Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis
description
Transcript of Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis
![Page 1: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/1.jpg)
Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis
John MitchellStanford University
P. Lincoln, M. Mitchell, A. Ramanathan, A. Scedrov, V.
Teague
![Page 2: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/2.jpg)
Outline
Some discussion of protocols Goals for process calculus Specific process calculus
• Probabilistic semantics• Complexity – probabilistic poly time• Asymptotic equivalence • Pseudo-random number generators• Equational properties and challenges
![Page 3: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/3.jpg)
Protocol Security
Cryptographic Protocol• Program distributed over network• Use cryptography to achieve goal
Attacker• Intercept, replace, remember messages • Guess random numbers, do
computation Correctness
• Attacker cannot learn protected secret or cause incorrect protocol completion
![Page 4: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/4.jpg)
IKE subprotocol from IPSEC
A, (ga mod p)
B, (gb mod p)
Result: A and B share secret gab mod p
Analysis involves probability, modular exponentiation, digital signatures, communication networks, …
A B
m1
m2 ,
signB(m1,m2)
signA(m1,m2)
![Page 5: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/5.jpg)
Simpler: Challenge-Response
Alice wants to know Bob is listening• Send “fresh” number n, Bob returns f(n)• Use encryption to avoid forgery
Protocol• Alice Bob: { nonce }K
• Bob Alice: { nonce * 5 }K
Can Alice be sure that– Message is from Bob?– Message is in response to one Alice sent?
![Page 6: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/6.jpg)
Important Modeling Decisions
How powerful is the adversary?• Simple replay of previous messages• Decompose, reassemble and resend• Statistical analysis, timing attacks, ...
How much detail in model of crypto?• Assume perfect cryptography• Include algebraic properties
– encr(x*y) = encr(x) * encr(y) for RSA encrypt(k,msg) = msgk mod N
![Page 7: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/7.jpg)
Standard analysis methods
Finite-state analysis Logic based models
• Symbolic search of protocol runs • Proofs of correctness in formal logic
Consider probability and complexity• More realistic intruder model• Interaction between protocol and
cryptographyHard
Easy
![Page 8: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/8.jpg)
Comparison
Low High
Hig
hL
ow
Sop
hist
icat
ion
of a
ttac
ks
Protocol complexity
Mur
FDR
NRL
Poly-time calculus
Athena
Hand proofs
Paulson
Bolignano
BAN logic
Spi-calculus
![Page 9: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/9.jpg)
Outline
Some discussion of protocols Goals for process calculus Specific process calculus
• Probabilistic semantics• Complexity – probabilistic poly time• Asymptotic equivalence • Pseudo-random number generators• Equational properties and challenges
![Page 10: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/10.jpg)
Language Approach [Abadi, Gordon]
Write protocol in process calculus Express security using observational equivalence
• Standard relation from programming language theory P Q iff for all contexts C[ ], same observations about C[P] and C[Q]• Context (environment) represents adversary
Use proof rules for to prove security• Protocol is secure if no adversary can distinguish it from
some idealized version of the protocol
Great general idea; application is complicated
![Page 11: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/11.jpg)
Probabilistic Poly-time Analysis
Add probability, complexity Probabilistic polynomial-time process calc
• Protocols use probabilistic primitives– Key generation, nonce, probabilistic encryption, ...
• Adversary may be probabilistic
Express protocol and spec in calculus Security using observational equivalence
• Use probabilistic form of process equivalence
![Page 12: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/12.jpg)
Secrecy for Challenge-Response
Protocol P A B: { i } K
B A: { f(i) } K
“Obviously’’ secret protocol Q A B: { random_number } K
B A: { random_number } K
Analysis: P Q reduces to crypto condition related to non-malleability [Dolev, Dwork, Naor]
– Fails for RSA encryption if f(i) = 2i
![Page 13: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/13.jpg)
Specification with Authentication
Protocol P A B: { random i } K
B A: { f(i) } K
A B: “OK” if f(i) received
“Obviously’’ authenticating protocol Q A B: { random i } K
B A: { random j } K i , j
A B: “OK” if private i, j match public msgs
public channel private channel
public channel private channel
![Page 14: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/14.jpg)
Nondeterminism vs encryption
Alice encrypts msg and sends to Bob• A B: { msg } K
Adversary uses nondeterminism• Process E0 c0 | c0 | … | c0
• Process E1 c1 | c1 | … | c1
• Process E c(b1).c(b2)...c(bn).decrypt(b1b2...bn, msg)
In reality, at most 2-n chance to guess n-bit key
![Page 15: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/15.jpg)
Semantics
Nondeterministic SemanticsProbabilistic Semantics
0.5
0.5
0.2
0.3
0.5
0.2
0.3
0.2
0.3
0.5
0.5
0.5
0.2
0.3
0.2
0.5
0.2
0.3
0.5
0.5
Prove initial results for arbitrary scheduler
![Page 16: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/16.jpg)
Methodology
Define general system• Process calculus• Probabilistic semantics• Asymptotic observational equivalence
Apply to protocols• Protocols have specific form• “Attacker” is context of specific form
– Induces coarser observational equivalence
This talk: general calculus and properties
![Page 17: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/17.jpg)
Outline
Some discussion of protocols Goals for process calculus Specific process calculus
• Probabilistic semantics• Complexity – probabilistic poly time• Asymptotic equivalence • Pseudo-random number generators• Equational properties and challenges
![Page 18: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/18.jpg)
Technical Challenges
Language for prob. poly-time functions• Extend work of Cobham, Cook, Hofmann
Replace nondeterminism with probability• Otherwise adversary is too strong ...
Define probabilistic equivalence• Related to poly-time statistical tests ...
![Page 19: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/19.jpg)
Syntax
Bounded -calculus with integer termsP :: = 0| cq(|n|) T send up to q(|n|) bits
| cq(|n|) (x). P receive
| cq(|n|) . P private channel
| [T=T] P test| P | P parallel composition| ! q(|n|) . P bounded replication
Terms may contain symbol n; channel width and replication bounded by poly in |n|
![Page 20: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/20.jpg)
Probabilistic Semantics
Basic idea• Alternate between terms and processes
– Probabilistic evaluation of terms (incl. rand)– Probabilistic scheduling of parallel processes
Two evaluation phases• Outer term evaluation
– Evaluate all exposed terms, evaluate tests
• Communication– Match send and receive– Probabilistic if multiple send-receive pairs
![Page 21: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/21.jpg)
Scheduling
Outer term evaluation• Evaluate all exposed terms in parallel• Multiply probabilities
Communication• E(P) = set of eligible subprocesses• S(P) = set of schedulable pairs• Prioritize – private communication first• Choose highest-priority communication
with uniform (or other) probability
![Page 22: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/22.jpg)
Example
Process• crand+1 | c(x).dx+1 | d2 | d(y).
ex+1 Outer evaluation
• c1 | c(x).dx+1 | d2 | d(y). ex+1• c2 | c(x).dx+1 | d2 | d(y). ex+1
Communication• c1 | c(x).dx+1 | d2 | d(y). ex+1
Each prob ½
Choose according to probabilistic scheduler
![Page 23: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/23.jpg)
Example (again)
Each with prob 0.5
Choose according to probabilistic scheduler
crand+1 | c(x).dx+1 | d2 | d(y). ex+1
c2 | c(x).dx+1 | d2 | d(y). ex+1
c1 | c(x).dx+1 | d2 | d(y). ex+1
OuterEval
Comm
Step
![Page 24: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/24.jpg)
Complexity results
Polynomial time• For each process P, there is a poly q(x)
such that– For all n– For all probabilistic schedulers– All minimal evaluation contexts C[ ]
eval of C[P] halts in time q(|n|+|C[]|)
• Minimal evaluation context– C[ ] = c(x).d(y)…[ ] | c20 | d7 | e492 | …
![Page 25: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/25.jpg)
Complexity: Intuition
Bound on number of communications• Count total number of inputs, multiplying by
q(|n|) to account for ! q(|n|) . P
Bound on term evaluation• Closed T evaluated in time qT(|n|)
Bound on time for each comm step• Example: cm | c(x).P [m/x]P • Substitution bounded by orig length of P
– Size of number m is bounded– Previous steps preserve # occurr of x in P
![Page 26: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/26.jpg)
Outline
Some discussion of protocols Application of process calculus Specific process calculus
• Probabilistic semantics• Complexity – probabilistic poly time• Asymptotic equivalence• Pseudo-random number generators• Equational properties and challenges
![Page 27: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/27.jpg)
How to define process equivalence?
Intuition• | Prob{ C[P] “yes” } - Prob{ C[Q] “yes” } | <
Difficulty
• How do we choose ?– Less than 1/2, 1/4, … ? (not equiv relation)– Vanishingly small ? As a function of what?
Solution• Use security parameter
– Protocol is family { Pn } n>0 indexed by key length
• Asymptotic form of process equivalence
Problem:
![Page 28: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/28.jpg)
Probabilistic Observational Equiv
Asymptotic equivalence within fProcess, context families { Pn } n>0 { Qn } n>0 { Cn } n>0
P f Q if contexts C[ ]. obs v. n0 . n> n0 .
| Prob[Cn[Pn] v] - Prob[Cn[Qn] v] | < f(n)
Asymptotically polynomially indistinguishableP Q if P f Q for every polynomial f(n) = 1/p(n)
Final def’n gives robust equivalence relation
![Page 29: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/29.jpg)
Outline
Some discussion of protocols Application of process calculus Specific process calculus
• Probabilistic semantics• Complexity – probabilistic poly time• Asymptotic equivalence• Pseudo-random number generators• Equational properties and challenges
![Page 30: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/30.jpg)
Compare with standard crypto
Sequence generated from random seedPn: let b = nk-bit sequence generated from n random bits
in PUBLIC b end
Truly random sequenceQn: let b = sequence of nk random bits
in PUBLIC b end
P is crypto strong pseudo-random generatorP QEquivalence is asymptotic in security parameter n
![Page 31: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/31.jpg)
Desired equivalences
P | (Q | R) (P | Q) | R P | Q Q | P P | 0 P P Q C[P] C[Q]
P c. ( c<1> | c(x).P) x FV(P)
Warning: hard to get all of these…
![Page 32: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/32.jpg)
How to establish equivalence
Labeled transition system• Allow process to send any output, read any input• Label with numbers “resembling probabilities”
Simulation relation• Relation on processes• If P Q and P P’, then exists Q’ with Q Q’ and P’ Q’
Weak form of prob equivalence• But enough to get started …
r
~~ ~
r
![Page 33: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/33.jpg)
Hold for uniform scheduler
P | (Q | R) (P | Q) | R P | Q Q | P P | 0 P P Q C[P] C[Q]
![Page 34: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/34.jpg)
Problem
Want this equivalence• P c. ( c<1> | c(x).P) x FV(P)
Fails for general calculus, general • P = d(x).e<x>• C[ ] = d.( d<1> | d(y).e<0> | [ ] )
![Page 35: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/35.jpg)
Comparison
d.( d<1> | d(y).e<0> | d(x).e<x> )
d.( d<1> | d(y).e<0> | c. ( c<1> | c(x).P) )
e<0> e<1>
left c<1>
e<0> e<1>
P
e<0>
Even prioritizing private channels, equivalence fails
c<1>left right right left
![Page 36: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/36.jpg)
Paradox
Two processors connect by network
Each does private actions Unrealistic interaction
• Private coin flip in Beijing does not influence coin flip in Washington
![Page 37: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/37.jpg)
Solutions
Modify scheduler• Process private channels left-to-right• Each channel: random send-receive
pair Restrict syntax of protocol, attack
• C[ P ] = C[ c. ( c<1> | c(x).P) ] for all contexts C[ ] that – do not share private channels– do not bind channel names used in [ ]
Modification of scheduler more reasonable for protocols
![Page 38: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/38.jpg)
Current State of Project
Framework for protocol analysis • Determine crypto requirements of protocols • Precise definition of crypto primitives
Probabilistic ptime language Process framework
• Replace nondeterminism with rand• Equivalence based on ptime statistical tests
Methods for establishing equivalence• Develop probabilistic simulation technique
Examples: Diffie-Hellman, Bellare-Rogaway, …
![Page 39: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/39.jpg)
Compositionality
Property of observational equiv
A B C D
A|C B|D
similarly for other process forms
![Page 40: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/40.jpg)
Zero-Knowledge Protocol
Witness protection program• Q(x) iff w. P(x,w) • Prove w. P(x,w) without revealing w
P V
I know a number x with Q(x)
Answer these questions
Here. Now you’ll believe me.
![Page 41: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/41.jpg)
Identify Friend or Foe
Sequential• One
conversation at a time
Concurrent • Base station
proves identity concurrently
Base
M
AV
S
prover verifiers
Are concurrent sessions still zero-k ?
![Page 42: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader036.fdocuments.us/reader036/viewer/2022062804/5681491e550346895db65a92/html5/thumbnails/42.jpg)