Computer Aided Security : Cryptographic Primitives, Voting - PowerPoint PPT Presentation

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Computer Aided Security : Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Pascal Lafourcade November 6, 2012 Habilitation ` a Diriger des Recherches 1 / 48

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Motivations Nowadays Security is Everywhere! 2 / 48

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Motivations What is cryptography based security? Cryptography: ◮ Primitives: RSA, Elgamal, AES, DES, SHA-3 ... ◮ Protocols: Distributed Algorithms Properties: ◮ Secrecy, ◮ Authentication, ◮ Privacy ... Intruders: ◮ Passive ◮ Active ◮ CPA, CCA ... Designing secure cryptographic protocols is difficult 3 / 48

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Motivations Security of Cryptographic Protocols How can we be convinced that a protocols is secure? ◮ Prove that there is no attack under some assumptions. ◮ proving is a difficult task, ◮ pencil-and-paper proofs are error-prone. How can we be convinced that a proof is correct? 4 / 48 Computer-Aided Security.

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Motivations Formal Verification Approaches Designer Attacker Give a proof Find a flaw 5 / 48

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Motivations Back to 1995 ≥ 17 (Casper/FDR) ◮ Cryptography: Perfect Encryption hypothesis ◮ Property: Secrecy, Authentication ◮ Intruder: ◮ Active ◮ Controlling the network ◮ Several sessions 6 / 48

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Motivations Success Story of Symbolic Verification Tools based on different theories for several properties 1995 Casper/FRD [Lowe] 2001 Proverif [Blanchet] 2003 Proof of certified email protocol with Proverif [AB] OFMC [BMV] Hermes [BLP] Flaw in Kerberos 5.0 with MSR 3.0 [BCJS] 2004 TA4SP [BHKO] 2005 SATMC [AC] 2006 CL-ATSE [Turuani] 2008 Scyther [Cremers] Flaw of Single Sign-On for Google Apps with SAT-MC [ACCCT] Proof of TLS using Proverif [BFCZ] 2010 TOOKAN [DDS] using SAT-MC for API 2012 Tamarin [BCM] 7 / 48

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Motivations Main Contributions: • Verification techniques for cryptography ◮ Asymmetric Encryptions ◮ Encryption Modes ◮ Message Authentication Codes • Properties for E-voting protocols ◮ Taxonomy of privacy notions ◮ Weighted votes • Intruder models and algorithms for WSN ◮ Neighbourhood Discovery Protocols ◮ Independent Intruders ◮ Routing Algorithms 8 / 48

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Hoare Logic for Proving Cryptographic Primitives Related Work ◮ CryptoVerif [BP06]: ◮ tool that generates proofs by sequences of games ◮ has automatic and manual modes ◮ CIL [BDKL10]: Computational Indistinguishability Logic for proving cryptographic primitives. ◮ CertiCrypt [BGZB09] /EasyCrypt [BGHB11]: ◮ Framework for machine-checked cryptographic proofs in Coq ◮ Improved by EasyCrypt: generates CertiCrypt proofs from proof sketches 10 / 48

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Hoare Logic for Proving Cryptographic Primitives Our Approach Automatically proving security of cryptographic primitives 1. Defining a language 2. Modeling security properties 3. Building a Hoare Logic for proving the security Correct but not complete. ◮ Asymmetric Encryption SchemesAsymmetric Encryption Schemes [CDELL’08,CDELL’10] ◮ Encryption Modes [GLLS’09] ◮ Message Authentication Codes (MACs) Submitted [GLL’13] 11 / 48

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Hoare Logic for Proving Cryptographic Primitives Examples of Asymmetric Encryptions [BR’93] : f ( r ) || x ⊕ G ( r ) || H ( x || r ) ◮ [SZ’93] : f ( r ) || G ( r ) ⊕ ( x || H ( x )) ◮ [BR’94] OAEP : f ( s || r ⊕ H ( s )) ◮ where s = x 0 k ⊕ G ( r ) [Shoup’02] OAEP+ : f ( s || r ⊕ H ( s )) ◮ where s = x ⊕ G ( r ) || H ′ ( r || x ). [FO’99] : E (( x || r ); H ( x || r )) ◮ where E is IND-CPA. f is a one-way trapdoor permutation, H and G are hash functions and r is a random seed. 12 / 48

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Hoare Logic for Proving Cryptographic Primitives Security Property: Indistinguishability Indis( x ; V 1 ; V 2 ): seeing V 1 and f ( V 2 ). 13 / 48

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Hoare Logic for Proving Cryptographic Primitives Modelling: Generic Encryption Scheme Grammar for Generic Encryption cmd ::= x ← U | x := f ( y ) | x := H ( y ) | x := y ⊕ z | x := y || z | cmd; cmd Bellare & Rogaway’93: f ( r ) || in e ⊕ G ( r ) || H (in e || r ) A Generic Encryption Scheme E BR 93 (in e , out e ) = E (in e , out e )= r ← U ; r c 1 ; a := f ( r ); c 2 ; g := G ( r ); . . . b := in e ⊕ g ; c n ; t := in e || r ; c := H ( t ); out e := a || b || c 14 / 48

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Hoare Logic for Proving Cryptographic Primitives Only Three Predicates in the ROM Predicates ::= H( G , e ) | WS( x ; V ) | Indis( x ; V 1 ; V 2 ) ψ ϕ ::= true | ψ | ϕ ∧ ϕ ◮ H ( G , e ): Not-Hashed-Yet r Pr[ S ← X : S ( e ) ∈ S ( T H ) . dom ] is negligible. ◮ WS ( x ; V ): cannot to compute some “hidden” value. r Pr[ S ← X : A ( S ) = S ( x )] is negligible. ◮ Indis ( x ; V 1 ; V 2 ): seeing V 1 and f ( V 2 ). But more than 30 rules 15 / 48

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Hoare Logic for Proving Cryptographic Primitives Verification Technique: Hoare Logic Set of rules ( R i ) : { P } cmd { Q } ( R 5 ) { P 0 } c 1 { Q 0 } ( R 2 ) { P 1 } c 2 { Q 2 } , where P 1 ⊆ Q 0 . . . ( R 8 ) { P n } c n { Indis ( out e ) } ? Examples of rules: (X2): { Indis( w ; V 1 , y , z ; V 2 ) } x := y ⊕ z { Indis( w ; V 1 , x , y , z ; V 2 ) } (H6): { WS( y ; V 1 ; V 2 , y ) ∧ H( H , y ) } x := H ( y ) { WS( y ; V 1 , x ; V 2 , y ) } 16 / 48

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Hoare Logic for Proving Cryptographic Primitives Example : Bellare & Rogaway’s 1993 r ← { 0 , 1 } n 0 − Indis( r ) ∧ H( G , r ) ∧ H( H , h || r ) r a := f ( r ) − Indis( a ; Var − r ) ∧ WS( r ; Var − r ) ∧ − H( H , h || r ) g := G ( r ) − Indis( a ; Var − r ) ∧ Indis( g ; Var − r ) ∧ − WS( r ; Var − r ) ∧ H( H , h || r ) e := h ⊕ g − Indis( a ; Var − r ) ∧ Indis( e ) ∧ − ∧ WS( r ; Var − r ) ∧ H( H , h || r ) d := h || r − Indis( a ) ∧ Indis( e ) ∧ − WS( r ; Var − r ) ∧ − H( H , d ) ∧ WS( d ) c := H ( d ) − Indis( a ) ∧ Indis( e ) − ∧ Indis( c ) out e := a || e || c − Indis( oute ; { in e , out e } ) 17 / 48

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Hoare Logic for Proving Cryptographic Primitives Conclusion: Hoare Logics for proving ◮ Asymmetric Encryption Schemes ◮ An OCAML prototype of our 30 rules ◮ Extensions done for proving IND-CCA using IND-CPA + Plaintext Awareness ◮ Exact Security ◮ Symmetric Encryption Modes ◮ Counters ◮ FOR loops ◮ Exact Security ◮ An OCAML prototype of our 21 rules ◮ Message Authentication Codes (MACs) ◮ Different property: Unforgeability ◮ Almost-universal Hash function ◮ Keep track of possible collisions ◮ FOR loops ◮ An OCAML prototype of our 44 rules 18 / 48

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Electronic Voting Protocols Revisited Benaloh’s Encryption Revisited [Benaloh’94] Homomorphic Encryption n n � � { 0 } pk S { 1 } pk S { v i } pk S = { v i } pk S i =1 i =1 Result [FLA’11] ◮ Original Benaloh’s scheme is ambiguous (33%) : dec ( enc (14 , pk S ) , sk S ) = 14 mod 15 or 14 mod 5 = 4 ◮ Proposition of corrected version ◮ Proof using Kristian Gjosteen result Impact on an election: Result can change (either 14 or 4) 20 / 48

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Electronic Voting Protocols Hierarchy of Privacy Notions Security Properties of E-Voting Protocols Fairness Individual Verifiability Eligibility Universal Verifiability Privacy Correctness Receipt-Freeness Robustness Coercion-Resistance 21 / 48

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Electronic Voting Protocols Hierarchy of Privacy Notions Motivation Existing several models for Privacy, but they ◮ designed for a specific type of protocol ◮ often cannot be applied to other protocols Our Contributions: ◮ Define fine-grained Privacy definitions to compare protocols ◮ Analyze weighted votes protocols ◮ One coercer is enough 22 / 48