CS 259 Overview Pi calculus Security in Process Calculi • Core language for parallel programming • Modeling security via name scoping Applied pi calculus • Modeling cryptographic primitives with functions Vitaly Shmatikov and equational theories • Equivalence-based notions of security • A little bit of operational semantics • Security as testing equivalence Pi Calculus [Milner et al.] A Little Bit of History [Milner] Fundamental language for concurrent systems 1980: Calculus of Communicating Systems (CCS) • High-level mathematical model of parallel processes 1992: Pi Calculus [Milner, Parrow, Walker] • The “core” of concurrent programming languages • Ability to pass channel names between processes • By comparison, lambda-calculus is the “core” of 1998: Spi Calculus [Abadi, Gordon] functional programming languages • Adds cryptographic primitives to pi calculus Mobility is a basic primitive • Security modeled as scoping • Basic computational step is the transfer of a • Equivalence-based specification of security properties communication link between two processes • Connection with computational models of cryptography • Interconnections between processes change as they communicate 2001: Applied Pi Calculus [Abadi, Fournet] Can be used as a general programming language • Generic functions, including crypto primitives Pi Calculus Syntax Modeling Secrecy with Scoping Terms A sends M to B over secure channel c • M, N ::= x variables Let u range over } names and variables | n names A M B Processes channel c • P,Q ::= nil empty process | ū〈N〉.P send term N on channel u A(M) = c-〈M〉 | u(x).P receive term from channel P and assign to x B = c(x).nil | !P replicate process P P(M) = (νc)(A(M)|B) | P|Q run processes P and Q in parallel This restriction ensures that channel c is | (νn)P restrict name n to process P “invisible” to any process except A and B (other processes don’t know name c) 1 Secrecy as Equivalence Another Formulation of Secrecy - Without (νc), attacker could run - A(M) = c〈M〉 process c(x) and tell the difference A(M) = c〈M〉 B = c(x).nil between P(M) and P(M’) B = c(x).nil P(M) = (νc)(A(M)|B) P(M) = (νc)(A(M)|B) P(M) and P(M’) are “equivalent” for any values No attacker can learn name n from P(n) of M and M’ • Let Q be an arbitrary attacker process, and suppose • No attacker can distinguish P(M) and P(M’) it runs in parallel with P(n) Different notions of “equivalence” • For any process Q in which n does not occur free, P(n) | Q will never output n • Testing equivalence or observational congruence • Indistinguishability by any probabilistic polynomial- time Turing machine Modeling Authentication with Scoping Specifying Authentication A sends M to B over secure channel c A(M) = c-〈M〉 -〈 〉 B announces received value on public channel d B = c(x).d x P(M) = (νc)(A(M)|B) For any value of M, if B outputs M on channel d, M M A B then A previously sent M on channel c channel c channel d A(M) = c-〈M〉 B = c(x).d-〈x〉 P(M) = (νc)(A(M)|B) A Key Establishment Protocol Key Establishment in Pi Calculus S S Send name CAB Send name CAB Send name CAB Send name CAB CAS CSB CAS CSB Create new M M Create new M M channel CAB A B channel CAB A B Send data on CAB channel d Send data on CAB channel d __ __ 1. A and B have pre-established pairwise keys with server S A(M) = (νc )c 〈c 〉.c 〈M〉 AB AS__ AB AB Model these keys as names of pre-existing communication channels S=c(x).c 〈x〉 AS SB _ Note communication on a channel 2. A creates a new key and sends it to S, who forwards it to B 〈 〉 with a dynamically generated name B=cSB(x).x(y).d y Model this as creation of a new channel name ν ν 3. A sends M to B encrypted with the new key, B outputs M P(M) = ( cAS)( cSB)(A(M)|B|S) 2 Applied Pi Calculus Applied Pi Calculus: Terms In pi calculus, channels are the only primitive This is enough to model some forms of security M, N ::= x Variable • Name of a communication channel can be viewed as an | n Name “encryption key” for traffic on that channel – A process that doesn’t know the name can’t access the channel | f(M1,...,Mk) Function application • Channel names can be passed between processes – Useful for modeling key establishment protocols To simplify protocol specification, applied pi Standard functions calculus adds functions to pi calculus • pair(), encrypt(), hash(), … • Crypto primitives modeled by functions and equations Simple type system for terms • Integer, Key, Channel〈Integer〉, Channel〈Key〉 Applied Pi Calculus: Processes Modeling Crypto with Functions Introduce special function symbols to model P,Q ::= nil empty process cryptographic primitives | ū〈N〉.P send term N on channel u Equational theory models cryptographic properties | u(x).P receive from channel P and assign to x Pairing | !P replicate process P • Functions pair, first, second with equations: | P|Q run processes P and Q in parallel first(pair(x,y)) = x | (νn)P restrict name n to process P second(pair(x,y)) = y | if M = N conditional Symmetric-key encryption then P else Q • Functions symenc, symdec with equation: symdec(symenc(x,k),k)=x More Equational Theories Yet More Equational Theories Public-key encryption Public-key digital signatures • Functions pk,sk generate public/private key pair • As before, functions pk,sk generate public/private key pk(x),sk(x) from a random seed x pair pk(x),sk(x) from a random seed x • Functions pdec,penc model encryption and decryption • Functions sign,verify model signing and verification with with equation: equation: pdec(penc(y,pk(x)),sk(x)) = y verify(y,sign(y,sk(x)),pk(x)) = y • Can also model “probabilistic” encryption: XOR pdec(penc(y,pk(x),z),sk(x)) = y • Model self-cancellation property with equation: Models random salt Hashing (necessary for semantic security) xor(xor(x,y),y) = x • Unary function hash with no equations • Can also model properties of cyclic redundancy codes: • hash(M) models applying a one-way function to term M crc(xor(x,y)) = xor(crc(x),crc(y)) 3 Dynamically Generated Data Better Protocol with Capabilities Use built-in name generation capability of pi calculus to model creation of new keys and nonces A (M,hash(s,M)) B M channel c channel d (M,s) M Hashing protects integrity of A B M and secrecy of s channel c channel d A(M) = c-〈(M,hash(s,M))〉 A(M) = c-〈(M,s)〉 B = c(x).if second(x)= B = c(x).if second(x)=s hash(s,first(x)) - then d〈first(x)〉 then d-〈first(x)〉 P(M) = (νs)(A(M)|B) P(M) = (νs)(A(M)|B) Models creation of fresh capability capability s may every time A and B communicate be intercepted! Proving Security Example: Challenge-Response “Real” protocol Challenge-response protocol → • Process-calculus specification of the actual protocol A B{i}k → “Ideal” protocol B A{i+1}k • Achieves the same goal as the real protocol, but is secure by design This protocol is secure if it is indistinguishable • Uses unrealistic mechanisms, e.g., private channels from this “ideal” protocol • Represents the desired behavior of real protocol → A B{random1}k To prove the real protocol secure, show that no → B A{random2}k attacker can tell the difference between the real protocol and the ideal protocol • Proof will depend on the model of attacker observations Example: Authentication Security as Observational Equivalence Authentication protocol Need to prove that two processes are → A B{i}k observationally equivalent to the attacker → B A{i+1}k Complexity-theoretic model A → B“Ok” • Prove that two systems cannot be distinguished by any This protocol is secure if it is indistinguishable from probabilistic polynomial-time adversary this “ideal” protocol [Beaver ’91, Goldwasser-Levin ’90, Micali-Rogaway ’91] → Abstract process-calculus model A B{random1}k → • Cryptography is modeled by abstract functions B A{random2}k → • Prove testing equivalence between two processes B Arandom1, random2 on a magic secure channel A → B “Ok” if numbers on real & magic channels match • Proofs are easier, but it is nontrivial to show computational completeness [Abadi-Rogaway ’00] 4 Structural Equivalence Operational Semantics P | nil ≡ P Reduction → is the smallest relation on P | Q ≡ Q | P closed processes that is closed by P | (Q | R) ≡ (P | Q) | R structural equivalence and application of !P ≡ P | !P evaluation contexts such that (νm) (νn)P ≡ (νn) (νm)P ā〈M〉.P | a(x).Q → P | Q[M/x] (νn)nil ≡ nil models P sending M to Q on channel a (νn)(P | Q) ≡ P | (νn)Q if n is not a free name in P if M = M then P else Q → P P[M/x] ≡ P[N/x] if M=N in the equational theory if M = N then P else Q → Q for any ground M, N s.t. M ≠ N in the equational theory Equivalence in Process Calculus Testing Equivalence Standard process-calculus notions of Informally, two processes are equivalent if no equivalence such as bisimulation are not environment can distinguish them adequate for cryptographic protocols A test is a process R and channel name w • Different ciphertexts leak no information to the • Informally, R is the environment and w is the channel attacker who does not know the decryption keys on which the outcome of the test is announced -- (νk)c〈symenc(M,k)〉 and (νk)c〈symenc(N,k)〉 A process P passes a test (R,w) if P | R may send different messages, but they should be produce an output on channel w treated as equivalent when proving security • There is an interleaving of P and R that results in R • In each case, a term is encrypted under a fresh key being able to perform the desired test • No test by the attacker can tell these apart Two processes are equivalent if they pass the same tests Advantages and Disadvantages Bibliography Proving testing equivalence is hard Robin Milner.