Analysis of Security Protocols (V) - PowerPoint PPT Presentation

About This Presentation
Title:

Analysis of Security Protocols (V)

Description:

Formal protocol analysis uses Dolev-Yao model. Adversary is nondeterministic process ... Probabilistic Poly-time Analysis. Adopt spi-calculus approach, add probability ... – PowerPoint PPT presentation

Number of Views:63
Avg rating:3.0/5.0
Slides: 21
Provided by: cryptoS
Category:

less

Transcript and Presenter's Notes

Title: Analysis of Security Protocols (V)


1
Analysis of Security Protocols
(V)
  • John C. Mitchell
  • Stanford University

2
Prior state of the art
  • Formal protocol analysis uses Dolev-Yao model
  • Adversary is nondeterministic process
  • Adversary can
  • Block network traffic
  • Read any message, decompose into parts
  • Decrypt if key is known to adversary
  • Insert new message from data it has observed
  • Adversary cannot
  • Gain partial knowledge
  • Guess part of a key
  • Perform statistical tests,

3
Power and limitations
  • Can find some attacks
  • Needham-Schroeder by exhaustive search
  • Other attacks are outside model
  • Interaction between protocol and encryption
  • Some protocols cannot be modeled
  • Probabilistic protocols
  • Steps that require specific properties of
    encryption
  • Possible to prove erroneous protocol correct

4
Recent Language Approach AG97
  • Write protocol in process calculus
  • Express security using observational equivalence
  • Standard relation from programming language
    theory
  • P ? Q iff for all contexts C , same
  • observations about CP and CQ
  • Context (environment) represents adversary
  • Use proof rules for ? to prove security
  • Protocol is secure if no adversary can
    distinguish it from some idealized version of the
    protocol

5
Probabilistic Poly-time Analysis
Our Framework
  • Adopt spi-calculus approach, add probability
  • Probabilistic polynomial-time process calculus
  • Protocols use probabilistic primitives
  • Key generation, nonce, probabilistic encryption,
    ...
  • Adversary may be probabilistic
  • Modal type system guarantees complexity bounds
  • Express protocol and specification in calculus
  • Study security using observational equivalence
  • Use probabilistic form of process equivalence

6
Technical Challenges
  • Language for prob. poly-time functions
  • Extend Hofmann language with rand
  • Replace nondeterminism with probability
  • Otherwise adversary is too strong ...
  • Define probabilistic equivalence
  • Related to poly-time statistical tests ...
  • Develop specification by equivalence
  • Several examples carried out
  • Proof systems for probabilistic equivalence
  • Goal for the future

7
Example protocol in process calc
  • Notation found in the literature
  • A ? B m K
  • B ? A m1 K
  • Process calculus with cryptographic primitives
  • let k new_key(n) in
  • let m pick_a_number(n) in AB
    ?encrypt(k,m)?
  • AB(x). BA ?encrypt(k, decrypt(k,x)1)?
  • end
  • This form makes assumptions and response explicit

output on port AB
not m
8
How we specify secrecy
  • Original protocol P
  • A ? B m K
  • B ? A m1 K
  • Obviously secret protocol Q (zero
    knowledge)
  • A ? B random_number K
  • B ? A random_number K
  • Basic idea
  • P ? Q implies P preserves secrecy
  • If not, then some context can obtain some
    information from the original protocol

9
Nondeterminism is traditional, but ...
  • Nondeterminism is a useful idealization
  • Classical ? disguised as a computational
    primitive
  • Expresses extreme good luck or bad luck
  • Nondeterministic algorithm for traveling salesman
  • Guess a path and check that it is correct
  • Nondeterministic semantics for parallel
    composition
  • Treat any possible interleaving as significantly
    possible
  • Appropriate for worst case correctness
  • Not an intrinsic property of system itself

10
Nondeterminism breaks encryption
  • Alice encrypts message and sends to Bob
  • A ? B msg K
  • Adversary uses nondeterministic parallelism
  • Process E0 E?0? E?0? E?0?
  • Process E1 E?1? E?1? E?1?
  • Process E E?b1?.E?b2?...E?bn?.
    decrypt(b1b2...bn, msg)
  • In reality, adversary has ?2-n chance to guess
    n-bit key

11
Solution probabilistic scheduler
  • Define operational semantics
  • Probabilistic steps let x M in P ?r
    v/xP
  • Nondeterministic choice between parallel
    processes
  • Each run requires probabilistic scheduler
  • Chooses step from nondeterministic alternatives
  • Scheduler runs in probabilistic polynomial time
  • Quantify over schedulers to get universal
    properties
  • Similar ideas in literature on Markov decision
    diagrams

12
Toward probabilistic equivalence
  • Background poly-time statistical tests
  • Standard notion from cryptography
  • Define crypto. strong pseudo-random sequence
  • Main ideas
  • Pseudo-random generator family G Gnngt0
  • Test generator Gn in time poly(n)
  • Compare Test(Gk(random(n)) to Test(random(nk))
  • Generator secure if results within 1/poly(n)

13
Observing Probabilistic Process
  • Observations
  • Compare ProbP ? yes - Prob Q ? yes lt
    ?
  • How small ? is small ?
  • Less than 1/2, 1/4, ? (not equiv relation
    for fixed ?)
  • Vanishingly small ?
  • How fast should ? ? 0 ? As a function of what?
  • Cryptographic protocols
  • Use encryption keys of a certain length
  • Protocol is family Pn ngt0 indexed by key
    length
  • Increasing key length ? increasing security

14
Probabilistic Observational Equiv
  • Processes P, Q are ?-indistinguishable
  • P ?? Q if ? contexts C . ? observations v.
  • ProbCP ? v - ProbCQ ? v
    lt ?
  • Asymptotically within f
  • Process, context families Pn ngt0 Qn ngt0
    Cn ngt0
  • P ?f Q if ? contexts C . ? obs v. ?n0 . ? ngt
    n0 .
  • ProbCnPn ? v - ProbCnQn ?
    v lt f(n)
  • Asymptotically polynomially indistinguishable
  • P ? Q if P ?f Q for every polynomial f(n)
    1/p(n)
  • Final defn gives robust
    equivalence relation

15
Basic example
  • Sequence generated from random seed
  • Pn let b nk-bit sequence generated from n
    random bits
  • in PUBLIC ?b? end
  • Truly random sequence
  • Qn let b sequence of nk random bits
  • in PUBLIC ?b? end
  • P is crypto strong pseudo-random generator
  • P ? Q

16
Protocol P Diffie, Hellman, ElGamal
  • ga mod p
  • gb mod p
  • msg gab mod p

A
B
  • Prime p and generator g of Zp are public
  • Passive eavesdropper has small chance at msg

17
Specification Q
  • random_number mod p
  • random_number mod p
  • random_number mod p

A
B
  • Network traffic should look like 3 random numbers

18
Analysis
  • Prove P ? Q ?
  • Prove difficulty of computing discrete logarithm
    ?
  • Better reduction from a discrete log problem
  • Strategy to distinguish P from Q with prob gt
    1/poly ? win Diffie-Hellman game with prob
    gt1/poly
  • Decision-Diffie-Hellman problem
  • Given two triples ?x, y, z? ?gu, gv,
    guv?
  • Decide which is which (u,v,x,y,z chosen
    randomly)
  • Note this is for passive eavesdropper only

19
ElGamal Analysis So what?
  • Characterize security by number-theoretic game
  • Decision Diffie-Hellman appears in literature
  • Previously studied, believed hard
  • Remove doubt about protocol, up to common
    cryptographic assumptions
  • Simplified example since this protocol can be
    subverted by replacing ga by gc

20
Current state of project
  • Better foundations for protocol analysis ?
  • Determine crypto requirements of protocols !
  • Probabilistic ptime language
  • Extended Hofmann language with rand
  • Probabilistic process framework
  • replaced nondeterminism with rand
  • equivalence based on ptime statistical tests
  • Specifications of secrecy, authenticity
  • Simple examples
  • Work in progress...
Write a Comment
User Comments (0)
About PowerShow.com