Pattern-Matching Spi-Calculus

A Type System for Cryptographic Protocols

Christian Haack and Alan Jeffrey DePaul University, Chicago

Pattern-Matching Spi-Calculus – p.1/11


Types for Cryptographic Protocols

Spi-calculus: a small and abstract domain-specific language for cryptographic protocols. Abadi and Gordon [1997]

Type systems for verifying secrecy or authenticity within the spi-calculus: Abadi [1999], Abadi and Blanchet [2001], Gordon and Jeffrey [2001, 2002]

Advantages of verification by type-checking:

  • Type-checking is easier than proofs from first principles.
  • Type-checking is automatable.


Pattern-Matching Spi: Messages

$$L, M, N ::= n \mid x \mid () \mid (M, N) \mid \{|M|\}_{N} \mid \{|M|\}_{N^{-1}} \mid \mathsf{Enc}(M) \mid \mathsf{Dec}(M)$$

Other constructors by translation to this core language:

Symmetric crypto: $\{M\}_k = \{|M|\}_{\mathsf{Enc}(k)}$, where $k$ is a secret key pair.

Message tagging: $\ell(M) = \{|M|\}_{\mathsf{Enc}(\ell)}$, where $\ell$ is a public “key” pair.

Hashing: $\#(M) = \mathit{hashtag}(\{|M|\}_{\mathit{hashkey}})$, where $\mathit{hashkey}$ is a public encryption key with decryption part unknown to everybody.


Pattern-Matching Spi: Processes

$$P, Q ::= \mathsf{out}\ N\ M \mid \mathsf{inp}\ N\ X; P \mid \mathsf{new}\ n{:}T; P \mid {!P} \mid P \mathbin{|} Q \mid 0$$

Pattern-matching input; $X$ is a pattern.

$$X ::= \{\vec{x} \,.\, M \mid \bar{A}\}$$

where $\bar{A}$ is a set of assertions.

Surface syntax has syntactic sugar. For instance:

$$\mathsf{inp}\ N\ \{|x : T|\}_{k^{-1}}; P \;=\; \mathsf{inp}\ N\ \{x \,.\, \{|x|\}_{k^{-1}} \mid x : T\}; P$$

Syntactic restrictions:

  • Members of binder $\vec{x}$ must have a witness in $M$.
  • Input patterns must be Dolev-Yao-implementable. For instance, $\{x, k \,.\, \{|x|\}_{k^{-1}} \mid \bar{A}\}$ is not D-Y-implementable.


Semantics of Pattern-Matching

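Dynamic semantics.

$$\mathsf{out}\ L\ M\{\vec{x} \leftarrow \vec{N}\} \mathbin{|} \mathsf{inp}\ L\ \{\vec{x} \,.\, M \mid \bar{A}\}; P \;\to\; P\{\vec{x} \leftarrow \vec{N}\}$$

  • Dynamic check that input message matches input message pattern $M$.
  • Dynamic semantics ignores the assertion set $\bar{A}$.

Static semantics.

$$\frac{E \vdash \bar{A}\{\vec{x} \leftarrow \vec{N}\}}{E \vdash M\{\vec{x} \leftarrow \vec{N}\} \in \{\vec{x} \,.\, M \mid \bar{A}\}}$$

  • Static check that assertion set $\bar{A}$ holds after input.
  • $\bar{A}$ may be viewed as checked input post-condition.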


Correspondence Assertions

$A$ !begins “A sends m to B”

$A \to B \quad (m, A, B)$

$B$ ends “A sends m to B”

$$P_A = \mathsf{new}\ m : T;\ \mathsf{begin!}(m, A, B);\ \mathsf{out}\ \mathit{net}\ (m, A, B)$$

$$P_B = \mathsf{inp}\ \mathit{net}\ \{x, p \,.\, (x, p, B) \mid \bar{A}(x, p)\};\ \mathsf{end}(x, p, B)$$

A process is safe iff in every run every end-assertion is preceded by a matching begin-assertion.

$P_A \mathbin{|} P_B$ is safe.

A process $P$ is robustly safe iff $P \mathbin{|} O$ is safe for all opponents $O$.

$P_A \mathbin{|} P_B$ is not robustly safe.

Theorem: Every well-typed process is robustly safe.


A Well-Typed Protocol

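$A$ !begins “A sends m to B”

$A \to B \quad \{|m, A, B|\}_{\mathit{esA}}$

$B$ ends “A sends m to B”

$$\mathit{esA} : \mathsf{SignEncKey}(X) \qquad \mathit{dsA} : \mathsf{SignDecKey}(X)$$

$$X = \{x, p, q \,.\, (x, p, q) \mid {!\mathsf{begun}}(x, p, q)\}$$

$$P_A = \mathsf{new}\ m : \mathsf{Public};\ \mathsf{begin!}(m, A, B);\ \mathsf{out}\ \mathit{net}\ \{|m, A, B|\}_{\mathit{esA}}$$

$$P_B = \mathsf{inp}\ \mathit{net}\ \{x, p \,.\, \{|x, p, B|\}_{\mathit{dsA}^{-1}} \mid {!\mathsf{begun}}(x, p, B)\};\ \mathsf{end}(x, p, B)$$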
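The safety definition from the Correspondence Assertions slide and the signed protocol above, as an added example (not code from the talk or from the authors' type checker): a small symbolic model that replays begin events and messages on net through P_B's input pattern and checks that every end has an earlier matching begin. The key-pair names `sA` and `sO`, the opponent message `m2`, and the assumption that the opponent cannot seal under `sA` are illustrative.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Var:      # variable bound by the pattern's binder
    name: str

@dataclass(frozen=True)
class Sealed:   # message {|body|}_es; as a pattern, {|body|}_(ds^-1) for the same pair
    body: object
    pair: str

def match(pat, msg, env):
    """Dynamic check of inp: bindings that make pat equal msg, or None."""
    if isinstance(pat, Var):
        return {**env, pat.name: msg} if env.get(pat.name, msg) == msg else None
    if isinstance(pat, Sealed):
        ok = isinstance(msg, Sealed) and msg.pair == pat.pair
        return match(pat.body, msg.body, env) if ok else None
    if isinstance(pat, tuple):
        if not isinstance(msg, tuple) or len(msg) != len(pat):
            return None
        for p, m in zip(pat, msg):
            env = match(p, m, env)
            if env is None:
                return None
        return env
    return env if pat == msg else None      # a name matches only itself

def run(schedule, pattern):
    """Replay begin events and net messages; P_B emits end(x, p, B) per match."""
    trace = []
    for kind, item in schedule:
        if kind == "begin":
            trace.append(("begin", item))
        else:                                # a message on net, from anyone
            env = match(pattern, item, {})
            if env is not None:
                trace.append(("end", (env["x"], env["p"], "B")))
    return trace

def safe(trace):
    """Every end must be preceded by a begin with the same arguments."""
    return all(kind == "begin" or ("begin", item) in trace[:i]
               for i, (kind, item) in enumerate(trace))

PLAIN = (Var("x"), Var("p"), "B")                  # {x, p . (x, p, B) | ...}
SIGNED = Sealed((Var("x"), Var("p"), "B"), "sA")   # {x, p . {|x, p, B|}_dsA^-1 | ...}
# Constructed schedules: A's honest run, then messages an opponent O writes to net.
honest_plain = [("begin", ("m", "A", "B")), ("net", ("m", "A", "B"))]
honest_signed = [("begin", ("m", "A", "B")), ("net", Sealed(("m", "A", "B"), "sA"))]
opponent = [("net", ("m2", "A", "B")), ("net", Sealed(("m2", "A", "B"), "sO"))]
```

With `PLAIN`, the opponent's triple yields an end with no begin; with `SIGNED`, neither opponent message matches the pattern, so the combined schedule stays safe in this model.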


Protocol-Independent Key Types

$$\mathsf{out}\ \mathit{net}\ \{|m, A, B|\}_{\mathit{esA}}$$

type-checks with

$$\mathit{esA} : \mathsf{SignEncKey}(\{x, p, q \,.\, (x, p, q) \mid {!\mathsf{begun}}(x, p, q)\}).$$

Problems.

  • The type of $\mathit{esA}$ is specific to this particular protocol.
  • The inclusion of principal name $A$ is redundant, because $A$’s signature already authenticates $A$.

A Solution. Typed message tagging and “authorization” types.


Tag and Authorization Types

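$$\mathsf{out}\ \mathit{net}\ \{|\ell(m, B)|\}_{\mathit{esA}}$$

type-checks with

$$\mathit{esA} : \mathsf{SignEncKey}(\emptyset\ \mathsf{Auth}(A))$$

  • From a sender’s point of view, $\emptyset\ \mathsf{Auth}(A)$ is a type of messages that require authorization by $A$.
  • From a receiver’s point of view, $\emptyset\ \mathsf{Auth}(A)$ is a type of messages that have been authorized by $A$.

Tag type:

$$\ell : \forall p \,.\, X(p) \to \mathsf{Auth}(p)$$

$$X(p) = \{x, q \,.\, (x, q) \mid {!\mathsf{begun}}(x, p, q)\}$$

Compare to $X = \{x, p, q \,.\, (x, p, q) \mid {!\mathsf{begun}}(x, p, q)\}$.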


Pattern-Matching Spi: Types

Kinds:

$$K, H \subseteq \{\mathsf{Public}, \mathsf{Tainted}\}$$

Types:

$$T, U ::= (K, H)\ \mathit{KT}(X) \mid K\ \mathsf{Top} \mid K\ \mathsf{Auth}(M)$$

$$\mathit{KT} ::= \mathsf{EncKey} \mid \mathsf{DecKey} \mid \mathsf{KeyPair}$$

  • In key types $(K, H)\ \mathit{KT}(X)$, $K$ is the kind of the encryption key and $H$ the kind of the decryption key.
  • $K\ \mathsf{Top}$ is the greatest type for messages of kind $K$.
  • $K\ \mathsf{Auth}(M)$ is a type of messages authorized by $M$ and of kind $K$.

The types from the previous examples translate to this core language of types.


Summary and Contributions

  • Pattern-matching input instead of message destructors and equality checks.
  • Static pattern matching instead of dependent types results in more flexible scoping rules.
  • Can now type-check hashing and nested encryption.
  • Authorization types and tag types instead of tagged union types.
  • Protocol-independent key types.
  • Authentication by signature.
  • Small core language.
  • The rule system, its correctness proofs and its implementation remain tractable.
