SPi Calculus: Outline. What is it? Basic SPi Calculus Notation Basic Example Example with Channel Establishment Example using Cryptography

Transcription

1 SPi Calculus: Outline What is it? Basic SPi Calculus Notation Basic Example Example with Channel Establishment Example using Cryptography

2 SPi Calculus: What is it? SPi Calculus is an executable model for the description and analysis of cryptographic protocols Spi Calculus is an extension to Pi Calculus

3 SPi Calculus: Processes Spi Calculus is made up of Processes. When all the processes are combined we have a program or protocol.

4 SPi Calculus: Processes Processes are defined as follows: P (some action our process does) Where P is our process

5 SPi Calculus: Processes Processes can do many things They can create other processes They can send messages They can receive messages They can run other processes You can think of a process as the set of actions a principal takes (Alice, Bob, Malory etc.)

6 SPi Calculus: Processes When processes send or receive messages they do this over channels

7 SPi Calculus: Basic Definitions Channels A channel is a named communications medium Channels can be restricted so that only certain processes can communicate on them

8 SPi Calculus: Basic Definitions Channel Example: A B c AB Process A communicates to Process B through Channel AB

9 SPi Calculus: Basic Definitions Unfortunately we can t just say: Process A Listen on Channel AB for a Message M We have to use SPi Calculus Notation

10 Pi Calc: Basic Notation (1) Process Grammar-Output Sequential Operator The above is how we state Output the message M on Channel C and then run process P

11 Pi Calc: Basic Notation (2) Process Grammar-Input C(x).P Input the message x on the channel C and then run process P (P will have access to x)

12 Pi Calc: Basic Notation (3) Process Grammar-Composition P Q A composition P Q behaves as processes P and Q running in parallel. Each may interact with the other on channels known to both, or with the outside world, independently of the other.

13 Pi Calc: Basic Notation (4) Process Grammar-Restriction (vn)p A restriction (vn)p is a process that makes a new, private name n, and then behaves as P. (Note that n is restricted to P)

14 Pi Calc: Restriction Example C AB is restricted to process A and B (vc AB )(A B) A c AB B D Process D cannot use c AB

15 Pi Calc: Basic Example A basic example of a Protocol using the notation we just learned

16 * Pi Calc: Basic Example Principal A uses the channel AB to send a single message M to Principal B Principal A Channel AB Principal B Mother, MI come bearing a gift. I'll give you a hint: it's in my diaper and it's not a toaster.

17 Pi Calc: Basic Example (2) Principal A Channel AB Principal B M Message 1 A B: M on c AB

18 * A Pi Calc: Basic Example (3) B c AB M Output M on Channel AB A(M) Output Process (Principal A) Is Defined As

19 * A Pi Calc: Basic Example (4) c AB B A(M) M B Input Process (Principal B) Input x from Channel AB Apply F to x

20 Pi Calc: Basic Example (5) A B c AB M A(M) B Inst(M) Create Channel AB Run Process A & B in parallel

21 Basic Example Protocol Final (6) A(M) B Inst(M)

22 Pi Calc: Basic Example Properties 1)Authenticity (Integrity) 2)Secrecy We will show why the basic protocol has these properties using informal and then formal syntax

23 * Pi Calc: Authenticity (2) A(M)= B = Always M Inst(M) = Process B always applies the function F to The message M, that A sends. Why is that?

24 * Pi Calc: Authenticity (3) The restriction operator restricts the channel AB to principal A(M) and B The Channel AB is Secure Inst(M) Restriction on Channel AB Scope of the Restriction

25 Pi Calc: Authenticity (4) A(M)= B = Always M Inst(M) = Since only process A and B communicate on c AB, and the only thing being sent on that channel is M, F(x) is really always F(M)

26 Pi Calc: Authenticity (5) An attacker cannot cause B to apply F to some message other than M.

27 Pi Calc: Secrecy A(M)= B = Inst(M) = The message M cannot be read in transit from Principal A to Principal B (Since c AB is secure)

28 Pi Calc: Secrecy (2) A(M)= B = Inst(M) = If F does not reveal M, then the whole protocol does not reveal M

29 Pi Calc: Indistinguishability P Q The behaviors of process P and Q are indistinguishable

30 Pi Calc: Indistinguishability (2) P Q Internally P and Q might be different. However, a third process R cannot tell the different between running P and running Q.

31 Pi Calc: Secrecy (Formally) We can state the secrecy property using The concept of indistinguishability.

32 * Pi Calc: Secrecy (Formally) (2) If F does not reveal M, then the whole protocol does not reveal M If F(M) F(M') for all M and M', then Inst(M) Inst(M') F(M) F(M') = F does not reveal M Inst(M) Inst(M') = Protocol does not reveal M

33 Pi Calc: Authenticity (Formally) To formally show authenticity for our basic protocol we are going to compare the basic protocol to a specification.

34 * Pi Calc: Authenticity: Specification A(M)= B spec = Inst spec (M) = We need to show that our protocol behaves the same as the above specification. Inst(M) Inst spec (M)

35 Pi Calc: Authenticity Formally (Remember Informally: An attacker cannot cause B to apply F to some other message. ) B spec = B = Always M Are these two indistinguishable? Yes, because x is always M since the c AB is secure and M is the only thing sent on it.

36 Pi Calc:Properties To sum up Authenticity: Inst(M) Inst spec (M), for all M Secrecy: Inst(M) Inst(M') if F(M) F(M'), for all M and M'.

37 * Pi Calc: Channel Establishment C AS and C SB already exist S 1. Send New channel 2. Send New channel A 3. Data on New Channel B Wide Mouth Frog Protocol (Simplified)

38 Pi Calc: Channel Establishment (2) A S B Note: The Message Can be a Channel Message 1 A S: c AB on c AS Message 2 S B: c AB on c SB Message 3 A B: M on c AB

39 Pi Calc: Channel Establishment (3) S c AS c SB AB A M c AB B A(M) =

40 Pi Calc: Channel Establishment (4) S x c AS c SB x A c AB B S = c AB

41 Pi Calc: Channel Establishment (5) S AB AB A c AS c AB c SB B M B = c AB M M

42 Pi Calc: Channel Establishment (6) A(M) = S = B = Inst(M) =

43 Pi Calc: Channel Establishment Spec A(M) = S = B spec = Inst spec (M) =

44 Pi Calc: Channel Establishment Spec In our channel establishment protocol All three channels are secure.

45 Pi Calc: Authenticity and Secrecy Channel Establishment Protocol Authenticity: Inst(M) Inst spec (M), for all M Secrecy: Inst(M) Inst(M') if F(M) F(M'), for all M and M'.

46 * Pi Calc: Limitation 1 S AB c AS c SB AB A c AB B Sending Channels?

47 Pi Calc: Limitation 2 S c AS c SB A B We require that we have secure channels already established which is almost never The case in the real world.

48 SPi Calc: Encryption {M} K N Message M encrypted under key K

49 SPi Calc: Decryption case c of {m} k in P Attempt to decrypt cipher text c with key k resulting in plaintext m used by process P

50 SPi Calc: Cryptographic Ex. (1) S 1. New key K AB under K AS 2. New key K AB under K SB A 3. Data under new key K AB B Cryptographic Wide Mouth Frog Protocol (Simplified) 1) Uses Keys 2) Does not require secure channels

51 SPi Calc: Cryptographic Ex. (2) S 1 2 A 3 B Message 1 A S: {K AB } KAS on c AS Message 2 S B: {K AB } KSB on c SB Message 3 A B: {M} KAB on c AB

52 SPi Calc: Cryptographic Ex. (3) S c AS c SB K AB A {M} KAB c AB B A(M)= ( )

53 SPi Calc: Cryptographic Ex. (4) S y c AS c SB x A c AB B S =

54 SPi Calc: Cryptographic Ex. (5) S K AB c AS c SB y K AB A c AB B M wz B =

55 SPi Calc: Cryptographic Ex. (6) A(M)= ( ) S = B = Inst(M) =

56 SPi Calc: Ideal Protocol A(M)= ( ) S = B spec = Inst spec (M) =

57 SPi Calc: Ideal Protocol Ideal protocol once again has authenticity (Remember Informally: An attacker cannot cause B to apply F to some message other than M. ) B spec =

58 SPi Calc: Authenticity A(M)= ( ) Key AB is restricted Since K AB is restricted only A,B and S know K AB (A created it and sent it to B through S) Remember: S is trusted so no problem there

59 B = SPi Calc: Authenticity K AB F is only called when the decryption works. The decryption only works when w is encrypted with K AB. Therefore, F is only called when w is encrypted with K AB.

60 SPi Calc: Authenticity B = Always M K AB F is only called when w is encrypted with K AB. Since only A can send a message encrypted with K AB the only time F gets called is when A sends B a message.

61 SPi Calc: Authenticity So we can say an attacker cannot cause B to apply F to some message other than M Authenticity: Inst(M) Inst spec (M), for all M

62 SPi Calc: Secrecy Since the message is encrypted with the restricted K AB we know that as long as F does not reveal M then the whole protocol does not reveal M. Secrecy: Inst(M) Inst(M') if F(M) F(M'), for all M and M'.

63 SPi Calc: Problem In the previous cryptographic protocol we have a problem when the attacker is an active attacker. Why is that?

64 SPi Calc: Protocol Limitation Inst(M) = There is a problem here that has to do with the security of channel AB There is no restriction on Channel AB

65 SPi Calc: Protocol Limitation S A c AS c AB c SB B??? Q Not encrypted with K AB

66 SPi Calc: Protocol Limitation Next week we will present a better protocol written in Spi Calculus that can stand up to an active attacker.

67 SPi Calc: The End?