security in process calculi

Security in Process Calculi Vitaly ShmatikovCS 259

OverviewPi calculusCore language for parallel programmingModeling security via name scopingApplied pi calculusModeling cryptographic primitives with functions and equational theoriesEquivalence-based notions of securityA little bit of operational semanticsSecurity as testing equivalence

Pi CalculusFundamental language for concurrent systemsHigh-level mathematical model of parallel processesThe core of concurrent programming languagesBy comparison, lambda-calculus is the core of functional programming languagesMobility is a basic primitive Basic computational step is the transfer of a communication link between two processesInterconnections between processes change as they communicateCan be used as a general programming language[Milner et al.]

A Little Bit of History1980: Calculus of Communicating Systems (CCS)1992: Pi Calculus[Milner, Parrow, Walker]Ability to pass channel names between processes1998: Spi Calculus[Abadi, Gordon]Adds cryptographic primitives to pi calculusSecurity modeled as scopingEquivalence-based specification of security propertiesConnection with computational models of cryptography2001: Applied Pi Calculus[Abadi, Fournet]Generic functions, including crypto primitives[Milner]

Pi Calculus SyntaxTermsM, N ::= x variables| n namesProcessesP,Q ::= nil empty process| N.P send term N on channel u| u(x).P receive term from channel P and assign to x| !P replicate process P| P|Q run processes P and Q in parallel| (n)P restrict name n to process PLet u range overnames and variables}

Modeling Secrecy with ScopingA sends M to B over secure channel cA(M) = cM B = c(x).nilP(M) = (c)(A(M)|B)ABMchannel cThis restriction ensures that channel c is invisible to any process except A and B(other processes dont know name c)-

Secrecy as EquivalenceP(M) and P(M) are equivalent for any values of M and MNo attacker can distinguish P(M) and P(M)Different notions of equivalenceTesting equivalence or observational congruenceIndistinguishability by any probabilistic polynomial-time Turing machine

A(M) = cM B = c(x).nilP(M) = (c)(A(M)|B)Without (c), attacker could run process c(x) and tell the differencebetween P(M) and P(M)-

Another Formulation of SecrecyNo attacker can learn name n from P(n)Let Q be an arbitrary attacker process, and suppose it runs in parallel with P(n)For any process Q in which n does not occur free, P(n) | Q will never output nA(M) = cM B = c(x).nilP(M) = (c)(A(M)|B)-

Modeling Authentication with ScopingA sends M to B over secure channel cB announces received value on public channel d

A(M) = cM B = c(x).dxP(M) = (c)(A(M)|B)ABMchannel c-Mchannel d-

Specifying AuthenticationFor any value of M, if B outputs M on channel d, then A previously sent M on channel cA(M) = cM B = c(x).dxP(M) = (c)(A(M)|B)--

A Key Establishment ProtocolA and B have pre-established pairwise keys with server SModel these keys as names of pre-existing communication channelsA creates a new key and sends it to S, who forwards it to BModel this as creation of a new channel nameA sends M to B encrypted with the new key, B outputs M

ABSCASCSBCreate newchannel CABSend name CABSend name CABSend data on CABMchannel dM

Key Establishment in Pi CalculusABSCASCSBCreate newchannel CABSend name CABSend name CABSend data on CABMchannel dMA(M) = (cAB) S = cAS(x).cSBx B = cSB(x)P(M) = (cAS)(cSB)(A(M)|B|S)_______Note communication on a channelwith a dynamically generated name.cABMcAScAB.x(y).dy

Applied Pi CalculusIn pi calculus, channels are the only primitiveThis is enough to model some forms of securityName of a communication channel can be viewed as an encryption key for traffic on that channelA process that doesnt know the name cant access the channelChannel names can be passed between processesUseful for modeling key establishment protocolsTo simplify protocol specification, applied pi calculus adds functions to pi calculusCrypto primitives modeled by functions and equations

Applied Pi Calculus: Terms

M, N ::= x Variable | nName| f(M1,...,Mk)Function application

Standard functionspair(), encrypt(), hash(), Simple type system for termsInteger, Key, ChannelInteger, ChannelKey

Modeling Crypto with FunctionsIntroduce special function symbols to model cryptographic primitivesEquational theory models cryptographic propertiesPairingFunctions pair, first, second with equations:first(pair(x,y)) = xsecond(pair(x,y)) = ySymmetric-key encryptionFunctions symenc, symdec with equation:symdec(symenc(x,k),k)=x

More Equational TheoriesPublic-key encryptionFunctions pk,sk generate public/private key pair pk(x),sk(x) from a random seed xFunctions pdec,penc model encryption and decryption with equation:pdec(penc(y,pk(x)),sk(x)) = yCan also model probabilistic encryption: pdec(penc(y,pk(x),z),sk(x)) = y HashingUnary function hash with no equationshash(M) models applying a one-way function to term MModels random salt (necessary for semantic security)

Yet More Equational TheoriesPublic-key digital signaturesAs before, functions pk,sk generate public/private key pair pk(x),sk(x) from a random seed xFunctions sign,verify model signing and verification with equation:verify(y,sign(y,sk(x)),pk(x)) = yXORModel self-cancellation property with equation:xor(xor(x,y),y) = xCan also model properties of cyclic redundancy codes:crc(xor(x,y)) = xor(crc(x),crc(y))

Dynamically Generated DataUse built-in name generation capability of pi calculus to model creation of new keys and nonces

A(M) = c(M,s) B = c(x).if second(x)=s then dfirst(x)P(M) = (s)(A(M)|B)AB(M,s)channel c-Mchannel d-Models creation of fresh capability every time A and B communicatecapability s maybe intercepted!

Better Protocol with CapabilitiesA(M) = c(M,hash(s,M)) B = c(x).if second(x)= hash(s,first(x)) then dfirst(x)P(M) = (s)(A(M)|B)AB(M,hash(s,M))channel c-Mchannel d-Hashing protects integrity of M and secrecy of s

Proving SecurityReal protocolProcess-calculus specification of the actual protocolIdeal protocol Achieves the same goal as the real protocol, but is secure by designUses unrealistic mechanisms, e.g., private channelsRepresents the desired behavior of real protocolTo prove the real protocol secure, show that no attacker can tell the difference between the real protocol and the ideal protocolProof will depend on the model of attacker observations

Example: Challenge-ResponseChallenge-response protocolA B{i}kB A{i+1}k

This protocol is secure if it is indistinguishable from this ideal protocolA B{random1}kB A{random2}k

Example: AuthenticationAuthentication protocolA B{i}kB A{i+1}kA BOkThis protocol is secure if it is indistinguishable from this ideal protocolA B{random1}kB A{random2}kB A random1, random2 on a magic secure channelA BOk if numbers on real & magic channels match

Security as Observational EquivalenceNeed to prove that two processes are observationally equivalent to the attackerComplexity-theoretic modelProve that two systems cannot be distinguished by any probabilistic polynomial-time adversary[Beaver 91, Goldwasser-Levin 90, Micali-Rogaway 91]Abstract process-calculus modelCryptography is modeled by abstract functionsProve testing equivalence between two processesProofs are easier, but it is nontrivial to show computational completeness [Abadi-Rogaway 00]

Structural Equivalence P | nil P P | Q Q | PP | (Q | R) (P | Q) | R!P P | !P(m) (n)P (n) (m)P (n)nil nil(n)(P | Q) P | (n)Q if n is not a free name in P P[M/x] P[N/x] if M=N in the equational theory

Operational SemanticsReduction is the smallest relation on closed processes that is closed by structural equivalence and application of evaluation contexts such that M.P | a(x).Q P | Q[M/x]models P sending M to Q on channel aif M = M then P else Q Pif M = N then P else Q Qfor any ground M, N s.t. M N in the equational theory

Equivalence in Process CalculusStandard process-calculus notions of equivalence such as bisimulation are not adequate for cryptographic protocolsDifferent ciphertexts leak no information to the attacker who does not know the decryption keys(k)csymenc(M,k) and (k)csymenc(N,k) send different messages, but they should be treated as equivalent when proving securityIn each case, a term is encrypted under a fresh keyNo test by the attacker can tell these apart--

Testing EquivalenceInformally, two processes are equivalent if no environment can distinguish themA test is a process R and channel name wInformally, R is the environment and w is the channel on which the outcome of the test is announcedA process P passes a test (R,w) if P | R may produce an output on channel wThere is an interleaving of P and R that results in R being able to perform the desired testTwo processes are equivalent if they pass the same tests

Advantages and DisadvantagesProving testing equivalence is hardNeed to quantify over all possible attacker processes and all tests they may performThere are some helpful proof techniques, but no fully automated tools and very few decision proceduresTesting equivalence is a congruenceCan compose protocols like building blocksEquivalence is the right notion of securityDirect connection with definitions of security in complexity-theoretic cryptographyContrast this with invariant- and trace-based definitions

BibliographyRobin Milner. Communication and Concurrency. Prentice-Hall, 1989.Calculus of communicating systems (CCS)Robin Milner. Communicating and Mobile Systems: the -Calculus. Cambridge University Press, 1999.Pi calculusMartin Abadi and Andrew Gordon. A calculus for cryptographic protocols: the spi-calculus. Information and Computation 148(1), 1999.Spi calculusMartin Abadi and Cedric Fournet. Mobile values, new names, and secure communication. POPL 2001.Applied pi calculusMartin Abadi and Phillip Rogaway. Reconciling two views of cryptography. Journal of Cryptology 15(2), 2002.On equivalence of complexity-theoretic and process-calculus models