1 / 25

Inductive Proofs of Computational Secrecy of Network Protocols with Active Adversaries

Inductive Proofs of Computational Secrecy of Network Protocols with Active Adversaries. Anupam Datta Carnegie Mellon University Fall 2009. 18739A: Foundations of Security and Privacy. Protocols. Distributed Programs Protocol is a fixed set of ‘roles’ written as programs

iniko
Télécharger la présentation

Inductive Proofs of Computational Secrecy of Network Protocols with Active Adversaries

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Inductive Proofs of Computational Secrecy of Network Protocols with Active Adversaries Anupam Datta Carnegie Mellon University Fall 2009 18739A: Foundations of Security and Privacy

  2. Protocols • Distributed Programs • Protocol is a fixed set of ‘roles’ written as programs • A ‘thread’ is an instance of a role being executed by a principal • A single principal can execute multiple threads • Actions in a role • Communication: send m; recv m; • Pairing, Unpairing: m := pair m0, m1; match m as m0, m1; • Encryption, Decryption: m’ := enc m, k; m’ := dec m, k; • Nonce generation: new m; • Pattern matching: match m as m’; …

  3. , , , Protocol Execution Model Adversary: Prob. Poly Time Protocol Randomness Adversary Randomness • Adversary Randomness: • Random coin flips for the PPT algorithm • Protocol Randomness: • Key generation • Randomness for • encryption, signatures, … A B C • Result: • Set of computational traces: One for each choice of adversary and protocol randomness

  4. Secrecy Notion: Real or Random Game Adversary: Prob. Poly Time Protocol Execution Generating Nonce s0 Adv (A, η) = Pr[d’ = d] - ½ sd s Generate s1 Choose d  {0,1} Secrecy: PPT A. Adv (A, η) is a negligible function of η d’

  5. Secretive Protocols • A trace is a secretive trace with respect to nonce s and set of keys K if the following properties hold for every thread belonging to honest principals: • The thread which generates s, ensures that s is encrypted with a key k in K in any message sent out. • Whenever a thread decrypts a message with a key k in K and parses the decryption, it ensures that the results are re-encrypted with some key k' in K in any message sent out. • A protocol is secretive if it overwhelmingly produces secretive traces. • An inductive property over actions of honest parties • Formalization in Computational Protocol Composition Logic.

  6. Relating “Secretive” Protocols to Computational Secrecy • Theorem: If • the protocol is “secretive” • the nonce-generator is honest • the key-holders are honest Then • the key generated from the nonce satisfies indistinguishability Do an inductive proof - for each protocol Proof is by reduction to a multi-party IND-CCA game – one time soundness proof

  7. Two key steps • Prove that secretive protocols provide computational secrecy • By reduction to a multiparty IND-CCA game • Prove that a protocol is secretive • Using proof system

  8. (Key Gen Algo K, Encryption Algo E, Decryption Algo D) Fix security parameter η m0, m1 Adversary Challenger Choose k  K(η) Choose b  {0,1} Ek(mb) c (*) Dk(c) b’ IND-CCA Game (*): c’s should be different from any encryption response Adv (A, η) = Pr[b’ = b] - ½ • An encryption scheme is IND-CCA secure if •  Prob-Polytime A. • Adv (A, η) is a negligible function of η

  9. n-IND-CCA Game (Key Gen Algo K, Encryption Algo E, Decryption Algo D) Fix security parameter η i, m0, m1 Adversary Challenger Choose k1, k2, …, kn K(η) Choose b  {0,1} (*): c’s should be different from any encryption response Eki(mb) i, c (*) Adv (A, η) = Pr[b’ = b] - ½ Dki(c) b’ • An encryption scheme is n-IND-CCA secure if •  Prob-Polytime A. Adv (A, η) is a negligible function of η [BBM00] shows that an encryption scheme is n-IND-CCA secure IND-CCA secure.

  10. n-IND-CCA Adversary Protocol Execution Reduction Protocol Adversary: Prob. Poly Time Simulate Protocol Execution Generating Nonce s0 n-IND-CCA Challenger Choose k1, …, kn K() Choose b  {0, 1} sb Generate s1 Choose d  {0,1} d’ d’ b’ Show that: If for nonce indist game Adv (A, η) is non-negligible Then for Simulator S, Adv(S, ) against n-IND-CCA game is non-negligible

  11. Protocol Example Adversary: Prob. Poly Time A new s m := pair a, s e := enc m, k1 send e B receive m’ l := dec m’, k1 t := pair l, c r := enc t, k2 send r C receive e’ j := dec e’, k3 Generate s1 Choose d  {0,1} sd d’

  12. Reduction via “Bilateral Simulator” Adversary: Prob. Poly Time new s m := pair a, s e := enc m, k1 send e s0s1 a.s0 a.s1 Ek1(a.sb) n-IND-CCA Challenger Choose k1, …, kn K() Choose b  {0, 1} 1, a.s0, a.s1 Ek1(a.sb) Ek1(a.sb) sd Choose d  {0, 1}; If ‘real’ then b’ = d else b’ = 1-d d’ b’ Adv (A, η) for nonce indist game = Adv(S, ) against n-IND-CCA game

  13. Reduction via “Bilateral Simulator” (Full) Adversary: Prob. Poly Time new s m := pair a, s e := enc m, k1 send e receive m’ l := dec m’, k1 t := pair l, c r := enc t, k2 send r receive e’ j := dec e’, k3 s0s1 a.s0 a.s1 Ek1(a.sb) m’ (=Ek1(l’b)) l0 l1 l0.c l1.c Ek2(lb.c) e’ Dk3(e’) n-IND-CCA Challenger Choose k1, …, kn K() Choose b  {0, 1} 1, a.s0, a.s1 Ek1(a.sb) Ek1(a.sb) m’ 2, l0.c, l1.c Ek1(a.sb) Ek2(lb.c) e’ 3, e’ Dk3(e’) sd Choose d  {0, 1}; If ‘real’ then b’ = d else b’ = 1-d d’ b’ Adv (A, η) for nonce indist game = Adv(S, ) against n-IND-CCA game

  14. Two key steps • Prove that secretive protocols provide computational secrecy • Soundness proof of relevant axiom by reduction to a multiparty IND-CCA game • Prove that a protocol is secretive • Using proof system

  15. PCL: Big Picture • PCL • Syntax (Properties) • Proof System (Proofs) • Computational PCL • Syntax ±  • Proof System±  Soundness Theorem (Induction) Soundness Theorem (Reduction) • Symbolic Model • PCL Semantics • (Meaning of formulas) • Cryptographic Model • PCL Semantics • (Meaning of formulas)

  16. Syntax

  17. Semantics • Q |=  if  adversary A  distinguisher D  negligible function f  n0 n > n0 s.t. Fraction represents probability |[[]](T,D,f(n))|/|T| > 1 – f(n) T(Q,A,n) • Fix protocol Q, PPT adversary A • Choose value of security parameter n • Vary random bits used by all programs • Obtain set T=T(Q,A,n) of equiprobable traces [[]](T,D,f)

  18. Proof System to Establish “Secretive” Protocol – “Good” terms • Proof of construction of good terms is carried out inductively over actions of honest principals

  19. Proof System to Establish “Secretive” Protocol – Induction • A protocol is “secretive” if all honest participants send out only “good” terms. roles  in protocol Q. segments P in role . SendGood(X, s, K) [P]XΦSendGood(X, s, K) Q |- ΦSecretive(s, K)

  20. Example • Let n be the putative secret and K = {k1, k2,…} • We want to prove that protocol satisfies Secretive(n, K) • Consider the following protocol fragment: recv e; t := dec e, k; match t as A.n’; p := enc n’, k; send p;

  21. Case: kK recv e; Good(e, n, K) Axiom G2 Good(e, n, K)  k  K t := dec e, k; Good(t, n, K) Axiom G8 Good(t, n, K) match t as A.n’; Good(A, n, K)  Good(n’, n, K) Axiom G4 Good(n’, n, K) p := enc n’, k; Good(p, n, K) Axiom G6 Good(p, n, K) send p;

  22. Case: kK recv e; t := dec e, k; match t as A.n’; k K p := enc n’, k; Good(p, n, K) Axiom G7 Good(p, n, K) send p;

  23. Applications • We proved the following protocols secure in the complexity theoretic model: • Kerberos V5 with Symmetric Key initialization • Secrecy proofs first time in literature • Kerberos V5 with Public Key initialization • Secrecy proofs first time in literature • IKEv2 • Proofs first time in literature • We found an attack on the first phase of Kerberos V5 with Diffie Hellman initialization, proposed an easy fix and proved the resulting protocol secure.

  24. Computational PCL: Summary • Syntax for specifying properties • Semantics capture idea that properties hold with high probability against PPT attackers • Explicit use of probabilities and computational complexity • Probabilistic polynomial time attackers • Proof system for direct reasoning • No explicit use of probabilities and computational complexity • No explicit arguments about actions of attackers • Composition theorems (similar to PCL in symbolic model) • Soundness theorem for proof system • By reduction to game-based definitions of security • Soundness proofs one time effort

  25. Thanks! Questions?

More Related