1 © IBM, 2003-2004 A Reactively Secure Dolev-Yao-style Cryptographic Library DIMACS, June 2004 Michael Backes, Birgit Pfitzmann, Michael Waidner IBM Research,


Slide 1: A Reactively Secure Dolev-Yao-style Cryptographic Library
DIMACS, June 2004
Michael Backes, Birgit Pfitzmann, Michael Waidner
IBM Research, Zurich

Slide 2: The Big Picture
- Designed by CAD
- Verified by CAV
- Idealized Crypto
- But can we justify ... given ...?
- [Figure labels: Signature, Hashfunction, Encryption, Key establishment (each shown twice)]

Slide 3: Limits of Automation
- Full arithmetic is out
- Probability theory just developing
- So how do current tools handle cryptography?

Slide 4: Dolev-Yao Model
- Idea [DY81]
- Abstraction as term algebras, e.g., D_x(E_x(E_x(m)))
- Cancellation rules, e.g., D_x E_x =
- Well-developed proof theories
- Abstract data types
- Equational 1st-order logic
- Important for security proofs
- Inequalities! (Everything that cannot be derived.)
- Known as “initial model”
- Important goal: Justify or replace

Slide 5: Dolev-Yao Model – Variants
- Operators and equations
- sym enc, pub enc, nonce, payload, pairing, sigs, ...
- Inequalities assumed across operators!
- Untyped or typed
- Destructors explicit or implicit
- Abstraction from probabilism
- Finite selection, counting, multisets
- Surrounding protocol language
- Special-purpose, CSP, pi-calculus, ...
- Side annotations: [Ours], [any], [EG82, M83, EGS85...]
- [Figure: term tree with labels sign, E_pk’, (, ), pk, m, N]

Slide 6: Overview of Our Approach
- Precise system model allowing cryptographic and abstract operations
- “As secure as” with composition theorem
- Preservation theorems for security properties
- Concrete pairs of idealizations and secure realizations
- In particular: Dolev-Yao style cryptographic library
- Detailed Proofs
- Poly-time, cryptographic bisimulations with static information flow analysis, …

Slide 7: Other Work on DY Justification
- [AR00, AJ01, L01]: symmetric encryption, passive
- [HLM03]: public-key encryption, passive
- [MW04]: public-key encryption, much more restricted, slightly more efficient
- [L04]: Active symmetric encryption (earlier than ours).

Slide 8: Reactive Simulatability
- Idea: Whatever happens with real system could also happen with ideal system.
- [Figure: Real system and Ideal system; labels H, A, A’, M1, M2, TH]
- Indistinguishability of random variables view_real(H) and view_ideal(H)
- [Y82, GMW87, GM95, LMMS98, HM00, PW00, PW01, C01, …]

Slide 9: Composition
- Given: [diagram not recoverable]
- Does this hold? [diagram not recoverable]
- And transitivity

Slide 10: Cryptographic Idealization Layers
[Layer diagram; labels in extraction order]
- Encryption as E(pk, 1^len(m))
- Secure channels
- Small real abstractions [LMMS98, PW00, C01,...]
- Low-level crypto (not abstract)
- Auth/sigs as statement database
- Real auth/sig’s + integrity lookup
- Larger abstractions [PW00, PW01, CK02, BJP02,...]
- Certified mail... [PSW00]
- Normal cryptographic definitions
- [LMMS98, C01,...] [GM95] [BPW03...]
- Related: [SM93,P93] [CL01]
- VSS
- Credentials...

Slide 11: Dolev-Yao-style Crypto Abstractions
- Recall: Term algebra, inequalities
- Major tasks:
  - Represent ideal and real library in the same way to higher protocols
  - Prevent honest users from stupidity with real crypto objects, but don’t restrict adversary
  - E.g., sending a bitstring that’s almost a signature
  - What imperfections are tolerable / must be allowed?

Slide 12: Ideal Cryptographic Library
- [Figure: TH with U, V and A; terms Term 1, Term 2, Term 3 over labels E, pk, m; annotation "Not globally known"]
- Commands, payloads, terms?
- Payloads / test results, terms?
- No crypto outputs! Deterministic!
- Handles (flattened table; columns For U, For V, For A): T_u,2, T_v,1, T_a,1, T_u,3, -, T_u,1, -

Slide 13: Ideal Cryptographic Library (2)
- [Figure: TH with U, V and A; terms Term 1, Term 2, Term 3, Term 4... over labels E, pk, m]
- Commands and results shown: T_u,4; encrypt(T_u,1, T_u,3); get_type(T_v,2); T_v,3 := decrypt(...); received(U, T_v,2); send(V, T_u,4)
- Handles (flattened table; columns For U, For V, For A): T_u,2, T_v,1, T_a,1, T_u,3, -, T_u,1, -

Slide 14: Main Differences to Dolev-Yao
- Tolerable imperfections:
  - Lengths of encrypted messages cannot be kept secret
  - Adversary may include incorrect messages inside encryptions
  - Signature schemes can have memory
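
Added illustration, not taken from the slides or from the authors' library: a toy trusted host in the spirit of the two "Ideal Cryptographic Library" slides, where parties hold only party-local handles, a ciphertext term reveals just its type and length, and decryption succeeds only with the matching key. The names TrustedHost, store, gen_enc_keypair and view are assumptions, and ciphertext length is simplified to the payload length.

```python
class TrustedHost:  # toy ideal library TH: one term database, parties hold only handles
    def __init__(self, parties):
        self.db = []  # index -> (type, args, length)
        self.hnd = {p: {} for p in (*parties, "A")}  # party -> {handle: index}; "A" = adversary

    def _grant(self, party, idx):  # handles are party-local names for terms
        held = self.hnd[party]
        if idx not in held.values():
            held[len(held) + 1] = idx
        return next(h for h, i in held.items() if i == idx)

    def _new(self, party, typ, args, length):
        self.db.append((typ, args, length))
        return self._grant(party, len(self.db) - 1)

    def store(self, party, payload):
        return self._new(party, "data", (payload,), len(payload))

    def gen_enc_keypair(self, party):
        sk = self._new(party, "ske", (), 0)
        return sk, self._new(party, "pke", (self.hnd[party][sk],), 0)

    def encrypt(self, party, pk_hnd, m_hnd):
        pk, m = self.hnd[party][pk_hnd], self.hnd[party][m_hnd]
        if self.db[pk][0] != "pke":
            return None  # type check: honest users cannot misuse a non-key term
        return self._new(party, "enc", (pk, m), self.db[m][2])  # length of m is visible

    def decrypt(self, party, sk_hnd, c_hnd):
        sk, (typ, args, _) = self.hnd[party][sk_hnd], self.db[self.hnd[party][c_hnd]]
        if typ != "enc" or self.db[args[0]][1] != (sk,):
            return None  # not a ciphertext under this key: nothing cancels
        return self._grant(party, args[1])

    def send(self, sender, recipient, hnd):  # insecure channel: A gets a handle too
        idx = self.hnd[sender][hnd]
        return self._grant(recipient, idx), self._grant("A", idx)

    def view(self, party, hnd):  # all TH ever outputs: type, length, payload of data terms
        typ, args, length = self.db[self.hnd[party][hnd]]
        return typ, length, args[0] if typ == "data" else None

def demo():
    th = TrustedHost(["U", "V"])
    sk_v, pk_v = th.gen_enc_keypair("V")
    pk_u, _ = th.send("V", "U", pk_v)  # V publishes its public key
    c_u = th.encrypt("U", pk_u, th.store("U", b"constructed payload"))
    c_v, c_a = th.send("U", "V", c_u)
    return th.view("V", th.decrypt("V", sk_v, c_v)), th.view("A", c_a)
```

V recovers the payload through its own handle, while A's view of the same term is only its type and length.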

Slide 15: Real Cryptographic Library
- Commands, payloads, handles
- Payloads / test results, handles
- No crypto outputs!
- [Figure: Real system with U, V and A; labels pk, c_1, E(pk, m), c_2, E(pk, m), Bitstrings]

Slide 16: Main Additions to Given Cryptosystems
- Standard model, standard assumptions
- Type tags
- Tagging with keys
- Additional randomization (e.g., needed when correct machines use A’s keys)

Slide 17: Proof of Correct Simulation (2)
- Probabilistic bisimulations
- Combined system
- With error sets (of runs)
- With info-flow analysis
- Reduction proofs for collisions, guesses, forgeries

Slide 18: Summary
- Needham-Schroeder-Lowe (hand-proved)
- sometimes better
- TBD: Tool proof; more primitives & variants

