Digital signature in automatic analyses for confidentiality against active adversaries - PowerPoint PPT Presentation

1
Digital signature in automatic analyses for
confidentiality against active adversaries
  • Ilja Tšahhirov,
  • Peeter Laud

2
Goal of the analysis
  • Problem statement
  • Given the protocol (set of programs making
    calculations and exchanging messages)
  • It works with some secret data
  • No active adversary should be able to learn
    anything about the secret data
  • Automatically determine whether the protocol is
    secure or not.

3
Original technique
  • Published in Peeter Laud. Symmetric encryption
    in automatic analyses for confidentiality against
    active adversaries. 2004 IEEE Symposium on
    Security and Privacy, pages 71-85, May 2004.
  • Automatic analyzer present
  • Programming language
  • Single cryptographic primitive: symmetric
    encryption
  • Definition of the adversary
  • Definition of the security
  • Protocol transformations

4
Programming language
  • Instruction set
  • P ::= k := gen_key | y := (x1,...,xm) | x := pi_i^m(y)
  • | x := encr_k(y) | y := decr_k(x) | x := random
  • | send(x) | x := receive | check(x = y)
  • | x := constant(b) | x := y
  • | kp := gen_key_pair | pk := public_key(kp)
  • | sm := sign_kp(m) | test_pk(sm)
  • | m := get_signed_message(sm)
  • The only cryptographic primitive in the original
    analysis is symmetric encryption
  • Our contribution is adding the digital signature
    primitive support (commands in bold) to the
    language.

5
Adversary
  • Adversary is active - it schedules the
    participants and relays messages between them
  • Can modify, create new, or not deliver sent
    messages

6
Security definition
  • The protocol is considered secure if the secret
    message is computationally independent from the
    adversary's view.

7
Security against chosen-ciphertext attacks
  • No PPT adversary should be able to distinguish
    second black box from the first
  • Without querying the second algorithm with the
    outputs from the first

8
Protocol transformations - encryption
  • During the analysis protocols are transformed
  • Protocols working with the first black box can be
    replaced to use the second (under certain
    conditions)

9
Information flow analysis
  • If some participant of the protocol contains a
    statement of the form x := E(x1,...,xn) there is an
    information flow from the variable xi to the
    variable x.
  • The protocol is deemed secure if M ? y holds
    for no y affecting the adversary's view.
  • The protocol transformation described above
    breaks some of those links.

10
Unforgeability under adaptive chosen message
attack
  • The property we require signature scheme to
    satisfy
  • Adversary making queries to the signature oracle
    should not be able to create a valid signature
    for the message that has not previously been
    signed by it

11
Protocol transformations - digital signature
  • Signature operations are replaced with checking
    whether the signed message being tested belongs
    to the set of the actually signed messages.

12
Running example
  • Transmit the public key and signature from A to B
  • A generates KPA
  • A?? public_key(KPA)
  • A → B: enc(KAB, public_key(KPA))
  • A → B: enc(KAB, sign(KPA, M))
  • B verifies the signature
  • B ? OK
  • KAB is a long-term key shared between A and B.
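
The information-flow criterion applied to A's side of the running example, as an added Python sketch that is not from the presentation or the authors' analyzer. The tuple encoding, the variable names and `replace_encryptions` (which models the encryption transformation as cutting the plaintext-to-ciphertext dependency when the key is used only as a key) are assumptions; B's signature test and control dependencies are not modeled.

```python
from collections import defaultdict

# Constructed encoding of A's side of the running example: (target, op, key, args).
# `send` has no target; M is the secret input. All names are assumptions.
PROGRAM_A = [
    ("kab", "gen_key", None, []),
    ("kpa", "gen_key_pair", None, []),
    ("pk", "public_key", None, ["kpa"]),
    (None, "send", None, ["pk"]),
    ("c1", "encr", "kab", ["pk"]),
    (None, "send", None, ["c1"]),
    ("sm", "sign", "kpa", ["M"]),
    ("c2", "encr", "kab", ["sm"]),
    (None, "send", None, ["c2"]),
]

def flow_edges(program):
    """x := E(x1,...,xn) gives an edge xi -> x; keys count as inputs too."""
    edges = defaultdict(set)
    for target, op, key, args in program:
        if target is not None:
            for src in args + ([key] if key else []):
                edges[src].add(target)
    return edges

def leaking_sends(program, secret="M"):
    """Return the sent variables reachable from the secret (empty = criterion met)."""
    edges, seen, stack = flow_edges(program), {secret}, [secret]
    while stack:
        for nxt in edges[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    sent = [a for _, op, _, args in program if op == "send" for a in args]
    return sorted(v for v in sent if v in seen)

def replace_encryptions(program, key):
    """Assumed model of the transformation: if `key` is used only in key position,
    ciphertexts under it stop depending on their plaintext."""
    if any(key in args for _, _, _, args in program):
        return program  # key flows into data, condition not met: leave unchanged
    return [(t, op, k, [] if (op == "encr" and k == key) else args)
            for t, op, k, args in program]
```
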

13
Data dependencies

14
Control dependencies

15
Criterion for security
  • No path from M to any Si ⇒ the system is secure

16
Security does not follow

17
Encryptions replaced

18
Security still does not follow

19
Case handling - Case 1

20
Case 1 - Replacing the signature test

21
Case 1 in statement handling.

22
Case 1 - check statement handling
  • Sub-protocol is secure (result of check can be
    statically determined)

23
Case 2
  • Sub-protocol is secure (test statement always
    fails)

24
Conclusions and future work
  • Conclusions
  • The presented technique can be used in automated
    analysis of the cryptographic protocols
  • Technique is published in Nordsec 2005
    proceedings, p 29-41.
  • Future work
  • Implementation of the automated analyser
  • Introducing the support for other cryptographic
    primitives