Presentation is loading. Please wait.

Presentation is loading. Please wait.

Contract-Signing Protocols J. Mitchell CS 259. Revised schedule uTuesday 1/24 Contract-signing protocols uThursday 1/26 Secure hardware architecture (XOM)

Published byAlbert Jordan Modified over 8 years ago

Similar presentations

Presentation on theme: "Contract-Signing Protocols J. Mitchell CS 259. Revised schedule uTuesday 1/24 Contract-signing protocols uThursday 1/26 Secure hardware architecture (XOM)"— Presentation transcript:

1 Contract-Signing Protocols J. Mitchell CS 259

2 Revised schedule uTuesday 1/24 Contract-signing protocols uThursday 1/26 Secure hardware architecture (XOM) uFriday 1/27 PRISM tool and contract signing uTuesday 1/31 Password authentication protocols uThursday 2/2 Project presentation #1

3 Before contract signing … uQuestions about projects? Want help? Meet with us this week for suggestions uDiscussion of security properties Authentication Secrecy uPrecise definitions Set of runs of a system When a run violates a security condition –Definition of successful attack Safety vs liveness properties

4 Protocol uA Protocol is defined by a set of roles, and initial conditions (if needed) uWhat is a role? A “program” executed at one site Includes communication, internal actions uWhat are initial conditions? Example: each agent has a secret key, shared only with the server Example: each agent knows the public verification key for every other agent

5 Example roles: NSL protocol new m; send encrypt( Key(Y),  X,m  ); recv encrypt( Key(X),  m, B, n  ); send encrypt( Key(B), n ) recv encrypt( Key(X),  Y,m  ); new n; send encrypt( Key(A),  m, B, n  ); recv encrypt( Key(B), n ) Initial conditions: each agent has a private key, knows the public keys of other agents “Alice” “Bob”

6 Execution model uInitial configuration Set of principals and keys Assignment of  1 role to each principal uRun new x send (…) receive (…) A B C send (…)new y Honest principals follow roles of the protocol; some agents may be dishonest Actions can be arranged in a linear trace

7 Data “known” to agent uAt each point in run, each agent knows All the data provided by initial conditions –Public keys, a private key, shared secret key, … All the data generated by that agent –Fresh nonces chosen at random, new keys, … All the messages received Any data derivable from this information –Can decrypt a message if decryption key known Symbolic representation of data and symbolic characterization of “data knowledge” is called “the Dolev-Yao model.”

8 Protocol correctness A B Initiate Respond C D Correct if no security violation in any run Attacker

9 Correctness conditions uAuthentication Idea: “I know I am talking to you” Formalization 1 –If Alice initiates conversation by sending to Bob, then data she receives was generated by Bob for Alice. Formalization 2 –If Alice completes the initiator role, sending messages to Bob, then Bob completes the responder role with the same messages in the same order. –One-to-one correspondence between sessions Your thoughts and alternatives?

10 Correctness conditions uSecrecy Idea: “The attacker does not know our secrets” Formalization 1 –The session key cannot be computed from the data available to the attacker. Formalization 2 –The entire conversation between Alice and Bob is indistinguishable (to others) from a run with completely different nonces, keys, etc. Your thoughts and alternatives?

11 Safety vs Liveness uTrace property Property is true of a system iff it is true for all traces (runs) of the system uSafety property Bad things do not happen Examples: no deadlock, no page fault, … uLiveness property Good things do happen (eventually) Example: every process gets scheduled to run

12 Safety vs Liveness uSafety property “Bad things do not happen”  traces t, possibly infinite: P(t) iff  t’ < t. P(t’) If a safety property fails, it fails at some finite point uLiveness property “Good things do happen (eventually)”  finite initial traces s: P(s) iff  trace t. P(st) A liveness property holds if every beginning of a trace can be extended to one with the desired property

13 Contract Signing uTwo parties want to sign a contract Multi-party signing is more complicated uThe contract is known to both parties The protocols we will look at are not for contract negotiation (e.g., auctions) uThe attacker could be Another party on the network The “person” you think you want to sign a contract with

14 Example uBoth parties want to sign the contract uNeither wants to commit first Immunity deal

15 Another example: stock trading Willing to sell stock at price X Ok, willing to buy at price X stock broker customer uWhy signed contract? Suppose market price changes Buyer or seller may want proof of agreement

16 Network is Asynchronous uPhysical solution Two parties sit at table Write their signatures simultaneously Exchange copies uProblem How to sign a contract on a network? Fair exchange: general problem of exchanging information so both succeed or both fail

17 Fundamental limitation uImpossibility of consensus Very weak consensus is not solvable if one or more processes can be faulty uAsynchronous setting Process has initial 0 or 1, and eventually decides 0 or 1 Weak termination: some correct process decides Agreement: no two processes decide on different values Very weak validity: there is a run in which the decision is 0 and a run in which the decision is 1 uReference M. J. Fischer, N. A. Lynch and M. S. Paterson, Impossibility of Distributed Consensus with One Faulty Process. J ACM 32(2):374-382 (April 1985).

18 Implication for fair exchange uNeed a trusted third party (TTP) It is impossible to solve strong fair exchange without a trusted third party. The proof is by relating strong fair exchange to the problem of consensus and adapting the impossibility result of Fischer, Lynch and Paterson. uReference H. Pagnia and F. C. Gärtner, On the impossibility of fair exchange without a trusted third party. Technical Report TUD-BS-1999-02, Darmstadt University of Technology, March 1999

19 Two forms of contract signing uGradual-release protocols Alice and Bob sign contract Exchange signatures a few bits at a time Issues –Signatures are verifiable –Work required to guess remaining signature decreases –Alice, Bob must be able to verify that what they have received so far is part of a valid signature uAdd trusted third party

20 Easy TTP contract signing AB TTP signature contract uProblem TTP is bottleneck Can we do better?

21 Optimistic contract signing uUse TTP only if needed Can complete contract signing without TTP TTP will make decisions if asked uGoals Fair: no one can cheat the other Timely: no one has to wait indefinitely (assuming that TTP is available) Other properties …

22 General protocol outline uTrusted third party can force contract Third party can declare contract binding if presented with first two messages. AB I am going to sign the contract Here is my signature

23 Commitment (idea from crypto) uCryptographic hash function Easy to compute function f Given f(x), hard to find y with f(y)=f(x) Hard to find pairs x, y with f(y)=f(x) uCommit Send f(x) for randomly chosen x uComplete Reveal x

24 Refined protocol outline uTrusted third party can force contract Third party can declare contract binding by signing first two messages. AB sign(A,  contract, hash(rand_A)  ) sign(B,  contract, hash(rand_B)  ) rand_A rand_B

25 Optimistic Protocol [Asokan, Shoup, Waidner] M K Input: PK K, T, text Input: PK M, T, text m 1 = sig M (PK M, PK K, T, text, hash(R M )) m 2 = sig K (m 1, hash(R K )) m 3 = R M m 4 = R K m 1, R M, m 2, R K

26 uContract from normal execution uContract issued by third party uAbort token issued by third party Asokan-Shoup-Waidner Outcomes m 1, R M, m 2, R K sig T (m 1, m 2 ) sig T (abort, a 1 )

27 Role of Trusted Third Party uT can issue a replacement contract Proof that both parties are committed uT can issue an abort token Proof that T will not issue contract uT acts only when requested decides whether to abort or resolve on the first-come-first-serve basis only gets involved if requested by M or K

28 Resolve Subprotocol T K Net M r 1 = m 1, m 2 r2r2 aborted? Yes: r 2 = sig T (abort, a 1 ) No: resolved := true r 2 = sig T (m 1, m 2 ) r2r2 m 1 = sig M (… hash(R M )) m 3 = ???m 4 = ??? m 2 = sig K (… hash(R K )) sig T (m 1, m 2 ) sig T (abort, a 1 ) OR

29 Abort Subprotocol M m 2 = ??? K Network T a 1 = sig M (abort, m 1 ) a2a2 resolved? Yes: a 2 = sig T (m 1, m 2 ) No: aborted := true a 2 = sig T (abort, a 1 ) m 1 = sig M (… hash(R M )) sig T (m 1, m 2 ) sig T (abort, a 1 ) OR

30 Fairness and Timeliness If A cannot obtain B’s signature, then B should not be able to obtain A’s signature and vice versa Fairness “One player cannot force the other to wait -- a fair and timely termination can always be forced by contacting TTP” Timeliness [Asokan, Shoup, Waidner Eurocrypt ‘98]

31 B A m1= sign(A,  c, hash(r_A)  ) sign(B,  m1, hash(r_B)  ) r_A r_B Agree A B Network T Abort ??? ResolveAttack? B A Net T sig T (m 1, m 2 ) m1m1 ??? m2m2 A T Asokan-Shoup-Waidner protocol If not already resolved a 1 sig T (a 1,abort)

32 Attack M r 2 = sig T (m 1, m 2 ) m 1 = sig M (... hash(R M )) m 2 = sig K (m 1, hash(R K )) m 3 = R M T r 1 = m 1, m 2 secret Q K, m 2 sig T (m 1, m 2 ) m 1, R M, m 2, Q K contracts are inconsistent!

33 Later... sig M (PK M, PK K, T, text, hash(R M )) K Replay Attack Intruder causes K to commit to old contract with M sig K (m 1, hash(Q K )) RMRM QKQK M K RMRM sig M (… hash(R M )) RKRK sig K (... hash(R K ))

34 Fixing the Protocol M K Input: PK K, T, text Input: PK M, T, text m 1 = sig M (PK M, PK K, T, text, hash(R M )) m 2 = sig K (m 1, hash(R K )) m 3 = R M m 4 = R K m 1, R M, m 2, R K sig M (, hash(R K ))

35 Desirable properties uFair If one can get contract, so can other uAccountability If someone cheats, message trace shows who cheated uAbuse free No party can show that they can determine outcome of the protocol

36 Abuse-Free Contract Signing A B PCS A (text,B,T) PCS B (text,A,T) sig A (text) sig B (text) [Garay, Jakobsson, MacKenzie]

37 Preventing “abuse” uPrivate Contract Signature Special cryptographic primitive B cannot take msg from A and show to C T converts signatures, does not use own [Garay, Jakobsson, MacKenzie]

38 Role of Trusted Third Party uT can convert PCS to regular signature Resolve the protocol if necessary uT can issue an abort token Promise not to resolve protocol in future uT acts only when requested decides whether to abort or resolve on a first-come-first-served basis only gets involved if requested by A or B

39 Resolve Subprotocol B A Net T r 1 = PCS A (text,B,T), sig B (text) aborted? Yes: r 2 = sig T (a 1 ) No: resolved := true r 2 = sig A (text) store sig B (text) r2r2 PCS A (text,B,T) ??? PCS B (text,A,T) sig T (a 1 ) sig A ( text ) OR

40 Abort Subprotocol A ??? B Network T a 1 =sig A (m 1,abort) a2a2 resolved? Yes: a 2 = sig B (text) No: aborted := true a 2 = sig T (a 1 ) m 1 = PCS A (text,B,T) sig B ( text ) sig T (a 1 ) OR

41 B A PCS A (text,B,T) PCS B (text,A,T) sig A (text) sig B (text ) Agree A B Network T m 1 = PCS A (text,B,T) Abort ??? ResolveAttack B A Net T PCS A (text,B,T) sig B (text) PCS A (text,B,T) ??? PCS B (text,A,T) B T sig T (abort) abort AND sig B (text) abort Leaked by T Garay, Jakobsson, MacKenzie

42 Attack B PCS A (text,B,T), sig B (text) sig T (abort) PCS A (text,B,T) PCS B (text,A,T) T sig A (abort) sig T (abort) Leaked by T abort AND sig B (text)only abort

43 Repairing the Protocol B PCS A (text,B,T), PCS B (text,A,T) PCS A (text,B,T) PCS B (text,A,T) T If T converts PCS into a conventional signature, T can be held accountable

44 Balance No party should be able to unilaterally determine the outcome of the protocol Stock sale example: there is a point in the protocol where the broker can unilaterally choose whether the sale happens or not Balance may be violated even if basic fairness is satisfied! Can a timely, optimistic protocol be fair AND balanced?

45 Advantage Willing to sell stock at price X Ok, willing to buy at price X stock brokercustomer Must be able to ask TTP to cancel this instance of protocol, or will be stuck indefinitely if customer does not respond Can go ahead and complete the sale, OR can still ask TTP to cancel (TTP doesn’t know customer has responded) Optimistically waits for broker to respond … Chooses whether deal will happen: does not have to commit stock for sale, can cancel if sale looks unprofitable Cannot back out of the deal: must commit money for stock

46 “Abuse free”: as good as it gets uSpecifically: One signer always has an advantage over the other, no matter what the protocol is Best case: signer with advantage cannot prove it has the advantage to an outside observer

47 Theorem uIn any fair, optimistic, timely contract-signing protocol, if one player is optimistic*, the other player has an advantage. * optimistic player: waits a little before going to the third party

48 Abuse-Freeness No party should be able to unilaterally determine the outcome of the protocol Balance No party should be able to prove that it can unilaterally determine the outcome of the protocol Abuse-Freeness [Garay, Jakobsson, MacKenzie Crypto ‘99] impossible 

49 How to prove something like this? uDefine “protocol” Program for Alice, Bob, TTP Each move depends on –Local State (what’s happened so far) –Message from network –Timeout uConsider possible optimistic runs uShow someone gets advantage

50 Key idea (omitting many subtleties) uDefine “power” of a signer (A or B) in a state s if A can get contract by reading a message already in network, doing internal computation if A can get contract by communicating with TTT, assuming B does nothing otherwise Power A (s) = 210210 uLook at optimistic transition s  s’ where Power B (s) =1 > Power B (s) = 0.

51 Advantage (intuition for main argument) uIf Power B (s) = 0  Power B (s’) =1 then This is result of some move by A –Power B (s) = 0 means B cannot get contract without B’s help The move by A is not a message to TTP –The proof is for an optimistic protocol, so we are thinking about a run without msg to T B could abort in state s –We assume protocol is timely and fair: B must be able to do something, cannot get contract B can still abort in s’, so B has advantage!

52 Conclusions uOnline contract signing is subtle Fair Abuse-free Accountability uSeveral interdependent subprotocols Many cases and interleavings uFinite-state tools great for case analysis! Find bugs in protocols proved correct uProving properties of all protocols is harder Understand what is possible and what is not

Download ppt "Contract-Signing Protocols J. Mitchell CS 259. Revised schedule uTuesday 1/24 Contract-signing protocols uThursday 1/26 Secure hardware architecture (XOM)"

Similar presentations

Contract-Signing Protocols John Mitchell Stanford TECS Week2005.

Contract-Signing Protocols John Mitchell Stanford TECS Week2005.
Multi-Party Contract Signing Sam Hasinoff April 9, 2001.

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3,4, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex.

Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3,4, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex.
CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

Similar presentations

Ads by Google