Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computational Soundness for PCL Dilsun Kaynar Carnegie Mellon University Foundations of Security and Privacy October 11, 2007.

Similar presentations


Presentation on theme: "Computational Soundness for PCL Dilsun Kaynar Carnegie Mellon University Foundations of Security and Privacy October 11, 2007."— Presentation transcript:

1 Computational Soundness for PCL Dilsun Kaynar Carnegie Mellon University Foundations of Security and Privacy October 11, 2007

2 Security protocol analysis Analysis Tool Protocol Property Security proof or attack Attacker model

3 PCL Methodology Analysis Tool Protocol Property Security proof or attack Attacker model Our tool: Protocol Composition Logic (PCL) SSL authentication -Complete control over network -Perfect crypto axiomatic proof

4 Alternative view Analysis Tool Protocol Property Security proof or attack Attacker model SSL authentication - Any ppt algorithm -Explicit crypto Alternative formalism Associated proof techniques

5 Symbolic model [NS78,DY84,…] Complexity-theoretic model [GM84,…] Attacker actions-Fixed set of actions, e.g., decryption with known key (ABSTRACTION) + Any probabilistic poly-time computation Security properties-Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION) + Fine-grained, e.g., secret message = no partial information about bitstring representation Analysis methods+ Successful array of tools and techniques; automation - Hand-proofs are difficult, error-prone; no automation Can we get the best of both worlds? Two worlds

6 PCL Approach Protocol Composition Logic (PCL) Syntax Proof System Symbolic “Dolev-Yao” model Semantics Computational PCL Syntax ±  Proof System ±  Complexity-theoretic model Semantics Lectures on PCL so far Leverage PCL success…

7 PCL Approach Symbolic Model PCL Semantics (Meaning of formulas) Unbounded # concurrent sessions PCL Syntax (Properties) Proof System (Proofs) Soundness Theorem (Induction) High-level proof principles Cryptographic Model PCL Semantics (Meaning of formulas) Polynomial # concurrent sessions Computational PCL Syntax ±  Proof System±  Soundness Theorem (Reduction) [BPW, MW,…]

8 Reminder: PCL Protocol Language u Terms Constants, variables, name, key, (t,t), sig K {t}, enc K {t} u Actions new t, send t, receive x, sign(t,K), verify (t,t,K), enc(t,K), dec(t,K) uStrand, cord [a;..., a] P u Role, protocol

9 Challenge-Response as Cords AB m, A n, sig B {m, n, A} sig A {m, n, B} InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

10 Attacker capabilities uControls complete network Can read, remove, inject messages uFixed set of operations on terms Pairing Projection Encryption with known key Decryption with known key Commonly referred to as “Dolev-Yao” attacker

11 Execution model Initial configuration Protocol is a finite set of roles Set of principals and keys Assignment of  1 role to each principal Run (produces a symbolic trace) new x send {x} B receive {x} B A B C receive {z} B new z send {z} B

12 Protocol Logic Action formulas a ::= Send(P,m) | Receive (P,m) | New(P,t) | Encrypt(P,t) | Decrypt(P,t) | Sign (P,t) | Verify (P,t) Formulas  ::= a | a < a| Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t, t) |  |    |  x  | Start(P) Modal formulas  [a; …a] P 

13 Reasoning about knowledge uPairing Has(X, {m,n})  Has(X, m)  Has(X, n) uEncryption Has(X, enc K (m))  Has(X, K -1 )  Has(X, m)

14 Semantics uProtocol Q Defines set of roles (e.g, initiator, responder) Run R of Q is sequence of actions by principals following roles, plus attacker u Satisfaction Q, R |=  Q, R |= Send(A, m) If in R, thread A executed send(m) Q, R |   [ actions ] P  If some role of P in R does exactly actions starting from state where  is true, then  is true in state after actions completed Q |   [ actions ] P  Q, R |   [ actions ] P  for all runs R of Q

15 Proof System uGoal: formally prove security properties uAxioms Simple formulas provable by hand uInference rules Proof steps uTheorem Formula obtained from axioms by application of inference rules

16 Soundness u Soundness Theorem: if Q |-  then Q |=  If  is a theorem then  is a valid formula u  holds in any step in any run of protocol Q Unbounded number of participants Dolev-Yao intruder

17 Computational PCL uSymbolic proofs about complexity- theoretic model of cryptographic protocols!

18 Towards Computational PCL u Revisit Protocol language and execution model Protocol logic u New semantics for formulas: Interpret formulas as operators on probability distributions on traces Meaning of  on a set of traces T is a subset T' in which  holds. Probability that  holds is |T'| / |T|.

19 Main result uComputational PCL Symbolic logic for proving security properties of network protocols using public-key encryption uSoundness Theorem: If a property is provable in CPCL, then property holds in computational model with overwhelming asymptotic probability. uBenefits Symbolic proofs about computational model Computational reasoning in soundness proof (only!) Different axioms rely on different crypto assumptions

20 Protocol execution model uInitialization Set roles, identify honest principals, provide encryption keys (polynomially-bounded) and random coins u Execution phase Adversary has complete control of the network, acts according to the standard cryptographic model Running time is polynomially-bounded u Computational trace e is the symbolic description of the trace λ maps terms in e to bitstrings

21 PCL  Computational PCL uSyntax, proof system mostly the same uSignificant difference Symbolic “knowledge” –Has(X,t) : X can produce t from msgs that have been observed, by symbolic algorithm Computational “knowledge” –Possess(X,t) : can produce t by ppt algorithm –Indistinguishable(X,t) : can distinguish from random in ppt More subtle system: some axioms rely on CCA2, some are info-theoretically true, etc.

22 Example: Simple secrecy Init(A, X) = [ new m; y := enc(m,X); send (A, X, y); ] Resp(B, X) = [ receive z; match z/ ; z’’ := dec(z’, B); ] When A completes proof with B, m will be a shared secret: Start(A) [Init] A Honest(A)  Honest(B)  (Z ≠A,B)  Indist(Z,m)

23 Example: axiomatic proof u Т [new m] X Z  X  Indist(Z,m) At the point m is generated by X, it is indistinguishable from random by everyone else u Source(Y,u,{m} X )   Decr(X, {m} X )  Honest(X,Y)  (Z  X)  Indist(Z, u) X remains indistinguishable since it appears encrypted with a private key

24 Central axioms uCryptographic security property of encryption scheme Ciphertext indistinguishability uCryptographic security property of signature scheme Unforgeability (used for authentication)

25 Sample axioms u Т [new x] X Y  X  Indist(Y,x) u Source(Y,u,{m} X )   Decr(X, {m} X )  Honest(X,Y)  (Z  X,Y)  Indist(Z,u) u Verify(X,sig Y {m})  Honest(X,Y)   Y. Sign(Y,m)

26 IND-CCA2-Secure encryption C m {m} K m {m b } K m 0, m 1 d Attacker wins if d = b Messages are bit-strings Attacker is a PPT Turing Machine IND-CCA2 security:  PPT attackers A  negligible function f  n0  security parameters n ≥ n0 Prob [d = b | A plays by the rules] <= ½ + f(n) Intuition: Encryption reveals no information about message Challenger Attacker

27 CMA-Secure Signatures ChallengerAttacker mi Sig(Y,mi) Sig(Y,m) Attacker wins if m  mi

28 Computational Semantics u [[  ]] (T,D, ε) T is a set of traces, D is a Distinguisher, ε is tolerance u Inductive definition [[a(.,.)]] (T,D,ε) : for basic actions a, is simply the collection of traces in which action a(.,.) occurs [[Indist(X,u)]] (T,D,ε) : uses T, D, ε –T if D cannot distinguish u from random, empty set otherwise –Not a trace property

29 Inductive Semantics  [[  1   2 ]] (T,D,  ) = [[  1 ]] (T,D,  )  [[  2 ]] (T,D,  )  [[  1   2 ]] (T,D,  ) = [[  1 ]] (T,D,  )  [[  2 ]] (T,D,  )  [[   ]] (T,D,  ) = T - [[  ]] (T,D,  ) Implication uses conditional probability  [[  1   2 ]] (T,D,  ) = [[   1 ]] (T,D,  )  [[  2 ]] (T’,D,  ) where T’ = [[  1 ]] (T,D,  ) Formula defines transformation on probability distributions over traces

30 Complexity-theoretic semantics uQ |=  if  adversary A  distinguisher D  negligible function f  n 0  n > n 0 s.t. [[  ]](T,D,f) T(Q,A,n) [[  ]](T,D,f(n)) |/|T| > 1 – f(n) Fraction represents probability Fix protocol Q, PPT adversary A Choose value of security parameter n Vary random bits used by all programs Obtain set T=T(Q,A,n) of equi-probable traces

31 Soundness of Proof System u Prove soundness of individual axioms u Show all rules preserve validity

32 Soundness of proof system uExample axiom Source(Y,u,{m}X)   Decrypts(X, {m}X)  Honest(X,Y)  (Z  X,Y)  Indistinguishable(Z, u) uProof idea: crypto-style reduction Assume axiom not valid:  A  D  negligible f  n 0  n > n 0 s.t. [[  ]](T,D,f)|/|T| < 1 –f(n) Construct attacker A’ that uses A, D to break IND-CCA2 secure encryption scheme

33 Correspondence theorems u If “secure” in abstract model, then “secure” in computational model. Strong assumptions about cryptographic functions No abstractions for Diffie-Hellman exponentiation Negative results: symmetric encryption, hash functions, xor u CPCL can potentially sidestep these problems by appropriate axiomatizations of properties

34 Logic and Cryptography: Big Picture Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption) Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme) Axiom in proof system Protocol security proofs using proof system Semantics and soundness theorem


Download ppt "Computational Soundness for PCL Dilsun Kaynar Carnegie Mellon University Foundations of Security and Privacy October 11, 2007."

Similar presentations


Ads by Google