Universally Composable Symbolic Analysis of Cryptographic Protocols
Ran Canetti and Jonathan Herzog

6 March 2006

The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the author.
Overview
   This talk: symbolic analysis can guarantee universally
    composable (UC) key exchange
     • (Paper also includes mutual authentication)

   Symbolic (Dolev-Yao) model: high-level framework
     • Messages treated symbolically; adversary extremely limited
     • Despite (general) undecidability, proofs can be automated
   Result: symbolic proofs are computationally sound (UC)
     • For some protocols
     • For strengthened symbolic definition of secrecy

   With UC theorems, suffices to analyze single session
    • Implies decidability!
Needham-Schroeder-Lowe protocol

(Prev: A, B get each other's public encryption keys)

      A  -->  B :  EKB(A || Na)
      B  -->  A :  EKA(Na || Nb || B)
      A  -->  B :  EKB(Nb)
      A and B each output K

   Version 1: K = Na                  Version 2: K = Nb
                 Which one is secure?
Two approaches to analysis
   Standard (computational) approach: reduce attacks to
    weakness of encryption

   Alternate approach: apply methods of the symbolic model
     •   Originally proposed by Dolev & Yao (1983)
     •   Cryptography without: probability, security parameter, etc.
     •   Messages are parse trees
           •  Countable symbols for keys (K, K', ...), names (A, B, ...)
              and nonces (N, N', Na, Nb, ...)
           •  Encryption (EK(M)) and pairing (M || N) are constructors
     •   Participants send/receive messages
           •  Output some key-symbol
The symbolic adversary
   Explicitly enumerated powers
     • Interact with countable number of participants
     • Knowledge of all public values, non-secret keys
     • Limited set of re-write rules:

          M1, M2           =>   M1 || M2
          M1 || M2         =>   M1, M2
          M, K             =>   EK(M)
          EK(M), K^-1      =>   M
'Traditional' symbolic secrecy

   Conventional goal for symbolic secrecy proofs:
                  “If A or B output K, then no sequence of
                    interactions/rewrites can result in K”
   Undecidable in general [EG, HT, DLMS] but:
    •   Decidable with bounds [DLMS, RT]
    •   Also, general case can be automatically verified in practice
            Demo 1: analysis of both NSLv1, NSLv2

   So what?
     • Symbolic model has weak adversary, strong assumptions
     • We want computational properties!
     • …But can we harness these automated tools?
What we'd like

   Symbolic protocol  --- simple, automated --->  Symbolic key-exchange
         ^                                                  |
   natural translation                                 'soundness'
   (for a large class                             (need only be done once)
    of protocols)                                           |
         |                                                  v
   Concrete protocol  - - - would like - - - ->  Computational key-exchange
Some previous work
General area:
   [AR]: soundness for indistinguishability
    •   Passive adversary
   [MW, BPW]: soundness for general trace properties
    • Includes mutual authentication; active adversary
   Many, many others

Key-exchange in particular (independent work):
   [BPW]: (later)
   [CW]: soundness for key-exchange
    •   Traditional symbolic secrecy implies (weak) computational
        secrecy
Limitations of 'traditional' secrecy

   Big question:
           Can 'traditional' symbolic secrecy imply standard
                 computational definitions of secrecy?


   Unfortunately, no
   Counter-example:
     • Demo: NSLv2 satisfies traditional secrecy
     • Cannot provide real-or-random secrecy in standard models
     • Falls prey to the 'Rackoff' attack
The 'Rackoff attack' (on NSLv2)

      A   -->  B   :  EKB(A || Na)
      B   -->  A   :  EKA(Na || Nb || B)
      A   -->  Adv :  EKB(Nb)      (intercepted; A has already output K = Nb,
                                    and Adv now holds a candidate key K)
      Adv -->  B   :  EKB(K)
      B accepts?  Only if K = Nb

      Adv decides "K =? Nb": if B accepts, K is the real key; o.w. it is random
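The exchange on this slide, replayed symbolically as an added example (this is not code from the paper or the talk): encryption is modelled as a tagged record that only the party holding the matching private key reads, nonces are fresh random strings standing in for nonce symbols, and the adversary is handed the candidate key as soon as A outputs it, which is what the real-or-random game permits. The class and function names (`A`, `B`, `Enc`, `rackoff_game`, `distinguishes`) are this example's own.

```python
"""Symbolic replay of the 'Rackoff attack' on NSL (added example, not from the paper).

The adversary never breaks encryption; it only uses the candidate key it receives in
the real-or-random game as an oracle query to B. NSLv2 (K = Nb) is distinguished with
probability 1, NSLv1 (K = Na) is not, because B's final check is on Nb, not Na.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Enc:
    key: str        # public-key symbol the ciphertext is under ("KA" or "KB")
    payload: tuple  # symbolic plaintext; readable only by the holder of key^-1


def fresh(tag):
    """A fresh nonce symbol (constructed; random so runs are independent)."""
    return f"{tag}#{secrets.token_hex(4)}"


class A:
    """Initiator. Outputs K = Na (version 1) or K = Nb (version 2) after message 2."""

    def __init__(self, version):
        self.version, self.na, self.key = version, fresh("Na"), None

    def msg1(self):
        return Enc("KB", ("A", self.na))

    def recv2(self, m):
        if m.key != "KA":                       # A can only open EKA(...)
            raise ValueError("not for A")
        na, nb, b = m.payload
        if na != self.na or b != "B":           # Lowe's fix: B's name must be present
            raise ValueError("Lowe check failed")
        self.key = self.na if self.version == 1 else nb   # local output of K
        return Enc("KB", (nb,))                 # message 3


class B:
    """Responder. Accepts message 3 iff it carries Nb, then outputs K by the same rule."""

    def __init__(self, version):
        self.version, self.nb, self.key = version, fresh("Nb"), None

    def recv1(self, m):
        if m.key != "KB":
            raise ValueError("not for B")
        _, self.na = m.payload
        return Enc("KA", (self.na, self.nb, "B"))

    def recv3(self, m):
        accepted = m.key == "KB" and m.payload == (self.nb,)
        if accepted:
            self.key = self.na if self.version == 1 else self.nb
        return accepted


def rackoff_game(version, real):
    """One run of the real-or-random game; `real` is the challenger's hidden bit.
    Returns the adversary's guess (True = "real"). The adversary relays messages 1
    and 2 unchanged, receives the candidate key when A outputs, and instead of
    delivering message 3 asks B whether the candidate is Nb."""
    a, b = A(version), B(version)
    m2 = b.recv1(a.msg1())
    _m3 = a.recv2(m2)                          # A outputs its key here; m3 is intercepted
    candidate = a.key if real else fresh("R")  # challenger hands over real or random key
    return b.recv3(Enc("KB", (candidate,)))    # B accepts  <=>  candidate == Nb


def distinguishes(version):
    """True iff the adversary's guess differs between real and random, i.e. advantage 1."""
    return rackoff_game(version, True) != rackoff_game(version, False)


if __name__ == "__main__":
    for v in (1, 2):
        print(f"NSLv{v}: Rackoff attack distinguishes real from random? {distinguishes(v)}")
```

Note that the attack uses nothing beyond the Dolev-Yao re-write rules (it encrypts a known value under a public key), which is why the 'traditional' secrecy check, which only asks whether Nb ever enters the adversary's knowledge, cannot see it.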
Achieving soundness
   Soundness requires new symbolic definition of secrecy

   [BPW]: 'traditional' secrecy + 'non-use'
     • Thm: new definition implies secrecy (in their framework)
     • But: must analyze infinite concurrent sessions and all resulting
         protocols

   Here: 'traditional' secrecy + symbolic real-or-random
    • Non-interference property; close to 'strong secrecy' [B]
    • Thm: new definition equivalent to UC secrecy
    • Demonstrably automatable (Demo 2)
    • Suffices to consider single session!
          (Infinite concurrency results from joint-state UC theorems)
     •   Implies decidability (forthcoming)
Decidability (not in paper)

                      Traditional secrecy          Symbolic real-or-random
   Unbounded sessions Undecidable [EG, HT, DLMS]   Undecidable [B]
   Bounded sessions   Decidable (NP-complete)      Decidable (NP-complete)
                      [DLMS, RT]
Proof overview (soundness)

   Symbolic key-exchange
        |   Construct simulator
        |     • Information-theoretic
        |     • Must strengthen notion of UC public-key encryption
        v
   Single-session UC KE (ideal crypto)
        |   UC with joint state [CR]  (info-theoretic)
        v
   Multi-session UC KE (ideal crypto)
        |   UC theorem
        v
   Multi-session KE (CCA-2 crypto)

   Intermediate step: trace properties (as in [MW, BPW])
     • Every activity-trace of the UC adversary could also be produced
       by the symbolic adversary
     • Rephrase: UC adversary no more powerful than symbolic adversary
Summary & future work
   Result: symbolic proofs are computationally sound (UC)
     • For some protocols
     • For strengthened symbolic definition of secrecy
   With UC theorems, suffices to analyze single session
     • Implies decidability!


   Additional primitives
     •   Have public-key encryption, signatures [P]
     •   Would like symmetric encryption, MACs, PRFs…
   Symbolic representation of other goals
     •   Commitment schemes, ZK, MPC…
Backup slides
Two challenges

1.    Traditional secrecy is undecidable for:
     • Unbounded message sizes [EG, HT] or
     • Unbounded number of concurrent sessions
     (Decidable when both are bounded) [DLMS]



2.    Traditional secrecy is unsound
     • Cannot imply standard security definitions for
         computational key exchange
     •   Example: NSLv2 (Demo)
Prior work: BPW

                                Theory                           Practice
   New symbolic definition      Implies UC key exchange
                                (public-key & symmetric
                                 encryption, signatures)

Our work

                                Theory                           Practice
   New symbolic definition:     Equiv. to UC key exchange        Automated verification!
   'real-or-random'             (public-key encryption [CH],     + finite system
                                 signatures [P])                 Decidability?
                                UC suffices to examine
                                single protocol run

                   Demo 3: UC security for NSLv1
Our work: solving the challenges

    Soundness: requires new symbolic definition of secrecy
    • Ours: purely symbolic expression of 'real-or-random' security
    • Result: new symbolic definition equivalent to UC key exchange

    UC theorems: sufficient to examine single protocol in
     isolation
    • Thus, bounded numbers of concurrent sessions
    • Automated verification of our new definition is decidable!…
       Probably
Summary
   Summary:
     • Symbolic key-exchange sound in UC model
     • Computational crypto can now harness symbolic tools
     • Now have the best of both worlds: security and
       automation!


   Future work
Secure key-exchange: UC

      P ---------- ? ---------- P
      |            A            |
      K                         K

Answer: yes, it matters
   •   Negative result [CH]: traditional symbolic secrecy
       does not imply universally composable key exchange
Secure key-exchange: UC

      P ---------- F ---------- P
      |            ?            |
      K            S            K
                   A

Adversary gets key when output by participants
  • Does this matter? (Demo 2)
Secure key-exchange [CW]

      P ---------- A ---------- P
                 K, K'

   Adversary interacts with participants
    • Afterward, receives real key, random key
    • Protocol secure if adversary unable to distinguish

   NSLv1, NSLv2 satisfy symbolic def of secrecy
    • Therefore, NSLv1, NSLv2 meet this definition as well
KE

      P ---------- ? ---------- P          F
                   A                       S

Adversary unable to distinguish real/ideal worlds
  • Effectively: real or random keys
  • Adversary gets candidate key at end of protocol
  • NSLv1, NSLv2 secure by this definition
Analysis strategy

   Dolev-Yao protocol  --- simple, automated --->  Dolev-Yao key-exchange
         ^                                                  |
   natural translation                               main result of talk
   (for a large class                             (need only be done once)
    of protocols)                                           |
         |                                                  v
   Concrete protocol  - - - would like - - - ->  UC key-exchange functionality
"Simple" protocols
   Concrete protocols that map naturally to Dolev-Yao
    framework
   Two cryptographic operations:
     • Randomness generation
     • Encryption/decryption
           (This talk: asymmetric encryption)
   Example: Needham-Schroeder-Lowe

      P1  -->  P2 :  {P1, N1}K2
      P2  -->  P1 :  {P2, N1, N2}K1
      P1  -->  P2 :  {N2}K2
UC Key-Exchange Functionality FKE

      P1 --(P1 P2)-->  FKE  <--(P2 P1)-- P2
      FKE:  k ← {0,1}^n
      FKE --> P1 : (Key k)            FKE --> P2 : (Key k)
      A is told (P1 P2), (P2 P1) and that keys were delivered (Key P1, Key P2),
      but does not get k
The Dolev-Yao model
   Participants, adversary take turns
   Participant turn:

        P1  ---M1--->  A  ---M2--->  P2
        |
        L    Local output: not seen by adversary
The Dolev-Yao adversary
   Adversary turn:

        P1              Know              P2
                         A
              Application of deduction rules to Know
 Dolev-Yao adversary powers
       Already in Know                    Can add to Know
       M1, M2                             Pair(M1, M2)
       Pair(M1, M2)                       M1 and M2
       M, K                               Enc(M, K)
       Enc(M, K), K^-1                    M

Always in Know:
   Randomness generated by adversary
   Private keys generated by adversary
   All public keys
The Dolev-Yao adversary

        P1               A               P2
                       Know  ---M--->
   Adversary sends some M from Know to a participant
Dolev-Yao key exchange
   Assume that last step of (successful) protocol execution
    is local output of
                 (Finished Pi Pj K)

    1.   Key Agreement: If P1 outputs (Finished P1 P2 K) and P2
         outputs (Finished P2 P1 K’) then K = K’.
    2.   Traditional Dolev-Yao secrecy: If Pi outputs
         (Finished Pi Pj K), then K can never be in adversary's set
         Know


   Not enough!
Goal of the environment
   Recall that the environment Z sees outputs of participants
   Goal: distinguish real protocol from simulation
   In protocol execution, output of participants (session key)
    related to protocol messages
   In ideal world, output independent of simulated protocol
   If there exists a detectable relationship between session
    key and protocol messages, environment can distinguish
     • Example: last message of protocol is {“confirm”}K where K is
        session key
    •   Can decrypt with participant output from real protocol
     •   Can't in simulated protocol
Real-or-random (1/3)
   Need: real-or-random property for session keys
    • Can think of traditional goal as “computational”
    • Need a stronger “decisional” goal
    • Expressed in Dolev-Yao framework

   Let π be a protocol
   Let πr be π, except that when a participant outputs
    (Finished Pi Pj Kr), Kr is added to Know
   Let πf be π, except that when any participant outputs
    (Finished Pi Pj Kr), a fresh key Kf is added to the
    adversary set Know
   Want: adversary can't distinguish the two protocols
Real-or-random (2/3)
   Attempt 1: Let Traces(π) be the traces the adversary can induce
    on π. Then:
                    Traces(πr) = Traces(πf)
   Problem: Kf not in any trace of πr

   Attempt 2:
           Traces(πr) = Rename(Traces(πf), Kf → Kr)
   Problem: Two different traces may “look” the same
     • Example protocol: If participant receives session key, encrypts
         “yes” under own (secret) key. Otherwise, encrypts “no” instead
     •   Traces different, but adversary can‟t tell
Real-or-random (3/3)
   Observable part of trace: Abadi-Rogaway pattern
     • Undecipherable encryptions replaced by “blob”
   Example:
                      t = {N1, N2}K1, {N2}K2, K1^-1
             Pattern(t) = {N1, N2}K1, □K2, K1^-1
             (□K2: the encryption under K2 cannot be opened and becomes a blob)


   Final condition:
                        Pattern(Traces(πr))
                                 =
            Pattern(Rename(Traces(πf), Kf → Kr))
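The adversary's deduction rules (the re-write table on the symbolic adversary slides) and the Abadi-Rogaway pattern of this slide, implemented together as one added example (not code from the paper or the talk). Terms are plain Python values: atoms are strings, `pair` and `enc` are tagged tuples, and `inv` maps a key symbol to its inverse. `analyze` saturates Know under the two decomposition rules, `derivable` then checks synthesis, and `pattern` blobs out every encryption whose decryption key is not in the analyzed Know. The NSL trace and the `PUBLIC` set are constructed sample input; the function names are this example's own.

```python
"""Dolev-Yao deduction and Abadi-Rogaway patterns (added example, not from the paper).

Atoms are strings ("A", "Na", "KB", "KB^-1"); pair(m1, m2) and enc(k, m) are tagged
tuples. Keys are asymmetric, as in the talk: enc(k, m) opens only with inv(k).
"""


def pair(m1, m2):
    return ("pair", m1, m2)


def enc(k, m):
    return ("enc", k, m)


def inv(k):
    """Key inverse: "KB" <-> "KB^-1"."""
    return k[:-3] if k.endswith("^-1") else k + "^-1"


def analyze(know):
    """Saturate Know under the two decomposition rules on the adversary slide:
    Pair(M1, M2) -> M1, M2   and   Enc(M, K), K^-1 -> M."""
    know = set(know)
    changed = True
    while changed:
        changed = False
        for t in list(know):
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                new = {t[1], t[2]}
            elif t[0] == "enc" and inv(t[1]) in know:
                new = {t[2]}
            else:
                continue
            if not new <= know:
                know |= new
                changed = True
    return know


def derivable(t, know):
    """Synthesis: can t be built from an analyzed Know with the construction rules
    M1, M2 -> Pair(M1, M2)  and  M, K -> Enc(M, K)?  Analysis followed by synthesis
    is the usual two-phase decision procedure for Dolev-Yao derivability."""
    if t in know:
        return True
    if isinstance(t, tuple) and t[0] in ("pair", "enc"):
        return derivable(t[1], know) and derivable(t[2], know)
    return False


def pattern(t, know):
    """Abadi-Rogaway pattern of t relative to Know: an encryption whose decryption
    key is not known is replaced by a blob that reveals only the key it is under."""
    if isinstance(t, tuple):
        if t[0] == "pair":
            return pair(pattern(t[1], know), pattern(t[2], know))
        if t[0] == "enc":
            if inv(t[1]) in know:
                return enc(t[1], pattern(t[2], know))
            return ("blob", t[1])
    return t


def trace_pattern(trace, public=()):
    """Pattern of a whole trace, w.r.t. everything recoverable from the trace plus
    the public values (the slide's example carries K1^-1 inside the trace itself)."""
    know = analyze(set(trace) | set(public))
    return [pattern(t, know) for t in trace]


# Constructed sample: names, public keys and the adversary's own key pair are
# always in Know; the three NSL messages are what the adversary observes in one run.
PUBLIC = {"A", "B", "KA", "KB", "KE", "KE^-1"}


def nsl_trace(na="Na", nb="Nb"):
    return [enc("KB", pair("A", na)),
            enc("KA", pair(na, pair(nb, "B"))),
            enc("KB", nb)]


def traditional_secrecy(trace, secret, public=PUBLIC):
    """'Traditional' Dolev-Yao secrecy: the secret never enters Know."""
    return not derivable(secret, analyze(set(trace) | set(public)))


if __name__ == "__main__":
    # Both NSL versions pass traditional secrecy (the messages are identical; only
    # the local output differs), which is exactly why this check misses the Rackoff attack.
    print(traditional_secrecy(nsl_trace(), "Na"), traditional_secrecy(nsl_trace(), "Nb"))
    # The slide's pattern example.
    t = [enc("K1", pair("N1", "N2")), enc("K2", "N2"), "K1^-1"]
    print(trace_pattern(t))
```

The pattern function is what makes "traces look the same" decidable on the observable part: two traces that differ only inside encryptions the adversary cannot open get the same pattern, so the "yes"/"no" example of the previous slide no longer separates πr from πf.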
Main results
   Let key-exchange in the Dolev-Yao model be:
     • Key agreement
     • Traditional Dolev-Yao secrecy of session key
     • Real-or-random

   Let π be a simple protocol that uses UC asymmetric
    encryption. Then:

            DY(π) satisfies Dolev-Yao key exchange
                              iff
                UC(π) securely realizes FKE
Future work
   How to prove Dolev-Yao real-or-random?
     • Needed for UC security
     • Not previously considered in the Dolev-Yao literature
     • Can it be automated?
   Weaker forms of DY real-or-random
   Similar results for symmetric encryption and
    signatures