundancy codes: crc(xor(x,y)) = xor(crc(x),crc(y))

Dynamically Generated Data A(M) = c  (M,s)  B = c(x).if second(x)=s then d  first(x)  P(M) = ( s)(A(M)|B) AB (M,s) channel c uUse built-in name generation capability of pi calculus to model creation of new keys and nonces - M channel d - Models creation of fresh capability every time A and B communicate capability s may be intercepted!

Better Protocol with Capabilities A(M) = c  (M,hash(s,M))  B = c(x).if second(x)= hash(s,first(x)) then d  first(x)  P(M) = ( s)(A(M)|B) AB (M,hash(s,M)) channel c - M channel d - Hashing protects integrity of M and secrecy of s

Operational Semantics uReduction  is the smallest relation on closed processes that is closed by structural equivalence and application of evaluation contexts such that ā  M .P | a(x).Q  P | Q[M/x] models P sending M to Q on channel a if M = M then P else Q  P if M = N then P else Q  Q for any ground M, N s.t. M  N in the equational theory

Outline uApplied Pi Calculus Syntax Operational Semantics Expressing and proving security properties

Proving Security u“Real” protocol Process-calculus specification of the actual protocol u“Ideal” protocol Achieves the same goal as the real protocol, but is secure by design Uses unrealistic mechanisms, e.g., private channels Represents the desired behavior of real protocol uTo prove the real protocol secure, show that no attacker can tell the difference between the real protocol and the ideal protocol Proof will depend on the model of attacker observations

Is Bart Smart? Who is in the box? Can’t tell => Both equally smart

Example: Challenge-Response uChallenge-response protocol A  B{i} k B  A{i+1} k uThis protocol is secure if it is indistinguishable from this “ideal” protocol A  B{random 1 } k B  A{random 2 } k

Example: Authentication uAuthentication protocol A  B{i} k B  A{i+1} k A  B“Ok” uThis protocol is secure if it is indistinguishable from this “ideal” protocol A  B{random 1 } k B  A{random 2 } k B  A random 1, random 2 on a magic secure channel A  B“Ok” if numbers on real & magic channels match

Security as Observational Equivalence uNeed to prove that two processes are observationally equivalent to the attacker uComplexity-theoretic model Prove that two systems cannot be distinguished by any probabilistic polynomial-time adversary [Beaver ’91, Goldwasser-Levin ’90, Micali-Rogaway ’91] uAbstract process-calculus model Cryptography is modeled by abstract functions Prove testing equivalence between two processes Proofs are easier, but it is nontrivial to show computational completeness [Abadi-Rogaway ’00]

Structural Equivalence P | nil  P P | Q  Q | P P | (Q | R)  (P | Q) | R !P  P | !P ( m) ( n)P  ( n) ( m)P ( n)nil  nil ( n)(P | Q)  P | ( n)Q if n is not a free name in P P[M/x]  P[N/x] if M=N in the equational theory

uStandard process-calculus notions of equivalence such as bisimulation are not adequate for cryptographic protocols Different ciphertexts leak no information to the attacker who does not know the decryption keys u( k)c  symenc(M,k)  and ( k)c  symenc(N,k)  send different messages, but they should be treated as equivalent when proving security In each case, a term is encrypted under a fresh key Equivalence in Process Calculus --

Note uThe next few slides are quite technical uWill revisit these concepts in a later lecture with examples

Observational Equivalence

Static Equivalence uFrames are static knowledge exported by a process to the execution environment Assignment of values to variables –{x=M, y=enc k (M,x), …} Attacker (i.e., environment) learns these values uTwo frames  and  are statically equivalent if they map the same variables to equal values –Dom(  )=Dom(  ) and  terms M, N (M=N)  iff (M=N)  uTwo processes are statically equivalent if they export the same knowledge to the environment –A  s B if their frames are statically equivalent

Labeled Bisimilarity  Labeled bisimilarity is the largest symmetric relation R on closed processes s.t. A R B implies 1.A  s B 2.If A  A’, then B  * B’ and A’ R B’ for some B’ 3.If A  A’ and freevars(  )  dom(A) and boundnames(  )  freenames(B) = , then B  *   * B’ and A’ R B’ for some B’ uWhy labeled bisimilarity? Congruence:  context C[], A  l B implies C[A]  l C[B] Easier to check than direct observational equivalence: only care about steps that export values to environment  

Advantages and Disadvantages uProving testing equivalence is hard Need to quantify over all possible attacker processes and all tests they may perform uTesting equivalence is a congruence Can compose protocols like building blocks

Bibliography uRobin Milner. “Communication and Concurrency”. Prentice- Hall, Calculus of communicating systems (CCS) uRobin Milner. “Communicating and Mobile Systems: the  - Calculus”. Cambridge University Press, Pi calculus uMartin Abadi and Andrew Gordon. “A calculus for cryptographic protocols: the spi-calculus”. Information and Computation 148(1), Spi calculus uMartin Abadi and Cedric Fournet. “Mobile values, new names, and secure communication”. POPL Applied pi calculus

Acknowledgement uLecture based on slides from J. Mitchell and V. Shmatikov