Presentation is loading. Please wait.

Presentation is loading. Please wait.

Universally Composable Symbolic Analysis of Security Protocols Jonathan Herzog (Joint work with Ran Canetti) 7 June 2004 The author's affiliation with.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Universally Composable Symbolic Analysis of Security Protocols Jonathan Herzog (Joint work with Ran Canetti) 7 June 2004 The author's affiliation with."— Presentation transcript:

1 Universally Composable Symbolic Analysis of Security Protocols Jonathan Herzog (Joint work with Ran Canetti) 7 June 2004 The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the author.

2 Introduction This talk: symbolic analysis can guarantee universally composable (UC) security Dolev-Yao (symbolic) model  Adversary extremely limited  Proofs simple, can even be automated UC (concrete) framework  Complexity- and information-theoretic approach  Guarantees strong security and composability properties  Requires “hand-crafted” proofs Symbolic security proofs are sound in UC framework  Traditional (symbolic) mutual-authentication definitions suffice  Need strengthened notion of symbolic key-exchange

3 Analysis strategy Concrete protocol UC security Symbolic protocol Symbolic property Would like Natural translation for encryption-based protocols Simple, automated Main result of talk: mutual authentication and key exchange

4 Analysis strategy (expanded) Concrete protocol UC concrete security Symbolic single- instance protocol Symbolic property Single-instance Setting Security using UC encryption Security for multiple instances Ideal cryptography UC theorem Simplify UC w/ joint state

5 Prior work Abadi-Rogaway/Abadi-Jürjens  First connection of formal, computational  Passive adversary Micciancio-Warinschi  Trace properties (e.g. mutual authentication)  No intermediate composition Complex analysis No composition guarantees  We lift to UC Backes, Pfitzmann, Waidner  UC library of primitives (including symmetric encryption, sigs)  Multi-instance  Primitive vs. protocol (at level 2)

6 Overview of talk Describe UC framework Describe Dolev-Yao model  Extended with local outputs Mutual authentication result Key-exchange results  Strengthened symbolic definition Future work

7 Traditional (non-UC) security SA PP F "Functionality” specifies: what protocol does, what info released to adversary P P A ∏ P P A ∏ Security:  A,  S : ViewReal(A) = ViewIdeal(A) Adversary learns only what allowed by F, even in real protocol

8 Desired: Composition Q Q A Q Q A FFF = (Higher-level protocol)

9 Achieving Composition AS PP F P P A Adversary now sets participant input, sees output  Simulator sees neither!  Adversary given special name: “environment”

10 Achieving Composition UC security:  A,  S : ViewReal(A) = ViewIdeal(A) Enforces that protocol messages and protocol outputs are independent Strongest known (computational) notion of protocol security

11 The Dolev-Yao model Messages modeled symbolically  Symbols might be compound (crypto operations) Participant hears symbol, replies with symbol A P1P2 M1M1 M2M2 L New: local output  Not seen by adversary

12 The Dolev-Yao adversary Adversary maintains set of knowledge: P1P2 A Know Application of deduction

13 Dolev-Yao adversary powers Already in Know Can add to Know M 1, M 2 Pair(M 1, M 2 ) M 1 and M 2 M, KEnc(M,K) Enc(M, K), K -1 M Only four possible deductions: (Always in Know : Randomness generated by adversary Private keys generated by adversary All public keys)

14 The Dolev-Yao adversary A P1P2 Know

15 Mutual Authentication UC: need only consider a single (two-party) instance Symbolic condition: Adversary cannot make party Pi (locally) output (finished Pi Pj) before both Pi and Pj output (starting Pj Pi) UC: F MA only sends (success) to participants after both submit (start)

16 Mutual Authentication Results Theorem: let  be a concrete protocol that uses ideal encryption. Then: DY(  ) achieves mutual auth iff  securely realizes F MA Cor:let  be a concrete protocol that uses concrete (UC) encryption. Then: DY(  ) achieves mutual auth iff  securely realizes F MA (Note: UC analog to MW04)

17 Key exchange UC: F KE creates single new key, sends to requesting participants (but not adversary) Symbolic: 1. Key Agreement: If P1 outputs (Finished P1 P2 K) and P2 outputs (Finished P2 P1 K’) then K = K’. 2. Traditional Dolev-Yao secrecy: If Pi outputs (Finished Pi Pj K), then K can never be in adversary’s set Know Not strong enough!

18 Composition and secrecy Modified protocol still satisfies traditional secrecy  Might be insecure when used as sub-protocol P1P2  Outputs session key: K {K} K2 K Traditional secrecy goals fail under composition  Session key used in higher-level protocol Example: let  satisfy traditional secrecy for K

19 Real-or-random (1/3) Need: real-or-random property for session keys  Can think of traditional goal as “computational”  Need a stronger “decisional” goal  Expressed in Dolev-Yao framework Let  be a protocol Let  r be , except that when participant outputs (Finished Pi Pj Kr), Kr added to Know Let  f be , except that when any participant outputs (Finished Pi Pj Kr), fresh key Kf added to adversary set Know Want: adversary can’t distinguish two protocols

20 Real-or-random (2/3) Let S be a strategy  Sequence of deductions and transmissions Attempt 1: For any strategy, Trace(S,  r ) = Traces(S,  f ) Problem: Kf not in any traces of  r Attempt 2: Trace(S,  r ) = Rename ( Trace(S,  f ), Kf  Kr ) Sufficient for “if,” too strong for “only if”  Two different traces may ‘appear’ the same to adversary

21 Real-or-random (3/3) Observable part of trace: Abadi-Rogaway pattern  Undecipherable encryptions replaced by “blob” Example: t = {N1, N2} K1, {N2} K2, K1 -1 Pattern(t) = {N1, N2} K1, K2, K1 -1 Final condition: for any strategy: Pattern ( Trace(S,  r ) ) = Pattern ( Rename ( Trace(S,  f ), Kf  Kr) ) )

22 Main results Theorem: let  be a concrete protocol that uses (UC) ideal encryption. Then:  securely realizes F KE iff DY(  ) satisfies 1. Key agreement 2. Traditional Dolev-Yao secrecy of session key 3. Real-or-random (Note: condition 3 implies 2 for Dolev-Yao message space with equality checks.) Cor: same for  that uses concrete UC encryption

23 Future work How to prove Dolev-Yao real-or-random?  Needed for UC security  Not previously considered in the Dolev-Yao literature  Can it be automated?  Simpler form? Similar results for protocols using symmetric encryption, signatures, Diffie-Hellman? Symbolic representation of other types of tasks  Zero-Knowledge from ideal commitment  Secure function evaluation from ideal Oblivious Transfer  Etc.

24 Backup-slides

25 “Simple” protocols Concrete protocols that map naturally to Dolev-Yao framework Two cryptographic operations:  Randomness generation  Encryption/decryption (This talk: asymmetric encryption) Example: Needham-Schroeder-Lowe P1P2 {P1, N1} K2 {P2, N1, N2} K1 {N2} K2

26 UC Key-Exchange Functionality F KE (P 1 P 2 ) k  {0,1} n Key P 2 P1P1 (P 1 P 2 ) Key k P2P2 (P 2 P 1 ) Key k (P 1 P 2 ) A Key P 1 (P 2 P 1 ) Key P 2 (P 2 P 1 )

27 Goal of the adversary Recall that the adversary A sees outputs of participants Goal: distinguish real protocol from simulation In protocol execution, output of participants (session key) related to protocol messages In ideal world, output independent of simulated protocol If there exists a detectable relationship between session key and protocol messages, adversary can distinguish  Example: last message of protocol is {“confirm”} K where K is session key  Can decrypt with participant output from real protocol  Can’t in simulated protocol

Download ppt "Universally Composable Symbolic Analysis of Security Protocols Jonathan Herzog (Joint work with Ran Canetti) 7 June 2004 The author's affiliation with."

Similar presentations

Universally Composable Symbolic Analysis of Cryptographic Protocols

Universally Composable Symbolic Analysis of Cryptographic Protocols
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.

Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
Short course on quantum computing Andris Ambainis University of Latvia.

Short course on quantum computing Andris Ambainis University of Latvia.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
Optimal Communication Complexity of Generic Multicast Key Distribution Saurabh Panjwani UC San Diego (Joint Work with Daniele Micciancio)

Optimal Communication Complexity of Generic Multicast Key Distribution Saurabh Panjwani UC San Diego (Joint Work with Daniele Micciancio)
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
Proving Security Protocols Correct— Correctly Jonathan Herzog 21 March 2006 The author's affiliation with The MITRE Corporation is provided for identification.

Proving Security Protocols Correct— Correctly Jonathan Herzog 21 March 2006 The author's affiliation with The MITRE Corporation is provided for identification.
Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
Daniel Moran & Marina Yatsina. Access control through encryption.

Daniel Moran & Marina Yatsina. Access control through encryption.
Computational and Information- Theoretic Soundness and Completeness of the Expanded Logics of Formal Encryption ** Andre Scedrov ** University of Pennsylvania.

Computational and Information- Theoretic Soundness and Completeness of the Expanded Logics of Formal Encryption ** Andre Scedrov ** University of Pennsylvania.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan.

Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

Similar presentations

Ads by Google