Expressing Security Properties in CSP

Security properties: the goals that a protocol is meant to satisfy, relatively to specific kinds and levels of threat ñ the intruders and their capabilities

We will consider the following security properties:

Secrecy

messages, keys, etc. have not become known

Authentication

Guarantees about the parties involved in the protocol

Non-repudiation

Evidence of the involvement of the other party

Anonymity

Protecting the identity of agents wrt particular events

Anonymity

We will model events as consisting of two components: the event itself, x, and the identity of the agent performing the event, a

a.x

AnUsers: the users who want to remain secret

ÝGiven x, defineÝÝÝÝÝ A = { a.x | a e AnUsers }

Definition: A protocol described as a CSP system P provides anonymity if an arbitrary permutation of the events in A, applied to all the traces of P, does not alter the set of all possible traces of P

Anonymity

Traces of a process: the sequences of visible actions in all possible runs

Example:ÝÝÝ a -> b -> StopÝ |||Ý c -> d -> Stop

Traces:ÝÝÝ a.b.c.dÝÝÝ a.c.b.dÝÝ c.a.b.dÝÝ a.c.d.bÝÝ c.a.d.bÝÝ c.d.a.b

Example:ÝÝÝ a -> b -> c -> StopÝ ||_{b} d -> b -> e -> Stop

Traces:ÝÝÝÝÝ a.d.b.c.dÝÝÝ d.a.b.c.dÝÝÝ a.d.b.d.cÝÝÝ d.a.b.d.c

Anonymity

LetÝÝ AnUsers = {p₁,p₂}

LetÝ A = {p₁.m, p₂.m}

Example 1ÝÝÝÝ p₁.m -> p₂.m -> Stop

Example 2ÝÝÝÝ p₁.m -> StopÝ |||Ý p₂.m -> Stop

Example 3ÝÝÝÝ p₁.m -> StopÝÝ +ÝÝ p₂.m -> Stop

Question: for each system, say whether or not it provides anonymity wrt A

Anonymity

A more involved example:

P =Ý p₁.m -> a -> StopÝ []Ý p₂.m -> a -> Stop

ÝÝÝÝÝ ||_{_p₁_._m_,_p₂_._m _}

ÝÝÝÝÝ p₁.m -> b -> StopÝ []Ý p₂.m -> c -> Stop

Question: Does P provides anonymity wrt

A = {p₁.m, p₂.m}

Anonymity

Answer: No

ÝÝ P has tracesÝ (p₁.m).b.a ,ÝÝ (p₂.m).c.aÝ ,Ý Ö

ÝÝÝÝÝÝÝÝÝÝÝ but notÝ (p₂.m).b.a ,ÝÝ (p₁.m).c.a ,Ý Ö

ÝÝ The permutationÝ { p₁-> p₂, p₂ -> p₁} changes the traces.

However, if we assume that the observer has no visibility of the actions b and c, then the system does provide anonymity wrtÝÝÝ A = {p₁.m, p₂.m}

One elegant way to formalize the concept of visibility in CSP is to use the the hiding operator:

P\{b, c} provides anonymity wrt A

Note: the above example shows that hiding A would not be enough

Anonymity

In general, given P, consider the sets:

A = { a.x | a e AnUsers }Ý : the actions that we want to know only partially (we want to know x but not a)

B :Ý the actions that we want to observe

C = Actions ñ (B U A) Ý: The actions we want to hide

Example: The dining cryptographers

The dining cryptographers

Three cryptographers share a meal

The meal is paid either by the organization (master) or by one of them. The decision on who pays is taken by the master

Each of them is informed by the master whether or not he is paying

GOAL: The cryptographers would like to know whether the organization is paying or not, but without knowing the identity of the cryptographer who is paying (if any).

The dining cryptographers

Solution: Each cryptographer tosses a coin. Each coin is in between two cryptographers.

The result of each coin-tossing is visible to the adjacent cryptographers, and only to them.

Each cryptographer examines the two adjacent coins

If he is not paying, he announces ìagreeî if the results are the same, and ìdisagreeî otherwise.

If he is paying, he says the opposite

Claim: if the number of ìdisagreeî is even, then the master is paying. Otherwise, one of them is paying. In the latter case, the non paying cryptographers will not be able to deduce whom exactly is paying

The dining cryptographers

Specification in CSP: Master and Coins

Master =

Ý S_n pays.n -> notpays.(n+1) -> notpays (n+2) -> Stop

ÝÝ + notpays.0 -> notpays.1 -> notpays.2 -> Stop

Coin(n) = Heads(n) + Tails(n)

Heads(n) = look.n.n.hd ->StopÝ |||Ý look.(n-1).n.hd ->Coin(n)

Tails(n) = look.n.n.tl -> StopÝ |||Ý look.(n-1).n.tl ->Coin(n)

Note: the arithmetic operations are modulo 3

The dining cryptographers

Specification in CSP:Ý Cryptographers

Crypt(n) = notpays(n) -> Check(n)

ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ [] pays(n) -> Checkí(n)

Check(n) =Ý look.n.n?x -> look.n.(n+1)?y ->

ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ if (x=y) then out.n.agree -> Stop

ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ else out.n.disagree -> Stop

Checkí(n) =Ý look.n.n?x -> look.n.(n+1)?y ->

ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ if (x=y) then out.n.disagree -> Stop

ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ else out.n.agree -> Stop

The dining cryptographers

Specification in CSP:Ý The whole system

Crypts = Crypt(0)Ý |||Ý Crypt(1)Ý |||Ý Crypt(2)

CoinsÝ =Ý Coin(0)Ý |||Ý Coin(1)Ý |||Ý Coin(2)

MealÝÝ =Ý Master ||_{{pays,

notpays}} ( Coins ||_{look} Crypts )

The dining cryptographers

The anonymity property

A = { pays.0, pays.1, pays.2 }

B = { out }

C = Actions ñ (B U A) = {look,notpays}

Theorem:Ý For every permutation r: A -> A, we have

r(Meal\C) =_T Meal\C

=_TÝ here represents trace equivalence.

This theorem means that an external observer cannot infer which cryptographer has paid.

This theorem can be proved by using the authomatic tool FDR.

Of course, it can also be proved ìby handî. Exercise

The dining cryptographers

One can argue that previous result is not strong enough: a cryptographer has more information than an external observer. Let us then do the analysis for a cryptographer, say Crypt(0)

A = { pays.1, pays.2 }

B = { pays.0, notpays.0, look.0, out }

C = Actions ñ (B U A)

Theorem:Ý For every permutation r: A -> A, we have

r(Meal\C) =_T Meal\C

This means that if Crypt(1) or Crypt(2) pay, then Crypt(0) canít infer which of them has paid. The same can be shown for the other two. So Meal\C provides the desired anonymity property.

The dining cryptographers

Example of a case in which the anonymity property does not hold.

Assume that Crypt(0) can access the result of the third coin, namely has visibility of the result of the action look.2.2

A = { pays.1, pays.2 }

B = { pays.0, notpays.0, look.0, out } U { look.2.2 }

C = Actions ñ (B U A)

We have that for some permutation r: A -> A,

r(Meal\C)ÝÝ =/=_TÝ Meal\C

pays.2Ý notpays.0Ý look.00.headsÝ look.0.1.headsÝ look.2.2.headsÝ out.2.disagreeÝ ÝYES

pays.1Ý notpays.0Ý look.00.headsÝ look.0.1.headsÝ look.2.2.headsÝ out.2.disagreeÝ ÝNO


Security properties: the goals that a protocol is meant to satisfy, relatively to specific kinds and levels of threat ñ the intruders and their capabilities

We will consider the following security properties:
	Secrecy
		messages, keys, etc. have not become known
	Authentication
		Guarantees about the parties involved in the protocol
	Non-repudiation
		Evidence of the involvement of the other party
	Anonymity
		Protecting the identity of agents wrt particular events


	We will model events as consisting of two components: the event itself, x, and the identity of the agent performing the event, a
	a.x
	AnUsers: the users who want to remain secret
	ÝGiven x, defineÝÝÝÝÝ A = { a.x \| a e AnUsers }

	Definition: A protocol described as a CSP system P provides anonymity if an arbitrary permutation of the events in A, applied to all the traces of P, does not alter the set of all possible traces of P



	Traces of a process: the sequences of visible actions in all possible runs

	Example:ÝÝÝ a -> b -> StopÝ \|\|\|Ý c -> d -> Stop

	Traces:ÝÝÝ a.b.c.dÝÝÝ a.c.b.dÝÝ c.a.b.dÝÝ a.c.d.bÝÝ c.a.d.bÝÝ c.d.a.b


	Example:ÝÝÝ a -> b -> c -> StopÝ \|\|_{b} d -> b -> e -> Stop

	Traces:ÝÝÝÝÝ a.d.b.c.dÝÝÝ d.a.b.c.dÝÝÝ a.d.b.d.cÝÝÝ d.a.b.d.c


	LetÝÝ AnUsers = {p₁,p₂}

	LetÝ A = {p₁.m, p₂.m}

	Example 1ÝÝÝÝ p₁.m -> p₂.m -> Stop
	Example 2ÝÝÝÝ p₁.m -> StopÝ \|\|\|Ý p₂.m -> Stop
	Example 3ÝÝÝÝ p₁.m -> StopÝÝ +ÝÝ p₂.m -> Stop

	Question: for each system, say whether or not it provides anonymity wrt A


	A more involved example:

	P =Ý p₁.m -> a -> StopÝ []Ý p₂.m -> a -> Stop
	ÝÝÝÝÝ \|\|_{_p₁_._m_,_p₂_._m _}
	ÝÝÝÝÝ p₁.m -> b -> StopÝ []Ý p₂.m -> c -> Stop

	Question: Does P provides anonymity wrt
	A = {p₁.m, p₂.m}


	Answer: No
	ÝÝ P has tracesÝ (p₁.m).b.a ,ÝÝ (p₂.m).c.aÝ ,Ý Ö
	ÝÝÝÝÝÝÝÝÝÝÝ but notÝ (p₂.m).b.a ,ÝÝ (p₁.m).c.a ,Ý Ö
	ÝÝ The permutationÝ { p₁-> p₂, p₂ -> p₁} changes the traces.

	However, if we assume that the observer has no visibility of the actions b and c, then the system does provide anonymity wrtÝÝÝ A = {p₁.m, p₂.m}

	One elegant way to formalize the concept of visibility in CSP is to use the the hiding operator:
	P\{b, c} provides anonymity wrt A

	Note: the above example shows that hiding A would not be enough


	In general, given P, consider the sets:
		A = { a.x \| a e AnUsers }Ý : the actions that we want to know only partially (we want to know x but not a)
		B :Ý the actions that we want to observe
		C = Actions ñ (B U A) Ý: The actions we want to hide


	Three cryptographers share a meal
	The meal is paid either by the organization (master) or by one of them. The decision on who pays is taken by the master
	Each of them is informed by the master whether or not he is paying

	GOAL: The cryptographers would like to know whether the organization is paying or not, but without knowing the identity of the cryptographer who is paying (if any).


	Solution: Each cryptographer tosses a coin. Each coin is in between two cryptographers.
	The result of each coin-tossing is visible to the adjacent cryptographers, and only to them.
	Each cryptographer examines the two adjacent coins
		If he is not paying, he announces ìagreeî if the results are the same, and ìdisagreeî otherwise.
		If he is paying, he says the opposite

	Claim: if the number of ìdisagreeî is even, then the master is paying. Otherwise, one of them is paying. In the latter case, the non paying cryptographers will not be able to deduce whom exactly is paying


	Specification in CSP: Master and Coins

	Master =
	Ý S_n pays.n -> notpays.(n+1) -> notpays (n+2) -> Stop
	ÝÝ + notpays.0 -> notpays.1 -> notpays.2 -> Stop

	Coin(n) = Heads(n) + Tails(n)

	Heads(n) = look.n.n.hd ->StopÝ \|\|\|Ý look.(n-1).n.hd ->Coin(n)

	Tails(n) = look.n.n.tl -> StopÝ \|\|\|Ý look.(n-1).n.tl ->Coin(n)

	Note: the arithmetic operations are modulo 3


	Specification in CSP:Ý Cryptographers

	Crypt(n) = notpays(n) -> Check(n)
	ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ [] pays(n) -> Checkí(n)

	Check(n) =Ý look.n.n?x -> look.n.(n+1)?y ->
	ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ if (x=y) then out.n.agree -> Stop
	ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ else out.n.disagree -> Stop

	Checkí(n) =Ý look.n.n?x -> look.n.(n+1)?y ->
	ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ if (x=y) then out.n.disagree -> Stop
	ÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝÝ else out.n.agree -> Stop


	Specification in CSP:Ý The whole system

	Crypts = Crypt(0)Ý \|\|\|Ý Crypt(1)Ý \|\|\|Ý Crypt(2)

	CoinsÝ =Ý Coin(0)Ý \|\|\|Ý Coin(1)Ý \|\|\|Ý Coin(2)

	MealÝÝ =Ý Master \|\|_{{pays, notpays}} ( Coins \|\|_{look} Crypts )


	The anonymity property

		A = { pays.0, pays.1, pays.2 }
		B = { out }
		C = Actions ñ (B U A) = {look,notpays}

	Theorem:Ý For every permutation r: A -> A, we have
	r(Meal\C) =_T Meal\C

		=_TÝ here represents trace equivalence.
		This theorem means that an external observer cannot infer which cryptographer has paid.

	This theorem can be proved by using the authomatic tool FDR.
	Of course, it can also be proved ìby handî. Exercise


	One can argue that previous result is not strong enough: a cryptographer has more information than an external observer. Let us then do the analysis for a cryptographer, say Crypt(0)

		A = { pays.1, pays.2 }
		B = { pays.0, notpays.0, look.0, out }
		C = Actions ñ (B U A)

	Theorem:Ý For every permutation r: A -> A, we have
	r(Meal\C) =_T Meal\C

	This means that if Crypt(1) or Crypt(2) pay, then Crypt(0) canít infer which of them has paid. The same can be shown for the other two. So Meal\C provides the desired anonymity property.


	Example of a case in which the anonymity property does not hold.
	Assume that Crypt(0) can access the result of the third coin, namely has visibility of the result of the action look.2.2

		A = { pays.1, pays.2 }
		B = { pays.0, notpays.0, look.0, out } U { look.2.2 }
		C = Actions ñ (B U A)

	We have that for some permutation r: A -> A,
	r(Meal\C)ÝÝ =/=_TÝ Meal\C

	pays.2Ý notpays.0Ý look.00.headsÝ look.0.1.headsÝ look.2.2.headsÝ out.2.disagreeÝ ÝYES
	pays.1Ý notpays.0Ý look.00.headsÝ look.0.1.headsÝ look.2.2.headsÝ out.2.disagreeÝ ÝNO