Universally Composable Symbolic Analysis of Cryptographic Protocols


Universally Composable Symbolic Analysis of Cryptographic Protocols Ran Canetti and Jonathan Herzog 6 March 2006 The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the author.

Universally Composable Automated Analysis of Cryptographic Protocols Ran Canetti and Jonathan Herzog 6 March 2006 The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the author.

Overview
- This talk: symbolic analysis can guarantee universally composable (UC) key exchange (paper also includes mutual authentication)
- Symbolic (Dolev-Yao) model: high-level framework
  - Messages treated symbolically; adversary extremely limited
  - Despite (general) undecidability, proofs can be automated
- Result: symbolic proofs are computationally sound (UC)
  - For some protocols
  - For a strengthened symbolic definition of secrecy
  - With UC theorems, it suffices to analyze a single session. Implies decidability!

Needham-Schroeder-Lowe protocol (Prev: A, B get each other's public encryption keys)
  A -> B: EKB(A || Na)
  B -> A: EKA(Na || Nb || B)
  A -> B: EKB(Nb)
  Both parties then output K.
- Version 1: K = Na
- Version 2: K = Nb
- Which one is secure?

Two approaches to analysis
- Standard (computational) approach: reduce attacks to a weakness of the encryption
- Alternate approach: apply methods of the symbolic model
  - Originally proposed by Dolev & Yao (1983)
  - Cryptography without probability, security parameter, etc.
  - Messages are parse trees: countable symbols for keys (K, K', ...), names (A, B, ...) and nonces (N, N', Na, Nb, ...); encryption (EK(M)) and pairing (M || N) are constructors
  - Participants send/receive messages and output some key symbol

The symbolic adversary
- Explicitly enumerated powers
- Interacts with a countable number of participants
- Knows all public values and non-secret keys
- Limited set of re-write rules:
  - from M1, M2: derive M1 || M2
  - from M, K: derive EK(M)
  - from EK(M), K-1: derive M

'Traditional' symbolic secrecy
- Conventional goal for symbolic secrecy proofs: "If A or B output K, then no sequence of interactions/rewrites can result in K"
- Undecidable in general [EG, HT, DLMS], but:
  - Decidable with bounds [DLMS, RT]
  - Also, the general case can be automatically verified in practice
- Demo 1: analysis of both NSLv1, NSLv2
- So what? The symbolic model has a weak adversary and strong assumptions; we want computational properties! ...But can we harness these automated tools?
(EG = Even & Goldreich; HT = Heintze & Tygar; DLMS = Durgin, Lincoln, Mitchell, Scedrov; RT = Rusinowitch & Turuani)

What we'd like
- Symbolic protocol -> Symbolic key-exchange: simple, automated
- Concrete protocol -> Symbolic protocol: natural translation for a large class of protocols
- Symbolic key-exchange -> Computational key-exchange: 'Soundness' (need only be done once)
- Concrete protocol -> Computational key-exchange: would like

Some previous work
- General area:
  - [AR]: soundness for indistinguishability; passive adversary
  - [MW, BPW]: soundness for general trace properties; includes mutual authentication; active adversary
  - Many, many others
- Key-exchange in particular (independent work):
  - [BPW]: (later)
  - [CW]: soundness for key-exchange; traditional symbolic secrecy implies (weak) computational secrecy
(AR = Abadi-Rogaway; MW = Micciancio-Warinschi)

Limitations of 'traditional' secrecy
- Big question: can 'traditional' symbolic secrecy imply standard computational definitions of secrecy?
- Unfortunately, no. Counter-example (demo): NSLv2 satisfies traditional secrecy but cannot provide real-or-random secrecy in standard models; it falls prey to the 'Rackoff' attack

The 'Rackoff attack' (on NSLv2)
- The run between B and the adversary (Adv) consists of the NSL messages EKB(A || Na), EKA(Na || Nb || B), EKB(Nb)
- Adv is handed the candidate key K (real or random) and sends EKB(K) to B
- B tests K =? Nb: it outputs K if K = Nb and a different value otherwise (O.W.)
- Adv therefore sees whether K = Nb, i.e. whether it was given the real key

Achieving soundness
- Soundness requires a new symbolic definition of secrecy
- [BPW]: 'traditional' secrecy + 'non-use'
  - Thm: new definition implies secrecy (in their framework)
  - But: must analyze infinite concurrent sessions and all resulting protocols
- Here: 'traditional' secrecy + symbolic real-or-random
  - Non-interference property; close to 'strong secrecy' [B]
  - Thm: new definition equivalent to UC secrecy
  - Demonstrably automatable (Demo 2)
  - Suffices to consider a single session! (Infinite concurrency results from joint-state UC theorems)
  - Implies decidability (forthcoming)

Decidability (not in paper)

                      Traditional secrecy                  Symbolic real-or-random
  Unbounded sessions  Undecidable [EG, HT, DLMS]           [B]
  Bounded sessions    Decidable (NP-complete) [DLMS, RT]

(EG = Even & Goldreich; HT = Heintze & Tygar; DLMS = Durgin, Lincoln, Mitchell, Scedrov; RT = Rusinowitch & Turuani)

Proof overview (soundness)
- Symbolic key-exchange: construct a simulator (information-theoretic)
- Must strengthen the notion of UC public-key encryption
- Intermediate step: trace properties (as in [MW, BPW]): every activity-trace of the UC adversary could also be produced by the symbolic adversary. Rephrased: the UC adversary is no more powerful than the symbolic adversary
- Chain of reductions:
  Single-session UC KE (ideal crypto)
    -> [UC with joint state [CR] (info-theoretic)] ->
  Multi-session UC KE (ideal crypto)
    -> [UC theorem] ->
  Multi-session KE (CCA-2 crypto)

Summary & future work
- Result: symbolic proofs are computationally sound (UC)
  - For some protocols
  - For a strengthened symbolic definition of secrecy
  - With UC theorems, it suffices to analyze a single session. Implies decidability!
- Additional primitives: have public-key encryption, signatures [P]; would like symmetric encryption, MACs, PRFs...
- Symbolic representation of other goals: commitment schemes, ZK, MPC...

Backup slides

Two challenges
- Traditional secrecy is undecidable for:
  - Unbounded message sizes [EG, HT], or
  - Unbounded number of concurrent sessions
  - (Decidable when both are bounded) [DLMS]
- Traditional secrecy is unsound
  - Cannot imply standard security definitions for computational key exchange
  - Example: NSLv2 (Demo)
(EG = Even and Goldreich, On the security of ping-pong protocols (1983); HT = Heintze, Tygar, A model for secure protocols and their composition, 1994 (Oakland); DLMS = Durgin, Lincoln, Mitchell, Scedrov, Multiset rewriting and complexity of bounded security protocols (2003))

Prior work: BPW
- New symbolic definition
- Theory: implies UC key exchange (public-key & symmetric encryption, signatures)
- Practice:

Our work
- New symbolic definition: 'real-or-random'
- Theory: equivalent to UC key exchange (public-key encryption [CH], signatures [P]); UC suffices to examine a single protocol run
- Practice: automated verification! Single run + finite system: decidability?
- Demo 3: UC security for NSLv1

Our work: solving the challenges
- Soundness requires a new symbolic definition of secrecy
  - Ours: purely symbolic expression of 'real-or-random' security
  - Result: new symbolic definition equivalent to UC key exchange
- UC theorems: sufficient to examine a single protocol in isolation
  - Thus, bounded numbers of concurrent sessions
  - Automated verification of our new definition is decidable!... Probably

Summary
- Symbolic key-exchange sound in UC model
- Computational crypto can now harness symbolic tools
- Now have the best of both worlds: security and automation!
Future work

Secure key-exchange: UC (diagram: participants P, key K, adversary A)
- Answer: yes, it matters
- Negative result [CH]: traditional symbolic secrecy does not imply universally composable key exchange

Secure key-exchange: UC (diagram: participants P, functionality F, simulator S, adversary A, key K)
- Adversary gets the key when it is output by the participants
- Does this matter? (Demo 2)

Secure key-exchange [CW] (diagram: participants P, keys K, K', adversary A)
- Adversary interacts with participants
- Afterward, receives the real key and a random key
- Protocol secure if adversary unable to distinguish
- NSLv1, NSLv2 satisfy the symbolic definition of secrecy; therefore NSLv1, NSLv2 meet this definition as well

KE (diagram: functionality F, participants P, simulator S, adversary A)
- Adversary unable to distinguish real/ideal worlds
- Effectively: real or random keys
- Adversary gets candidate key at end of protocol
- NSL1, NSL2 secure by this definition

Analysis strategy
- Dolev-Yao protocol -> Dolev-Yao key-exchange: simple, automated
- Concrete protocol -> Dolev-Yao protocol: natural translation for a large class of protocols
- Dolev-Yao key-exchange -> UC key-exchange functionality: main result of talk (need only be done once)
- Concrete protocol -> UC key-exchange functionality: would like

"Simple" protocols
- Concrete protocols that map naturally to the Dolev-Yao framework
- Two cryptographic operations: randomness generation; encryption/decryption (this talk: asymmetric encryption)
- Example: Needham-Schroeder-Lowe
  P1 -> P2: {P1, N1}K2
  P2 -> P1: {P2, N1, N2}K1
  P1 -> P2: {N2}K2

UC Key-Exchange Functionality FKE (diagram)
- P1 sends (P1 P2) and P2 sends (P2 P1) to FKE; FKE forwards (P1 P2) and (P2 P1) to the adversary A
- FKE picks the key k in {0,1}^n and delivers Key k to P1 and to P2; A is told only Key P1 / Key P2, not k (marked X on the slide)

The Dolev-Yao model (diagram: participants P1, P2, adversary A)
- Participants and adversary take turns
- Participant turn: receives M1 from A, replies with M2
- Local output L: not seen by adversary

The Dolev-Yao adversary (diagram)
- Adversary turn: application of deduction rules to its knowledge set Know

Dolev-Yao adversary powers

  Already in Know          Can add to Know
  M1, M2                   Pair(M1, M2)
  Pair(M1, M2)             M1 and M2
  M, K                     Enc(M, K)
  Enc(M, K), K-1           M

- Always in Know: randomness generated by adversary; private keys generated by adversary; all public keys

The Dolev-Yao adversary (diagram: A sends a message M from Know to P1 or P2)

Dolev-Yao key exchange
- Assume that the last step of a (successful) protocol execution is the local output (Finished Pi Pj K)
- Key agreement: if P1 outputs (Finished P1 P2 K) and P2 outputs (Finished P2 P1 K') then K = K'
- Traditional Dolev-Yao secrecy: if Pi outputs (Finished Pi Pj K), then K can never be in the adversary's set Know
- Not enough!

Goal of the environment
- Recall that the environment Z sees the outputs of participants
- Goal: distinguish real protocol from simulation
  - In the protocol execution, the output of participants (session key) is related to protocol messages
  - In the ideal world, the output is independent of the simulated protocol
- If there exists a detectable relationship between session key and protocol messages, the environment can distinguish
  - Example: last message of protocol is {"confirm"}K where K is the session key; Z can decrypt it with the participant output from the real protocol, but can't in the simulated protocol

Real-or-random (1/3)
- Need: real-or-random property for session keys
  - Can think of the traditional goal as "computational"; need a stronger "decisional" goal, expressed in the Dolev-Yao framework
- Let  be a protocol
- Let r be , except that when a participant outputs (Finished Pi Pj Kr), Kr is added to Know
- Let f be , except that when any participant outputs (Finished Pi Pj Kr), a fresh key Kf is added to the adversary set Know
- Want: adversary can't distinguish the two protocols

Real-or-random (2/3)
- Attempt 1: Let Traces() be the traces the adversary can induce on . Then: Traces(r) = Traces(f)
  - Problem: Kf not in any traces of r
- Attempt 2: Traces(r) = Rename(Traces(f), Kf  Kr)
  - Problem: two different traces may "look" the same
  - Example protocol: if a participant receives the session key, it encrypts "yes" under its own (secret) key; otherwise, it encrypts "no" instead. Traces differ, but the adversary can't tell

Real-or-random (3/3)
- Observable part of trace: Abadi-Rogaway pattern
  - Undecipherable encryptions replaced by "blob"
  - Example: t = {N1, N2}K1, {N2}K2, K1-1
    Pattern(t) = {N1, N2}K1, (blob)K2, K1-1
- Final condition: Pattern(Traces(r)) = Pattern(Rename(Traces(f), Kf  Kr))
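The adversary's deduction rules, the traditional secrecy check of Demo 1, the Rackoff test on NSLv2 and the Abadi-Rogaway pattern above, worked through in one small Python model. This is an added example, not the authors' code or the tool used in the demos; it assumes a single passive NSL run as the observed trace, a fixed set of public symbols, and models B only by its acceptance check on the third message.

```python
def inv(k):
    """Inverse of a key symbol: public KB <-> private KB^-1."""
    return k[:-3] if k.endswith("^-1") else k + "^-1"

def kind(m):
    return m[0] if isinstance(m, tuple) else "atom"   # atoms are plain strings

def analyse(know):
    """Close Know under the analysis rules (split pairs, decrypt with a known inverse key)."""
    know = set(know)
    while True:
        new = set()
        for m in know:
            if kind(m) == "pair":
                new |= {m[1], m[2]}
            elif kind(m) == "enc" and inv(m[1]) in know:
                new.add(m[2])
        if new <= know:          # steps only shrink terms, so this fixpoint is finite
            return know
        know |= new

def derivable(m, know):
    """Synthesis check on an analysed Know: build m by pairing and encrypting known terms."""
    if m in know:
        return True
    if kind(m) in ("pair", "enc"):
        return derivable(m[1], know) and derivable(m[2], know)
    return False

def pattern(m, know):
    """Abadi-Rogaway pattern: an undecipherable encryption becomes ("blob", key)."""
    if kind(m) == "pair":
        return ("pair", pattern(m[1], know), pattern(m[2], know))
    if kind(m) == "enc":
        return ("enc", m[1], pattern(m[2], know)) if inv(m[1]) in know else ("blob", m[1])
    return m

# Constructed passive trace of one NSL run: the three messages from the slide.
PUBLIC = {"A", "B", "KA", "KB"}                         # always in Know
NSL = [("enc", "KB", ("pair", "A", "Na")),
       ("enc", "KA", ("pair", "Na", ("pair", "Nb", "B"))),
       ("enc", "KB", "Nb")]

def traditional_secrecy(key):
    """'No sequence of rewrites results in K' against the observed trace."""
    return not derivable(key, analyse(PUBLIC | set(NSL)))

def rackoff_distinguishes(session_key):
    """Real-or-random test from the 'Rackoff attack' slide: Adv is handed candidate key K,
    sends EKB(K) as message 3 and sees whether B accepts (B accepts iff plaintext == Nb)."""
    def b_accepts(k):
        probe = ("enc", "KB", k)
        assert derivable(probe, analyse(PUBLIC | set(NSL) | {k}))   # Adv can build it
        return probe[2] == "Nb"
    return b_accepts(session_key) != b_accepts("Kf")   # Kf: constructed fresh key
```

Both NSL versions pass the traditional check on this trace, while only K = Nb (NSLv2) lets B's behaviour reveal whether the candidate key was real.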

Main results
- Let key-exchange in the Dolev-Yao model be: key agreement; traditional Dolev-Yao secrecy of the session key; real-or-random
- Let  be a simple protocol that uses UC asymmetric encryption. Then: DY() satisfies Dolev-Yao key exchange iff UC() securely realizes FKE

Future work
- How to prove Dolev-Yao real-or-random? Needed for UC security; not previously considered in the Dolev-Yao literature. Can it be automated?
- Weaker forms of DY real-or-random
- Similar results for symmetric encryption and signatures