Universally Composable Symbolic Analysis of Key-Exchange Protocols

Jonathan Herzog (Joint work with Ran Canetti)

21 September 2004

The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the author. If captured, MITRE will disavow any knowledge of your activities. Void where prohibited by law. No warranty expressed or implied.
Date posted: 22-Dec-2015

Introduction

  • This talk: symbolic (Dolev-Yao) analysis can guarantee concrete (Universally Composable) security
      • UC security: strongest known definition of security in computational model
      • Therefore: automated formal analysis as strong as strongest concrete, hand-crafted proof
  • Previous work: AR, MW, BPW, Gergi, others
      • Computational soundness for Dolev-Yao assumptions
      • Only relates proof-steps of formal analysis to proof-steps of computational analysis
      • Are the two models trying to prove the same goal?

Our Results

  • Same security goals? Yes and no.
  • Mutual authentication: Yes
      • DY-MA, UC-MA achieved by same protocols
      • UC analog to MW04
      • Last mention of mutual authentication
      • All interesting details in KE case, anyway
  • Key-Exchange (KE): No
      • DY-KE is strictly weaker than UC-KE
      • Why? DY notion of secrecy weaker than UC notion
      • DY-KE and UC-KE equivalent, however, under “real-or-random” notion of secrecy

Universally composable security

  • Strongest known computational definition of security [C, BPW]
  • Definition phrased in terms of single execution
  • Implies secure even when composed with
      • Arbitrary peer protocols
      • Arbitrary sub-protocols
      • Arbitrary higher-level protocols
  • Currently requires “hand-crafted” proofs
  • Our goal: prove security in Dolev-Yao model instead
      • Show DY-KE equivalent to UC-KE

Analysis strategy

[Diagram; labels: Concrete protocol; UC-KE using actual crypto; Symbolic single-instance protocol; Satisfies DY-KE; Single-instance setting; Securely realizes UC-KE (UC crypto); Security for multiple instances; Ideal cryptography; UC theorem; Simplify; UC w/ joint state]

Overview of talk

  • First half: overview of UC security
      • (Familiarity with Dolev-Yao model assumed)
  • Second half: Relating Dolev-Yao and UC models
      • Key-exchange

Computational protocols

  • Computational protocol:
      • Each message a bit-string
      • Each participant an efficient Turing machine
      • Take inputs, produce outputs
      • Adversary (also Turing machine) controls network
  • Two questions:
      1. What is a protocol supposed to do?
      2. What does it mean to do it securely?

[Diagram: participants P and P, adversary A]

The functionality

  • Pretend each participant has secure channel to a trusted third party called the functionality
  • “Dummy” participants send inputs to functionality
  • Functionality calculates, sends appropriate output to each participant
  • Functionality also provides channel to adversary

[Diagram: functionality F, participants P’ and P’, adversary A]

Example: KE functionality

[Diagram; labels: (P1, P2); (P2, P1); (start, P1, P2); (start, P2, P1); (Key, K); (Key, K); (finished, P2); (start, P2, P1); (start, P1, P2); (finished, P1); K]

The functionality (cont.)

  • Definition of F specifies what information, options available to adversary
      • Adversary knows who starts protocol,
      • Chooses who receives keys
  • Assumption: we are willing to tolerate that leakage, those options, but no more
      • Adversary never learns key
      • Participants never get different keys
  • Intuition: no adversary should be able to tell real setting from functionality setting
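
Added example (not from the talk): a toy Python model of a key-exchange functionality with the leakage and options listed above. The class and method names, the handling of the (start, ...), (finished, ...) and (Key, ...) messages, and the rule that the key is drawn once both parties have started are assumptions made for illustration, not the paper's definition of F.

```python
import secrets

class KeyExchangeFunctionality:
    """Toy model of F for one session; names and rules are assumptions."""

    def __init__(self, key_bytes=16):
        self.key_bytes = key_bytes
        self.started = set()       # (party, peer) pairs that sent start
        self.key = None            # drawn by F alone, never by a party
        self.adversary_view = []   # the only information the adversary gets

    def start(self, party, peer):
        """Dummy participant input (start, party, peer)."""
        self.started.add((party, peer))
        # Tolerated leakage: the adversary learns who started the protocol.
        self.adversary_view.append(("start", party, peer))
        if (peer, party) in self.started and self.key is None:
            self.key = secrets.token_bytes(self.key_bytes)

    def finished(self, party):
        """Adversary option (finished, party): choose who receives the key."""
        has_started = any(p == party for p, _ in self.started)
        if self.key is None or not has_started:
            return None            # nothing to deliver yet
        # Every recipient gets the same K; it goes to the party, not to A.
        return ("Key", self.key)

def run_session():
    """Constructed run: both parties start, adversary releases to both."""
    f = KeyExchangeFunctionality()
    f.start("P1", "P2")
    early = f.finished("P1")       # peer has not started: no key yet
    f.start("P2", "P1")
    out1, out2 = f.finished("P1"), f.finished("P2")
    return f, early, out1, out2
```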

Formalizing intuition

  • In the “real” scenario, adversary sees potentially long series of messages

[Diagram: participants P and P, adversary A]

Formalizing intuition (cont.)

  • In the “ideal” scenario, adversary sees different set of messages (defined by description of F)
  • Need to make functionality “look” like protocol
  • This task performed by simulator

[Diagram: functionality F, participants P’ and P’, adversary A]

The simulator

  • Sits between functionality and adversary
  • Translates functionality output into “protocol”
  • Does not see F’s messages to participants!

[Diagram: functionality F, participants P’ and P’, adversary A, simulator S]

Protocol security

  • A protocol securely realizes functionality F if:
      • simulator S so that no adversary can distinguish between execution of and execution of (F, S)
  • Note that simulator does not see “forbidden” information
      • Participant inputs, outputs from F to participants
  • Thus, simulator output is independent of forbidden info
  • If simulated protocol indistinguishable from real protocol, real protocol must also be (computationally) independent of forbidden information as well

Higher-level protocols

  • Protocol may be sub-protocol of higher-level protocol ’
  • Protocol ’ may leak info about P to adversary
  • Worst case scenario: adversary learns from P’ entire output from P
      • And can set inputs to P

[Diagram: functionality F, participants P and P, adversary A, simulator S]

Higher-level protocols (cont.)

  • Is it meaningful to even talk about security when higher-level protocols reveal everything?
  • Answer: we have no control over higher-level protocol
  • Nevertheless, we will keep our end of the deal
      • Will remain indistinguishable from F regardless of what higher-level protocol (or adversary) does

UC secure realization of F

  • S s. t. these two situations indistinguishable to all adversaries:

[Diagrams: (1) functionality F, participants P and P, adversary A, simulator S; (2) participants P and P, adversary A]

Key exchange

  • Standard symbolic definition:
      • Key Agreement: If P1 outputs (Finished K) and P2 outputs (Finished K’) then K = K’.
      • Traditional Dolev-Yao secrecy: If either participant outputs (Finished K), then adversary can never learn K
  • Not strong enough!
      • Protocols exist that satisfy above, but not UC secure
      • Example: Needham-Schroeder-Lowe

Needham-Schroeder-Lowe

  • Suppose K=Nb is used as secret key
      • Secret, under traditional definition
  • K output by A before B receives third message
  • Goal of adversary: distinguish
      • Real - K used in protocol
      • Ideal - K independent of simulated protocol

[Diagram: messages between A and B, in order: {A Na}KB; {B Na K}KA; {K}KB]

Distinguisher for NSL

  • Test: Flip coin
      • Heads: send {K}KB (real value) to B
      • Tails: make random key K’, send {K’}KB to B
  • Adversary knows B’s “correct” response from B
      • B will give correct response in real setting
      • Simulator in ideal setting won’t know what to do
          • Can’t tell K’ from K
          • Both random values to simulator
          • Will be wrong with probability .5
  • No simulator can fool this adversary
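
Added example (not from the talk): an exact enumeration of the coin-flip test above over a toy key space, showing that every sample simulator answers correctly with probability exactly 1/2 while the real B is always correct. KEYSPACE, the function names and the four simulator strategies are constructed for illustration; encryption is idealized, so {x}KB is represented by x itself, which B (or the simulator playing B) can read.

```python
from fractions import Fraction
from itertools import product

KEYSPACE = range(8)   # toy key/nonce space (constructed), stands in for n-bit keys
COINS = ("heads", "tails")

def real_match_probability():
    """Real setting: B holds Nb = K and accepts {x}KB iff x == Nb."""
    hits = total = 0
    for k, coin in product(KEYSPACE, COINS):
        for k_other in (x for x in KEYSPACE if x != k):   # adversary's K'
            sent = k if coin == "heads" else k_other
            b_accepts = (sent == k)
            hits += b_accepts == (coin == "heads")   # matches expected response?
            total += 1
    return Fraction(hits, total)

def ideal_match_probability(simulator):
    """Ideal setting: K comes from F; the simulator only has its own nonce."""
    hits = total = 0
    for k, sim_nonce, coin in product(KEYSPACE, KEYSPACE, COINS):
        for k_other in (x for x in KEYSPACE if x != k):
            sent = k if coin == "heads" else k_other
            answer = simulator(sim_nonce, sent)   # never sees k or the coin
            hits += answer == (coin == "heads")
            total += 1
    return Fraction(hits, total)

# Sample simulator strategies (constructed): decide accept/reject for "B".
SIMULATORS = {
    "always accept": lambda nonce, sent: True,
    "always reject": lambda nonce, sent: False,
    "accept own nonce": lambda nonce, sent: sent == nonce,
    "accept even": lambda nonce, sent: sent % 2 == 0,
}

def advantage(simulator):
    """Gap between how often the response is correct in the two settings."""
    return real_match_probability() - ideal_match_probability(simulator)
```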

Real-or-random (1/3)

  • Need: real-or-random property for session keys:
      • Let be a protocol
      • Let r be , except that when a participant finishes, it outputs real key Kr
      • Let f be , except that when a participant finishes, it outputs random key Kf
  • Want: adversary can’t distinguish two protocols

Real-or-random (2/3)

  • Let S be a strategy
      • Sequence of deductions and transmissions
  • Attempt 1: For any strategy, Trace(S, r) = Trace(S, f)
      • Problem: Kf not in any traces of r
  • Attempt 2: Trace(S, r) = Rename(Trace(S, f), Kf Kr)
      • Sufficient for “if,” too strong for “only if”
      • Two different traces may ‘appear’ the same to adversary

Real-or-random (3/3)

  • Observable part of trace: Abadi-Rogaway pattern
      • Undecipherable encryptions replaced by “blob”
  • Example:
      t = {N1, N2}K1, {N2}K2, K1^-1
      Pattern(t) = {N1, N2}K1, K2, K1^-1
  • Final condition: for any strategy:
      Pattern(Trace(S, r)) = Pattern(Rename(Trace(S, f), Kf Kr))
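
Added example (not from the talk): a small Python pattern function in the Abadi-Rogaway style, run on the example trace t above and on two constructed cases: a nested-key trace, and a pair of traces that differ only inside an undecipherable ciphertext (the "two different traces may appear the same" point from part 2/3). The tuple encoding of terms and the choice to label each blob with its encryption key are assumptions made here.

```python
# Terms (constructed encoding): ("nonce", n), ("inv", k) private key,
# ("enc", k, [terms]) public-key encryption under k, ("blob", k).

def _readable_inv_keys(term, known, found):
    """Add to found every private key visible in term, given known keys."""
    if term[0] == "inv":
        found.add(term[1])
    elif term[0] == "enc" and term[1] in known:
        for sub in term[2]:
            _readable_inv_keys(sub, known, found)

def recoverable_keys(trace):
    """Least fixed point of the private keys the observer can extract."""
    known = set()
    while True:
        found = set(known)
        for term in trace:
            _readable_inv_keys(term, known, found)
        if found == known:
            return known
        known = found

def _pattern_term(term, known):
    if term[0] != "enc":
        return term
    if term[1] not in known:
        return ("blob", term[1])     # undecipherable: contents hidden
    return ("enc", term[1], [_pattern_term(s, known) for s in term[2]])

def pattern(trace):
    """Observable part of a trace: unopenable encryptions become blobs."""
    known = recoverable_keys(trace)
    return [_pattern_term(t, known) for t in trace]

N1, N2, N3 = ("nonce", "N1"), ("nonce", "N2"), ("nonce", "N3")
# The slide's example: t = {N1, N2}K1, {N2}K2, K1^-1
SLIDE_T = [("enc", "K1", [N1, N2]), ("enc", "K2", [N2]), ("inv", "K1")]
# Constructed: K2^-1 is only reachable after opening the K1 ciphertext.
NESTED = [("enc", "K2", [N3]), ("enc", "K1", [("inv", "K2")]), ("inv", "K1")]
# Constructed: two traces that differ only inside a ciphertext nobody can open.
TRACE_A = [("enc", "K2", [N1]), N3]
TRACE_B = [("enc", "K2", [N2]), N3]
```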

Main results

  • Theorem: let be a concrete protocol. Then securely realizes FKE iff satisfies
      1. Key agreement
      2. Traditional Dolev-Yao secrecy of session key
      3. Real-or-random

Future work

  • How to prove Dolev-Yao real-or-random?
      • Possibly related to Blanchet’s “super secrecy”
      • Simpler form?
  • Similar results for protocols using symmetric encryption, signatures, Diffie-Hellman?

Backup-slides

Example: MA functionality

[Diagram; labels: (P1, P2); (P2, P1); (start, P1, P2); (start, P2, P1); (finished, P1, P2); (finished, P1, P2); (finished, P1, P2); (start, P2, P1); (start, P1, P2); (finished, P2, P1)]

Mutual Authentication

  • Dolev-Yao mutual authentication (DY-MA): Adversary cannot make party P1 (locally) output (finished P1 P2) before P2 outputs (starting P1 P2)
      • and vice-versa
  • UC: FMA only sends (success P1 P2) to participants after both submit (start P1 P2)
  • Theorem: let be a simple protocol. Then achieves DY-MA iff securely realizes FMA
      • (Note: UC analog to MW04)

“Simple” protocols

  • Recall goal: equate DY and UC security
      • Need protocols to be meaningful in both models
          • Efficient implementations (needed by UC)
          • Messages with DY-like parse trees
  • Consider programs from a “programming language”
      • Equality testing, branching
      • Standard DY adversary actions
  • Uses UC-secure asymmetric encryption
      • Will probably be replaced by CPPL

UC Key-Exchange Functionality

[Diagram: FKE with participants P1 and P2 and adversary A; labels: (P1 P2); k {0,1}^n; Key P2; (P1 P2); Key k; (P2 P1); Key k; (P1 P2); Key P1; (P2 P1); Key P2; (P2 P1)]

Mapping lemma

  • Let be a simple protocol
  • Every concrete execution of protocol (with any concrete adversary) has valid Dolev-Yao interpretation
  • Lemma: such interpretations could almost always be generated by Dolev-Yao adversary in purely Dolev-Yao setting
      • Similar result to MW04
  • Cor: To prove that simple protocol securely realizes F, need only show that it achieves Dolev-Yao goal G
      • If F and G are equivalent over traces
      • Note: traces now includes input/output

Protocol security

  • Intuition: A protocol securely realizes a functionality F if running is “just like” using F

[Diagram: functionality F with participants P’ and P’ and adversary A, "=", participants P and P with adversary A]

Implications of definition

  • Purpose of protocol: jointly calculate the outputs specified by description of F
  • Security: No one learns more from than would be revealed by F
  • However: definition (in particular) requires that no adversary can distinguish the two situations
      • Can this definition be realized?