Strand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001

Similar documents
Authentication Tests and the Structure of Bundles

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

CPSA and Formal Security Goals

Lecture 28: Public-key Cryptography. Public-key Cryptography

Notes on BAN Logic CSG 399. March 7, 2006

The Faithfulness of Abstract Protocol Analysis: Message Authentication

THE SHAPES OF BUNDLES

Proving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory

The Sizes of Skeletons: Security Goals are Decidable

Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool

Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete

Proving Properties of Security Protocols by Induction

THE SHAPES OF BUNDLES

Symbolic Protocol Analysis with Products and Diffie-Hellman Exponentiation

Verification of the TLS Handshake protocol

Computing on Encrypted Data

On the Automatic Analysis of Recursive Security Protocols with XOR

Complexity of Checking Freshness of Cryptographic Protocols

Models and analysis of security protocols 1st Semester Security Protocols Lecture 6

Lecture Notes on Secret Sharing

Encoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Automata-based analysis of recursive cryptographic protocols

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

Analysing Layered Security Protocols

Discrete Logarithm Problem

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Automatic, computational proof of EKE using CryptoVerif

6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

1 Secure two-party computation

A progress report on using Maude to verify protocol properties using the strand space model

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

NSL Verification and Attacks Agents Playing Both Roles

Group Diffie Hellman Protocols and ProVerif

Round-Efficient Multi-party Computation with a Dishonest Majority

State and Protocols: The Envelope Example

Verification of Security Protocols in presence of Equational Theories with Homomorphism

PERFECTLY secure key agreement has been studied recently

An Efficient Cryptographic Protocol Verifier Based on Prolog Rules

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Lecture 1: Introduction to Public key cryptography

CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

APPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.

Introduction to Cryptography. Lecture 8

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

A Relay-assisted Handover Pre-authentication Protocol in the LTE Advanced Network

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

CRYPTANALYSIS OF COMPACT-LWE

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Symbolic Protocol Analysis for Diffie-Hellman

Peculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology

Strand Spaces: Why is a Security Protocol Correct?

CPSC 467b: Cryptography and Computer Security

On Achieving the Best of Both Worlds in Secure Multiparty Computation

1 Number Theory Basics

Cryptographical Security in the Quantum Random Oracle Model

Question: Total Points: Score:

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

Lecture 8: The Dummy Adversary

Event structure semantics for security protocols

A Logic of Authentication

Authentication Tests and Disjoint Encryption: a Design Method for Security Protocols

Skeletons and the Shapes of Bundles

14 Diffie-Hellman Key Agreement

Fundamentals of Modern Cryptography

Public Key Cryptography

arxiv: v1 [cs.cr] 27 May 2016

Lecture 3: Interactive Proofs and Zero-Knowledge

Practice Assignment 2 Discussion 24/02/ /02/2018

Credential Authenticated Identification and Key Exchange

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

Lecture Notes 20: Zero-Knowledge Proofs

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

CPSC 467b: Cryptography and Computer Security

Lecture 9 - Symmetric Encryption

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Notes on Zero Knowledge

Introduction to Modern Cryptography Lecture 11

Time-Bounding Needham-Schroeder Public Key Exchange Protocol

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

Multiparty Computation

Credential Authenticated Identification and Key Exchange

On Expected Constant-Round Protocols for Byzantine Agreement

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

Chapter 2 : Perfectly-Secret Encryption

Notes for Lecture 17

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

BAN Logic A Logic of Authentication

Typed MSR: Syntax and Examples

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

On the Cryptographic Complexity of the Worst Functions

Secure Multiparty Computation with General Interaction Patterns

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Modeling and Verifying Ad Hoc Routing Protocols

Abstract Specification of Crypto- Protocols and their Attack Models in MSR

Transcription:

Strand Spaces Proving Protocols Corr Jonathan Herzog 6 April 2001

Introduction 3Second part of talk given early last month Introduced class of cryptographic protocols Modeled at high level of abstraction Imposed strong assumptions Showed that flaws can exist independent of u cryptography Discussed one approach to analysis (model ch 3This talk: Strand Spaces Pencil & paper proof technique Joint work with Guttman, Thayer

Overview of talk 3Brief review of problem Running example: Otway-Rees protocols 3Strand Space formalization Standard assumptions Regular participants, penetrator (adversary) Model protocol executions Global view from local views Definitions and machinery Proofs of security conditions Discovery of previously unpublished flaw

Protocols 3Sequence of messages between small number (2 o cipals No conditionals (except to abort) 3Abstract cryptographic primitives (encryption, sign 3Achieve authentication and/or key transmission

Otway-Rees Protocol 1.A B: M A B { N a M A B } Kas 2.B S: M A B { N a M A B } Kas { N b M A B } Kbs 3.S B: { N a K ab } Kas { N b K ab } Kbs 4.B A: { N a K ab } Kas 3 M: Public, unique session ID 3 N a, N b : fresh nonces 3 K as, K bs : secret keys shared with distinguished se 3 K ab : fresh session key 3Designed to provide mutual authentication and s K ab Formalized later in terms of strands

Message Algebra 3Messages are elements of an algebra A 32 disjoint sets of atomic messages: Texts (T ) Keys (K) 3 2 operators: enc : K A A (Range: E) pair : A A A (Range: C) 3 Often distinguish T Names T, T Nonces T T Names T Nonces =

Message Algebra (continued) 3Message algebra is free Unique representation of terms Exactly one way to build elements from atom ations Formulas, rather than bit-strings 3 K, T, E, C mutually disjoint 3 For all M 1, M 2, M 3, M 4 A, k 1, k 2 K, T T M 1 M 2 M 3 M 4, unless M 1 = M 3, M 2 = M 4 { M 1 } k1 { M 2 } k2 unless M 1 = M 2, k 1 = k 2

Message Algebra Structure 3 3 There is structure in the message algebra to explo Define the subterm relation as the smallest rela that for all a, g and h: a a, a g a { g } k a g a g h a h g

Strands 3Two types of actions: transmissions and receptio Written M and M (sign omitted when irre Assumed to have unsecured sender, recipient Ignored in this framework 3 Trace: sequence of actions 3 Strand: trace unique identifier Particular execution of a trace Two different strands may have the same trac Represent two different executions Actions on strands called nodes A, B, C, D

Regular Participants 3 Regular participants: All non-adversary agents 3Protocol defines all possible regular traces 3Regular participants represented by strands conta sible traces 3Internal actions, knowledge not modeled

Regular Participants (continued) 3Strand patterns for regular participants (Otway-Re Initiator (A) Responder: (B) M A C { N a M A C } Kas { N a K ac } Kas M D B { g } k M D B { g } k { N b M D B } Kbs { h } k { N b K db } Kbs { h } k Server: (S) M A B { N a M A B } Kbs { N b M A B { N a K ab } Kas { N b K ab } Kbs

Regular Participants (continued) 3Strands refuse to receive any messages other expected ones Implicit abort/fail operation in such cases 3Regular strands completely defined by values No variables These are different strands: M A B { Na M A B } Kas, { N a K ab } K M A B { Na M A B } Kas, { N a K ab } K

Regular Participants (continued) 3Often convenient to define sets of strands with sim Init-Strands[A, B, M, N a, k ab ] = { s : s has trace M A B { Na M A B } Kas, { N a K (Empty if parameters of wrong types) 3Build larger sets from these: Init-Strands[, B, M,, k ab ] = A T Names, N a T Nonces Init-Strands[A, B, M, N a, k

Penetrator (Adversary) 3Represented in terms of atomic (abstract) actions More complex actions can be built from these 3Unbounded number of strands of the forms: [C]: g, h, gh [S]: gh, g, h [E]: g, k, { g } k [D]: { g } k, k 1, g 3 3 [M]: g, if g T P T [K]: k, if k K P K (Often assume limits on T P, K P ) Communication channels double as penetrator wo Model penetrator control over network later

Bundles 3Consider graphs where Nodes are actions on regular, penetrator stran Two types of edges: We write g g (transmission/receptio We write g h if (g, h) are consecutive s strand 3A bundle is such a graph C (finite) where If n is a node of C, then there exists a un n of C such that n n is an edge of C If n 1 is a node of C, and n 0 n 1, then n 0 is C and n 0 n 1 is an edge of C C is acyclic 3Models concepts of causality

Example Bundle A B S M A B M 1 M A B M 1 M A B M 1 M 2 M A B M 1 M M 3 M 4 M 3 M 4 M 4 M 4

Example Bundle M M M A B K K A B { M } K B M A B M A B { M } K M M A B { M } K N (Where N = { N b M A B } Kbs )

Bundle Properties 3Bundles are partial orders Any non-empty set has minimal elements 3Important Definition 1: A value v originates on a node n if n is a positive node (transmission) v n, If n... n, then v n Origination points are where values spontane pear Minimal elements of {n v n} are origination We model the freshness of a value by saying t a unique origination point in the bundle

Bundle Properties (continued) 3Important Definition 2: A set H A is honest, with respect to a set trator strands, if For all bundles C, minimal elements of {n nodes(c) term(n) H} are not on penetrator nodes. Important tool for proving security conditions Example of honest set will come later

Secrecy Conditions 3Intuitively, a value v is secret if no penetrator can v from the messages of regular participants 3A value v is secret, with respect to a set of assum if no bundle that satisfies A contains a node of the 3One proof technique: Show that v is in an honest set H Fix an arbitrary bundle that satisfies A. Through case analysis, show that H has no m ements on regular strands Because H is honest, no minimal elements on p strands Hence, no nodes in bundle in H

Authentication Conditions 3Example: If a bundle contains all of a given initiat then it must also contain a given responder strand 3Formalized as inference: If a bundle contains a str α, then the bundle also contains a strand from a s β 3One proof technique: Suppose the bundle contains a strand s α Find a honest set H s so that s contains a nod Since the bundle has a node in H s, it must ha imal element Minimal elements must be on regular strands Show that those strands must be in β

Ideals 3 3 3 Honest sets only useful if they exist Let k K. Then a k-ideal I is a set such that g I g h I, h g I g I, k k { g } k I Let S be a set of messages. Then I k [S] is the smallest k-ideal that contain 3Big theorem: If S T K, S (T P K P ) =, k = (K \ S) 1, and Then I k [S] is honest

Ideals Intuition 3 Typically, S is a set of secrets Since k = (K \ S) 1, k contains (inverse of) e key 3 I k [S] contains every term in which a secret is encry with non-secret keys 3Theorem: penetrator can only produce one of thes ing one first

Otway-Rees Secrecy 3 Wish to show secrecy of K ab: Suppose K ab is uniquely originating Suppose K as, K bs K P Suppose the bundle C contains a strand in Serv-Strands[A, B, M, N a, N b, K ab ] Let S = {K as, K bs, K ab }, k = K \ S Then no node in C is in I k [S] 3 Proof: S, k meet criteria of big theorem Case analysis: no regular node are minimal el I k [S] Hence, no nodes in bundle in I k [S]

Corollary to Big Theorem 3 Suppose S T K, (K \ S) 1 = k, and S (T P K P ) No regular node is a minimal element of I k [S Then any message of the form { g } k for k S m originated on a regular node.

Otway-Rees Authentication 3Suppose C contains a strand in Init-Strands[A, B, M 3 If: A B, N a is uniquely originating, All keys that originate on server strands uniqu nate on server strands K as, K bs K P, 3 Then for some N b, C contains strands in Serv-Strands[A, B, M, N a, N b, K ab ], and Resp-Strands[A, B, M, N b, ]

Otway-Rees Authentication: Proof 3Proof: Messy 3 Let S = {K as}, k = K \ S. 3 Show no regular nodes are minimal elements I k [S 3 Apply Corollary: Any term of the form { g } K as orig regular node 3 Hence, { N a K ab } Kas originates on regular node Case analysis: strand in Serv-Strands[A, B, M, N a, N b, K ab ] (for some 3 Apply previous result: No minimal elements of I k [ S = {K as, K bs, K ab }, k = K \ S 3 Hence { M N b A B } Kbs originates on regular strand Case analysis: Resp-Strands[A, B, M, N b, ]

Otway-Rees Authentication (continued) 3Similar result for Responder: suppose C contains a strand in 3 3 Resp-Strands[A, B, M, N a, K ab ] A B, N b is uniquely originating, All keys that originate on server strands uniqu nate on server strands K as, K bs K P, Then C contains strands in Serv-Strands[A, B, M, and Init-Strands[A, B, M,, ] Note: Cannot show that initiator, responder agree key

Closing Remarks 3Further developments: Protocol composition Automated protocol analysis Athena (Song) Simpler results Authentication tests 3Open questions Non-free algebras (Xor, Diffie Hellman) Reconciliation with computational viewpoint

What Good are Proofs? 3Strands: proof technique Uses (standard) strong assumptions Proves (at present) protocol-specific statemen 3Proof fails: Find cryptography-independent flaw 3Proof works: What have you shown? Strong motivation for justifying assumptions Goal for further work on cryptographic primiti

Formalization of Security Conditions 3In practice, two types of security conditions to pro Secrecy of values (keys, nonces) Authentication 3State of the art: Competing models, formalizations, intuitions Most methods prove protocol-specific condi pressed in model Why? Still debate over right definitions Protocols seem to satisfy points on cont conditions 3No reason Strand Space reasoning would be inva universal definitions

Origination Vs. Minimality g g h h g h g h g g h h g h a a b b a b a b a

Subterm relation 3 Note that k { g } k k g Intuition: a b means that a can be learned To say that k { g } k (unless k g) prohibits attacks Other definitions of subterm possible Lead to similar results

Ideals (continued) 3Proof of big theorem case analysis 3 Example: [D] strand ( { g } k, k 1, g ) If g is a minimal element, then k 1 I k [S k 1 S Since (K \ S) 1 = k, k 1 k 1. Hence, k But since g I k [S], { g } k I k [S]

Ideals (continued) 3More complex example: [E] strand ( g, k, { g Suppose { g } k I k [S], but g I k [S] Let I = I k [S] \ {{ g } k }. I still contains S S T K I still closed under join operator I still closed under encryption with keys in k If not, because g Ik [S] and k k Hence, I a smaller k-ideal containing S, a con

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback