Security and verification
Lecture 4: Cryptography proofs in context. Tamara Rezk, INDES team, INRIA, January 24th, 2012. Questions of today: what can fail when encryption is put in larger program contexts, and how can it be verified automatically?


SECURITY AND VERIFICATION

Lecture 4: Cryptography proofs in context

Tamara Rezk

INDES TEAM, INRIA

January 24th, 2012


QUESTIONS OF TODAY

What can fail when encryption is put in larger program contexts?

How to automatically verify it?


Security relying on CPA?

x := E(s, y)

ke, kd := Ge(); k'e, k'd := Ge(); y := E(x, ke); x' := D(y, k'd)

ke, kd := Ge(); y := E(x, ke); y' := E(kd, ke)

ke, kd := Ge(); k'e, k'd := Ge(); if (y = 0) then {ke := k'e} else {skip}; y' := E(x, ke)


Security relying on CPA?

x := E(s, y)

The program is not secure if y is not an encryption key produced by the key generation function: the CPA guarantee only covers keys output by Ge().


Security relying on CPA?

ke, kd := Ge(); k'e, k'd := Ge(); y := E(x, ke); x' := D(y, k'd)

The program is not secure if the decryption key does not match the encryption key: y was produced under ke but is decrypted with k'd, which belongs to a different key pair.


Security relying on CPA?

ke, kd := Ge(); y := E(x, ke); y' := E(kd, ke)

The CPA property says nothing about the case where the adversary is given the decryption key, even in encrypted form. This is called a key cycle.

A key cycle occurs when the decryption key is encrypted with the corresponding encryption key.

A longer key cycle: E(E(kd, k'e), ke), where kd is again encrypted, through one more layer, under its own matching key ke.


Security relying on CPA?

ke, kd := Ge(); k'e, k'd := Ge(); if (y = 0) then {ke := k'e} else {skip}; y' := E(x, ke)

If y can hold the value 0 then the encryption key is swapped for k'e. In that case a decryption x := D(y', kd) may fail, since y' was encrypted under k'e rather than ke.


Security relying on CPA?

Even if we use encryption schemes that are proved to be resistant to chosen plaintext attacks, we still need to check that:

  • keys are correctly generated

  • the decryption key is not leaked to the adversary

  • there are no key cycles

  • there is no accidental leak of private information to the adversary

  • different encryption schemes are not mixed


Security relying on CPA

We will state formally the desired security property and then see an automatic verification method:

  • Property: computational non-interference

  • Method (static): a type system


Computational Non-Interference for V (CNI)

CNI = b := {0,1};
      I;
      if (b = 0) then {B0} else {B1};
      P; A

The adversary A has no access to the variables written in Bi, nor to b. It has access to the variables V written in I.

I only writes variables in V. Bi only writes variables outside V. A program P is CNI for the variables V if, for all I, Bi and A, the advantage of A in guessing b is negligible in the security parameter.


CNI example

CNI = b := {0,1};
      I;
      if (b = 0) then {x := 1} else {x := {0,1}};
      g := x; A

The program "g := x" is not CNI for V = {g}: the adversary cannot see x, but can see g, and g = 0 is only possible when b = 1.


CNI example

CNI = b := {0,1};
      I;
      P[A]

A program P[A] with the adversary placed inside it is CNI if neither the adversary nor the program P has access to b.
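For programs whose only randomness is x := {0,1}, the CNI game can be evaluated exactly by enumerating every outcome. The following is an added example, not code from the lecture: it encodes the game b := {0,1}; I; if (b = 0) then {B0} else {B1}; P; A, checks the side conditions on I and Bi, computes the advantage of the best possible adversary from the two distributions of the low view (one per value of b), and evaluates the context of the previous slide with P = g := x (not CNI) against P = y := x + 1 with y outside V. The AST encoding, the function names and the adversary strategy guess_from_g are assumptions of this example.

```python
"""Added example (not the lecture's code): exact evaluation of the CNI game
for programs whose only randomness is x := {0,1}, by enumerating every outcome
with exact fractions.  The AST encoding, the adversary strategies and the test
programs are assumptions of this example."""
from fractions import Fraction


def eval_expr(env, e):
    """Expressions: ("val", n) | ("var", x) | ("op", "+" or "=", [e1, e2])."""
    if e[0] == "val":
        return e[1]
    if e[0] == "var":
        return env[e[1]]
    a, b = (eval_expr(env, arg) for arg in e[2])
    return a + b if e[1] == "+" else int(a == b)


def run(env, c):
    """All (final environment, probability) outcomes of command c started in env.
    Commands: ("skip",) | ("assign", x, e) | ("coin", x) for x := {0,1} |
    ("if", e, c1, c2) | ("seq", [c1, ...]).  (No while: a loop over coins
    need not terminate, so it cannot be enumerated this way.)"""
    kind = c[0]
    if kind == "skip":
        return [(env, Fraction(1))]
    if kind == "assign":
        return [({**env, c[1]: eval_expr(env, c[2])}, Fraction(1))]
    if kind == "coin":
        return [({**env, c[1]: v}, Fraction(1, 2)) for v in (0, 1)]
    if kind == "if":
        return run(env, c[2] if eval_expr(env, c[1]) else c[3])
    if kind == "seq":
        outs = [(env, Fraction(1))]
        for s in c[1]:
            outs = [(e2, p * q) for e1, p in outs for e2, q in run(e1, s)]
        return outs
    raise ValueError(f"bad command {c!r}")


def writes(c):
    """Variables a command may write; used to check the CNI side conditions."""
    if c[0] in ("assign", "coin"):
        return {c[1]}
    if c[0] == "if":
        return writes(c[2]) | writes(c[3])
    if c[0] == "seq":
        return set().union(*(writes(s) for s in c[1]))
    return set()


def view_distribution(V, I, Bb, P):
    """Distribution of what the adversary sees (the variables in V) after I; Bb; P."""
    dist = {}
    for env, p in run({}, ("seq", [I, Bb, P])):
        view = tuple(sorted((v, env[v]) for v in V if v in env))
        dist[view] = dist.get(view, Fraction(0)) + p
    return dist


def best_advantage(V, I, B0, B1, P):
    """|Pr[g = b] - 1/2| for the best adversary in CNI = b := {0,1}; I;
    if (b = 0) then {B0} else {B1}; P; A.  The best guess for a view is the b
    under which that view is likelier, so the success probability is
    1/2 + SD/2 with SD the statistical distance of the two view distributions."""
    V = set(V)
    assert writes(I) <= V, "I may only write variables in V"
    assert not (writes(B0) | writes(B1)) & V, "B0, B1 may only write outside V"
    d0, d1 = view_distribution(V, I, B0, P), view_distribution(V, I, B1, P)
    sd = sum((abs(d0.get(v, 0) - d1.get(v, 0)) for v in set(d0) | set(d1)), Fraction(0)) / 2
    return sd / 2


def cni_success(V, I, B0, B1, P, adversary):
    """Pr[adversary(view) = b] for one concrete adversary (a function of the view dict)."""
    total = Fraction(0)
    for b, Bb in ((0, B0), (1, B1)):
        for view, p in view_distribution(set(V), I, Bb, P).items():
            if adversary(dict(view)) == b:
                total += p
    return total / 2


# The slide's context: I = skip, B0 = x := 1, B1 = x := {0,1}, V = {g}.
X, ONE = ("var", "x"), ("val", 1)
I, B0, B1 = ("skip",), ("assign", "x", ONE), ("coin", "x")
LEAKY = ("assign", "g", X)                            # g := x, not CNI for V = {g}
HIGH_ONLY = ("assign", "y", ("op", "+", [X, ONE]))    # y := x + 1 with y outside V


def guess_from_g(view):
    """g = 0 can only arise from B1 (b = 1); on g = 1 guess the likelier b = 0."""
    return 1 if view.get("g") == 0 else 0


if __name__ == "__main__":
    print("g := x     best adversary's advantage:", best_advantage({"g"}, I, B0, B1, LEAKY))
    print("g := x     success of guess_from_g:   ", cni_success({"g"}, I, B0, B1, LEAKY, guess_from_g))
    print("y := x+1   best adversary's advantage:", best_advantage({"g"}, I, B0, B1, HIGH_ONLY))
```

For g := x the best adversary's advantage is 1/4 (success 3/4) and the concrete strategy guess_from_g reaches it; for y := x + 1 it is exactly 0, which is the "Pr[CNI(P); g = b] = 1/2" of the lemma later in the lecture for programs typed without ENC or GEN. Real CNI quantifies over polynomial-time adversaries and asks only for negligible advantage; the exhaustive enumeration here is possible because the programs are tiny and carry no cryptography.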


Types

A type T consists of a data type t and a security level l:

T := t(l)

l := L | H with L ≤ H

t := DATA | ENC T k | KE T k | KD T k

k := K | K1 | K2 | …

ENC T k is a ciphertext, KE T k an encryption key and KD T k a decryption key, all for key label k and plaintext type T.


Typing rules

A typing rule is of the form:

constraints
-----------------------------------
F ├ command : l

constraints
-----------------------------------
F ├ expression : t(l)

where F is a mapping from variables to types. The level of a command is a lower bound on the levels of the variables it writes.


Typing rules

Typing rules for expressions:

-----------------------------------
F ├ v : DATA(L)

-----------------------------------
F ├ x : F(x)

F ├ ei : DATA(li)    l = ⊔ li
-----------------------------------
F ├ op(e1, …, en) : DATA(l)


Typing rules

Typing rule for a value expression (VAL):

-----------------------------------
F ├ v : DATA(L)

Values are always typed as public DATA. For example:

F ├ 0 : DATA(L)


Typing rules

Typing rule for a variable expression (VAR):

-----------------------------------
F ├ x : F(x)

Variables are typed according to the map F.

If F(y) = ENC DATA(L) K (L)

then F ├ y : ENC DATA(L) K (L)


Typing rules

Typing rule for an operation expression (OP):

F ├ ei : DATA(li)    l = ⊔ li
-----------------------------------
F ├ op(e1, …, en) : DATA(l)

Operations on expressions are always of type DATA. The security level is the join of the security levels of the parameters. For example:

If F(y) = DATA(H) then F ├ y + 3 : DATA(H)

If F(y) = ENC DATA(L) K (L) then y + 3 is not typable: operations do not apply to ciphertexts or keys.


Typing rules

Typing rule for the assignment command (AS):

F(x) = t(l)
F ├ e : t(l')
l' ≤ l
-----------------------------------
F ├ x := e : l

The typing rule prevents explicit information leakage. For example, if F(x) = DATA(L) and F(y) = DATA(H) then x := y is not typable but y := x is:

F ├ y := x : H

The typing rule also prevents a violation of the data type with respect to the cryptographic types. For example, if F(x) = DATA(L) and F(y) = KE DATA(L) K (L) then neither x := y nor y := x is typable.

Notice that in this rule there is NO INFORMATION FLOW from high (H) to low (L).


Typing rules

Typing rule for the if command (IF):

F ├ e : DATA(l)
F ├ P1 : l1
F ├ P2 : l2
l ≤ l1 ∩ l2
-----------------------------------
F ├ if e then P1 else P2 : l

The typing rule prevents implicit flows of information. For example, if F(y) = DATA(H) and F(x) = DATA(L) then

if y = 1 then x := 1 else x := 0 is not typable.


Typing rules

Typing rule for the while command (WHILE):

F ├ e : DATA(l)
F ├ P : l1
l ≤ l1
-----------------------------------
F ├ while e P : l

The typing rule prevents implicit flows of information. For example, if F(y) = DATA(H) and F(x) = DATA(L) then a loop with a low guard and a high body is typable:

F ├ while x = 1 (y := y + 1) : L

whereas while y = 1 (x := x + 1), whose guard is high and whose body writes a low variable, is not.


Typing rules

Typing rule for a probabilistic function command (PROBFUN):

F(xi) = DATA(li)
l = ∩ li
F ├ yi : DATA(li')
li' ≤ l
-----------------------------------
F ├ x1, x2, … := f(y1, y2, …) : l

The probabilistic function {0,1} has no parameters and is trivially typable: if F(x) = DATA(l) then F ├ x := {0,1} : l.

If F(ke) = KE T K (L) and F(kd) = KD T K (L) then ke, kd := Ge() is not typable: PROBFUN requires DATA results, and the GEN rule below requires the decryption key at level H.


Typing rules

Typing rule for sequence (SEQ):

F ├ c1 : l
F ├ c2 : l'
-----------------------------------
F ├ c1; c2 : l ∩ l'

A sequence is typable if all its subcommands are typable; its level is the meet of their levels.


An example

Typing derivation for the program x := 1; y := x + 1:

                                   F(x) = t'(l'')
                                   ---------------- VAR   --------------- VAL
  F(x) = t(l)                      F ├ x : t'(l'')        F ├ 1 : DATA(L)
  F ├ 1 : DATA(L)                  -------------------------------------- OP   (t' = DATA)
  L ≤ l                            F ├ x + 1 : t'(l'')
  ---------------- AS              -------------------------------------- AS   (F(y) = t'(l'),  l'' ≤ l')
  F ├ x := 1 : l                   F ├ y := x + 1 : l'
  --------------------------------------------------------------------------- SEQ
  F ├ x := 1; y := x + 1 : l1

To see that the program is typable, solve the constraints collected along the derivation:

  l1 = l ∩ l'

  F(x) = t(l) and F(x) = t'(l''), so t = t' and l = l''

  F(y) = t'(l') and t' = DATA

  l'' ≤ l', i.e. l ≤ l'

For instance F(x) = DATA(L), F(y) = DATA(H) satisfies them, with l = L, l' = H and l1 = L ∩ H = L.




Typing rules

Typing rule for key generation (GEN):

F(ke) = KE T K (L)
F(kd) = KD T K (H)
-----------------------------------
F ├ ke, kd := Ge() : L

Notice that the type T and the key label K must coincide for the two keys of a pair, and that the decryption key is always high.

A key generation command can also be typed by the PROBFUN rule, if the types of ke and kd are DATA:

F(ke) = DATA(L)
F(kd) = DATA(H)
-----------------------------------PROBFUN
F ├ ke, kd := Ge() : L

In that case the keys are ordinary data and cannot be used by the ENC rule.


Typing rules

Typing rule for encryption (ENC):

F(ke) = KE t(H) K (L)
F(x) = ENC t(H) K (L)
F(y) = t(H)
-----------------------------------ENC
F ├ x := E(y, ke) : L

Notice that in this rule there IS INFORMATION FLOW from high (H) to low (L): a high plaintext becomes a low ciphertext. If the encryption scheme is CPA, it is "secure" to allow it.

If there is no flow of information, encryption can still be typed by PROBFUN:

F(ke) = DATA(L)
F(x) = DATA(L)
F(y) = DATA(L)
-----------------------------------PROBFUN
F ├ x := E(y, ke) : L
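The rules above can be mechanised directly. The following is an added example, not code from the lecture: a small Python checker for the typing rules on these slides (VAL, VAR, OP, AS, IF, WHILE, PROBFUN, SEQ, GEN, ENC) together with condition 3 of the theorem that follows (each key label used in at most one GEN command), run over the slides' own example programs. The tuple AST encoding (for instance ("assign", "x", e)), the helper names check and typable, and the typings F chosen for the examples are assumptions of this example; the rules are transcribed from the slides.

```python
"""Added example (not the lecture's code): a checker for the slides' typing rules
(VAL, VAR, OP, AS, IF, WHILE, PROBFUN, SEQ, GEN, ENC) plus theorem condition 3,
that each key label is generated at most once.  The AST encoding and the
typings F of the example programs are assumptions of this example."""

L, H = "L", "H"
DATA = ("DATA",)

def leq(a, b): return a == L or b == H          # the two-point lattice L <= H
def join(ls): return H if H in ls else L
def meet(ls): return L if L in ls else H

class NotTypable(Exception): pass

def type_expr(F, e):
    """Full type (t, l) of an expression.  Data types t: ("DATA",), ("ENC", T, k),
    ("KE", T, k), ("KD", T, k), with T itself a full type such as (DATA, H)."""
    if e[0] == "val":                           # VAL: constants are DATA(L)
        return (DATA, L)
    if e[0] == "var":                           # VAR: F(x)
        return F[e[1]]
    levels = []                                 # OP: DATA arguments, join of levels
    for arg in e[2]:
        t, l = type_expr(F, arg)
        if t != DATA:
            raise NotTypable(f"operator {e[1]} applied to non-DATA {arg}")
        levels.append(l)
    return (DATA, join(levels))

def probfun(F, outs, args):                     # PROBFUN: DATA results, l = meet li
    if any(F[x][0] != DATA for x in outs):
        raise NotTypable(f"PROBFUN results {outs} are not all DATA")
    l = meet([F[x][1] for x in outs])
    for a in args:                              # every argument DATA(l') with l' <= l
        t, la = type_expr(F, a)
        if t != DATA or not leq(la, l):
            raise NotTypable(f"PROBFUN argument {a} cannot flow to level {l}")
    return l

def type_cmd(F, c, gens):                       # level of c; gens counts GEN uses per label
    kind = c[0]
    if kind == "skip":
        return H
    if kind == "assign":                        # AS: same data type, l' <= l
        t, l = F[c[1]]
        te, le = type_expr(F, c[2])
        if te != t or not leq(le, l):
            raise NotTypable(f"{c[1]} := {c[2]}: type mismatch or flow {le} -> {l}")
        return l
    if kind in ("if", "while"):                 # IF, WHILE: guard level <= bodies' meet
        t, l = type_expr(F, c[1])
        lb = meet([type_cmd(F, body, gens) for body in c[2:]])
        if t != DATA or not leq(l, lb):
            raise NotTypable(f"implicit flow: guard {l}, body {lb}")
        return l
    if kind == "seq":                           # SEQ: meet of the parts
        return meet([type_cmd(F, s, gens) for s in c[1]])
    if kind == "gen":                           # ke, kd := Ge(): GEN, else PROBFUN
        (tke, lke), (tkd, lkd) = F[c[1]], F[c[2]]
        if (tke[0], tkd[0], lke, lkd) == ("KE", "KD", L, H) and tke[1:] == tkd[1:]:
            gens[tke[2]] = gens.get(tke[2], 0) + 1
            return L
        return probfun(F, [c[1], c[2]], [])
    if kind == "enc":                           # x := E(y, ke): ENC, else PROBFUN
        _, x, y, ke = c
        (tke, lke), (tx, lx), Ty = F[ke], F[x], F[y]
        if (tke[0], tke[1], lke) == ("KE", Ty, L) and Ty[1] == H \
                and (tx, lx) == (("ENC", Ty, tke[2]), L):
            return L                            # the one permitted H -> L flow
        return probfun(F, [x], [("var", y), ("var", ke)])
    raise NotTypable(f"bad command {c!r}")

def check(F, P):
    """Level of P if it is typable with F and no key label is generated twice."""
    gens = {}
    l = type_cmd(F, P, gens)
    reused = [k for k, n in gens.items() if n > 1]
    if reused:
        raise NotTypable(f"key labels generated more than once: {reused}")
    return l

def typable(F, P):
    try: return check(F, P) in (L, H)
    except NotTypable: return False

# The slides' examples under constructed typings F (an assumption of this example).
X, Y, ONE = ("var", "x"), ("var", "y"), ("val", 1)
F_DATA = {"x": (DATA, L), "y": (DATA, H)}
T = (DATA, H)                                   # plaintext type carried by key label K
F_CRYPTO = {"ke": (("KE", T, "K"), L), "kd": (("KD", T, "K"), H), "y": T, "x": (("ENC", T, "K"), L)}
EXAMPLES = {
    "x:=1; y:=x+1": (F_DATA, ("seq", [("assign", "x", ONE), ("assign", "y", ("op", "+", [X, ONE]))])),
    "x:=y": (F_DATA, ("assign", "x", Y)),
    "if y=1 then x:=1 else x:=0": (F_DATA, ("if", ("op", "=", [Y, ONE]), ("assign", "x", ONE), ("assign", "x", ("val", 0)))),
    "while x=1 (y:=y+1)": (F_DATA, ("while", ("op", "=", [X, ONE]), ("assign", "y", ("op", "+", [Y, ONE])))),
    "ke,kd:=Ge(); x:=E(y,ke)": (F_CRYPTO, ("seq", [("gen", "ke", "kd"), ("enc", "x", "y", "ke")])),
    "ke,kd:=Ge(); x:=E(kd,ke) (key cycle)": (F_CRYPTO, ("seq", [("gen", "ke", "kd"), ("enc", "x", "kd", "ke")])),
    "ke,kd:=Ge(); ke,kd:=Ge() (label reused)": (F_CRYPTO, ("seq", [("gen", "ke", "kd"), ("gen", "ke", "kd")])),
}

if __name__ == "__main__":
    for name, (F, P) in EXAMPLES.items():
        print(f"{name:42} {'typable at ' + check(F, P) if typable(F, P) else 'not typable'}")
```

The key cycle from the first slides, x := E(kd, ke), is rejected because ENC would need ke to carry the plaintext type of kd, i.e. KE (KD T K)(H) K, while GEN gave it KE T K, and PROBFUN cannot type a non-DATA result; a leak such as z := kd with z : DATA(L) is rejected by AS on the data type alone. These are exactly the checks listed on the "Security relying on CPA?" slide, now performed by the type system rather than by inspection.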


Theorem

If

1. program P is typable with F, F ├ P: l

2. all encryption schemes used in P are CPA

3. each key label K in F is used for at most one key generation command typed with GEN

then P is CNI for the set of L variables.

We will prove this using games.


Lemma

If

1. program P is typable with F, F ├ P : l

2. neither rule ENC nor GEN is used to type P

then P is CNI for the set of L variables. Furthermore Pr[CNI(P); g = b] = 1/2, where g is the adversary's guess: the advantage is not just negligible but exactly zero.

The theorem is a generalization of this lemma, and the lemma is used in the proof of the theorem.

The proof is by structural induction on P, using the game-based technique.


Proof of the lemma

CNI = b := {0,1};
      I;
      if (b = 0) then {B0} else {B1};
      P; A

We first prove the base cases, where P is a single command.


Case P = x := e

CNI = b := {0,1};
      I;
      if (b = 0) then {B0} else {B1};
      x := e; A

Two cases to analyze: either F(x) = t(L) or F(x) = t(H).


If F(x) = t(H), then x is not in V, so x := e can be moved into both branches (the transformation the lecture calls subexpression elimination): the program is unchanged, since x := e runs right after the branch either way, and Bi; x := e still writes only variables outside V. We obtain a valid CNI game:

CNI1 = b := {0,1};
       I;
       if (b = 0) then {B0; x := e} else {B1; x := e};
       A

Since the adversary has no access to the variables written in Bi, dead code elimination removes the whole conditional:

CNI2 = b := {0,1};
       I;
       A

and CNI1 ≈g CNI2. In CNI2 nothing the adversary sees depends on b, so by the semantics its probability of guessing b is exactly 1/2. End of the case F(x) = t(H).


If F(x) = t(L), then by the assignment rule there is no flow from high to low, so e contains only low variables, which Bi does not write. Hence x := e can be moved in front of the conditional, into I (code motion: swap); since x is in V, the context I; x := e still writes only variables in V. We obtain a valid CNI game:

CNI1 = b := {0,1};
       I; x := e;
       if (b = 0) then {B0} else {B1};
       A

Since the adversary has no access to the variables written in Bi, dead code elimination removes the conditional:

CNI2 = b := {0,1};
       I; x := e;
       A

and CNI1 ≈g CNI2. By the semantics the probability of the adversary guessing b is exactly 1/2. End of the case F(x) = t(L).


Case P = if e then P1 else P2

CNI = b := {0,1};
      I;
      if (b = 0) then {B0} else {B1};
      if e then P1 else P2; A

If the command is typed L, then by the expression typing rules all variables in e are L, and Bi writes none of them. Hence in each execution of CNI the value of e is determined by I alone, independently of b. We do two transformations, one for when e is true and one for when it is false (the false case is analogous).

If the value of e is true, the CNI game is equivalent to CNI1:

CNI1 = b := {0,1};
       I;
       if (b = 0) then {B0} else {B1};
       P1; A

and we conclude by the inductive hypothesis on P1.

Other cases as exercise.




Proof sketch of the theorem

We eliminate one key label K at a time to obtain P\K, which encrypts 0 in place of each message m that P encrypts under K. We show that P\K is typable without the encryption rules, so by the lemma the adversary's success in CNI(P\K) is exactly 1/2.

To relate P and P\K, we replace in P each encryption under K by a call to the CPA oracle E, obtaining P*, which encrypts either m or 0 according to the oracle's hidden bit b:

CPA(P*) = b := {0,1}; ke, kd := G(); b1 := {0,1}; I;
          if (b1 = 0) then B0 else B1; P*; A; if b1 = g1 then g := 1 else g := 0

Here b1 and g1 are the bit and the guess of the CNI game, and g is the guess of the CPA adversary built around I, Bi, P* and A: it outputs 1 exactly when A guesses b1 correctly. If A had a non-negligible advantage against P but, by the lemma, none against P\K, this CPA adversary would distinguish the two values of the oracle bit, contradicting CPA security.


For example, if P is x := E(y, ke) then P* is

x0 := 0; x1 := y; E; x := c

where the oracle E returns c, the encryption under ke of x0 or of x1 depending on its hidden bit, and P\K is

x := E(0, ke)


Reading

  • Slides and exercises: www-sop.inria.fr/members/Tamara.Rezk/teaching

  • Semantics and Program Analysis of Computationally Secure Information Flow – Laud

  • Cryptographically sound implementations for typed information-flow security – Fournet, Rezk

