Reasoning about Cryptographic Protocols in the Spi Calculus 1 from Cryptography to Testing Equivalence

Author

  • Andrew D. Gordon
Abstract

The spi calculus is an extension of the pi calculus with constructs for encryption and decryption. This paper develops the theory of the spi calculus, focusing on techniques for establishing testing equivalence, and applying these techniques to the proof of authenticity and secrecy properties of cryptographic protocols.

The idea of controlling communication by capabilities underlies both the pi calculus and much of the current work on security in distributed systems (see e.g. [MPW92, Lie93, Sch96b]). In the pi calculus, channel names are capabilities; a process can use a channel only if it has invented or been given the name of the channel, but cannot guess this name. In work on security, on the other hand, the capabilities for communication are often keys, which are used for encrypting and decrypting messages that travel on otherwise unprotected channels. These observations motivate the definition of the spi calculus, an extension of the pi calculus with constructs for encryption and decryption. In a recent paper [AG97a], we introduced the spi calculus and we showed how it can be used for describing protocols, particularly authentication protocols. This paper develops the theory of the spi calculus, concentrating on results and techniques for verifying security properties of protocols.

As a first, informal example, let us consider a protocol where a user A sends a message M under a shared key K to a user B on a public channel. It is straightforward to write this protocol in the spi calculus. We may want to formalise, and then verify, two important properties of this protocol: (1) if B receives a message, then it is the one that A sent, and (2) no eavesdropper learns M. These properties hold even in the presence of an active attacker, provided the attacker does not have access to K.

Taking the point of view of such an attacker, we can rephrase properties (1) and (2) in terms of an informal notion of indistinguishability: (1) the protocol is indistinguishable from one where B discards the message that it receives and acts as though the message was M, and (2) assuming that A and B do not reveal M beforehand or afterwards, the protocol is indistinguishable from one where some other message M′ is sent instead of M. In light of this example, it seems important to find a formal counterpart to the informal notion of indistinguishability. The concurrency literature …


Similar resources

Improved SPI Calculus for Reasoning on Cryptographic Protocols

Most cryptographic protocols are subject to very subtle attacks. Therefore, many researchers have developed tools to model and analyze protocols to guarantee their security properties. The spi calculus has proved to be useful for analyzing and reasoning on cryptographic protocols. However, current works assumed that the spi calculus dealt with transferring a single unstructured message for ...


A Calculus for Cryptographic Protocols the Spi Calculus 1 Security and the Pi Calculus

We introduce the spi calculus, an extension of the pi calculus designed for the description and analysis of cryptographic protocols. We show how to use the spi calculus, particularly for studying authentication protocols. The pi calculus (without extension) suffices for some abstract protocols; the spi calculus enables us to consider cryptographic issues in more detail. We represent protocols as ...


Equivalences and Calculi for Formal Verification of Cryptographic Protocols

Security protocols are essential to the proper functioning of any distributed system running over an insecure network but often have flaws that can be exploited even without breaking the cryptography. Formal cryptography, the assumption that the cryptographic primitives are flawless, facilitates the construction of formal models and verification tools. Such models are often based on process cal...


A Calculus for Cryptographic Protocols

We introduce the spi calculus, an extension of the pi calculus designed for describing and analyzing cryptographic protocols. We show how to use the spi calculus, particularly for studying authentication protocols. The pi calculus (without extension) suffices for some abstract protocols; the spi calculus enables us to consider cryptographic issues in more detail. We represent protocols as proce...


Implementing Spi Calculus Using Nominal Techniques

The aim of this work is to obtain an interactive proof environment based on Isabelle/HOL for reasoning formally about cryptographic protocols, expressed as processes of the spi calculus (a π-calculus with cryptographic primitives). To this end, we formalise syntax, semantics, and hedged bisimulation, an environment-sensitive bisimulation which can be used for proving security properties of prot...



Publication date: 1997