Universally Composable Symbolic Analysis of Security Protocols
Jonathan Herzog (joint work with Ran Canetti)
7 June 2004
Transcript of a PowerPoint presentation.
The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the author.
Introduction
This talk: symbolic analysis can guarantee universally composable (UC) security.
Dolev-Yao (symbolic) model: the adversary is extremely limited; proofs are simple and can even be automated.
UC (concrete) framework: a complexity- and information-theoretic approach; guarantees strong security and composability properties; requires "hand-crafted" proofs.
Symbolic security proofs are sound in the UC framework: traditional (symbolic) mutual-authentication definitions suffice; a strengthened notion of symbolic key exchange is needed.
Analysis strategy
[Diagram: a concrete protocol is translated into a symbolic protocol (a natural translation for encryption-based protocols); a symbolic property is then proved (simple, automated); the desired ("would like") step is from the symbolic property back to UC security of the concrete protocol. That step is the main result of the talk, for mutual authentication and key exchange.]
Analysis strategy (expanded)
[Diagram: the concrete protocol is analysed in terms of security using UC (ideal) encryption; the UC theorem and UC with joint state lift security for multiple instances to UC concrete security. On the symbolic side, the protocol is simplified to a symbolic single-instance protocol in the single-instance setting, for which the symbolic property is proved.]
Prior work
Abadi-Rogaway / Abadi-Jürjens: first connection of the formal and computational models; passive adversary.
Micciancio-Warinschi: trace properties (e.g. mutual authentication); no intermediate composition; complex analysis; no composition guarantees. We lift this to UC.
Backes, Pfitzmann, Waidner: UC library of primitives (including symmetric encryption, signatures); multi-instance; primitive vs. protocol (at level 2).
Overview of talk
Describe the UC framework. Describe the Dolev-Yao model, extended with local outputs. Mutual-authentication result. Key-exchange results, with a strengthened symbolic definition. Future work.
Traditional (non-UC) security
[Diagram: real world, parties P running protocol Π with adversary A; ideal world, parties P interacting with functionality F and simulator S.]
A "functionality" specifies what the protocol does and what information is released to the adversary.
Security: for every A there is an S such that View_Real(A) = View_Ideal(A). The adversary learns only what F allows, even in the real protocol.
Desired: Composition
[Diagram: a higher-level protocol Q, run with adversary A, that calls the ideal functionality F several times should be equivalent to the same Q with each call to F replaced by the real protocol.]
Achieving Composition
[Diagram: real world, parties P running the protocol with adversary A; ideal world, parties P with functionality F and simulator S.]
The adversary now sets participant inputs and sees outputs. The simulator sees neither! The adversary is given a special name: "environment".
UC security: for every A there is an S such that View_Real(A) = View_Ideal(A).
This enforces that protocol messages and protocol outputs are independent. It is the strongest known (computational) notion of protocol security.
The Dolev-Yao model
Messages are modeled symbolically. Symbols might be compound (crypto operations). A participant hears a symbol and replies with a symbol.
[Diagram: adversary A between participants P1 and P2; messages M1 and M2 pass through A; P2 produces a local output L.]
New: local output, not seen by the adversary.
The Dolev-Yao adversary
The adversary maintains a set of knowledge, Know, and extends it by applying deduction rules.
[Diagram: adversary A sits between P1 and P2 and holds the set Know.]
Dolev-Yao adversary powers. Only four possible deductions:
  Already in Know          Can add to Know
  M1, M2                   Pair(M1, M2)
  Pair(M1, M2)             M1 and M2
  M, K                     Enc(M, K)
  Enc(M, K), K^-1          M
(Always in Know: randomness generated by the adversary; private keys generated by the adversary; all public keys.)
[Diagram, repeated: adversary A between P1 and P2 with its set Know.]
Mutual Authentication
UC: need only consider a single (two-party) instance.
Symbolic condition: the adversary cannot make party Pi (locally) output (finished Pi Pj) before both Pi and Pj have output (starting Pi Pj) and (starting Pj Pi), respectively.
UC: F_MA only sends (success) to the participants after both submit (start).
Mutual Authentication Results
Theorem: let Π be a concrete protocol that uses ideal encryption. Then DY(Π) achieves mutual authentication iff Π securely realizes F_MA.
Corollary: let Π be a concrete protocol that uses concrete (UC) encryption. Then DY(Π) achieves mutual authentication iff Π securely realizes F_MA.
(Note: UC analog of MW04.)
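As an added example (not code from the talk), the symbolic mutual-authentication condition stated above as a check over a sequence of local outputs: a (finished Pi Pj) output is a violation unless both (starting Pi Pj) and (starting Pj Pi) precede it. The event encoding and the two sample runs are constructed for this example.

```python
from typing import List, Optional, Set, Tuple

# A local output as on the slide: (kind, self, peer), kind is "starting" or "finished".
# This tuple encoding is an assumption of the example, not the talk's notation.
Event = Tuple[str, str, str]

def mutual_auth_violation(local_outputs: List[Event]) -> Optional[Event]:
    """Scan the participants' local outputs in order and return the first
    (finished Pi Pj) that appears before both (starting Pi Pj) and
    (starting Pj Pi) have been output; None means the symbolic
    mutual-authentication condition holds on this run."""
    started: Set[Tuple[str, str]] = set()
    for event in local_outputs:
        kind, me, peer = event
        if kind == "starting":
            started.add((me, peer))
        elif kind == "finished" and not ({(me, peer), (peer, me)} <= started):
            return event
    return None

# Constructed runs (not from the talk): an honest two-party run, and a run in
# which P1 finishes although P2 never started a session with P1.
HONEST_RUN: List[Event] = [
    ("starting", "P1", "P2"), ("starting", "P2", "P1"),
    ("finished", "P1", "P2"), ("finished", "P2", "P1"),
]
BAD_RUN: List[Event] = [
    ("starting", "P1", "P2"), ("finished", "P1", "P2"),
]

if __name__ == "__main__":
    print("honest run:", mutual_auth_violation(HONEST_RUN))   # None
    print("bad run:   ", mutual_auth_violation(BAD_RUN))      # ('finished', 'P1', 'P2')
```

Because the condition is a trace property, checking it needs only the order of local outputs, not the protocol messages; this is what lets the theorem reduce UC mutual authentication to a symbolic, automatable check.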
Key exchange
UC: F_KE creates a single new key and sends it to the requesting participants (but not to the adversary).
Symbolic:
1. Key Agreement: if P1 outputs (Finished P1 P2 K) and P2 outputs (Finished P2 P1 K'), then K = K'.
2. Traditional Dolev-Yao secrecy: if Pi outputs (Finished Pi Pj K), then K can never be in the adversary's set Know.
Not strong enough!
Composition and secrecy
Example: let Π satisfy traditional secrecy for K. The modified protocol still satisfies traditional secrecy, but might be insecure when used as a sub-protocol.
[Diagram: P1 and P2 run the modified protocol; P1 outputs session key K; the figure also shows {K}K2 and K.]
Traditional secrecy goals fail under composition: the session key is used in a higher-level protocol.
Real-or-random (1/3)
Need: a real-or-random property for session keys. One can think of the traditional goal as "computational"; a stronger "decisional" goal is needed, expressed in the Dolev-Yao framework.
Let Π be a protocol. Let Π^r be Π, except that when a participant outputs (Finished Pi Pj Kr), Kr is added to Know.
Let Π^f be Π, except that when any participant outputs (Finished Pi Pj Kr), a fresh key Kf is added to the adversary's set Know.
Want: the adversary can't distinguish the two protocols.
Real-or-random (2/3)
Let S be a strategy: a sequence of deductions and transmissions.
Attempt 1: for any strategy, Trace(S, Π^r) = Trace(S, Π^f). Problem: Kf is not in any trace of Π^r.
Attempt 2: Trace(S, Π^r) = Rename(Trace(S, Π^f), Kf → Kr). Sufficient for "if," too strong for "only if": two different traces may 'appear' the same to the adversary.
Real-or-random (3/3)
Observable part of a trace: the Abadi-Rogaway pattern. Undecipherable encryptions are replaced by a "blob".
Example: t = {N1, N2}K1, {N2}K2, K1^-1. Pattern(t) = {N1, N2}K1, □K2, K1^-1 (the second encryption becomes a blob, since K2^-1 is not available).
Final condition: for any strategy, Pattern(Trace(S, Π^r)) = Pattern(Rename(Trace(S, Π^f), Kf → Kr)).
Main results
Theorem: let Π be a concrete protocol that uses (UC) ideal encryption. Then Π securely realizes F_KE iff DY(Π) satisfies:
1. Key agreement
2. Traditional Dolev-Yao secrecy of the session key
3. Real-or-random
(Note: condition 3 implies condition 2 for a Dolev-Yao message space with equality checks.)
Corollary: the same holds for Π that uses concrete UC encryption.
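As an added worked example (not code from the talk or its authors), the four deduction rules of the Dolev-Yao table, the Abadi-Rogaway pattern, and the final real-or-random condition, in Python. The term encoding, the key-naming convention (public K2, private K2-1), the toy protocol and its traces are assumptions of this example; a trace is simplified to the list of terms the adversary receives (protocol messages plus the key handed to it). The code reproduces the pattern example from the slide and then shows, on a toy protocol with an equality check, a run that satisfies traditional Dolev-Yao secrecy yet fails real-or-random, which is why condition 2 alone is "not strong enough".

```python
from typing import List, Set, Tuple, Union

# Term encoding (an assumption of this example): atoms are strings;
# Pair(M1, M2) is ("pair", M1, M2); Enc(M, K) is ("enc", M, K).
Term = Union[str, Tuple]

def pair(m1: Term, m2: Term) -> Term:
    return ("pair", m1, m2)

def enc(m: Term, k: str) -> Term:
    return ("enc", m, k)

def inverse(k: str) -> str:
    """Name of the key that undoes K (assumed convention): K1 -> K1-1, K1-1 -> K1."""
    return k[:-2] if k.endswith("-1") else k + "-1"

def analyze(know: Set[Term]) -> Set[Term]:
    """Close Know under the two destructor rules of the table,
    Pair(M1, M2) -> M1, M2 and Enc(M, K), K^-1 -> M, until nothing new appears."""
    know = set(know)
    while True:
        new: Set[Term] = set()
        for t in know:
            if isinstance(t, tuple) and t[0] == "pair":
                new.update((t[1], t[2]))
            elif isinstance(t, tuple) and t[0] == "enc" and inverse(t[2]) in know:
                new.add(t[1])
        if new <= know:
            return know
        know |= new

def derivable(target: Term, know: Set[Term]) -> bool:
    """Can the adversary deduce `target`?  The constructor rules (M1, M2 -> Pair
    and M, K -> Enc) are applied top-down on the target after analysis, so the
    search terminates although the closure under construction is infinite."""
    closed = analyze(know)
    def build(t: Term) -> bool:
        if t in closed:
            return True
        if isinstance(t, tuple) and t[0] in ("pair", "enc"):
            return build(t[1]) and build(t[2])
        return False
    return build(target)

def pattern(trace: List[Term], always_known: Set[Term]) -> List[Term]:
    """Abadi-Rogaway pattern: each encryption whose private key the adversary
    cannot derive (from the trace plus what it always knows) becomes a blob
    that keeps only the key name; everything else is kept."""
    closed = analyze(set(trace) | always_known)
    def pat(t: Term) -> Term:
        if isinstance(t, tuple) and t[0] == "pair":
            return ("pair", pat(t[1]), pat(t[2]))
        if isinstance(t, tuple) and t[0] == "enc":
            return ("enc", pat(t[1]), t[2]) if inverse(t[2]) in closed else ("blob", t[2])
        return t
    return [pat(t) for t in trace]

def rename(trace: List[Term], old: str, new: str) -> List[Term]:
    """Rename(trace, old -> new): substitute one atom for another everywhere."""
    def sub(t: Term) -> Term:
        if t == old:
            return new
        return tuple(sub(x) for x in t) if isinstance(t, tuple) else t
    return [sub(t) for t in trace]

ALWAYS_KNOWN: Set[Term] = {"K1", "K2"}   # all public keys are always in Know

def toy_trace(world: str, equality_check: bool) -> List[Term]:
    """Constructed trace of a toy protocol (not one from the talk).  P1 sent the
    session key K to P2 as {K}K2 and output (Finished P1 P2 K).  In world "r"
    the real K is handed to the adversary, in world "f" a fresh Kf is.  The
    strategy S transmits whatever key it was handed back to P1.  With
    equality_check set, P1 answers "ok" only if that value equals K."""
    K = "K"
    handed = K if world == "r" else "Kf"
    trace: List[Term] = [enc(K, "K2"), handed, handed]   # message, key in Know, S's transmission
    if equality_check:
        trace.append("ok" if handed == K else "reject")
    return trace

def traditional_secrecy() -> bool:
    """Condition 2 for the toy protocol: K is not derivable from what the
    adversary sees in a run of Pi itself (the message {K}K2 and the public keys)."""
    return not derivable("K", {enc("K", "K2")} | ALWAYS_KNOWN)

def real_or_random(equality_check: bool) -> bool:
    """Condition 3: Pattern(Trace(S, Pi^r)) == Pattern(Rename(Trace(S, Pi^f), Kf -> K))."""
    real = pattern(toy_trace("r", equality_check), ALWAYS_KNOWN)
    fake = pattern(rename(toy_trace("f", equality_check), "Kf", "K"), ALWAYS_KNOWN)
    return real == fake

if __name__ == "__main__":
    slide_t = [enc(pair("N1", "N2"), "K1"), enc("N2", "K2"), "K1-1"]
    print(pattern(slide_t, ALWAYS_KNOWN))            # second term is ('blob', 'K2')
    print(traditional_secrecy(), real_or_random(False), real_or_random(True))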
Future work
How to prove Dolev-Yao real-or-random? It is needed for UC security and was not previously considered in the Dolev-Yao literature. Can it be automated? Is there a simpler form?
Similar results for protocols using symmetric encryption, signatures, Diffie-Hellman?
Symbolic representation of other types of tasks: zero-knowledge from ideal commitment; secure function evaluation from ideal oblivious transfer; etc.
Backup slides
"Simple" protocols: concrete protocols that map naturally to the Dolev-Yao framework. Two cryptographic operations: randomness generation; encryption/decryption. (This talk: asymmetric encryption.)
Example: Needham-Schroeder-Lowe, between P1 and P2:
  P1 -> P2: {P1, N1}K2
  P2 -> P1: {P2, N1, N2}K1
  P1 -> P2: {N2}K2
UC Key-Exchange Functionality
[Diagram: F_KE receives the request (P1 P2) from P1 and (P2 P1) from P2, chooses k uniformly from {0,1}^n, and sends (Key k) to P1 and to P2. The adversary A sees the requests (P1 P2), (P2 P1) and the delivery notices Key P1, Key P2, but not k itself.]
Goal of the adversary
Recall that the adversary A sees the outputs of participants. Goal: distinguish the real protocol from the simulation.
In a protocol execution, the output of the participants (the session key) is related to the protocol messages. In the ideal world, the output is independent of the simulated protocol. If there exists a detectable relationship between the session key and the protocol messages, the adversary can distinguish.
Example: the last message of the protocol is {"confirm"}K where K is the session key. The adversary can decrypt it with the participant output in the real protocol, but can't in the simulated protocol.