Protocoles cryptographiques (II)

1 / 89

# Protocoles cryptographiques (II) - PowerPoint PPT Presentation

Protocoles cryptographiques (II). Cédric Fournet Microsoft Research. This lecture. An overview of the applied pi calculus Motivation, syntax, semantics, … Some cryptographic primitives and protocols Observational equivalences A simple Diffie-Hellman key exchange protocol

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about 'Protocoles cryptographiques (II)' - franz

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### Protocoles cryptographiques (II)

Cédric FournetMicrosoft Research

This lecture
• An overview of the applied pi calculus
• Motivation, syntax, semantics, …
• Some cryptographic primitives and protocols
• Observational equivalences
• A simple Diffie-Hellman key exchange protocol
• A “real-world” protocol: Just Fast Keying
• Session establishment in IPSEC
• An overview of JFK & its design goals
• Modelling JFK in applied pi calculus
• Main security properties

### The applied pi calculus

Based on joint work with Martin Abadi:Mobile Values, New Names, and Secure Communications

A case for impurity
• In foundational calculi (pi, lambda), purity often comes before convenience & faithfulness.
• In applications, ad hoc extensions are often required: integers, strings,… , I/O,… , cryptography,…
• Extensions can sometimes be encoded, at some cost (complicated reasoning, ugly properties).
• Many results are first stated and proved in a pure setting, then proved again and again for extensions.
Security in the pi calculus ?
• Domain: security protocols,with interactions between cryptographic computations, controlled usage of secrets, and communications.
• Process calculi are useful for such protocols, e.g.,
• Pi calculus, to reason on high-level security properties.
• Spi calculus [Abadi&Gordon], to tackle some cryptography.
• Still, there is a gap between typical security specifications(e.g. RFCs) and what can be represented in those calculi.
The applied pi calculus
• Parameterise the pi calculus with computations on values.
• Keep communications and scopes!
• Uniformly develop equivalences and proof techniques.
Syntax for processes

Processes are those of the plain pi calculus.

Communicated values are terms, rather than names.

The calculus is parameterized by an equational theory for terms.

Syntax for terms

We assume given:

• a signature: a set of function symbols with an arity;
• a sort system;
• an equational theory:
• an equivalence relation (=) on terms;
• closed by substitutions of terms for variables;
• closed by one-to-one substitutions on names.

We distinguish three similar notions: constants, names, variables.

Example: pairs
• A constructor function “cons”, written (M,N)
• Two selector functions, written fst(M) and snd(M)
• The equations

+ all equations obtained by reflexivity, symmetry, transitivity, and substitutions.

Similarly, we can model tuples, arrays, lists, …

Shared-key cryptography
• To model shared-key cryptography, we can use two binary functions related with:
• We can use restricted names as keys (or not)
• This is much as the spi calculus.

For each variant of the spi calculus, one can select an equational theory that yields an applied pi calculus with the same reductions.

Operational semantics

We use a standard chemical-style semantics:

• reduction step (!) contains the rules

closed by structural equivalence & application of evaluation contexts.

• structural equivalence (´) is defined as usual, and also closed by equality on terms.
Token-based authentication
• The name s in the pair acts as a capability for the forwarding.
• Expected behaviour:

using the equations

Token-based authentication ?
• The name s in the pair acts as a capability for the forwarding.
• Expected behaviour:
• The token is not protected; we can representan (obvious) interception attack as the context I:
Cryptographic hash
• A one-way, collision-free hash functionis modelled as a constructor “h”with no equation.
• Example: message authentication code (MAC)
• A sends a hash code that depends on the secret.(The secret is not communicated.)
• B checks the authenticity of the received messageby recomputing its hash code.
• Attackers cannot produce another valid hash code.
Scope restriction for terms
• In the plain pi calculus,
• new restricted names can be created;
• scope restrictions nicely disappear when those names are passed to the environment (“scope extrusion”).
Scope restriction for terms
• In the plain pi calculus,
• With terms instead of names, scope restriction gets more interesting:
• How to represent the result of sending an opaque term?
• The environment can accumulate partial knowledgeon restricted names, and use it later.
• The problem already occurs in the spi calculus,when sending messages encrypted with a restricted key.[Abadi Gordon, Boreale deNicola Pugliese]
Scope restriction for terms
• In the plain pi calculus,
• With terms instead of names, scope restriction gets more interesting:
• How to represent the result of sending an opaque term?
• We extend processes with active substitutions that keep track of the values passed to the environment.
Substitutions as processes
• Active substitutions map distinct variables to terms
• They may appear under restrictions (not under guards)
• They operate on the environment.
• They represent terms passed to the environment“by reference”, much as a floating let x = M in …

(There are well-formed conditions for extended processes.)

Operational semantics
• Structural equivalence ´ is extended with rules for active substitutions (reduction is defined as before).
Substitutions as processes (2)
• Every closed extended process can be put in a normal form that separates its static and dynamic parts
• The static part operates only on the environment
• The dynamic part P is an ordinary processthat describes communications
• These two parts can share some restricted names

(However, “flattening” processes is not necessarily a good idea.)

Cryptographic hash, again
• Using active substitutions, we can represent a processthat has MACed several messages using the secret s:
• What an attacker can effectively do with x and ydepends on the equational theory being considered.
More encryption primitives
• To model shared-key cryptography, we used two binary functions related with:
• There are many variants of encryption primitives,with diverse properties
• Symmetric or not?
• Detection of decryption errors?
• Which-key concealing?
• We can select equations accordingly
Asymmetric encryption
• To model public-key cryptography, we generate public- and private-keys from a seed:
• Using active substitutions, we can write a process that exports the public key and keeps the private key secret:
• We can add “troublesome” equations for security protocols,for instance reflecting a typical weakness of RSA encryption:
Non-deterministic encryption
• To model probabilistic cryptography,we may add a third argument to the encryption function:
• With this variant, consider the protocol:

Without access to the decryption key, an attacker cannotdetect whether the underlying plaintexts are identical

### Observational Equivalence

How to compare applied pi processes?

Observational equivalence
• Our basic observation predicate, written A+a , tests whetherthe process A can send a message on the free channel a.
• Barbed Congruence (¼) is the largest symmetric relation between closed extended processes defining the same variables such that A ¼ B implies:
• if A+a , then B+a
• if A!*A’ then B !*B’ andA’ ¼B’
• for all evaluation contexts C[_], we haveC[A] ¼C[B]
• Many security properties can be expressed usingobservational equivalences (attackers = evaluation contexts).
• How to prove such properties?
Secrecy by equivalence
• With symmetric encryption,consider the simplistic protocol

The attacker observes a fresh, “opaque” message,apparently unrelated to the term M

The process on the right is simpler & more abstract

Secrecy by equivalence (2)
• With asymmetric encryption, this doesn’t work!

The attacker can guess the term M, then verify it

If M is a “weak secret”, such as a password,then this reflects a dictionary attack

Secrecy by equivalence (3)
• With non-deterministic encryption,we do have strong secrecy properties, e.g.

The attacker observes two unrelated fresh values

The attacker learns nothing on M ,and cannot detect that x is an encryption

Equivalence for frames ?
• Frames are extended processes that only consist ofactive substitutions and restrictions.What is equivalence for frames?
• Consider two functions f and g, no equations, and frames:
• 0and1 have the same observable behaviour: they provide two fresh, apparently independent values
• 2 is visibly different: y = f(x)with 2only.
Static equivalence (definition)
• We write when the terms and areequal in the theory after alpha-conversion and substitution.
• Two frames are statically equivalentwhen they agree for all term comparisons:

Two extended processes are statically equivalentwhen their frames are equivalent.

Static equivalence (properties)
• Static equivalence is closed by ´, !, C[_].
• For extended processes,observational equivalence is finer than static equivalence.
• For frames, static equivalence and observational equivalence coincide.

Hence, we can uniformly lift equational propertiesfrom (restricted) terms to (extended) processes.

We use special evaluation contexts instead of frame comparisons:

Labelled semantics
• Can we characterize observational semanticsusing labelled transitions?
• A good technical test for the calculus
• Standard, effective proof techniques
• No quantification over all contexts.
• Proofs “up to active substitutions”
• We have two such labelled semanticsthat refine static equivalence.
• Theorem: for any equational theory,the labelled and observational semantics coincide.

However, the generalization of the pi calculus LTS with scope extrusion (exporting terms instead of names) yields a labelled semantics that “sees through” all term constructors and discriminates too much.

A labelled semantics

Example transitions
• Labelled transitions systematically pass values by aliasing them to fresh variables.
• The environment can use these values indirectly,by forming terms that contain these variables.

### Diffie-Hellman key exchange

a classic protocol example

Diffie-Hellman
• A cryptographic protocol for creating a shared secret between two parties, e.g. establishing a session key.
• The two parties communicate over a public network,in the presence of a passive attacker
• The protocol relies on large exponentials,with the associative equation:
Diffie-Hellman exchange

i

r

We get “perfect forward secrecy”:the values are unrelated

exponentials

encryptedmessages

Diffie-Hellman in applied pi

i

r

exponentials

encryptedmessages

Diffie-Hellman in applied pi
• Processes Ai, Ar represent the initial state.
• Processes Pi, Pr represent the final statewith free variable for the shared key.
• Auxiliary substitutions account for the messagesbeing exchanged and the shared key .
Diffie-Hellman in applied pi
• A normal run consists of two reduction steps:
• A passive attacker intercepts both messages and forwards those messages unchanged, leading to the final state:
• We use an auxiliary frame that records messages and computations:
A correctness property
• Specification:

1. The final processes share a “pure secret” = a fresh name

2. Intercepted messages are “pure noise” = fresh names

• Theorem:
Perfect forward secrecy
• We can forget about the key establishment protocol:the key freshness & secrecy do not depend on its use
• Examples:
• Send a first message
• Reveal the keyto the environment
Summary (on applied pi)
• We develop a pi calculus parameterised by an equational theory for values.
• We obtain an expressive and flexible framework for reasoning on security protocols, which typically mix:
• creations of “fresh” values : “new” & scope extrusions
• various cryptographic operations :various equational theories
• communications :pi calculus
• We uniformly build tools to state and prove their properties (inspired by concurrency theory).
Many related works
• Complexity-theoretical analyses,focusing on the cryptographic operations.
• Higher-level presentations with black box cryptography, focusing on their usage in protocols.
• Trace models
• Process calculi
• the spi calculus [Abadi & Gordon]
• Labelled bisimilarity for cryptographic protocols [Boreale & De Nicola]
• Specific type systems for security
• Information control flow [Honda]
• Correspondence assertions [Gordon, Jeffrey]

### Just Fast Keying ?

Application to a “real-world” protocol

Session establishment
• Two parties want to open a secure session
• Telnet (SSH)
• Web connection (SSL, TLS)
• IP tunnel (VPN)
• Wireless network
• They need to
• Generate a shared secret (the “session key”)
• Agree on many parameters
• Verify each other’s identity
• Attackers might eavesdrop, delete, and insert messages, may impersonate principals,… in order to
• gain information
• confuse or hinder the participants
• This is a classical setting for cryptographic protocols
Building blocks (review)
• Shared-key encryption
• Cryptographic hash (HMAC)
• Diffie-Hellman computation
• Public-key signature
Two-round Diffie-Hellman

i

r

• Against active attackers,first create a shared key, then authenticate

exponentials

signatures

encryptedmessages

Some authentication

i

r

• The private key is a long-term secret used for signing
• The public key can be used by anyone to verify a signature
Complications
• Configuration
• Different security needs according to the application
• Many cryptographic algorithms to choose from
• Many flavours of authentication (PKIs)
• Different modes
• Concurrency
• Parallel sessions
• Various principals using several shared proxies
• Efficiency concerns
• Round-trips are expensive
• Cryptography can be expensive
• Session management
• Key derivation
• Rekeying
IKE and its successors
• IKE (Internet Key Exchange)
• Session management for IPSEC
• Quite secure
• Some concerns
• Too complicated
• Inefficient (too many messages & expensive operations)
• Poor resistance against denial of service
• The IETF is considering a successor for IKE,(now merging the different proposals into IKEv2)
• JFK (Just Fast Keying) is a simple proposal that incorporates several new mechanisms.http://www.ietf.org/internet-drafts/draft-ietf-ipsec-jfk-04.txt
Design goals for JFK
• Security

“The key should be cryptographically secure, according to standard measures of cryptographic security for key exchange”

• Simplicity
• Resistance to Memory DoS
• Resistance to CPU DoS
• Privacy

Identity protection for some parties,against some classes of attacks

• Efficiency
• Non-negotiated
• “Flexible” perfect forward secrecy

With reuse of exponentials

• Plausible deniability

Using JFK

a

responder

b

initiator

listen(A)

init(B,b’)

accept(a,k)

connect(b,k)

local

IP

local

The JFK protocol

The pair of nonces is unique to this session

Many keys can be derivedfrom the same exponentialsfor different usages

The JFK protocol

The responder uses an authenticator against DoS

The responder can check thatthe contents of msg 3 matches the contents of msg 1 & 2

The JFK protocol

Identities are always encrypted

Identities are never signed

### Some minor problems

Identity protection?
• Two flavours
• “JFKi protects id_i against active attacks”
• “JFKr protects id_r against active attacksand protects id_i against passive attacks”
• What is guaranteed? Does it make sense for the responder?This depends on relations between principals and roles
• Various leaks:
• An active attacker can get the initiator’s hint
• A passive attacker can perform traffic analysis
• A passive attacker can observe shared exponentials
• if exponentials are re-used by a single principal,all these sessions involve the same principal
• an active attacker (or an insider) may obtainthe identity for one of these sessions
• An active attacker can test the equality ofresponder authenticator keys
• arguably a passive attack
• fix: MAC the initiator exponential too
Non-negotiated?
• Usually, the cryptographic algorithms are negotiated:hash, encryption, certificates, compression, … Some algorithms are weak (legacy, legal…), or even nil.
• The protocol must (at least) authenticate the negotiation, and also relies on these operations for authentication! Cf. SSL
• “JFK is non-negotiated”: the responder demands specific algorithms, the initiator takes it or leaves it. Still…
• If the responder demands weak algorithms, no guarantees at all.
• What if the attacker modifies the responder’s demands?
• The session will fail, either immediately (the initiator rejects the demand) or after message 3 (the server detects the mismatch). Bad denial of service.
• If the initiator accepts a bad demand, her message 3 is not protected, and may reveal her identity.Bad identity protection (in JFKi)
• Fix in JFKi: sign the algorithm demand [Keromytis]
Caching message 3?
• The responder caches answers to identical message 3s
• More precisely, the responder should answer just oncefor every valid token received in a message 3.
• Otherwise, several attacks appear:
• There is a “blind” DOS attack that defeats the purpose of the authentication
• There is a (small) security failure:the same key may be used in many established sessions

### A model of JFK in applied pi

a

initiator

responder

b

local

IP

local

Public key signature
• To model public-key signature, we construct the public verification key form the private signing key:
• Using active substitutions, we can write a process that exports the public key, and keeps the signing key secret.
• We can also add equations for the attacker, rather than the protocol, e.g. key- and message-recovery:
Control actions
• We distinguish between
• principals (signers)
• JFK roles: initiator, responder (exponentials)
• We provide an “API” for using JFK

a

initiator

responder

b

local

IP

local

Providing more context
• We distinguish between
• principals (signers)
• JFK roles: initiator, responder (exponentials)
• We provide an “API” for using JFK

a

initiator

responder

b

local

IP

local

Providing more context (2)
• We distinguish between
• principals (signers)
• JFK roles: initiator, responder (exponentials)
• We provide an “API” for using JFK

a

initiator

responder

b

local

IP

local

Security properties ?
• Main results:
• In any state, the protocol can establish a secure session between compliant principals
• There are causality relations between control actions(aka authentication)
• When both protocols are compliant, the key is “secure”
• Stated independently of low-level messages
• Compliant principals are also part of the “attacker”
• Some identity protection
• Some DOS properties
• Some plausible deniability
Operational correctness
• The protocol uses internal steps:
• low-level communications
• tests after receiving messages

At the end of the protocol,we can use an observational equivalence to simplify the established keys.

We start from any reachable configuration of the protocol

(past & running sessions)

Each party gets the other’s identity & parameters, plus a shared key.

We end up exactly in the original configuration !In particular, kv is a perfect key.

Operational correctness
• We have a similar, more precise result for an attackerthat is temporarily passive on the network
• We model a passive attacker as an environment that gets messages and immediately put them back:
Operational correctness with eavesdropping

In addition, the environment can observe mostly-opaque messages, still unrelated to the session key.

Denial of service
• We characterize “round-trip communication” as a trace property:

and show an injective correspondence property from “expensive” responder steps to round-trips.

• The use of a token is a refinement, modelled as an equivalence
• The basic model uses local responder state after message 1 & 2
• The refined model uses the token instead

This is much like the parallel law for CCS

Plausible deniability
• What gets signed ?
• Authentication for an active party
• Deniability from some (data) evidence
• Example:
• a opens a session with e (which may not comply with JFK)
• Later, e tries to prove that a opened the session,from collected data.
• To refute e’s evidence, a must exhibit a trace where
• a never tries to open a session with e
• a complies with JFK
• e can still produce the same evidence
• Some plausible trace:
• a opens a session with a compliant be
• e is an active attacker that impersonates b
• a’s session fails, because e cannot produce b’s signature
• e can use the intercepted messages to build the same messages 1 and 3, so it can produce the same evidence too.
Plausible deniability
• Can be expressed as the existence of another tracewith the same outcome, up to static equivalence
Conclusions
• JFK
• is a rather nice protocol (well-written)
• is message-centric
• is often imprecise
• We had to interpret the specand supplement it with a “service API”
• We found several minor issues
• Writing down a precise definition for the intendedproperties of the protocol is difficult
• The applied pi calculus
• is a rather nice process calculus for network protocols
• represents powerful attackers as contexts
• Parallel session
• Both low-level and high-level (aka insider attacks)
• can be used to express a variety of security properties

… and to prove them compositionally

Questions?

References

Mobile Values, New Names, and Secure Communication (.ps)(.pdf), with Martín Abadi. Proceedings of the 28th ACM Symposium on Principles of Programming Languages (POPL'01), pages 104-115. January 2001.

Authentication Primitives and their Compilation (.ps)(.pdf), with Martín Abadi and Georges Gonthier. Proceedings of the 27th ACM Symposium on Principles of Programming Languages (POPL'00), pages 302-315. January 2000.

Secure Implementation of Channel Abstractions, with Martín Abadi and Georges Gonthier. To appear in Information and Computation. May 1999.

Diffie-Hellman in the pi calculus
• A normal run consists of two reduction steps:
Substitutions as processes (2)
• Locally, active substitutions and ordinary substitutionson processes are related by structural equivalence:
Labelled bisimilarity
• Labelled bisimilarity (¼l) is defined almost as usual: the largest symmetric relation such that A ¼ l B implies
• A ¼ s B
• if A * A’ , then B * B’ and A’ ¼ l B’ for some B’;
• if A a A’ and a has free variables in dom(A), and a has no bound names that are free in B,

then B *a * B’ and A’ ¼ l B’ for some B’.

• Labelled bisimilarity is observational equivalence: ¼l =¼
• Labelled bisimilarity has nice technical properties(e.g. proofs up to frame simplification).
Symbolic bisimulations (1/2)
• Message Output: active substitutions rely on “partial extrusion”, to deal with opaque terms.
• Message Input: the environment can supply arbitrary terms
• Infinite-branching transition systems
• Unbounded nesting of functions
• Infinite number of names
• Many different terms are uniformly handled by the protocol
• Symbolic inputs (and symbolic bisimulations) use insteadabstract “environment” variables for input terms [Huimin & Hennessy; Boreale].
Symbolic bisimulations (2/2)
• Symbolic inputs (and symbolic bisimulations) use instead abstract “environment” variables for input terms.
• Symbolic reductions introduce constraints on those variables.
• Equality between open terms
• Occur-checks on output variables (no causality loop)
• Constraints must be solvable to obtain concrete reductions.
A correctness property (3/3)
• Sketch of the proof:
• Static equivalence (not so easy: for all M and N…)
• Hence the process equivalence
• Apply an evaluation context + structural equivalence