Universally Composable Symbolic Analysis of Cryptographic Protocols Ran Canetti and Jonathan Herzog 6 March 2006 The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the author.

TRANSCRIPT

Page 1: Universally Composable Symbolic Analysis of Cryptographic Protocols

Universally Composable Symbolic Analysis of Cryptographic Protocols
Ran Canetti and Jonathan Herzog
6 March 2006

Page 2

Universally Composable Automated Analysis of Cryptographic Protocols
Ran Canetti and Jonathan Herzog
6 March 2006

Page 3

Overview

This talk: symbolic analysis can guarantee universally composable (UC) key exchange
• (Paper also includes mutual authentication)

Symbolic (Dolev-Yao) model: high-level framework
• Messages treated symbolically; adversary extremely limited
• Despite (general) undecidability, proofs can be automated

Result: symbolic proofs are computationally sound (UC)
• For some protocols
• For strengthened symbolic definition of secrecy

With UC theorems, suffices to analyze single session
• Implies decidability!

Page 4

Needham-Schroeder-Lowe protocol
(Prev: A, B get other's public encryption keys)

A → B: E_KB(A || Na)
B → A: E_KA(Na || Nb || B)
A → B: E_KB(Nb)
Both A and B output K.

Version 1: K = Na      Version 2: K = Nb

Which one is secure?

Page 5

Two approaches to analysis

Standard (computational) approach: reduce attacks to weakness of encryption

Alternate approach: apply methods of the symbolic model
• Originally proposed by Dolev & Yao (1983)
• Cryptography without: probability, security parameter, etc.
• Messages are parse trees
  – Countable symbols for keys (K, K', …), names (A, B, …) and nonces (N, N', Na, Nb, …)
  – Encryption ( E_K(M) ) and pairing ( M || N ) are constructors
• Participants send/receive messages
  – Output some key-symbol

Page 6

The symbolic adversary

Explicitly enumerated powers
• Interact with countable number of participants
• Knowledge of all public values, non-secret keys
• Limited set of re-write rules:

  M1, M2         →  M1 || M2
  M1 || M2       →  M1, M2
  M, K           →  E_K(M)
  E_K(M), K^-1   →  M

Page 7

'Traditional' symbolic secrecy

Conventional goal for symbolic secrecy proofs:
"If A or B output K, then no sequence of interactions/rewrites can result in K"

Undecidable in general [EG, HT, DLMS] but:
• Decidable with bounds [DLMS, RT]
• Also, general case can be automatically verified in practice

Demo 1: analysis of both NSLv1, NSLv2

So what?
• Symbolic model has weak adversary, strong assumptions
• We want computational properties!
• …But can we harness these automated tools?

Page 8

What we'd like

  Concrete protocol  ---------------------->  Computational key-exchange
        |                                               ^
        | Natural translation (would like:              | 'Soundness'
        |  for a large class of protocols)              | (need only be done once)
        v                                               |
  Symbolic protocol  ---------------------->  Symbolic key-exchange
                       Simple, automated

Page 9

Some previous work

General area:
[AR]: soundness for indistinguishability
• Passive adversary
[MW, BPW]: soundness for general trace properties
• Includes mutual authentication; active adversary
Many, many others

Key-exchange in particular (independent work):
[BPW]: (later)
[CW]: soundness for key-exchange
• Traditional symbolic secrecy implies (weak) computational secrecy

Page 10

Limitations of 'traditional' secrecy

Big question: Can 'traditional' symbolic secrecy imply standard computational definitions of secrecy?

Unfortunately, no. Counter-example:
• Demo: NSLv2 satisfies traditional secrecy
• Cannot provide real-or-random secrecy in standard models
• Falls prey to the 'Rackoff' attack

Page 11

The 'Rackoff attack' (on NSLv2)

A → B: E_KB(A || Na)
B → A: E_KA(Na || Nb || B)
A → B: E_KB(Nb)

Adv, holding a candidate key K, asks: K =? Nb
Adv → B: E_KB(K)
B: K if K = Nb; otherwise ?
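The Rackoff attack above, as an added example that is not code from the talk or paper: a symbolic Python model of one NSL run in which the adversary withholds A's third message, receives a candidate key (real or random) and uses B's final check as a test oracle. Encryption is symbolic (a tagged tuple, not real public-key encryption), and the names nsl_run, rackoff_guess, success_rate and the nonce format are this example's own.

```python
import secrets

# Symbolic public-key encryption: a ciphertext is a tagged tuple and only the
# holder of the matching private key (modelled by naming the key) can open it.
def E(pub, *fields):
    return ("E", pub, fields)

def D(priv, ct):
    return ct[2] if ct[0] == "E" and ct[1] == priv else None

def fresh(label):
    return f"{label}_{secrets.token_hex(4)}"  # constructed nonce, e.g. "Na_1a2b3c4d"

def nsl_run(version):
    """Honest A <-> B run of NSL up to A's third message, which the adversary
    withholds. Returns A's output key and B's state (B still expects E_KB(Nb))."""
    na = fresh("Na")
    m1 = E("KB", "A", na)                   # A -> B: E_KB(A || Na)
    _, na_b = D("KB", m1)
    nb = fresh("Nb")
    m2 = E("KA", na_b, nb, "B")             # B -> A: E_KA(Na || Nb || B)
    na_a, nb_a, _ = D("KA", m2)
    assert na_a == na                       # A's own check on the returned nonce
    key_a = na_a if version == 1 else nb_a  # A already outputs K at this point
    return key_a, {"nb": nb}

def b_accepts_msg3(b_state, m3):
    """B's final check: exactly E_KB(Nb) is accepted, anything else is rejected."""
    return D("KB", m3) == (b_state["nb"],)

def rackoff_guess(version, give_real):
    """Adversary receives either A's real key or a fresh random one and
    re-encrypts the candidate as a third message, using B as a test oracle."""
    key_a, b_state = nsl_run(version)
    candidate = key_a if give_real else fresh("R")
    return "real" if b_accepts_msg3(b_state, E("KB", candidate)) else "random"

def success_rate(version, trials=50):
    """Fraction of correct guesses over alternating real/random challenges:
    1.0 for NSLv2 (K = Nb); 0.5, no better than guessing, for NSLv1 (K = Na)."""
    right = 0
    for t in range(trials):
        give_real = t % 2 == 0
        expected = "real" if give_real else "random"
        right += rackoff_guess(version, give_real) == expected
    return right / trials
```

For NSLv1 the oracle compares against Nb while the key is Na, so B's answer carries no information about the candidate; this is exactly why traditional secrecy (neither nonce is ever derivable) does not separate the two versions but real-or-random secrecy does.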

Page 12

Achieving soundness

Soundness requires new symbolic definition of secrecy

[BPW]: 'traditional' secrecy + 'non-use'
• Thm: new definition implies secrecy (in their framework)
• But: must analyze infinite concurrent sessions and all resulting protocols

Here: 'traditional' secrecy + symbolic real-or-random
• Non-interference property; close to 'strong secrecy' [B]
• Thm: new definition equivalent to UC secrecy
• Demonstrably automatable (Demo 2)
• Suffices to consider single session!
  (Infinite concurrency results from joint-state UC theorems)
• Implies decidability (forthcoming)

Page 13

Decidability (not in paper)

                      Traditional secrecy                   Symbolic real-or-random
  Unbounded sessions  Undecidable [EG, HT, DLMS]            Undecidable [B]
  Bounded sessions    Decidable (NP-complete) [DLMS, RT]    Decidable (NP-complete)

Page 14

Proof overview (soundness)

  Symbolic key-exchange  <==>  Single session UC KE (ideal crypto)
                                   |  UC w/ joint state [CR]
                                   v
                               Multi-session UC KE (ideal crypto)
                                   |  UC theorem
                                   v
                               Multi-session KE (CCA-2 crypto)

Symbolic <==> single-session step: construct simulator
• Information-theoretic
• Must strengthen notion of UC public-key encryption

Intermediate step: trace properties (as in [MW, BPW])
• Every activity-trace of UC adversary could also be produced by symbolic adversary
• Rephrase: UC adversary no more powerful than symbolic adversary

Page 15

Summary & future work

Result: symbolic proofs are computationally sound (UC)
• For some protocols
• For strengthened symbolic definition of secrecy

With UC theorems, suffices to analyze single session
• Implies decidability!

Additional primitives
• Have public-key encryption, signatures [P]
• Would like symmetric encryption, MACs, PRFs…

Symbolic representation of other goals
• Commitment schemes, ZK, MPC…

Page 16

Backup slides

Page 17

Two challenges

1. Traditional secrecy is undecidable for:
• Unbounded message sizes [EG, HT] or
• Unbounded number of concurrent sessions
(Decidable when both are bounded) [DLMS]

2. Traditional secrecy is unsound
• Cannot imply standard security definitions for computational key exchange
• Example: NSLv2 (Demo)

Page 18

Prior work: BPW

  Theory:    New symbolic definition  --implies-->  UC key exchange
             (Public-key & symmetric encryption, signatures)
  Practice:

Page 19

Our work

  Theory:    New symbolic definition: 'real-or-random'  <--equiv.-->  UC key exchange
             (Public-key encryption [CH], signatures [P])
             UC suffices to examine single protocol run
  Practice:  Automated verification!
             + Finite system → Decidability?

Demo 3: UC security for NSLv1

Page 20

Our work: solving the challenges

Soundness: requires new symbolic definition of secrecy
• Ours: purely symbolic expression of 'real-or-random' security
• Result: new symbolic definition equivalent to UC key exchange

UC theorems: sufficient to examine single protocol in isolation
• Thus, bounded numbers of concurrent sessions
• Automated verification of our new definition is decidable!… Probably

Page 21

Summary

Summary:
• Symbolic key-exchange sound in UC model
• Computational crypto can now harness symbolic tools
• Now have the best of both worlds: security and automation!

Future work

Page 22

Secure key-exchange: UC

(Diagram: two parties P and P with adversary A; each party outputs a key K; "?" marks the question whether the real execution matches the ideal one)

Answer: yes, it matters
• Negative result [CH]: traditional symbolic secrecy does not imply universally composable key exchange

Page 23

Secure key-exchange: UC

(Diagram: two parties P and P, adversary A, ideal functionality F; each party outputs a key K; "?" marks the real/ideal comparison)

Adversary gets key when output by participants
• Does this matter? (Demo 2)

Page 24

Secure key-exchange [CW]

(Diagram: two parties P and P, adversary A; the adversary receives K, K')

Adversary interacts with participants
• Afterward, receives real key, random key
• Protocol secure if adversary unable to distinguish

NSLv1, NSLv2 satisfy symbolic def of secrecy
• Therefore, NSLv1, NSLv2 meet this definition as well

Page 25

KE

(Diagram: two parties P and P, adversary A, ideal functionality F; "?" marks the real/ideal comparison)

Adversary unable to distinguish real/ideal worlds
• Effectively: real or random keys
• Adversary gets candidate key at end of protocol
• NSL1, NSL2 secure by this defn.

Page 26

Analysis strategy

  Concrete protocol   ---------------------->  UC key-exchange functionality
        |                                               ^
        | Natural translation (would like:              | Main result of talk
        |  for a large class of protocols)              | (need only be done once)
        v                                               |
  Dolev-Yao protocol  ---------------------->  Dolev-Yao key-exchange
                        Simple, automated

Page 27

"Simple" protocols

Concrete protocols that map naturally to Dolev-Yao framework
Two cryptographic operations:
• Randomness generation
• Encryption/decryption
(This talk: asymmetric encryption)

Example: Needham-Schroeder-Lowe
P1 → P2: {P1, N1}K2
P2 → P1: {P2, N1, N2}K1
P1 → P2: {N2}K2

Page 28

UC Key-Exchange Functionality

(Diagram of FKE: P1 sends (P1 P2) and P2 sends (P2 P1) to FKE; FKE samples k ← {0,1}^n and outputs (Key k) to P1 and to P2; the adversary A is told (P1 P2) / (P2 P1) and (Key P1) / (Key P2), but the key itself is withheld from A, marked X)

Page 29

The Dolev-Yao model

Participants, adversary take turns

Participant turn: (Diagram: adversary A delivers message M1 to participant P1, who replies with message M2 and produces local output L; P2 shown alongside)
Local output: Not seen by adversary

Page 30

The Dolev-Yao adversary

Adversary turn: (Diagram: adversary A, holding its knowledge set Know, sits between P1 and P2)
Application of deduction

Page 31

Dolev-Yao adversary powers

  Already in Know        Can add to Know
  M1, M2                 Pair(M1, M2)
  Pair(M1, M2)           M1 and M2
  M, K                   Enc(M, K)
  Enc(M, K), K^-1        M

Always in Know:
• Randomness generated by adversary
• Private keys generated by adversary
• All public keys

Page 32

The Dolev-Yao adversary

(Diagram: adversary A, holding its knowledge set Know, sends a message M taken from Know to P1 or P2)

Page 33

Dolev-Yao key exchange

Assume that last step of (successful) protocol execution is local output of (Finished Pi Pj K)

1. Key Agreement: If P1 outputs (Finished P1 P2 K) and P2 outputs (Finished P2 P1 K') then K = K'.
2. Traditional Dolev-Yao secrecy: If Pi outputs (Finished Pi Pj K), then K can never be in adversary's set Know

Not enough!

Page 34

Goal of the environment

Recall that the environment Z sees outputs of participants
Goal: distinguish real protocol from simulation
In protocol execution, output of participants (session key) related to protocol messages
In ideal world, output independent of simulated protocol
If there exists a detectable relationship between session key and protocol messages, environment can distinguish
• Example: last message of protocol is {"confirm"}K where K is session key
• Can decrypt with participant output from real protocol
• Can't in simulated protocol

Page 35

Real-or-random (1/3)

Need: real-or-random property for session keys
• Can think of traditional goal as "computational"
• Need a stronger "decisional" goal
• Expressed in Dolev-Yao framework

Let be a protocol. Let r be , except that when participant outputs (Finished Pi Pj Kr), Kr added to Know
Let f be , except that when any participant outputs (Finished Pi Pj Kr), fresh key Kf added to adversary set Know

Want: adversary can't distinguish two protocols

Page 36

Real-or-random (2/3)

Attempt 1: Let Traces() be traces adversary can induce on . Then: Traces(r) = Traces(f)
Problem: Kf not in any traces of r

Attempt 2: Traces(r) = Rename(Traces(f), Kf → Kr)
Problem: Two different traces may "look" the same
• Example protocol: If participant receives session key, encrypts "yes" under own (secret) key. Otherwise, encrypts "no" instead
• Traces different, but adversary can't tell

Page 37

Real-or-random (3/3)

Observable part of trace: Abadi-Rogaway pattern
• Undecipherable encryptions replaced by "blob"

Example:
  t = {N1, N2}K1, {N2}K2, K1^-1
  Pattern(t) = {N1, N2}K1, [blob]K2, K1^-1

Final condition:
  Pattern(Traces(r)) = Pattern(Rename(Traces(f), Kf → Kr))
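An added example (not the authors' tooling) serving both the Dolev-Yao rewrite rules of slides 6 and 31 and the Abadi-Rogaway pattern of this slide: terms are nested Python tuples, the two destructor rules are applied to closure, the two constructor rules on demand, and pattern() replaces every encryption whose key cannot be derived by a blob. The names analyze, derivable, pattern and nsl_trace, and the "K^-1" spelling of inverse keys, are this example's own.

```python
# Term syntax (this example's own): an atom is a string, a pair is
# ("pair", M1, M2), an encryption is ("enc", K, M); "K^-1" names K's inverse.
def inv(k):
    return k[:-3] if k.endswith("^-1") else k + "^-1"

def analyze(know):
    """Destructor rules to closure: Pair(M1,M2) -> M1, M2; Enc(M,K), K^-1 -> M."""
    know = set(know)
    while True:
        new = set()
        for t in know:
            if isinstance(t, tuple) and t[0] == "pair":
                new.update(t[1:])
            elif isinstance(t, tuple) and t[0] == "enc" and inv(t[1]) in know:
                new.add(t[2])
        if new <= know:           # nothing new: only subterms are ever added
            return know
        know |= new

def derivable(target, know):
    """Constructor rules (pair, encrypt) on demand over the analyzed set."""
    know = analyze(know)
    def syn(t):
        if t in know:
            return True
        if isinstance(t, tuple) and t[0] in ("pair", "enc"):
            return syn(t[1]) and syn(t[2])
        return False
    return syn(target)

def pattern(trace):
    """Abadi-Rogaway pattern: undecipherable encryptions become ("blob", K)."""
    know = analyze(trace)
    def pat(t):
        if isinstance(t, tuple) and t[0] == "pair":
            return ("pair", pat(t[1]), pat(t[2]))
        if isinstance(t, tuple) and t[0] == "enc":
            return ("enc", t[1], pat(t[2])) if inv(t[1]) in know else ("blob", t[1])
        return t
    return tuple(pat(t) for t in trace)

# Slide 37's example trace, constructed here with the same symbols.
T = (("enc", "K1", ("pair", "N1", "N2")), ("enc", "K2", "N2"), "K1^-1")

def nsl_trace(leak_ka_inv=False):
    """Adversary's view after one NSL run (slide 4), optionally plus A's private key."""
    msgs = [("enc", "KB", ("pair", "A", "Na")),
            ("enc", "KA", ("pair", "Na", ("pair", "Nb", "B"))),
            ("enc", "KB", "Nb")]
    return msgs + ["A", "B", "KA", "KB"] + (["KA^-1"] if leak_ka_inv else [])
```

On the NSL trace neither nonce is derivable, which is exactly the traditional secrecy that both NSL versions satisfy; leaking KA^-1 makes Nb derivable through the second message, and pattern(T) reproduces the slide's result with the second encryption blobbed.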

Page 38

Main results

Let key-exchange in the Dolev-Yao model be:
• Key agreement
• Traditional Dolev-Yao secrecy of session key
• Real-or-random

Let be a simple protocol that uses UC asymmetric encryption. Then:
  DY() satisfies Dolev-Yao key exchange
  iff
  UC() securely realizes FKE

Page 39

Future work

How to prove Dolev-Yao real-or-random?
• Needed for UC security
• Not previously considered in the Dolev-Yao literature
• Can it be automated?

Weaker forms of DY real-or-random
Similar results for symmetric encryption and signatures