Universally Composable Symbolic Analysis of Cryptographic Protocols. Ran Canetti and Jonathan Herzog 6 March 2006.

Presentation Transcript
Universally Composable Symbolic Analysis of Cryptographic Protocols

Ran Canetti and Jonathan Herzog

6 March 2006

The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the author.


Universally Composable Automated Analysis of Cryptographic Protocols

Ran Canetti and Jonathan Herzog

6 March 2006


Overview

  • This talk: symbolic analysis can guarantee universally composable (UC) key exchange

    • (Paper also includes mutual authentication)

  • Symbolic (Dolev-Yao) model: high-level framework

    • Messages treated symbolically; adversary extremely limited

    • Despite (general) undecidability, proofs can be automated

  • Result: symbolic proofs are computationally sound (UC)

    • For some protocols

    • For strengthened symbolic definition of secrecy

  • With UC theorems, suffices to analyze single session

    • Implies decidability!


Needham-Schroeder-Lowe protocol

(Prev: A, B get other’s public encryption keys)

  A → B: EKB(A || Na)

  B → A: EKA(Na || Nb || B)

  A → B: EKB(Nb)

  (Afterwards A and B each output the key K)


Two approaches to analysis

  • Standard (computational) approach: reduce attacks to weakness of encryption

  • Alternate approach: apply methods of the symbolic model

    • Originally proposed by Dolev & Yao (1983)

    • Cryptography without: probability, security parameter, etc.

    • Messages are parse trees

      • Countable symbols for keys (K, K’,…), names (A, B,…) and nonces (N, N’, Na, Nb, …)

      • Encryption (EK(M)) and pairing (M || N) are constructors

    • Participants send/receive messages

      • Output some key-symbol


The symbolic adversary

  • Explicitly enumerated powers

    • Interact with countable number of participants

    • Knowledge of all public values, non-secret keys

    • Limited set of re-write rules:


‘Traditional’ symbolic secrecy

  • Conventional goal for symbolic secrecy proofs:

    “If A or B output K, then no sequence of

    interactions/rewrites can result in K”

  • Undecidable in general [EG, HT, DLMS] but:

    • Decidable with bounds [DLMS, RT]

    • Also, general case can be automatically verified in practice

      • Demo 1: analysis of both NSLv1, NSLv2

  • So what?

    • Symbolic model has weak adversary, strong assumptions

    • We want computational properties!

    • …But can we harness these automated tools?


What we’d like

(Diagram recovered from the slide)

  • Concrete protocol → Symbolic protocol: natural translation for large class of protocols

  • Symbolic protocol → Symbolic key-exchange: simple, automated

  • Symbolic key-exchange → Computational key-exchange: ‘Soundness’ (need only be done once)

  • Would like: Concrete protocol → Computational key-exchange


Some previous work

General area:

  • [AR]: soundness for indistinguishability

    • Passive adversary

  • [MW, BPW]: soundness for general trace properties

    • Includes mutual authentication; active adversary

  • Many, many others

Key-exchange in particular (independent work):

  • [BPW]: (later)

  • [CW]: soundness for key-exchange

    • Traditional symbolic secrecy implies (weak) computational secrecy


Limitations of ‘traditional’ secrecy

  • Big question:

    Can ‘traditional’ symbolic secrecy imply standard

    computational definitions of secrecy?

  • Unfortunately, no

  • Counter-example:

    • Demo: NSLv2 satisfies traditional secrecy

    • Cannot provide real-or-random secrecy in standard models

    • Falls prey to the ‘Rackoff’ attack


The ‘Rackoff attack’ (on NSLv2)

  A → B: EKB(A || Na)

  B → A: EKA(Na || Nb || B)

  A → B: EKB(Nb)

  Adv → B: EKB(K)   ?   K =? Nb


Achieving soundness

  • Soundness requires new symbolic definition of secrecy

  • [BPW]: ‘traditional’ secrecy + ‘non-use’

    • Thm: new definition implies secrecy (in their framework)

    • But: must analyze infinite concurrent sessions and all resulting protocols

  • Here: ‘traditional’ secrecy + symbolic real-or-random

    • Non-interference property; close to ‘strong secrecy’ [B]

    • Thm: new definition equivalent to UC secrecy

    • Demonstrably automatable (Demo 2)

    • Suffices to consider single session!

      (Infinite concurrency results from joint-state UC theorems)

    • Implies decidability (forthcoming)


Decidability (not in paper)


Proof overview (soundness)

  • Construct simulator

  • Information-theoretic

  • Must strengthen notion of UC public-key encryption

  • Intermediate step: trace properties (as in [MW,BPW])

  • Every activity-trace of UC adversary could also be produced by symbolic adversary

  • Rephrase: UC adversary no more powerful than symbolic adversary

  Chain shown on the slide:

    Symbolic key-exchange

    → Single session UC KE (ideal crypto)

    → [UC w/ joint state [CR], info-theor.] Multi-session UC KE (ideal crypto)

    → [UC theorem] Multi-session KE (CCA-2 crypto)


Summary & future work

  • Result: symbolic proofs are computationally sound (UC)

    • For some protocols

    • For strengthened symbolic definition of secrecy

  • With UC theorems, suffices to analyze single session

    • Implies decidability!

  • Additional primitives

    • Have public-key encryption, signatures [P]

    • Would like symmetric encryption, MACs, PRFs…

  • Symbolic representation of other goals

    • Commitment schemes, ZK, MPC…


Backup slides


Two challenges

  • Traditional secrecy is undecidable for:

    • Unbounded message sizes [EG, HT] or

    • Unbounded number of concurrent sessions

      (Decidable when both are bounded) [DLMS]

  • Traditional secrecy is unsound

    • Cannot imply standard security definitions for computational key exchange

    • Example: NSLv2 (Demo)


Prior work: BPW

  New symbolic definition

  Theory / Practice:

    • Implies UC key exchange (Public-key & symmetric encryption, signatures)


Our work

  + Finite system

  New symbolic definition: ‘real-or-random’

  Theory / Practice:

    • Automated verification!

    • Equiv. to UC key exchange (Public-key encryption [CH], signatures [P])

    • UC suffices to examine single protocol run

    • Decidability?

    • Demo 3: UC security for NSLv1


Our work: solving the challenges

  • Soundness: requires new symbolic definition of secrecy

    • Ours: purely symbolic expression of ‘real-or-random’ security

    • Result: new symbolic definition equivalent to UC key exchange

  • UC theorems: sufficient to examine single protocol in isolation

    • Thus, bounded numbers of concurrent sessions

    • Automated verification of our new definition is decidable!… Probably


Summary

  • Summary:

    • Symbolic key-exchange sound in UC model

    • Computational crypto can now harness symbolic tools

    • Now have the best of both worlds: security and automation!

  • Future work


Secure key-exchange: UC

  (Diagram: participants P and P each output K; adversary A; “?”)

  Answer: yes, it matters

  • Negative result [CH]: traditional symbolic secrecy does not imply universally composable key exchange


Secure key-exchange: UC

  (Diagram: ideal functionality F, simulator S, participants P and P each output K, adversary A; “?” at both participants)

  Adversary gets key when output by participants

  • Does this matter? (Demo 2)


Secure key-exchange [CW]

  (Diagram: participants P and P; adversary A receives K, K’)

  • Adversary interacts with participants

    • Afterward, receives real key, random key

    • Protocol secure if adversary unable to distinguish

  • NSLv1, NSLv2 satisfy symbolic def of secrecy

    • Therefore, NSLv1, NSLv2 meet this definition as well


(Diagram: ideal functionality FKE, simulator S, participants P and P, adversary A; “?”)

Adversary unable to distinguish real/ideal worlds

  • Effectively: real or random keys

  • Adversary gets candidate key at end of protocol

  • NSL1, NSL2 secure by this defn.


Analysis strategy

(Diagram recovered from the slide)

  • Concrete protocol → Dolev-Yao protocol: natural translation for large class of protocols

  • Dolev-Yao protocol → Dolev-Yao key-exchange: simple, automated

  • Dolev-Yao key-exchange → UC key-exchange functionality: main result of talk (need only be done once)

  • Would like: Concrete protocol → UC key-exchange functionality


“Simple” protocols

  • Concrete protocols that map naturally to Dolev-Yao framework

  • Two cryptographic operations:

    • Randomness generation

    • Encryption/decryption

      • (This talk: asymmetric encryption)

  • Example: Needham-Schroeder-Lowe

    P1 → P2: {P1, N1}K2

    P2 → P1: {P2, N1, N2}K1

    P1 → P2: {N2}K2


UC Key-Exchange Functionality

  (Diagram labels recovered from the slide: FKE receives (P1 P2) from P1 and (P2 P1) from P2, chooses k ← {0,1}^n and hands (Key k) to P1 and to P2; the adversary A sees (P1 P2), (P2 P1) and the Key P1 / Key P2 labels; one arrow is marked X)


The Dolev-Yao model

  • Participants, adversary take turns

  • Participant turn:

    (Diagram: a participant (P1 or P2) receives message M1 from the adversary A, produces local output L, not seen by adversary, and sends message M2)


The Dolev-Yao adversary

  • Adversary turn:

    (Diagram: adversary A extends its set Know by application of deduction; participants P1, P2)


Dolev-Yao adversary powers

  • Always in Know:

    • Randomness generated by adversary

    • Private keys generated by adversary

    • All public keys


The Dolev-Yao adversary

  (Diagram: adversary A sends a message M from Know to P1 or P2)


Dolev-Yao key exchange

  • Assume that last step of (successful) protocol execution is local output of

    (Finished Pi Pj K)

    • Key Agreement: If P1 outputs (Finished P1 P2 K) and P2 outputs (Finished P2 P1 K’) then K = K’.

    • Traditional Dolev-Yao secrecy: If Pi outputs

      (Finished Pi Pj K), then K can never be in adversary’s set Know

  • Not enough!


Goal of the environment

  • Recall that the environment Z sees outputs of participants

  • Goal: distinguish real protocol from simulation

  • In protocol execution, output of participants (session key) related to protocol messages

  • In ideal world, output independent of simulated protocol

  • If there exists a detectable relationship between session key and protocol messages, environment can distinguish

    • Example: last message of protocol is {“confirm”}K where K is session key

    • Can decrypt with participant output from real protocol

    • Can’t in simulated protocol


Real-or-random (1/3)

  • Need: real-or-random property for session keys

    • Can think of traditional goal as “computational”

    • Need a stronger “decisional” goal

    • Expressed in Dolev-Yao framework

  • Let be a protocol

  • Let r be , except that when participant outputs (Finished Pi Pj Kr),Kr added to Know

  • Let f be , except that when any participant outputs (Finished Pi Pj Kr), fresh key Kf added to adversary set Know

  • Want: adversary can’t distinguish two protocols


Real-or-random (2/3)

  • Attempt 1: Let Traces() be traces adversary can induce on . Then:

    Traces(r) = Traces(f)

  • Problem: Kf not in any traces of r

  • Attempt 2:

    Traces(r) = Rename(Traces(f), KfKr)

  • Problem: Two different traces may “look” the same

    • Example protocol: If participant receives session key, encrypts “yes” under own (secret) key. Otherwise, encrypts “no” instead

    • Traces different, but adversary can’t tell


Real-or-random (3/3)

  • Observable part of trace: Abadi-Rogaway pattern

    • Undecipherable encryptions replaced by “blob”

  • Example:

    t = {N1, N2}K1, {N2}K2, K1-1

    Pattern(t) = {N1, N2}K1, K2, K1-1

  • Final condition:

    Pattern(Traces(r)) = Pattern(Rename(Traces(f), KfKr))


Main results

  • Let key-exchange in the Dolev-Yao model be:

    • Key agreement

    • Traditional Dolev-Yao secrecy of session key

    • Real-or-random

  • Let  be a simple protocol that uses UC asymmetric encryption. Then:

    DY() satisfies Dolev-Yao key exchange

    iff

    UC() securely realizes FKE


Future work

  • How to prove Dolev-Yao real-or-random?

    • Needed for UC security

    • Not previously considered in the Dolev-Yao literature

    • Can it be automated?

  • Weaker forms of DY real-or-random

  • Similar results for symmetric encryption and signatures

