Analysis of Security Protocols (V) John C. Mitchell Stanford University

Prior state of the art l Formal protocol analysis uses Dolev-Yao model  Adversary is nondeterministic process  Adversary can  Block network traffic  Read any message, decompose into parts  Decrypt if key is known to adversary  Insert new message from data it has observed  Adversary cannot  Gain partial knowledge  Guess part of a key  Perform statistical tests, …

Power and limitations l Can find some attacks  Needham-Schroeder by exhaustive search l Other attacks are outside model  Interaction between protocol and encryption l Some protocols cannot be modeled  Probabilistic protocols  Steps that require specific properties of encryption l Possible to prove erroneous protocol correct

Recent Language Approach [AG97] l Write protocol in process calculus l Express security using observational equivalence  Standard relation from programming language theory P  Q iff for all contexts C[ ], same observations about C[P] and C[Q]  Context (environment) represents adversary l Use proof rules for  to prove security  Protocol is secure if no adversary can distinguish it from some idealized version of the protocol

Probabilistic Poly-time Analysis l Adopt spi-calculus approach, add probability l Probabilistic polynomial-time process calculus  Protocols use probabilistic primitives  Key generation, nonce, probabilistic encryption,...  Adversary may be probabilistic  Modal type system guarantees complexity bounds l Express protocol and specification in calculus l Study security using observational equivalence  Use probabilistic form of process equivalence Our Framework

Technical Challenges l Language for prob. poly-time functions  Extend Hofmann language with rand l Replace nondeterminism with probability  Otherwise adversary is too strong... l Define probabilistic equivalence  Related to poly-time statistical tests... l Develop specification by equivalence  Several examples carried out l Proof systems for probabilistic equivalence  Goal for the future

Example protocol in process calc l “Notation found in the literature” A  B: { m } K B  A: { m+1 } K l Process calculus with cryptographic primitives let k = new_key(n) in let m = pick_a_number(n) in AB  encrypt(k,m)  | AB (x). BA  encrypt(k, decrypt(k,x)+1)  end This form makes assumptions and response explicit output on port AB not m

How we specify secrecy l Original protocol P A  B: { m } K B  A: { m+1 } K l “Obviously’’ secret protocol Q (zero knowledge) A  B: { random_number } K B  A: { random_number } K l Basic idea: P  Q implies P preserves secrecy If not, then some context can obtain some information from the original protocol

Nondeterminism is traditional, but... l Nondeterminism is a useful idealization  Classical  disguised as a computational primitive  Expresses extreme “good luck” or “bad luck”  Nondeterministic algorithm for traveling salesman “Guess” a path and check that it is correct  Nondeterministic semantics for parallel composition Treat any possible interleaving as significantly possible Appropriate for “worst case” correctness l Not an intrinsic property of system itself

Nondeterminism breaks encryption l Alice encrypts message and sends to Bob A  B: { msg } K l Adversary uses nondeterministic parallelism Process E 0 E  0  | E  0  | … | E  0  Process E 1 E  1  | E  1  | … | E  1  Process E E  b 1 . E  b 2 ... E  b n . decrypt(b 1 b 2...b n, msg) In reality, adversary has  2 -n chance to guess n-bit key

Solution: probabilistic scheduler l Define operational semantics  Probabilistic steps let x = M in P  r [v/x]P  Nondeterministic choice between parallel processes l Each run requires probabilistic scheduler  Chooses step from “nondeterministic” alternatives  Scheduler runs in probabilistic polynomial time  Quantify over schedulers to get universal properties Similar ideas in literature on Markov decision diagrams

Toward probabilistic equivalence l Background: poly-time statistical tests  Standard notion from cryptography  Define crypto. strong pseudo-random sequence l Main ideas  Pseudo-random generator family G = {G n } n>0  Test generator G n in time poly(n)  Compare Test(G k (random(n)) to Test(random(n k ))  Generator “secure” if results within 1/poly(n)

Observing Probabilistic Process l Observations  Compare |Prob[ P  “yes” ] - Prob[ Q  “yes” ] | <   How small  is small ?  Less than 1/2, 1/4, … ? (not equiv relation for fixed  )  Vanishingly small ?  How fast should   0 ? As a function of what? l Cryptographic protocols  Use encryption keys of a certain length  Protocol is family { P n } n>0 indexed by key length  Increasing key length  increasing security

Probabilistic Observational Equiv l Processes P, Q are  -indistinguishable P   Q if  contexts C[ ].  observations v. |Prob[C[ P ]  v ] - Prob[C[ Q ]  v ] | <  l Asymptotically within f Process, context families { P n } n>0 { Q n } n>0 { C n } n>0 P  f Q if  contexts C[ ].  obs v.  n 0.  n> n 0. | Prob[C n [ P n ]  v ] - Prob[C n [ Q n ]  v ] | < f(n) l Asymptotically polynomially indistinguishable P  Q if P  f Q for every polynomial f(n) = 1/p(n) Final def’n gives robust equivalence relation

Basic example l Sequence generated from random seed P n : let b = n k -bit sequence generated from n random bits in PUBLIC  b  end l Truly random sequence Q n : let b = sequence of n k random bits in PUBLIC  b  end l P is crypto strong pseudo-random generator P  Q

Protocol P [Diffie, Hellman, ElGamal] g a mod p g b mod p msg * g ab mod p Prime p and generator g of Z p are public Passive eavesdropper has small chance at msg AB

Specification Q random_number mod p Network traffic should look like 3 random numbers AB

Analysis l Prove P  Q ?  Prove difficulty of computing discrete logarithm ? l Better: reduction from a discrete log problem  Strategy to distinguish P from Q with prob > 1/poly  win Diffie-Hellman game with prob >1/poly l Decision-Diffie-Hellman problem  Given two triples:  x, y, z   g u, g v, g uv   Decide which is which (u,v,x,y,z chosen randomly) Note: this is for passive eavesdropper only

ElGamal Analysis: So what? l Characterize security by number-theoretic game  Decision Diffie-Hellman appears in literature  Previously studied, believed hard l Remove doubt about protocol, up to common cryptographic assumptions  Simplified example since this protocol can be subverted by replacing g a by g c

Current state of project l Better foundations for protocol analysis ?  Determine crypto requirements of protocols ! l Probabilistic ptime language  Extended Hofmann language with rand l Probabilistic process framework  replaced nondeterminism with rand  equivalence based on ptime statistical tests l Specifications of secrecy, authenticity l Simple examples l Work in progress...