Presentation is loading. Please wait.

Presentation is loading. Please wait.

Symbolic Logic for Complexity- theoretic Model of Security Protocols Anupam Datta Ante Derek John C. Mitchell Vitaly Shmatikov Mathieu Turuani May 5, 2005.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Symbolic Logic for Complexity- theoretic Model of Security Protocols Anupam Datta Ante Derek John C. Mitchell Vitaly Shmatikov Mathieu Turuani May 5, 2005."— Presentation transcript:

1 Symbolic Logic for Complexity- theoretic Model of Security Protocols Anupam Datta Ante Derek John C. Mitchell Vitaly Shmatikov Mathieu Turuani May 5, 2005

2 Security Protocols uSecurity Protocol Distributed program Uses cryptography to accomplish goal Network controlled by adversary uExamples Internet Engineering Task Force (IETF), IEEE Working Group Standards –SSL/TLS - web authentication –IPSec - corporate VPNs –Mobile IPv6 – routing security –Kerberos - network authentication –GDOI – secure group communication –802.11i - wireless security

3 Engineering practice uIdentify requirements uDesign protocol uThink hard uThink some more uCan’t find attack  protocol “secure” uImplement uDeploy

4 Protocol flaws uIEEE 802.11i wireless authentication uIPSec’s IKE key exchange uIETF GDOI secure group communication uIETF Mobile IPv6 security u…many more These are protocols designed for real networks

5 Engineering Practice (Cycle 2) uSomeone else thinks hard and finds attack uGo back to cycle 1: Fix protocol Reimplement Redeploy

6 This is Theory Lunch… uWe like to do rigorous proofs uBut prove what? uWhat does “secure” mean? uWhat is the model of protocol execution and attack?

7 Problem Statement Cryptographers and logicians working in computer security don’t talk to each other (Disclaimer: Examples not representative)

8 Symbolic model [NS78,DY84,…] Complexity-theoretic model [GM84,…] Attacker actions-Fixed set of actions, e.g., decryption with known key (ABSTRACTION) + Any probabilistic poly-time computation Security properties-Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION) + Fine-grained, e.g., secret message = no partial information about bitstring representation Analysis methods+ Successful array of tools and techniques; automation - Hand-proofs are difficult, error-prone; no automation Can we get the best of both worlds? Two worlds

9 Logic 101 (Recall) uLogic Syntax Formulas –p, p  q,  (p  q), p  q SemanticsTruth –Model, M = {p = true, q = false} M |= p  q uProof System Axioms and proof rules Provability –p  (q  p)p p  q q Soundness Theorem –Provability implies truth

10 Our Approach Protocol Composition Logic (PCL) Syntax Proof System Symbolic “Dolev-Yao” model Semantics Computational PCL Syntax ±  Proof System ±  Complexity-theoretic model Semantics PhD Oral May 10, 11AM Right here

11 Main Result uComputational PCL: A symbolic logic for proving security properties of network protocols that use public-key encryption uSoundness Theorem: If a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1. + Symbolic proofs + Complexity-theoretic model

12 Computational PCL uSyntax Expressing security properties uProof System Proving security properties Soundness Theorem uSemantics Complexity-theoretic Model –Attacker – any PPT algorithm –Meaning of security properties

13 Example 1 AB A, B, {n, A} B B, A, n uSecurity Property - authentication [Initiator Program] A Honest(B)  ActionsInOrder( send(A, msg1), receive(B, msg1), send(B, msg2), receive(A, msg2 ) )

14 Example 2 AB A, B, {n, A} B uSecurity Property - secrecy [Initiator Program] A Honest(B)  (  X (X  A,B)  Indistinguishable(X,n)

15 Logic Syntax

16 Proof System

17 Soundness of proof system uInformation-theoretic reasoning [new u] X (Y  X)  Indistinguishable(Y, u) uComplexity-theoretic reductions Source(Y,u,{m} X )   Decrypts(X, {m} X )  Honest(X,Y)  (Z  X,Y)  Indistinguishable(Z, u) uAsymptotic calculations         Sum of two negligible functions is a negligible function Reduction to IND-CCA2-secure encryption scheme

18 Big picture Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption) Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme) Axiom in proof system Protocol security proofs using proof system Semantics and soundness theorem

19 Complexity-theoretic semantics uQ |=  if  A  D  f negligible  n 0  n > n 0 function s.t. Fix protocol Q, PPT adversary A, security parameter n Vary random bits used by all programs Obtain set of equi- probable traces, T(Q,A,n) T(  ) T(Q,A,n) |T(  )|/|T(Q,A,n)| > 1 –f(n) Represents probability

20 Inductive Semantics uConsider set of traces T(Q,A,n) T(  1   2 ) = T(  1 )  T(  2 ) T(  1   2 ) = T(  1 )  T(  2 ) T(   ) = T(  ) Semantics of formulas are transformers on probability distribution over traces

21 Future Work uInvestigate nature of logic Propositional fragment not classical  represents conditional probability – complexity-theoretic reductions –connections with probabilistic logics (e.g. Nilsson86) uGeneralize reasoning about secrecy Probability close to ½ instead of 1 Not a trace property uExtend logic More primitives: signature, hash functions,… Remove current syntactic restrictions on formulas u Information-theoretic semantics Only probability; no complexity

22 Related Work uProcess calculus LMMS98-RMST05 uLogic AR00 (passive eavesdropper; encryption) IK03 (computational indistinguishability) uRelating symbolic and crypto models BPW03-05 (active attacker) MW04-05 (active attacker)

Download ppt "Symbolic Logic for Complexity- theoretic Model of Security Protocols Anupam Datta Ante Derek John C. Mitchell Vitaly Shmatikov Mathieu Turuani May 5, 2005."

Similar presentations

Universally Composable Symbolic Analysis of Cryptographic Protocols

Universally Composable Symbolic Analysis of Cryptographic Protocols
SECURITY AND VERIFICATION Lecture 1: Why to prove cryptography? The origins of provable cryptography Tamara Rezk INDES TEAM, INRIA January 3 rd, 2012.

SECURITY AND VERIFICATION Lecture 1: Why to prove cryptography? The origins of provable cryptography Tamara Rezk INDES TEAM, INRIA January 3 rd, 2012.
Security Definitions in Computational Cryptography

Security Definitions in Computational Cryptography
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.
Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.

Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005.

Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005.
PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005.

PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.

Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.
Symbolic and Computational Analysis of Network Protocol Security John Mitchell Stanford University Asian 2006.

Symbolic and Computational Analysis of Network Protocol Security John Mitchell Stanford University Asian 2006.
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
Computationally Sound Symbolic Protocol Analysis: Correspondence Theorems 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall 2007-08.

Computationally Sound Symbolic Protocol Analysis: Correspondence Theorems 18739A: Foundations of Security and Privacy Anupam Datta CMU Fall
Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.

Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.
Security Analysis of Network Protocols Anupam Datta Stanford University UW-Madison CSD April 18, 2005.

Security Analysis of Network Protocols Anupam Datta Stanford University UW-Madison CSD April 18, 2005.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Proving Security of Industrial Network Protocols: Theory and Practice Anupam Datta Stanford University Oakland PC Crystal Ball Workshop January 2007.

Proving Security of Industrial Network Protocols: Theory and Practice Anupam Datta Stanford University Oakland PC Crystal Ball Workshop January 2007.

Similar presentations

Ads by Google