analysis of an e-voting protocol in the applied pi calculus may 7, 2012
TRANSCRIPT
![Page 1: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/1.jpg)
Verification of Security Protocols
Analysis of an E-voting Protocol in the Applied Pi Calculus
May 7, 2012
![Page 2: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/2.jpg)
2
Solution Consider the following protocol:
B A : nb;text1A: begin(A,B,nb)A B : pkA;A;{na;nb;text2}skA
B: end(A,B,nb)B: begin(B,A,na)B A : pkB;B;{na;text3}skB
A: end(B,A,na)◦ A public-key infrastructure is assumed: pkA, pkB are the public
keys of A and B, respectively◦ skA, skB are the signing keys of A and B, respectively◦ text1,text2,text3 are publicly known messages
Write a model of this protocol in ProVerif Check whether the protocol correctly realizes mutual
authentication between A and B; fix it if needed
![Page 3: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/3.jpg)
3
free c. (* channel *)
free A,B. (* identifiers *)
free text1,text2,text3. (* publicly known messages *)
fun sign/2.
fun pk/1.
private fun sk/1.
reduc check(sign(x,sk(y)),pk(y))=x.
(* queries *)
query evinj:end(x,y,z) ==> evinj:begin(x,y,z).
query evinj:end2(x,y,z) ==> evinj:begin2(x,y,z).
Solution (1)B A : nb;text1A B : pkA;A;{na;nb;text2}skA
B A : pkB;B;{na;text3}skB
![Page 4: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/4.jpg)
4
let initiatorB = new nb;
out(c,(B,nb,text1));
in(c,(x));
let ((pka,=A),mess1) = x in
let (na,=nb,=text2) = check(mess1,pka) in
event end(A,B,nb);
event begin2(B,A,na);
out(c,(pk(B),B,sign((na,text3),sk(B)))).
Solution (2)B A : nb;text1A B : pkA;A;{na;nb;text2}skA
B A : pkB;B;{na;text3}skB
![Page 5: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/5.jpg)
5
let responderA = in(c,x);
let (B,nb,=text1) = x in
event begin(A,B,nb);
new na;
out(c,((pk(A),A),sign((na,nb,text2),sk(A))));
in(c,(pkb, =B,mess1));
let (=na,=text3) = check(mess1,pkb) in
event end2(B,A,na).
process
!responderA | !initiatorB
Solution (3)
Mutual authentication? NO! The attacker can impersonate the users cheating on keys
How to fix: Certificates (pkID, ID) should be signed by a TTP and identities should be checked
B A : nb;text1A B : pkA;A;{na;nb;text2}skA
B A : pkB;B;{na;text3}skB
![Page 6: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/6.jpg)
6
Today’s class is based on a paper by Steve Kremer and Mark Ryan:◦ “Analysis of an Electronic Voting Protocol in the
Applied Pi Calculus”
Analysis of an e-voting protocol by Fujioka, Okamoto and Ohta known as FOO92◦ partly carried out using ProVerif◦ where ProVerif is not powerful enough, by hand
proofs
ProVerif as a proof assistant
![Page 7: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/7.jpg)
7
Fairness◦ No early results can be obtained (to avoid influencing the remaining
voters) Eligibility
◦ Only legitimate voters can vote, and only once Privacy
◦ The association of a voter with her vote is not revealed to anyone Individual verifiability
◦ A voter can verify that her vote was really counted Universal verifiability
◦ A voter can verify that the published outcome really is the sum of all votes
Receipt-freeness◦ A voter cannot prove that she voted in a certain way (to protect voters
from coercion)
… in the presence of corrupt election authorities
E-voting protocols:Security goals
![Page 8: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/8.jpg)
8
It is hard to achieve all the security goals simultaneously
EligibilityOnly legitimate voters can vote and only once
Individual verifiability
A voter can verify that her vote was
really counted
PrivacyThe association of a voter with her
vote is not revealed to anyone
Receipt-freenessA voter cannot prove that she
voted in a certain way
![Page 9: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/9.jpg)
9
Most of these security goals look different from the ones studied so far, but they can be expressed in terms of◦ Secrecy: ProVerif supports reasoning about
secrecy for direct flows ◦ Testing equivalence: ProVerif supports testing
equivalence, but its reasoning is notably incomplete
Formalizing the security goals
![Page 10: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/10.jpg)
10
Kremer and Ryan express FOO92 in ProVerif input language
Then they prove that it satisfies:◦ Fairness (with ProVerif)◦ Eligibility (with ProVerif)◦ Privacy (by hand)
FOO92 Analysis
![Page 11: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/11.jpg)
11
Voter Administrator
◦ Checks if the voter is legitimate The voter has the right to vote The voter has not voted already
Collector◦ Collects and publishes the votes
FOO92: The Agents
![Page 12: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/12.jpg)
12
Constructor◦ commit/2.
Destructor◦ open/2.
Reduction rule◦ open(commit(v,r),r) = v.
From our abstract point of view, bit commitment is exactly like symmetric encryption◦ v is a vote◦ r is a random key to encrypt the vote
Cryptographic Primitives:Bit Commitment
![Page 13: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/13.jpg)
13
Constructors◦ enc/1.◦ dec/1.◦ sign/2.
Destructor◦ checksign/2.
Reduction rule◦ checksign(sign(m,enc(kp)),dec(kp)) = m.
Cryptographic Primitives:Digital Signing
![Page 14: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/14.jpg)
14
Constructor◦ blind/2.
Destructor◦ unblind/2.
Reduction rules (where b is the blinding factor)◦ unblind(blind(m,b),b) = m.
Like symmetric encryption◦ unblind(sign(blind(m,b),sk),b) = sign(m,sk).
In order to legitimize a vote, an administrator signs the vote that has been blinded by a voter
The voter can unblind it while preserving the administrators signature, before forwarding it to the vote collector
Cryptographic Primitives:Blinding
![Page 15: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/15.jpg)
15
An observer who sees a message on a channel must not be able to tell the origin and the destination of the message
That is exactly how channels are modeled in the spi-calculus (and in ProVerif)
Implementing anonymous channels in reality is problematic, but there are some solutions, like MIX-nets and onion routing
Cryptographic Primitives:Anonymous Channels
![Page 16: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/16.jpg)
16
Three consecutive phases:◦ Legitimization phase
The administrator legitimizes the votes◦ Voting phase
The voters send their votes to the collectors◦ Opening phase
The collector publishes the votes
The end of each phase is a global synchronization point◦ the next phase does not start before the previous
phase has ended
The protocol: phases
![Page 17: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/17.jpg)
17
Voter V selects a vote v and computes the commitment x of v and a random key r◦ x = commit(v,r)
V computes the message e using a blinding function and a random blinding factor b◦ e = blind(x,b) = blind(commit(v,r),b)
V digitally signs e and sends the signature to the administrator A together with her identity◦ V A: V, sign(e,sv) = sign(blind(commit(v,r),b),sv)
A verifies that◦ V has the right to vote◦ V has not voted yet◦ The signature is valid
If so, A sends her digital signature to V◦ A V : sign(blind(commit(v,r),b),sa)
V unblinds the message obtaining y = sign(commit(v,r),sa)
The protocol:Phase 1 - Legitimization
![Page 18: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/18.jpg)
18
V sends y, A’s signature on the commitment to V’s vote, to the collector C using an anonymous channel◦ V C: y = sign(x,sa) = sign(commit(v,r),sa)
C checks correctness of the signature y and, if the test succeeds, enters (l,x,y) onto a list as an l-th item
The protocol:Phase 2 - Voting
![Page 19: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/19.jpg)
19
The collector C received all votes The voters reveal the random key r so that C can open the votes and publish them◦ C publishes the list of votes (li,xi,yi)◦ V verifies that her commitment is in the list and
sends l,r to C via an anonymous channel(V C: l, r)
◦ C opens the l-th ballot using the random r and publishes the vote v
The protocol:Phase 3 - Opening
![Page 20: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/20.jpg)
20
Which security goal would be violated if blinding was omitted?◦ Privacy
The first message, without blinding, would create an observable link between vote and voter (once the voter has revealed the random key r)
Which security goal would be violated if bit commitment was not collision-free?commit(v,r) = commit(v’,r’) for some (v,r)≠(v’,r’)
◦ Fairness The voter could change his vote after the voting
phase (by publishing r’ instead of r).
Motivations forblinding and commitment
![Page 21: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/21.jpg)
21
let voter = new r; new b; let (bcv) = blind(commit(v,r),b) in out(net,(v, sign(bcv,sv))); in(net,lbcv); let (=bcv) = checksign(lbcv,pka) in let (lcv) = unblind(lbcv,b) in phase 1; out(net,lcv); in(net,(l,=lcv)); phase 2; out(net,(l,r)).
The vote v is:◦ a free variable of the system...
votes are guessable◦ ... and not new-generated names
they model unguessable data ProVerif phases specifies global synchronization points
The voter process
![Page 22: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/22.jpg)
22
let administrator =
in(privCh,(V,pkv)); (* voter and public key *)
in(net,(=V,sbcv));
let (bcv) = checksign(sbcv,pkv) in
out(net,sign(bcv,ska)).
In Kremer and Ryan’s model, the administrator does not check for duplicate votes
The administrator process
![Page 23: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/23.jpg)
23
let collector = phase 1; in(net,lcv); new l; out(net,(l,lcv)); phase 2; in(net,(=l,r)); let (v) = open(checksign(lcv,pka),r) in out(net,v).
Remark: There is a small discrepancy◦ Informal description: Collector checks administrator signature in voting phase◦ ProVerif model: Collector checks administrator signature in opening phase
The collector process
![Page 24: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/24.jpg)
24
Fairness ensures that no early results can be obtained
Kremer and Ryan verify fairness as a secrecy property◦ It should be impossible for an attacker to learn a vote
before the opening phase (2) Strong secrecy of the votes up to the end of the voting
phase
ProVerif successfully proves that FOO92 guarantees that (in this model) an intruder cannot obtain the votes or learn any information about them before the voting phase ends
Fairness analysis
![Page 25: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/25.jpg)
25
Eligibility verifies that◦ only legitimate voters can vote…
The attacker has a challengeVote (a global name) The attacker is illegitimate (he does not have a valid signing key) They modify the collector process (it publishes a fresh name attack if and only if he receives the challengeVote)
Then attack becomes public if and only if the collector receives the challengeVote from the attacker
In order to verify that the challengeVote from the attacker never reaches the collector, it suffices to show that attack remains secret the problem is reduced to secrecy
◦ … and only once This cannot be verified in the model because all voters share
the same key
Eligibility analysis
![Page 26: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/26.jpg)
26
let collector = phase 1; in(net,lcv); new l; out(net,(l,lcv)); phase 2; in(net,(=l,r)); let (v) = open(checksign(lcv,pka),r) in new attack; if (v) = challengeVote then out(net,attack) else out(net,v).
ProVerif succeeds in verifying the standard secrecy of attack, therefore FOO92 guarantees eligibility
Eligibility analysisModified collector process
![Page 27: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/27.jpg)
27
Privacy aims to guarantee that the association of a voter with her vote is not revealed to anyone◦ We need to suppose that at least two voters are honest
(if there is only one honest voter then privacy can never be guaranteed) Voter V1 – vote1
Voter V2 – vote2
◦ Privacy: P[vote1/v1, vote2/v2] ≈ P[vote2/v1, vote1/v2]
ProVerif fails on this, because its reasoning about testing equivalence is incomplete (proof by hand)
Privacy analysis
![Page 28: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/28.jpg)
28
The phase separator between legitimization (1) and voting (2) phase is crucial for privacy
Without the separator, the following attack on privacy would be possible:◦ The attacker blocks all messages coming from voters
other than V until he has seen on the network two messages that are signed by A
◦ The attacker knows that the second of these A-signed messages contains V’s committed vote (unblinded!)
◦ Once V publishes his random key r, the attacker can open V’s committed vote (knowing that this is V’s vote)
Phases and privacy
![Page 29: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/29.jpg)
29
For their hand proof of privacy for FOO92, Kremer and Ryan use of a powerful proof method for testing equivalence, called labeled bisimilarity◦ Abadi, Fournet: “Mobile Values, New Names, and
Secure Communication”
Proving Testing Equivalenceby Labeled Bisimilarity
![Page 30: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/30.jpg)
30
Abadi and Fournet’s article is based on the applied pi calculus
Applied pi calculus vs ProVerif
ProVerif
1. distinguishes between constructors and destructors
2. reduction rules3. ProVerif language is restricted
to enable automatic analysis4. ProVerif actually allows certain
equations, too, (keyword: equation), but internally translates these to reduction rules
Applied pi calculus
1. no distinction between constructors and destructors
2. equations3. more general than ProVerif
language
![Page 31: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/31.jpg)
31
The trouble with testing equivalence is that, by definition, for proving P ≃ Q it quantifies over all the possible contexts
Labeled bisimilarity is a relation that is contained in testing equivalence, and whose definition avoids an infinite quantification
Why labeled bisimilarity?
![Page 32: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/32.jpg)
32
Abadi/Fournet enrich the syntax domain of processes with active substitutions {M/x}
They enrich the operational semantics with:◦ a labeled reduction rule that allows to reduce outputs
without matching input:new u; (Q | out c M;P)new u; (Q | P | {M/x})
where x is not a free variable in P or Q◦ a rule that allows to reduce inputs without matching
outputs:new u; (Q | inp c x;P)new u; (Q | {M/x}P)
where (fv(M) fn(M)) ∩ u = ∪ ∅
Labeled operational semantics
new x.out c x
inp c M
![Page 33: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/33.jpg)
33
A frame is a process that is built up from stop and active substitutions, using parallel composition and new-generation:
We let ψ range over frames and σ over substitutions. Every enriched process P can be mapped to a frame ψ(P) by
replacing by stop all processes that are not active substitutions, parallel compositions or new-generations.
Example:
(new c; new d; (inp c x;P | {M/x} | out d N;Q)) == new c; new d; (stop | {M/x} | stop)= new c; new d; ({M/x})
Frames
![Page 34: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/34.jpg)
34
(M = N)ψ iff ∃n,σ s.t.◦ ψ = new n.σ◦ σM=σN◦ n∩(fn(M)∪fn(N))=∅
Example: Assume fun f/1, fun g/1, and no equations
◦ ψ0 = new k; new s; {k/x, s/y}
◦ ψ1 = new k; new s; {f(k)/x, g(k)/y}
◦ ψ2 = new k; new s; {k/x, f(k)/y}
Then (f(x)=y)ψ2, but not (f(x)=y)ψ1 and not (f(x)=y)ψ0
Message Equality Under Frames
![Page 35: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/35.jpg)
35
Static Equivalence of Frames:
◦ φ≈sψ iff dom(φ)=dom(ψ) (∀M,N)((M=N)φ⇔(M=N))ψ)
Example: ψ0≈Fsψ2, ψ1≈Fsψ2, ψ0≈sψ1
Static Process Equivalence:
P≈sQ iff ψ(P)≈sψ(Q)
Depending on the underlying equational theory, static process equivalence can be quite hard to show, but at least it does not depend on the dynamics of processes
Static Equivalence
![Page 36: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/36.jpg)
36
Labeled bisimilarity ≈l is an equivalence relation on processes
In order to prove that P≈lQ, one needs to prove the existence of a relation R such that PRQ:◦ P≈sQ
◦ If P P’, then (∃Q’)(Q * Q’ and P’R Q’)◦ If P P’, then (∃Q’)(Q ** Q’ and P’R Q’).
Furthermore, one needs to prove these three statements with the roles of P and Q reversed
Note that one has to apply these rules iteratively, because R occurs in the 2nd and 3rd rule
Technically, ≈l is defined as the largest symmetric, binary relation on processes that satisfies the three rules
Labeled Bisimilarity
αα
![Page 37: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/37.jpg)
37
Theorem: If P≈lQ, then P Q≃
This theorem tells us that for proving testing equivalence P Q≃ , it suffices to prove labeled bisimilarity P≈lQ
Proving labeled bisimilarity is often simpler than proving testing equivalence directly
Bisimilarity implies Testing Equivalence
![Page 38: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/38.jpg)
38
In order to show privacy for FOO92, Kremer and Ryan show the following labeled bisimilarity:
P[vote1/v1, vote2/v2] ≈l P[vote2/v1, vote1/v2]
Privacy in FOO92
![Page 39: Analysis of an E-voting Protocol in the Applied Pi Calculus May 7, 2012](https://reader035.vdocument.in/reader035/viewer/2022062516/56649e295503460f94b17300/html5/thumbnails/39.jpg)
39
Consider the following protocol between two computers, a server and a client:S C: (hello; timestamp)C: begin(C,S,timestamp)C S: timestamp; hash(kCS)
S: end(C,S,timestamp)
◦ kCS is a long-term key shared between S and C
◦ timestamp may be considered as a nonce Write a model of this protocol in ProVerif Check whether the protocol correctly realizes the
authentication of C to S; fix it if needed Check whether the protocol preserves the
secrecy of kCS. What about weak secrecy?
Try it yourself