Probabilistic Process Calculus and Authentication - PowerPoint PPT Presentation

1
Probabilistic Process Calculus and Authentication
  • P.D. Lincoln, J.C. Mitchell, M. Mitchell, A. Scedrov
  • Supported by ONR MURI

2
Main Scientific Problem
  • How powerful is the adversary?
    • Simple replay of previous messages
    • Decompose, reassemble and resend
    • Statistical analysis of network traffic
    • Timing attacks
  • No absolute notion of security
    • Weak adversary ⇒ any correct system is secure
    • Strong adversary ⇒ nothing is secure

3
Analyzing Security Protocols
  • Think long and hard
    • BAN and other belief logics
  • Search using symbolic representation of states
    • Meadows' NRL Analyzer, Millen's Interrogator
  • Exhaustive state-enumeration tools
    • Model checking using FDR [Lowe, Roscoe], Murφ, ...
  • New directions
    • Abadi-Gordon Spi-calculus
    • Probabilistic poly-time framework

4
Dolev-Yao model
  • Formal protocol analysis uses the Dolev-Yao model
  • Adversary is a nondeterministic process
  • Adversary can
    • Block network traffic
    • Read any message, decompose into parts
    • Decrypt if key is known to adversary
    • Insert new message from data it has observed
  • Adversary cannot
    • Gain partial knowledge
    • Guess part of a key
    • Perform statistical tests, ...

5
Process Calculus Description
  • Protocol defined by set of processes
    • Each process gives one step of one principal
  • Can derive by translation from unifying notation
    • F1, ..., Fk → ∃x1 ... ∃xm. G1, ..., Gn is one process
    • Replace predicates by port names
    • Replace pattern-matching by explicit destructuring
    • In pi-calculus, use ν in place of ∃
  • Example
    • B1(x,y) → N2(x,y), B2(x,y)
    • b1(p). let x = fst(p) and y = snd(p) in n2⟨x,y⟩ | b2⟨x,y⟩ end

6
Recent Language Approach [AG97]
  • Write protocol in process calculus
  • Express security using observational equivalence
    • Standard relation from programming language theory
    • P ≅ Q iff for all contexts C[ ], same observations about C[P] and C[Q]
    • Context (environment) represents adversary
  • Use proof rules for ≅ to prove security
  • Protocol is secure if no adversary can distinguish it from some idealized version of the protocol

7
Power and limitations
  • Can find some attacks
    • Needham-Schroeder by exhaustive search
  • Other attacks are outside model
    • Interaction between protocol and encryption
  • Some protocols cannot be modeled
    • Probabilistic protocols
    • Steps that require specific properties of encryption
  • Possible to prove erroneous protocol correct

8
Probabilistic Poly-time Analysis
Our Framework [P. Lincoln, J. Mitchell, M. Mitchell, A. Scedrov]
  • Process calculus approach, add probability
    • Probabilistic polynomial-time process calculus
    • Protocols use probabilistic primitives: key generation, nonce, probabilistic encryption, ...
    • Adversary may be probabilistic
    • Modal type system guarantees complexity bounds
  • Express protocol and specification in calculus
  • Study security using observational equivalence
    • Use probabilistic form of process equivalence

9
Technical Challenges
  • Language for prob. poly-time functions
    • Extend Hofmann language with rand
  • Replace nondeterminism with probability
    • Otherwise adversary is too strong
    • Probabilistic scheduling vs. private channels
  • Define probabilistic equivalence
    • Related to poly-time statistical tests ...
  • Develop specification by equivalence
    • Bellare-Rogaway mutual authentication protocol
  • Proof systems for probabilistic equivalence

10
Nondeterminism is traditional, but ...
  • Nondeterminism is a useful idealization
    • Classical ∃ disguised as a computational primitive
    • Expresses extreme good luck or bad luck
  • Nondeterministic algorithm for traveling salesman
    • Guess a path and check that it is correct
  • Nondeterministic semantics for parallel composition
    • Treat any possible interleaving as significantly possible
    • Appropriate for worst-case correctness
    • Not an intrinsic property of system itself

11
Nondeterminism breaks encryption
  • Alice encrypts message and sends to Bob
    • A → B: {msg}_K
  • Adversary uses nondeterministic parallelism
    • Process E0 = E⟨0⟩ | E⟨0⟩ | E⟨0⟩
    • Process E1 = E⟨1⟩ | E⟨1⟩ | E⟨1⟩
    • Process E = E(b1).E(b2)...E(bn). decrypt(b1b2...bn, msg)
  • In reality, adversary has ≤ 2^-n chance to guess n-bit key
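As an added example (not from the slides), a small Python model of the E0 | E1 | E system above, run under both semantics. The process and channel names follow slide 11; the scheduler rule, uniform choice among the enabled E-communications with replicated E0 and E1 outputs, is an assumption:

```python
# Added example, not from the slides: the key-guessing adversary of slide 11,
#   E0 = E<0> | E<0> | ... ,  E1 = E<1> | E<1> | ... ,
#   E  = E(b1).E(b2)...E(bn). decrypt(b1...bn, msg)
# evaluated once under nondeterministic scheduling ("some interleaving")
# and once under a probabilistic scheduler (uniform choice among enabled steps).
from fractions import Fraction

# Constructed system: two replicated output processes on channel E, one
# offering bit 0 and one offering bit 1 (replication: they never deplete).
OUTPUTS = [("E", "0"), ("E", "1")]

def guess_distribution(n, outputs=OUTPUTS):
    """Probability of every n-bit string the reader E collects when the
    scheduler picks uniformly among the enabled E-communications at each
    of its n input steps.  Returned as {bit string: Fraction}."""
    dist = {"": Fraction(1)}
    for _ in range(n):
        enabled = [v for ch, v in outputs if ch == "E"]
        step = Fraction(1, len(enabled))          # uniform scheduler choice
        nxt = {}
        for prefix, p in dist.items():
            for v in enabled:
                nxt[prefix + v] = nxt.get(prefix + v, Fraction(0)) + p * step
        dist = nxt
    return dist

def nondeterministic_wins(key):
    """Existential semantics (slide 10): the adversary wins if SOME schedule
    makes E read exactly the key, i.e. the key is in the support."""
    return guess_distribution(len(key)).get(key, Fraction(0)) > 0

def probabilistic_win_chance(key):
    """Probabilistic semantics (slide 12): chance that one run with the
    probabilistic scheduler guesses the key; equals 2**-n for every key."""
    return guess_distribution(len(key))[key]

if __name__ == "__main__":
    key = "1011"   # constructed 4-bit key
    print("some schedule guesses", key, "->", nondeterministic_wins(key))
    print("probability a run guesses it ->", probabilistic_win_chance(key))
```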

12
Solution: probabilistic scheduler
  • Define operational semantics
    • Probabilistic steps: let x = M in P →_r [v/x]P
    • Nondeterministic choice between parallel processes
  • Each run requires probabilistic scheduler
    • Chooses step from nondeterministic alternatives
    • Scheduler runs in probabilistic polynomial time
    • Quantify over schedulers to get universal properties
  • Similar ideas in literature on Markov decision diagrams

13
Toward probabilistic equivalence
  • Background: poly-time statistical tests
    • Standard notion from cryptography
    • Define crypto. strong pseudo-random sequence
  • Main ideas
    • Pseudo-random generator family G = {G_n}_{n>0}
    • Test generator G_n in time poly(n)
    • Compare Test(G_k(random(n))) to Test(random(n^k))
    • Generator secure if results within 1/poly(n)

14
Observing Probabilistic Process
  • Observations
    • Compare | Prob[P → yes] - Prob[Q → yes] | < ε
  • How small ε is small?
    • Less than 1/2, 1/4, ... (not an equivalence relation for fixed ε)
    • Vanishingly small ε
    • How fast should ε → 0? As a function of what?
  • Cryptographic protocols
    • Use encryption keys of a certain length
    • Protocol is family {P_n}_{n>0} indexed by key length
    • Increasing key length → increasing security

15
Probabilistic Observational Equiv
  • Processes P, Q are ε-indistinguishable
    • P ≅_ε Q if ∀ contexts C[ ]. ∀ observations v.
      | Prob[C[P] → v] - Prob[C[Q] → v] | < ε
  • Asymptotically within f
    • Process, context families {P_n}_{n>0}, {Q_n}_{n>0}, {C_n}_{n>0}
    • P ≅_f Q if ∀ contexts C[ ]. ∀ obs v. ∃n0. ∀ n > n0.
      | Prob[C_n[P_n] → v] - Prob[C_n[Q_n] → v] | < f(n)
  • Asymptotically polynomially indistinguishable
    • P ≅ Q if P ≅_f Q for every f(n) = 1/p(n) with p a polynomial
  • Final defn gives robust equivalence relation

16
Scheduling silent actions
  • Private channel communication not observable
    • Any process P should be equivalent to a process that transmits some value v on a private channel, discards the result, and then proceeds as P
    • P ≅ (νc).( c̄⟨v⟩ | c(x).P )
  • Problem with uniform probabilistic scheduler
    • P = Ā⟨0⟩ is run in parallel with Ā⟨1⟩
    • Ā⟨0⟩ | Ā⟨1⟩ ≇ (νc).( c̄⟨v⟩ | c(x).Ā⟨0⟩ ) | Ā⟨1⟩
    • Silent action biases the process
  • Our solution: silent actions have priority

17
Needham-Schroeder Private Key
  • Analyze part of the protocol P
    • A → B: {i}_K
    • B → A: {f(i)}_K
  • Obviously secret protocol Q (zero knowledge)
    • A → B: {random_number}_K
    • B → A: {random_number}_K
  • Analysis: P ≅ Q reduces to crypto condition
    • related to non-malleability [Dolev, Dwork, Naor]
    • not true for RSA encryption, f(i) = 2i
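As an added example (not from the slides), the statistical test of slides 14 and 15, |Prob[C[P] → yes] - Prob[C[Q] → yes]|, run in Python on the protocol fragment P and its secret version Q from slide 17, with f(i) = 2i and textbook RSA standing in for {.}_K. The RSA parameters, the sampling test and the context C are constructed here:

```python
# Added example, not from the slides: estimate the distinguishing advantage
# | Prob[C[P] -> yes] - Prob[C[Q] -> yes] | (slides 14/15) for the
# Needham-Schroeder fragment of slide 17 with f(i) = 2i and unpadded RSA.
# Toy RSA parameters are constructed for illustration only: unpadded RSA is
# malleable, which is exactly why P and Q fail to be equivalent here.
import random

N, E_EXP = 3233, 17          # N = 61 * 53, public exponent e (constructed)

def rsa_enc(m):
    """Textbook RSA encryption {m}_K with the public key (N, e)."""
    return pow(m, E_EXP, N)

def protocol_P(rng):
    """P:  A -> B: {i}_K,   B -> A: {f(i)}_K   with f(i) = 2i (mod N)."""
    i = rng.randrange(1, N)
    return rsa_enc(i), rsa_enc(2 * i % N)

def protocol_Q(rng):
    """Q:  both parties send encryptions of fresh random numbers."""
    return rsa_enc(rng.randrange(1, N)), rsa_enc(rng.randrange(1, N))

def context_C(transcript):
    """The observing context (adversary).  Under textbook RSA,
    {2i}_K == 2^e * {i}_K (mod N), so the relation between the two
    ciphertexts is checkable without K.  Observation 'yes' if it holds."""
    c1, c2 = transcript
    return "yes" if c2 == pow(2, E_EXP, N) * c1 % N else "no"

def prob_observation(process, context, obs="yes", trials=2000, seed=1):
    """Estimate Prob[C[process] -> obs] by sampling independent runs."""
    rng = random.Random(seed)
    hits = sum(context(process(rng)) == obs for _ in range(trials))
    return hits / trials

def advantage(trials=2000):
    """| Prob[C[P] -> yes] - Prob[C[Q] -> yes] |.  Close to 1 here, so P
    and Q are not even 1/2-indistinguishable: the crypto condition the
    analysis reduces to (non-malleability) fails for this encryption."""
    return abs(prob_observation(protocol_P, context_C, trials=trials)
               - prob_observation(protocol_Q, context_C, trials=trials))

if __name__ == "__main__":
    print("Prob[C[P] -> yes] =", prob_observation(protocol_P, context_C))
    print("Prob[C[Q] -> yes] =", prob_observation(protocol_Q, context_C))
    print("advantage         =", advantage())
```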

18
Pseudo-random family of functions
  • Family generated from random seed
    • P_n = let b = function {0,1}^{2n} → {0,1}^n gen. from n random bits
      in make b public end
  • Truly random function
    • Q_n = let b = random function {0,1}^{2n} → {0,1}^n
      in make b public end
  • P is pseudo-random family of functions [Goldreich, Goldwasser, Micali]
    • P ≅ Q

19
Mutual authentication protocol
  • Bellare-Rogaway
  • Suppose {f_n}_n is a pseudo-random family of functions whose indices are shared by A and B. Consider
    • A → B: Ra
    • B → A: ⟨Ra, Rb, f_n(⟨Ra, Rb⟩)⟩
    • A → B: ⟨Rb, f_n(Rb)⟩
  • A knows Rb, B knows Ra, and both A and B are assured that these values came from the other party
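As an added example (not from the slides), the three-message exchange above in Python with both sides' checks, using HMAC-SHA256 under a shared key in the role of the pseudo-random function f_n whose index A and B share. The key, the nonces and the in-transit tampering hook are constructed; the published Bellare-Rogaway protocol also binds the party names into the tag, whereas this follows the slide's simplified form:

```python
# Added example, not from the slides: slide 19's mutual authentication run
#   A -> B: Ra
#   B -> A: <Ra, Rb, f_n(<Ra, Rb>)>
#   A -> B: <Rb, f_n(Rb)>
# with HMAC-SHA256 standing in for the shared-index PRF f_n.
import hmac, hashlib, os

def f(key, data):
    """Shared-index PRF f_n; HMAC-SHA256 is the stand-in (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def run_exchange(key, ra, rb, tamper=None):
    """Run the exchange between A (nonce ra) and B (nonce rb).  `tamper`
    optionally rewrites message 2 in transit (adversary on the public
    channel).  Nonces are fixed-length, so <x, y> = x + y is unambiguous.
    Returns (a_accepts, b_accepts)."""
    msg1 = ra                                   # A -> B: Ra
    msg2 = (msg1, rb, f(key, msg1 + rb))        # B -> A: <Ra, Rb, f_n(<Ra,Rb>)>
    if tamper:
        msg2 = tamper(msg2)
    ra_echo, rb_recv, tag = msg2
    # A accepts only if its own Ra came back under a tag that only a holder
    # of the shared index could have computed over <Ra, Rb>.
    a_accepts = ra_echo == ra and hmac.compare_digest(tag, f(key, ra + rb_recv))
    if not a_accepts:
        return False, False                     # A aborts; B never gets msg 3
    msg3 = (rb_recv, f(key, rb_recv))           # A -> B: <Rb, f_n(Rb)>
    rb_echo, tag3 = msg3
    # B accepts only if its own Rb came back under a valid tag.
    b_accepts = rb_echo == rb and hmac.compare_digest(tag3, f(key, rb))
    return a_accepts, b_accepts

def honest_run():
    """Both parties share the index and no one tampers: both accept."""
    key = os.urandom(32)
    return run_exchange(key, os.urandom(16), os.urandom(16))

def swapped_nonce_run():
    """Adversary substitutes its own Rb in message 2 but cannot recompute
    the tag without the shared index, so A's check fails and it aborts."""
    key = os.urandom(32)
    evil = os.urandom(16)
    return run_exchange(key, os.urandom(16), os.urandom(16),
                        tamper=lambda m: (m[0], evil, m[2]))
```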

20
Specification
  • Similar to the original protocol
    • Use random function instead of f_n
    • The parties transmit the values they receive on public channels back to each other on private channels
    • The recipient of the private message can thus verify that the message she sent earlier was accurately received --- checks on private channels
  • Authenticity: protocol equivalent to specification

21
Proof of equivalence
  • Assumption is also in the form of an equivalence
  • Chain of equivalences
    • Replace random function in spec by pseudo-random family of functions
    • Omit checks on private channels
    • Private channels are superfluous provided the data sent on them is never used, and provided the write is always available by the time the read is ready

22
Current state of project
  • New framework for protocol analysis
    • Determine crypto requirements of protocols!
  • Probabilistic ptime language
  • Pi-calculus-like process framework
    • replaced nondeterminism with rand
    • equivalence based on ptime statistical tests
  • Proof methods for establishing equivalence
  • Formal Bellare-Rogaway entity authentication
  • Future work: compositionality, commitment, zero-knowledge, tool development