The Spi Calculus. A Calculus for Cryptographic Protocols Presented By Ramesh Yechangunja. Introduction.
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
The Spi Calculus
A Calculus for Cryptographic Protocols
Presented By
Ramesh Yechangunja
Developed by Martin Abadi and Andrew D.Gordon at the Systems Research Center, it is an extension of the Pi Calculus with cryptographic primitives designed for describing and analyzing cryptographic protocols.
Consider two principals A and B that share a key KAB with a public channel cAB. The protocol is simply that A sends a message M under KAB to B, on cAB.
Message 1 A→B: {M}KABon cAB
In the spi calculus, we write
A(M) ≜ cAB‹{M}KAB ›
B ≜ cAB(x).case x of {y}KAB in F(y)
Inst(M) ≜ (vK)(A(M)|B)
Security properties are expressed as equivalences. We use the following specification:
A(M) ≜ cAB‹{M}KAB ›
Bspec(M) ≜ cAB(x).case x of {y}KAB in F(M)
Instspec(M) ≜ (vKAB)(A(M)|Bspec(M))
We obtain the properties:
Authenticity: Inst(M) ≃ Instspec(M), for all M
Secrecy: Inst(M) ≃ Inst(M’) if F(M) ≃ F(M’),
for all M,M’
We consider the Wide Mouthed Frog protocol.
1. New key KAB under KAS 2. New key KAB under KSB
3.data under new key KAB
S
A
B
Message 1 A→S: {KAB}KASon cAS
Message 2 S→B: {KAB}KSBon cSB
Message 3 A→B: {M}KABon cAB
In the spi calculus, we can express it as:
A(M) ≜ (vKAB)( cAS‹{KAB}KAS ›. cAB ‹{M}KAB ›)
S ≜ cAS(x).case x of {y}KAS in cSB ‹{y}KSB ›
B ≜ cSB(x).case x of {y}KSB in
cAB(z).case z of {w}y in F(w)
Inst(M) ≜ (vKAS) (vKSB)( A(M)|S|B)
Consider a system with a server and n other principals. Each principal has an input channel which is public, namely, C1, C2,…,Cn and Cs. The server shares a pair of keys with each other principal, Ksi and Kis.
We extend the previous example to this n+1 principals:
Message 1 A→S: A,{B,KAB}KASon cS
Message 2 S→B: {A,KAB}KSBon cB
Message 3 A→B: A,{M}KABon cB
An instance of the protocol is determined by a choice of parties and by the message sent i.e. an instance I is the triple (i,j,M).
i – source address
j - destination address
Given an instance (i,j,M), the following process corresponds to role of A:
Send(i,j,M) ≜ (vK)(cS‹(i,{j,K}KiS )›| cj‹(i,{M}K)›)
The following process corresponds to the role of B:
Recv(j) ≜ cj(ycipher).case ycipher of {xA,xkey}KSj in
cj(zA,zcipher).[xA, zA]
case zcipher of {zplain }xkeyin F(xA,j, zplain)
The server S is the same for all instances:
S ≜ cj(xA,xcipher).
i1..n[xA is i] case xcipher of {xB,xkey}KiSin
j1..n[xB is j] cj ‹{xA,xkey}KS j ›
where i1..k Pi is the k-way composition
P1 |…|Pk
Finally we define a whole system, parameterized on a list of instances of the protocol:
Sys(I1,…, Im) ≜ (vKsi)(vKis)
(Send(I1) |…| Send(Im) |
!S
!Recv(1) |…| !Recv(n) )
Unfortunately, the protocol is vulnerable to a replay attack that invalidates the authenticity. An attacker can replay messages of one instance and get them mistaken for messages of the other instance.
The previous protocol is improved by adding nonce handshakes as protection against replay attacks.
The new protocol is:
Message 1 A→S: A on cS
Message 2 S→A: NSon cA
Message 3 A→S: A,{A,A,B,KAB, NS }KASon cS
Message 4 S→B: * on cB
Message 5 B→S: NBon cS
Message 6 S→B: {S,A,B,KAB, NB }KS Bon cB
Message 7 A→B: A,{M }KAB on cB
In spi calculus, nonces are represented as newly created names.
Send(i,j,M) ≜ cS‹i›|
ci (xnonce).
(vK)(cS‹(i,{i,i,j,K,xnonce}KiS )›| cj‹(i,{M}K)›)
S ≜ cS(xA). i1..n[xA is i] (vNS) (ci‹NS›|
cS(x’A,xcipher).[x’A is i]
case xcipher of {yA,zA, xB, xkey, xnonce}KiSin
j1..n[yAis i][zA is i][xB is j][xnonce is NS]
(cj‹*›| cS (ynonce). cj‹{S,i,j, xkey,ynonce}KS j ›))
Recv(j) ≜ cj(w). (vNB) (cS‹NB›|
cj(ycipher).
case ycipher of {xS, xA, xB, xkey,ynonce} KS j in
j1..n[xSis S][xA is i][xB is j][ynonce is NB]
cj(zA,zcipher).[zA is xA]
case zcipher of {zplain }xkeyin F(i,j, zplain))
Sys(I1,…, Im) ≜ (vKsi)(vKis)
(Send(I1) |…| Send(Im) |
!S
!Recv(1) |…| !Recv(n) )
The authenticity property is obtained:
Sys(I1,…, Im) ≃ Sysspec(I1,…, Im)
for any instances I1,…, Im
This holds good because of the nonces.
Secrecy: Sys(I1,…, Im) ≃ Sysspec(J1,…, Jm)
if each pair (I1, J1 ),… (Im, Jm) is
indistinguishable.