Deriving GDOI. Dusko Pavlovic and Cathy Meadows

Transcription

1 Deriving GDOI Dusko Pavlovic and Cathy Meadows September

2 Outline 1. Trace logic 2. Axioms and rules 3. Deriving core GDOI 4. Global encryption and hashing transformations 5. Adding PFS and POP options 2

3 1. Trace logic 1.1. Actions send: t A, B C, receive: (x Y, Z) C, new: (νx) C match: (p(t)/p(x)) C 3

4 1.2. Statements Atomic predicates: a a < b a = b 4

5 Meaning t A < (x) Y some send t by A precedes some receive x by Y a = t A t A the action a is in the form U(t) X = V (t) Y X = Y U(t) = V (t) and 5

6 Composite predicates: Y. (m) Y n B, A Y < (n, Hm B, A) A (νx) A < x A < (k, H(x, k)) A X. v X< log v (νy) B < g y B < ((g y )) X < v y X< 6

7 Abbreviations: (t) (x)(x/t) t U(t/x), transparent for all ((t)) abbreviates (U(t/x)), transparent for receiver t A< a = t A b = t B. b a t A< a = t A b = t B. b a 7

8 Summary: protocol runs are partial orders of actions predicates are sets of protocol runs statements are A : Φ A knows that the current run satisfies Φ A : (νx)φ A knows that Φ holds after she has generated x 8

9 2. Axioms and rules 2.1. General axioms (t) = a. a = t a < (t) (rcv) (νm) M = a A. ( m F V (a) a > (νm) ) A M (νm) M < m M < ((m)) A a A (new) 9

10 2.2. Ping authentication by challenge-response A : (νm) A ( c AB m A < ((r AB m)) A = c AB m A < ((c AB m)) B < r AB m B< < ((r AB m)) A ) (cr) 10

11 2.3. Challenge-response by hashing Use shared secret σ AB keyed hash H AB x = h(σ AB, x) to implement c AB (x) = x r AB (x) = H AB (x) 11

12 Axioms of keyed hash H AB t X< = X = A X = B (hash1) Hs = Ht = s = t (hash2) 12

13 Proposition. Keyed hash implements a challengeresponse protocol: A : (νm) A ( m A < ((H AB u m )) A = m A < ((m)) B < H AB u m B< < ((H AB u m )) A ) (crh) where u m is a term containing m. 13

14 3. Deriving core GDOI 2.1. One-way ping authentication A B νm m Hm 14

15 Agents views A sees : (νm) A < m A < (Hm) A knows (crh) : (νm) A ( m A < ((Hm)) A = m A < ((m)) B < Hm B< < ((Hm)) A ) concludes : (νm) A < m A < ((m)) B < Hm B< < (Hm) A 15

16 B sees : (m A, B) B < Hm B knows (rcv) : (t) = a. a = t a < (t) concludes : X. m A, B X < (m A, B) B < Hm B 16

17 2.2. Two one-way ping authentications A B νm m n,hm Hn νn 17

18 Agents views A sees : (νm) A < m A < (n, Hm) A < Hn A knows (crh) : knows (rcv) (νm) A ( m A < ((Hm)) A = m A < ((m)) B < Hm B< < ((Hm)) A ) (t) = a. a = t a < (t) concludes : (νm) A < m A < ((m)) B < Hm B< < (n, Hm) A < Hn A Y. n B, A Y < (n, Hm B, A) A 18

19 B sees : (m A, B) B < (νn) B < n, Hm B < (Hn) B knows (crh) : knows (rcv) : (νn) B ( n B < ((Hn)) B = n B < ((n)) A < Hn A< < ((Hn)) B ) (t) = a. a = t a < (t) concludes : X. m A, B X < (m A, B) B < (νn) B < n, Hm B < ((n)) A < Hn A< < (Hn) B 19

20 2.3. Two-way challenge-response A B νm m n,h(m,n) Hn νn 20

21 Agents views A sees : (νm) A < m A < (n, H(m, n)) A < Hn A knows (crh) : knows (rcv) : (νm) A ( m A < ((Hu m )) A = m A < ((m)) B < Hu m B< < ((Hu m )) A ) (t) = a. a = t a < (t) knows : B honest (m) B < (νy) B < y, H(m, y) B < (Hy) B 21

22 Like in the one-way authentication, A concludes (i) : (νm) A < m A < ((m)) B < H(m, n) B< < (n, H(m, n)) A 22

23 The honesty assumption implies A concludes (ii) : B honest H(x, n) B = (νy) B < y, H(x, y) B< y = n 23

24 (i) (ii) (hash) = H(m, n) B = n, H(m, n) B hence A concludes : B honest = (νm) A < m A < < (m) B < (νn) B < n, H(m, n) B < < (n, H(m, n)) A < Hn A 24

25 B sees : (m A, B) B < (νn) B < n, H(m, n) B < (Hn) B knows (crh) : knows (rcv) : (νn) B ( n B < ((Hn)) B = n B < ((n)) A < Hn A< < ((Hn)) B ) (t) = a. a = t a < (t) knows : A honest (νx) A < x A < (n, H(x, n)) A < Hn A 25

26 Like in the one-way authentication B concludes (i) : (m) B < (νn) B < n, H(m, n) B < ((n)) A < Hn A< < (Hn) B 26

27 The honesty implies B concludes (ii) : A honest Hy A = (νx) A < x A < (y, H(x, y)) A 27

28 To connect (i) and (ii), note that The premis Hy A of (ii) follows from (i) if we instantiate y = n. The origination implies that the action Hn A< in (i) is the same as Hy A< in (ii). Because (rcv) n, H(x, n) Y < < (n, H(x, n)) A in (ii), the agent B can conclude that n, H(x, n) Y = n, H(m, n) B and thus Y = B, provided that A is honest. This is a consequence of the (hash1)-axiom, which implies that the hashes must originate from A or B. Axiom (hash2) then tells that x = m. 28

29 Hence B concludes : A honest = (νm) A < m A < < (m) B < (νn) B < n, H(m, n) B < < (n, H(m, n)) A < Hn A < (Hn) B 29

30 Summary A and B can prove exactly what the run looks like except that A cannot know whether her last message was received. Starting from ping, in two refinement steps, the agents achieve matching histories, completely determined run, all security properties are testable. 30

31 The achieved security properties are freshness: each agent knows that the other agent, if she is honest, has freshly generated the challenge; entity authentication: each of the agents knows that the other has intentionally responded to her own challenge, and intentionally issued a challenge; and each agent furthermore knows that the other agent possesses a symmetric knowledge, and so on, so that authenticity of the session becomes their common knowledge ASSUMING security of hash expressed by (hash1) and (hash2) honesty of the participants 31

32 2.4. Hash-based authenticated key distribution IF YOU GET HERE, YOU MUST BE ASLEEP. 32