Lecture 3

The CSP approach to the specification and analysis of Security protocols

Communicating Sequential Processes [Hoare 78]

Mathematical framework for the description and analysis of systems consisting of processes interacting via exchange of messages

Automatic tools available for proving properties of CSP specifications

Model-checker FDR

Theorem prover PVS

The CSP formalism

A small mathematical language containing the main constructs for specifying concurrency, parallelism, communication, choice, hiding etc.

The evolution of processes is based on a sequence of events or actions

Visible actions S

Interaction with other processes, communication

Invisible action t

Internal computation steps

The CSP language: Syntax

Inaction: Stop

Termination, deadlock, incapability of performing any action, either internal or external

Input: in ? x : A g P(x)

Execute an input action on channel in, get message x of type A, then continue as P(x)

Output: out ! m g P(x)

Execute an output action on channel out, send message m, then continue as P(x)

Recursion: P(y₁,…,y_n) = Body(y₁,…,y_n)

Process definition. P is a process name, y₁,…,y_n are the parameters, Body(y₁,…,y_n) is a process expression

Example: Copy = in ? x g out ! m g Copy

CSP’s Syntax (Cont’ed)

External (aka guarded) choice: P [] Q

Execute a choice between P and Q. Do not choose a process which cannot proceed

Example: (a ? x g P(x)) [] (b ? x g Q(x))

Execute one and only one input action. If only one is available then choose that one. If both are available than choose arbitrarily. If none are available then block. The unchoosen branch is discarded (commitment)

Internal choice: P + Q

Execute an arbitrary choice between P and Q. It is possible to choose a process which cannot proceed

CSP’s Syntax (Cont’ed)

Parallel operator w/synchronization: P || Q

P and Q proceed in parallel and are obliged to synchronize on all the common actions

Example: (c ? x g P(x)) || (c ! m g Q)

Synchronization: the two processes can proceed only if their actions correspond

Handshaking: sending and receiving is symultaneous (clearly an abstraction. Buffered communication can anyway be modeled by implementing a buffer process)

Communication: m is transmitted to the first process, which continues as P(m).

Broadcasting: c ! m is available for other parallel procs

Question: what happens with the process

((c?xgP(x)) [] (d?y gQ(y))) || (c!m gR)

CSP’s Syntax (Cont’ed)

Parallel operator w/synchronization and interleaving: P ||_A Q

P and Q are obliged to synchronize only on the common actions in A

They interleave on all the actions not in A

Example:

(c ? x gP(x)) ||_{c} ((c ! m gQ) [] (d ! n g R))

the two processes can either synchronize on the action on channel c, or the second process can perform an action on d. In this second case the first process will remain blocked, though, until the second will decide to perform (if ever) an output action on c.

Question: in what part of the second process could this action on c be performed ?

Abbreviation: P ||| Q stands for P ||_f Q

CSP’s Syntax (Cont’ed)

Hiding: P \ A

P \A behaves as P except that all the actions in A are turned into invisible actions. So they cannot be used anymore to synchronize with other processes.

One possible use of this mechanism is to avoid that external processes interfere with the communication channels in P. (Internalization of communication in P.)

Renaming: P[y/x]

P[x/y] behaves as P except that all the occurrences of x are renamed by y.

Typically it serves to create different instances of the same process scheme

Abbr: P[y₁,y₂/x₁,x₂] will stand for P[y₁/x₁][y₂/x₂]

Modeling Security Protocols in CSP

Security protocols work through the interaction of a number of processes in parallel that send messages to each other. CSP is therefore an obvious notation for describing the participants and their role in the protocol

Example: The Yahalom protocol

Message 1    a g b : a.n_a

Message 2    b g s : b.{a.n_a.n_b}_ServerKey(b)

Message 3    s g a : {b. k_ab.n_a.n_b}_ServerKey(a).{a.k_ab}_ServerKey(b)

Message 4    a g b : {a. k_ab}_ServerKey(b).{n_b}_k_ab

Questions:

Is the it based on symmetric or asymmetric cryptography?

what are n_a and n_b, andwhat is their purpose?

Modeling Security Protocols in CSP

We assume that each process has channels

Receive

Send

that it uses for all communications with the other nodes via the medium

Let us assume that A (Anne) and B (Bob) use the protocol, with A as initiator and B as responder, and that J (Jeeves) is the secure server

Modeling Security Protocols in CSP

A’s view (initiator):

Message 1 a sends to b: a.n_a

Message 3 a gets from ‘j’: {b. k_ab.n_a.n_b}_ServerKey(a).{a.k_ab}_ServerKey(b)

Message 4 a sends to b: {a. k_ab}_ServerKey(b).{n_b}_k_ab

In CSP this behavior can be modeled as follows:

Initiator(a,n_a ) =

    env?b: Agent

         g send.a.b.a.n_a

         g [](receive.J.a{b. k_ab.n_a.n_b}_ServerKey(a).m

_k_ab_e_Keyg send.a.b.m.{n_b}_k_ab g Session(a,b,k_ab,n_a,n_b) )

_n_b_e_Nonce

_m_e_T

Modeling Security Protocols in CSP

B’s view (responder):

Message 1 b getss from ‘a’: a.n_a

Message 2 b sends to j: b.{a.n_a.n_b}_ServerKey(b)

Message 4 b gets from ‘a’: {a. k_ab}_ServerKey(b).{n_b}_k_ab

In CSP this behavior can be modeled as follows:

Responder(b,n_b ) =

[](receive.a.b.a.n_ag send.b.J.b .{a.n_a.n_b}_ServerKey(b)

_k_ab_e_Keyg receive.a.b.{a. k_ab}_ServerKey(b).{n_b}_k_ab

_n_b_e_Nonce g Session(b,a,k_ab,n_a,n_b) )

_m_e_T

Modeling Security Protocols in CSP

J’s view (server):

Message 2 j gets from ‘b’: b.{a.n_a.n_b}_ServerKey(b)

Message 3 j sends to a : {b. k_ab.n_a.n_b}_ServerKey(a).{a.k_ab}_ServerKey(b)

In CSP this behavior can be modeled as follows:

Server(J,k_ab ) =

    [](receive.b.J.b .{a.n_a.n_b}_ServerKey(b)

_A,B_e_Agentg send.J.a. {b. k_ab.n_a.n_b}_ServerKey(a).{a.k_ab}_ServerKey(b)

_N_b_,n_b_e_Nonce g Server(J,k_s ) )

Server(J)   = ||| Server(J,k_ab )

                    k_ab e Keys_Server

Question: why several server processes in parallel?

Modeling an intruder

We want to model an intruder that represents all potential intruder behaviors

     Intruder(X) = learn?m: messages gIntruder(close(X U {m})

                            []

                            say!m: X /\ messages gIntruder(X)

Close(X) represents all the possible information that the attacker can infer from X. Typically we assume

{k,m} |- encript(k,m)

{encript(k,m), k^-1} |- m

{Sq<x₁,…,x_n>} |- x_i

{x₁,…,x_n} |- Sq<x₁,…,x_n>}

Putting the network together

Alternative with direct channels

Initiator(Anne,n_A)[S]

|||

Responder(Bob,n_B)[S]

|||

Server(Jeeves)[S]

|||

Intruder(f)[S]


The CSP approach to the specification and analysis of Security protocols

	Communicating Sequential Processes [Hoare 78]

	Mathematical framework for the description and analysis of systems consisting of processes interacting via exchange of messages

	Automatic tools available for proving properties of CSP specifications
		Model-checker FDR
		Theorem prover PVS


A small mathematical language containing the main constructs for specifying concurrency, parallelism, communication, choice, hiding etc.

The evolution of processes is based on a sequence of events or actions
	Visible actions S
		Interaction with other processes, communication
	Invisible action t
		Internal computation steps


Inaction: Stop
		Termination, deadlock, incapability of performing any action, either internal or external
Input: in ? x : A g P(x)
		Execute an input action on channel in, get message x of type A, then continue as P(x)
Output: out ! m g P(x)
		Execute an output action on channel out, send message m, then continue as P(x)
Recursion: P(y₁,…,y_n) = Body(y₁,…,y_n)
		Process definition. P is a process name, y₁,…,y_n are the parameters, Body(y₁,…,y_n) is a process expression

	Example: Copy = in ? x g out ! m g Copy



External (aka guarded) choice: P [] Q
		Execute a choice between P and Q. Do not choose a process which cannot proceed
	Example: (a ? x g P(x)) [] (b ? x g Q(x))
	Execute one and only one input action. If only one is available then choose that one. If both are available than choose arbitrarily. If none are available then block. The unchoosen branch is discarded (commitment)

Internal choice: P + Q
		Execute an arbitrary choice between P and Q. It is possible to choose a process which cannot proceed


Parallel operator w/synchronization: P \|\| Q
		P and Q proceed in parallel and are obliged to synchronize on all the common actions
	Example: (c ? x g P(x)) \|\| (c ! m g Q)
		Synchronization: the two processes can proceed only if their actions correspond
		Handshaking: sending and receiving is symultaneous (clearly an abstraction. Buffered communication can anyway be modeled by implementing a buffer process)
		Communication: m is transmitted to the first process, which continues as P(m).
		Broadcasting: c ! m is available for other parallel procs
Question: what happens with the process
((c?xgP(x)) [] (d?y gQ(y))) \|\| (c!m gR)


Parallel operator w/synchronization and interleaving: P \|\|_A Q
		P and Q are obliged to synchronize only on the common actions in A
		They interleave on all the actions not in A
	Example:
	(c ? x gP(x)) \|\|_{c} ((c ! m gQ) [] (d ! n g R))
		the two processes can either synchronize on the action on channel c, or the second process can perform an action on d. In this second case the first process will remain blocked, though, until the second will decide to perform (if ever) an output action on c.
		Question: in what part of the second process could this action on c be performed ?
	Abbreviation: P \|\|\| Q stands for P \|\|_f Q


	Hiding: P \ A
			P \A behaves as P except that all the actions in A are turned into invisible actions. So they cannot be used anymore to synchronize with other processes.
			One possible use of this mechanism is to avoid that external processes interfere with the communication channels in P. (Internalization of communication in P.)

	Renaming: P[y/x]
			P[x/y] behaves as P except that all the occurrences of x are renamed by y.
			Typically it serves to create different instances of the same process scheme
			Abbr: P[y₁,y₂/x₁,x₂] will stand for P[y₁/x₁][y₂/x₂]


	Security protocols work through the interaction of a number of processes in parallel that send messages to each other. CSP is therefore an obvious notation for describing the participants and their role in the protocol

	Example: The Yahalom protocol

		Message 1 a g b : a.n_a
		Message 2 b g s : b.{a.n_a.n_b}_ServerKey(b)
		Message 3 s g a : {b. k_ab.n_a.n_b}_ServerKey(a).{a.k_ab}_ServerKey(b)
		Message 4 a g b : {a. k_ab}_ServerKey(b).{n_b}_k_ab

	Questions:
		Is the it based on symmetric or asymmetric cryptography?
		what are n_a and n_b, andwhat is their purpose?


	We assume that each process has channels
		Receive
		Send
	that it uses for all communications with the other nodes via the medium

	Let us assume that A (Anne) and B (Bob) use the protocol, with A as initiator and B as responder, and that J (Jeeves) is the secure server


	A’s view (initiator):
		Message 1 a sends to b: a.n_a
		Message 3 a gets from ‘j’: {b. k_ab.n_a.n_b}_ServerKey(a).{a.k_ab}_ServerKey(b)
		Message 4 a sends to b: {a. k_ab}_ServerKey(b).{n_b}_k_ab

	In CSP this behavior can be modeled as follows:

		Initiator(a,n_a ) =
		env?b: Agent
		g send.a.b.a.n_a
		g [](receive.J.a{b. k_ab.n_a.n_b}_ServerKey(a).m
		_k_ab_e_Keyg send.a.b.m.{n_b}_k_ab g Session(a,b,k_ab,n_a,n_b) )
		_n_b_e_Nonce
		_m_e_T


	B’s view (responder):
		Message 1 b getss from ‘a’: a.n_a
		Message 2 b sends to j: b.{a.n_a.n_b}_ServerKey(b)
		Message 4 b gets from ‘a’: {a. k_ab}_ServerKey(b).{n_b}_k_ab

	In CSP this behavior can be modeled as follows:

		Responder(b,n_b ) =
		[](receive.a.b.a.n_ag send.b.J.b .{a.n_a.n_b}_ServerKey(b)
		_k_ab_e_Keyg receive.a.b.{a. k_ab}_ServerKey(b).{n_b}_k_ab
		_n_b_e_Nonce g Session(b,a,k_ab,n_a,n_b) )
		_m_e_T


	J’s view (server):
		Message 2 j gets from ‘b’: b.{a.n_a.n_b}_ServerKey(b)
		Message 3 j sends to a : {b. k_ab.n_a.n_b}_ServerKey(a).{a.k_ab}_ServerKey(b)

	In CSP this behavior can be modeled as follows:

		Server(J,k_ab ) =
		[](receive.b.J.b .{a.n_a.n_b}_ServerKey(b)
		_A,B_e_Agentg send.J.a. {b. k_ab.n_a.n_b}_ServerKey(a).{a.k_ab}_ServerKey(b)
		_N_b_,n_b_e_Nonce g Server(J,k_s ) )


		Server(J) = \|\|\| Server(J,k_ab )
		k_ab e Keys_Server

	Question: why several server processes in parallel?


	We want to model an intruder that represents all potential intruder behaviors
	Intruder(X) = learn?m: messages gIntruder(close(X U {m})
	[]
	say!m: X /\ messages gIntruder(X)

	Close(X) represents all the possible information that the attacker can infer from X. Typically we assume

		{k,m} \|- encript(k,m)
		{encript(k,m), k^-1} \|- m
		{Sq<x₁,…,x_n>} \|- x_i
		{x₁,…,x_n} \|- Sq<x₁,…,x_n>}


	Initiator(Anne,n_A)[S]
	\|\|\|
	Responder(Bob,n_B)[S]
	\|\|\|
	Server(Jeeves)[S]
	\|\|\|
	Intruder(f)[S]