unifying equivalence-based definitions of protocol security a. datta, r. küsters, j. c. mitchell,...
Post on 21-Dec-2015
![Page 1: Unifying Equivalence-Based Definitions of Protocol Security A. Datta, R. Küsters, J. C. Mitchell, A. Ramanathan, V. Shmatikov Stanford University SRI International](https://reader030.vdocuments.mx/reader030/viewer/2022032521/56649d5d5503460f94a3ccd2/html5/thumbnails/1.jpg)
Unifying Equivalence-Based Definitions of
Protocol Security
A. Datta, R. Küsters, J. C. Mitchell, A. Ramanathan, V. Shmatikov
Stanford University SRI International
Main Result
Universal composability, black-box simulatability and process equivalence express the same properties of a protocol (with asynchronous communication)
• Result holds for any computational model satisfying standard process calculus equational principles
Outline
Equivalence-Based Specification
• Main Idea, Examples, Advantages
3 Approaches
• Models: Turing Machines, I/O Automata, Process Calculus
• Security Notions: UC, BB, PE
Comparative Study
• Relating Security Notions
• Relating Models (WIP)
General approach
Real protocol
• The protocol we want to use
• Expressed precisely in some formalism
Ideal protocol
• Defines the behavior we want from the real protocol
• May use unrealistic mechanisms (e.g., private channels)
• Expressed precisely in the same formalism
Specification
• Real protocol indistinguishable from ideal protocol
• Beaver '91, Goldwasser-Levin '90, Micali-Rogaway '91
• Depends on some characterization of observability
Achieves compositionality
Secrecy for Challenge-Response
Real Protocol P
A → B: { i } K
B → A: { f(i) } K
Ideal Protocol Q
A → B: { random_number } K
B → A: { random_number } K
Specification with Authentication
Real Protocol P
A → B: { random i } K
B → A: { f(i) } K
A → B: "OK" if f(i) received
Ideal Protocol Q
A → B: { random i } K (public channel)
B → A: { random j } K (public channel); i, j (private channel)
A → B: "OK" if private i, j match public msgs
Pseudo-random number generators
Sequence from random seed (Real protocol)
P_n: let b = nk-bit sequence generated from n random bits in PUBLIC b end
Truly random sequence (Ideal protocol)
Q_n: let b = sequence of nk random bits in PUBLIC b end
If P is a crypto-strong pseudo-random number generator, then P and Q are equivalent
Equivalence is asymptotic in the security parameter n
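The real/ideal pair on this slide as an added, runnable illustration (not from the slides): a context C[ ] is a distinguisher that outputs a bit, and the advantage |Pr[C[P_n] = 1] - Pr[C[Q_n] = 1]| is estimated by sampling. The two expanders, the SHA-256 counter-mode stand-in for a crypto-strong generator, and os.urandom as the source of seed bits are assumptions of this example, and the brute-force context shows why the equivalence is only asymptotic in n.

```python
import hashlib
import os

def bits(data):
    """Byte string -> '0'/'1' string."""
    return ''.join(f'{byte:08b}' for byte in data)

def ideal_bits(n, k):
    """Q_n: a sequence of n*k truly random bits, published as-is."""
    return bits(os.urandom(n * k // 8 + 1))[:n * k]

def weak_expand(seed, k):
    """Deliberately broken expander (constructed): repeat the seed k times."""
    return seed * k

def hash_expand(seed, k):
    """Stand-in for a crypto-strong expander (an assumption, not a proof):
    SHA-256 of seed||counter in counter mode, truncated to n*k bits."""
    n, out, ctr = len(seed), '', 0
    while len(out) < n * k:
        out += bits(hashlib.sha256(f'{seed}|{ctr}'.encode()).digest())
        ctr += 1
    return out[:n * k]

def real_bits(n, k, expand):
    """P_n: draw n random seed bits and publish the n*k-bit expansion."""
    seed = bits(os.urandom(n // 8 + 1))[:n]
    return expand(seed, k)

def ctx_repeat(b, n, k):
    """A context C[ ] that outputs 1 when the first two n-bit blocks agree."""
    return b[:n] == b[n:2 * n]

def ctx_bruteforce(expand):
    """A context that re-derives b from every one of the 2^n seeds.  It runs
    in time exponential in n, so it is not a legitimate (poly-time) context
    asymptotically, but for tiny n it separates even hash_expand from Q_n."""
    return lambda b, n, k: any(expand(f'{s:0{n}b}', k) == b for s in range(2 ** n))

def advantage(n, k, expand, ctx, trials=200):
    """Estimate |Pr[ctx(P_n) = 1] - Pr[ctx(Q_n) = 1]| over `trials` runs."""
    real = sum(ctx(real_bits(n, k, expand), n, k) for _ in range(trials))
    ideal = sum(ctx(ideal_bits(n, k), n, k) for _ in range(trials))
    return abs(real - ideal) / trials

if __name__ == '__main__':
    print('weak, repeat test:    ', advantage(16, 4, weak_expand, ctx_repeat))
    print('hash, repeat test:    ', advantage(16, 4, hash_expand, ctx_repeat))
    print('hash, brute force n=8:', advantage(8, 4, hash_expand, ctx_bruteforce(hash_expand), 50))
```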
Many more…
• Commitment schemes
• Signature schemes
• Key exchange
• Secure channels
• Secure multiparty computation
Compositionality
Crypto primitives
• Ciphertext indistinguishable from noise ⇒ encryption secure in all protocols
Protocols
• Protocol indistinguishable from ideal key distribution ⇒ protocol secure in all systems that rely on secure key distribution
Outline
Equivalence-Based Specification
3 Schools of Thought
• Models: Turing Machines, I/O Automata, Process Calculus
• Security Notions: UC, BB, PE
Comparative Study
Three technical settings
Can, …: Universal composability
• Condition: two adversaries and environment
• Computation: Communicating Turing machines
PW, …: Black-box simulatability
• Condition: one adversary, simulator, environment
• Computation: I/O automata
AG, LMMRST, …: Process equivalence
• Condition: observational equivalence
• Computation: ppoly or nondet process calculus
More Background
| | Universal Compos. | Black-box Simulat. | Observ. Equiv. |
|---|---|---|---|
| Communicating Turing Machines | Canetti | | |
| I/O Automata | Pfitz-W | Pfitz-W | |
| Nondet. Process Calculus | | | Spi, Applied π |
| Prob Poly Process Calculus | | | LMMRST |
This study
| | Universal Compos. | Black-box Simulat. | Observ. Equiv. |
|---|---|---|---|
| Communicating Turing Machines | Canetti | | |
| I/O Automata | Pfitz-W | Pfitz-W | |
| Nondet. Process Calculus | | | Spi, Applied π |
| Prob Poly Process Calculus | | | LMMRST |
| Axiomatic Calculus | UC | BB | PE |
Compare conditions over a uniform computation model
Ideal functionality (UC,BB)
What is the ideal key exchange protocol?
• Clients ask server for key, receive response?
• Server chooses keys and sends secretly?
Issue
• Easy to distinguish number of messages
• No "canonical" key exchange protocol is equivalent to all secure key exchange protocols
Ideal functionality
• Not a protocol with number of messages, etc.
• A functionality that can be used to create ideal protocols
Adversary vs. Environment (UC,BB)
Adversary
• Interacts with protocol over network
• Does not choose messages to send, contract to sign, certificate authority, …
Environment
• Represents the configuration of honest users who are trying to use the protocol
• Provides input to and observes output of protocol
• Example
  – Kerberos TGS, KDC, clients, servers set by environment
Separation of net and io channels of a protocol
Universal composability (UC)
Given
• Protocol P
• Ideal functionality F
Require
• For every adversary A1 for P, there exists an adversary A2 for F revealing same information in any environment E
[Figure: environment E attached over io channels to P, with adversary A1 on the net channels, and likewise to F, with adversary A2 on the net channels]
Black-box simulatability
Given
• Protocol P
• Ideal functionality F
Require
• There exists a simulator S such that for any adversary A, protocols P and sim(F|S) reveal same information in any environment E
[Figure: environment E attached over io channels to P, with adversary A on the net channels, and likewise to F composed with simulator S, with the same adversary A on the net channels]
Observational Equivalence
Given
• Protocol P
• Ideal protocol Q (not functionality F)
Require
• Protocols P and Q reveal same information in any context C[]
Context = attacker + environment
[Figure: P and Q each placed in a context C[] = E + A over their io and net channels]
Comparison
UC and BB
+ Ideal functionality: allows single specification, regardless of communication pattern of protocol
- Separate adversary and environment: not clear if useful, except in exposition
Observational equivalence
+ Standard relation, well-known properties
+ Bisimulation technique
+ Proof system
- No ideal functionality
Process Equivalence
Given
• Protocol P
• Ideal functionality F
Require
• There exists a simulator S such that protocols P and sim(F|S) reveal same information in any context C[]
Context = attacker + environment
[Figure: P, and F composed with simulator S, each placed in a context C[] = E + A over io and net channels]
Outline
Equivalence-Based Specification
3 Schools of Thought
Comparative Study
• Process calculus
• Equational Principles
• Security Definitions
• Results
Process Calculus
Syntax
P ::= 0
    | out(c,T). P        send
    | in(c,x). P         receive
    | νc. (P)            private channel
    | [T=T] P            test
    | P | P              parallel composition
    | !_q(|n|) . P       bounded replication
Equational principles
P | Q ≡ Q | P
P | (Q | R) ≡ (P | Q) | R
P | 0 ≡ P
νc. P ≡ νd. [d/c]P
νc. C[P] ≡ C[νc. P]   if c ∉ channels( C[0] )
P ≡ Q ⇒ Q ≡ P
P ≡ Q, Q ≡ R ⇒ P ≡ R
P ≡ Q ⇒ C[P] ≡ C[Q]
Prove results using these properties of process calculus
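The equational principles above as an added example (not from the slides or the paper): a small Python model of the calculus (send, receive, private channel and parallel composition; no test or replication) whose normaliser applies alpha-renaming of bound channels, scope extrusion (the same law as Lemma 6 on the Key Lemmas slide) and the laws of |, and then decides structural congruence up to renaming of bound channels. It assumes data terms carry no channel names.

```python
from itertools import count, permutations
# Terms as tuples: 0, out(c,T).P, in(c,x).P, nu c.(P) and P | Q.  Data terms T
# are opaque and carry no channel names (a simplifying assumption).
NIL = ('nil',)
def out(c, t, p=NIL): return ('out', c, t, p)
def inp(c, x, p=NIL): return ('in', c, x, p)
def nu(c, p): return ('nu', c, p)
def par(*ps): return ('par', tuple(ps))
def rename(p, m):
    """Simultaneous renaming of channel names via dict m (targets are fresh)."""
    k = p[0]
    if k == 'nil': return p
    if k in ('out', 'in'): return (k, m.get(p[1], p[1]), p[2], rename(p[3], m))
    if k == 'nu': return ('nu', m.get(p[1], p[1]), rename(p[2], m))
    return ('par', tuple(rename(q, m) for q in p[1]))

def extrude(p, fresh):
    """Pull every nu to the top: nu c.C[P] = C[nu c.P] (scope extrusion).  Each
    bound channel is alpha-renamed to a fresh name first (nu c.P = nu d.[d/c]P),
    so the side condition c not in channels(C[0]) always holds."""
    k = p[0]
    if k == 'nil': return [], p
    if k in ('out', 'in'):
        bs, body = extrude(p[3], fresh)
        return bs, (k, p[1], p[2], body)
    if k == 'nu':
        c = f'#{next(fresh)}'
        bs, body = extrude(rename(p[2], {p[1]: c}), fresh)
        return [c] + bs, body
    bs, parts = [], []
    for q in p[1]:
        b, body = extrude(q, fresh)
        bs, parts = bs + b, parts + [body]
    return bs, ('par', tuple(parts))

def flat(p):
    """Normal form under P|Q = Q|P, P|(Q|R) = (P|Q)|R, P|0 = P: flatten, drop 0, sort."""
    if p[0] in ('out', 'in'): return (p[0], p[1], p[2], flat(p[3]))
    if p[0] != 'par': return p
    parts = []
    for f in map(flat, p[1]):
        parts += list(f[1]) if f[0] == 'par' else [] if f == NIL else [f]
    return NIL if not parts else parts[0] if len(parts) == 1 else ('par', tuple(sorted(parts)))

def congruent(p, q):
    """P = Q under the equational principles, up to renaming of bound names."""
    (bp, pb), (bq, qb) = extrude(p, count()), extrude(q, count())
    if len(bp) != len(bq): return False
    target = flat(qb)
    return any(flat(rename(pb, dict(zip(bp, perm)))) == target for perm in permutations(bq))
```

For instance `congruent(nu('c', par(out('c','x'), inp('d','y'))), par(nu('c', out('c','x')), inp('d','y')))` holds, while the same pair with `inp('c','y')` does not, because c then occurs free in the second component.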
Formal definitions
Universal composability:  ∀A1 ∃A2 . net(P | A1) ≡ net(F | A2)
Black-box simulatability: ∃S ∀A . net(P | A) ≡ net(sim(F|S) | A)
Process equivalence:      ∃S . P ≡ sim(F | S)
Notes
• Relation ≡ includes quantifying over environments
• Divide channels into network channels and environment (io) channels
Results
UC and BB
• Equivalent w/ synchronous communication
• Equivalent w/ asynchronous communication
BB and Process Equivalence (PE)
• PE implies BB in synch communication
• PE equivalent to BB with asynch communication
Results hold for any computational framework satisfying standard equational principles (PPC, spi, …)
Proof sketch (also have nice pictures)
PE ⇒ BB ⇒ UC: Easy. Congruence and quantifier order.
UC ⇒ BB
BB ⇒ PE
Key Lemmas
Lemma 6. Scope extrusion: νc. (P | Q) ≡ (νc. P) | Q   if c ∉ channels( Q )
Lemma 8. Double buffering
• One asynchronous buffer is indistinguishable from the composition of two
Lemma 9. Dummy adversary and buffer
• Composing a dummy adversary (that just sends network information to the environment) with an asynchronous buffer is indistinguishable from a buffer alone
Synchronous communication
Buffering fails (BB does not imply PE)
• With synchronous communication, adding a buffer or dummy adversary can change the observable order of actions
[Figure: the BB configuration (P with adversary A, versus sim(F|S) with adversary A, each under environment E over io and net channels) beside the PE configuration (P versus sim(F|S), each in a context over io and net channels)]
Conclusions and Future Work
UC, BB, PE: equivalent notions of security. So, use PE (simplest)
Complete this study
• Relate computational models
• Do results transfer?
Questions?
Language Approach
Write protocol in process calculus
• Accepted and long-studied approach to concurrency
Express security using observational equivalence
• Standard relation from programming language theory: P ≡ Q iff for all contexts C[ ], same observations about C[P] and C[Q]
• Inherently compositional
• Context represents adversary
Use proof rules for ≡ to prove security
• Protocol is secure if no adversary can distinguish it from some idealized version of the protocol