Secrecy Despite Compromise: Types, Cryptography, and the Pi-Calculus
A realistic threat model for cryptographic protocols or for language-based security should include a dynamically growing population of principals (or security levels), some of which may be compromised, that is, come under the control of the adversary. We explore such a threat model within a pi-calculus. A new process construct records the ordering between security levels, including the possibility of compromise. Another expresses the expectation of conditional secrecy of a message—that a particular message is unknown to the adversary unless particular levels are compromised. Our main technical contribution is the first system of secrecy types for a process calculus to support multiple, dynamically-generated security levels, together with the controlled compromise or downgrading of security levels. A series of examples illustrates the effectiveness of the type system in proving secrecy of messages, including dynamically-generated messages. It also demonstrates the improvement over prior work obtained by including a security ordering in the type system. Perhaps surprisingly, the soundness proof for our type system for symbolic cryptography is via a simple translation into a core typed pi-calculus, with no need to take symbolic cryptography as primitive.
Keywords: Type System, Security Level, Security Protocol, Cryptographic Protocol, Process Construct
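A toy run-time model of the two constructs the abstract describes (a recorded ordering between dynamically created levels, and an expectation of conditional secrecy), added here as an illustration. It is not code from the paper, which establishes secrecy statically by typing. Assumptions of this sketch: compromise is modelled as a level being ordered below a distinguished adversary level (`ADVERSARY`), an expectation is met when any listed level is compromised, and all class, method, level and message names are hypothetical.

```python
from collections import defaultdict

ADVERSARY = "bottom"  # hypothetical name for the adversary's own level


class Monitor:
    """Dynamic check only; the paper's guarantee comes from a type system."""

    def __init__(self):
        self.up = defaultdict(set)  # level -> levels recorded directly above it
        self.known = set()          # messages the adversary has learned
        self.expect = []            # (message, levels) secrecy expectations

    def new_level(self, name):
        self.up[name]               # levels may be created at any time
        return name

    def record_leq(self, low, high):
        self.up[low].add(high)      # ordering statement: low <= high

    def compromise(self, level):
        self.record_leq(level, ADVERSARY)  # assumed encoding of compromise

    def is_compromised(self, level):
        # True when level <= ADVERSARY in the reflexive-transitive closure.
        seen, stack = set(), [level]
        while stack:
            cur = stack.pop()
            if cur == ADVERSARY:
                return True
            if cur not in seen:
                seen.add(cur)
                stack.extend(self.up.get(cur, ()))
        return False

    def violations(self):
        # An expectation fails if the adversary knows the message although
        # none of the levels it was conditioned on is compromised.
        return [(m, sorted(ls)) for m, ls in self.expect
                if m in self.known and not any(map(self.is_compromised, ls))]


def demo():
    m = Monitor()
    alice, bob = m.new_level("alice"), m.new_level("bob")
    session = m.new_level("session-1")   # constructed sample level
    m.record_leq(session, alice)
    m.expect += [("k1", {alice}), ("k2", {bob})]
    m.known |= {"k1", "k2"}              # adversary learns both messages
    before = m.violations()
    m.compromise(alice)                  # later event: alice is compromised
    return before, m.violations(), m.is_compromised(session)
```

In `demo`, the leak of `k1` stops being a violation once `alice` is compromised, while the leak of `k2` remains one because `bob` is not; `session-1` counts as compromised through the recorded ordering.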