1 Reasoning about Concrete Security in Protocol Proofs A. Datta, J.Y. Halpern, J.C. Mitchell, R. Pucella, A. Roy.

Presentation transcript:


2 Motivation
 - We want to answer questions like the following, given a cryptographic protocol and a security property:
   - How frequently should we refresh the keys?
   - How does an advance in breaking the specific cryptographic primitives used quantitatively affect security?
 - We base the analysis on the known security properties of the crypto primitives used
   - A protocol may use a number of different crypto primitives
   - How do we translate the quantitative guarantees?
   - How do we handle composition?
 - Precursor: Computational PCL [DDMST05, DDMW06, RDDM07, RDM07]
   - Used to reason about asymptotic security

3 Security of signatures
 Existential Unforgeability under Chosen Message Attack (game between Adversary and Challenger; vk: public verification key, k: private signing key)
 - Adversary sends chosen messages m_i; Challenger answers each with sig_k(m_i)
 - Adversary outputs a forgery m', sig_k(m') with m' ≠ m_i for every queried m_i
 Advantage(Adversary, η) = Prob[Adversary succeeds for sec. param. η]
 A signature scheme is CMA secure if ∀ Prob-Polytime A, Advantage(A, η) is a negligible function of η
 Cryptographic Security: Complexity Theoretic vs. Concrete

4 Security of signatures
 Existential Unforgeability under Chosen Message Attack (game between Adversary and Challenger; vk: public verification key, k: private signing key)
 - Adversary sends chosen messages m_i; Challenger answers each with sig_k(m_i)
 - Adversary outputs a forgery m', sig_k(m') with m' ≠ m_i for every queried m_i
 Advantage(Adversary, η) = Prob[Adversary succeeds for sec. param. η]
 A signature scheme is (t, q, ε)-CMA secure if ∀ t-time-bounded A making at most q signing queries, Advantage(A, η) is less than ε
 Cryptographic Security: Complexity Theoretic vs. Concrete
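The (t, q, ε) game above can be made concrete by running it. The following is an added example, not code from the slides or their authors: it implements the EUF-CMA challenger with an enforced query budget q, instantiates the scheme with a constructed Lamport one-time signature over SHA-256 (messages are fixed 256-bit strings), and runs a constructed "mix-and-match" adversary that splices two legitimate signatures into a signature on a third message. The point it shows is why q appears in the bound: the same scheme has advantage 0 against this adversary when q = 1 and advantage 1 when q = 2, so "secure" is only meaningful as "(t, q, ε)-secure" for stated parameters. The time bound t is not measured here; only the query count is enforced.

```python
import hashlib
import secrets

N_BITS = 256  # messages are exactly 256 bits (32 bytes), signed bit by bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Constructed Lamport one-time key pair: k (private) has one secret pair per
    message bit, vk (public) holds the hashes of those secrets."""
    k = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    vk = [(H(s0), H(s1)) for s0, s1 in k]
    return k, vk


def bits(m: bytes):
    assert len(m) == N_BITS // 8, "messages are exactly 32 bytes"
    return [(m[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def sign(k, m: bytes):
    # reveal, for each bit of m, the secret whose hash sits in that bit's slot of vk
    return [k[i][b] for i, b in enumerate(bits(m))]


def verify(vk, m: bytes, sig) -> bool:
    return len(sig) == N_BITS and all(H(sig[i]) == vk[i][b] for i, b in enumerate(bits(m)))


class Challenger:
    """EUF-CMA challenger: answers at most q signing queries, then judges the forgery."""

    def __init__(self, q: int):
        self.k, self.vk = keygen()
        self.q = q
        self.queried = []

    def sign_oracle(self, m: bytes):
        if len(self.queried) >= self.q:
            raise RuntimeError("query budget q exhausted")
        self.queried.append(m)
        return sign(self.k, m)

    def wins(self, m: bytes, sig) -> bool:
        # success = valid signature on a message never submitted to the oracle
        return m not in self.queried and verify(self.vk, m, sig)


def euf_cma_game(adversary, q: int) -> bool:
    """One run of the game; the adversary gets vk and the oracle, returns (m', sig) or None."""
    ch = Challenger(q)
    try:
        out = adversary(ch.vk, ch.sign_oracle)
    except RuntimeError:
        return False  # adversary needed more than q queries
    if out is None:
        return False
    m, sig = out
    return ch.wins(m, sig)


def mix_and_match_adversary(vk, sign_oracle):
    """Constructed adversary that needs q = 2: it asks for signatures on the all-zero and
    all-one messages and splices them into a signature on a message that is half of each."""
    m1 = bytes(32)
    m2 = bytes([0xFF] * 32)
    s1 = sign_oracle(m1)
    s2 = sign_oracle(m2)
    m_new = bytes(16) + bytes([0xFF] * 16)  # first 128 bits from m1, last 128 from m2
    return m_new, s1[:128] + s2[128:]


def estimate_advantage(adversary, q: int, trials: int) -> float:
    """Empirical Advantage(A, ·) for a fixed query budget q: fraction of games won."""
    wins = sum(euf_cma_game(adversary, q) for _ in range(trials))
    return wins / trials
```

Running `estimate_advantage(mix_and_match_adversary, 1, 10)` gives 0.0 and `estimate_advantage(mix_and_match_adversary, 2, 10)` gives 1.0: the (t, 1, ε) bound is respected by the scheme while no useful (t, 2, ε) bound exists, which is exactly the kind of quantitative dependence on q that the QPCL axioms carry through a protocol proof.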

5 A Challenge-Response Protocol
 A → B: m, A
 B → A: n, sig_B{m, n, A}
 A → B: sig_A{m, n, B}
 - Alice reasons: if Bob is honest, then:
   - only Bob can generate his signature
   - if Bob generates a signature of the form sig_B{m, n, A}, he sends it as part of msg2 of the protocol, and he must have received msg1 from Alice
 - Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)

6 Computational PCL
 Formal Proofs: Syntax, Semantics, Proof System
 - Proof system for direct reasoning, e.g. Verify(X, sig_Y(m), Y) ∧ Honest(Y) ⊃ Sign(Y, m)
   - No explicit use of probabilities and computational complexity
   - No explicit arguments about actions of attackers
 - Semantics capture the idea that properties hold with high probability against PPT attackers
   - Explicit use of probabilities and computational complexity
   - Probabilistic polynomial time attackers
 - Soundness proofs are done one time
   - Soundness implies a result equivalent to a security proof by cryptographic reductions

7 Axiomatizing Security of signatures
 Existential Unforgeability under Chosen Message Attack (game between Adversary and Challenger; vk: public verification key, k: private signing key)
 - Adversary sends chosen messages m_i; Challenger answers each with sig_k(m_i)
 - Adversary outputs a forgery m', sig_k(m') with m' ≠ m_i for every queried m_i
 Formal Proofs: Syntax, Semantics, Proof System
 Computational PCL: Verify(X, sig_Y(m), Y) ∧ Honest(Y) ⊃ Sign(Y, m)
 Quantitative PCL: T ⊢_{ε_sig(t,q,η)} (Verify(X, sig_Y(m), Y) ∧ Honest(Y) ⊃ Sign(Y, m))

8 Axioms and Proof Rules
 where ε = ε_sig(t, q, η)
 where ε' = l(η)(l(η)+1)/2
 where B_i are basic steps of the protocol

9 Challenge-Response Protocol (generic principals)
 X → Y: m, X
 Y → X: n, sig_Y{m, n, X}
 X → Y: sig_X{m, n, Y}

10 Previous CPCL Results
 - Core logic [ICALP05]
 - Key exchange [CSFW06]
   - New security definition: key usability
   - Used by Blanchet et al. in the CryptoVerif Kerberos proof
 - Reasoning about computational secrecy [ESORICS07]
   - Application to Kerberos
 - Reasoning about Diffie-Hellman [TGC07]
   - Applications to IKEv2 (standard model) and DH Kerberos (random oracle model)

11 Logic and Cryptography: Big Picture
 - Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)
 - Crypto constructions satisfying the definitions (e.g., Cramer-Shoup encryption scheme)
 - Axiom in the proof system, justified by the semantics and soundness theorem
 - Protocol security proofs using the proof system

12 Thanks ! Questions?

13 Example Property

14 PCL: Big Picture
 Symbolic Model
 - PCL Semantics (meaning of formulas), unbounded number of concurrent sessions
 - PCL Syntax (properties)
 - Proof System (proofs), high-level proof principles
 - Soundness Theorem (induction)
 Cryptographic Model
 - PCL Semantics (meaning of formulas), polynomial number of concurrent sessions
 - Computational PCL Syntax ± Δ
 - Proof System ± Δ
 - Soundness Theorem (reduction) [BPW, MW, …]

15 Fundamental Question
 PCL: Axioms and rules for reasoning about cryptographic protocols (Soundness), built on first-order logic (Soundness and completeness)
 CPCL: Axioms and rules for reasoning about cryptographic protocols (Computational soundness), built on ??? Conditional first-order logic (Soundness and completeness) [?]

16 Towards QPCL
 PCL: Axioms and rules for reasoning about cryptographic protocols (Soundness), built on first-order logic (Soundness and completeness)
 QPCL: Axioms and rules for quantitative reasoning about cryptographic protocols (Computational soundness), built on conditional first-order logic (Soundness and completeness)

17 Protocol language

18 Conditional implication (OLD)
 Implication uses conditional probability:
 [[θ1 ⊃ θ2]](T, D, η) = [[¬θ1]](T, D, η) ∪ [[θ2]](T', D, η), where T' = [[θ1]](T, D, η)
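To see what "implication uses conditional probability" changes, here is an added example (not from the slides or their authors) that models a formula as a function from a trace set T to the subset of T on which it holds and implements the equation above literally, with D and η fixed and omitted. For a formula whose truth on a trace depends only on that trace, evaluating θ2 on T' = [[θ1]](T) or on all of T makes no difference. The difference appears for formulas whose meaning is a probability over the trace set; the `at_least` formula below is a hypothetical stand-in for such formulas, not a QPCL construct, and the trace set is constructed.

```python
from collections import namedtuple
from fractions import Fraction

# Constructed trace model: each trace records whether B was honest and whether B sent msg2.
Trace = namedtuple("Trace", "id honest sent")


def pointwise(pred):
    """Formula whose truth on a trace depends only on that trace."""
    return lambda T: frozenset(t for t in T if pred(t))


def neg(theta):
    return lambda T: frozenset(T) - theta(T)


def cond_implies(theta1, theta2):
    """Conditional implication from the slide: theta2 is evaluated on T' = [[theta1]](T)."""
    def sem(T):
        T = frozenset(T)
        T_prime = theta1(T)
        return neg(theta1)(T) | theta2(T_prime)
    return sem


def classical_implies(theta1, theta2):
    """For comparison: theta2 evaluated on the whole of T."""
    return lambda T: neg(theta1)(T) | theta2(frozenset(T))


def at_least(p, pred):
    """Hypothetical set-dependent formula: holds on every trace of T if pred holds on at
    least fraction p of T, and on no trace otherwise. It stands in for formulas whose
    meaning is a probability over the trace set rather than a property of one trace."""
    def sem(T):
        T = frozenset(T)
        if not T:
            return T
        frac = Fraction(sum(1 for t in T if pred(t)), len(T))
        return T if frac >= p else frozenset()
    return sem


def error(theta, T):
    """Fraction of traces on which theta fails: the quantity a quantitative bound controls."""
    T = frozenset(T)
    return Fraction(len(T - theta(T)), len(T))


# Constructed sample: 4 honest traces (3 of them with msg2 sent), 6 dishonest ones.
TRACES = frozenset(
    [Trace(i, True, i < 3) for i in range(4)]
    + [Trace(i, False, False) for i in range(4, 10)]
)
HONEST = pointwise(lambda t: t.honest)
SENT = pointwise(lambda t: t.sent)
MOSTLY_SENT = at_least(Fraction(3, 4), lambda t: t.sent)


def compare():
    """Return (error of conditional implication, error of classical implication)
    for Honest ⊃ MostlySent on TRACES."""
    return (
        error(cond_implies(HONEST, MOSTLY_SENT), TRACES),
        error(classical_implies(HONEST, MOSTLY_SENT), TRACES),
    )
```

On this sample, `compare()` returns (0, 2/5): conditioned on the honest traces, msg2 was sent in 3 of 4 of them, so the conditional implication holds everywhere, whereas evaluating the probabilistic consequent over all ten traces (3 of 10) makes the classical reading fail on the four honest traces. For the pointwise consequent `SENT`, both readings agree.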