1 / 27

Universally Composable Symbolic Analysis of Security Protocols

Universally Composable Symbolic Analysis of Security Protocols. Jonathan Herzog (Joint work with Ran Canetti) 7 June 2004.

shawnlynch
Download Presentation

Universally Composable Symbolic Analysis of Security Protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Universally Composable Symbolic Analysis of Security Protocols Jonathan Herzog (Joint work with Ran Canetti) 7 June 2004 The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the author.

  2. Introduction • This talk: symbolic analysis can guarantee universally composable (UC) security • Dolev-Yao (symbolic) model • Adversary extremely limited • Proofs simple, can even be automated • UC (concrete) framework • Complexity- and information-theoretic approach • Guarantees strong security and composability properties • Requires “hand-crafted” proofs • Symbolic security proofs are sound in UC framework • Traditional (symbolic) mutual-authentication definitions suffice • Need strengthened notion of symbolic key-exchange

  3. Natural translation for encryption-based protocols Would like Main result of talk: mutual authentication and key exchange Simple, automated Analysis strategy Symbolic protocol Symbolic property Concrete protocol UC security

  4. Analysis strategy (expanded) Symbolic single- instance protocol Symbolic property Single-instance Setting Security using UC encryption UC theorem Simplify Ideal cryptography Security for multiple instances UC w/ joint state Concrete protocol UC concrete security

  5. Prior work • Abadi-Rogaway/Abadi-Jürjens • First connection of formal, computational • Passive adversary • Micciancio-Warinschi • Trace properties (e.g. mutual authentication) • No intermediate composition • Complex analysis • No composition guarantees • We lift to UC • Backes, Pfitzmann, Waidner • UC library of primitives (including symmetric encryption, sigs) • Multi-instance • Primitive vs. protocol (at level 2)

  6. Overview of talk • Describe UC framework • Describe Dolev-Yao model • Extended with local outputs • Mutual authentication result • Key-exchange results • Strengthened symbolic definition • Future work

  7. P P P P S A "Functionality” specifies: what protocol does, what info released to adversary ∏ ∏ P P A A F Traditional (non-UC) security Security: A, S : ViewReal(A) = ViewIdeal(A) Adversary learns only what allowed by F, even in real protocol

  8. Q Q Q Q A A Desired: Composition (Higher-level protocol) = F F F

  9. P P S A P F P A Achieving Composition • Adversary now sets participant input, sees output • Simulator sees neither! • Adversary given special name: “environment”

  10. Achieving Composition • UC security: A, S : ViewReal(A) = ViewIdeal(A) • Enforces that protocol messages and protocol outputs are independent • Strongest known (computational) notion of protocol security

  11. A P1 P2 M1 L M2 The Dolev-Yao model • Messages modeled symbolically • Symbols might be compound (crypto operations) • Participant hears symbol, replies with symbol • New: local output • Not seen by adversary

  12. Application of deduction The Dolev-Yao adversary • Adversary maintains set of knowledge: A P1 P2 Know

  13. Dolev-Yao adversary powers • Only four possible deductions: • (Always in Know: • Randomness generated by adversary • Private keys generated by adversary • All public keys)

  14. The Dolev-Yao adversary A Know P1 P2

  15. Mutual Authentication • UC: need only consider a single (two-party) instance • Symbolic condition: Adversary cannot make party Pi (locally) output (finished Pi Pj) before both Pi and Pj output (starting Pj Pi) • UC: FMA only sends (success) to participants after both submit (start)

  16. Mutual Authentication Results • Theorem: let  be a concrete protocol that uses ideal encryption. Then: DY() achieves mutual auth iff  securely realizes FMA • Cor:let  be a concrete protocol that uses concrete (UC) encryption. Then: DY() achieves mutual auth iff  securely realizes FMA (Note: UC analog to MW04)

  17. Key exchange • UC: FKE creates single new key, sends to requesting participants (but not adversary) • Symbolic: • Key Agreement: If P1 outputs (Finished P1 P2 K)and P2 outputs (Finished P2 P1 K’)thenK = K’. • Traditional Dolev-Yao secrecy: If Pi outputs (Finished Pi Pj K), then K can never be in adversary’s set Know • Not strong enough!

  18. P1  P2 Outputs session key: K {K}K2 K Composition and secrecy • Traditional secrecy goals fail under composition • Session key used in higher-level protocol • Example: let  satisfy traditional secrecy for K • Modified protocol still satisfies traditional secrecy • Might be insecure when used as sub-protocol

  19. Real-or-random (1/3) • Need: real-or-random property for session keys • Can think of traditional goal as “computational” • Need a stronger “decisional” goal • Expressed in Dolev-Yao framework • Let be a protocol • Let r be , except that when participant outputs (Finished Pi Pj Kr),Kr added to Know • Let f be , except that when any participant outputs (Finished Pi Pj Kr), fresh key Kf added to adversary set Know • Want: adversary can’t distinguish two protocols

  20. Real-or-random (2/3) • Let S be a strategy • Sequence of deductions and transmissions • Attempt 1: For any strategy, Trace(S, r) = Traces(S, f) • Problem: Kf not in any traces of r • Attempt 2: Trace(S, r) = Rename(Trace(S, f), KfKr) • Sufficient for “if,” too strong for “only if” • Two different traces may ‘appear’ the same to adversary

  21. Real-or-random (3/3) • Observable part of trace: Abadi-Rogaway pattern • Undecipherable encryptions replaced by “blob” • Example: t = {N1, N2}K1, {N2}K2, K1-1 Pattern(t) = {N1, N2}K1, K2, K1-1 • Final condition: for any strategy: Pattern(Trace(S, r)) = Pattern(Rename(Trace(S, f), KfKr)))

  22. Main results • Theorem: let  be a concrete protocol that uses (UC) ideal encryption. Then:  securely realizes FKE iff DY() satisfies • Key agreement • Traditional Dolev-Yao secrecy of session key • Real-or-random (Note: condition 3 implies 2 for Dolev-Yao message space with equality checks.) • Cor: same for  that uses concrete UC encryption

  23. Future work • How to prove Dolev-Yao real-or-random? • Needed for UC security • Not previously considered in the Dolev-Yao literature • Can it be automated? • Simpler form? • Similar results for protocols using symmetric encryption, signatures, Diffie-Hellman? • Symbolic representation of other types of tasks • Zero-Knowledge from ideal commitment • Secure function evaluation from ideal Oblivious Transfer • Etc.

  24. Backup-slides

  25. {P1, N1}K2 {P2, N1, N2}K1 {N2}K2 “Simple” protocols • Concrete protocols that map naturally to Dolev-Yao framework • Two cryptographic operations: • Randomness generation • Encryption/decryption • (This talk: asymmetric encryption) • Example: Needham-Schroeder-Lowe P1 P2

  26. (P1 P2) (P2 P1) (P1 P2) (P2 P1) Key P2 Key P1 Key k Key k Key P2 UC Key-Exchange Functionality FKE (P1 P2) A P1 k  {0,1}n (P2 P1) P2

  27. Goal of the adversary • Recall that the adversary A sees outputs of participants • Goal: distinguish real protocol from simulation • In protocol execution, output of participants (session key) related to protocol messages • In ideal world, output independent of simulated protocol • If there exists a detectable relationship between session key and protocol messages, adversary can distinguish • Example: last message of protocol is {“confirm”}K where K is session key • Can decrypt with participant output from real protocol • Can’t in simulated protocol

More Related