
Towards Automated Security Proof for Symmetric Encryption Modes


Presentation Transcript


  1. Towards Automated Security Proof for Symmetric Encryption Modes. Martin Gagné, joint work with Reihaneh Safavi-Naini, Pascal Lafourcade and Yassine Lakhnech. 2nd Canada-France Workshop on Foundations & Practice of Security, June 27, 2009

  2. Motivation • Crypto protocols are becoming increasingly complicated • Verification is hard, and conditions are not always optimal • Sometimes, mistakes get through, e.g. OAEP

  3. Why use Automated Provers • Automated provers provide an alternative method for verifying the correctness of crypto protocols • Individual rules are easier to prove and verify than whole protocols • Increase confidence in the correctness of protocols

  4. Methodology • We propose a grammar that can be used to generate cryptographic protocols • Determine properties (invariants) that are relevant for proving security of protocols • Determine, and prove, rules to propagate invariants for each command in the grammar

  5. Proving Confidentiality • The traditional notion of security of encryption schemes is semantic security (indistinguishability of the ciphertexts of two chosen plaintexts) • Our prover does something stronger: it proves that the ciphertexts are indistinguishable from random bits

  6. Block Cipher vs Mode of Operation Block cipher: family of keyed functions with fixed input and output size

  7. Block Cipher vs Mode of Operation Block cipher mode of operation: algorithm to encrypt arbitrary length messages using a block cipher

  8. Our Grammar c ::= x ← U | x := e(y) | x := e^-1(y) | x := y ⊕ z | x := y || z | x := y[n,m] | x := y + 1 | c1; c2 (uniformly random assignment, block cipher application and its inverse, xor, concatenation, substring, increment, sequencing)

  9. Invariants • Indis(nx;V): x is indistinguishable from random given the values in V • E(e,x): the probability that x has been queried to e is negligible • F(x): x is a ‘fresh’ random value • Rcounter(x): x is the most recent value of a counter that started at a fresh random value

  10. Rules Random Assignment • (R1) {true} x ← U {F(x)} Lemma: F(x) implies Indis(nx;Var) and E(e,x) Increment • (I1) {F(y)} x := y+1 {Rcounter(x)} and {E(e,x)} and {Indis(ny;Var−x)} • (I2) {Rcounter(y)} x := y+1 {Rcounter(x)} and {E(e,x)}

  11. Rules (continued) Xor Operator • (X1) {Indis(ny;V,y,z)} x := y ⊕ z {Indis(nx;V,x,z)} • (X2) {Indis(ny;V,x,z)} x := y ⊕ z {Indis(ny;V,z)} • (X4) {F(y)} x := y ⊕ z {E(e,x)} Block Cipher • (B1) {E(e,y)} x := e(y) {F(x)} Generic Preservation • (G1) {Indis(nt;V)} c {Indis(nt;V)} if t is not in V, c is one of x ← U, x := y||z, x := y ⊕ z or x := e(y), and t is not x, y or z

  12. Example of Proof CBC encryption mode

  13. Example of Proof. Program for CBC (for 3 message blocks): IV ← U; z1 := IV ⊕ m1; c1 := e(z1); z2 := c1 ⊕ m2; c2 := e(z2); z3 := c2 ⊕ m3; c3 := e(z3)
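The following is an added worked example, not code from the slides or from the authors' prover. It covers slides 8 to 11 and 13 together: a parser for the grammar of slide 8 (in an assumed ASCII spelling: `x <- U`, `e^-1(y)`, `xor`, `||`, `y[n,m]`, `y + 1`), a symbolic checker that propagates only the F, E and Rcounter invariants of slide 9 with rules R1, the Lemma, X4, I1, I2 and B1, and a concrete interpreter that runs the same programs against a lazily sampled random permutation (the ideal-cipher view of slide 6) and counts block-cipher queries that repeat an earlier one, i.e. runs in which E(e,y) failed. Indis is deliberately not tracked, so the checker establishes the "every block-cipher input is a fresh query" part of a proof, not the full indistinguishability argument. Assumptions beyond the page: a 64-bit block size, the rule that an operand loses F/Rcounter once it is used and loses E(e,·) only when it is actually queried to e (the slides show no preservation rule for these), the CTR program written in the grammar, and the constructed message blocks.

```python
import random
import re

BLOCK_BITS = 64                                  # block size of the simulated cipher (constructed)
MASK = (1 << BLOCK_BITS) - 1

# Assumed ASCII spelling of the grammar on slide 8; commands are separated by ';' or newlines.
PATTERNS = [
    ("rand", re.compile(r"^(\w+) <- U$")),
    ("enc",  re.compile(r"^(\w+) := e\((\w+)\)$")),
    ("dec",  re.compile(r"^(\w+) := e\^-1\((\w+)\)$")),
    ("xor",  re.compile(r"^(\w+) := (\w+) xor (\w+)$")),
    ("cat",  re.compile(r"^(\w+) := (\w+) \|\| (\w+)$")),
    ("sub",  re.compile(r"^(\w+) := (\w+)\[(\d+),(\d+)\]$")),
    ("inc",  re.compile(r"^(\w+) := (\w+) \+ 1$")),
]

def parse(src):
    """Turn program text into (op, x, operands...) tuples."""
    cmds = []
    for line in filter(None, (s.strip() for s in re.split(r"[;\n]+", src))):
        for op, pat in PATTERNS:
            m = pat.match(line)
            if m:
                cmds.append((op,) + m.groups())
                break
        else:
            raise SyntaxError("not in the grammar: " + line)
    return cmds

def symbolic_fresh_queries(cmds):
    """Propagate F(x), E(e,x), Rcounter(x) with rules R1, Lemma, X4, I1, I2, B1 and
    report, for each query x := e(y), whether E(e,y) had been established.
    Indis is not tracked: this checks only the 'fresh query' part of a proof."""
    F, E, R, report = set(), set(), set(), {}
    for op, x, *ops in cmds:
        ops = [o for o in ops if not o.isdigit()]            # drop the n,m of y[n,m]
        y = ops[0] if ops else None
        fresh_operand = any(o in F for o in ops)              # premises: state before the command
        counter_base = op == "inc" and (y in F or y in R)
        query_ok = op == "enc" and y in E
        # Assumption (no preservation rule for F/Rcounter is on the slides): an operand
        # stops being fresh / the most recent counter once used; E(e,y) is lost only
        # when y is really queried to e; the assigned x loses its old invariants.
        for v in ops:
            F.discard(v); R.discard(v)
        if op == "enc":
            E.discard(y)
        F.discard(x); E.discard(x); R.discard(x)
        if op == "rand":                                      # (R1) {true} x <- U {F(x)}
            F.add(x); E.add(x)                                # Lemma: F(x) implies E(e,x)
        elif op == "xor" and fresh_operand:                   # (X4) {F(y)} x := y xor z {E(e,x)}
            E.add(x)
        elif op == "inc" and counter_base:                    # (I1)/(I2): Rcounter(x) and E(e,x)
            R.add(x); E.add(x)
        elif op == "enc":
            report[x] = query_ok
            if query_ok:                                      # (B1) {E(e,y)} x := e(y) {F(x)} + Lemma
                F.add(x); E.add(x)
    return report

class IdealCipher:
    """Lazily sampled random permutation with one fixed key (ideal-cipher view of
    the block cipher of slide 6); counts queries that repeat an earlier one."""
    def __init__(self, rng):
        self.rng, self.fwd, self.inv, self.repeats = rng, {}, {}, 0
    def _fresh(self, used):
        v = self.rng.getrandbits(BLOCK_BITS)
        while v in used:
            v = self.rng.getrandbits(BLOCK_BITS)
        return v
    def enc(self, y):
        if y in self.fwd:
            self.repeats += 1                                 # this query violates E(e,y)
        else:
            self.fwd[y] = c = self._fresh(self.inv); self.inv[c] = y
        return self.fwd[y]
    def dec(self, c):
        if c not in self.inv:
            self.inv[c] = y = self._fresh(self.fwd); self.fwd[y] = c
        return self.inv[c]

def run(cmds, env, rng):
    """Execute a parsed program on BLOCK_BITS-bit values; returns (env, cipher)."""
    e, env = IdealCipher(rng), dict(env)
    for op, x, *ops in cmds:
        if op == "rand":  env[x] = rng.getrandbits(BLOCK_BITS)
        elif op == "enc": env[x] = e.enc(env[ops[0]])
        elif op == "dec": env[x] = e.dec(env[ops[0]])
        elif op == "xor": env[x] = env[ops[0]] ^ env[ops[1]]
        elif op == "cat": env[x] = (env[ops[0]] << BLOCK_BITS) | env[ops[1]]
        elif op == "inc": env[x] = (env[ops[0]] + 1) & MASK
        elif op == "sub":                                     # bits n..m-1, least significant first
            n, m = int(ops[1]), int(ops[2])
            env[x] = (env[ops[0]] >> n) & ((1 << (m - n)) - 1)
    return env, e

def repeated_queries(cmds, messages, trials, seed):
    """Run the program `trials` times with fresh coins on the same message
    blocks and count e-queries that repeat an earlier query of the same run."""
    rng = random.Random(seed)
    return sum(run(cmds, messages, rng)[1].repeats for _ in range(trials))

CBC = parse("IV <- U; z1 := IV xor m1; c1 := e(z1); z2 := c1 xor m2; c2 := e(z2); "
            "z3 := c2 xor m3; c3 := e(z3)")                   # the program of slide 13
CTR = parse("ctr1 <- U; ctr2 := ctr1 + 1; ctr3 := ctr2 + 1; k1 := e(ctr1); c1 := k1 xor m1; "
            "k2 := e(ctr2); c2 := k2 xor m2; k3 := e(ctr3); c3 := k3 xor m3")   # assumed CTR program
ECB = parse("c1 := e(m1); c2 := e(m2); c3 := e(m3)")          # no randomness: E(e,m_i) never holds
MSG = {"m1": 0xDEADBEEF, "m2": 0xDEADBEEF, "m3": 0xDEADBEEF}  # constructed: adversary repeats a block
```

`symbolic_fresh_queries(CBC)` reports every c_i as a justified query: F(IV) from R1 gives E(e,z1) by X4, B1 turns that into F(c1), and the chain repeats for z2 and z3. For CTR the counter values are justified by I1 and I2 instead. ECB has no random assignment, so no rule ever establishes E(e,m_i) and every query is reported as unjustified; `repeated_queries(ECB, MSG, 200, 1)` shows concretely what that invariant rules out, since a repeated message block is a repeated block-cipher query in every run, while CBC and CTR produce none.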

  14. Example of Proof

  15. Conclusion and Future Directions • We presented a grammar and logic rules that can be used to prove the security of many symmetric modes of operation (CBC, CFB, OFB, CTR) • We intend to test this grammar and rules on more complex modes of operation. This may suggest new rules that we have not yet considered • We may need to modify the grammar to include more operations and cryptographic primitives • We could try to use our method to prove security properties other than confidentiality of encryption

  16. Questions?
