Presentation is loading. Please wait.

Presentation is loading. Please wait.

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis John Mitchell Stanford University P. Lincoln, M. Mitchell, A. Ramanathan,

Published byAnnis McCarthy Modified over 9 years ago

Similar presentations

Presentation on theme: "Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis John Mitchell Stanford University P. Lincoln, M. Mitchell, A. Ramanathan,"— Presentation transcript:

1 Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis John Mitchell Stanford University P. Lincoln, M. Mitchell, A. Ramanathan, A. Scedrov, V. Teague

2 Outline uSome discussion of protocols uGoals for process calculus uSpecific process calculus Probabilistic semantics Complexity – probabilistic poly time Asymptotic equivalence Pseudo-random number generators Equational properties and challenges

3 Protocol Security uCryptographic Protocol Program distributed over network Use cryptography to achieve goal uAttacker Intercept, replace, remember messages Guess random numbers, do computation uCorrectness Attacker cannot learn protected secret or cause incorrect protocol completion

4 IKE subprotocol from IPSEC A, (g a mod p) B, (g b mod p) Result: A and B share secret g ab mod p Analysis involves probability, modular exponentiation, digital signatures, communication networks, … AB m1 m2, signB(m1,m2) signA(m1,m2)

5 Simpler: Challenge-Response uAlice wants to know Bob is listening Send “fresh” number n, Bob returns f(n) Use encryption to avoid forgery uProtocol Alice  Bob: { nonce } K Bob  Alice: { nonce * 5 } K uCan Alice be sure that –Message is from Bob? –Message is in response to one Alice sent?

6 Important Modeling Decisions uHow powerful is the adversary? Simple replay of previous messages Decompose, reassemble and resend Statistical analysis, timing attacks,... uHow much detail in model of crypto? Assume perfect cryptography Include algebraic properties –encr(x*y) = encr(x) * encr(y) for RSA encrypt(k,msg) = msg k mod N

7 Standard analysis methods uFinite-state analysis uLogic based models Symbolic search of protocol runs Proofs of correctness in formal logic uConsider probability and complexity More realistic intruder model Interaction between protocol and cryptography Hard Easy

8 Comparison LowHigh Low Sophistication of attacks Protocol complexity  Mur  FDR  NRL  Poly-time calculus  Athena  Hand proofs  Paulson  Bolignano  BAN logic  Spi-calculus

9 Outline uSome discussion of protocols Goals for process calculus uSpecific process calculus Probabilistic semantics Complexity – probabilistic poly time Asymptotic equivalence Pseudo-random number generators Equational properties and challenges

10 Language Approach [Abadi, Gordon] uWrite protocol in process calculus uExpress security using observational equivalence Standard relation from programming language theory P  Q iff for all contexts C[ ], same observations about C[P] and C[Q] Context (environment) represents adversary uUse proof rules for  to prove security Protocol is secure if no adversary can distinguish it from some idealized version of the protocol Great general idea; application is complicated

11 Probabilistic Poly-time Analysis uAdd probability, complexity uProbabilistic polynomial-time process calc Protocols use probabilistic primitives –Key generation, nonce, probabilistic encryption,... Adversary may be probabilistic uExpress protocol and spec in calculus uSecurity using observational equivalence Use probabilistic form of process equivalence

12 Secrecy for Challenge-Response uProtocol P A  B: { i } K B  A: { f(i) } K u“Obviously’’ secret protocol Q A  B: { random_number } K B  A: { random_number } K uAnalysis: P  Q reduces to crypto condition related to non-malleability [Dolev, Dwork, Naor] –Fails for RSA encryption if f(i) = 2i

13 Specification with Authentication uProtocol P A  B: { random i } K B  A: { f(i) } K A  B: “OK” if f(i) received u“Obviously’’ authenticating protocol Q A  B: { random i } K B  A: { random j } K i, j A  B: “OK” if private i, j match public msgs public channel private channel public channel private channel

14 Nondeterminism vs encryption uAlice encrypts msg and sends to Bob A  B: { msg } K uAdversary uses nondeterminism Process E 0 c  0  | c  0  | … | c  0  Process E 1 c  1  | c  1  | … | c  1  Process E c(b 1 ).c(b 2 )...c(b n ).decrypt(b 1 b 2...b n, msg) In reality, at most 2-n chance to guess n-bit key

15 Semantics Nondeterministic SemanticsProbabilistic Semantics 0.5 0.2 0.3 0.5 0.2 0.3 0.2 0.3 0.5 0.2 0.3 0.2 0.5 0.2 0.3 0.5 Prove initial results for arbitrary scheduler

16 Methodology uDefine general system Process calculus Probabilistic semantics Asymptotic observational equivalence uApply to protocols Protocols have specific form “Attacker” is context of specific form –Induces coarser observational equivalence This talk: general calculus and properties

17 Outline uSome discussion of protocols uGoals for process calculus Specific process calculus Probabilistic semantics Complexity – probabilistic poly time Asymptotic equivalence Pseudo-random number generators Equational properties and challenges

18 Technical Challenges uLanguage for prob. poly-time functions Extend work of Cobham, Cook, Hofmann uReplace nondeterminism with probability Otherwise adversary is too strong... uDefine probabilistic equivalence Related to poly-time statistical tests...

19 Syntax uBounded  -calculus with integer terms P :: = 0 | c q(|n|)  T  send up to q(|n|) bits | c q(|n|) (x). P receive |  c q(|n|). P private channel | [T=T] P test | P | P parallel composition | ! q(|n|). P bounded replication Terms may contain symbol n; channel width and replication bounded by poly in |n|

20 Probabilistic Semantics uBasic idea Alternate between terms and processes –Probabilistic evaluation of terms (incl. rand) –Probabilistic scheduling of parallel processes uTwo evaluation phases Outer term evaluation –Evaluate all exposed terms, evaluate tests Communication –Match send and receive –Probabilistic if multiple send-receive pairs

21 Scheduling uOuter term evaluation Evaluate all exposed terms in parallel Multiply probabilities uCommunication E(P) = set of eligible subprocesses S(P) = set of schedulable pairs Prioritize – private communication first Choose highest-priority communication with uniform (or other) probability

22 Example uProcess c  rand+1  | c(x).d  x+1  | d  2  | d(y). e  x+1  uOuter evaluation c  1  | c(x).d  x+1  | d  2  | d(y). e  x+1  c  2  | c(x).d  x+1  | d  2  | d(y). e  x+1  uCommunication c  1  | c(x).d  x+1  | d  2  | d(y). e  x+1  Each prob ½ Choose according to probabilistic scheduler

23 Example (again) Each with prob 0.5 Choose according to probabilistic scheduler c  rand+1  | c(x).d  x+1  | d  2  | d(y). e  x+1  c  2  | c(x).d  x+1  | d  2  | d(y). e  x+1  c  1  | c(x).d  x+1  | d  2  | d(y). e  x+1  Outer Eval Comm Step

24 Complexity results uPolynomial time For each process P, there is a poly q(x) such that –For all n –For all probabilistic schedulers –All minimal evaluation contexts C[ ] eval of C[P] halts in time q(|n|+|C[]|) Minimal evaluation context –C[ ] = c(x).d(y)…[ ] | c  20  | d  7  | e  492  | …

25 Complexity: Intuition uBound on number of communications Count total number of inputs, multiplying by q(|n|) to account for ! q(|n|). P uBound on term evaluation Closed T evaluated in time q T (|n|) uBound on time for each comm step Example: c  m  | c(x).P  [m/x]P Substitution bounded by orig length of P –Size of number m is bounded –Previous steps preserve # occurr of x in P

26 Outline uSome discussion of protocols uApplication of process calculus uSpecific process calculus Probabilistic semantics Complexity – probabilistic poly time Asymptotic equivalence Pseudo-random number generators Equational properties and challenges

27 How to define process equivalence? uIntuition | Prob{ C[ P ]  “yes” } - Prob{ C[ Q ]  “yes” } | <  uDifficulty How do we choose  ? –Less than 1/2, 1/4, … ? (not equiv relation) –Vanishingly small ? As a function of what? uSolution Use security parameter –Protocol is family { P n } n>0 indexed by key length Asymptotic form of process equivalence Problem:

28 Probabilistic Observational Equiv uAsymptotic equivalence within f Process, context families { P n } n>0 { Q n } n>0 { C n } n>0 P  f Q if  contexts C[ ].  obs v.  n 0.  n> n 0. | Prob[C n [ P n ]  v ] - Prob[C n [ Q n ]  v ] | < f(n) uAsymptotically polynomially indistinguishable P  Q if P  f Q for every polynomial f(n) = 1/p(n) Final def’n gives robust equivalence relation

29 Outline uSome discussion of protocols uApplication of process calculus uSpecific process calculus Probabilistic semantics Complexity – probabilistic poly time Asymptotic equivalence Pseudo-random number generators Equational properties and challenges

30 Compare with standard crypto uSequence generated from random seed P n : let b = n k -bit sequence generated from n random bits in PUBLIC  b  end uTruly random sequence Q n : let b = sequence of n k random bits in PUBLIC  b  end uP is crypto strong pseudo-random generator P  Q Equivalence is asymptotic in security parameter n

31 Desired equivalences u P | (Q | R)  (P | Q) | R u P | Q  Q | P u P | 0  P u P  Q  C[P]  C[Q] uP   c. ( c | c(x).P) x  FV(P) Warning: hard to get all of these…

32 How to establish equivalence uLabeled transition system Allow process to send any output, read any input Label with numbers “resembling probabilities” uSimulation relation Relation  on processes If P Q and P P’, then exists Q’ with Q Q’ and P’ Q’ uWeak form of prob equivalence But enough to get started … r  ~  ~  ~ r

33 Hold for uniform scheduler u P | (Q | R)  (P | Q) | R u P | Q  Q | P u P | 0  P u P  Q  C[P]  C[Q]

34 Problem uWant this equivalence P   c. ( c | c(x).P) x  FV(P) uFails for general calculus, general  P = d(x).e C[ ] =  d.( d | d(y).e | [ ] )

35 Comparison  d.( d | d(y).e | d(x).e )  d.( d | d(y).e |  c. ( c | c(x).P) ) e leftc e P Even prioritizing private channels, equivalence fails c left right left

36 Paradox uTwo processors connect by network uEach does private actions uUnrealistic interaction Private coin flip in Beijing does not influence coin flip in Washington

37 Solutions uModify scheduler Process private channels left-to-right Each channel: random send-receive pair uRestrict syntax of protocol, attack C[ P ] = C[  c. ( c | c(x).P) ] for all contexts C[ ] that –do not share private channels –do not bind channel names used in [ ] Modification of scheduler more reasonable for protocols

38 Current State of Project uFramework for protocol analysis Determine crypto requirements of protocols Precise definition of crypto primitives uProbabilistic ptime language uProcess framework Replace nondeterminism with rand Equivalence based on ptime statistical tests uMethods for establishing equivalence Develop probabilistic simulation technique uExamples: Diffie-Hellman, Bellare-Rogaway, …

39 Compositionality uProperty of observational equiv A  B C  D A|C  B|D similarly for other process forms

40 Zero-Knowledge Protocol u Witness protection program Q(x) iff  w. P(x,w) Prove  w. P(x,w) without revealing w PV I know a number x with Q(x) Answer these questions Here. Now you’ll believe me.

41 Identify Friend or Foe uSequential One conversation at a time uConcurrent Base station proves identity concurrently Base M A V S proververifiers Are concurrent sessions still zero-k ?

42

Download ppt "Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis John Mitchell Stanford University P. Lincoln, M. Mitchell, A. Ramanathan,"

Similar presentations

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
Analysis of Security Protocols (I) John C. Mitchell Stanford University.

Analysis of Security Protocols (I) John C. Mitchell Stanford University.
Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.

Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.
Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Mateus P. Lincoln, M.

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Mateus P. Lincoln, M.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Symbolic Logic for Complexity- theoretic Model of Security Protocols Anupam Datta Ante Derek John C. Mitchell Vitaly Shmatikov Mathieu Turuani May 5, 2005.

Symbolic Logic for Complexity- theoretic Model of Security Protocols Anupam Datta Ante Derek John C. Mitchell Vitaly Shmatikov Mathieu Turuani May 5, 2005.
Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Lincoln, P. Mateus,

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Lincoln, P. Mateus,
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Unifying Equivalence-Based Definitions of Protocol Security A. Datta, R. Küsters, J. C. Mitchell, A. Ramanathan, V. Shmatikov Stanford University SRI International.

Unifying Equivalence-Based Definitions of Protocol Security A. Datta, R. Küsters, J. C. Mitchell, A. Ramanathan, V. Shmatikov Stanford University SRI International.
On The Cryptographic Applications of Random Functions Oded Goldreich Shafi Goldwasser Silvio Micali Advances in Cryptology-CRYPTO ‘ 84 報告人 : 陳昱升.

On The Cryptographic Applications of Random Functions Oded Goldreich Shafi Goldwasser Silvio Micali Advances in Cryptology-CRYPTO ‘ 84 報告人 : 陳昱升.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis John Mitchell Stanford University P. Lincoln, M. Mitchell, A. Ramanathan,

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis John Mitchell Stanford University P. Lincoln, M. Mitchell, A. Ramanathan,

Similar presentations

Ads by Google