The Spi Calculus. CSG 399 Lecture. The Spi Calculus p.1

Similar documents
CSG 399 Lecture. The Inductive Approach to Protocol Analysis p.1

How To Verify A Bluetooth Device Pairing With A Human Eye Oracle

Computational Soundness of Symbolic Security and Implicit Complexity

Towards the Correctness of Security Protocols

A Semantic Analysis of Wireless Network Security Protocols

Authenticity by Typing for Security Protocols

Security Protocols and their Properties

Modeling and verification of security protocols

Lecture 9 - Message Authentication Codes

Formal Modelling of Network Security Properties (Extended Abstract)

Victor Shoup Avi Rubin. Abstract

CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631

Solutions to Problem Set 1

Part 2 D(E(M, K),K ) E(M, K) E(M, K) Plaintext M. Plaintext M. Decrypt with private key. Encrypt with public key. Ciphertext

How to Formally Model Features of Network Security Protocols

MACs Message authentication and integrity. Table of contents

How to prove security of communication protocols?

E- Encryption in Unix

A Search-Based Framework for Security Protocol Synthesis

[Refer Slide Time: 05:10]

The Advantages of Automatic Protocol Creation

Authentication and Encryption: How to order them? Motivation

Chapter 3. Network Domain Security

Q: Why security protocols?

Lesson 4 Web Service Interface Definition (Part I)

Semantic Description of Distributed Business Processes

Chapter 16: Authentication in Distributed System

Formal Methods in Security Protocols Analysis

Formally-based semi-automatic implementation of an open security protocol

Lecture 25: Pairing-Based Cryptography

SECURITY IN NETWORKS

Digital Signatures. Prof. Zeph Grunschlag

A STRUCTURED APPROACH TO NETWORK SECURITY PROTOCOL IMPLEMENTATION

Mathematical Induction

Introduction. Digital Signature

CS 392/681 - Computer Security

Verifying security protocols using theorem provers

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Inductive Analysis of Security Protocols in Isabelle/HOL with Applications to Electronic Voting

TELE 301 Network Management. Lecture 18: Network Security

Discrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 2

VHDL Test Bench Tutorial

Attestation and Authentication Protocols Using the TPM

Adversary Modelling 1

Lecture 13 - Basic Number Theory.

Math 319 Problem Set #3 Solution 21 February 2002

Lecture 16 : Relations and Functions DRAFT

Le vote électronique : un défi pour la vérification formelle

Lecture 17: Re-encryption

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

A Generic Process Calculus Approach to Relaxed-Memory Consistency

Elements of Applied Cryptography. Key Distribution. Trusted third party: KDC, KTC Diffie-Helmann protocol The man-in-the-middle attack

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Understanding Digital Certificates and Wireless Transport Layer Security (WTLS)

A Framework for the Semantics of Behavioral Contracts

Likewise, we have contradictions: formulas that can only be false, e.g. (p p).

What is Protocol Analysis?

Take-home points. Distributed Systems Security II. Remember digital signatures. Today: Auth protocols

Security Protocols: Principles and Calculi Tutorial Notes

Operational Semantics of Security Protocols

Secure Sessions for Web Services

Practice Questions. CS161 Computer Security, Fall 2008

Observational Program Calculi and the Correctness of Translations

Verifying Second-Level Security Protocols

1 Construction of CCA-secure encryption

Lab 4.4 Secret Messages: Indexing, Arrays, and Iteration

Specification and Analysis of Contracts Lecture 1 Introduction

Automated Formal Analysis of a Protocol for Secure File Sharing on Untrusted Storage

An Overview of Common Adversary Models

CS 758: Cryptography / Network Security

Privacy-Preserving Smart Metering

Formal Verification for Software-Defined Networking

Electronic Voting Protocol Analysis with the Inductive Method

Simulation-Based Security with Inexhaustible Interactive Turing Machines

Security protocol verification by means of symbolic model checking.

1 Message Authentication

WHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT?

Revised Version of Chapter 23. We learned long ago how to solve linear congruences. ax c (mod m)

SCADA System Security, Complexity, and Security Proof

Cryptanalysis of a Partially Blind Signature Scheme or How to make $100 bills with $1 and $2 ones

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS

Universally Composable Symbolic Analysis of Diffie-Hellman based Key Exchange

Key Agreement from Close Secrets over Unsecured Channels Winter 2010

Capture Resilient ElGamal Signature Protocols

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

Ensuring Consistency in Long Running Transactions

CPS221 Lecture: Layered Network Architecture

Solution to Homework 2

Lecture 11: Tail Recursion; Continuations

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution.

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Rigorous Software Development CSCI-GA

ASPASyA: an Automated tool for Security Protocol Analysis based on a Symbolic Approach

Two Factor Zero Knowledge Proof Authentication System

Understanding Digital Certificates and Secure Sockets Layer (SSL)

SECURITY ANALYSIS OF NETWORK PROTOCOLS: COMPOSITIONAL REASONING AND COMPLEXITY-THEORETIC FOUNDATIONS

Formal/Computational Verification of Protocol Implementations by Typechecking

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

Transcription:

The Spi Calculus CSG 399 Lecture The Spi Calculus p.1

Recall CSP Model system as a CSP process A specification is a property of traces Often, can be represented as a process Spec Checking a specification: Spec P Every trace of P is a trace of Spec The Spi Calculus p.2

Abadi and Gordon s Approach Uses a different calculus of processes Based on the π calculus Philosophical alternative to CSP Offers different ways of specifying and verifying protocols AG use equivalence with obviously correct system The Spi Calculus p.3

The π Calculus Let us start by defining the π calculus Just a calculus for reasoning about concurrent systems As in CSP, notion of processes, which can be put in parallel Processes may communicate by sending values over channels Channels have a scope (which process knows which channel) But channel names can be sent to other processes Scope extrusion The Spi Calculus p.4

Syntax - Values First, let us define a syntax for terms that denote the values exchangeable between processes A term M, N is one of: Name n For channels, keys, nonces, primitive messages Pair (M, N) Variable (AG also talk about integers and arithmetic operations) The Spi Calculus p.5

Syntax - Processes We use a more readable syntax introduced in later papers on the spi calculus A process P is of the form: out M N; Q: send N on channel M, then behave as Q inp M (x); Q: receive a value on channel M, bind it to x in Q, then behave as Q P Q: P and Q executing in parallel new (n); Q: create new name n in the scope of Q The Spi Calculus p.6

Other Process Forms repeat Q: replicate Q match M is N; Q: proceed as Q if M and N are equal stop: do nothing and stops split M is (x, y); Q: split the pair M into x and y and behaves as Q The Spi Calculus p.7

Example new (c); new (d); new (M); (out c M; stop inp c (x); out d x; stop inp c (x); stop) The Spi Calculus p.8

Semantics The semantics of the π calculus is a relation P Q that gives one possible next step of the execution of P. Note that there can be many possible next steps Processes are nondeterministic The definition is in two steps Define when two processes are structurally equivalent Define the reaction relation P Q The Spi Calculus p.9

Reduction Relation P > Q P reduces immediately to Q repeat P > P repeat P match M is M; P > P split (M, N) is (x, y); P > P [M/x][N/y] P [M/x] : replace every free occurrence of x by M The Spi Calculus p.10

Structural Equivalence P Q P and Q are basically the same process P P P stop P P Q Q P P (Q R) (P Q) R new (m); new (n); P new (n); new (m); P new (n); stop stop new (n); (P Q) P new (n); Q, if n fn(p ) The Spi Calculus p.11

If P > Q then P Q If P Q then Q P If P Q and Q R then P R If P Q then P R Q R If P Q then new (n); P new (n); Q The Spi Calculus p.12

Reaction Relation P Q P can execute and become Q out m N; P inp m (x); Q P Q[N/x] If P P, Q Q, and P Q, then P Q If P P then P Q P Q If P P then new (n); P new (n); P P Q if P 1,..., P k with P P 1 P k Q The Spi Calculus p.13

The Spi Calculus - Terms Toss in the ability to encrypt messages (shared key) and that of decrypting messages. New term form: {M} N The Spi Calculus p.14

The Spi Calculus - Processes New process form: decrypt M is {x} N ;P Intuitively, try to decrypt M with key N If it succeeds, bind x to result and proceed with P If it fails, process is stuck Note that this embodies: Can only decrypt if you have the key There is enough redundancy to detect when decryption has succeeded The Spi Calculus p.15

The Wide Mouthed Frog protocol Two agents communicating without sharing a key A wants to send M to B A and B do not share keys A and B both share a key with a server S A S :{K AB } KAS S B :{K AB } KBS A B :{M} KAB The Spi Calculus p.16

Modeling Security Protocols Essentially like in CSP Write a process for each agent Put all the processes in parallel into a system Then, prove something of interest about the process The Spi Calculus p.17

Modeling WMF - Initiator INIT (M) = new (KAB); out net {KAB} KAS ; out net {M} KAB ; stop Assumes a channel net representing the network The Spi Calculus p.18

Modeling WMF - Server SERVER = repeat inp net (x); decrypt x is {y} KAS ; out net {y} KBS ; stop The Spi Calculus p.19

Modeling WMF - Receiver RESP = inp net (x); decrypt x is {y} KBS ; inp net (x); decrypt x is {z} y ; F (z) The Spi Calculus p.20

Modeling WMF - System SYS(M) = new (KAS); new (KBS); (INIT (M) RESP SERVER) If F does not contain free occurrences of KAS and KBS: SYS(M) F (M) Running the protocol can yield F (M) This is a sanity check: the protocol can make progress The Spi Calculus p.21

Specifying Secrecy Intuition: Message exchange is kept secret if the system exchanging message M is indistinguishable from the outside from the system exchanging message M Formally: Message exchanged is kept secret if for every M, M : If F (M) F (M ), then SYS(M) SYS(M ) The Spi Calculus p.22

Process Equivalence We want to define a notion of what it means for two processes to be indistinguishable (called equivalent) There are many possible choices, depending on what one means by equivalent A pastime in the process calculus world is to define notions of equivalences Different equivalences have different properties Some are easier to establish than others Structural equivalence is an equivalence Too fine Really just a form of syntactic equivalence The Spi Calculus p.23

Testing Equivalence AG use testing equivalence as the notion of equivalence Two processes are testing equivalent, written P Q, if they are indistinguishable to any other process No process R can distinguish: If it is running in parallel with P If it is running in parallel with Q The Spi Calculus p.24

Barbs Define a predicate describing the channels on which a process can communicate A barb β is an input or an output channel, where output channels are marked by a bar m P exhibits barb β, written P β, is defined by out m M; P m inp m (x); P m If P β then P Q β If P β and β {m, m}, then new (m); P β If P Q and Q β, then P β The Spi Calculus p.25

Tests We generalize to P may eventually exhibit barb β, written P β, by: If P β then P β If P Q and Q β, then P β A test is a closed process R and a barb β think, process R trying to see if the tested process can be made to exhibit barb β P Q if for all (R, β), (P R) β, then (Q R) β P Q if P Q and Q P The Spi Calculus p.26

Testing Equivalence is a Congruence One can check that testing equivalence has a nice property: If P and Q cannot be distinguished by a third process R in parallel, it turns out that P and Q can be used interchangeably in any context Formally: is a congruence If P Q, then C[P ] C[Q], when C[ ] is a closed context a closed process with a hole The Spi Calculus p.27

Specifying Authentication Intuition: The system where message M is exchanged using the protocol is indistinguishable from a system where message M magically makes it to the responder. The Spi Calculus p.28

The Specification System RESP (M) = inp net (x); decrypt x is {y} KBS ; inp net (x); decrypt x is {z} y ; F (M) SYS (M) = new (KAS); new (KBS); (INIT (M) RESP (M) SERVER) The Spi Calculus p.29

Formalizing Authentication Message is authenticated if for all M: SYS(M) SYS (M) The Spi Calculus p.30

Where s the Adversary? It is implicit in the model! All properties expressed as P Q P Q means no third process (the adversary) can make it so that something can be distinguished between P and Q Third process can intercept messages, decrypt them if he knows the key, take messages apart, send new messages, etc Thus, the third process can be thought of as an instance of a Dolev-Yao adversary The Spi Calculus p.31

Final Notes How do you check P Q? Prove it explicitly by applying definitions Develop a proof system for Define an equivalence that is easier to establish, that implies Alternative: Keep spi calculus as a language Use different specification and verification techniques Proverif (uses logic programming) Correspondence assertions (uses a type system) The Spi Calculus p.32

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information