
Cryptographically Sound Implementations for Communicating Processes
Cédric Fournet, Microsoft Research. Joint work with Pedro Adão, IST Lisboa.
Formacrypt meeting, March 6, 2006. Draft paper available at http://research.microsoft/com/~fournet/crypto-sound-processes-draft.pdf


Presentation Transcript


  1. Formacrypt meeting, March 6, 2006. Cryptographically Sound Implementations for Communicating Processes. Cédric Fournet, Microsoft Research. Joint work with Pedro Adão, IST Lisboa. Draft paper available at http://research.microsoft/com/~fournet/crypto-sound-processes-draft.pdf

  2. Abstractions for Cryptography
  • Abstractions are needed to design and analyze protocols; abstractions may hide important flaws of the real system.
  • Two main approaches have been successfully applied to protocols and programs that use cryptography
    • Formal, or algebraic approach
      • Structural view of protocols, using simple formal languages, and methods from logic, programming languages, concurrency
      • Compositional, good tool support for verification
      • Too abstract?
    • Computational approach
      • Messages are probability distributions over concrete bitstrings
      • Adversaries range over PPT Turing Machines
      • Mostly manual proofs, with scalability issues
      • Seems more accurate, hence more widely accepted

  3. Our Perspective
  [Figure: a two-by-two picture with the formal (algebraic) and computational (PPT) approaches as columns and security abstractions versus cryptographic primitives as rows. Security abstractions: secure channels, abstract traces, with CCS, Pi, Join on the formal side and ML, C#, XML (???) on the computational side. Cryptographic primitives: idealized crypto library, Spi, sjoin, applied pi on the formal side; PPT calculi, crypto algorithms & assumptions on the computational side. Arrows: "sound encoding" from abstractions to primitives, "simpler proofs & tools" on the formal side, "stronger guarantees" on the computational side.]

  4. This Work
  • We consider direct cryptographic implementations of high-level communicating processes
  • We design and implement a distributed process calculus with secure messaging and high-level authentication
  • Our calculus supports simple reasoning, based on labelled transitions and observational equivalence
  • We implement processes in a concrete computational setting, using standard machines and cryptographic assumptions
  • We obtain soundness and completeness for all safe processes, in the presence of active adversaries
  • We do not rely on DY cryptographic primitives
    • Full abstraction for spi or applied pi calculus is too hard
    • High-level code should not meddle with crypto materials (ruling out key cycles, key compromises, ...)

  5. This Talk
  • Low-level target: spec, crypto assumptions, constraints
  • High-level language: design, semantics
  • High-level reasoning: traces, equivalences
  • Low-level implementation (outline)
  • Theorems
  • Conclusions, future work

  6. Low-Level Target Model

  7. Low-Level Systems
  [Figure: low-level machines Pa, Pb, Pc connected through the adversary Adv]

  8. Low-Level Adversary
  [Figure: the same machines Pa, Pb, Pc, with the adversary Adv controlling all communication between them]

  9. Low-Level Runs

  10. Low-Level Equivalence (Target)
  [Figure: two families of systems, P1, P2 and Q1, Q2, each run against the adversary Adv, with a guessing adversary "Adv guess" trying to tell them apart; the target relation is written Pi ≈ Qi]

  11. High-Level Processes

  12. Terms and Local Processes

  13. Two Forms of Authentication

  14. Local Semantics

  15. Distributed Systems

  16. Global Semantics (Messaging)

  17. Global Semantics (Certificates)

  18. High-Level Reasoning

  19. High-Level Equivalence

  20. High-Level Equivalence (Definition)

  21. Example – Secure Messaging

  22. Applications
  • Anonymizers (one synchronous mix-in)
  • An electronic commerce protocol (trace properties)
  • Initialization (bootstrap)
  • Encodings from other calculi
    • Local pi-calculus processes
    • Distributed authenticated channels à la join-calculus

  23. Low-Level Machinery

  24. Machines for Local Processes
  [Figure: one abstract machine per principal, exchanging messages through the adversary Adv]

  25. Machines for Local Processes
  • We use an abstract machine to implement local reductions
  • We normalize processes
  • We use an arbitrary deterministic scheduler
  • We internally represent names, tags, and principals using various bitstrings
  • We draw random bitstrings of size  for new names
  [Figure: the machine for a principal a. Components: Init, Random, Run (over the local process P), Marshall and Unmarshall (between internal terms (x:a M) and wire messages a:x(M1, ..., Mn)), Sign and Verify with SKeyGen, a Sig Cache, a Key Cache with AKeyGen and "for each principal b", Check Auth, Encrypt and Decrypt with EKeyGen, Route, Collect; Sort, and the ?inp / !out ports through which Receive and Send talk to the adversary Adv]

  26. Machines for Local Processes
  • Marshall and unmarshall functions convert between our wire format and internal representations for terms
  • Signatures are generated on demand during marshalling (and cached)
  • All signatures are checked during unmarshalling
  [Figure as on slide 25]

  27. Machines for Local Processes
  • Principals run a basic communication protocol:
    • Generate a fresh key k
    • Authenticate msg with k
    • Sign (k,b) with a's signing key
    • Encrypt (msg,ida,k,sig,auth) with b's public key
  • We use an anti-replay cache
  • We pad all messages to a fixed length
  • We sort all outgoing messages after encryption
  [Figure as on slide 25]
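The sending and receiving sides of the basic protocol on slides 25 to 27 (fresh key k, MAC on msg, signature on (k, b), public-key encryption of the bundle, anti-replay cache, fixed-length padding, sorted output), written out as an added Go example. This is not the authors' implementation, which the talk describes as targeting ML and C#; the concrete primitives (Ed25519 signatures, HMAC-SHA256 for the key-authenticated MAC, RSA-2048/OAEP for public-key encryption), the fixed field sizes, the padding scheme and the choice to key the anti-replay cache on k are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Fixed-length wire layout; the field sizes are constructed for this example, not taken from the paper.
const (
	msgLen   = 32                    // payload field, messages are padded up to it
	idLen    = 16                    // sender identifier
	keyLen   = 32                    // fresh per-message key k, used as an HMAC key
	sigLen   = ed25519.SignatureSize // signature over (k, b)
	authLen  = sha256.Size           // HMAC_k(msg)
	plainLen = msgLen + idLen + keyLen + sigLen + authLen // 176 bytes, within the RSA-2048/OAEP limit
)

// Principal holds one party's long-term keys, its anti-replay cache and a shared key directory.
type Principal struct {
	ID     [idLen]byte
	signSK ed25519.PrivateKey
	encSK  *rsa.PrivateKey
	EncPK  *rsa.PublicKey
	seen   map[[keyLen]byte]bool             // anti-replay cache, keyed by k (assumed design)
	dir    map[[idLen]byte]ed25519.PublicKey // identity -> signing key, shared by all principals
}

func NewPrincipal(name string, dir map[[idLen]byte]ed25519.PublicKey) (*Principal, error) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	p := &Principal{signSK: sk, encSK: rk, EncPK: &rk.PublicKey, seen: map[[keyLen]byte]bool{}, dir: dir}
	copy(p.ID[:], name)
	dir[p.ID] = pk
	return p, nil
}

// pad/unpad: a single 0x80 marker then zeros, so the payload field is always msgLen bytes.
func pad(msg []byte) []byte {
	out := make([]byte, msgLen)
	copy(out, msg)
	out[len(msg)] = 0x80
	return out
}
func unpad(field []byte) ([]byte, error) {
	i := bytes.LastIndexByte(field, 0x80)
	if i < 0 || bytes.Count(field[i+1:], []byte{0}) != len(field)-i-1 {
		return nil, errors.New("bad padding")
	}
	return field[:i], nil
}

// Send follows the slide: fresh k, auth = HMAC_k(msg), sig = Sign_a(k, b),
// then Encrypt_b(msg, id_a, k, sig, auth) as one fixed-length OAEP ciphertext.
func (a *Principal) Send(b *Principal, msg []byte) ([]byte, error) {
	if len(msg) >= msgLen {
		return nil, errors.New("message too long for the fixed-length layout")
	}
	k := make([]byte, keyLen)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, k)
	mac.Write(msg)
	sig := ed25519.Sign(a.signSK, append(append([]byte{}, k...), b.ID[:]...)) // binds k to recipient b
	plain := append(append(append(append(pad(msg), a.ID[:]...), k...), sig...), mac.Sum(nil)...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, b.EncPK, plain, nil)
}

// Receive undoes Send: decrypt, reject a replayed k, verify the signature on (k, b)
// under the claimed sender's directory key, then verify the MAC on the unpadded msg.
func (b *Principal) Receive(ct []byte) (sender [idLen]byte, msg []byte, err error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, b.encSK, ct, nil)
	if err != nil || len(plain) != plainLen {
		return sender, nil, errors.New("undecipherable message")
	}
	var k [keyLen]byte
	copy(sender[:], plain[msgLen:])
	copy(k[:], plain[msgLen+idLen:])
	sig, auth := plain[msgLen+idLen+keyLen:plainLen-authLen], plain[plainLen-authLen:]
	if b.seen[k] {
		return sender, nil, errors.New("replay: key k already seen")
	}
	if pk, ok := b.dir[sender]; !ok || !ed25519.Verify(pk, append(append([]byte{}, k[:]...), b.ID[:]...), sig) {
		return sender, nil, errors.New("bad signature on (k, b)")
	}
	if msg, err = unpad(plain[:msgLen]); err != nil {
		return sender, nil, err
	}
	mac := hmac.New(sha256.New, k[:])
	mac.Write(msg)
	if !hmac.Equal(mac.Sum(nil), auth) {
		return sender, nil, errors.New("bad MAC on msg")
	}
	b.seen[k] = true // only fully verified messages enter the cache
	return sender, msg, nil
}

// SortOutgoing orders a batch of ciphertexts before they leave the machine, so their
// order on the wire says nothing about which local process produced which message.
func SortOutgoing(batch [][]byte) [][]byte {
	out := append([][]byte(nil), batch...)
	sort.Slice(out, func(i, j int) bool { return bytes.Compare(out[i], out[j]) < 0 })
	return out
}

func main() {
	dir := map[[idLen]byte]ed25519.PublicKey{}
	a, _ := NewPrincipal("alice", dir)
	b, _ := NewPrincipal("bob", dir)
	ct, _ := a.Send(b, []byte("pay 10 to carol")) // constructed sample payload
	_, msg, err := b.Receive(ct)
	fmt.Printf("first delivery: %q, err=%v\n", msg, err)
	_, _, err = b.Receive(ct)
	fmt.Println("replayed delivery:", err)
}
```

Every ciphertext is exactly one RSA block long regardless of the payload, which is what lets the sorted batch hide both message sizes and the scheduler's order. The signature covers (k, b) rather than msg, as on the slide: the MAC under k then transfers a's authorship to msg, and the recipient identity inside the signed data stops a message encrypted for one principal from being accepted as authenticated by another.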

  28. From Systems to Machines

  29. Soundness, Completeness

  30. Main Results

  31. Summary
  • We design a distributed process calculus with high-level primitives for communications and authentication
  • Our calculus supports simple reasoning, based on scopes, labelled transitions and observational equivalence
  • We give a computational interpretation of processes using abstract machines and standard cryptographic assumptions
  • We prove soundness and completeness in the presence of active adversaries (without factoring through spi/applied pi)
  • The proofs are tricky, and less modular than expected
    • Many small design choices affect cryptographic reductions
    • Intermediate states of the low-level system are hard to represent
  • Many difficult problems left for future work
    • Expressiveness, various restrictions

  32. Questions?
