Download presentation
Presentation is loading. Please wait.
1
Symbolic Logic for Complexity- theoretic Model of Security Protocols Anupam Datta Ante Derek John C. Mitchell Vitaly Shmatikov Mathieu Turuani May 5, 2005
2
Security Protocols uSecurity Protocol Distributed program Uses cryptography to accomplish goal Network controlled by adversary uExamples Internet Engineering Task Force (IETF), IEEE Working Group Standards –SSL/TLS - web authentication –IPSec - corporate VPNs –Mobile IPv6 – routing security –Kerberos - network authentication –GDOI – secure group communication –802.11i - wireless security
3
Engineering practice uIdentify requirements uDesign protocol uThink hard uThink some more uCan’t find attack protocol “secure” uImplement uDeploy
4
Protocol flaws uIEEE 802.11i wireless authentication uIPSec’s IKE key exchange uIETF GDOI secure group communication uIETF Mobile IPv6 security u…many more These are protocols designed for real networks
5
Engineering Practice (Cycle 2) uSomeone else thinks hard and finds attack uGo back to cycle 1: Fix protocol Reimplement Redeploy
6
This is Theory Lunch… uWe like to do rigorous proofs uBut prove what? uWhat does “secure” mean? uWhat is the model of protocol execution and attack?
7
Problem Statement Cryptographers and logicians working in computer security don’t talk to each other (Disclaimer: Examples not representative)
8
Symbolic model [NS78,DY84,…] Complexity-theoretic model [GM84,…] Attacker actions-Fixed set of actions, e.g., decryption with known key (ABSTRACTION) + Any probabilistic poly-time computation Security properties-Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION) + Fine-grained, e.g., secret message = no partial information about bitstring representation Analysis methods+ Successful array of tools and techniques; automation - Hand-proofs are difficult, error-prone; no automation Can we get the best of both worlds? Two worlds
9
Logic 101 (Recall) uLogic Syntax Formulas –p, p q, (p q), p q SemanticsTruth –Model, M = {p = true, q = false} M |= p q uProof System Axioms and proof rules Provability –p (q p)p p q q Soundness Theorem –Provability implies truth
10
Our Approach Protocol Composition Logic (PCL) Syntax Proof System Symbolic “Dolev-Yao” model Semantics Computational PCL Syntax ± Proof System ± Complexity-theoretic model Semantics PhD Oral May 10, 11AM Right here
11
Main Result uComputational PCL: A symbolic logic for proving security properties of network protocols that use public-key encryption uSoundness Theorem: If a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1. + Symbolic proofs + Complexity-theoretic model
12
Computational PCL uSyntax Expressing security properties uProof System Proving security properties Soundness Theorem uSemantics Complexity-theoretic Model –Attacker – any PPT algorithm –Meaning of security properties
13
Example 1 AB A, B, {n, A} B B, A, n uSecurity Property - authentication [Initiator Program] A Honest(B) ActionsInOrder( send(A, msg1), receive(B, msg1), send(B, msg2), receive(A, msg2 ) )
14
Example 2 AB A, B, {n, A} B uSecurity Property - secrecy [Initiator Program] A Honest(B) ( X (X A,B) Indistinguishable(X,n)
15
Logic Syntax
16
Proof System
17
Soundness of proof system uInformation-theoretic reasoning [new u] X (Y X) Indistinguishable(Y, u) uComplexity-theoretic reductions Source(Y,u,{m} X ) Decrypts(X, {m} X ) Honest(X,Y) (Z X,Y) Indistinguishable(Z, u) uAsymptotic calculations Sum of two negligible functions is a negligible function Reduction to IND-CCA2-secure encryption scheme
18
Big picture Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption) Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme) Axiom in proof system Protocol security proofs using proof system Semantics and soundness theorem
19
Complexity-theoretic semantics uQ |= if A D f negligible n 0 n > n 0 function s.t. Fix protocol Q, PPT adversary A, security parameter n Vary random bits used by all programs Obtain set of equi- probable traces, T(Q,A,n) T( ) T(Q,A,n) |T( )|/|T(Q,A,n)| > 1 –f(n) Represents probability
20
Inductive Semantics uConsider set of traces T(Q,A,n) T( 1 2 ) = T( 1 ) T( 2 ) T( 1 2 ) = T( 1 ) T( 2 ) T( ) = T( ) Semantics of formulas are transformers on probability distribution over traces
21
Future Work uInvestigate nature of logic Propositional fragment not classical represents conditional probability – complexity-theoretic reductions –connections with probabilistic logics (e.g. Nilsson86) uGeneralize reasoning about secrecy Probability close to ½ instead of 1 Not a trace property uExtend logic More primitives: signature, hash functions,… Remove current syntactic restrictions on formulas u Information-theoretic semantics Only probability; no complexity
22
Related Work uProcess calculus LMMS98-RMST05 uLogic AR00 (passive eavesdropper; encryption) IK03 (computational indistinguishability) uRelating symbolic and crypto models BPW03-05 (active attacker) MW04-05 (active attacker)
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.