Presentation is loading. Please wait.

Presentation is loading. Please wait.

Universally Composable Symbolic Analysis of Cryptographic Protocols Ran Canetti and Jonathan Herzog 6 March 2006 The author's affiliation with The MITRE.

Similar presentations


Presentation on theme: "Universally Composable Symbolic Analysis of Cryptographic Protocols Ran Canetti and Jonathan Herzog 6 March 2006 The author's affiliation with The MITRE."— Presentation transcript:

1 Universally Composable Symbolic Analysis of Cryptographic Protocols Ran Canetti and Jonathan Herzog 6 March 2006 The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the author.

2 Universally Composable Automated Analysis of Cryptographic Protocols Ran Canetti and Jonathan Herzog 6 March 2006 The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the author.

3 Overview This talk: symbolic analysis can guarantee universally composable (UC) key exchange (Paper also includes mutual authentication) Symbolic (Dolev-Yao) model: high-level framework Messages treated symbolically; adversary extremely limited Despite (general) undecidability, proofs can be automated Result: symbolic proofs are computationally sound (UC) For some protocols For strengthened symbolic definition of secrecy With UC theorems, suffices to analyze single session Implies decidability!

4 Needham-Schroeder-Lowe protocol (Prev: A, B get others public encryption keys) AB E KB (A || Na) E KA (Na || Nb || B) E KB (Nb) K K Version 1: K = Na Version 2: K = Nb Which one is secure?

5 Two approaches to analysis Standard (computational) approach: reduce attacks to weakness of encryption Alternate approach: apply methods of the symbolic model Originally proposed by Dolev & Yao (1983) Cryptography without: probability, security parameter, etc. Messages are parse trees Countable symbols for keys ( K, K,…), names ( A, B,…) and nonces ( N, N, Na, Nb, …) Encryption ( E K (M) ) pairing ( M || N ) are constructors Participants send/receive messages Output some key-symbol

6 The symbolic adversary Explicitly enumerated powers Interact with countable number of participants Knowledge of all public values, non-secret keys Limited set of re-write rules: M 1, M 2 M 1 || M 2 M 1, M 2 M, K E K (M) E K (M), K -1 M

7 Traditional symbolic secrecy Conventional goal for symbolic secrecy proofs: If A or B output K, then no sequence of interactions/rewrites can result in K Undecidable in general [EG, HT, DLMS] but: Decidable with bounds [DLMS, RT] Also, general case can be automatically verified in practice Demo 1: analysis of both NSLv1, NSLv2 So what? Symbolic model has weak adversary, strong assumptions We want computational properties! …But can we harness these automated tools?

8 What wed like Concrete protocol Computational key-exchange Symbolic protocol Symbolic key-exchange Would like Natural translation for large class of protocols Simple, automated Soundness (need only be done once)

9 Some previous work General area: [AR]: soundness for indistinguishability Passive adversary [MW, BPW]: soundness for general trace properties Includes mutual authentication; active adversary Many, many others Key-exchange in particular (independent work): [BPW]: (later) [CW]: soundness for key-exchange Traditional symbolic secrecy implies (weak) computational secrecy

10 Limitations of traditional secrecy Big question: Can traditional symbolic secrecy imply standard computational definitions of secrecy? Unfortunately, no Counter-example: Demo: NSLv2 satisfies traditional secrecy Cannot provide real-or-random secrecy in standard models Falls prey to the Rackoff attack

11 The Rackoff attack (on NSLv2) AB E KB ( A || Na) E KA ( Na || Nb || B ) E KB (Nb) Adv K =? Nb E KB (K) K if K = Nb O.W. ?

12 Achieving soundness Soundness requires new symbolic definition of secrecy [BPW]: traditional secrecy + non-use Thm: new definition implies secrecy (in their framework) But: must analyze infinite concurrent sessions and all resulting protocols Here: traditional secrecy + symbolic real-or-random Non-interference property; close to strong secrecy [B] Thm: new definition equivalent to UC secrecy Demonstrably automatable (Demo 2) Suffices to consider single session! (Infinite concurrency results from joint-state UC theorems) Implies decidability (forthcoming)

13 Decidability (not in paper) Traditional secrecy Symbolic real-or-random Unbounded sessions Undecidable [EG, HT, DLMS] Undecidable [B] Bounded sessionsDecidable (NP-complete) [DLMS, RT] Decidable (NP-complete)

14 Proof overview (soundness) Multi-session KE (CCA-2 crypto) Symbolic key-exchange Single session UC KE (ideal crypto) Multi-session UC KE (ideal crypto) UC w/ joint state [CR] (Info-theor.) UC theorem Construct simulator Information-theoretic Must strengthen notion of UC public-key encryption Intermediate step: trace properties (as in [MW,BPW]) Every activity-trace of UC adversary could also be produced by symbolic adversary Rephrase: UC adversary no more powerful than symbolic adversary

15 Summary & future work Result: symbolic proofs are computationally sound (UC) For some protocols For strengthened symbolic definition of secrecy With UC theorems, suffices to analyze single session Implies decidability! Additional primitives Have public-key encryption, signatures [P] Would like symmetric encryption, MACs, PRFs… Symbolic representation of other goals Commitment schemes, ZK, MPC…

16 Backup slides

17 Two challenges 1. Traditional secrecy is undecidable for: Unbounded message sizes [EG, HT] or Unbounded number of concurrent sessions (Decidable when both are bounded) [DLMS] 2. Traditional secrecy is unsound Cannot imply standard security definitions for computational key exchange Example: NSLv2 (Demo)

18 Prior work: BPW New symbolic definition Implies UC key exchange (Public-key & symmetric encryption, signatures) Theory Practice

19 Our work New symbolic definition: real-or-random Equiv. to UC key exchange (Public-key encryption [CH], signatures [P]) UC suffices to examine single protocol run Automated verification! + Finite system Decidability? Theory Practice Demo 3: UC security for NSLv1

20 Our work: solving the challenges Soundness: requires new symbolic definition of secrecy Ours: purely symbolic expression of real-or-random security Result: new symbolic definition equivalent to UC key exchange UC theorems: sufficient to examine single protocol in isolation Thus, bounded numbers of concurrent sessions Automated verification of our new definition is decidable!… Probably

21 Summary Summary: Symbolic key-exchange sound in UC model Computational crypto can now harness symbolic tools Now have the best of both worlds: security and automation! Future work

22 Secure key-exchange: UC ? PP A KK Answer: yes, it matters Negative result [CH]: traditional symbolic secrecy does not imply universally composable key exchange

23 Secure key-exchange: UC ? PP A Adversary gets key when output by participants Does this matter? (Demo 2) KK F S ?

24 Secure key-exchange [CW] PP A Adversary interacts with participants Afterward, receives real key, random key Protocol secure if adversary unable to distinguish NSLv1, NSLv2 satisfy symbolic def of secrecy Therefore, NSLv1, NSLv2 meet this definition as well K, K

25 KE ? PP A F S Adversary unable to distinguish real/ideal worlds Effectively: real or random keys Adversary gets candidate key at end of protocol NSL1, NSL2 secure by this defn.

26 Analysis strategy Concrete protocol UC key-exchange functionality Dolev-Yao protocol Dolev-Yao key-exchange Would like Natural translation for large class of protocols Simple, automated Main result of talk (Need only be done once)

27 Simple protocols Concrete protocols that map naturally to Dolev-Yao framework Two cryptographic operations: Randomness generation Encryption/decryption (This talk: asymmetric encryption) Example: Needham-Schroeder-Lowe P1P2 {P1, N1} K2 {P2, N1, N2} K1 {N2} K2

28 UC Key-Exchange Functionality F KE (P 1 P 2 ) k {0,1} n Key P 2 P1P1 (P 1 P 2 ) Key k P2P2 (P 2 P 1 ) Key k (P 1 P 2 ) A Key P 1 (P 2 P 1 ) Key P 2 (P 2 P 1 ) X

29 The Dolev-Yao model Participants, adversary take turns Participant turn: A P1P2 M1M1 M2M2 L Local output: Not seen by adversary

30 The Dolev-Yao adversary Adversary turn: P1P2 A Know Application of deduction

31 Dolev-Yao adversary powers Already in Know Can add to Know M 1, M 2 Pair(M 1, M 2 ) M 1 and M 2 M, KEnc(M,K) Enc(M, K), K -1 M Always in Know : Randomness generated by adversary Private keys generated by adversary All public keys

32 The Dolev-Yao adversary A P1P2 Know M

33 Dolev-Yao key exchange Assume that last step of (successful) protocol execution is local output of (Finished Pi Pj K) 1. Key Agreement: If P1 outputs (Finished P1 P2 K) and P2 outputs (Finished P2 P1 K) then K = K. 2. Traditional Dolev-Yao secrecy: If Pi outputs (Finished Pi Pj K), then K can never be in adversarys set Know Not enough!

34 Goal of the environment Recall that the environment Z sees outputs of participants Goal: distinguish real protocol from simulation In protocol execution, output of participants (session key) related to protocol messages In ideal world, output independent of simulated protocol If there exists a detectable relationship between session key and protocol messages, environment can distinguish Example: last message of protocol is {confirm} K where K is session key Can decrypt with participant output from real protocol Cant in simulated protocol

35 Real-or-random (1/3) Need: real-or-random property for session keys Can think of traditional goal as computational Need a stronger decisional goal Expressed in Dolev-Yao framework Let be a protocol Let r be, except that when participant outputs (Finished Pi Pj Kr), Kr added to Know Let f be, except that when any participant outputs (Finished Pi Pj Kr), fresh key Kf added to adversary set Know Want: adversary cant distinguish two protocols

36 Real-or-random (2/3) Attempt 1: Let Traces( ) be traces adversary can induce on. Then: Traces( r ) = Traces( f ) Problem: Kf not in any traces of r Attempt 2: Traces( r ) = Rename ( Traces( f ), Kf Kr ) Problem: Two different traces may look the same Example protocol: If participant receives session key, encrypts yes under own (secret) key. Otherwise, encrypts no instead Traces different, but adversary cant tell

37 Real-or-random (3/3) Observable part of trace: Abadi-Rogaway pattern Undecipherable encryptions replaced by blob Example: t = {N1, N2} K1, {N2} K2, K1 -1 Pattern(t) = {N1, N2} K1, K2, K1 -1 Final condition: Pattern ( Traces( r ) ) = Pattern ( Rename ( Traces( f ), Kf Kr) ) )

38 Main results Let key-exchange in the Dolev-Yao model be: Key agreement Traditional Dolev-Yao secrecy of session key Real-or-random Let be a simple protocol that uses UC asymmetric encryption. Then: DY( ) satisfies Dolev-Yao key exchange iff UC( ) securely realizes F KE

39 Future work How to prove Dolev-Yao real-or-random? Needed for UC security Not previously considered in the Dolev-Yao literature Can it be automated? Weaker forms of DY real-or-random Similar results for symmetric encryption and signatures


Download ppt "Universally Composable Symbolic Analysis of Cryptographic Protocols Ran Canetti and Jonathan Herzog 6 March 2006 The author's affiliation with The MITRE."

Similar presentations


Ads by Google