Published by Barry Booker. Modified over 8 years ago.
1
Logical Foundations for Security Protocol Analysis
Patrick Lincoln, John Mitchell, Mark Mitchell, Andre Scedrov
2
Correctness vs Security
• Program or System Correctness
  – Program satisfies specification
    – For reasonable input, get reasonable output
• Program or System Security
  – Program resists attack
    – For unreasonable input, output is not completely disastrous
• Main difference
  – Active interference from environment
3
Main Scientific Problem
• How powerful is the adversary?
  – Simple replay of previous messages
  – Decompose, reassemble and resend
  – Statistical analysis of network traffic
  – Timing attacks
• No absolute notion of security
  – Weak adversary: any correct system is secure
  – Strong adversary: nothing is secure
    – If I can read your mind, you have no secrets
4
Needham-Schroeder Key Exchange
[Diagram: messages between A and B]
    A → B: { A, Nonce_a }_Kb
    B → A: { Nonce_a, Nonce_b }_Ka
    A → B: { Nonce_b }_Kb
Result: A and B share two private numbers not known to any observer without K_a^-1, K_b^-1
5
Anomaly in Needham-Schroeder
[Diagram: agents A, E and B; messages { A, N_a }, { N_a, N_b }, { N_b }; key labels K_e, K_b, K_a, K_a, K_e]
Evil agent E tricks honest A into revealing private key N_b from B. Evil E can then fool B. [Lowe]
6
Analyzing Security Protocols
• Think long and hard
• BAN and other belief logics
• Specialized tools using proof search
• Exhaustive state-enumeration tools
  – Model checking using CSP, Murφ, ...
• New directions
  – Abadi-Gordon Spi-calculus
  – Probabilistic poly-time framework
7
Prior state of the art
• Formal protocol analysis uses Dolev-Yao model
  – Adversary is nondeterministic process
  – Adversary can
    – Block network traffic
    – Read any message, decompose into parts
    – Decrypt if key is known to adversary
    – Insert new message from data it has observed
  – Adversary cannot
    – Gain partial knowledge
    – Guess part of a key
    – Perform statistical tests, …
8
Power and limitations
• Can find some attacks
  – Needham-Schroeder by exhaustive search
• Other attacks are outside model
  – Interaction between protocol and encryption
• Some protocols cannot be modeled
  – Probabilistic protocols
  – Steps that require specific properties of encryption
• Possible to prove erroneous protocol correct
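Added example (not from the slides): a symbolic Dolev-Yao run of the Needham-Schroeder exchange, showing the anomaly from the earlier slide and that Lowe's published repair, which the slides do not show, stops it. The helper names `enc`, `dec`, `forge` and `run` are hypothetical; encryption is modelled as perfect and the intruder may only send data it has observed.

```python
def enc(owner, *payload):
    """Symbolic public-key encryption under `owner`'s key (perfect, per Dolev-Yao)."""
    return ("enc", owner, payload)

def dec(agent, term):
    """Payload if `agent` holds the matching private key, otherwise None."""
    _, owner, payload = term
    return payload if owner == agent else None

def forge(knowledge, owner, *parts):
    """The intruder may only build messages from data it has already observed."""
    if not set(parts) <= knowledge:
        raise ValueError("intruder does not know all parts")
    return enc(owner, *parts)

def run(fixed):
    """A opens a session with E; E relays to B while posing as A.
    fixed=True adds the responder's name to message 2 (Lowe's repair).
    Returns (peer B believes it authenticated, whether E learned Nb)."""
    na, nb = "Na", "Nb"                  # fresh nonces, modelled as atoms
    known = {"A", "B", "E"}              # intruder knowledge: public names only
    m1 = enc("E", "A", na)               # 1.  A -> E    : {A, Na}Ke
    known |= set(dec("E", m1))
    m1b = forge(known, "B", "A", na)     # 1'. E(A) -> B : {A, Na}Kb
    claimed, na_seen = dec("B", m1b)
    # 2. B -> A : {Na, Nb}Ka, or {B, Na, Nb}Ka with the repair
    m2 = enc("A", "B", na_seen, nb) if fixed else enc("A", na_seen, nb)
    assert dec("E", m2) is None          # E cannot read it, only forward it to A
    body = dec("A", m2)
    if body[-2] != na or (fixed and body[0] != "E"):
        return (None, nb in known)       # A expected peer E and its own nonce: abort
    nb_got = body[-1]
    m3 = enc("E", nb_got)                # 3.  A -> E    : {Nb}Ke
    known |= set(dec("E", m3))
    m3b = forge(known, "B", nb_got)      # 3'. E(A) -> B : {Nb}Kb
    (nb_back,) = dec("B", m3b)
    return (claimed if nb_back == nb else None, nb in known)
```

`run(False)` ends with B believing it authenticated A while E knows Nb; `run(True)` aborts at message 2 and Nb stays secret.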
9
Example: TMN Cell Phone Protocol
[Diagram: message flow between A, B and server S; labels include {N_a}, {N_b} and K_s]
• Replay attack if N_b not fresh
  – Server rejects N_b and requests different number from B
• RSA Encryption: encrypt(k, msg) = msg^k mod N
  – Replay {N_b}_Ks * {i}_Ks = N_b^Ks * i^Ks = (N_b * i)^Ks and divide later
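Added example (not from the slides): why a freshness check on N_b does not catch the blinded replay when encrypt(k, msg) = msg^k mod N is used without padding. The key, the `Server` class and the helper names are constructed for illustration, and `accept` stands in for whatever the server does with the decrypted value.

```python
# Constructed toy RSA key for the server; both primes are well known,
# the modulus is far too small for real use.
P, Q = 65537, 2147483647
N = P * Q
KS = 17                                  # server's public exponent
KS_INV = pow(KS, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def encrypt(k, msg):
    """Textbook RSA as on the slide: msg^k mod N, no padding."""
    return pow(msg, k, N)

class Server:
    """Freshness check: refuse any ciphertext or nonce seen before."""
    def __init__(self):
        self.seen_ct, self.seen_nonce = set(), set()

    def accept(self, ct):
        nonce = encrypt(KS_INV, ct)      # decryption is exponentiation by KS_INV
        if ct in self.seen_ct or nonce in self.seen_nonce:
            return None
        self.seen_ct.add(ct)
        self.seen_nonce.add(nonce)
        return nonce

def blind(ct, i):
    """{Nb}Ks * {i}Ks = (Nb * i)^Ks mod N: a ciphertext the server has not seen."""
    return ct * encrypt(KS, i) % N

def unblind(value, i):
    """'Divide later': multiply by i^-1 mod N."""
    return value * pow(i, -1, N) % N

def demo(nb=123456789, i=3):
    server = Server()
    ct = encrypt(KS, nb)
    first = server.accept(ct)              # original run: accepted
    replay = server.accept(ct)             # plain replay: rejected (None)
    blinded = server.accept(blind(ct, i))  # blinded replay: passes as fresh
    return first, replay, unblind(blinded, i)
```

The multiplicative property comes from unpadded RSA; randomized padding such as RSA-OAEP does not preserve it, which is the kind of encryption-specific property the Dolev-Yao model cannot express.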
10
Recent Language Approach [AG97]
• Write protocol in process calculus
• Express security using observational equivalence
  – Standard relation from programming language theory
    P Q iff for all contexts C[ ], same observations about C[P] and C[Q]
  – Context (environment) represents adversary
• Use proof rules for to prove security
  – Protocol is secure if no adversary can distinguish it from some idealized version of the protocol
11
Probabilistic Poly-time Analysis
• Adopt spi-calculus approach, add probability
• Probabilistic polynomial-time process calculus
  – Protocols use probabilistic primitives
    – Key generation, nonce, probabilistic encryption, ...
  – Adversary may be probabilistic
  – Modal type system guarantees complexity bounds
• Express protocol and specification in calculus
• Study security using observational equivalence
  – Use probabilistic form of process equivalence
Our Framework
12
Technical Challenges
• Language for prob. poly-time functions
  – Extend Hofmann language with rand
• Replace nondeterminism with probability
  – Otherwise adversary is too strong...
• Define probabilistic equivalence
  – Related to poly-time statistical tests...
• Develop specification by equivalence
  – Several examples carried out
• Proof systems for probabilistic equivalence
  – Goal for the future
13
Example protocol in process calc
• “Notation found in the literature”
    A B: { m }_K
    B A: { m+1 }_K
• Process calculus with cryptographic primitives
    let k = new_key(n) in
    let m = pick_a_number(n) in
    AB encrypt(k,m)
    | AB (x). BA encrypt(k, decrypt(k,x)+1)
    end
  This form makes assumptions and response explicit
  output on port AB not m
14
How we specify secrecy
• Original protocol P
    A B: { m }_K
    B A: { m+1 }_K
• “Obviously” secret protocol Q (zero knowledge)
    A B: { random_number }_K
    B A: { random_number }_K
• Basic idea: P Q implies P preserves secrecy
  – If not, then some context can obtain some information from the original protocol
15
Nondeterminism is traditional, but...
• Nondeterminism is a useful idealization
  – Classical disguised as a computational primitive
  – Expresses extreme “good luck” or “bad luck”
    – Nondeterministic algorithm for traveling salesman
      “Guess” a path and check that it is correct
    – Nondeterministic semantics for parallel composition
      Treat any possible interleaving as significantly possible
  – Appropriate for “worst case” correctness
• Not an intrinsic property of system itself
16
Nondeterminism breaks encryption
• Alice encrypts message and sends to Bob
    A B: { msg }_K
• Adversary uses nondeterministic parallelism
    Process E 0 E 0 | E 0 | … | E 0
    Process E 1 E 1 | E 1 | … | E 1
    Process E E b 1 . E b 2 ... E b n . decrypt(b_1 b_2 ... b_n, msg)
  In reality, adversary has 2^-n chance to guess n-bit key
17
Solution: probabilistic scheduler
• Define operational semantics
  – Probabilistic steps
      let x = M in P r [v/x]P
  – Nondeterministic choice between parallel processes
• Each run requires probabilistic scheduler
  – Chooses step from “nondeterministic” alternatives
  – Scheduler runs in probabilistic polynomial time
  – Quantify over schedulers to get universal properties
  – Similar ideas in literature on Markov decision diagrams
18
Toward probabilistic equivalence
• Background: poly-time statistical tests
  – Standard notion from cryptography
  – Define crypto. strong pseudo-random sequence
• Main ideas
  – Pseudo-random generator family G = {G_n}_{n>0}
  – Test generator G_n in time poly(n)
    – Compare Test(G k (random(n)) to Test(random(n^k))
    – Generator “secure” if results within 1/poly(n)
19
Observing Probabilistic Process
• Observations
  – Compare |Prob[ P “yes” ] - Prob[ Q “yes” ] | <
  – How small is small?
    – Less than 1/2, 1/4, … ? (not equiv relation for fixed )
    – Vanishingly small?
    – How fast should 0 ? As a function of what?
• Cryptographic protocols
  – Use encryption keys of a certain length
    – Protocol is family { P_n }_{n>0} indexed by key length
  – Increasing key length increasing security
20
Probabilistic Observational Equiv
• Processes P, Q are -indistinguishable
    P Q if contexts C[ ]. observations v.
      |Prob[C[ P ] v ] - Prob[C[ Q ] v ] | <
• Asymptotically within f
  – Process, context families { P_n }_{n>0} { Q_n }_{n>0} { C_n }_{n>0}
    P f Q if contexts C[ ]. obs v. n_0. n > n_0.
      | Prob[C_n [ P_n ] v ] - Prob[C_n [ Q_n ] v ] | < f(n)
• Asymptotically polynomially indistinguishable
    P Q if P f Q for every polynomial f(n) = 1/p(n)
  Final def’n gives robust equivalence relation
21
Basic example
• Sequence generated from random seed
    P_n: let b = n^k-bit sequence generated from n random bits
         in PUBLIC b end
• Truly random sequence
    Q_n: let b = sequence of n^k random bits
         in PUBLIC b end
• P is crypto strong pseudo-random generator
    P Q
22
Protocol P [Diffie, Hellman, ElGamal]
[Diagram: messages between A and B]
    g^a mod p
    g^b mod p
    msg * g^ab mod p
Prime p and generator g of Z_p are public
Passive eavesdropper has small chance at msg
23
Specification Q
[Diagram: messages between A and B]
    random_number mod p
Network traffic should look like 3 random numbers
24
Analysis
• Prove P Q ?
  – Prove difficulty of computing discrete logarithm ?
• Better: reduction from a discrete log problem
  – Strategy to distinguish P from Q with prob > 1/poly win Diffie-Hellman game with prob > 1/poly
• Decision-Diffie-Hellman problem
  – Given two triples: x, y, z    g^u, g^v, g^uv
  – Decide which is which (u,v,x,y,z chosen randomly)
Note: this is for passive eavesdropper only
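Added example (not from the slides), going one step beyond them: the exact advantage |Prob[P yes] - Prob[Q yes]| of one poly-time statistical test, the Legendre symbol, computed by enumeration for a toy prime. It compares g generating all of Z_p^* with g generating the prime-order subgroup of squares, to show that the Decision-Diffie-Hellman assumption depends on the group chosen. All parameters and function names are constructed, and Q is assumed to draw its three numbers from the same group as P.

```python
from fractions import Fraction
from itertools import product

P_MOD = 23  # constructed toy safe prime (23 = 2*11 + 1); real groups are far larger

def legendre(x):
    """+1 if x is a nonzero square mod P_MOD, else -1 (Euler's criterion)."""
    return 1 if pow(x, (P_MOD - 1) // 2, P_MOD) == 1 else -1

def says_yes(triple, msg):
    """Statistical test: does the third value have the residuosity that
    (g^a, g^b, msg * g^ab) forces?  g^ab is a square iff g^a or g^b is."""
    x, y, z = triple
    l_gab = 1 if 1 in (legendre(x), legendre(y)) else -1
    return legendre(z) == legendre(msg) * l_gab

def advantage(g, msg):
    """Exact |Prob[P yes] - Prob[Q yes]| over the group generated by g.
    P: ElGamal traffic; Q: three independent uniform group elements."""
    group = sorted({pow(g, k, P_MOD) for k in range(P_MOD - 1)})
    n = len(group)
    p_yes = sum(
        says_yes((pow(g, a, P_MOD), pow(g, b, P_MOD),
                  msg * pow(g, a * b, P_MOD) % P_MOD), msg)
        for a, b in product(range(n), repeat=2))
    q_yes = sum(says_yes(t, msg) for t in product(group, repeat=3))
    return abs(Fraction(p_yes, n ** 2) - Fraction(q_yes, n ** 3))

FULL_GROUP = advantage(5, 2)   # g = 5 generates all of Z_23^*
SUBGROUP = advantage(2, 2)     # g = 2 generates the order-11 subgroup of squares
```

In the full group the test separates P from Q with advantage 1/2, so the equivalence fails there; in the subgroup this particular test gains nothing, which is why such protocols are instantiated in a prime-order subgroup.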
25
ElGamal Analysis: So what?
• Characterize security by number-theoretic game
  – Decision Diffie-Hellman appears in literature
  – Previously studied, believed hard
• Remove doubt about protocol, up to common cryptographic assumptions
  – Simplified example since this protocol can be subverted by replacing g^a by g^c
26
Current state of project
• Better foundations for protocol analysis ?
  – Determine crypto requirements of protocols !
• Probabilistic ptime language
  – Extended Hofmann language with rand
• Pi-calculus-like process framework
  – replaced nondeterminism with rand
  – equivalence based on ptime statistical tests
• Specifications of secrecy, authenticity
• Simple examples
• Work in progress...