Guessing Attacks in the pi-calculus

About This Presentation

Title:

Guessing Attacks in the pi-calculus

Description:

A(M) = new cAB. send cAS cAB; send cAB M. S = rec cAS x; send cBS x ... A(M) = new cAB. send cAS cAB; send cAB M. S = rec cAS x; send cBS x. Bspec = rec cSB x ; ... – PowerPoint PPT presentation

Number of Views:31

Avg rating:3.0/5.0

Slides: 83

Provided by: a15144

Category:

more less

Transcript and Presenter's Notes

Title: Guessing Attacks in the pi-calculus

1
Guessing Attacks in the pi-calculus
(Work in progress)
Tom Chothia École Polytechnique
2
Outline of Talk

Background
Formal security in the pi-calculus.
Computational arguments.
Bridging the gap.
The pi-calculus with guessing.
Calculating the cost of a guessing attack.
The computational correctness of the calculus

3
pi-g Summary

A pi-calculus extended with primitives for
guessing and tracking the effects of the guess.
A method of scoring traces in the calculus to
show how hard that attack would be using
guesses and multiple tries.
With most of the simplicity of formal methods and
some of the power of computational methods.

4
Pi-calculus

Process P,Q,A 0
send a b
rec a bP
! P
new aP
( P Q )
ab P

5
Pi-calculus

Key reduction rules
( send a b rec a xP ) -gt P b/x
new a( P ) Q new a( P Q )
if a
not free in Q
N.B. send a b ( new a rec a x P) cannot
communicate.

6
Pi-calculus

Analyse a process P with message M.
An attacker is any context CP(M)
If for all M we have P(M) is weakly bi-similar
P(M) then M is secure in P.
N.B. weak bi-simulation is a congruence for the
spi-calculus
So above condition implies that for all hostile
attackers A, AP(M) is weakly bi-similar to
AP(M).

7
Pi-calculus example

A(M) new cAB
send cAS cAB
send cAB M
S rec cAS x
send cBS x
B rec cSB x
rec x yF(y)

A
S
B
8
Pi-calculus example

A(M) new cAB
send cAS cAB
send cAB M
S rec cAS x
send cBS x
B rec cSB x
rec x yF(y)

Inst(M) new cAS new cBS( A(M) S
B) Secrecy ? M and M Inst(M) Inst(M)
iff F(M) F(M)
9
Pi-calculus example

A(M) new cAB
send cAS cAB
send cAB M
S rec cAS x
send cBS x
Bspec rec cSB x
rec x yF(M)

Instspec(M) new cAS new cBS( A(M) S
Bspec) Secrecy ? M and M Inst(M) Inst(M)
iff F(M) F(M) Authenticity ? M
Inst(M) Instspec(M)
10
Spi-calculus

The spi-calculus adds encryption
New terms
MN M encrypted with N
(M,N) and numbers
New Processes
case L of xN in P
let (x,y) M in P

11
Computational properties.

DES no good anymore (fixed 56 bit key).
RSA key from 128 bits to 512 now 1024 (could have
been illegal).
802.11 weak nonce.
RSA timing bug.

12
Computational analysis

No fixed nonces and passwords etc.
Random sampling, e.g. pwd is randomly chosen from
the probability distribution Dn where n is the
size or security parameter
pwd lt-r- Dn
The chance of Cpwd failing must be almost zero.

13
What is almost zero?

Function f is negligible if for all c there
exists N such that for all x gt N we have that
f(x) lt x-c.
Dn and Dn are indistinguishable if for all
probabilistic, polynomial time Turing machines A,
f (n) Pr x lt-r- Dn A(n,x) 1
- Pr x lt-r- Dn
A(n,x) 1
is negligible.

14
Safe

We could say that an encryption scheme is safe
if
Adv(n) Pr k lt-r- Keyn, x lt-r- Dn
A(n,Ek(x),x) 1
- Pr k lt-r- Keyn, x,y lt-r- Dn
A(n,Ek(y),x) 1
is negligible.
But there are many, many other criteria.

15
Oracles

Oracles perform functions for the attacker, such
as encryption with a key k Ek(_).
To conceal repetitions of encryption
Adv(n) Pr k lt-r- Keysn AEk(-) (n) 1
- Pr k lt-r- Keysn, x lt-r- D AEk(x)
(n) 1
To conceal key identity
Adv(n) Pr k,k lt-r- Keysn AEk(-),Ek(-)
(n) 1
- Pr k lt-r- Keysn, x lt-r- D
AEk(-),Ek(-) (n) 1

16
Summary of computational method

The computational method uses a randomly sampled
secrete value from a domain of size n.
Secure if impossible for a probabilistic,
polynomial time (in n) Turing machines to met a
given criterion with non-negligible probability.
You roll your own criterion e.g. Type 0,, Type
7, IND-CCA, N-PAT-IND-CCA, N-PAT-UNF-IND-CCA,
Block cipher,

17
Story so far

Protocols and encryption are
prefect for computer scientists
fundamental to computer communication
often wrong
Formally analysis is
machine checkable, neat.
often wrong
Computational analysis is
strong, not often wrong
very hard

18
Bridging the Gap.

Find conditions under which you can use formal
analysis to get computational proofs.
You dont have to do the proof, just fulfill the
conditions.
Abadi and Rogaway
Janvier, Lakhnech and Mazare
Backes, Pfitzmann and Waidner
Micciancio and Warinschi

19
Abadi and Rogaway

Define a translation of Delov-Yao terms into
computational terms
K in Delov-Yao becomes a newly generated key of
length n. Nonces become new, hard to guess
strings.
Delov-Yao equivalence then implies computational
indistinguishability.

20
Others

Janvier, Lakhnech and Mazare Delov-Yao is
computationally sound in the presence of active
attackers.
Backes, Pfitzmann and Waidner a library of
formal methods backed up by computational
reasoning. Symmetric keys, attacker taking part
in the protocol.
Micciancio and Warinschi Abadi and Rogaway are
not complete but can be made complete by using
stronger security criterion.

21
Outline of Talk

Background
Formal security in the pi-calculus.
Computational arguments.
Bridging the gap.
The pi-calculus with guessing.
Calculating the cost of a guessing attack.
The computational correctness of the calculus

22
Guessing an attack vs Guessing attacks.

What is the chance of finding/guessing that
attack on NSP Needham-Schroeder Protocol?
2120
If the nonce was 64 bits long how can we tell
your automated method not attack the protocol by
guessing the nonce?

23
Back to the pi-calculus

Ppwd Qpwd A
System with a password can be attacked by A
knowing the password.
pi-calculus can restrict a name
new pwd ( P Q ) A
This marks the name as important to the
correctness of the process. So it cannot be
guessed.

24
A Guess Rule

new pwdDn ( P Q ) A
Similar to random sampling of the computational
method pwd lt-r- Dn. Pwd is still unknown to A
but can be guessed, at a price
new pwdDnP guess xDnA
?pwdn
new pwdDn(P A pwd / x )
So the only way for A to find pwd is to be told
it or to pay the price.

25
pi-calculus with Guessing

Process P,Q,A 0
send a b
rec a bP
! P
( P Q )
ab P
new xDn
guess
xDnP

26
Password checking process

new chn,rew,b1D2bnD2
send a (chn,rew)
rec chn x1x1b1
rec chn x2x2b2
rec chn(xn)xnbn
send rew bingo )

send
27
Guessing a password

A
rec a (chn,rew)
!(guess bD2send chn b)
rec rew x )

28
send a
rec a
send chn
guess D2
rec rew
?

rec rew
29
pi-calculus with Guessing

Top level N new aDnN
P A
Process P,Q,A 0
send a b
rec a bP
! P
( P Q )
ab P
new xDn
guess
xDnP

30
Guess rule

The guess rule works between the attacker and
the process i.e. across the doubt bar
new aDn P guess xDnA
?an new aDn (P Aa/x
)

31
A different view
x1 1
x1 0
x2 0
x2 1
x2 1
x2 0

2n

?
32
What is the difference?

Before, I calculated the probability of ending up
in each state, particular the unsafe state.
Now, I calculate the amount of work needed to
reach the unsafe state by following the given
path.

33
Guessing a password

new chn,rew,b1D2 bnD2 (
( send a (chn,rew)
rec chn x1x1b1( send ack
rec chn x2x2b2(send ack
rec
rec chn xnxnbnsend rew bingo
)
Q )
A rec a (chn,rew) send ack
!rec ackguess bD2send chn b
rec rew x

34
send a
rec a
rec ack
send chn
guess D2
rec rew
?

rec rew
35
A bit of a mind shift
x1 1
x1 0
x2 0
x1 1
x1 0
n 1

?
36
P ?a3???????2 ?b2 P3?(a) P4?c2 P5
P
Cost
37
pi-calculus with Guessing

Top level N new aDnN
P A
Process P,Q,A 0 send a b rec a bP
! P (PQ)
abP
new xDn
guess
xDnP
(ga)P

38
Tracing dependences

Key reduction rules
agaP ?a (ga)P
(ga)sent c d rec c xQ
?ac(d)
Qd/x

39
Worthless dependencies

new chn,rew,b1D2 bnD2 (
( send a (chn,rew) ! send ack
rec chn x1x1b1( send ack
rec chn x2x2b2(send ack
rec
rec chn xnxnbnsend rew bingo
)
Q )

40
The cost of a trace

Traces ? P??? P
e.g. P ?a3???????2 ?b2 P3?a P4?ae(d) P5,
cost of trace ( ? ) cost (?, , )
cost ( P?????????, com?????????????????g?, com??
cost (?? ?an ?, gu, com) cost ( ?,
(an)gu,com)
cost (?? ?a ?, gu, com) cost ( ?, gu,
(a,P)com)
cost (P, gu, com ) ????map snd ( gu
) )

41
The cost of a trace

cost ( P?(ab(c)) ?, (a,n)gu, (a,P)com )
If ( new dP /gtsend b c ) then
?? ??snd( gu ) x n-1 cost ( ?, gu, com )
else
cost ( ?, (a,n)gu, (a,P)com )

42
P ?a3?????a??2 ?b,2 P3?(a?) P4?c2 P5
P
Cost
43
spi-calculus with Guessing

Top level N new aDnN
names a,b,x,n,m,k
P A
ak
Process P,Q,A 0 send a b rec a bP
! P (PQ)
abP
new xDn
guess
xDnP
(ga)P
decrypt m as xkP

44
Decryption verifies the guess of a key

The attacker can verity a guess by a successful
decryption
P decrypt mk as xgk in A
????????????????????????????????????????????(gk)
P Am/x

45
Outline of Talk

Background
Formal security in the pi-calculus.
Computational arguments.
Bridging the gap.
The pi-calculus with guessing.
Calculating the cost of a guessing attack.
The computational correctness of the calculus

46
Correctness Summary

We map the pi-calculus to a computation setting
with a matching correctness criterion.
An sub-exponential attack in the calculus implies
the existence of a poly-time Turing machine that
defeats the criterion.
No sub-exponential attacker in the calculus
implies (given a correctness for spi), no
computational attacker that defeats the
criterion. I.e. any errors are down to spi not
guessing.

47
Relating the spi-calculus and the computational
model.

We allow a Turing machine to interact with a
correct implementation of a spi-calculus
process.
AP(c) the Turing machine A with access
to an oracle for process P.

48
Process security

In spi P(a) bi-similar P(b) for all a,b
or P(a) A(a) outputs on a
but P(a) A(b) does not.
Adv Pr s lt- Dn AP(s)( n,s,fn(P) ) 1
- Pr s,t lt- Dn AP(s)( n,t,fn(P) )
1

49
Unsafe in pi-g implies unsafe in the
computational model.

Theorem 1 If a pi-g calculus process is unsafe
then the translation of the process into the
computational setting is also unsafe.
i.e. if there is a sub-exponential cost attack in
the pi-g calculus then there is a Turing machine
A such that
Pr s lt- Dn AP(s)( n,s,fn(P) ) 1
- Pr s,t lt- Dn
AP(s)( n,t,fn(P) ) 1
is non-negligible.

50
Proof

Let P be the process that produces a finite error
trace with cost polynomial in n.
There is a polynomial process that can also
produce this trace.
Add guess command to Turing machines and let M
be a polynomial Turing machine that produce the
trace.

51
Proof

Execute each guess xDn by make n copies of the
machine and running them in parallel.
For each guess verification stop all incorrect
turning machines. As processes and trace is
finite there is a constant probability that that
this verification action really does verify the
guess.
Result polynomial time Turing machines that
produces the unsafe trace with a non-negligible
probability.

52
P ?a3?????a??2 ?b,2 P3?(a?) P4?c2 P5
P
Cost
53
Safe in the computational model implies safety in
the pi-g calculus

pi-g calculus processes are mapping to the
computational model in the same way as
spi-calculus processes.
Except names are mapped to bit strings with the
same length as their domain sizes.

54
Safe in the pi-g calculus implies safety in the
computational model

A simple result
There is a zero cost attack in the pi-g
calculus if and only if there is an attack in the
spi-calculus.

55
Safe in the pi-g calculus implies safety in the
computational model

Theorem 2 if there is no sub-exponential cost
attack in the pi-g calculus then either
the translation is unsafe in the computational
model,
or the encoding of the spi-calculus is unsafe.

56
Proof

Let there be a computational attack against P.
We can write P new a1,,anP where a1,,an
are all the sub-expo length names used in the
attack.
Unwinding a finite number of replicates if
necessary.
Hence we have an spi-calculus attack against P.

57
Proof

Assuming the correctness of the spi-calculus, we
have a successful attacking spi-calculus process
Pa.
Therefore guess a1,,anPa will be a successful
attacking pi-g calculus process against P.

58
Extended Example Bank Cards

Card ! ( rec card (test,reply) test pin
send reply (acc_no, bon_code)
Customer send shop ( pin, card )
Shop rec shop ( test_pin, card )
( new replyDtop send card ( test_pin,
reply )
rec reply ( acc_on, bon_code )
send bank acc_no,pin,amout,acc_shopKbank
Bank rec packet decrypt packet as
acc_no,pin,amout,acc_shopKbank

59
Extended Example Bank Cards

new acc_onD1012
new pin D104,card D1 ( Card Customer )
new KbankD2128acc_shop( Shop Bank)
Closed system forces attack to guess Kbank.

60
Attacker

New system
new card new KBankA ( Card Bank A )
Gives attacker has access to the card.
Pin can be guessed and verified using the card,
at cost 104. The acc_on is public. So total cost
of attack 104.

61
A safer system

Account number is never made public. Pin number
is checked by bank.
Card2 !rec card (test,reply)
send reply acc_no, test Kcard
Bank2 rec packet decrypt packet as
test_pin,card_pack,amout,acc_shopKbank
in decrypt as acc_no, test_pin Kcard in
new KcardD2128 ( Card2
new pinD104( Customer Bank2 ) )

62
A safer system

Now attacker must guess pin and acc_no without
verification 1041012 1016.
Bank cards allow for a off-line system. Banks
willing to take risk and repay theft.
Also cards will lock up, after a number of guess.

63
Summary

pi-g gives a cost to a guess, tests repeat
attacks on a process,
without forcing you to do complexity analysis on
the guess and test.
Correctness is in terms of the computational
model of security.

64
Other related work

Probabilistic polynomial-time process calculus,
Lincon, Mitchell, Scedrov.
Gavin Lowe and others Analysing of guessing weak
passwords.
Iliano Cervesato, Multi-set rewriting with an
additive of each step.

65
Further work.

Spi-calculus computational correctness.
Meta theorem, showing that attacks are not
possible, bi-simulation methods
Application to really protocol.
Automated checking, theorem prover, Prolog

66
Questions?
67
Next Slides
68
Conjecture

There exists a mapping from spi-calculus
processes to Turing machines, such that
a process is safe in the spi-calculus if and only
if it is safe in the computational setting.

69
Mapping

0 -gt halt
new aP -gt associate a tape with a"
send a b -gt write b to the tape for a
rec a xP -gt read x off the tape for a
( P Q ) -gt run the machines for P
and Q in parallel.

70
Correctness Summary

We map the pi-calculus to a computation setting
(Turing machines).
With a matching correctness criterion.
An attack in the calculus implies the existence
of a poly-time Turing machine that defeats the
criterion.
No attacker in the calculus implies (given a
correct implementation), no computational
attacker that defeats the criterion.

71
My work

Extend formal methods.
Make then aware of guess and domain size.

Protocol
Formal analysis
Formal analysis
analysis
Computational analysis
Computational
72
Complete-ish?

Can I find an interesting example that can not be
found by existing formal methods?
Bank cards, PKI systems, any system with many
users

Protocol
Formal analysis
Guessing
Computational analysis
73
Summary

I presents some formal and computational methods
proving process correct.
I presented some work that tries to bridge the
gap between then
I am working on a pi-like calculus for guessing
attacks.

74
Delov-Yao

A good, early attempt to apply formal methods to
protocol.
Protocol is formally defined.
Attacker can observe messages, construct new
messages, and interact with the protocol.

75
Delov-Yao rules

If m in E then E - m
If E - m and E - n then E - (m,n)
If E - (m,n) then E - m and E - n
If E - m and E - k then E - mk
If E - mk and E - k-1 then E - m

76
BAN Judgments

Judgments include
?????????P????? P believes X
P ? X P sees X
P ???? P once said X
P ?????? P is trusted to say X
??X? X is a fresh nonce.
P ????Q K is a key for P,Q
????P K is Ps public key

77
BAN rule examples

If P believes P and Q share K and P see a message
encrypted with K then P believes X once said X
?????????????????????P???? P ????Q P ? XK
P???? Q ????
If P believes X is a fresh nounce and P believes
that Q once said X then P believes that Q
currently believes X
????? ????P??????X? ?P????Q ????
P????Q??? X

78
Not complete