Logical Foundations for Security Protocol Analysis Patrick Lincoln John Mitchell Mark Mitchell Andre Scedrov.

Correctness vs Security
- Program or System Correctness
  - Program satisfies specification
    - For reasonable input, get reasonable output
- Program or System Security
  - Program resists attack
    - For unreasonable input, output is not completely disastrous
- Main difference
  - Active interference from environment

Main Scientific Problem
- How powerful is the adversary?
  - Simple replay of previous messages
  - Decompose, reassemble and resend
  - Statistical analysis of network traffic
  - Timing attacks
- No absolute notion of security
  - Weak adversary: any correct system is secure
  - Strong adversary: nothing is secure
    - If I can read your mind, you have no secrets

Needham-Schroeder Key Exchange
    A → B: { A, Nonce_a }_Kb
    B → A: { Nonce_a, Nonce_b }_Ka
    A → B: { Nonce_b }_Kb
- Result: A and B share two private numbers not known to any observer without Ka^-1, Kb^-1

Anomaly in Needham-Schroeder
    A → E: { A, N_a }_Ke
    E → B: { A, N_a }_Kb
    B → E: { N_a, N_b }_Ka
    E → A: { N_a, N_b }_Ka
    A → E: { N_b }_Ke
    E → B: { N_b }_Kb
- Evil agent E tricks honest A into revealing private key N_b from B. Evil E can then fool B. [Lowe]
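The interleaving above, replayed in a symbolic (Dolev-Yao style) model, as an added example that is not part of the original slides. Encryption is modelled as a tagged tuple that only the key owner can open; the `lowe_fix` flag adds the responder's identity to message 2 (Lowe's well-known repair) so that A's identity check detects the mismatch. Names and message layout are constructed for the example.

```python
def enc(key_owner, payload):
    """{ payload }_K_owner : symbolic public-key encryption, only key_owner can open it."""
    return ("enc", key_owner, payload)


def dec(me, msg):
    """Symbolic decryption: succeeds only for the key owner (Dolev-Yao assumption)."""
    tag, owner, payload = msg
    if tag != "enc" or owner != me:
        raise PermissionError(f"{me} cannot decrypt a message for {owner}")
    return payload


def run(lowe_fix):
    """One interleaved run: A initiates with E, and E relays to B.
    Returns whether B accepts the run as 'with A' and whether A aborted."""
    na, nb = "Na", "Nb"                 # constructed nonces
    m1 = enc("E", ("A", na))            # A -> E: {A, Na}_Ke
    m2 = enc("B", dec("E", m1))         # E -> B: {A, Na}_Kb  (E re-encrypts for B)
    sender, n = dec("B", m2)            # B believes the initiator is A
    # B -> "A": {Na, Nb}_Ka, or {Na, Nb, B}_Ka with Lowe's fix
    m3 = enc(sender, (n, nb, "B") if lowe_fix else (n, nb))
    payload = dec("A", m3)              # E cannot open m3, it only forwards it to A
    if payload[0] != na:                # nonce check A already performs
        return {"b_accepts": False, "a_aborts": True}
    if lowe_fix and payload[2] != "E":  # A started a run with E, but the responder says B
        return {"b_accepts": False, "a_aborts": True}
    m4 = enc("E", payload[1])           # A -> E: {Nb}_Ke  (A leaks Nb to E)
    m5 = enc("B", dec("E", m4))         # E -> B: {Nb}_Kb
    return {"b_accepts": dec("B", m5) == nb, "a_aborts": False}
```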

Analyzing Security Protocols
- Think long and hard
- BAN and other belief logics
- Specialized tools using proof search
- Exhaustive state-enumeration tools
  - Model checking using CSP, Murφ, ...
- New directions
  - Abadi-Gordon Spi-calculus
  - Probabilistic poly-time framework

Prior state of the art
- Formal protocol analysis uses Dolev-Yao model
  - Adversary is nondeterministic process
  - Adversary can
    - Block network traffic
    - Read any message, decompose into parts
    - Decrypt if key is known to adversary
    - Insert new message from data it has observed
  - Adversary cannot
    - Gain partial knowledge
    - Guess part of a key
    - Perform statistical tests, ...

Power and limitations
- Can find some attacks
  - Needham-Schroeder by exhaustive search
- Other attacks are outside model
  - Interaction between protocol and encryption
- Some protocols cannot be modeled
  - Probabilistic protocols
  - Steps that require specific properties of encryption
- Possible to prove erroneous protocol correct

Example: TMN Cell Phone Protocol
    A → S: B, {N_a}_Ks
    S → B: A
    B → S: {N_b}_Ks
    S → A: {N_b}_{N_a}
- Replay attack if N_b not fresh
  - Server rejects N_b and requests different number from B
- RSA Encryption: encrypt(k,msg) = msg^k mod N
  - Replay {N_b}_Ks * {i}_Ks = N_b^Ks * i^Ks = (N_b * i)^Ks and divide later
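The multiplicative property the slide relies on, worked through on a constructed toy RSA key as an added example (not from the slides): the product of two textbook-RSA ciphertexts is the ciphertext of the product, so once the server decrypts the blinded value the nonce is recovered by modular division. Randomized padding such as RSA-OAEP destroys this structure, which is why textbook RSA is never used directly.

```python
# Constructed toy key (the familiar p=61, q=53 example; far too small for real use):
# N = p*q, e public exponent, d private exponent with e*d = 1 mod (p-1)(q-1).
N, E, D = 3233, 17, 2753


def encrypt(msg, e=E, n=N):
    """Textbook RSA: encrypt(k, msg) = msg^k mod N, with no padding at all."""
    return pow(msg, e, n)


def decrypt(ct, d=D, n=N):
    return pow(ct, d, n)


def is_multiplicatively_homomorphic(m1, m2, e=E, n=N):
    """Check E(m1) * E(m2) == E(m1 * m2) (mod N) for the given key."""
    return encrypt(m1, e, n) * encrypt(m2, e, n) % n == encrypt(m1 * m2 % n, e, n)


def replayed_ciphertext(c_nb, i, e=E, n=N):
    """What the server receives after the replay: {N_b}_Ks * {i}_Ks = {N_b * i}_Ks.
    The replayer never needs the private key, only the observed ciphertext c_nb."""
    return c_nb * encrypt(i, e, n) % n


def recover_nb(decrypted_product, i, n=N):
    """'Divide later': N_b = (N_b * i) * i^-1 mod N.  Requires gcd(i, N) = 1."""
    return decrypted_product * pow(i, -1, n) % n


def demo(nb=65, i=7):
    """End-to-end: observed {N_b}_Ks, blinded with i, decrypted by the server, unblinded."""
    c_nb = encrypt(nb)                    # B's original {N_b}_Ks as seen on the network
    c_prod = replayed_ciphertext(c_nb, i)
    prod = decrypt(c_prod)                # server decrypts; sees N_b * i, not a known replay
    return recover_nb(prod, i)
```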

Recent Language Approach [AG97]
- Write protocol in process calculus
- Express security using observational equivalence
  - Standard relation from programming language theory
    P ≅ Q iff for all contexts C[ ], same observations about C[P] and C[Q]
  - Context (environment) represents adversary
- Use proof rules for ≅ to prove security
  - Protocol is secure if no adversary can distinguish it from some idealized version of the protocol

Probabilistic Poly-time Analysis (Our Framework)
- Adopt spi-calculus approach, add probability
- Probabilistic polynomial-time process calculus
  - Protocols use probabilistic primitives
    - Key generation, nonce, probabilistic encryption, ...
  - Adversary may be probabilistic
  - Modal type system guarantees complexity bounds
- Express protocol and specification in calculus
- Study security using observational equivalence
  - Use probabilistic form of process equivalence

Technical Challenges
- Language for prob. poly-time functions
  - Extend Hofmann language with rand
- Replace nondeterminism with probability
  - Otherwise adversary is too strong...
- Define probabilistic equivalence
  - Related to poly-time statistical tests...
- Develop specification by equivalence
  - Several examples carried out
- Proof systems for probabilistic equivalence
  - Goal for the future

Example protocol in process calc
- "Notation found in the literature"
    A → B: { m }_K
    B → A: { m+1 }_K
- Process calculus with cryptographic primitives
    let k = new_key(n) in
    let m = pick_a_number(n) in
      AB⟨encrypt(k,m)⟩ | AB(x). BA⟨encrypt(k, decrypt(k,x)+1)⟩
    end
  - This form makes assumptions and response explicit
  - Output on port AB, not m

How we specify secrecy
- Original protocol P
    A → B: { m }_K
    B → A: { m+1 }_K
- "Obviously" secret protocol Q (zero knowledge)
    A → B: { random_number }_K
    B → A: { random_number }_K
- Basic idea: P ≅ Q implies P preserves secrecy
  - If not, then some context can obtain some information from the original protocol

Nondeterminism is traditional, but...
- Nondeterminism is a useful idealization
  - Classical ∃ disguised as a computational primitive
  - Expresses extreme "good luck" or "bad luck"
    - Nondeterministic algorithm for traveling salesman: "guess" a path and check that it is correct
    - Nondeterministic semantics for parallel composition: treat any possible interleaving as significantly possible
  - Appropriate for "worst case" correctness
- Not an intrinsic property of system itself

Nondeterminism breaks encryption
- Alice encrypts message and sends to Bob
    A → B: { msg }_K
- Adversary uses nondeterministic parallelism
    Process E_0:  E⟨0⟩ | E⟨0⟩ | ... | E⟨0⟩
    Process E_1:  E⟨1⟩ | E⟨1⟩ | ... | E⟨1⟩
    Process E:    E(b_1). E(b_2). ... E(b_n). decrypt(b_1 b_2 ... b_n, msg)
  - In reality, adversary has 2^-n chance to guess n-bit key

Solution: probabilistic scheduler
- Define operational semantics
  - Probabilistic steps: let x = M in P →_r [v/x]P
  - Nondeterministic choice between parallel processes
- Each run requires probabilistic scheduler
  - Chooses step from "nondeterministic" alternatives
  - Scheduler runs in probabilistic polynomial time
  - Quantify over schedulers to get universal properties
  - Similar ideas in literature on Markov decision diagrams

Toward probabilistic equivalence
- Background: poly-time statistical tests
  - Standard notion from cryptography
  - Define crypto. strong pseudo-random sequence
- Main ideas
  - Pseudo-random generator family G = {G_n}_{n>0}
  - Test generator G_n in time poly(n)
    - Compare Test(G_k(random(n))) to Test(random(n^k))
    - Generator "secure" if results within 1/poly(n)

Observing Probabilistic Process
- Observations
  - Compare |Prob[P → "yes"] - Prob[Q → "yes"]| < ε
  - How small ε is small?
    - Less than 1/2, 1/4, ...? (not equiv relation for fixed ε)
    - Vanishingly small?
    - How fast should ε → 0? As a function of what?
- Cryptographic protocols
  - Use encryption keys of a certain length
    - Protocol is family {P_n}_{n>0} indexed by key length
  - Increasing key length ⇒ increasing security

Probabilistic Observational Equiv
- Processes P, Q are ε-indistinguishable, P ≅_ε Q, if
    ∀ contexts C[ ]. ∀ observations v.
      |Prob[C[P] → v] - Prob[C[Q] → v]| < ε
- Asymptotically within f
  - Process, context families {P_n}_{n>0}, {Q_n}_{n>0}, {C_n}_{n>0}
    P ≅_f Q if ∀ contexts C[ ]. ∀ obs v. ∃ n_0. ∀ n > n_0.
      |Prob[C_n[P_n] → v] - Prob[C_n[Q_n] → v]| < f(n)
- Asymptotically polynomially indistinguishable
    P ≅ Q if P ≅_f Q for every polynomial f(n) = 1/p(n)
  - Final def'n gives robust equivalence relation

Basic example
- Sequence generated from random seed
    P_n: let b = n^k-bit sequence generated from n random bits in PUBLIC⟨b⟩ end
- Truly random sequence
    Q_n: let b = sequence of n^k random bits in PUBLIC⟨b⟩ end
- P is crypto strong pseudo-random generator ⇔ P ≅ Q

Protocol P [Diffie, Hellman, ElGamal]
    A → B: g^a mod p
    B → A: g^b mod p
    A → B: msg * g^ab mod p
- Prime p and generator g of Z_p are public
- Passive eavesdropper has small chance at msg

Specification Q
    A → B: random_number mod p
    B → A: random_number mod p
    A → B: random_number mod p
- Network traffic should look like 3 random numbers

Analysis
- Prove P ≅ Q?
  - Prove difficulty of computing discrete logarithm?
- Better: reduction from a discrete log problem
  - Strategy to distinguish P from Q with prob > 1/poly ⇒ win Diffie-Hellman game with prob > 1/poly
- Decision-Diffie-Hellman problem
  - Given two triples: ⟨x, y, z⟩ and ⟨g^u, g^v, g^uv⟩
  - Decide which is which (u, v, x, y, z chosen randomly)
  - Note: this is for passive eavesdropper only
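The distinguishing game from the Probabilistic Observational Equiv and Analysis slides, made concrete as an added example (not from the slides): a "context" is a function that answers yes/no on a transcript, and its advantage is |Prob[C[P] → yes] - Prob[C[Q] → yes]| estimated over many trials. The group is a constructed toy (p = 1019, g = 2, chosen so that brute-force discrete log is feasible); the brute-force context stands in for "any strategy that wins the Diffie-Hellman game", which is exactly what the reduction says a successful distinguisher must be.

```python
import random

P, G = 1019, 2   # constructed toy group; 2 generates Z_1019^* (tiny on purpose)


def real_triple(rng):
    """Protocol P transcript as a DDH triple: (g^u, g^v, g^uv) for random u, v."""
    u, v = rng.randrange(1, P - 1), rng.randrange(1, P - 1)
    return (pow(G, u, P), pow(G, v, P), pow(G, u * v, P))


def random_triple(rng):
    """Specification Q: three independent random group elements."""
    return tuple(rng.randrange(1, P) for _ in range(3))


def dlog(h):
    """Brute-force discrete log base G mod P; only feasible because P is tiny."""
    acc = 1
    for x in range(P - 1):
        if acc == h:
            return x
        acc = acc * G % P
    return None


def context_ignores(triple):
    """A context that does not use the DH structure: its answer is noise."""
    return triple[0] % 2 == 0


def context_dlog(triple):
    """A context that solves discrete log and checks z == y^u, i.e. wins the DDH game."""
    x, y, z = triple
    u = dlog(x)
    return u is not None and pow(y, u, P) == z


def advantage(context, trials=500, seed=7):
    """Estimate |Prob[C[P] -> yes] - Prob[C[Q] -> yes]| by sampling both families."""
    rng = random.Random(seed)
    yes_p = sum(context(real_triple(rng)) for _ in range(trials))
    yes_q = sum(context(random_triple(rng)) for _ in range(trials))
    return abs(yes_p - yes_q) / trials
```

With a realistic group size the `context_dlog` strategy is infeasible, so every polynomial-time context looks like `context_ignores`, which is the content of the DDH assumption.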

ElGamal Analysis: So what?
- Characterize security by number-theoretic game
  - Decision Diffie-Hellman appears in literature
  - Previously studied, believed hard
- Remove doubt about protocol, up to common cryptographic assumptions
  - Simplified example since this protocol can be subverted by replacing g^a by g^c

Current state of project
- Better foundations for protocol analysis?
  - Determine crypto requirements of protocols!
- Probabilistic ptime language
  - Extended Hofmann language with rand
- Pi-calculus-like process framework
  - Replaced nondeterminism with rand
  - Equivalence based on ptime statistical tests
- Specifications of secrecy, authenticity
- Simple examples
- Work in progress...