Presentation is loading. Please wait.

Presentation is loading. Please wait.

Game-based composition for key exchange Cristina Brzuska, Marc Fischlin (University of Darmstadt) Nigel Smart, Bogdan Warinschi, Steve Williams (University.

Published byCarmella Flowers Modified over 8 years ago

Similar presentations

Presentation on theme: "Game-based composition for key exchange Cristina Brzuska, Marc Fischlin (University of Darmstadt) Nigel Smart, Bogdan Warinschi, Steve Williams (University."— Presentation transcript:

1 Game-based composition for key exchange Cristina Brzuska, Marc Fischlin (University of Darmstadt) Nigel Smart, Bogdan Warinschi, Steve Williams (University of Bristol)

2 Composition of key exchange with arbitrary tasks KK e.g. Secure Channel use K for TLS Handshake Protocol TLS Record Layer When is the composition secure? For modularity: sufficient condition on the key exchange to ensure security of the composition

3 Universal composability General composition results but... Too general? Assume preestablished session ids Generic (but not general) mechanism for dealing with shared state (JUC theorem) Too demanding? Does not support well adaptive corruption Commitment problem Does not seem to be easily applicable to practical protocols

4 Bellare-Rogaway Security(BR) KK The adversary controls the network and can mount insider attacks Keys should be indistinguishable from random, i.e.: Intuition: If keys are as good as random, they can later be used for applications. The adversary chooses a session between two honest users and either gets the session key or a value drawn uniformly from { 0,1 } n. Adversary‘s goal: Distinguish between real and random.

5 Security game Security game (Protocol) A queries answers 0/1

6 …in a bit more details Game state (e.g. challenge bit b, corrupt vs non corrupt sessions) Winning condition (predicate): P_win queries answers

7 Game-based composition Composition: – key agreement + symmetric key protocol – Adversary can access key agreement phase and secure channel phase – Adversary tries to break the security of the second part only – In particular, no winning condition against the key agreement – Session matching in key agreement phase via local, private sids Key Agreement Arbitrary two-party symmetric protocol A 0/1

8 Game-based composition security Winning condition (predicate): P_win Game state A

9 Game-based composition security Winning condition (predicate): P_win Game state A

10 Main Theorem Theorem: – Let ke be a key agreement that: Is Bellare-Rogaway-secure Has a public session matching algorithm – Let  be an arbitrary symmetric-key protocol Secure for randomly generated keys (  is given by its algorithms and a security game) – Then, the composition of ke and  is secure. ke  0/1

11 Proof B extracts session keys from key agreement to simulate the secure channel protocol. It uses the public session matching for consistent channel communication ke  A B 0/1

12 ``matching‘‘ protocol Public Session matching is necessary The ``matching‘‘ protocol forces B to match sessions correctly, if A shall be helpful at all. The proof works for non-rewinding B. Key Agreement A B

13 TLS and BR-security K1,K2 The key K1,K2 is used in the key agreement protocol. The adversary can easily distinguish the session key from random, i.e.: ENC K1 (T,MAC K2 (0|T)) TLS Handshake Protocol Session key: Decrypt with K1, check MAC with K2 : valid. Random value: Decrypt with K1, check MAC with K2 : invalid.

14 Idea: “Good” Key Agreement for  Key Agreement (ke) Application Protocol (  ) keys No winning condition for the key agreement, only winning condition of the application protocol. 0/1 Attack possibilities of both: ke and  A network + insider attacks As strong as necessary: If ke hurts security of protocol, then A wins. As weak as needed: No restrictions on syntax No restrictions on secrecy Still: Long composition proofs, if protocol is complicated Even if protocol security reduces to simple primitive, these composition proofs remain laborious.

15 Main Theorem If the ke is ``good“ for the primitive  ke  keys and if there is a key-independent reduction from  to    key-independent reduction then ke  keys the key agreement (ke) is good for the protocol .

16 Reductions   KeyGen keys B 0/1 A Reduction: For all B there is a A such that the probabilities of the games outputting 1 are close, where the probability are taken over the random bits used by the adversary, the key generation and the game.

17   A1A1 keys A1A1 B2B2 A2A2 0/1 Key-Independent Reduction: For all ( A 1, B 2 ) there is a A 2 such that the probabilities of the games outputting 1 are close, where the probability are taken over the random bits used by the adversary, the key generation and the game. (Key-Independent) Reductions

18 For both kinds of reduction: If B 2 breaks protocols with certain keys, then A 2 breaks primitive with same keys. (Key-Independent) Reductions   A1A1 keys A1A1 B2B2 A2A2 0/1 Restriction on the first stage of the adversary: Get old notion of reduction.   KeyGen keys B 0/1 A

19   A1A1 keys A1A1 B2B2 A2A2 If ( A 1, B 2 ) wins trivially, then ( A 1, A 2 ) will win, too. keys st Example: Let  be an authenticated channel and let  be a Mac. Usual Reduction: If ( A 1, B 2 ) breaks the authentication property, then one can extract a forgery against the Mac scheme. Key-independent Reduction: If ( A 1, B 2 ) breaks the authentication property, then one can extract a forgery against the Mac scheme. Key-Independent Reduction

20 Main Theorem If the ke is ``good“ for the primitive  ke  keys and if there is a key-independent reduction from  to    key-independent reduction then ke  keys the key agreement (ke) is good for the protocol .

21 Proof ke  keys B1B1 B2B2 st ke  keys B1B1 B2B2 st A1*A1* ke  keys B1B1 A2A2 st A1*A1* ke  keys B1B1 A2A2 st keys A 1 *   keys B2B2 A2A2 st key-independent reduction folding unfolding

22 TLS Example KK ENC K (T,MAC K (0|T)) TLS Handshake Protocol ENC K (m,MAC K (counter|m)) TLS Record Layer K 1, K 2 =

23 Roadmap KK ENC K (T,MAC K (0|T)) TLS Handshake Protocol ENC K (m,MAC K (counter|m)) TLS Record Layer is good for MAC and ENC. reduces to MAC and ENC. Key-Independent Reduction: If you break the authenticity of the channel, then you can forge a MAC. If you break the secrecy of the channel, then you can break the ENC scheme.

24 TLS Handshake Good for MAC/ENC Primitive KK ENC K (T,MAC K (0|T)) is good for MAC and ENC. First step: Define the primitive  : Mixed primitive of MAC and ENC, i.e.: The adversary wins if she breaks at least one of them. Additional modification: Weak primitive, i.e. the adversary may not output a forgery for the message MAC K (0|Transcript). Second Step: Show that except for the last message, the key K looks as good as random (using random oracles). Final Step: Games are as good as independent now. Reduce weak primitive to strong primitive. ke  keys A1A1 A2A2 st

25 Key-Independent Reduction ENC · (m,MAC · (counter|m)) TLS Record Layer reduces to MAC and ENC. Show that the TLS Record Layer can be reduced to weak primitive. Due to the use of counters, this is true. The adversary may not output a forgery for the message ENC · (T,MAC · (0|T)). Key-Independent Reduction: If you break the authenticity of the channel, then you can forge a MAC.

26 Conclusion Designed two composition theorems for key exchange protocols For BR-security, identified public matching as a necessary condition for general composability For protocols that use the key in the design, gave an alternative route for compositional analysis (applied it to TLS) More general game-based composition?

Download ppt "Game-based composition for key exchange Cristina Brzuska, Marc Fischlin (University of Darmstadt) Nigel Smart, Bogdan Warinschi, Steve Williams (University."

Similar presentations

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.

Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.
13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.

13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.
S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.

S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.

1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
Optimistic Synchronous Multi-Party Contract Signing N. Asokan, Baum-Waidner, M. Schunter, M. Waidner Presented By Uday Nayak Advisor: Chris Lynch.

Optimistic Synchronous Multi-Party Contract Signing N. Asokan, Baum-Waidner, M. Schunter, M. Waidner Presented By Uday Nayak Advisor: Chris Lynch.

Similar presentations

Ads by Google