1 / 52

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis . John Mitchell Stanford University P. Lincoln, M. Mitchell, A. Ramanathan, A. Scedrov, V. Teague. Computer Security. Access control OS security Network security Cryptography ….

annette
Download Presentation

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis John Mitchell Stanford University P. Lincoln, M. Mitchell, A. Ramanathan, A. Scedrov, V. Teague

  2. Computer Security • Access control • OS security • Network security • Cryptography • … • Goal: protection of computer systems and digital information Security Crypto

  3. Research challenge • Invent the logic of computer security • Reasoning principles for systems that use cryptography and are subject to attack • Analogy • Effective topos, synthetic domain thy, … • Recursion, recursive domains, collections of types, … form a model of intuitionistic set theory with additional axioms

  4. LICS presence at CSFW Check out: Crypto, Oakland, CCS, … Abadi Blanchet Fiore Gordon Gunter Halpern Jeffrey Kirli Pierce Pavlovic Rusinowitch Scedrov Abadi Roscoe 1998 1999 2000 2001

  5. Today: Protocols and Probability • Security protocols • Goals for process calculus • Specific process calculus • Probabilistic semantics • Complexity: probabilistic poly time • Asymptotic equivalence • Pseudo-random number generators • Equational properties and challenges

  6. Protocol Security • Cryptographic Protocol • Program distributed over network • Use cryptography to achieve goal • Attacker • Intercept, replace, remember messages • Guess random numbers, some computation • Correctness • Attacker cannot learn protected secret or cause incorrect conclusion

  7. m1 m2 IKE subprotocol from IPSEC A, (ga mod p) B, (gb mod p) , signB(m1,m2) signA(m1,m2) A B Result: A and B share secret gab mod p Analysis involves probability, modular exponentiation, digital signatures, communication networks, …

  8. Simpler: Challenge-Response • Alice wants to know Bob is listening • Send “fresh” number n, Bob returns f(n) • Use encryption to avoid forgery • Protocol • Alice  Bob: { nonce }K • Bob  Alice: { nonce * 5 }K • Can Alice be sure that • Message is from Bob? • Message is fresh response to Alice’s challenge?

  9. Important Modeling Decisions • How powerful is the adversary? • Simple replay of previous messages • Decompose, reassemble and resend • Statistical analysis, timing attacks, ... • How much detail in model of crypto? • Assume perfect cryptography • Include algebraic properties • encr(x*y) = encr(x) * encr(y) for RSA encrypt(k,msg) = msgk mod N

  10. Standard analysis methods • Finite-state analysis • Logic based models • Symbolic search of protocol runs • Proofs of correctness in formal logic • Consider probability and complexity • More realistic intruder model • Interaction between protocol and cryptography Easy Hard

  11. Future Future Comparison Hand proofs   High Poly-time calculus Spi-calculus Athena  Paulson Sophistication of attacks    NRL  Bolignano BAN logic  Low FDR Murj   Low High Protocol complexity

  12. Outline • Security protocols Goals for process calculus • Specific process calculus • Probabilistic semantics • Complexity – probabilistic poly time • Asymptotic equivalence • Pseudo-random number generators • Equational properties and challenges

  13. Language Approach [Abadi, Gordon] • Write protocol in process calculus • Express security using observational equivalence • Standard relation from programming language theory P  Q iff for all contexts C[ ], same observations about C[P] and C[Q] • Context (environment) represents adversary • Use proof rules for  to prove security • Protocol is secure if no adversary can distinguish it from some idealized version of the protocol Great general idea; application is complicated

  14. Probabilistic Poly-time Analysis • Add probability, complexity • Probabilistic polynomial-time process calc • Protocols use probabilistic primitives • Key generation, nonce, probabilistic encryption, ... • Adversary may be probabilistic • Express protocol and spec in calculus • Security using observational equivalence • Use probabilistic form of process equivalence

  15. Secrecy for Challenge-Response • Protocol P A  B: { i } K B A: { f(i) } K • “Obviously’’ secret protocol Q A  B: { random_number } K B A: { random_number } K • Analysis: P  Q reduces to crypto condition related to non-malleability [Dolev, Dwork, Naor] • Fails for “plain old” RSA if f(i) = 2i

  16. private channel private channel public channel public channel Specification with Authentication • Protocol P A  B: { random i } K B A: { f(i) } K A  B: “OK” if f(i) received • “Obviously’’ authenticating protocol Q A  B: { random i } K B A: { random j } K i , j A  B: “OK” if private i, j match public msgs

  17. Nondeterminism vs encryption • Alice encrypts msg and sends to Bob A  B: { msg } K • Adversary uses nondeterminism Process E0c0 | c0 | … | c0 Process E1c1 | c1 | … | c1 Process E c(b1).c(b2)...c(bn).decrypt(b1b2...bn, msg) In reality, at most 2-n chance to guess n-bit key

  18. Probabilistic Semantics 0.5 0.2 0.2 0.3 0.2 0.2 0.5 0.5 0.5 0.3 0.3 0.5 0.2 0.5 0.2 0.5 0.3 0.5 0.3 0.5 Semantics Nondeterministic Semantics Prove initial results for arbitrary scheduler

  19. Methodology • Define general system • Process calculus • Probabilistic semantics • Asymptotic observational equivalence • Apply to protocols • Protocols have specific form • “Attacker” is context of specific form • Induces coarser observational equivalence This talk: general calculus and properties

  20. Outline • Security protocols • Goals for process calculus Specific process calculus • Probabilistic semantics • Complexity – probabilistic poly time • Asymptotic equivalence • Pseudo-random number generators • Equational properties and challenges

  21. Technical Challenges • Language for prob. poly-time functions • Extend work of Cobham, Cook, Hofmann • Replace nondeterminism with probability • Otherwise adversary is too strong ... • Define probabilistic equivalence • Related to poly-time statistical tests ...

  22. Syntax • Bounded -calculus with integer terms P :: = 0 | cq(|n|) T send up to q(|n|) bits | cq(|n|)(x). P receive | cq(|n|). P private channel | [T=T] P test | P | P parallel composition | ! q(|n|). P bounded replication • Terms may contain symbol n; channel width • and replication bounded by poly in |n|

  23. Probabilistic Semantics • Basic idea • Alternate between terms and processes • Probabilistic evaluation of terms (incl. rand) • Probabilistic scheduling of parallel processes • Two evaluation phases • Outer term evaluation • Evaluate all exposed terms, evaluate tests • Communication • Match send and receive • Probabilistic if multiple send-receive pairs

  24. Scheduling • Outer term evaluation • Evaluate all exposed terms in parallel • Multiply probabilities • Communication • E(P) = set of eligible subprocesses • S(P) = set of schedulable pairs • Prioritize – private communication first • Choose highest-priority communication with uniform (or other) probability

  25. Example • Process • crand+1 | c(x).dx+1 | d2 | d(y). ex+1 • Outer evaluation • c1 | c(x).dx+1 | d2 | d(y). ex+1 • c2 | c(x).dx+1 | d2 | d(y). ex+1 • Communication • c1 | c(x).dx+1 | d2 | d(y). ex+1 Each prob ½ Choose according to probabilistic scheduler

  26. Example (again) • crand+1 | c(x).dx+1 | d2 | d(y). ex+1 Outer Eval Each with prob 0.5 • c2 | c(x).dx+1 | d2 | d(y). ex+1 • c1 | c(x).dx+1 | d2 | d(y). ex+1 Comm Step Choose according to probabilistic scheduler

  27. Complexity results • Polynomial time • For each process P, there is a poly q(x) such that • For all n • For all probabilistic schedulers • All minimal evaluation contexts C[ ] eval of C[P] halts in time q(|n|+|C[]|) • Minimal evaluation context • C[ ] = c(x).d(y)…[ ] | c20 | d7 | e492 | …

  28. Complexity: Intuition • Bound on number of communications • Count total number of inputs, multiplying by q(|n|) to account for ! q(|n|). P • Bound on term evaluation • Closed T evaluated in time qT(|n|) • Bound on time for each comm step • Example: cm | c(x).P  [m/x]P • Substitution bounded by orig length of P • Size of number m is bounded • Previous steps preserve # occurr of x in P

  29. Outline • Security protocols • Application of process calculus • Specific process calculus • Probabilistic semantics • Complexity – probabilistic poly time • Asymptotic equivalence • Pseudo-random number generators • Equational properties and challenges

  30. Problem: How to define process equivalence? • Intuition • | Prob{ C[P] “yes” } - Prob{ C[Q] “yes” } | <  • Difficulty • How do we choose ? • Less than 1/2, 1/4, … ? (not equiv relation) • Vanishingly small ? As a function of what? • Solution • Use security parameter • Protocol is family { Pn } n>0 indexed by key length • Asymptotic form of process equivalence

  31. Probabilistic Observational Equiv • Asymptotic equivalence within f Process, context families { Pn } n>0{ Qn } n>0 { Cn } n>0 P f Q if  contexts C[ ].  obs v. n0 .  n> n0 . | Prob[Cn[Pn] v] - Prob[Cn[Qn] v] | < f(n) • Asymptotically polynomially indistinguishable P  Q if P f Q for every polynomial f(n) = 1/p(n) Final def’n gives robust equivalence relation

  32. Outline • Security protocols • Application of process calculus • Specific process calculus • Probabilistic semantics • Complexity – probabilistic poly time • Asymptotic equivalence • Pseudo-random number generators • Equational properties and challenges

  33. Compare with standard crypto • Sequence generated from random seed Pn: let b = nk-bit sequence generated from n random bits in PUBLICb end • Truly random sequence Qn: let b = sequence of nkrandom bits in PUBLICb end • P is crypto strong pseudo-random generator P  Q Equivalence is asymptotic in security parameter n

  34. Desired equivalences • P | (Q | R)  (P | Q) | R • P | Q  Q | P • P | 0  P • P  Q  C[P]  C[Q] • P  c. ( c<1> | c(x).P) x FV(P) Warning: hard to get all of these…

  35. r r    ~ ~ ~ One way to get equivalences • Labeled transition system • Allow process to send any output, read any input • Label with numbers “resembling probabilities” • Simulation relation • Relation  on processes • If P Q and P P’, then exists Q’ with Q Q’ and P’ Q’ • Weak form of prob equivalence • But enough to get started …

  36. Hold for uniform scheduler • P | (Q | R)  (P | Q) | R • P | Q  Q | P • P | 0  P • P  Q  C[P]  C[Q] Compositionality is important issue in computer security

  37. Problem • Want this equivalence • P c. ( c<1> | c(x).P) x FV(P) • Fails for general calculus, general  • P = d(x).e<x> • C[ ] = d.( d<1> | d(y).e<0> | [ ] )

  38. Comparison • d.(d<1> | d(y).e<0> | c. ( c<1> | c(x).P) ) left c<1> • d.(d<1> | d(y).e<0> | d(x).e<x> ) P right left c<1> right left e<0> e<0> e<1> e<0> e<1> Even prioritizing private channels, equivalence fails

  39. Paradox • Two processors connect by network • Each does private actions • Unrealistic interaction • Private coin flip in Beijing does not influence coin flip in Washington

  40. Solutions • Modify scheduler • Process private channels left-to-right • Each channel: random send-receive pair • Restrict syntax of protocol, attack • C[ P ] = C[ c. ( c<1> | c(x).P) ] for all contexts C[ ] that • do not share private channels • do not bind channel names used in [ ] Modification of scheduler more reasonable for protocols

  41. Current State of Project • Framework for protocol analysis • Determine crypto requirements of protocols • Precise definition of crypto primitives • Probabilistic ptime language • Process framework • Replace nondeterminism with rand • Equivalence based on ptime statistical tests • Methods for establishing equivalence • Develop probabilistic simulation technique • Examples: Diffie-Hellman, Bellare-Rogaway, …

  42. Connections with modern crypto • Cryptosystem consist of three parts • Key generation • Encryption • Decryptions • Many forms of security • Semantic security, non-malleability, chosen-ciphertext security, … • Common conditions use prob. games

  43. Chosen-ciphertext security Probabilistic poly-time player A cannot win game (>1/2): • A gets public key • A submits ciphertexts and receives decryptions • A submits two messages m0, m1 and receives either  = Encr(m0) or  = Encr(m1) at random • A submits ciphertexts   and receives decryptions • A declares guess g = 0 or 1 • Score win if  = Encr(mg), else lose Deterministic encryption vulnerable to chosen-c attack

  44. Simulation security of K,E,D Algorithms K, E, D indistinguishable from variant where encryption uses random messages and private table   m pk m   m pk m pk K sk E K D sk D P plain cipher Q • [Canetti 00; Shoup; Pfitzmann-Waidner 00,01]

  45. Goal: Chosen-c-secure iff sim-secure • P  P1  P2  …  Q • Hope to prove using process calculus • Derive protocol correctness by congruence • where • P = Game on previous slide • P1 = Same, but quit if some output  of E seen before as input to D or output of E • P2 = If input  to D was output by E, use table instead of algorithm D • Q = instead of encrypt, use Encr(0) and table

  46. Conclusion • Computer security • Exacting subject amenable to analysis • Analysis useful since correctness critical • Protocols • Short but complex • Probabilistic poly-time process calc • Challenging semantics, proof theory • Appropriate for game equivalence

  47. Chosen-ciphertext security • A gets public key • A submits ciphertexts and receives decryptions • A submits two messages m0, m1 and receives either  = Encr(mi) for i=1 or i=2 • A submits ciphertexts   and gets decryptions • A guesses g = 0 or 1 • Score win if  = Encr(mg), else lose pk Key Gen sk Decrypt m0, m1 choose i=0,1 ? mi Encrypt(mi) Encrypt i =

  48. Compositionality • Property of observational equiv A  B C  D A|C  B|D similarly for other process forms

More Related