Communication security: Formal models and proofs

Transcription

1 Commnication secrity: Formal models and proofs Hbert Comon September 1, Introdction to protocol secrity The context (I) credit cards contactless cards telephones online transactions cars, fridges,... Internet of Things Big Brother: NSA Biomedical applications... The context (III) Secrity protocols Testing is not very sefl Hiding the code is not a good idea The scope of formal methods A simple handshake protocol A! B : n, r. aenc(ha, ni, pk(sk B ), r) B! A : r 0. aenc(n, pk(sk A ), r 0 ) 1

2 The formal verification problem 8A. A k P = 8A. A k P 1 A k P 2 Universal qantification on A: techniqes. we cannot apply directly model-checking One important isse: range of A? Attacker models The DY-attacker Messages are terms, the attacker is defined throgh an eqation theory or an inference system The comptational attacker Messages are bitstrings, the attacker is a probabilistic polynomial time Tring machine Other attackers Goals of the lectre Verification inpts Cryptographic libraries Protocol programs Attacker model Secrity property Goals of the lectre Show how to derive the proof obligations in a parametric way, abstracting from crypto libraries, attacker models. Focs on the semantics of protocols, for arbitrary libraries and attacker models. 2

3 Roadmap 4 sccessive versions of the calcls, by increasing expressiveness (we cold have considered the last case only...) 1. Simple case 2. Adding events: reqired for agreement properties 3. Adding replication 4. Adding channel generation: reqired for comptational semantics Then indistingishability properties (privacy). 2 A simple version of the process calcls Cryptographic libraries Syntax An arbitrary set of cryptographic primitives F : hash, pblic-key encryption(s), symmetric encryption(s), zkp,... represented by (typed) fnction symbols At least one random generation algorithm. Random nmbers are represented by names n, n 1, r,... ot of a set N Terms are bilt over variables, fnction symbols and names. Cryptographic libraries Semantics M is an interpretation domain. Typically grond or constrctor terms (the DY semantics) or bitstrings (the comptational semantics). M incldes error messages (exceptions) Err. If is an environment (mapping from variables to M), is a term, [] M is the interpretation of in M w.r.t. The interpretation is strict: : M is a (partial) F-algebra. Cryptographic libraries A possible set of fnction symbols i 2 Err ) [f( 1,..., n )]] M 2 Err aenc(, pk, r) is (spposed to be) the asymmetric encryption of with the pblic key pk and random inpt r. dec(, sk) is (spposed to be) the decryption of with the secret key sk 3

4 pk(sk) is (spposed to be) the pblic key associated with the secret key sk h, vi 1 (), 2 () Cryptographic libraries A DY model M DY (messages) is the least set of grond terms sch that: N M DY if, v 2 M DY then h, vi 2M DY if k 2N then pk(k) 2 M DY if 2 M DY, k, r 2N,thenaenc(, pk(k), r) 2 M DY. M DY also incldes special error terms Err (not messages). dec(aenc(, pk(k), r), k)! For k, r 2N, a message 1 (h, vi)!,v are messages 2 (h, vi)! v,v are messages [] M DY = # Any irredcible grond term, which is not a message, is an error. Cryptographic libraries Comptational models 2 N is a secrity parameter maps N to {0, 1} M c (, ) {0, 1} [[n]] Mc(, ) = (n) aenc(,, ), dec(, ), pk( ) are interpreted as a pblic-key encryption scheme. with an interpretation of pairing/projections, M c (, ) is an F-algebra 4

5 A simple process calcls Syntax P ::= 0 nll process (stalled) in(x).p inpt of x (binds x) ot(t).p otpt of t if EQ(, v) then P else P conditional branching let y = in P evalation (binds y) n.p random generation P kp parallel composition All variable occrrences are bond. Example The simple handshake protocol A! B : n, r. aenc(ha, ni, pk(sk B ), r) B! A : r 0. aenc(n, pk(sk A ), r 0 ) A(sk a, pk(sk b )) = B(sk b )= n, r. ot(aenc(hpk(sk a ), ni, pk(sk b ), r)). in(z). let z 1 = dec(z, sk a ) in if EQ(z 1, n) then 0(Sccess) else 0(Fail) r 0. in(x).let y = dec(x, sk b ) in let y 1 = 1 (y) in let y 2 = 2 (y) in ot(aenc(y 2, y 1, r 0 )). 0. sk a, sk b. ot(hpk(sk a ), pk(sk b )i). (A(sk a, pk(sk b )) k B(sk b )) Strctral eqivalence 0 k P P P k Q Q k P P k (Q k R) (P k Q) k R n.p n 0.P {n 7! n 0 } in(x).p in(x 0 ).P {x 7! x 0 } let x = in P let x 0 = in P {x 7! x 0 } ( n.p )kq n 0.(P kq) if n /2 freenames(q) Operational semantics States of the network are tples (,,P ), where 5

6 is a frame of the form n.m 1,...,m k,wheren is a set of names (sed so far) and m 1,...,m k is a seqence of vales in M (that have been sent ot so far) is an environment: an assignment of the free variables to vales in M P is a process The semantics is a labeled transition system, whose labels are the inpts provided by the attacker (sometimes, an empty inpt) 6

7 Operational semantics The transition system (I) (,,in(x).p )! (, ]{x 7! }, P ) (,,P ) (,,if EQ(s, t) then P else Q) 0, P 0 ) 0, P 0 ) if[[s]] M =[[t]] M /2 Err (,,Q) (,,if EQ(s, t) then P else Q) 0, P 0 ) 0, P 0 ) if[[s]] M 6=[[t]] M or [[s]] M 2 Err or [t] M 2 Err Operational semantics The transition system (II) if [] M = w/2 Err (,,let x = in P )! (, ]{x 7! w}, P ) ( n.,, ot(s).p )! ( n. [s] M,,P ) (,,P ) (,,P kq) 0, P 0 ) 0, P 0 kq) if n /2 n [ freename( ) ( n.,, n.p )! n ] n.,, P ) 7

8 Example Restricting the feasible transitions ( 1, 1, P 1 ) 1! k 1! ( k, k, P k ) is possible w.r.t. model M and an attacker A if, for every i, Note: cold inclde a state in A. A([[ i ] M i, P i)=[[ i ] M i Example DY There is a DY attacker A sch that A( )=[[] M DY where I is defined by: `I # i For every f 2F ` 1 ` n ` f( 1,..., n ) # n. 1,..., n ` i if n 0 2N\n. n. ` n 0 Exercise In the simple handshake example, describe all feasible transition seqences in the DY model (assme the name extrsion, let, conditionals and otpts are always performed before inpts). Is the nonce n secret? Example comptational A is a Probabilistic Polynomial Time Tring machine (PPT). Some inpts that were not possible in the DY model might now be possible. A typical example A might be able to compte (with a significant probability) [aenc(, pk(k 1 ), r 1 )]] Mc(, ) from [[aenc(v, pk(k 1 ), r 1 )]] Mc(, ) 9A, Prob{, : A([[aenc(v, pk(k 1 ), r 1 )]] Mc(, ) )= [aenc(, pk(k 1 ), r 1 )]] Mc(, ) } > ( ) 8

9 is non-negligible: there is a polynomial Pol sch that lim inf ( ) Pol( ) > 1!+1 Confidentiality In the DY case Is there a DY attacker A and a feasible transition seqence (;, ;, P )! (,,Q) sch that A(, Q) =s? This problem is in NP In the comptational case Is there a PPT A sch that, for every comptational model M c (, ), the probability that there is a feasible seqence (;, ;, P )! (,,Q) sch that A(, Q) =s is negligible in? This reqires in general assmptions on the libraries For example, the protocol n s.in(x).if EQ(x, n) then ot(s) 0 else 0 satisfies the confidentiality of s in the comptational model, as soon as n is niformly drawn at random. (For any attacker the probability of sccess is bonded by 1 2 ). Exercises In the following cases, give reasonable processes A, B and either give an attack on the confidentiality of s or prove that there is no sch attack in the DY model. 9

10 1. A! B : n, r. hpk(sk A ), aenc(s, pk(sk B ), r)i B! A r 0. hpk(sk B ), aenc(s, pk(sk A ), r 0 )i P = sk a, sk b. ot(hpk(sk A ), pk(sk B )i) (A(sk a, pk(sk B )) k B(sk b )) 2. A! B : s, r 1, r 2. aenc(hpk(sk A ), aenc(s, pk(sk B ), r 1 )i, pk(sk B ), r 2 ) B! A : r 3, r 4.aenc(hpk(sk B ), aenc(s, pk(sk A ), r 3 )i, pk(sk A ), r 4 ) P = sk a, sk b. ot(hpk(sk A ), pk(sk B )i) (A(sk a, pk(sk B )) k B(sk b ) k B(sk b )) 3 Symbolic (Abstract) semantics Gathering feasability conditions States of the network are tples (,,P, ), where,,p as before is a constraint: eqalities, diseqalities and comptational constraints of the form.. (,,in(x).p, )! (,,P, ^. x) (,,if EQ(s, t) then P else Q, )! (,,P, ^ EQ(s, t)) (,,if EQ(s, t) then P else Q, )! (,,P, ^ EQ(s, t)) Conseqences Advantages A finite transition system (regardless of the model) Confidentiality redces to constraint satisfaction ^ f. s in NP in the DY model 10

11 Conseqences Comptational case Specify the assmptions on the libraries: impossibility conditions. 6.n S, aenc(n, pk(k), r). n ) S. n S 1.x^ S 2,x.y ) S 1, S 2.y S 1.x 1 ^...^ S n.x n ) S 1,...,S n.f(x 1,...,x n ) S, S 1, S 2 are finite sets of terms. [3mm] Check the constraint satisfiability, together with (in PTIME!!). s and the above axioms Exercise Back to the simple handshake protocol. Stdy its secrity in the comptational model, assming the properties of the cryptographic libraries that are described in the lectre. 11