In Proceedings of 21st IEEE Computer Security Foundations Symposium (CSF'08). IEEE Computer Society

Language Based Secure Communication

Michele Bugliesi and Riccardo Focardi
Dipartimento di Informatica, Università Ca' Foscari di Venezia
{bugliesi,focardi}@dsi.unive.it

Abstract

Secure communication in distributed systems is notoriously hard to achieve due to the variety of attacks an adversary can mount, based on message interception, modification, redirection, eavesdropping or, even more subtly, on traffic analysis. In the literature on process calculi, traditional solutions to the problem either draw on low-level cryptographic primitives, as in the spi or applied-pi calculi, or rely on very abstract, and hard-to-implement, mechanisms to hide communication by means of private channels, as in the pi-calculus. A more recent line of research follows a different approach, aimed at identifying security primitives adequate as high-level programming abstractions, and at the same time well-suited for security analysis and verification in adversarial settings. The present paper makes a step further in that direction. We develop a calculus of secure communication based on core abstractions that support concise, high-level programming idioms for distributed, security-sensitive applications, and at the same time are powerful enough to express a full-fledged adversarial setting. Drawing on this calculus, we investigate reasoning methods for security based on the long-established practice by which security properties are defined in terms of behavioral equivalences. We give a co-inductive characterization of behavioral equivalence, in terms of bisimulation, and develop powerful up-to techniques to provide simple co-inductive proofs. We illustrate the adequacy of the model with several security laws for secrecy and authentication.
1 Introduction

Security in pi-calculus and related process algebraic formalisms is based on a conceptually simple but powerful mechanism: communication over private channels. Data can be created and circulated among the components of a system (the principals of a protocol), and the scope rules guarantee that the environment of the system (the attacker of the protocol) cannot access any piece of data that is exchanged over a private channel. The scope rules are thus the basis for security. Unfortunately, however, the security guarantees they convey are often hard to realize in practice, for several reasons, some of which we discuss next (the following observations are not ours, but due to [1]).

Protection from traffic analysis. The observational theory of the pi-calculus validates equations like the one displayed below:

$$\nu n(\, \bar{n}\langle m\rangle \mid n(x).P \,) = P\{m/x\}$$

Mimicking this behavior in an implementation is costly, as it requires communication protocols resilient to attacks based on traffic analysis.

Message delivery. Another problem with the previous equation is that it presupposes that messages sent on private channels will indeed be delivered to the intended recipients (and to no-one else). While that is convenient at the specification level, implementing a corresponding behavior in a low-level environment requires enough redundancy to compensate for the potential of packet loss and message interception.

Forward Secrecy. The use of private channels for secrecy yields behavioral equivalences that are even more problematic. For instance, the equation

$$\nu n(\, \bar{n}\langle m\rangle \mid n(x).\bar{p}\langle n\rangle \,) = \nu n(\, \bar{n}\langle m'\rangle \mid n(x).\bar{p}\langle n\rangle \,)$$

guarantees the secrecy of the exchange on the private channel n, even though n is made public after the exchange. In a distributed environment, where n might be thought of as an encrypted channel, an adversary may learn the message sent on n by buffering it and waiting until the key associated to n is finally made public.
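The forward-secrecy gap just described, as an added toy simulation that is not part of the paper: the restricted channel n is realised as a fresh symmetric key, an output on n travels the network as a ciphertext, and a passive observer who buffers that ciphertext recovers m as soon as n is published on the public channel p. The one-time pad, the `Wire` class and the function names are assumptions made for this example only.

```python
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Toy realisation of  νn( n̄⟨m⟩ | n(x).p̄⟨n⟩ )  over an observable network.
# The cipher is a one-time pad keyed by n, chosen only to keep the example
# dependency-free; the leak shown below does not depend on the cipher.

def xor_pad(key: bytes, data: bytes) -> bytes:
    """One-time pad: the same operation encrypts and decrypts."""
    if len(key) < len(data):
        raise ValueError("key too short for message")
    return bytes(k ^ b for k, b in zip(key, data))

@dataclass
class Wire:
    """Everything ever transmitted; a passive adversary sees and buffers all of it."""
    log: List[Tuple[str, bytes]] = field(default_factory=list)

    def send(self, channel: str, payload: bytes) -> None:
        self.log.append((channel, payload))

def protocol(wire: Wire, m: bytes) -> bytes:
    """Runs the left-hand side of the equation: send m on private n, then publish n."""
    n = os.urandom(len(m))            # νn: fresh restricted channel, realised as a fresh key
    wire.send("n", xor_pad(n, m))     # n̄⟨m⟩: on the wire this is a ciphertext under n
    x = xor_pad(n, wire.log[-1][1])   # n(x): the intended receiver decrypts with n
    wire.send("p", n)                 # p̄⟨n⟩: n is made public in the clear
    return x

def adversary(wire: Wire) -> Tuple[Optional[bytes], Optional[bytes]]:
    """What the attacker learns about m (before, after) n appears on channel p."""
    buffered = wire.log[0][1]         # the ciphertext sent on n, kept for later
    before: Optional[bytes] = None    # with only the ciphertext, m stays hidden
    after: Optional[bytes] = None
    for channel, payload in wire.log[1:]:
        if channel == "p":            # the key behind n is now public: decrypt the buffer
            after = xor_pad(payload, buffered)
    return before, after

def forward_secrecy_demo(m: bytes = b"secret") -> Tuple[bool, bool]:
    """Returns (receiver got m, adversary recovered m after n was published)."""
    wire = Wire()
    received = protocol(wire, m)
    before, after = adversary(wire)
    # The pi-calculus equation says m is unobservable; the implementation leaks it
    # the moment n is published, because the earlier traffic was buffered.
    return received == m, after == m
```

The second flag in the returned pair is what the equation above denies and the distributed realisation admits.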
In sum, scoping is convenient in pi calculus as a mechanism for writing security specifications, but tends to be too abstract (when applied to channels), hence stronger than what can be achieved in practice. In fact, distributed applications often rely on lower-level cryptographic constructs