Digital signature in automatic analyses for confidentiality against active adversaries
Ilja Tšahhirov, Peeter Laud
Goal of the analysis
• Problem statement
– Given the protocol (set of programs making calculations and exchanging messages)
– It works with some secret data
– No active adversary should be able to learn anything about the secret data
• Automatically determine whether the protocol is secure or not.
Original technique
• Published in: Peeter Laud. Symmetric encryption in automatic analyses for confidentiality against active adversaries. 2004 IEEE Symposium on Security and Privacy, pages 71-85, May 2004.
– Automatic analyzer present
– Programming language
– Single cryptographic primitive – symmetric encryption
– Definition of the adversary
– Definition of the security
– Protocol transformations
Programming language
• Instruction set
P ::= k:=gen_key | y:=(x1,…,xm) | x:=π_i^m(y)
    | x:=encr_k(y) | y:=decr_k(x) | x:=random
    | send(x) | x:=receivel | check(x=y)
    | x:=constant(b) | x:=y
    | kp:=gen_key_pair | pk:=public_key(kp)
    | sm:=sign_kp(m) | test_pk(sm)
    | m:=get_signed_message(sm)
• The only cryptographic primitive in the original analysis – symmetric encryption
• Our contribution is adding support for the digital signature primitive (the commands in bold on the original slide) to the language.
Adversary
• Adversary is active - it schedules the participants and relays messages between them
• Can modify, create new, or not deliver sent messages
Security definition
The protocol is considered secure if the secret message is computationally independent from the adversary’s view.
Security against chosen-ciphertext attacks
• No PPT adversary should be able to distinguish the second black box from the first without querying the second algorithm with the outputs from the first
Protocol transformations - encryption
• During the analysis protocols are transformed
• Protocols working with the first black box can be rewritten to use the second (under certain conditions)
Information flow analysis
• If some participant of the protocol contains a statement of the form x:=E(x1,…,xn) there is an information flow from the variable xi to the variable x.
• The protocol is deemed secure if M * y holds for no y affecting the adversary’s view.
• The protocol transformation described above breaks some of those links.
Unforgeability under adaptive chosen message attack
• The property we require signature scheme to satisfy
• Adversary making queries to the signature oracle should not be able to create a valid signature for the message that has not previously been signed by it
[Figure: boxes S and T, key pair KP, and Query/Answer arrows]
Protocol transformations – digital signature
• Signature operations are replaced with checking whether the signed message being tested belongs to the set of the actually signed messages.
Running example
• Transmit the public key and signature from A to B
A generates KPA
A : public_key(KPA)
A→B : enc(KAB: public_key(KPA))
A→B : enc(KAB: sign(KPA: M))
B verifies the signature
B : OK
• KAB is a long-term key shared between A and B.
Data dependencies
[Figure: data dependency graph of the running example for participants A and B; nodes KAB, KPA, M, R2, R3, S1–S4; operations public_key, sign, enc, dec, test]
Control dependencies
[Figure: control dependency graph of the running example for participants A and B; nodes KAB, KPA, M, R2, R3, S1–S4; operations public_key, sign, enc, dec, test]
Criterion for security
No path from M to any Si
The system is secure
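The criterion above, checked mechanically on A's side of the running example, as an added example that is not from the original slides: it builds the flow edges xi -> x from each statement, reports which send nodes M reaches, and then models the encryption replacement by swapping plaintexts under KAB for the constant 0. The tuple encoding, the variable names pk, sm, c1, c2, and the key-position side condition are assumptions; B's side and the control dependencies are not modelled.

```python
from collections import defaultdict

# Constructed encoding of A's statements: (target, op, args); args[0] of encr is the key.
# Names pk, sm, c1, c2 are illustrative; S1..S3 stand for A's send statements.
A_SIDE = [
    ("KPA", "gen_key_pair", []),
    ("pk", "public_key", ["KPA"]),
    ("S1", "send", ["pk"]),
    ("c1", "encr", ["KAB", "pk"]),
    ("S2", "send", ["c1"]),
    ("sm", "sign", ["KPA", "M"]),
    ("c2", "encr", ["KAB", "sm"]),
    ("S3", "send", ["c2"]),
]

def leaking_sends(program, secret="M"):
    """Send nodes reachable from the secret; an empty set means the criterion holds."""
    edges = defaultdict(set)
    for target, _op, args in program:      # x := E(x1..xn) gives edges xi -> x
        for arg in args:
            edges[arg].add(target)
    seen, stack = set(), [secret]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(edges[node])
    return seen & {t for t, op, _ in program if op == "send"}

def key_only_in_key_position(program, key):
    """Assumed side condition: the key is used only as the key of encr/decr."""
    return all(op in ("encr", "decr") and i == 0
               for _t, op, args in program
               for i, arg in enumerate(args) if arg == key)

def replace_encryptions(program, key):
    """Model the transformation: plaintexts under `key` become the constant 0."""
    if not key_only_in_key_position(program, key):
        return list(program)               # condition fails: leave the protocol alone
    return [(t, op, [key, "0"]) if op == "encr" and args[0] == key else (t, op, args)
            for t, op, args in program]

if __name__ == "__main__":
    print("before:", leaking_sends(A_SIDE))
    print("after: ", leaking_sends(replace_encryptions(A_SIDE, "KAB")))
```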
Security does not follow
[Figure: dependency graph of the running example; nodes KAB, KPA, M, R2, R3, S1–S4; operations public_key, sign, enc, dec, test]
Encryptions replaced
[Figure: dependency graph after the encryption transformation; nodes KAB, KPA, M, R2, R3, S1–S4 and two constants 0; operations public_key, sign, enc, case, test]
Security still does not follow
[Figure: dependency graph after the encryption transformation; nodes KAB, KPA, M, R2, R3, S1–S4 and two constants 0; operations public_key, sign, enc, case, test]
Case handling – Case 1
[Figure: dependency graph for case 1; nodes KAB, KPA, M, R2, R3, S1–S4 and two constants 0; operations public_key, sign, enc, =?, test]
Case 1 - Replacing the signature test
[Figure: dependency graph for case 1 with the test node replaced; nodes KAB, KPA, M, R2, R3, S1–S4 and two constants 0; operations public_key, sign, enc, =?, get_signed_message, in]
Case 1 – in statement handling.
[Figure: dependency graph for case 1 with the in node replaced by =?; nodes KAB, KPA, M, R2, R3, S1–S4 and two constants 0; operations public_key, sign, enc, =?, get_signed_message]
Case 1 – check statement handling
[Figure: dependency graph for case 1; nodes KAB, KPA, M, R2, R3, S1–S4 and two constants 0; operations public_key, sign, enc, =?, get_signed_message]
Sub-protocol is secure (result of check can be statically determined)
Case 2
[Figure: dependency graph for case 2; nodes KAB, KPA, M, R2, R3, S1–S4 and two constants 0; operations public_key, sign, enc, =?, test]
Sub-protocol is secure (test statement always fails)
Conclusions and future work
• Conclusions
– The presented technique can be used in automated analysis of the cryptographic protocols
– Technique is published in Nordsec 2005 proceedings, p 29-41.
• Future work
– Implementation of the automated analyser
– Introducing the support for other cryptographic primitives