The Spi Calculus: A Calculus for Cryptographic Protocols
Presented by Ramesh Yechangunja
Introduction
Developed by Martín Abadi and Andrew D. Gordon at the Systems Research Center, the spi calculus is an extension of the pi calculus with cryptographic primitives, designed for describing and analyzing cryptographic protocols.
Features
- Reliance on the powerful scoping constructs of the pi calculus
- Radical definition of the environment as an arbitrary spi calculus process
- Representation of security properties, both integrity and secrecy, as equivalences
Basics
- Channels may be restricted, so that only certain processes may communicate on them (similar to CSP).
- The scope of a restriction may change during computation. This is termed scope extrusion (different from the earlier process calculi).
- An output process ā‹N›.P is ready to output on channel a. If an interaction occurs, term N is communicated on a and then process P runs.
- An input process a(x).P is ready to input from channel a. If an interaction occurs in which N is communicated on a, then process P[N/x] runs.
- A composition P|Q behaves as processes P and Q running in parallel.
- A restriction (νn)P is a process that makes a new, private name n, and then behaves as P.
- A pair splitting process let (x,y) = M in P behaves as P[N/x][L/y] if term M is the pair (N,L). Otherwise, the process is stuck.
In addition, the spi calculus introduces primitives for shared-key cryptography:
- The term {M}_N represents the ciphertext obtained by encrypting M under the key N.
- The process case L of {x}_N in P attempts to decrypt the term L with the key N. If L is a ciphertext of the form {M}_N, then the process behaves as P[M/x]. Otherwise, the process is stuck.
A first cryptographic example
Consider two principals A and B that share a key K_AB and a public channel c_AB. The protocol is simply that A sends a message M under K_AB to B, on c_AB.
Message 1 A→B: {M}_{K_AB} on c_AB
In the spi calculus, we write:
A(M) ≜ c_AB‹{M}_{K_AB}›
B ≜ c_AB(x).case x of {y}_{K_AB} in F(y)
Inst(M) ≜ (νK_AB)(A(M) | B)
Security properties are expressed as equivalences. We use the following specification:
A(M) ≜ c_AB‹{M}_{K_AB}›
B_spec(M) ≜ c_AB(x).case x of {y}_{K_AB} in F(M)
Inst_spec(M) ≜ (νK_AB)(A(M) | B_spec(M))
We obtain the properties:
Authenticity: Inst(M) ≃ Inst_spec(M), for all M
Secrecy: Inst(M) ≃ Inst(M'), if F(M) ≃ F(M'), for all M, M'
An example with key establishment
We consider the Wide Mouthed Frog protocol.
[Figure: the three message flows among A, S and B. 1. new key K_AB under K_AS; 2. new key K_AB under K_SB; 3. data under the new key K_AB]
The protocol is:
Message 1 A→S: {K_AB}_{K_AS} on c_AS
Message 2 S→B: {K_AB}_{K_SB} on c_SB
Message 3 A→B: {M}_{K_AB} on c_AB
In the spi calculus, we can express it as:
A(M) ≜ (νK_AB)(c_AS‹{K_AB}_{K_AS}›. c_AB‹{M}_{K_AB}›)
S ≜ c_AS(x).case x of {y}_{K_AS} in c_SB‹{y}_{K_SB}›
B ≜ c_SB(x).case x of {y}_{K_SB} in c_AB(z).case z of {w}_y in F(w)
Inst(M) ≜ (νK_AS)(νK_SB)(A(M) | S | B)
A complete authentication example (with a flaw)
Consider a system with a server and n other principals. Each principal has a public input channel, namely c_1, c_2, …, c_n and c_S. The server shares a pair of keys with each other principal, K_Si and K_iS. We extend the previous example to these n+1 principals:
Message 1 A→S: A,{B,K_AB}_{K_AS} on c_S
Message 2 S→B: {A,K_AB}_{K_SB} on c_B
Message 3 A→B: A,{M}_{K_AB} on c_B
An instance of the protocol is determined by a choice of parties and by the message sent, i.e. an instance I is the triple (i,j,M), where i is the source address and j the destination address.
Given an instance (i,j,M), the following process corresponds to the role of A:
Send(i,j,M) ≜ (νK)(c_S‹(i,{j,K}_{K_iS})› | c_j‹(i,{M}_K)›)
The following process corresponds to the role of B:
Recv(j) ≜ c_j(y_cipher).case y_cipher of {x_A,x_key}_{K_Sj} in
            c_j(z_A,z_cipher).[x_A is z_A]
            case z_cipher of {z_plain}_{x_key} in F(x_A, j, z_plain)
The server S is the same for all instances:
S ≜ c_S(x_A,x_cipher).
      Π_{i∈1..n} [x_A is i] case x_cipher of {x_B,x_key}_{K_iS} in
      Π_{j∈1..n} [x_B is j] c_j‹{x_A,x_key}_{K_Sj}›
where Π_{i∈1..k} P_i is the k-way composition P_1 | … | P_k.
Finally we define a whole system, parameterized on a list of instances of the protocol:
Sys(I_1,…,I_m) ≜ (νK_Si)(νK_iS)(Send(I_1) | … | Send(I_m) | !S | !Recv(1) | … | !Recv(n))
Unfortunately, the protocol is vulnerable to a replay attack that invalidates authenticity: an attacker can replay messages of one instance and have them mistaken for messages of another instance.
A complete authentication example (repaired)
The previous protocol is improved by adding nonce handshakes as protection against replay attacks. The new protocol is:
Message 1 A→S: A on c_S
Message 2 S→A: N_S on c_A
Message 3 A→S: A,{A,A,B,K_AB,N_S}_{K_AS} on c_S
Message 4 S→B: * on c_B
Message 5 B→S: N_B on c_S
Message 6 S→B: {S,A,B,K_AB,N_B}_{K_SB} on c_B
Message 7 A→B: A,{M}_{K_AB} on c_B
In the spi calculus, nonces are represented as newly created names.
Send(i,j,M) ≜ c_S‹i› | c_i(x_nonce).
                (νK)(c_S‹(i,{i,i,j,K,x_nonce}_{K_iS})› | c_j‹(i,{M}_K)›)
S ≜ c_S(x_A). Π_{i∈1..n} [x_A is i] (νN_S)(c_i‹N_S› |
      c_S(x'_A,x_cipher).[x'_A is i]
      case x_cipher of {y_A,z_A,x_B,x_key,x_nonce}_{K_iS} in
      Π_{j∈1..n} [y_A is i][z_A is i][x_B is j][x_nonce is N_S]
      (c_j‹*› | c_S(y_nonce). c_j‹{S,i,j,x_key,y_nonce}_{K_Sj}›))
Recv(j) ≜ c_j(w).(νN_B)(c_S‹N_B› | c_j(y_cipher).
      case y_cipher of {x_S,x_A,x_B,x_key,y_nonce}_{K_Sj} in
      Π_{i∈1..n} [x_S is S][x_A is i][x_B is j][y_nonce is N_B]
      c_j(z_A,z_cipher).[z_A is x_A]
      case z_cipher of {z_plain}_{x_key} in F(i, j, z_plain))
Sys(I_1,…,I_m) ≜ (νK_Si)(νK_iS)(Send(I_1) | … | Send(I_m) | !S | !Recv(1) | … | !Recv(n))
The authenticity property is obtained:
Authenticity: Sys(I_1,…,I_m) ≃ Sys_spec(I_1,…,I_m), for any instances I_1,…,I_m
This holds because of the nonces.
Secrecy: Sys(I_1,…,I_m) ≃ Sys_spec(J_1,…,J_m), if each pair (I_1,J_1),…,(I_m,J_m) is indistinguishable.
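As an added example (not from the slides or from Abadi and Gordon), the following Python models the case and [x is y] constructs symbolically and runs the Recv(j) process of the flawed protocol and of the repaired protocol, first against an honest delivery and then against a redelivery of the recorded messages, which is exactly what the nonce check N_B is meant to reject. Ciphertexts {M}_K are tagged tuples, the key and principal names are constructed placeholders, and a process that gets stuck yields None.

```python
import itertools
class Stuck(Exception): pass   # the process is stuck: no reduction rule applies

def enc(m, k):                 # the term {M}_K as a symbolic tagged tuple
    return ("enc", m, k)
def case_decrypt(cipher, key):  # case L of {x}_K in P: plaintext for x, else stuck
    if isinstance(cipher, tuple) and cipher[0] == "enc" and cipher[2] == key:
        return cipher[1]
    raise Stuck("case: not a ciphertext under this key")
def match(a, b):               # [a is b] P: continue only if the names are equal
    if a != b:
        raise Stuck(f"[{a} is {b}] failed")

_counter = itertools.count()
def fresh_nonce():             # (νN_B): a newly created name, never reused
    return ("N_B", next(_counter))

def run(process, *args):       # a stuck process produces no output (None)
    try:
        return process(*args)
    except Stuck:
        return None

def recv_flawed(j, k_sj, msg2, msg3):
    """Recv(j) of the flawed protocol: nothing ties Message 2 to a fresh run."""
    x_a, x_key = case_decrypt(msg2, k_sj)
    z_a, z_cipher = msg3
    match(z_a, x_a)
    return ("F", x_a, j, case_decrypt(z_cipher, x_key))

def recv_repaired(j, k_sj, deliver, msg7):
    """Recv(j) repaired: deliver(N_B) models c_S<N_B> | c_j(y_cipher)."""
    n_b = fresh_nonce()
    x_s, x_a, x_b, x_key, y_nonce = case_decrypt(deliver(n_b), k_sj)
    match(x_s, "S"); match(x_b, j); match(y_nonce, n_b)
    z_a, z_cipher = msg7
    match(z_a, x_a)
    return ("F", x_a, j, case_decrypt(z_cipher, x_key))

def replay_demo():
    """Instance (1, 2, 'M') runs once, then its recorded messages are redelivered."""
    j, k_s2, k_ab = 2, "K_S2", "K_AB"                       # constructed names
    msg2, msg3 = enc((1, k_ab), k_s2), (1, enc("M", k_ab))  # Messages 2 and 3
    run(recv_flawed, j, k_s2, msg2, msg3)                   # honest delivery
    flawed_replay = run(recv_flawed, j, k_s2, msg2, msg3)   # same messages, accepted again
    recorded = {}                                           # what the network saw
    honest_server = lambda n_b: recorded.setdefault("msg6", enc(("S", 1, j, k_ab, n_b), k_s2))
    repaired_first = run(recv_repaired, j, k_s2, honest_server, msg3)
    repaired_replay = run(recv_repaired, j, k_s2, lambda _: recorded["msg6"], msg3)
    return flawed_replay, repaired_first, repaired_replay
```

The flawed receiver emits F(1, 2, M) for the redelivered messages as readily as for the originals, while the repaired receiver gets stuck at [y_nonce is N_B] because the recorded Message 6 carries the nonce of the earlier run.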
Conclusion
- Harder to write protocols, but very detailed. Its main advantage is its formal precision.
- May not be a good tool for finding flaws, but yields more convincing proofs of correctness.
- Protocols prone to attacks are developed without explicit specifications for an attacker; such precise treatments have not been done before.