security in process calculi
Embed Size (px)
DESCRIPTION
CS 259. Security in Process Calculi . Vitaly Shmatikov. Overview. Pi calculus Core language for parallel programming Modeling security via name scoping Applied pi calculus Modeling cryptographic primitives with functions and equational theories Equivalencebased notions of security  PowerPoint PPT PresentationTRANSCRIPT

Security in Process Calculi Vitaly ShmatikovCS 259

OverviewPi calculusCore language for parallel programmingModeling security via name scopingApplied pi calculusModeling cryptographic primitives with functions and equational theoriesEquivalencebased notions of securityA little bit of operational semanticsSecurity as testing equivalence

Pi CalculusFundamental language for concurrent systemsHighlevel mathematical model of parallel processesThe core of concurrent programming languagesBy comparison, lambdacalculus is the core of functional programming languagesMobility is a basic primitive Basic computational step is the transfer of a communication link between two processesInterconnections between processes change as they communicateCan be used as a general programming language[Milner et al.]

A Little Bit of History1980: Calculus of Communicating Systems (CCS)1992: Pi Calculus[Milner, Parrow, Walker]Ability to pass channel names between processes1998: Spi Calculus[Abadi, Gordon]Adds cryptographic primitives to pi calculusSecurity modeled as scopingEquivalencebased specification of security propertiesConnection with computational models of cryptography2001: Applied Pi Calculus[Abadi, Fournet]Generic functions, including crypto primitives[Milner]

Pi Calculus SyntaxTermsM, N ::= x variables n namesProcessesP,Q ::= nil empty process N.P send term N on channel u u(x).P receive term from channel P and assign to x !P replicate process P PQ run processes P and Q in parallel (n)P restrict name n to process PLet u range overnames and variables}

Modeling Secrecy with ScopingA sends M to B over secure channel cA(M) = cM B = c(x).nilP(M) = (c)(A(M)B)ABMchannel cThis restriction ensures that channel c is invisible to any process except A and B(other processes dont know name c)

Secrecy as EquivalenceP(M) and P(M) are equivalent for any values of M and MNo attacker can distinguish P(M) and P(M)Different notions of equivalenceTesting equivalence or observational congruenceIndistinguishability by any probabilistic polynomialtime Turing machine
A(M) = cM B = c(x).nilP(M) = (c)(A(M)B)Without (c), attacker could run process c(x) and tell the differencebetween P(M) and P(M)

Another Formulation of SecrecyNo attacker can learn name n from P(n)Let Q be an arbitrary attacker process, and suppose it runs in parallel with P(n)For any process Q in which n does not occur free, P(n)  Q will never output nA(M) = cM B = c(x).nilP(M) = (c)(A(M)B)

Modeling Authentication with ScopingA sends M to B over secure channel cB announces received value on public channel d
A(M) = cM B = c(x).dxP(M) = (c)(A(M)B)ABMchannel cMchannel d

Specifying AuthenticationFor any value of M, if B outputs M on channel d, then A previously sent M on channel cA(M) = cM B = c(x).dxP(M) = (c)(A(M)B)

A Key Establishment ProtocolA and B have preestablished pairwise keys with server SModel these keys as names of preexisting communication channelsA creates a new key and sends it to S, who forwards it to BModel this as creation of a new channel nameA sends M to B encrypted with the new key, B outputs M
ABSCASCSBCreate newchannel CABSend name CABSend name CABSend data on CABMchannel dM

Key Establishment in Pi CalculusABSCASCSBCreate newchannel CABSend name CABSend name CABSend data on CABMchannel dMA(M) = (cAB) S = cAS(x).cSBx B = cSB(x)P(M) = (cAS)(cSB)(A(M)BS)_______Note communication on a channelwith a dynamically generated name.cABMcAScAB.x(y).dy

Applied Pi CalculusIn pi calculus, channels are the only primitiveThis is enough to model some forms of securityName of a communication channel can be viewed as an encryption key for traffic on that channelA process that doesnt know the name cant access the channelChannel names can be passed between processesUseful for modeling key establishment protocolsTo simplify protocol specification, applied pi calculus adds functions to pi calculusCrypto primitives modeled by functions and equations

Applied Pi Calculus: Terms
M, N ::= x Variable  nName f(M1,...,Mk)Function application
Standard functionspair(), encrypt(), hash(), Simple type system for termsInteger, Key, ChannelInteger, ChannelKey

Applied Pi Calculus: Processes
P,Q ::= nil empty process N.P send term N on channel u u(x).P receive from channel P and assign to x !P replicate process P PQ run processes P and Q in parallel (n)P restrict name n to process P if M = N conditional then P else Q

Modeling Crypto with FunctionsIntroduce special function symbols to model cryptographic primitivesEquational theory models cryptographic propertiesPairingFunctions pair, first, second with equations:first(pair(x,y)) = xsecond(pair(x,y)) = ySymmetrickey encryptionFunctions symenc, symdec with equation:symdec(symenc(x,k),k)=x

More Equational TheoriesPublickey encryptionFunctions pk,sk generate public/private key pair pk(x),sk(x) from a random seed xFunctions pdec,penc model encryption and decryption with equation:pdec(penc(y,pk(x)),sk(x)) = yCan also model probabilistic encryption: pdec(penc(y,pk(x),z),sk(x)) = y HashingUnary function hash with no equationshash(M) models applying a oneway function to term MModels random salt (necessary for semantic security)

Yet More Equational TheoriesPublickey digital signaturesAs before, functions pk,sk generate public/private key pair pk(x),sk(x) from a random seed xFunctions sign,verify model signing and verification with equation:verify(y,sign(y,sk(x)),pk(x)) = yXORModel selfcancellation property with equation:xor(xor(x,y),y) = xCan also model properties of cyclic redundancy codes:crc(xor(x,y)) = xor(crc(x),crc(y))

Dynamically Generated DataUse builtin name generation capability of pi calculus to model creation of new keys and nonces
A(M) = c(M,s) B = c(x).if second(x)=s then dfirst(x)P(M) = (s)(A(M)B)AB(M,s)channel cMchannel dModels creation of fresh capability every time A and B communicatecapability s maybe intercepted!

Better Protocol with CapabilitiesA(M) = c(M,hash(s,M)) B = c(x).if second(x)= hash(s,first(x)) then dfirst(x)P(M) = (s)(A(M)B)AB(M,hash(s,M))channel cMchannel dHashing protects integrity of M and secrecy of s

Proving SecurityReal protocolProcesscalculus specification of the actual protocolIdeal protocol Achieves the same goal as the real protocol, but is secure by designUses unrealistic mechanisms, e.g., private channelsRepresents the desired behavior of real protocolTo prove the real protocol secure, show that no attacker can tell the difference between the real protocol and the ideal protocolProof will depend on the model of attacker observations

Example: ChallengeResponseChallengeresponse protocolA B{i}kB A{i+1}k
This protocol is secure if it is indistinguishable from this ideal protocolA B{random1}kB A{random2}k

Example: AuthenticationAuthentication protocolA B{i}kB A{i+1}kA BOkThis protocol is secure if it is indistinguishable from this ideal protocolA B{random1}kB A{random2}kB A random1, random2 on a magic secure channelA BOk if numbers on real & magic channels match

Security as Observational EquivalenceNeed to prove that two processes are observationally equivalent to the attackerComplexitytheoretic modelProve that two systems cannot be distinguished by any probabilistic polynomialtime adversary[Beaver 91, GoldwasserLevin 90, MicaliRogaway 91]Abstract processcalculus modelCryptography is modeled by abstract functionsProve testing equivalence between two processesProofs are easier, but it is nontrivial to show computational completeness [AbadiRogaway 00]

Structural Equivalence P  nil P P  Q Q  PP  (Q  R) (P  Q)  R!P P  !P(m) (n)P (n) (m)P (n)nil nil(n)(P  Q) P  (n)Q if n is not a free name in P P[M/x] P[N/x] if M=N in the equational theory

Operational SemanticsReduction is the smallest relation on closed processes that is closed by structural equivalence and application of evaluation contexts such that M.P  a(x).Q P  Q[M/x]models P sending M to Q on channel aif M = M then P else Q Pif M = N then P else Q Qfor any ground M, N s.t. M N in the equational theory

Equivalence in Process CalculusStandard processcalculus notions of equivalence such as bisimulation are not adequate for cryptographic protocolsDifferent ciphertexts leak no information to the attacker who does not know the decryption keys(k)csymenc(M,k) and (k)csymenc(N,k) send different messages, but they should be treated as equivalent when proving securityIn each case, a term is encrypted under a fresh keyNo test by the attacker can tell these apart

Testing EquivalenceInformally, two processes are equivalent if no environment can distinguish themA test is a process R and channel name wInformally, R is the environment and w is the channel on which the outcome of the test is announcedA process P passes a test (R,w) if P  R may produce an output on channel wThere is an interleaving of P and R that results in R being able to perform the desired testTwo processes are equivalent if they pass the same tests

Advantages and DisadvantagesProving testing equivalence is hardNeed to quantify over all possible attacker processes and all tests they may performThere are some helpful proof techniques, but no fully automated tools and very few decision proceduresTesting equivalence is a congruenceCan compose protocols like building blocksEquivalence is the right notion of securityDirect connection with definitions of security in complexitytheoretic cryptographyContrast this with invariant and tracebased definitions

BibliographyRobin Milner. Communication and Concurrency. PrenticeHall, 1989.Calculus of communicating systems (CCS)Robin Milner. Communicating and Mobile Systems: the Calculus. Cambridge University Press, 1999.Pi calculusMartin Abadi and Andrew Gordon. A calculus for cryptographic protocols: the spicalculus. Information and Computation 148(1), 1999.Spi calculusMartin Abadi and Cedric Fournet. Mobile values, new names, and secure communication. POPL 2001.Applied pi calculusMartin Abadi and Phillip Rogaway. Reconciling two views of cryptography. Journal of Cryptology 15(2), 2002.On equivalence of complexitytheoretic and processcalculus models