1 Analysis of Security Protocols (V)
John C. Mitchell, Stanford University

2 Prior state of the art
- Formal protocol analysis uses the Dolev-Yao model
  - Adversary is a nondeterministic process
  - Adversary can
    - Block network traffic
    - Read any message, decompose it into parts
    - Decrypt if the key is known to the adversary
    - Insert new messages built from data it has observed
  - Adversary cannot
    - Gain partial knowledge
    - Guess part of a key
    - Perform statistical tests, ...

3 Power and limitations
- Can find some attacks
  - Needham-Schroeder by exhaustive search
- Other attacks are outside the model
  - Interaction between protocol and encryption
- Some protocols cannot be modeled
  - Probabilistic protocols
  - Steps that require specific properties of encryption
- Possible to prove an erroneous protocol correct

4 Recent Language Approach [AG97]
- Write the protocol in a process calculus
- Express security using observational equivalence
  - Standard relation from programming language theory: P ≃ Q iff for all contexts C[ ], the same observations can be made about C[P] and C[Q]
  - The context (environment) represents the adversary
- Use proof rules for ≃ to prove security
  - A protocol is secure if no adversary can distinguish it from some idealized version of the protocol

5 Probabilistic Poly-time Analysis (Our Framework)
- Adopt the spi-calculus approach, add probability
- Probabilistic polynomial-time process calculus
  - Protocols use probabilistic primitives: key generation, nonces, probabilistic encryption, ...
  - Adversary may be probabilistic
  - Modal type system guarantees complexity bounds
- Express protocol and specification in the calculus
- Study security using observational equivalence
  - Use a probabilistic form of process equivalence

6 Technical Challenges
- Language for probabilistic poly-time functions
  - Extend Hofmann's language with rand
- Replace nondeterminism with probability
  - Otherwise the adversary is too strong...
- Define probabilistic equivalence
  - Related to poly-time statistical tests...
- Develop specification by equivalence
  - Several examples carried out
- Proof systems for probabilistic equivalence
  - Goal for the future

7 Example protocol in process calculus
- "Notation found in the literature"
    A → B: { m }K
    B → A: { m+1 }K
- Process calculus with cryptographic primitives
    let k = new_key(n) in
    let m = pick_a_number(n) in
      AB⟨encrypt(k,m)⟩ | AB(x). BA⟨encrypt(k, decrypt(k,x)+1)⟩
    end
  This form makes the assumptions and the response explicit (annotations on the slide: "output on port AB", "not m")

8 How we specify secrecy
- Original protocol P
    A → B: { m }K
    B → A: { m+1 }K
- "Obviously" secret protocol Q (zero knowledge)
    A → B: { random_number }K
    B → A: { random_number }K
- Basic idea: P ≃ Q implies P preserves secrecy
  - If not, then some context can obtain some information from the original protocol

9 Nondeterminism is traditional, but...
- Nondeterminism is a useful idealization
  - Classical ∃ disguised as a computational primitive
  - Expresses extreme "good luck" or "bad luck"
  - Nondeterministic algorithm for traveling salesman: "guess" a path and check that it is correct
  - Nondeterministic semantics for parallel composition: treat any possible interleaving as significantly possible; appropriate for "worst case" correctness
- Not an intrinsic property of the system itself

10 Nondeterminism breaks encryption
- Alice encrypts a message and sends it to Bob
    A → B: { msg }K
- Adversary uses nondeterministic parallelism
    Process E0:  E⟨0⟩ | E⟨0⟩ | ... | E⟨0⟩
    Process E1:  E⟨1⟩ | E⟨1⟩ | ... | E⟨1⟩
    Process E:   E(b1). E(b2). ... E(bn). decrypt(b1 b2 ... bn, msg)
- In reality, the adversary has a 2^-n chance of guessing an n-bit key

11 Solution: probabilistic scheduler
- Define operational semantics
  - Probabilistic steps: let x = M in P  →_r  [v/x]P
  - Nondeterministic choice between parallel processes
- Each run requires a probabilistic scheduler
  - Chooses a step from the "nondeterministic" alternatives
  - Scheduler runs in probabilistic polynomial time
  - Quantify over schedulers to get universal properties
- Similar ideas in the literature on Markov decision diagrams

12 Toward probabilistic equivalence
- Background: poly-time statistical tests
  - Standard notion from cryptography
  - Define cryptographically strong pseudo-random sequences
- Main ideas
  - Pseudo-random generator family G = { G_n }_{n>0}
  - Test generator G_n in time poly(n)
  - Compare Test(G_k(random(n))) to Test(random(n^k))
  - Generator is "secure" if the results are within 1/poly(n)

13 Observing Probabilistic Process
- Observations
  - Compare |Prob[ P → "yes" ] - Prob[ Q → "yes" ]| < ε
  - How small an ε is small?
    - Less than 1/2, 1/4, ...? (not an equivalence relation for fixed ε)
    - Vanishingly small?
    - How fast should ε → 0? As a function of what?
- Cryptographic protocols
  - Use encryption keys of a certain length
  - Protocol is a family { P_n }_{n>0} indexed by key length
  - Increasing key length ⇒ increasing security

14 Probabilistic Observational Equivalence
- Processes P, Q are ε-indistinguishable, P ≃_ε Q, if
    ∀ contexts C[ ]. ∀ observations v.  |Prob[C[P] → v] - Prob[C[Q] → v]| < ε
- Asymptotically within f
  - Process and context families { P_n }_{n>0}, { Q_n }_{n>0}, { C_n }_{n>0}
  - P ≃_f Q if ∀ contexts C[ ]. ∀ obs v. ∃ n_0. ∀ n > n_0.  |Prob[C_n[P_n] → v] - Prob[C_n[Q_n] → v]| < f(n)
- Asymptotically polynomially indistinguishable
  - P ≃ Q if P ≃_f Q for every polynomial f(n) = 1/p(n)
  - The final definition gives a robust equivalence relation

15 Basic example
- Sequence generated from a random seed
    P_n :  let b = n^k-bit sequence generated from n random bits in PUBLIC⟨b⟩ end
- Truly random sequence
    Q_n :  let b = sequence of n^k random bits in PUBLIC⟨b⟩ end
- P is a cryptographically strong pseudo-random generator: P ≃ Q

16 Protocol P [Diffie, Hellman, ElGamal]
- Messages exchanged between A and B:
    g^a mod p
    g^b mod p
    msg * g^ab mod p
- Prime p and generator g of Z_p are public
- A passive eavesdropper has a small chance at msg

17 Specification Q
- Each message exchanged between A and B is replaced by random_number mod p
- Network traffic should look like 3 random numbers

18 Analysis
- Prove P ≃ Q?
  - Prove difficulty of computing the discrete logarithm?
- Better: reduction from a discrete log problem
  - A strategy to distinguish P from Q with prob > 1/poly ⇒ win the Diffie-Hellman game with prob > 1/poly
- Decision Diffie-Hellman problem
  - Given two triples: ⟨x, y, z⟩ and ⟨g^u, g^v, g^uv⟩
  - Decide which is which (u, v, x, y, z chosen randomly)
- Note: this is for a passive eavesdropper only
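The reduction on slide 18, and the context/observation view of ≃ from slide 14, as an added worked example (this is not code from the talk): P, Q and the DDH game over a constructed toy group, with the embedding that turns any context distinguishing P from Q into a DDH distinguisher. The parameters p = 23, g = 5, the message value and all function names are assumptions of this example; a brute-force discrete-log context shows what "small chance" turns into once the group is tiny.

```python
import random

# Constructed toy parameters, not from the slides: p = 23 is prime and g = 5 is a
# generator of Z_23^*. Real parameters are thousands of bits; p = 23 only exposes
# the structure of the reduction (and lets a brute-force "context" succeed).
P_MOD, G = 23, 5

def protocol_p(msg, rng):
    """Traffic of protocol P: (g^a, g^b, msg * g^ab) mod p for random a, b."""
    a = rng.randrange(1, P_MOD - 1)
    b = rng.randrange(1, P_MOD - 1)
    return (pow(G, a, P_MOD), pow(G, b, P_MOD), msg * pow(G, a * b, P_MOD) % P_MOD)

def spec_q(rng):
    """Traffic of specification Q: three random numbers mod p."""
    return tuple(rng.randrange(1, P_MOD) for _ in range(3))

def ddh_instance(real, rng):
    """DDH challenge: (g^u, g^v, g^uv) if real, else (g^u, g^v, g^w) with random w."""
    u = rng.randrange(1, P_MOD - 1)
    v = rng.randrange(1, P_MOD - 1)
    w = u * v if real else rng.randrange(1, P_MOD - 1)
    return (pow(G, u, P_MOD), pow(G, v, P_MOD), pow(G, w, P_MOD))

def embed(triple, msg):
    """The reduction step: a DDH triple becomes protocol traffic. With z = g^uv the
    result is distributed exactly like P's traffic; with random z, like Q's."""
    x, y, z = triple
    return (x, y, msg * z % P_MOD)

def ddh_advantage(context, msg, trials, rng):
    """Feed embedded DDH triples to a P-vs-Q distinguisher (a context C[ ] whose
    observation is 1 for "looks like P"); return |Pr[1 | real] - Pr[1 | random]|.
    A noticeable advantage here is a noticeable DDH advantage."""
    says_p = {True: 0, False: 0}
    for real in (True, False):
        for _ in range(trials):
            says_p[real] += context(embed(ddh_instance(real, rng), msg))
    return abs(says_p[True] - says_p[False]) / trials

def dlog(h):
    """Brute-force discrete log, feasible only because p is tiny."""
    return next(e for e in range(P_MOD - 1) if pow(G, e, P_MOD) == h)

def dlog_context(transcript, msg):
    """A context that breaks P for tiny p: recover a, b and test the third message."""
    x, y, z = transcript
    return int(z == msg * pow(G, dlog(x) * dlog(y), P_MOD) % P_MOD)
```

A context that ignores its input (always answers "P") has advantage 0, while the discrete-log context has advantage close to 1 over this toy group; the slide's argument is that for a group where no polynomial-time context does better than 1/poly, P ≃ Q.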

19 ElGamal Analysis: So what?
- Characterize security by a number-theoretic game
  - Decision Diffie-Hellman appears in the literature
  - Previously studied, believed hard
- Remove doubt about the protocol, up to common cryptographic assumptions
  - Simplified example, since this protocol can be subverted by replacing g^a by g^c

20 Current state of project
- Better foundations for protocol analysis?
  - Determine crypto requirements of protocols!
- Probabilistic ptime language
  - Extended Hofmann's language with rand
- Probabilistic process framework
  - Replaced nondeterminism with rand
  - Equivalence based on ptime statistical tests
- Specifications of secrecy, authenticity
- Simple examples
- Work in progress...
