The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the author. - PowerPoint PPT Presentation
3
Overview
  • This talk: symbolic analysis can guarantee
    universally composable (UC) key exchange
  • (Paper also includes mutual authentication)
  • Symbolic (Dolev-Yao) model: a high-level framework
  • Messages are treated symbolically; the adversary is
    extremely limited
  • Despite (general) undecidability, proofs can be
    automated
  • Result: symbolic proofs are computationally sound
    (UC)
  • For some protocols
  • For a strengthened symbolic definition of secrecy
  • With UC theorems, it suffices to analyze a single
    session
  • Implies decidability!

4
Needham-Schroeder-Lowe protocol
  • (Previously: A, B get each other's public encryption keys)

(diagram: message flow between A and B, encrypted under their public keys K)
Version 1: K = Na. Version 2: K = Nb.
Which one is secure?
5
Two approaches to analysis
  • Standard (computational) approach: reduce attacks
    to a weakness of the encryption
  • Alternate approach: apply methods of the symbolic
    model
  • Originally proposed by Dolev and Yao (1983)
  • Cryptography without probability, security
    parameter, etc.
  • Messages are parse trees
  • Countable symbols for keys (K, K', ...), names (A,
    B, ...) and nonces (N, N', Na, Nb, ...)
  • Encryption (EK(M)) and pairing (⟨M, N⟩) are
    constructors
  • Participants send/receive messages
  • Output: some key-symbol

6
The symbolic adversary
  • Explicitly enumerated powers
  • Interacts with a countable number of participants
  • Knowledge of all public values and non-secret keys
  • Limited set of rewrite rules:

M1, M2 → ⟨M1, M2⟩
⟨M1, M2⟩ → M1, M2
M, K → EK(M)
EK(M), K^-1 → M
7
Traditional symbolic secrecy
  • Conventional goal for symbolic secrecy proofs:
    if A or B output K, then no sequence of
    interactions/rewrites can result in K
  • Undecidable in general [EG, HT, DLMS], but
    decidable with bounds [DLMS, RT]
  • Also, the general case can be automatically verified
    in practice
  • Demo 1: analysis of both NSLv1 and NSLv2
  • So what?
  • The symbolic model has a weak adversary and strong
    assumptions
  • We want computational properties!
  • But can we harness these automated tools?

8
What we'd like
Symbolic protocol → Symbolic key-exchange
Concrete protocol → Computational key-exchange
9
Some previous work
  • General area
  • [AR]: soundness for indistinguishability
  • Passive adversary
  • [MW, BPW]: soundness for general trace properties
  • Includes mutual authentication; active adversary
  • Many, many others
  • Key-exchange in particular (independent work)
  • [BPW] (later)
  • [CW]: soundness for key-exchange
  • Traditional symbolic secrecy implies (weak)
    computational secrecy

10
Limitations of traditional secrecy
  • Big question: can traditional symbolic secrecy imply
    standard computational definitions of secrecy?
  • Unfortunately, no
  • Counter-example
  • Demo: NSLv2 satisfies traditional secrecy
  • Cannot provide real-or-random secrecy in standard
    models
  • Falls prey to the Rackoff attack

11
The Rackoff attack (on NSLv2)
(diagram: A, B and Adv; B replies with K if K = Nb, and rejects otherwise)
12
Achieving soundness
  • Soundness requires a new symbolic definition of
    secrecy
  • [BPW]: traditional secrecy + non-use
  • Thm: new definition implies secrecy (in their
    framework)
  • But must analyze infinite concurrent sessions
    and all resulting protocols
  • Here: traditional secrecy + symbolic
    real-or-random
  • Non-interference property, close to strong
    secrecy [B]
  • Thm: new definition equivalent to UC secrecy
  • Demonstrably automatable (Demo 2)
  • Suffices to consider a single session!
  • (Infinite concurrency results from joint-state UC
    theorems)
  • Implies decidability (forthcoming)

13
Decidability (not in paper)
                     Traditional secrecy                  Symbolic real-or-random
Unbounded sessions   Undecidable [EG, HT, DLMS]           Undecidable [B]
Bounded sessions     Decidable (NP-complete) [DLMS, RT]   Decidable (NP-complete)
14
Proof overview (soundness)
Symbolic key-exchange
  • Construct a simulator
  • Information-theoretic
  • Must strengthen the notion of UC public-key
    encryption
  • Intermediate step: trace properties (as in
    [MW, BPW])
  • Every activity-trace of the UC adversary could also
    be produced by the symbolic adversary
  • Rephrase: the UC adversary is no more powerful than
    the symbolic adversary

Single-session UC KE (ideal crypto)
  → (UC with joint state; CR, information-theoretic)
Multi-session UC KE (ideal crypto)
  → (UC theorem)
Multi-session KE (CCA-2 crypto)
15
Summary and future work
  • Result: symbolic proofs are computationally sound
    (UC)
  • For some protocols
  • For a strengthened symbolic definition of secrecy
  • With UC theorems, it suffices to analyze a single
    session
  • Implies decidability!
  • Additional primitives
  • Have: public-key encryption, signatures [P]
  • Would like: symmetric encryption, MACs, PRFs
  • Symbolic representation of other goals
  • Commitment schemes, ZK, MPC

16
Backup slides
17
Two challenges
  • Traditional secrecy is undecidable for
  • unbounded message sizes [EG, HT], or
  • an unbounded number of concurrent sessions
  • (Decidable when both are bounded) [DLMS]
  • Traditional secrecy is unsound
  • Cannot imply standard security definitions for
    computational key exchange
  • Example: NSLv2 (Demo)

18
Prior work [BPW]
New symbolic definition
Theory / Practice
Implies UC key exchange
(Public-key and symmetric encryption, signatures)
19
Our work
New symbolic definition: real-or-random
Theory / Practice
Automated verification!
Equivalent to UC key exchange
(Public-key encryption [CH], signatures [P])
UC: suffices to examine a single protocol run
Decidability?
Demo 3: UC security for NSLv1
20
Our work: solving the challenges
  • Soundness requires a new symbolic definition of
    secrecy
  • Ours: a purely symbolic expression of
    real-or-random security
  • Result: the new symbolic definition is equivalent to UC
    key exchange
  • UC theorems: sufficient to examine a single
    protocol in isolation
  • Thus, bounded numbers of concurrent sessions
  • Automated verification of our new definition is
    decidable! Probably

21
Summary
  • Summary
  • Symbolic key-exchange is sound in the UC model
  • Computational crypto can now harness symbolic
    tools
  • Now have the best of both worlds: security and
    automation!
  • Future work

22
Secure key-exchange [UC]
(diagram: two participants P and adversary A)
  • Answer: yes, it matters
  • Negative result [CH]: traditional symbolic
    secrecy does not imply universally composable key
    exchange

23
Secure key-exchange [UC]
(diagram: two participants P and adversary A)
  • Adversary gets the key when it is output by the participants
  • Does this matter? (Demo 2)

24
Secure key-exchange [CW]
(diagram: two participants P and adversary A)
  • Adversary interacts with the participants
  • Afterward, receives either the real key or a random key
  • Protocol is secure if the adversary is unable to
    distinguish
  • NSLv1, NSLv2 satisfy the symbolic definition of secrecy
  • Therefore, NSLv1, NSLv2 meet this definition as
    well

25
KE
(diagram: two participants P and adversary A)
  • Adversary unable to distinguish real/ideal worlds
  • Effectively: real-or-random keys
  • Adversary gets the candidate key at the end of the protocol
  • NSL1, NSL2 secure by this definition

26
Analysis strategy
Dolev-Yao protocol → Dolev-Yao key-exchange
Concrete protocol → UC key-exchange functionality
27
Simple protocols
  • Concrete protocols that map naturally to the
    Dolev-Yao framework
  • Two cryptographic operations:
  • Randomness generation
  • Encryption/decryption
  • (This talk: asymmetric encryption)
  • Example: Needham-Schroeder-Lowe

(diagram: message flow between P1 and P2)
28
UC Key-Exchange Functionality
FKE
(diagram: P1 sends (P1, P2) and P2 sends (P2, P1) to FKE; FKE picks
k ← {0,1}^n and returns it to both; A observes the session)
29
The Dolev-Yao model
  • Participants and the adversary take turns
  • Participant turn

(diagram: A, P1, P2)
30
The Dolev-Yao adversary
  • Adversary turn

(diagram: A with its knowledge set Know, P1, P2)
31
Dolev-Yao adversary powers
Already in Know       Can add to Know
M1, M2                Pair(M1, M2)
Pair(M1, M2)          M1 and M2
M, K                  Enc(M, K)
Enc(M, K), K^-1       M

Always in Know: randomness generated by the adversary, private keys
generated by the adversary, all public keys
32
The Dolev-Yao adversary
(diagram: A sends a message M from Know to P1 or P2)
33
Dolev-Yao key exchange
  • Assume that the last step of a (successful) protocol
    execution is the local output of
    (Finished Pi Pj K)
  • Key Agreement: if P1 outputs (Finished P1 P2 K)
    and P2 outputs (Finished P2 P1 K') then K = K'.
  • Traditional Dolev-Yao secrecy: if Pi outputs
    (Finished Pi Pj K), then K can never be in the
    adversary's set Know
  • Not enough!

34
Goal of the environment
  • Recall that the environment Z sees the outputs of the
    participants
  • Goal: distinguish the real protocol from the simulation
  • In the protocol execution, the output of the participants
    (session key) is related to the protocol messages
  • In the ideal world, the output is independent of the simulated
    protocol
  • If there exists a detectable relationship between the
    session key and the protocol messages, the environment
    can distinguish
  • Example: the last message of the protocol is Enc(confirm, K),
    where K is the session key
  • Can decrypt it with the participant output from the real
    protocol
  • Can't in the simulated protocol

35
Real-or-random (1/3)
  • Need: real-or-random property for session keys
  • Can think of the traditional goal as "computational"
  • Need a stronger "decisional" goal
  • Expressed in the Dolev-Yao framework
  • Let π be a protocol
  • Let πr be π, except that when a participant outputs
    (Finished Pi Pj Kr), Kr is added to Know
  • Let πf be π, except that when any participant
    outputs (Finished Pi Pj Kr), a fresh key Kf is added
    to the adversary set Know
  • Want: the adversary can't distinguish the two protocols

36
Real-or-random (2/3)
  • Attempt 1: Let Traces(π) be the traces the adversary can
    induce on π. Then require
    Traces(πr) = Traces(πf)
  • Problem: Kf is not in any trace of πr
  • Attempt 2:
    Traces(πr) = Rename(Traces(πf), Kf → Kr)
  • Problem: two different traces may look the same
  • Example protocol: if a participant receives the session
    key, it encrypts "yes" under its own (secret) key.
    Otherwise, it encrypts "no" instead
  • Traces differ, but the adversary can't tell

37
Real-or-random (3/3)
  • Observable part of a trace: the Abadi-Rogaway pattern
  • Undecipherable encryptions are replaced by a blob □
  • Example:
    t = ⟨N1, {N2}K1, {N2}K2, K1^-1⟩
    Pattern(t) = ⟨N1, {N2}K1, {□}K2, K1^-1⟩
  • Final condition:
    Pattern(Traces(πr)) = Pattern(Rename(Traces(πf), Kf → Kr))
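
As an added example (not code from the slides or the paper), the Python below models the Dolev-Yao adversary's rewrite rules from slides 6 and 31 and the Abadi-Rogaway pattern function from slide 37; the tuple encoding of terms, the name BLOB and the NSLv2 message set used in the secrecy check are my own constructions.

```python
from typing import Optional, Set, Tuple, Union

# Term: a string atom (nonce "N1", public key "K1", private key "K1^-1"),
# an n-ary pair ("pair", t1, ..., tn), or an encryption ("enc", m, "K1").
Term = Union[str, Tuple]
BLOB = "□"  # constructed marker for an encryption the observer cannot open

def inv(k: str) -> str:
    """Key inverse: public K -> private K^-1, and back."""
    return k[:-3] if k.endswith("^-1") else k + "^-1"

def closure(know: Set[Term]) -> Set[Term]:
    """Saturate Know under the destructor rules of slides 6/31:
    <M1,M2> -> M1, M2 and Enc(M,K), K^-1 -> M. (The constructor rules are
    not applied here: closing under pairing/encryption would be infinite.)"""
    know = set(know)
    changed = True
    while changed:
        changed = False
        for t in list(know):
            new: Set[Term] = set()
            if isinstance(t, tuple) and t[0] == "pair":
                new = set(t[1:])
            elif isinstance(t, tuple) and t[0] == "enc" and inv(t[2]) in know:
                new = {t[1]}
            if not new <= know:
                know |= new
                changed = True
    return know

def pattern(t: Term, keys: Optional[Set[Term]] = None) -> Term:
    """Slide 37 pattern: encryptions whose private key is not recoverable
    from t itself are replaced by BLOB; everything else is kept verbatim."""
    keys = closure({t}) if keys is None else keys
    if isinstance(t, tuple) and t[0] == "pair":
        return ("pair",) + tuple(pattern(p, keys) for p in t[1:])
    if isinstance(t, tuple) and t[0] == "enc":
        return ("enc", pattern(t[1], keys) if inv(t[2]) in keys else BLOB, t[2])
    return t

def nsl_traditional_secrecy() -> bool:
    """Slide 7 check on constructed NSLv2 messages: holding only public values
    and the three ciphertexts, the adversary never derives the session key Nb."""
    msgs = {("enc", ("pair", "Na", "A"), "KB"),
            ("enc", ("pair", "Na", "Nb", "B"), "KA"),
            ("enc", "Nb", "KB")}
    return "Nb" not in closure(msgs | {"A", "B", "KA", "KB"})
```

Running pattern() on the slide's term reproduces ⟨N1, {N2}K1, {□}K2, K1^-1⟩: K1^-1 in the term opens the K1 encryption, while the K2 encryption stays a blob.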

38
Main results
  • Let key-exchange in the Dolev-Yao model be:
  • Key agreement
  • Traditional Dolev-Yao secrecy of the session key
  • Real-or-random
  • Let π be a simple protocol that uses UC
    asymmetric encryption. Then
    DY(π) satisfies Dolev-Yao key exchange
    iff
    UC(π) securely realizes FKE

39
Future work
  • How to prove Dolev-Yao real-or-random?
  • Needed for UC security
  • Not previously considered in the Dolev-Yao
    literature
  • Can it be automated?
  • Weaker forms of DY real-or-random
  • Similar results for symmetric encryption and
    signatures