
A Reactively Secure Dolev-Yao-style Cryptographic Library

Michael Backes, Birgit Pfitzmann, Michael Waidner (IBM Research, Zurich). DIMACS, June 2004.


Presentation Transcript


  1. Michael Backes, Birgit Pfitzmann, Michael Waidner (IBM Research, Zurich). A Reactively Secure Dolev-Yao-style Cryptographic Library. DIMACS, June 2004

  2. The Big Picture
     • Figure: real primitives (signature, encryption, hash function, key establishment); designed by CAD, verified by CAV
     • But can we justify idealized crypto, given ... ?

  3. Limits of Automation
     • Full arithmetic is out
     • Probability theory just developing
     • So how do current tools handle cryptography?

  4. Dolev-Yao Model
     • Idea [DY81]
     • Abstraction as term algebras, e.g., D_x(E_x(E_x(m)))
     • Cancellation rules, e.g., D_x E_x = e (the identity)
     • Well-developed proof theories: abstract data types, equational 1st-order logic
     • Important for security proofs: inequalities! (Everything that cannot be derived.) Known as the “initial model”
     • Important goal: justify or replace

  5. Dolev-Yao Model – Variants
     • Figure: example term built from sign, pk’, E, pk, N, m; columns [Ours] vs. [EG82, M83, EGS85, ...]
     • Operators and equations: sym enc, pub enc, nonce, payload, pairing, sigs, ...
     • Inequalities assumed across operators!
     • Untyped or typed
     • Destructors explicit or implicit
     • Abstraction from probabilism: finite selection, counting, multisets
     • Surrounding protocol language: special-purpose, CSP, pi-calculus, ... [any]
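The term algebra, cancellation rules and “inequalities” of slides 4 and 5, written out as an added example (this is not code from the slides or from the authors’ library). The operator names (enc, penc, pair, sign, pk and their destructors dec, pdec, fst, snd, msg), the tuple encoding of terms and the sample knowledge set are my own assumptions. Destructors are explicit, as in one of the variants slide 5 lists; `normalize` applies the cancellation rules, and `derivable` answers the question the “initial model” is built around: which terms can, and which cannot, be obtained from a given set of known terms.

```python
# Added example (not from the slides or the authors' library): a tiny
# Dolev-Yao term algebra with explicit destructors, cancellation rules and a
# derivability check. Operator names and the tuple encoding are assumptions.
#
# Terms are atoms (strings) or tuples (op, arg1, ...).
#   constructors: ('enc', k, m)    symmetric encryption
#                 ('penc', pk, m)  public-key encryption, with pk = ('pk', sk)
#                 ('pair', a, b), ('sign', sk, m), ('pk', sk)
#   destructors:  ('dec', k, c), ('pdec', sk, c), ('fst', p), ('snd', p), ('msg', s)


def normalize(t):
    """Rewrite bottom-up with the cancellation rules, e.g. dec(k, enc(k, m)) -> m.
    A destructor applied to a non-matching term stays as it is: in the initial
    model it is simply a different term, unequal to every other one (the
    'inequalities' of slide 4)."""
    if isinstance(t, str):
        return t
    op, *raw = t
    args = tuple(normalize(a) for a in raw)
    inner = args[-1] if isinstance(args[-1], tuple) else None
    if op == 'dec' and inner and inner[:2] == ('enc', args[0]):
        return inner[2]
    if op == 'pdec' and inner and inner[:2] == ('penc', ('pk', args[0])):
        return inner[2]
    if op == 'fst' and inner and inner[0] == 'pair':
        return inner[1]
    if op == 'snd' and inner and inner[0] == 'pair':
        return inner[2]
    if op == 'msg' and inner and inner[0] == 'sign':
        return inner[2]
    return (op,) + args


def analyze(known):
    """Close a knowledge set under decomposition: split pairs, read the message
    inside a signature, and decrypt only when the matching key is known."""
    k = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(k):
            if isinstance(t, str):
                continue
            op = t[0]
            new = set()
            if op == 'pair':
                new = {t[1], t[2]}
            elif op == 'sign':
                new = {t[2]}
            elif op == 'enc' and t[1] in k:
                new = {t[2]}
            elif op == 'penc' and isinstance(t[1], tuple) and t[1][0] == 'pk' and t[1][1] in k:
                new = {t[2]}
            if not new <= k:
                k |= new
                changed = True
    return k


def synthesize(t, k):
    """Can t be built from k by applying constructors only?"""
    if t in k:
        return True
    if isinstance(t, str):
        return False
    return all(synthesize(a, k) for a in t[1:])


def derivable(t, known):
    """Dolev-Yao derivability: decompose what is known, then try to build t."""
    return synthesize(normalize(t), analyze(known))


def demo():
    """Constructed scenario: A sends B an encrypted nonce and her name, and an
    adversary who knows everything public tries to derive the nonce."""
    sk_b = 'sk_B'
    pk_b = ('pk', sk_b)
    msg = ('penc', pk_b, ('pair', 'N_A', 'A'))
    adversary = {'A', 'B', pk_b, msg, 'sk_E', 'N_E'}
    return {
        'cancel': normalize(('pdec', sk_b, msg)),          # -> ('pair', 'N_A', 'A')
        'stuck': normalize(('pdec', 'sk_E', msg)),         # wrong key: no rule fires
        'nonce_leaks': derivable('N_A', adversary),        # False
        'can_build_own': derivable(('penc', pk_b, ('pair', 'N_E', 'A')), adversary),  # True
        'after_key_loss': derivable('N_A', adversary | {sk_b}),  # True
    }
```

The `stuck` result is the point of the inequalities: `pdec(sk_E, penc(pk_B, ...))` is not rewritten to anything, and because it is a distinct term it is not equal to the plaintext either, so no further derivation can start from it. Whether this “nothing can be derived” is justified for real encryption is exactly the question the rest of the talk addresses.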

  6. Overview of Our Approach
     • Precise system model allowing cryptographic and abstract operations
     • “As secure as” with composition theorem
     • Preservation theorems for security properties
     • Concrete pairs of idealizations and secure realizations; in particular: Dolev-Yao-style cryptographic library
     • Detailed proofs: poly-time, cryptographic bisimulations with static information flow analysis, …

  7. Other Work on DY Justification
     • [AR00, AJ01, L01]: symmetric encryption, passive
     • [HLM03]: public-key encryption, passive
     • [MW04]: public-key encryption, much more restricted, slightly more efficient
     • [L04]: active symmetric encryption (earlier than ours)

  8. Reactive Simulatability [Y82, GMW87, GM95, LMMS98, HM00, PW00, PW01, C01, …]
     • Figure: real system (honest user H, adversary A, machines M1, M2) vs. ideal system (H, adversary A’, trusted host TH)
     • view_real(H) ≈ view_ideal(H): indistinguishability of random variables
     • Idea: whatever happens with the real system could also happen with the ideal system

  9. Composition
     • Given: a real system is “as secure as” (≥) its ideal system
     • Does this still hold when each is composed with a further system? (composition theorem)
     • And transitivity

  10. Cryptographic Idealization Layers (top to bottom)
     • Larger abstractions: VSS, certified mail, credentials, ... [GM95] [PSW00] [CL01]
     • Small real abstractions: secure channels; auth/sigs as statement database; encryption as E(pk, 1^len(m)); real auth/sigs + integrity lookup [PW00, PW01, CK02, BJP02, ...] [BPW03 ...] Related: [SM93, P93]
     • Low-level crypto (not abstract) [LMMS98, PW00, C01, ...] [LMMS98, C01, ...]
     • Normal cryptographic definitions

  11. Dolev-Yao-style Crypto Abstractions
     • Recall: term algebra, inequalities
     • Major tasks:
       • Represent ideal and real library in the same way to higher protocols
       • Prevent honest users from stupidity with real crypto objects, but don’t restrict the adversary (e.g., sending a bitstring that’s almost a signature)
       • What imperfections are tolerable / must be allowed?

  12. Ideal Cryptographic Library
     • Figure: users U and V and adversary A talk to a trusted host TH that stores Term 1, Term 2, Term 3, ... (e.g., E_pk(m)); terms are not globally known
     • Handle tables: for U: T_u,1, T_u,2, T_u,3; for V: T_v,1; for A: T_a,1 (“-” marks a term the party has no handle for)
     • Inputs: commands, payloads, terms? Outputs: payloads / test results, terms?
     • No crypto outputs! Deterministic!

  13. Ideal Cryptographic Library (2)
     • U: T_u,4 ← encrypt(T_u,1, T_u,3); send(V, T_u,4)
     • V: received(U, T_v,2); get_type(T_v,2); T_v,3 := decrypt(...)
     • Figure: TH now also stores Term 4 (an encryption E_pk(m)); handle table as on the previous slide, plus Term 4
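The handle-based interface of slides 12 and 13 as an added toy model. This is not the authors’ ideal library; the class name IdealLibrary, the command names (gen_keypair, store, encrypt, decrypt, get_type, retrieve, send_insecure), the handle numbering and the sample payload are assumptions of this example. It exercises the properties the slides emphasise: terms live only inside TH, every party sees its own per-party handles, every answer is a handle or a test result (never a bitstring), and the library is deterministic.

```python
# Added example, not the authors' code: a toy version of the ideal
# cryptographic library of slides 12-13. The trusted host TH keeps every term
# in one database; parties only ever receive per-party handles (T_u,i, T_v,i,
# T_a,i) and test results, never a bitstring. All names here are assumptions.


class IdealLibrary:
    def __init__(self, parties):
        self.db = []                                   # TH's terms, by index
        self.handles = {p: {} for p in parties}        # party -> {handle: index}
        self.counter = {p: 0 for p in parties}

    def _handle_for(self, party, idx):
        """Return the party's handle for db[idx], creating it on first contact.
        Handles are numbered per party, so ('U', 4) plays the role of T_u,4."""
        for h, i in self.handles[party].items():
            if i == idx:
                return h
        self.counter[party] += 1
        h = (party, self.counter[party])
        self.handles[party][h] = idx
        return h

    def _add(self, party, entry):
        self.db.append(entry)
        return self._handle_for(party, len(self.db) - 1)

    def _index(self, party, h):
        if h not in self.handles[party]:
            raise KeyError(f'{party} holds no handle {h}')
        return self.handles[party][h]

    # --- commands: every answer is a handle or a test result, no crypto output
    def gen_keypair(self, party):
        # Deterministic: the ideal library contains no randomness at all.
        sk = self._add(party, ('sk',))
        pk = self._add(party, ('pk', self._index(party, sk)))
        return pk, sk

    def store(self, party, payload):
        return self._add(party, ('data', payload))

    def encrypt(self, party, pk_h, m_h):
        pk_i, m_i = self._index(party, pk_h), self._index(party, m_h)
        if self.db[pk_i][0] != 'pk':
            return None                                # test result: wrong type
        return self._add(party, ('enc', pk_i, m_i))

    def decrypt(self, party, sk_h, c_h):
        sk_i, c_i = self._index(party, sk_h), self._index(party, c_h)
        entry = self.db[c_i]
        if entry[0] != 'enc' or self.db[entry[1]][1] != sk_i:
            return None                                # test result: failure
        return self._handle_for(party, entry[2])

    def get_type(self, party, h):
        return self.db[self._index(party, h)][0]

    def retrieve(self, party, h):
        entry = self.db[self._index(party, h)]
        return entry[1] if entry[0] == 'data' else None

    def send_insecure(self, sender, receiver, adversary, h):
        """Insecure channel: receiver and adversary both obtain a handle to the
        same term (so A can test its type, cf. slide 14), but no bitstring."""
        idx = self._index(sender, h)
        return self._handle_for(receiver, idx), self._handle_for(adversary, idx)


def demo():
    """U sends an encrypted payload to V over a channel the adversary A taps."""
    lib = IdealLibrary(['U', 'V', 'A'])
    pk_v, sk_v = lib.gen_keypair('V')
    pk_at_u, _ = lib.send_insecure('V', 'U', 'A', pk_v)   # V publishes its key
    m_u = lib.store('U', b'hello')                         # constructed payload
    c_u = lib.encrypt('U', pk_at_u, m_u)                   # like T_u,4 <- encrypt(T_u,1, T_u,3)
    c_v, c_a = lib.send_insecure('U', 'V', 'A', c_u)       # send(V, T_u,4)
    m_v = lib.decrypt('V', sk_v, c_v)                      # T_v,3 := decrypt(...)
    _, sk_a = lib.gen_keypair('A')
    return {
        'type_seen_by_V': lib.get_type('V', c_v),
        'plaintext_at_V': lib.retrieve('V', m_v),
        'adv_sees_type': lib.get_type('A', c_a),           # type/length leak is tolerated
        'adv_decrypt': lib.decrypt('A', sk_a, c_a),        # wrong key -> None
        'adv_has_payload_handle': any(lib.db[i][0] == 'data'
                                      for i in lib.handles['A'].values()),
    }
```

Note how the adversary is not restricted: A may call decrypt on anything it holds a handle for and only receives the test result None, whereas A never obtains a handle to the payload term at all, which is the ideal-world counterpart of the plaintext staying secret.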

  14. Main Differences to Dolev-Yao
     • Tolerable imperfections:
       • Lengths of encrypted messages cannot be kept secret
       • Adversary may include incorrect messages inside encryptions
       • Signature schemes can have memory

  15. Real Cryptographic Library
     • Figure: U, V, A and the real system exchange bitstrings: pk; c1 ← E(pk, m); c2 ← E(pk, m); A sees c1
     • Inputs: commands, payloads, handles. Outputs: payloads / test results, handles
     • No crypto outputs!

  16. Main Additions to Given Cryptosystems
     • Standard model, standard assumptions
     • Type tags
     • Tagging with keys
     • Additional randomization (e.g., needed when correct machines use A’s keys)

  17. Proof of Correct Simulation (2)
     • Combined system
     • Probabilistic bisimulations
     • Reduction proofs for collisions, guesses, forgeries: with error sets (of runs); with info-flow analysis

  18. Summary
     • Needham-Schroeder-Lowe (hand-proved)
     • sometimes better
     • TBD: tool proof; more primitives & variants
