First steps towards cryptographically sound confidentiality analysis of cryptographic protocols
Peeter Laud, peeter l@ut.ee
Tartu Ülikool / Cybernetica AS
Teooriapäevad, Arulas, 3.-5.02.2003 (p.1/27)
Overview (p.2/27)
- Cryptographic protocols: introduction, running example, semantics, security definition.
- Simple analysis.
- Main idea.
- Elaboration on the basis of the running example: modifying the protocol; (abstractly) interpreting the protocol.
Cryptographic protocols — structure (p.3/27)
A protocol is a set of roles. A role is a sequence of statements. Statements send and receive messages, construct new messages, take existing messages apart, and check the equality of messages. Each role also has a name: "initiator", "responder", "server", etc.
Example protocol (p.4/27)
A has a message M that it wants to send securely to B.
  1. A → S : A, B, N_A
  2. S → A : encr_{K_AS}(N_A, B, K_AB, encr_{K_BS}(K_AB, A))
  3. A → B : encr_{K_BS}(K_AB, A)
  4. A → B : encr_{K_AB}(M)
K_AS [resp. K_BS] is the key shared between A [resp. B] and the server S. K_AB is a new key generated by the server. N_A is a nonce, a random number.
More formal write-up (p.5/27)
The superscript (A), (B) or (S) on a variable names the role that holds it; π_i is projection to the i-th component of a tuple.

Role A:
  Generate random N_A^(A)
  Send (A, B, N_A^(A))
  Receive msg2
  forA^(A) := decr_{K_AS}(msg2)
  N_A^(A2) := π_1(forA^(A))
  Check if N_A^(A) = N_A^(A2)
  K_AB^(A) := π_3(forA^(A))
  forB^(A) := π_4(forA^(A))
  Send forB^(A)
  eM := encr_{K_AB^(A)}(M)
  Send eM

Role B:
  Receive msg3
  forB^(B) := decr_{K_BS}(msg3)
  K_AB^(B) := π_1(forB^(B))
  Receive msg4
  M^(B) := decr_{K_AB^(B)}(msg4)

Role S:
  Receive msg1
  N_A^(S) := π_3(msg1)
  Generate key K_AB
  forB^(S) := encr_{K_BS}(K_AB, A)
  forA^(S) := encr_{K_AS}(N_A^(S), B, K_AB, forB^(S))
  Send forA^(S)
Semantics — computation (p.6/27)
All values are bit-strings. An encryption scheme, a triple of algorithms (G, E, D), is given; all algorithms here and later are probabilistic polynomial-time (PPT). Key generation, encryption and decryption are done by G, E and D respectively.
If a "Check if ..." fails, the protocol party gets stuck. If a decryption fails (encryption is not necessarily surjective, so not every bit-string is a valid ciphertext) or a projection fails, the party likewise gets stuck.
Semantics — communication (p.7/27)
All communication is under the control of the adversary, a PPT algorithm.
[Figure: parties P_1, P_2, ..., P_n, each connected only to Adv]
Sending means handing the message over to the adversary. Receiving waits until the adversary provides the party with some message.
Security definition (p.8/27)
M remains confidential if
  (M, view_Adv(M)) ≈ (M', view_Adv(M)),
where view_Adv(M) is the adversary's view of a run of the protocol in which the message is M, M' is another message value, and ≈ denotes computational indistinguishability of the two distributions: the view must not let the adversary tell the actual M apart from an unrelated M'.
[Figure: parties P_1, ..., P_n connected only to Adv, whose accumulated input is view_Adv]
A very simple-minded analysis (p.9/27)
  tainted(M)
  x := Expr(x_1, ..., x_k),  ∃i: tainted(x_i)  ⟹  tainted(x)
If there is a statement Send y with tainted(y), the protocol is declared insecure; otherwise it is declared secure.
This makes no use of the security properties of encryption: encr_K(M) is as tainted as M itself, so every protocol that sends M in encrypted form is rejected.
Security against chosen-ciphertext attack (p.10/27)
(G, E, D) is secure against CCA if no PPT algorithm A can distinguish the following two pairs of black boxes:
  - (E_k(·), D_k(·)), where k is generated by G (we denote this k ← G);
  - (E_k(0), D_k(·)), where k ← G and 0 is a fixed bit-string; when queried, E_k(0) discards its input.
Algorithm A accesses the black boxes through an oracle interface, i.e. it can make queries to them. The side condition is that A does not query D_k(·) with anything output by the other black box.
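The two black-box pairs of this definition, written out as an added example (not from the slides), with the side condition enforced by the oracle object. The scheme is a toy of my choice, a SHA-256 counter-mode keystream under an HMAC-SHA256 tag (encrypt-then-MAC), and "0" is taken to be the all-zero string of the same length as the query, since no practical scheme hides the length anyway; both are assumptions, not part of the page. The trivial distinguisher shows why the side condition is needed: without it, decrypting the challenge tells the worlds apart with certainty.

```python
"""CCA game as two oracle pairs; the toy scheme and the zero-string reading of '0'
are assumptions of this example."""
import hashlib
import hmac
import os


def G():
    """Key generation: 16 bytes for the keystream PRF, 32 bytes for the MAC."""
    return os.urandom(48)


def _keystream(k, nonce, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(k[:16] + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def E(k, m):
    """Encrypt-then-MAC with a fresh random nonce."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(m, _keystream(k, nonce, len(m))))
    tag = hmac.new(k[16:], nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def D(k, c):
    """Plaintext, or None when decryption fails (the protocol party gets stuck)."""
    if len(c) < 48:
        return None
    nonce, ct, tag = c[:16], c[16:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(k[16:], nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k, nonce, len(ct))))


class ForbiddenQuery(Exception):
    """D_k(.) was asked about an output of the other black box."""


class CCAOracles:
    """world 0: (E_k(.), D_k(.));  world 1: (E_k(0), D_k(.)) with E_k(0) discarding its input.
    `restrict` enforces the side condition of the definition."""

    def __init__(self, world, restrict=True):
        self.k, self.world, self.restrict = G(), world, restrict
        self.produced = set()

    def enc(self, m):
        c = E(self.k, m if self.world == 0 else bytes(len(m)))
        self.produced.add(c)
        return c

    def dec(self, c):
        if self.restrict and c in self.produced:
            raise ForbiddenQuery("D_k queried with an output of the encryption box")
        return D(self.k, c)


def trivial_distinguisher(oracles):
    """Decrypts the challenge; works only when the side condition is not enforced."""
    m = b"attack at dawn"
    c = oracles.enc(m)
    try:
        return 0 if oracles.dec(c) == m else 1
    except ForbiddenQuery:
        return None   # the definition rules this strategy out


def tamper_distinguisher(oracles):
    """Flips one ciphertext bit and asks D_k; the tag makes the answer None in both worlds."""
    c = bytearray(oracles.enc(b"attack at dawn"))
    c[16] ^= 1
    return oracles.dec(bytes(c))
```

With `restrict=True` the only thing an adversary learns from a modified challenge is "decryption failed", which is the same in both worlds; a scheme without the tag would let the tampered query succeed and reveal the keystream.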
Main idea (p.11/27)
We could replace some encr_K(x) with encr_K(Z), where Z is such that [Z] = 0. This would reduce the dependencies in the analysis, and the analysis may give more interesting information about the modified protocol.
If certain conditions are satisfied, then the distributions of (M, view_Adv(M)) and (M', view_Adv(M)) do not significantly change. In this case, anything that the analysis claims about the modified protocol is also true for the original protocol.
"Certain conditions" (p.12/27)
- Key k must be replaceable by E_k(·) and D_k(·): in the construction of messages that are sent out, k may only be used as an encryption key. Whether this holds may be determined similarly to "tainted".
- We must know exactly where the key k is used. Key k may occur under several names; we'll elaborate on this later.
- We must make sure that D_k(·) is not queried with non-allowed values. A program transformation helps.
On querying the decryption oracle (p.13/27)
Let the uses of E_k(·) before the evaluation of decr_k(w) be
  x_1 := encr_{k_1}(y_1), ..., x_n := encr_{k_n}(y_n)
(k_1, ..., k_n being the names under which k occurs). Replace decr_k(w) by
  case w of
    x_1 → y_1
    ...
    x_n → y_n
    else → decr_k(w)
This makes no change to the adversary's view: a ciphertext that was produced under k is mapped back to the plaintext it was made from, exactly as decryption would, and D_k(·) is only invoked on the remaining values.
To avoid creating circular dependencies, we consider all serialisations of the protocol.
Example protocol — a serialisation (p.14/27)
  A: Generate random N_A^(A)
  A: Send (A, B, N_A^(A))
  S: Receive msg1
  S: N_A^(S) := π_3(msg1)
  S: Generate key K_AB
  S: tmp1 := (K_AB, A)
  S: forB^(S) := encr_{K_BS}(tmp1)
  S: tmp2 := (N_A^(S), B, K_AB, forB^(S))
  S: forA^(S) := encr_{K_AS}(tmp2)
  S: Send forA^(S)
  A: Receive msg2
  A: forA^(A) := decr_{K_AS}(msg2)
  A: N_A^(A2) := π_1(forA^(A))
  A: Check if N_A^(A) = N_A^(A2)
  A: K_AB^(A) := π_3(forA^(A))
  A: forB^(A) := π_4(forA^(A))
  A: Send forB^(A)
  B: Receive msg3
  B: forB^(B) := decr_{K_BS}(msg3)
  B: K_AB^(B) := π_1(forB^(B))
  A: eM := encr_{K_AB^(A)}(M)
  A: Send eM
  B: Receive msg4
  B: M^(B) := decr_{K_AB^(B)}(msg4)
The adversary schedules... (p.15/27)
Is the following case possible? M remains confidential in all serialisations, but the schedule itself depends on M (and leaks something about it).
Answer: no. The schedule depends only on the adversary's actions, which depend only on the adversary's input, which is independent of M.
Example: using keys (p.16/27)
The serialisation of p.14; the statements that use a key are marked on the right.
  A: Generate random N_A^(A)
  A: Send (A, B, N_A^(A))
  S: Receive msg1
  S: N_A^(S) := π_3(msg1)
  S: Generate key K_AB
  S: tmp1 := (K_AB, A)
  S: forB^(S) := encr_{K_BS}(tmp1)             ← K_BS as encryption key
  S: tmp2 := (N_A^(S), B, K_AB, forB^(S))
  S: forA^(S) := encr_{K_AS}(tmp2)             ← K_AS as encryption key
  S: Send forA^(S)
  A: Receive msg2
  A: forA^(A) := decr_{K_AS}(msg2)             ← K_AS as decryption key
  A: N_A^(A2) := π_1(forA^(A))
  A: Check if N_A^(A) = N_A^(A2)
  A: K_AB^(A) := π_3(forA^(A))
  A: forB^(A) := π_4(forA^(A))
  A: Send forB^(A)
  B: Receive msg3
  B: forB^(B) := decr_{K_BS}(msg3)             ← K_BS as decryption key
  B: K_AB^(B) := π_1(forB^(B))
  A: eM := encr_{K_AB^(A)}(M)                  ← K_AB^(A) as encryption key
  A: Send eM
  B: Receive msg4
  B: M^(B) := decr_{K_AB^(B)}(msg4)            ← K_AB^(B) as decryption key
Example: using K_AS (p.17/27)
The same serialisation; only the uses of K_AS are marked.
  A: Generate random N_A^(A)
  A: Send (A, B, N_A^(A))
  S: Receive msg1
  S: N_A^(S) := π_3(msg1)
  S: Generate key K_AB
  S: tmp1 := (K_AB, A)
  S: forB^(S) := encr_{K_BS}(tmp1)
  S: tmp2 := (N_A^(S), B, K_AB, forB^(S))
  S: forA^(S) := encr_{K_AS}(tmp2)             ← K_AS as encryption key
  S: Send forA^(S)
  A: Receive msg2
  A: forA^(A) := decr_{K_AS}(msg2)             ← K_AS as decryption key
  A: N_A^(A2) := π_1(forA^(A))
  A: Check if N_A^(A) = N_A^(A2)
  A: K_AB^(A) := π_3(forA^(A))
  A: forB^(A) := π_4(forA^(A))
  A: Send forB^(A)
  B: Receive msg3
  B: forB^(B) := decr_{K_BS}(msg3)
  B: K_AB^(B) := π_1(forB^(B))
  A: eM := encr_{K_AB^(A)}(M)
  A: Send eM
  B: Receive msg4
  B: M^(B) := decr_{K_AB^(B)}(msg4)
The other key uses do not count: K_BS is not K_AS, and K^(?)_AB (that is, K_AB^(A) and K_AB^(B)) comes from a message received from the network.
Example: replacing K_AS (p.18/27)
The encryption under K_AS now encrypts Z, and the decryption under K_AS becomes the case-lookup of p.13.
  A: Generate random N_A^(A)
  A: Send (A, B, N_A^(A))
  S: Receive msg1
  S: N_A^(S) := π_3(msg1)
  S: Generate key K_AB
  S: tmp1 := (K_AB, A)
  S: forB^(S) := encr_{K_BS}(tmp1)
  S: tmp2 := (N_A^(S), B, K_AB, forB^(S))
  S: forA^(S) := encr_{K_AS}(Z)
  S: Send forA^(S)
  A: Receive msg2
  A: forA^(A) := case msg2 of
                   forA^(S) → tmp2
                   else → decr_{K_AS}(msg2)
  A: N_A^(A2) := π_1(forA^(A))
  A: Check if N_A^(A) = N_A^(A2)
  A: K_AB^(A) := π_3(forA^(A))
  A: forB^(A) := π_4(forA^(A))
  A: Send forB^(A)
  B: Receive msg3
  B: forB^(B) := decr_{K_BS}(msg3)
  B: K_AB^(B) := π_1(forB^(B))
  A: eM := encr_{K_AB^(A)}(M)
  A: Send eM
  B: Receive msg4
  B: M^(B) := decr_{K_AB^(B)}(msg4)
Example: replacing K_BS (p.19/27)
The same transformation applied to K_BS as well.
  A: Generate random N_A^(A)
  A: Send (A, B, N_A^(A))
  S: Receive msg1
  S: N_A^(S) := π_3(msg1)
  S: Generate key K_AB
  S: tmp1 := (K_AB, A)
  S: forB^(S) := encr_{K_BS}(Z)
  S: tmp2 := (N_A^(S), B, K_AB, forB^(S))
  S: forA^(S) := encr_{K_AS}(Z)
  S: Send forA^(S)
  A: Receive msg2
  A: forA^(A) := case msg2 of
                   forA^(S) → tmp2
                   else → decr_{K_AS}(msg2)
  A: N_A^(A2) := π_1(forA^(A))
  A: Check if N_A^(A) = N_A^(A2)
  A: K_AB^(A) := π_3(forA^(A))
  A: forB^(A) := π_4(forA^(A))
  A: Send forB^(A)
  B: Receive msg3
  B: forB^(B) := case msg3 of
                   forB^(S) → tmp1
                   else → decr_{K_BS}(msg3)
  B: K_AB^(B) := π_1(forB^(B))
  A: eM := encr_{K_AB^(A)}(M)
  A: Send eM
  B: Receive msg4
  B: M^(B) := decr_{K_AB^(B)}(msg4)
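An added example, not from the slides, that runs the dependency analysis of p.9 over the serialisation of p.14 and then over the transformed programs of p.18 and p.19, to make visible what "reduce the dependencies" on p.11 buys. It goes beyond the single taint bit of p.9 and tracks, for each variable, the set of secret values it may depend on; the p.9 rule is then the question whether M is in the set of a sent value. The modelling choices are mine: abstract values are sets of secret names or tuples of such values, so projections out of a tuple the protocol built itself stay precise; a Receive yields something the adversary may have computed from everything sent so far (p.7); Z depends on nothing (this is how "[Z] = 0" is read here); the case-lookup of p.13 depends on the received message, the ciphertext it is compared against and the plaintext it returns; and the operands of a Check become control dependencies of everything that role does afterwards, since a failed Check stops the party (p.6). Variable names follow the slides (N_A_A for N_A^(A), forA_S for forA^(S), and so on).

```python
"""Dependency analysis of the example protocol before/after the encr_k(Z) replacement.
The abstraction (sets/tuples, Receive = whole view, Z = no dependencies) is this
example's own choice, not the slides'."""
from collections import defaultdict


def flat(v):
    """All secret names an abstract value may depend on."""
    if isinstance(v, tuple):
        return frozenset().union(*(flat(c) for c in v))
    return v


def add(v, extra):
    """Add the dependencies `extra` to every component of v."""
    if isinstance(v, tuple):
        return tuple(add(c, extra) for c in v)
    return v | extra


def join(u, v):
    """Value of a variable that may hold either u or v (the arms of a case)."""
    if isinstance(u, tuple) and isinstance(v, tuple) and len(u) == len(v):
        return tuple(join(a, b) for a, b in zip(u, v))
    if isinstance(u, tuple):
        return add(u, flat(v))
    if isinstance(v, tuple):
        return add(v, flat(u))
    return u | v


def ev(e, env):
    """Abstract value of an expression; strings are variable or constant names."""
    if isinstance(e, str):
        return env[e]
    op = e[0]
    if op == "tup":
        return tuple(ev(x, env) for x in e[1:])
    if op == "proj":                      # pi_i(e); unknown structure -> whole value
        v = ev(e[2], env)
        return v[e[1] - 1] if isinstance(v, tuple) else v
    if op in ("enc", "dec"):              # encr_k(x) / decr_k(x): an opaque bit-string
        return flat(ev(e[1], env)) | flat(ev(e[2], env))
    if op == "case":                      # case msg of ct -> y ... else decr_k(msg)
        _, msg, arms, key = e
        cond = flat(ev(msg, env))
        result = flat(ev(key, env)) | cond             # the else branch
        for ct, y in arms:
            result = join(result, add(ev(y, env), cond | flat(ev(ct, env))))
        return result
    raise ValueError(op)


def protocol(replaced=frozenset()):
    """Serialisation of p.14. For each key in `replaced`, encryptions under it become
    encr_k(Z) and the matching decryption becomes the case-lookup (p.18, p.19)."""
    def enc(key, plain):
        return ("enc", key, "Z" if key in replaced else plain)

    def dec(key, msg, ct, plain):
        return ("case", msg, [(ct, plain)], key) if key in replaced else ("dec", key, msg)

    return [
        ("gen", "A", "N_A_A"),
        ("send", "A", "msg1", ("tup", "A", "B", "N_A_A")),
        ("recv", "S", "msg1"),
        ("asgn", "S", "N_A_S", ("proj", 3, "msg1")),
        ("gen", "S", "K_AB"),
        ("asgn", "S", "tmp1", ("tup", "K_AB", "A")),
        ("asgn", "S", "forB_S", enc("K_BS", "tmp1")),
        ("asgn", "S", "tmp2", ("tup", "N_A_S", "B", "K_AB", "forB_S")),
        ("asgn", "S", "forA_S", enc("K_AS", "tmp2")),
        ("send", "S", "msg2", "forA_S"),
        ("recv", "A", "msg2"),
        ("asgn", "A", "forA_A", dec("K_AS", "msg2", "forA_S", "tmp2")),
        ("asgn", "A", "N_A_A2", ("proj", 1, "forA_A")),
        ("check", "A", "N_A_A", "N_A_A2"),
        ("asgn", "A", "K_AB_A", ("proj", 3, "forA_A")),
        ("asgn", "A", "forB_A", ("proj", 4, "forA_A")),
        ("send", "A", "msg3", "forB_A"),
        ("recv", "B", "msg3"),
        ("asgn", "B", "forB_B", dec("K_BS", "msg3", "forB_S", "tmp1")),
        ("asgn", "B", "K_AB_B", ("proj", 1, "forB_B")),
        ("asgn", "A", "eM", enc("K_AB_A", "M")),
        ("send", "A", "msg4", "eM"),
        ("recv", "B", "msg4"),
        ("asgn", "B", "M_B", ("dec", "K_AB_B", "msg4")),
    ]


def analyse(stmts):
    """(sent, view): dependency set of each sent message, and of the final adversary view."""
    env = {n: frozenset([n]) for n in ("M", "K_AS", "K_BS")}            # long-term secrets
    env.update({"A": frozenset(), "B": frozenset(), "Z": frozenset()})  # public constants
    ctrl = defaultdict(frozenset)   # control dependencies per role, collected from Checks
    view, sent = frozenset(), {}
    for st in stmts:
        kind, role = st[0], st[1]
        if kind == "gen":
            env[st[2]] = frozenset([st[2]])
        elif kind == "recv":
            env[st[2]] = view
        elif kind == "asgn":
            env[st[2]] = add(ev(st[3], env), ctrl[role])
        elif kind == "check":
            ctrl[role] |= flat(ev(st[2], env)) | flat(ev(st[3], env))
        elif kind == "send":
            sent[st[2]] = flat(ev(st[3], env)) | ctrl[role]
            view |= sent[st[2]]
    return sent, view


def verdict(sent):
    """The rule of p.9: insecure iff some sent value depends on M."""
    return "insecure" if any("M" in d for d in sent.values()) else "secure"
```

Running `analyse(protocol())` shows message 2 (forA^(S)) depending on K_AS, N_A, K_AB and K_BS; after `analyse(protocol(frozenset({"K_AS", "K_BS"})))` it depends on K_AS alone, and message 3 no longer carries K_AB at all. The p.9 verdict is still "insecure" in both cases because eM := encr_{K_AB^(A)}(M) is untouched: K_AB^(A) is a key taken from a received message, which is exactly the case p.12 and p.17 defer to later.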