The Spi Calculus - PowerPoint PPT Presentation

1 / 21
About This Presentation
Title:

The Spi Calculus

Description:

Consider two principals A and B that share a key KAB with a public channel cAB. The protocol is simply that A sends a message M under KAB to B, on cAB. ... – PowerPoint PPT presentation

Number of Views:105
Avg rating:3.0/5.0
Slides: 22
Provided by: EEIL6
Category:
Tags: calculus | chan | spi

less

Transcript and Presenter's Notes

Title: The Spi Calculus


1
The Spi Calculus
  • A Calculus for Cryptographic Protocols
  • Presented By
  • Ramesh Yechangunja

2
Introduction
  • Developed by Martin Abadi and Andrew D.Gordon
    at the Systems Research Center, it is an
    extension of the Pi Calculus with cryptographic
    primitives designed for describing and analyzing
    cryptographic protocols.

3
Features
  • Reliance on the powerful scoping constructs of
    the pi calculus
  • Radical definition of the environment as an
    arbitrary spi calculus process
  • Representation of security properties, both
    integrity and secrecy, as equivalences

4
Basics
  • Channels may be restricted, so that only certain
    processes may communicate on them. (Similar to
    CSP)
  • The scope of the restriction may change during
    computation. This is termed scope extrusion.
    (Different from the earlier process calculi)

5
  • An output process aN.P is ready to output on
    channel a. If an interaction occurs, term N is
    communicated on a and then process P runs.
  • An input process a(x).P is ready to input from
    channel a. If an interaction occurs in which N is
    communicated on a, then process PN/x runs.

6
  • A composition PQ behaves as processes P and Q
    running in parallel.
  • A restriction (vn)P is a process that makes a
    new, private name n, and then behaves as P.
  • A pair splitting process let (x,y) M in P
    behaves as PN/xL/y if term M is the pair
    (N,L). Otherwise, the process is stuck.

7
In addition spi calculus introduces primitives
for shared-key cryptography
  • The term MN represents the ciphertext obtained
    by encrypting M under the key N.
  • The process case L of xN in P attempts to
    decrypt the term L with the key N. If L is a
    ciphertext of the form MN, then the process
    behaves as PM/x. Otherwise, the process is
    stuck.

8
A first cryptographic example
  • Consider two principals A and B that share a
    key KAB with a public channel cAB. The protocol
    is simply that A sends a message M under KAB to
    B, on cAB.
  • Message 1 A?B MKAB on cAB
  • In the spi calculus, we write
  • A(M) ? cAB MKAB

9
-
  • B ? cAB(x).case x of yKAB in F(y)
  • Inst(M) ? (vK)(A(M)B)
  • Security properties are expressed as
    equivalences. We use the following specification
  • A(M) ? cAB MKAB
  • Bspec(M) ? cAB(x).case x of yKAB in F(M)
  • Instspec(M) ? (vKAB)(A(M)Bspec(M))

10
-
  • We obtain the properties
  • Authenticity Inst(M) ? Instspec(M), for all M
  • Secrecy Inst(M) ? Inst(M) if F(M) ? F(M),
  • for all
    M,M

11
An example with key establishment
  • We consider the Wide Mouthed Frog protocol.
  • 1. New key KAB under KAS
    2. New key KAB
    under KSB

  • 3.data under new key KAB

S
A
B
12
The protocol is
  • Message 1 A?S KABKAS on cAS
  • Message 2 S?B KABKSB on cSB
  • Message 3 A?B MKAB on cAB
  • In the spi calculus, we can express it as
  • A(M) ? (vKAB)( cAS KABKAS . cAB MKAB
    )
  • S ? cAS(x).case x of yKAS in cSB
    yKSB
  • B ? cSB(x).case x of yKSB in
  • cAB(z).case z of wy in F(w)
  • Inst(M) ? (vKAS) (vKSB)( A(M)SB)

13
A complete authentication example ( with a flaw)
  • Consider a system with a server and n other
    principals. Each principal has an input channel
    which is public, namely, C1, C2,,Cn and Cs. The
    server shares a pair of keys with each other
    principal, Ksi and Kis.
  • We extend the previous example to this n1
    principals
  • Message 1 A?S A,B,KABKAS on cS
  • Message 2 S?B A,KABKSB on cB
  • Message 3 A?B A,MKAB on cB

14
-
  • An instance of the protocol is determined by a
    choice of parties and by the message sent i.e. an
    instance I is the triple (i,j,M).
  • i source address
  • j - destination address
  • Given an instance (i,j,M), the following process
    corresponds to role of A
  • Send(i,j,M) ? (vK)(cS (i,j,KKiS ) cj
    (i,MK))
  • The following process corresponds to the role of
    B
  • Recv(j) ? cj(ycipher).case ycipher of
    xA,xkeyKSj in
  • cj(zA,zcipher).xA, zA
  • case zcipher of zplain xkey
    in F(xA,j, zplain)

15
-
  • The server S is the same for all instances
  • S ? cj(xA,xcipher).
  • ?i?1..nxA is i case xcipher of
    xB,xkeyKiS in
  • ?j?1..nxB is j cj xA,xkeyKS j
  • where ?i?1..k Pi is the k-way composition
  • P1 Pk
  • Finally we define a whole system,
    parameterized on a list of instances of the
    protocol
  • Sys(I1,, Im) ? (vKsi )(vKis)
  • (Send(I1)
    Send(Im)
  • !S
  • !Recv(1)
    !Recv(n) )

16
-
  • Unfortunately, the protocol is vulnerable to a
    replay attack that invalidates the authenticity.
    An attacker can replay messages of one instance
    and get them mistaken for messages of the other
    instance.

17
A complete authentication example (repaired)
  • The previous protocol is improved by adding
    nonce handshakes as protection against replay
    attacks.
  • The new protocol is
  • Message 1 A?S A
    on cS
  • Message 2 S?A NS
    on cA
  • Message 3 A?S A,A,A,B,KAB, NS KAS on cS
  • Message 4 S?B
    on cB
  • Message 5 B?S NB
    on cS
  • Message 6 S?B S,A,B,KAB, NB KS B on
    cB
  • Message 7 A?B A,M KAB
    on cB

18
-
  • In spi calculus, nonces are represented as
    newly created names.
  • Send(i,j,M) ? cS i
  • ci (xnonce).
  • (vK)(cS (i,i,i,j,K,xnonceKiS
    ) cj (i,MK))
  • S ? cS(xA). ?i?1..nxA is i (vNS)
    (ci NS
  • cS(xA,xcipher).xA is i
  • case xcipher of yA,zA, xB,
    xkey, xnonceKiS in
  • ?j?1..nyA is izA is ixB
    is jxnonce is NS
  • (cj cS (ynonce). cj
    S,i,j, xkey,ynonceKS j ))

19
-
  • Recv(j) ? cj(w). (vNB) (cS NB
  • cj(ycipher).
  • case ycipher of xS, xA, xB,
    xkey,ynonce KS j in
  • ?j?1..nxS is SxA is ixB
    is jynonce is NB
  • cj(zA,zcipher). zA is xA
  • case zcipher of zplain
    xkey in F(i,j, zplain))
  • Sys(I1,, Im) ? (vKsi )(vKis)
  • (Send(I1) Send(Im)
  • !S
  • !Recv(1) !Recv(n) )

20
-
  • The authenticity property is obtained
  • Sys(I1,, Im) ? Sysspec(I1,, Im)
  • for any instances
    I1,, Im
  • This holds good because of the nonces.
  • Secrecy Sys(I1,, Im) ? Sysspec(J1,, Jm)
  • if each pair (I1, J1 ),
    (Im, Jm) is
  • indistinguishable.




21
Conclusion
  • Harder to write protocols but very detailed.
  • Main advantage is its formal precision
  • May not be a good tool for finding flaws but
    yields more convincing proofs of correctness
  • Protocols prone to attacks are developed without
    explicit specifications for an attacker. Such
    precise treatments have not been done before.
Write a Comment
User Comments (0)
About PowerShow.com