Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis - PowerPoint PPT Presentation

Title: POPL 01 Talk. Author: John C Mitchell. Last modified by: John C Mitchell. Created Date: 9/7/1997 8:51:32 PM. Document presentation format: On-screen Show. Slides: 53.

1
Probabilistic Polynomial-Time Process Calculus
for Security Protocol Analysis
  • John Mitchell
  • Stanford University
  • P. Lincoln, M. Mitchell,
  • A. Ramanathan, A. Scedrov, V. Teague

2
Computer Security
Goal: protection of computer systems and digital information
Security
  • Access control
  • OS security
  • Network security
  • Cryptography

3
Research challenge
  • Invent the logic of computer security
    • Reasoning principles for systems that use cryptography and are subject to attack
  • Analogy
    • Effective topos, synthetic domain theory, ...
    • Recursion, recursive domains, collections of types, form a model of intuitionistic set theory with additional axioms

4
LICS presence at CSFW
Figure: table of LICS researchers appearing at CSFW by year, 1998 to 2001 (names shown: Abadi, Blanchet, Fiore, Gordon, Gunter, Halpern, Jeffrey, Kirli, Pierce, Pavlovic, Rusinowitch, Scedrov; Abadi, Roscoe)
  • Check out Crypto, Oakland, CCS, ...

5
Today Protocols and Probability
  • Security protocols
  • Goals for process calculus
  • Specific process calculus
  • Probabilistic semantics
  • Complexity: probabilistic poly time
  • Asymptotic equivalence
  • Pseudo-random number generators
  • Equational properties and challenges

6
Protocol Security
  • Cryptographic Protocol
    • Program distributed over network
    • Use cryptography to achieve goal
  • Attacker
    • Intercept, replace, remember messages
    • Guess random numbers, some computation
  • Correctness
    • Attacker cannot learn protected secret or cause incorrect conclusion

7
IKE subprotocol from IPSEC
  • A → B: A, (g^a mod p)
  • B → A: B, (g^b mod p), sign_B(m1, m2)
  • A → B: sign_A(m1, m2)

Result: A and B share secret g^ab mod p
Analysis involves probability, modular exponentiation, digital signatures, communication networks, ...

8
Simpler Challenge-Response
  • Alice wants to know Bob is listening
  • Send fresh number n, Bob returns f(n)
  • Use encryption to avoid forgery
  • Protocol
    • Alice → Bob: {nonce}_K
    • Bob → Alice: {nonce + 5}_K
  • Can Alice be sure that
    • Message is from Bob?
    • Message is fresh response to Alice's challenge?

9
Important Modeling Decisions
  • How powerful is the adversary?
    • Simple replay of previous messages
    • Decompose, reassemble and resend
    • Statistical analysis, timing attacks, ...
  • How much detail in model of crypto?
    • Assume perfect cryptography
    • Include algebraic properties
      • encr(x·y) = encr(x)·encr(y) for RSA: encrypt(k, msg) = msg^k mod N

10
Standard analysis methods
  • Easy
    • Finite-state analysis
    • Logic based models
      • Symbolic search of protocol runs
      • Proofs of correctness in formal logic
  • Hard
    • Consider probability and complexity
      • More realistic intruder model
      • Interaction between protocol and cryptography

11
Comparison
Figure: chart placing analysis methods by sophistication of attacks (low to high, vertical axis) against protocol complexity (low to high, horizontal axis); methods plotted: Hand proofs, Poly-time calculus, Spi-calculus, Athena, Paulson, NRL, Bolignano, BAN logic, FDR, Murφ

12
Outline
  • Security protocols
  • Goals for process calculus
  • Specific process calculus
  • Probabilistic semantics
  • Complexity: probabilistic poly time
  • Asymptotic equivalence
  • Pseudo-random number generators
  • Equational properties and challenges

13
Language Approach [Abadi, Gordon]
  • Write protocol in process calculus
  • Express security using observational equivalence
    • Standard relation from programming language theory
    • P ≈ Q iff for all contexts C[ ], same observations about C[P] and C[Q]
    • Context (environment) represents adversary
  • Use proof rules for ≈ to prove security
    • Protocol is secure if no adversary can distinguish it from some idealized version of the protocol
  • Great general idea; application is complicated

14
Probabilistic Poly-time Analysis
  • Add probability, complexity
    • Probabilistic polynomial-time process calc
    • Protocols use probabilistic primitives
      • Key generation, nonce, probabilistic encryption, ...
    • Adversary may be probabilistic
  • Express protocol and spec in calculus
  • Security using observational equivalence
    • Use probabilistic form of process equivalence

15
Secrecy for Challenge-Response
  • Protocol P
    • A → B: {i}_K
    • B → A: {f(i)}_K
  • Obviously secret protocol Q
    • A → B: {random_number}_K
    • B → A: {random_number}_K
  • Analysis: P ≈ Q reduces to crypto condition related to non-malleability [Dolev, Dwork, Naor]
  • Fails for plain old RSA if f(i) = 2i

16
Specification with Authentication
  • Protocol P
    • A → B: {random i}_K
    • B → A: {f(i)}_K
    • A → B: OK if f(i) received
  • Obviously authenticating protocol Q
    • A → B: {random i}_K
    • B → A: {random j}_K, (i, j)
    • A → B: OK if private i, j match public msgs

17
Nondeterminism vs encryption
  • Alice encrypts msg and sends to Bob
    • A → B: {msg}_K
  • Adversary uses nondeterminism
    • Process E0 = c⟨0⟩ | c⟨0⟩ | c⟨0⟩
    • Process E1 = c⟨1⟩ | c⟨1⟩ | c⟨1⟩
    • Process E = c(b1).c(b2)...c(bn).decrypt(b1b2...bn, msg)
  • In reality, at most 2^-n chance to guess n-bit key

18
Semantics
  • Nondeterministic semantics
    • Prove initial results for arbitrary scheduler

19
Methodology
  • Define general system
    • Process calculus
    • Probabilistic semantics
    • Asymptotic observational equivalence
  • Apply to protocols
    • Protocols have specific form
    • Attacker is context of specific form
    • Induces coarser observational equivalence
  • This talk: general calculus and properties

20
Outline
  • Security protocols
  • Goals for process calculus
  • Specific process calculus
  • Probabilistic semantics
  • Complexity: probabilistic poly time
  • Asymptotic equivalence
  • Pseudo-random number generators
  • Equational properties and challenges

21
Technical Challenges
  • Language for prob. poly-time functions
    • Extend work of Cobham, Cook, Hofmann
  • Replace nondeterminism with probability
    • Otherwise adversary is too strong ...
  • Define probabilistic equivalence
    • Related to poly-time statistical tests ...

22
Syntax
  • Bounded π-calculus with integer terms
  • P ::= 0
      | c_q(n)⟨T⟩        send up to q(n) bits
      | c_q(n)(x). P     receive
      | νc_q(n) . P      private channel
      | [T = T] P        test
      | P | P            parallel composition
      | ! q(n) . P       bounded replication

Terms may contain symbol n; channel width and replication bounded by poly in n

23
Probabilistic Semantics
  • Basic idea
    • Alternate between terms and processes
    • Probabilistic evaluation of terms (incl. rand)
    • Probabilistic scheduling of parallel processes
  • Two evaluation phases
    • Outer term evaluation
      • Evaluate all exposed terms, evaluate tests
    • Communication
      • Match send and receive
      • Probabilistic if multiple send-receive pairs

24
Scheduling
  • Outer term evaluation
    • Evaluate all exposed terms in parallel
    • Multiply probabilities
  • Communication
    • E(P): set of eligible subprocesses
    • S(P): set of schedulable pairs
    • Prioritize private communication first
    • Choose highest-priority communication with uniform (or other) probability

25
Example
  • Process
    • c⟨rand+1⟩ | c(x).d⟨x+1⟩ | d⟨2⟩ | d(y). e⟨x+1⟩
  • Outer evaluation (each with prob ½)
    • c⟨1⟩ | c(x).d⟨x+1⟩ | d⟨2⟩ | d(y). e⟨x+1⟩
    • c⟨2⟩ | c(x).d⟨x+1⟩ | d⟨2⟩ | d(y). e⟨x+1⟩
  • Communication (choose according to probabilistic scheduler)
    • c⟨1⟩ | c(x).d⟨x+1⟩ | d⟨2⟩ | d(y). e⟨x+1⟩

26
Example (again)
c⟨rand+1⟩ | c(x).d⟨x+1⟩ | d⟨2⟩ | d(y). e⟨x+1⟩
Outer Eval (each with prob 0.5):
c⟨2⟩ | c(x).d⟨x+1⟩ | d⟨2⟩ | d(y). e⟨x+1⟩
c⟨1⟩ | c(x).d⟨x+1⟩ | d⟨2⟩ | d(y). e⟨x+1⟩
Comm Step: choose according to probabilistic scheduler

27
Complexity results
  • Polynomial time
    • For each process P, there is a poly q(x) such that
      • For all n
      • For all probabilistic schedulers
      • All minimal evaluation contexts C
      • eval of C[P] halts in time q(n, |C|)
  • Minimal evaluation context
    • C = c(x).d(y) | c⟨20⟩ | d⟨7⟩ | e⟨492⟩

28
Complexity Intuition
  • Bound on number of communications
    • Count total number of inputs, multiplying by q(n) to account for ! q(n) . P
  • Bound on term evaluation
    • Closed T evaluated in time q_T(n)
  • Bound on time for each comm step
    • Example: c⟨m⟩ | c(x).P → [m/x]P
    • Substitution bounded by orig length of P
      • Size of number m is bounded
      • Previous steps preserve occurrences of x in P

29
Outline
  • Security protocols
  • Application of process calculus
  • Specific process calculus
  • Probabilistic semantics
  • Complexity: probabilistic poly time
  • Asymptotic equivalence
  • Pseudo-random number generators
  • Equational properties and challenges

30
How to define process equivalence?
Problem
  • Intuition
    • |Prob[C[P] → yes] - Prob[C[Q] → yes]| < ε
  • Difficulty
    • How do we choose ε?
    • Less than 1/2, 1/4, ...? (not equiv relation)
    • Vanishingly small ε? As a function of what?
  • Solution
    • Use security parameter
    • Protocol is family {P_n}_{n>0} indexed by key length
    • Asymptotic form of process equivalence

31
Probabilistic Observational Equiv
  • Asymptotic equivalence within f
    • Process, context families {P_n}_{n>0}, {Q_n}_{n>0}, {C_n}_{n>0}
    • P ≈_f Q if ∀ contexts C. ∀ obs v. ∃ n0. ∀ n > n0.
      |Prob[C_n[P_n] → v] - Prob[C_n[Q_n] → v]| < f(n)
  • Asymptotically polynomially indistinguishable
    • P ≈ Q if P ≈_f Q for every f(n) = 1/p(n) with p a polynomial
  • Final defn gives robust equivalence relation

32
Outline
  • Security protocols
  • Application of process calculus
  • Specific process calculus
  • Probabilistic semantics
  • Complexity: probabilistic poly time
  • Asymptotic equivalence
  • Pseudo-random number generators
  • Equational properties and challenges

33
Compare with standard crypto
  • Sequence generated from random seed
    • P_n = let b = n^k-bit sequence generated from n random bits in PUBLIC⟨b⟩ end
  • Truly random sequence
    • Q_n = let b = sequence of n^k random bits in PUBLIC⟨b⟩ end
  • P is crypto strong pseudo-random generator
    • P ≈ Q
  • Equivalence is asymptotic in security parameter n
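
As an added illustration (not from the talk), the following Python block makes the definition on this slide concrete: a context C_n that is a poly-time statistical test, run against a constructed generator family P_n that is deliberately weak (it repeats its n-bit seed) and the truly random family Q_n. The quantity it computes, |Prob[C_n[P_n] → yes] - Prob[C_n[Q_n] → yes]|, is the gap in the definition of ≈_f; because it stays above 1/p(n) for every polynomial p, this single context witnesses that P and Q are not asymptotically polynomially indistinguishable. The generator, the test, the exponent k = 2 and all function names are constructed for this example.

```python
import secrets
from fractions import Fraction

# Added example (not from the slides): a context C_n as a poly-time statistical
# test against the two families P_n and Q_n, with a deliberately weak generator
# so that the distinguishing gap can be computed exactly.
# Constructed setting: seed of n bits, output of n^K bits with K = 2.

K = 2

def weak_prg(seed_bits, n):
    """P_n with a bad expansion: repeat the n-bit seed until n^K bits exist.
    (Constructed stand-in for 'sequence generated from n random bits'.)"""
    out = []
    while len(out) < n ** K:
        out.extend(seed_bits)
    return out[: n ** K]

def truly_random(n):
    """Q_n: n^K independent random bits from OS entropy."""
    return [secrets.randbits(1) for _ in range(n ** K)]

def context_repeat_test(bits, n):
    """The context C_n: observe 'yes' iff the second n-bit block equals the first.
    Runs in time polynomial in n, as the calculus requires of an adversary."""
    return bits[:n] == bits[n:2 * n]

def exact_gap(n):
    """|Prob[C_n[P_n] -> yes] - Prob[C_n[Q_n] -> yes]| for the families above.
    P_n always answers yes; for Q_n two independent n-bit blocks agree with
    probability 2^-n."""
    prob_p = Fraction(1)
    prob_q = Fraction(1, 2 ** n)
    return abs(prob_p - prob_q)

def violates_bound(n, poly):
    """True when the gap at n is not below f(n) = 1/poly(n): this C_n then
    witnesses that P and Q are not equivalent within f at this n."""
    return exact_gap(n) >= Fraction(1, poly(n))

def estimate_gap(n, trials=2000):
    """Monte Carlo version of the same quantity, as one would measure it for a
    real generator where no closed form is available."""
    yes_p = yes_q = 0
    for _ in range(trials):
        seed = [secrets.randbits(1) for _ in range(n)]
        yes_p += context_repeat_test(weak_prg(seed, n), n)
        yes_q += context_repeat_test(truly_random(n), n)
    return abs(yes_p - yes_q) / trials

if __name__ == '__main__':
    for n in (4, 8, 16):
        print(n, float(exact_gap(n)), violates_bound(n, lambda n: n ** 2),
              estimate_gap(n))
```

The exact gap 1 - 2^-n does not shrink with n at all, so no choice of n0 rescues the family; a generator that is actually crypto strong would instead leave every such poly-time test with a gap below 1/p(n) for all sufficiently large n, which is the content of P ≈ Q.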

34
Desired equivalences
  • P | (Q | R) ≈ (P | Q) | R
  • P | Q ≈ Q | P
  • P | 0 ≈ P
  • P ≈ Q ⟹ C[P] ≈ C[Q]
  • P ≈ νc. ( c⟨1⟩ | c(x).P ), x ∉ FV(P)
  • Warning: hard to get all of these

35
One way to get equivalences
  • Labeled transition system
    • Allow process to send any output, read any input
    • Label with numbers resembling probabilities
  • Simulation relation
    • Relation ⊑ on processes
    • If P ⊑ Q and P → P', then there exists Q' with Q → Q' and P' ⊑ Q'
  • Weak form of prob equivalence
    • But enough to get started

36
Hold for uniform scheduler
  • P | (Q | R) ≈ (P | Q) | R
  • P | Q ≈ Q | P
  • P | 0 ≈ P
  • P ≈ Q ⟹ C[P] ≈ C[Q]

Compositionality is an important issue in computer security

37
Problem
  • Want this equivalence
    • P ≈ νc. ( c⟨1⟩ | c(x).P ), x ∉ FV(P)
  • Fails for general calculus, general ≈
    • P = d(x).e⟨x⟩
    • C = νd.( d⟨1⟩ | d(y).e⟨0⟩ | [ ] )

38
Comparison
C[νc. ( c⟨1⟩ | c(x).P )] = νd.( d⟨1⟩ | d(y).e⟨0⟩ | νc. ( c⟨1⟩ | c(x).P ) )
C[P] = νd.( d⟨1⟩ | d(y).e⟨0⟩ | d(x).e⟨x⟩ )
Figure: scheduling trees for the two sides, branches labelled left/right according to which communication the scheduler picks, with leaves e⟨0⟩ and e⟨1⟩ reached with different probabilities on each side
Even prioritizing private channels, equivalence fails

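
The scheduler of slides 23 to 26 and the counterexample on slides 37 and 38 can both be checked mechanically. The Python interpreter below is an added example, not code from the talk or its authors: it implements outer term evaluation followed by one uniformly scheduled communication step (private channels first) for a constructed subset of the calculus, explores every coin flip and scheduler choice with exact fractions, and reports the distribution of values output on channel e. It assumes that the trailing e⟨x+1⟩ in the slide-25 process is e⟨y+1⟩ (the variable bound by d(y)), and it models the ν-bound names c and d simply as a set of private channel names; the tuple encoding of processes and the function names are this example's own.

```python
from fractions import Fraction
from itertools import product

# Added example: an exhaustive interpreter for the two-phase probabilistic
# semantics on the slides (outer term evaluation, then one scheduled
# communication) over a constructed subset of the calculus. Not the authors' code.
#
# Terms:     int | 'rand' (a fair bit) | ('+', Term, Term) | variable name (str)
# Processes: ('send', chan, Term) | ('recv', chan, var, Process)
# A configuration is a list of processes in parallel; nu-bound channels are
# passed as a set of private channel names (assumption: no name clashes).

def eval_term(term):
    """Probabilistic evaluation of a closed term: list of (value, probability)."""
    if isinstance(term, int):
        return [(term, Fraction(1))]
    if term == 'rand':
        return [(0, Fraction(1, 2)), (1, Fraction(1, 2))]
    _, left, right = term          # ('+', t1, t2); a free variable here is an error
    return [(a + b, pa * pb)
            for a, pa in eval_term(left) for b, pb in eval_term(right)]

def subst_term(term, var, val):
    if term == var:
        return val
    if isinstance(term, tuple):
        return ('+', subst_term(term[1], var, val), subst_term(term[2], var, val))
    return term

def subst(proc, var, val):
    """[val/var]proc, respecting shadowing by an inner binder."""
    if proc[0] == 'send':
        return ('send', proc[1], subst_term(proc[2], var, val))
    _, chan, x, cont = proc
    return proc if x == var else ('recv', chan, x, subst(cont, var, val))

def outer_eval(config):
    """Phase 1: evaluate every exposed send term; probabilities multiply."""
    options = []
    for proc in config:
        if proc[0] == 'send':
            options.append([(('send', proc[1], v), p) for v, p in eval_term(proc[2])])
        else:
            options.append([(proc, Fraction(1))])
    results = []
    for combo in product(*options):
        prob = Fraction(1)
        for _, p in combo:
            prob *= p
        results.append(([proc for proc, _ in combo], prob))
    return results

def schedulable_pairs(config, private):
    """S(P): matching send/receive pairs; private channels have priority."""
    pairs = [(i, j) for i, s in enumerate(config) if s[0] == 'send'
             for j, r in enumerate(config) if r[0] == 'recv' and r[1] == s[1]]
    priv = [(i, j) for i, j in pairs if config[i][1] in private]
    return priv or pairs

def distribution(config, private=frozenset(), observe='e'):
    """Explore all coin flips and uniform scheduler choices exhaustively.
    Returns {tuple of values output on `observe`: probability}."""
    dist = {}
    def explore(cfg, prob):
        for evaluated, p_eval in outer_eval(cfg):
            pairs = schedulable_pairs(evaluated, private)
            if not pairs:   # stuck: record what the environment sees on `observe`
                obs = tuple(sorted(p[2] for p in evaluated
                                   if p[0] == 'send' and p[1] == observe))
                dist[obs] = dist.get(obs, Fraction(0)) + prob * p_eval
                continue
            for i, j in pairs:   # uniform choice among highest-priority pairs
                _, _, val = evaluated[i]
                _, _, x, cont = evaluated[j]
                rest = [p for k, p in enumerate(evaluated) if k not in (i, j)]
                explore(rest + [subst(cont, x, val)], prob * p_eval / len(pairs))
    explore(config, Fraction(1))
    return dist

# Slide 25 process: c<rand+1> | c(x).d<x+1> | d<2> | d(y).e<y+1>
# (assumption: the slide's trailing e<x+1> is read as e<y+1>)
SLIDE25 = [('send', 'c', ('+', 'rand', 1)),
           ('recv', 'c', 'x', ('send', 'd', ('+', 'x', 1))),
           ('send', 'd', 2),
           ('recv', 'd', 'y', ('send', 'e', ('+', 'y', 1)))]

# Slides 37/38 with P = d(x).e<x>:
#   LEFT  = nu d.( d<1> | d(y).e<0> | nu c.( c<1> | c(x).P ) )
#   RIGHT = nu d.( d<1> | d(y).e<0> | P )
P_PROC = ('recv', 'd', 'x', ('send', 'e', 'x'))
LEFT = [('send', 'd', 1), ('recv', 'd', 'y', ('send', 'e', 0)),
        ('send', 'c', 1), ('recv', 'c', 'x', P_PROC)]
RIGHT = [('send', 'd', 1), ('recv', 'd', 'y', ('send', 'e', 0)), P_PROC]

if __name__ == '__main__':
    print(distribution(SLIDE25))                    # {(3,): 7/8, (4,): 1/8}
    print(distribution(LEFT, private={'c', 'd'}))   # {(0,): 3/4, (1,): 1/4}
    print(distribution(RIGHT, private={'d'}))       # {(0,): 1/2, (1,): 1/2}
```

Run as a script it shows the point of the slide: C[νc.(c⟨1⟩ | c(x).P)] outputs e⟨0⟩ with probability 3/4, while C[P] outputs e⟨0⟩ and e⟨1⟩ with probability 1/2 each, so an environment observing e separates the two sides even though c is private and private communications are scheduled first. For the slide-25 process the same interpreter gives e⟨3⟩ with probability 7/8 and e⟨4⟩ with 1/8, and making d private forces the d communication first and yields e⟨3⟩ with certainty.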
39
Paradox
  • Two processors connected by network
    • Each does private actions
  • Unrealistic interaction
    • Private coin flip in Beijing does not influence coin flip in Washington

40
Solutions
  • Modify scheduler
    • Process private channels left-to-right
    • Each channel: random send-receive pair
  • Restrict syntax of protocol, attack
    • C[P] ≈ C[νc. ( c⟨1⟩ | c(x).P )]
    • for all contexts C that
      • do not share private channels
      • do not bind channel names used in

Modification of scheduler more reasonable for protocols

41
Current State of Project
  • Framework for protocol analysis
    • Determine crypto requirements of protocols
    • Precise definition of crypto primitives
  • Probabilistic ptime language
  • Process framework
    • Replace nondeterminism with rand
    • Equivalence based on ptime statistical tests
  • Methods for establishing equivalence
    • Develop probabilistic simulation technique
  • Examples: Diffie-Hellman, Bellare-Rogaway, ...

42
Connections with modern crypto
  • Cryptosystem consists of three parts
    • Key generation
    • Encryption
    • Decryption
  • Many forms of security
    • Semantic security, non-malleability, chosen-ciphertext security, ...
    • Common conditions use prob. games

43
Chosen-ciphertext security
  • Probabilistic poly-time player A cannot win game (with probability > 1/2)
    • A gets public key
    • A submits ciphertexts and receives decryptions
    • A submits two messages m0, m1 and receives either c = Encr(m0) or c = Encr(m1) at random
    • A submits ciphertexts c' ≠ c and receives decryptions
    • A declares guess g = 0 or 1
    • Score: win if c = Encr(m_g), else lose

Deterministic encryption vulnerable to chosen-c attack

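
To make the game on this slide concrete, here is an added Python harness (not from the talk) that plays the six steps against a constructed textbook-RSA (K, E, D) with small fixed primes. The decryption oracle enforces the c' ≠ c rule of step 4. Two adversaries are included: one re-encrypts m0 and compares it with the challenge, which wins whenever E is deterministic, and one that uses the homomorphism f(i) = 2i noted on slide 15, which wins by asking the oracle for a related ciphertext. Both win every game, so this (K, E, D) fails the definition. The primes, message values, and class and function names are this example's own.

```python
import secrets

# Added example (not part of the talk): the chosen-ciphertext game as a harness,
# with constructed textbook RSA standing in for (K, E, D). Illustrates why a
# deterministic E loses the game and how the slide-15 malleability shows up.

def keygen():
    """K: constructed toy RSA key pair (p=61, q=53, e=17), illustration only."""
    p, q, e = 61, 53, 17
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def encrypt(pk, m):
    """E: textbook RSA, m^e mod N. Deterministic: same m gives same ciphertext."""
    n, e = pk
    return pow(m, e, n)

def decrypt(sk, c):
    """D: c^d mod N."""
    n, d = sk
    return pow(c, d, n)

def play_game(adversary, rng=secrets.randbelow):
    """One run of the game. `adversary` provides
    choose(pk, oracle) -> (m0, m1) and guess(challenge, oracle) -> bit.
    The oracle refuses the challenge ciphertext itself (the c' != c rule)."""
    pk, sk = keygen()
    state = {'challenge': None}

    def oracle(c):
        if c == state['challenge']:
            raise ValueError('decryption of the challenge ciphertext is not allowed')
        return decrypt(sk, c)

    m0, m1 = adversary.choose(pk, oracle)             # steps 1-3: pk, queries, m0/m1
    bit = rng(2)                                      # challenger's private coin
    state['challenge'] = encrypt(pk, (m0, m1)[bit])   # c = Encr(m_bit)
    g = adversary.guess(state['challenge'], oracle)   # steps 4-5
    return g == bit                                   # step 6: win iff c = Encr(m_g)

class CompareAdversary:
    """Wins against any deterministic E: re-encrypt m0 and compare with c."""
    def choose(self, pk, oracle):
        self.pk = pk
        return 2, 3                                   # any two distinct messages < N
    def guess(self, challenge, oracle):
        return 0 if encrypt(self.pk, 2) == challenge else 1

class MalleabilityAdversary:
    """Uses Encr(2m) = 2^e * Encr(m) mod N (slide 15's f(i) = 2i).
    It never asks the oracle for c itself, only for a related c' != c."""
    def choose(self, pk, oracle):
        self.pk = pk
        return 5, 7
    def guess(self, challenge, oracle):
        n, e = self.pk
        related = (pow(2, e, n) * challenge) % n      # Encr(2 * m_bit), != c
        return 0 if oracle(related) == 2 * 5 else 1

def win_rate(adversary_cls, games=200):
    """Fraction of games won; a secure (K, E, D) would keep this near 1/2."""
    return sum(play_game(adversary_cls()) for _ in range(games)) / games

if __name__ == '__main__':
    print('compare    :', win_rate(CompareAdversary))
    print('malleability:', win_rate(MalleabilityAdversary))
```

The harness is the part worth keeping: any candidate (K, E, D) can be dropped into `keygen`, `encrypt` and `decrypt`, and a randomized encryption plus a decryption that rejects malformed inputs is what pushes both adversaries back to a 1/2 win rate, which is the behaviour the definition on this slide asks for.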
44
Simulation security of K, E, D
Figure: two systems side by side. P (real): key generation K outputs pk and sk; E encrypts plaintext m under pk to a ciphertext; D decrypts with sk to recover m. Q (ideal): same interface, but encryption uses random messages and a private table consulted by decryption.
  • Algorithms K, E, D indistinguishable from variant where encryption uses random messages and private table

[Canetti 00], [Shoup], [Pfitzmann-Waidner 00, 01]

45
Goal Chosen-c-secure iff sim-secure
  • P ≈ P1 ≈ P2 ≈ ... ≈ Q
  • Hope to prove using process calculus
    • Derive protocol correctness by congruence
  • where
    • P: Game on previous slide
    • P1: Same, but quit if some output c of E seen before as input to D or output of E
    • P2: If input c to D was output by E, use table instead of algorithm D
    • Q: instead of encrypt, use Encr(0) and table

46
Conclusion
  • Computer security
    • Exacting subject amenable to analysis
    • Analysis useful since correctness critical
  • Protocols
    • Short but complex
  • Probabilistic poly-time process calc
    • Challenging semantics, proof theory
    • Appropriate for game equivalence

47
(No Transcript)
48
(No Transcript)
49
Chosen-ciphertext security
  1. A gets public key
  2. A submits ciphertexts and receives decryptions
  3. A submits two messages m0, m1 and receives c = Encr(m_i) for i ∈ {0,1}
  4. A submits ciphertexts c' ≠ c and gets decryptions
  5. A guesses g = 0 or 1
  6. Score: win if c = Encr(m_g), else lose

Figure: game diagram. Key Gen gives pk to A and sk to the Decrypt oracle; A sends m0, m1 to the challenger, which chooses i ∈ {0,1} and returns Encrypt(m_i).

50
Compositionality
  • Property of observational equiv
    • A ≈ B, C ≈ D ⟹ A | C ≈ B | D
    • similarly for other process forms

51
Zero-Knowledge Protocol
Figure: prover P and verifier V exchanging messages
  • Witness protection program
  • Q(x) iff ∃ w. P(x, w)
  • Prove ∃ w. P(x, w) without revealing w

52
Identify Friend or Foe
  • Sequential
    • One conversation at a time
  • Concurrent
    • Base station proves identity concurrently

Figure: base station as prover engaged with several verifiers at once
Are concurrent sessions still zero-k?