Equivalence-Based Security Specifications

A. Datta, R Küsters, J. Mitchell, A. Ramanathan, V. Shmatikov

A. Scedrov, V. Teague, P. Mateus

General approach

Real protocol• The protocol we want to use• Expressed precisely in some formalism

Idealized protocol• May use unrealistic mechanisms (e.g., private

channels)• Defines the behavior we want from real protocol• Expressed precisely in same formalism

Specification• Real protocol indistinguishable from ideal protocol• Beaver ‘91, Goldwasser-Levin ‘90, Micali-Rogaway ’91• Depends on some characterization of observability

Achieves compositionality

Secrecy for Challenge-Response

Protocol P A B: { i } K

B A: { f(i) } K

“Obviously’’ secret protocol Q A B: { random_number } K

B A: { random_number } K

Specification with Authentication

Protocol P A B: { random i } K

B A: { f(i) } K

A B: “OK” if f(i) received

“Obviously’’ authenticating protocol Q A B: { random i } K

B A: { random j } K i , j

A B: “OK” if private i, j match public msgs

public channel private channel

public channel private channel

Pseudo-random number generators

Sequence generated from random seedPn: let b = nk-bit sequence generated from n random bits

in PUBLIC b end Truly random sequence

Qn: let b = sequence of nk random bits

in PUBLIC b end P is crypto strong pseudo-random number

generatorP QEquivalence is asymptotic in security parameter

n

Compositionality (intuition)

Crypto primitives• Ciphertext indistinguishable from

noise encryption secure in all protocols

Protocols• Protocol indistinguishable from ideal

key distribution protocol secure in all systems that

rely on secure key distributions

Compositionality

Intuitively, if: • Q securely realizes I , • R securely realizes J, • R, J use I as a component,

then R{Q/I} securely realizes J

Fits well with process calculus because is a congruence

• Q I C[Q] C[I] • contexts constructed from R, J, simulators

Three technical settings

Canetti – Universal composability• Condition: two adversaries and environment• Computation: Communicating Turing machines

PW, … – Black-box simulatability• Condition: one adversary, simulator, environment• Computation: I/O automata (or CT machines)

AG,LMMRST… - Process equivalence• Condition: observational equivalence• Computation: ppoly or nondet process calculus

Compare symmetric version of conditions over uniform computation model

More Background

Universal Compos.

Black-box Simulat.

Observ. Equiv.

Communicating Turing Mach

Canetti Canetti

I/O Automata Pfitz-W Pfitz-W

Nondet. Process Calc

Spi, Applied

Prob Poly Process Calc

LMMRST

This study

Universal Compos.

Black-box Simulat.

Observ. Equiv.

Communicating Turing Mach

Canetti Canetti

I/O Automata Pfitz-W Pfitz-W

Nondet. Process Calculus

Spi, Applied

Prob Poly Process Calculus

LMMRST

Axiomatic Calculus

UC BB PE

Ideal functionality (UC,BB)

What is the ideal key exchange protocol?• Clients ask server for key, receive response?• Server chooses keys and sends secretly?

Issue• Easy to distinguish number of messages• No “canonical” key exchange protocol is

equivalent to all secure key exchange protocols

Ideal functionality• Not a protocol with number of messages, etc.• A functionality that can be used to create

ideal protocols

Adversary vs Environment (UC,BB)

Adversary• Interacts with protocol over network• Does not choose messages to send, contract to

sign, certificate authority,…

Environment• Represents the configuration of honest users

who are trying to use the protocol• Input to general protocol• Example

– Kerberos TGS, KDC, clients, servers set by environment

Universal composability (UC)

Given• Protocol P• Ideal functionality F

Require• For every attack A1 on P, there exists an

attack A2 on F revealing same

information in any environment E• And conversely (in symmetric form of

UC)

Black-box simulatability

Given• Protocol P• Ideal functionality F

Require• There exists a simulator S such that

for any attacker A, protocols P and SF reveal same information in any environ E

Observational Equivalence

Given• Protocol P• Ideal protocol Q (not functionality F)

Require• Protocols P and Q reveal same

information in any context

No simulator, context = attacker + env

Comparison

UC and BB use “ideal functionality”+ Allows single specification, regardless of

communication pattern of protocol Observational equivalence

+ Standard relation, well-known properties

+ Bisimulation technique

+ Proof system Separate adversary and environment

- Not clear if useful, except in exposition

Add ideal functionality to specification using process equivalence

Language Approach

Write protocol in process calculus• Accepted and long-studied approach to concurrency

Express security using observational equivalence• Standard relation from programming language theory P Q iff for all contexts C[ ], same observations about C[P] and C[Q]• Inherently compositional • Context represents adversary

Use proof rules for to prove security• Protocol is secure if no adversary can distinguish it from

some idealized version of the protocol

BB

UC

PE

Rest of talk

Process calculus summary Formal definition of relations Sketch proof of equivalences Future directions

Syntax

Bounded -calculus with integer termsP :: = 0| cq(|n|) T send up to q(|n|) bits

| cq(|n|) (x). P receive

| cq(|n|) . P private channel

| [T=T] P test| P | P parallel composition| ! q(|n|) . P bounded replication

Terms may contain symbol n; channel width and replication bounded by poly in |n|

Equational principles

P | Q Q | P P | (Q | R) (P | Q) | R P | 0 P c. P d. [d/c]P same bandwidth, … c. C[P] C[c.P] c channels( C[0] )

P Q Q P P Q, Q R P R P Q C[P] C[Q]

Prove results using these properties of process calculus; true for TM, IOA

Formal definitions

Universal composabilityA1 A2 . net(P | A1) net(F | A2)

Black-box simulability S A . net(P | A) net(sim(F|S)|A)

Process equivalenceS . P sim(F | S)

Notes• Relation includes quantifying over

environments• Divide channels into network channels,

simulator channels, environment channels

Results

UC and BB• Equivalent w/synchronous communication• Equivalent w/asynchronous communication

BB and Process Equivalence (PE)• PE implies BB in synch communication• PE equivalent BB with asynch communication

These results are proved formally in process calculus (we worked out soundness for PPC and spi-calculus).

Results hold for any computational framework satisfying equational principles given in earlier slide

Proof sketch (also have nice pictures)

PE BB UC : Easy. Congruence and quantifier order.

UC BB

BB PE

Key Lemmas

Lemma 6. Scope Extrusion c. (P | Q) (c.P) | Q c channels( Q )

Lemma 8. Double buffering• One asynchronous buffer is indistinguishable

from the composition of two

Lemma 9. Dummy adversary and buffer• Composing a dummy adversary (that just

sends network information to the environment) with asynchronous buffer is indistinguishable from a buffer alone

Synchronous communication

Buffering fails• With synchronous communication, adding a buffer or

dummy adversary can change the observable order of actions

Some future directions

Complete this study• Relate computational models• Look at asymmetric specifications

– P is at least as secure as Q

Relate logical specification methods• Equivalence P Q

– P is detailed, Q more abstract

• Properties of Q– Prove Q achieves authenticated key

exchange