
Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen - PowerPoint PPT Presentation

Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu, Institute of Computer Science Agenda Introduction Probabilistic-spi calculus Security protocol verification Conclusion Q&A


  1. Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu, Institute of Computer Science

  2. Agenda • Introduction • Probabilistic-spi calculus • Security protocol verification • Conclusion • Q&A

  3. Protocol Analysis Techniques
     • Two views of cryptographic analysis
       – Formal model
       – Computational model
     • Crypto Protocol Analysis
       – Dolev-Yao Formal Model (perfect cryptography)
           Model Checking: Murphi, AVISPA
           Protocol Logics: BAN, PCL
           Process Calculi: Applied Π-calculus
           …
       – Computational Model
           Random oracle
           Probabilistic process calculi
           Probabilistic I/O automata
           …

  4. The Best of Both Worlds, can we?
     • Attacker actions
       – Formal Model: (-) Fixed set of actions, e.g., decryption with known key (ABSTRACTION)
       – Computational Model: (+) Any probabilistic poly-time computation
     • Security properties
       – Formal Model: (-) Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION)
       – Computational Model: (+) Fine-grained, e.g., secret message = no partial information about bitstring representation
     • Analysis methods
       – Formal Model: (+) Successful array of tools and techniques; automation
       – Computational Model: (-) Hand-proofs are difficult, error-prone; no automation

  5. Our Approaches
     • A “hybrid” model
       – Semantics for imperfect cryptography
       – Probabilistic-spi calculus
       – Intruder model
     • Related works
       – Probabilistic Polynomial-time equivalence [Mitchell-Scedrov]
       – Reconciling Two Views of Cryptography [Abadi-Rogaway]
       – Soundness and completeness of formal encryption [Adao-Bana-Scedrov]
       – …

  6. Semantics for imperfect cryptography
     • pPat grammar
         P.p, Q.p ::=          probabilistic patterns
             K.p               key (for K ∈ Keys)
             m.p               string (for m ∈ String)
             (P.p, Q.p).p      pair
         p ∈ [0, 1]
     • Probability of obtaining m from {m}_K without knowing K
         ∀ A, Pr[m ← A({m}_K, G)] ≤ p_dec({m}_K, G)

  7. Evaluate the Probability

  8. Example
     • Consider M = (({{(m,K)}_K1}_K2, {(K1,K2)}_K), K’)

  9. Example (3)
     • Consider M = (({{(m,K)}_K1}_K2, {(K1,K2)}_K), K’)

  10. Example (4)

  11. Security Notion • Indistinguishability M � � N � pP M ~ pP N /\ | pMax M – pMax N | � �

  12. Security Notion (2) • Perfect encryption vs Ideal encryption M ≅ N ⇔ M � 0 N M ≅ N � M � � N ∀ � ∈ [0,1] M ≅ N � M � � N ∀ � > 1/q( η ) �

  13. Probabilistic-spi Calculus
      • Works with “imperfect” cryptography
      • Extended from spi-calculus
        – Probability to attack encrypted terms without knowing corresponding key
        – Allows statistical analysis, guessing, etc.

  14. Probabilistic-spi Grammar
      • Set of terms
          L;M;N ::=                  terms
              N                      name
              (M;N)                  pair
              0                      zero
              suc(M)                 successor
              x                      variable
              {m}_K.p
      • Set of processes
          P,Q,R ::=                  processes
              M⟨N⟩.P                 output
              M(x).P                 input
              P | Q                  composition
              (νn)P                  restriction
              !P                     replication
              [M is N] P             match
              0                      nil
              let (x, y) = M in P    pair splitting
              case M of 0 : P suc(x) : Q    integer case

  15. Result
      • When the probability of the intruder is zero (i.e. ideal cryptography), probabilistic-spi calculus is restricted to spi-calculus.
      • Unsafe in probabilistic-spi calculus implies unsafe in computational model
      • Safe in probabilistic-spi calculus implies safe in computational model

  16. Security Protocol Verification • Probabilistic computational tree

  17. Security Protocol Verification (2)
      • Given protocol P with set of states S, set of transition rules R and set of rules AR for identifying an attack state

      qModelCheck(P)
      Input: Protocol P = (S,R,AR) and probability p
      Output: 1 if the protocol is secure, 0 otherwise
        1. If (ispAttack_AR(S) /\ pAttack_AR(S) � p) then Return 0;
        2. Compute set pApplicable_lhs(S) for each r ∈ R with r = lhs → rhs;
        3. Compute pSuccR(S);
        4. For each S’ ∈ pSuccR(S);
        5.     B = qModelCheck(S’,R,AR);
        6.     If (B == 0) then Return 0;
        7. Return 1
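A toy rendering of the qModelCheck recursion from slide 17, added here as an example and not taken from the presentation. The slide does not define pApplicable, pSuccR or pAttack, and its comparison operator is garbled, so the fact-set states, the per-rule probabilities multiplied along a path, the `>=` test and all names below are assumptions.

```python
from typing import FrozenSet, List, NamedTuple, Tuple

class Rule(NamedTuple):
    lhs: FrozenSet[str]  # facts the intruder must already hold
    rhs: FrozenSet[str]  # facts gained when the rule fires
    prob: float          # assumed success probability (1.0 = ideal step)

State = Tuple[FrozenSet[str], float]  # (known facts, probability of reaching them)

def p_applicable(state: State, rules: List[Rule]) -> List[Rule]:
    facts, _ = state
    # Skip rules that add nothing new, so every path is finite.
    return [r for r in rules if r.lhs <= facts and not r.rhs <= facts]

def p_succ(state: State, rules: List[Rule]) -> List[State]:
    facts, prob = state
    return [(facts | r.rhs, prob * r.prob) for r in p_applicable(state, rules)]

def q_model_check(state: State, rules: List[Rule],
                  attack: FrozenSet[str], p: float) -> int:
    facts, prob = state
    if attack <= facts and prob >= p:      # step 1 (">=" is an assumption)
        return 0
    for nxt in p_succ(state, rules):       # steps 2-4
        if q_model_check(nxt, rules, attack, p) == 0:  # steps 5-6
            return 0
    return 1                               # step 7

# Constructed sample: the intruder observes {m}_K1 and {K1}_K2 and holds no keys.
C_M, C_K1 = "{m}_K1", "{K1}_K2"
INIT: State = (frozenset({C_M, C_K1}), 1.0)
ATTACK = frozenset({"m"})  # attack state: the intruder knows m
RULES = [
    Rule(frozenset({C_K1}), frozenset({"K1"}), 0.01),     # break {K1}_K2 without K2
    Rule(frozenset({C_M, "K1"}), frozenset({"m"}), 1.0),  # decrypt with known key
    Rule(frozenset({C_M}), frozenset({"m"}), 0.02),       # break {m}_K1 without K1
]

if __name__ == "__main__":
    for p in (0.05, 0.02):
        print(p, q_model_check(INIT, RULES, ATTACK, p))
```

With these constructed probabilities the most likely path to m has probability 0.02, so the check passes for a threshold of 0.05 and fails for 0.02.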

  18. Conclusion
      • Advantage
        – Simple model
        – Inherits from spi-calculus. Can apply automatic verification tools
        – Extends the Dolev-Yao model. Can relate protocol in formal view to computational view
      • Drawback
        – Needs further consideration to be sure of compatibility with automatic verification tools
        – Restricted to spi-calculus.
      • Work with other model checking methods (e.g. lazy intruder model)?

  19. Thank you! Q&A
