Equivalence-Based Security Specifications A. Datta, R Küsters, J. Mitchell, A. Ramanathan, V....
-
date post
21-Dec-2015 -
Category
Documents
-
view
217 -
download
2
Transcript of Equivalence-Based Security Specifications A. Datta, R Küsters, J. Mitchell, A. Ramanathan, V....
Equivalence-Based Security Specifications
A. Datta, R Küsters, J. Mitchell, A. Ramanathan, V. Shmatikov
A. Scedrov, V. Teague, P. Mateus
General approach
Real protocol• The protocol we want to use• Expressed precisely in some formalism
Idealized protocol• May use unrealistic mechanisms (e.g., private
channels)• Defines the behavior we want from real protocol• Expressed precisely in same formalism
Specification• Real protocol indistinguishable from ideal protocol• Beaver ‘91, Goldwasser-Levin ‘90, Micali-Rogaway ’91• Depends on some characterization of observability
Achieves compositionality
Secrecy for Challenge-Response
Protocol P A B: { i } K
B A: { f(i) } K
“Obviously’’ secret protocol Q A B: { random_number } K
B A: { random_number } K
Specification with Authentication
Protocol P A B: { random i } K
B A: { f(i) } K
A B: “OK” if f(i) received
“Obviously’’ authenticating protocol Q A B: { random i } K
B A: { random j } K i , j
A B: “OK” if private i, j match public msgs
public channel private channel
public channel private channel
Pseudo-random number generators
Sequence generated from random seedPn: let b = nk-bit sequence generated from n random bits
in PUBLIC b end Truly random sequence
Qn: let b = sequence of nk random bits
in PUBLIC b end P is crypto strong pseudo-random number
generatorP QEquivalence is asymptotic in security parameter
n
Compositionality (intuition)
Crypto primitives• Ciphertext indistinguishable from
noise encryption secure in all protocols
Protocols• Protocol indistinguishable from ideal
key distribution protocol secure in all systems that
rely on secure key distributions
Compositionality
Intuitively, if: • Q securely realizes I , • R securely realizes J, • R, J use I as a component,
then R{Q/I} securely realizes J
Fits well with process calculus because is a congruence
• Q I C[Q] C[I] • contexts constructed from R, J, simulators
Three technical settings
Canetti – Universal composability• Condition: two adversaries and environment• Computation: Communicating Turing machines
PW, … – Black-box simulatability• Condition: one adversary, simulator, environment• Computation: I/O automata (or CT machines)
AG,LMMRST… - Process equivalence• Condition: observational equivalence• Computation: ppoly or nondet process calculus
Compare symmetric version of conditions over uniform computation model
More Background
Universal Compos.
Black-box Simulat.
Observ. Equiv.
Communicating Turing Mach
Canetti Canetti
I/O Automata Pfitz-W Pfitz-W
Nondet. Process Calc
Spi, Applied
Prob Poly Process Calc
LMMRST
This study
Universal Compos.
Black-box Simulat.
Observ. Equiv.
Communicating Turing Mach
Canetti Canetti
I/O Automata Pfitz-W Pfitz-W
Nondet. Process Calculus
Spi, Applied
Prob Poly Process Calculus
LMMRST
Axiomatic Calculus
UC BB PE
Ideal functionality (UC,BB)
What is the ideal key exchange protocol?• Clients ask server for key, receive response?• Server chooses keys and sends secretly?
Issue• Easy to distinguish number of messages• No “canonical” key exchange protocol is
equivalent to all secure key exchange protocols
Ideal functionality• Not a protocol with number of messages, etc.• A functionality that can be used to create
ideal protocols
Adversary vs Environment (UC,BB)
Adversary• Interacts with protocol over network• Does not choose messages to send, contract to
sign, certificate authority,…
Environment• Represents the configuration of honest users
who are trying to use the protocol• Input to general protocol• Example
– Kerberos TGS, KDC, clients, servers set by environment
Universal composability (UC)
Given• Protocol P• Ideal functionality F
Require• For every attack A1 on P, there exists an
attack A2 on F revealing same
information in any environment E• And conversely (in symmetric form of
UC)
Black-box simulatability
Given• Protocol P• Ideal functionality F
Require• There exists a simulator S such that
for any attacker A, protocols P and SF reveal same information in any environ E
Observational Equivalence
Given• Protocol P• Ideal protocol Q (not functionality F)
Require• Protocols P and Q reveal same
information in any context
No simulator, context = attacker + env
Comparison
UC and BB use “ideal functionality”+ Allows single specification, regardless of
communication pattern of protocol Observational equivalence
+ Standard relation, well-known properties
+ Bisimulation technique
+ Proof system Separate adversary and environment
- Not clear if useful, except in exposition
Add ideal functionality to specification using process equivalence
Language Approach
Write protocol in process calculus• Accepted and long-studied approach to concurrency
Express security using observational equivalence• Standard relation from programming language theory P Q iff for all contexts C[ ], same observations about C[P] and C[Q]• Inherently compositional • Context represents adversary
Use proof rules for to prove security• Protocol is secure if no adversary can distinguish it from
some idealized version of the protocol
Rest of talk
Process calculus summary Formal definition of relations Sketch proof of equivalences Future directions
Syntax
Bounded -calculus with integer termsP :: = 0| cq(|n|) T send up to q(|n|) bits
| cq(|n|) (x). P receive
| cq(|n|) . P private channel
| [T=T] P test| P | P parallel composition| ! q(|n|) . P bounded replication
Terms may contain symbol n; channel width and replication bounded by poly in |n|
Equational principles
P | Q Q | P P | (Q | R) (P | Q) | R P | 0 P c. P d. [d/c]P same bandwidth, … c. C[P] C[c.P] c channels( C[0] )
P Q Q P P Q, Q R P R P Q C[P] C[Q]
Prove results using these properties of process calculus; true for TM, IOA
Formal definitions
Universal composabilityA1 A2 . net(P | A1) net(F | A2)
Black-box simulability S A . net(P | A) net(sim(F|S)|A)
Process equivalenceS . P sim(F | S)
Notes• Relation includes quantifying over
environments• Divide channels into network channels,
simulator channels, environment channels
Results
UC and BB• Equivalent w/synchronous communication• Equivalent w/asynchronous communication
BB and Process Equivalence (PE)• PE implies BB in synch communication• PE equivalent BB with asynch communication
These results are proved formally in process calculus (we worked out soundness for PPC and spi-calculus).
Results hold for any computational framework satisfying equational principles given in earlier slide
Proof sketch (also have nice pictures)
PE BB UC : Easy. Congruence and quantifier order.
UC BB
BB PE
Key Lemmas
Lemma 6. Scope Extrusion c. (P | Q) (c.P) | Q c channels( Q )
Lemma 8. Double buffering• One asynchronous buffer is indistinguishable
from the composition of two
Lemma 9. Dummy adversary and buffer• Composing a dummy adversary (that just
sends network information to the environment) with asynchronous buffer is indistinguishable from a buffer alone
Synchronous communication
Buffering fails• With synchronous communication, adding a buffer or
dummy adversary can change the observable order of actions