Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security in Process Calculi CS 395T. Overview uPi calculus Core language for parallel programming Modeling security via name scoping uApplied pi calculus.

Published byErika Alexander Modified over 8 years ago

Similar presentations

Presentation on theme: "Security in Process Calculi CS 395T. Overview uPi calculus Core language for parallel programming Modeling security via name scoping uApplied pi calculus."— Presentation transcript:

1 Security in Process Calculi CS 395T

2 Overview uPi calculus Core language for parallel programming Modeling security via name scoping uApplied pi calculus Modeling cryptographic primitives with functions and equational theories Equivalence-based notions of security A little bit of operational semantics Security as testing equivalence

3 Pi Calculus uFundamental language for concurrent systems High-level mathematical model of parallel processes The “core” of concurrent programming languages By comparison, lambda-calculus is the “core” of functional programming languages uMobility is a basic primitive Basic computational step is the transfer of a communication link between two processes Interconnections between processes change as they communicate uCan be used as a general programming language [Milner et al.]

4 A Little Bit of History u1980: Calculus of communicating systems (CCS) u1992: Pi calculus [Milner, Parrow, Walker] Ability to pass channel names between processes u1998: Spi calculus [Abadi, Gordon] Adds cryptographic primitives to pi calculus Security modeled as scoping Equivalence-based specification of security properties Connection with computational models of cryptography u2001: Applied pi calculus [Abadi, Fournet] Generic functions, including crypto primitives [Milner]

5 Pi Calculus Syntax uTerms M, N ::= x variables | n names uProcesses P,Q ::= nil empty process | ū  N .P send term N on channel u | u(x).P receive term from channel P and assign to x | !P replicate process P | P|Q run processes P and Q in parallel | ( n)P restrict name n to process P Let u range over names and variables }

6 Modeling Secrecy with Scoping A(M) = c  M  B = c(x).nil P(M) = ( c)(A(M)|B) AB M channel c uA sends M to B over secure channel c This restriction ensures that channel c is “invisible” to any process except A and B (other processes don’t know name c) -

7 Secrecy as Equivalence A(M) = c  M .nil B = c(x).nil P(M) = ( c)(A(M)|B) Without ( c), attacker could run process c(x) and tell the difference between P(M) and P(M’) - uP(M) and P(M’) are “equivalent” for any values of M and M’ No attacker can distinguish P(M) and P(M’) uDifferent notions of “equivalence” Testing equivalence or observational congruence Indistinguishability by any probabilistic polynomial- time Turing machine

8 Another Formulation of Secrecy A(M) = c  M .nil B = c(x).nil P(M) = ( c)(A(M)|B) - uNo attacker can learn name n from P(n) Let Q be an arbitrary attacker process, and suppose it runs in parallel with P(n) Specification of secrecy: For any process Q in which n does not occur free, P(n) | Q will never output n

9 Modeling Authentication with Scoping A(M) = c  M  B = c(x).d  x  P(M) = ( c)(A(M)|B) AB M channel c uA sends M to B over secure channel c uB announces received value on public channel d - M channel d -

10 Specifying Authentication A(M) = c  M  B = c(x).d  x  P(M) = ( c)(A(M)|B) - uSpecification of authentication: For any value of M, if B outputs M on channel d, then A previously sent M on channel c -

11 A Key Establishment Protocol AB S 1.A and B have pre-established pairwise keys with server S uModel these keys as names of pre-existing communication channels C AS C SB Create new channel C AB Send name C AB M channel d Send data on C AB M 3.A sends M to B encrypted with the new key, B outputs M 2.A creates a new key and sends it to S, who forwards it to B uModel this as creation of a new channel name

12 A(M) = S = B = P(M) = ( c AS )( c SB )(A(M)|B|S).c SB  x  c SB (x) __ Note communication on a channel with a dynamically generated name Key Establishment in Pi Calculus AB S C AS C SB Send name C AB M channel d Send data on C AB M.dy.dy _ Create new channel C AB ( c AB ) c AS  c AB  __ c AS (x).c AB  M  __.x(y).x(y)

13 Applied Pi Calculus uIn pi calculus, channels are the only primitive uThis is enough to model some forms of security Name of a communication channel can be viewed as an “encryption key” for traffic on that channel –A process that doesn’t know the name can’t access the channel Channel names can be passed between processes –Useful for modeling key establishment protocols uTo simplify protocol specification, applied pi calculus adds functions to pi calculus Crypto primitives modeled by functions and equations

14 Applied Pi Calculus: Terms M, N ::= x Variable | n Name | f(M 1,...,M k ) Function application uStandard functions pair(), encrypt(), hash(), … uSimple type system for terms Integer, Key, Channel  Integer , Channel  Key 

15 Applied Pi Calculus: Processes P,Q ::= nil empty process | ū  N .P send term N on channel u | u(x).P receive from channel P and assign to x | !P replicate process P | P|Q run processes P and Q in parallel | ( n)P restrict name n to process P | if M = N conditional then P else Q

16 Modeling Crypto with Functions uIntroduce special function symbols to model cryptographic primitives uEquational theory models cryptographic properties uPairing Functions pair, first, second with equations: first(pair(x,y)) = x second(pair(x,y)) = y uSymmetric-key encryption Functions symenc, symdec with equation: symdec(symenc(x,k),k)=x

17 More Equational Theories uPublic-key encryption Functions pk,sk generate public/private key pair pk(x),sk(x) from a random seed x Functions pdec,penc model encryption and decryption with equation: pdec(penc(y,pk(x)),sk(x)) = y Can also model “probabilistic” encryption: pdec(penc(y,pk(x),z),sk(x)) = y uHashing Unary function hash with no equations hash(M) models applying a one-way function to term M Models random salt (necessary for semantic security)

18 Yet More Equational Theories uPublic-key digital signatures As before, functions pk,sk generate public/private key pair pk(x),sk(x) from a random seed x Functions sign,verify model signing and verification with equation: verify(y,sign(y,sk(x)),pk(x)) = y uXOR Model self-cancellation property with equation: xor(xor(x,y),y) = x Can also model properties of cyclic redundancy codes: crc(xor(x,y)) = xor(crc(x),crc(y))

19 Dynamically Generated Data A(M) = c  (M,s)  B = c(x).if second(x)=s then d  first(x)  P(M) = ( s)(A(M)|B) AB (M,s) channel c uUse built-in name generation capability of pi calculus to model creation of new keys and nonces - M channel d - Models creation of fresh capability every time A and B communicate capability s may be intercepted!

20 Better Protocol with Capabilities A(M) = c  (M,hash(s,M))  B = c(x).if second(x)= hash(s,first(x)) then d  first(x)  P(M) = ( s)(A(M)|B) AB (M,hash(s,M)) channel c - M channel d - Hashing protects integrity of M and secrecy of s

Download ppt "Security in Process Calculi CS 395T. Overview uPi calculus Core language for parallel programming Modeling security via name scoping uApplied pi calculus."

Similar presentations

07/09/2014 Agay Spring School, March'02 Mobility 2 : Mobile Values Cédric Fournet Microsoft Research Cambridge (joint work with Martin Abadi)

07/09/2014 Agay Spring School, March'02 Mobility 2 : Mobile Values Cédric Fournet Microsoft Research Cambridge (joint work with Martin Abadi)
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Programming Paradigms for Concurrency Lecture 11 Part III – Message Passing Concurrency TexPoint fonts used in EMF. Read the TexPoint manual before you.

Programming Paradigms for Concurrency Lecture 11 Part III – Message Passing Concurrency TexPoint fonts used in EMF. Read the TexPoint manual before you.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Course on Probabilistic Methods in Concurrency (Concurrent Languages for Probabilistic Asynchronous Communication) Lecture 1 The pi-calculus and the asynchronous.

Course on Probabilistic Methods in Concurrency (Concurrent Languages for Probabilistic Asynchronous Communication) Lecture 1 The pi-calculus and the asynchronous.
IPsec – IKE CS 470 Introduction to Applied Cryptography

IPsec – IKE CS 470 Introduction to Applied Cryptography
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
Real-Time Authentication Using Digital Signature Schema Marissa Hollingsworth BOISECRYPT ‘09.

Real-Time Authentication Using Digital Signature Schema Marissa Hollingsworth BOISECRYPT ‘09.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
Block Ciphers: Workhorses of Cryptography COMP 1721 A Winter 2004.

Block Ciphers: Workhorses of Cryptography COMP 1721 A Winter 2004.
Formal Verification of Security Protocols – an Introduction Mads Dam KTH/CSC ACCESS – distributed management group.

Formal Verification of Security Protocols – an Introduction Mads Dam KTH/CSC ACCESS – distributed management group.
Security Chapters 14,15. The Security Environment Threats Security goals and threats.

Security Chapters 14,15. The Security Environment Threats Security goals and threats.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Unifying Equivalence-Based Definitions of Protocol Security A. Datta, R. Küsters, J. C. Mitchell, A. Ramanathan, V. Shmatikov Stanford University SRI International.

Unifying Equivalence-Based Definitions of Protocol Security A. Datta, R. Küsters, J. C. Mitchell, A. Ramanathan, V. Shmatikov Stanford University SRI International.
Spi Calculus Gokhan Gokoz Chad R. Meiners. What Spi Calculus Is Spi calculus is a form of pi calculus extended to support cryptography. Pi calculus is.

Spi Calculus Gokhan Gokoz Chad R. Meiners. What Spi Calculus Is Spi calculus is a form of pi calculus extended to support cryptography. Pi calculus is.

Similar presentations

Ads by Google