
Provable security of Internet cryptography protocols, by Douglas Stebila (PowerPoint presentation)



  1. Provable security of Internet cryptography protocols
  Douglas Stebila
  Based on joint works with Florian Bergsma, Katriel Cohn-Gordon, Cas Cremers, Ben Dowling, Marc Fischlin, Felix Günther, Luke Garratt, Florian Kohlar, Jörg Schwenk
  Funding acknowledgements: ATN-DAAD, ARC
  Summer School on real-world crypto and privacy • Šibenik, Croatia • June 15, 2018
  https://www.douglas.stebila.ca/research/presentations

  2. Introduction
  (Footer on every slide: Provable security of Internet protocols • Stebila • Summer school on real-world crypto & privacy • 2018-06-15)

  3. Establishing secure channels (diagram labels: auth, kex, conf, int)
  • Primary goal of much of cryptography: enabling secure communication between two parties

  4. Authenticated key exchange [auth, kex]
  • Goal: two parties establish a random shared session key between them; the key is unknown to any active adversary
  • Variety of very complex security models which capture subtly different properties: BR93, BR95, BJM97, BPR00, CK01, CK02, LLM07 (eCK), …

  5. AKE setting [auth, kex]
  • Multiple parties, each with a long-term secret key / public key pair
  • Distribution of public keys is typically outside the scope of the protocol (e.g., assume a PKI or magical key delivery fairy*)
  • A "session" is an instance of the protocol run at a party
  • Each party can run multiple sessions in parallel or sequentially
  • Each session eventually "accepts" (outputting a session key and the name of a peer) or "rejects"
  * Some attempts to model PKI in AKE: e.g. [Boyd et al., ESORICS 2013]

  6. AKE security goals [auth, kex]
  • Session key indistinguishability:
    • Two parties establish a session key that is indistinguishable from random
  • Server-to-client authentication:
    • If a client accepts in a session, then there exists a (unique) "matching" session at the peer
    • A party should accept only if its peer really was active in this sequence of communications
  • Client-to-server authentication

  7. AKE attack powers, informally [auth, kex]
  • Adversary can control all network communications, including:
    • Directing parties to send protocol messages
    • Changing the destination of a protocol message
    • Reordering, dropping, changing a protocol message
    • Creating protocol messages
  • Adversary can reveal certain secret values held by parties

  8. AKE attack powers, formally [auth, kex]
  Adversary can access several oracles. Some oracles simulate "normal" operation of the protocol:
  • Send(U, i, m): send message m to instance i of user U

  9. AKE attack powers, formally [auth, kex]
  Some oracles enable the experiment to be executed:
  • Test(U, i): a hidden bit b is chosen. If b = 0, the adversary is given the real session key for user U's i-th session; if b = 1, the adversary is given a uniform random string of the same length. The adversary must output a guess of b at the end of its execution.

  10. AKE attack powers, formally [auth, kex]
  Some oracles allow the attacker to learn certain secret values:
  • RevealLongTermKey(U): returns party U's long-term secret key
  • RevealRandomness(U, i): returns any randomness used by party U in session i
  • RevealSessionState(U, i): returns party U's local state in session i
  • RevealSessionKey(U, i): returns the session key derived by party U in session i

  11. AKE freshness [auth, kex]
  • Since some oracles allow the adversary to learn secret values, we have to prohibit the adversary from learning so many values that it could trivially compute the test session's session key: "freshness"
  • Different combinations of prohibited queries lead to different security properties and different AKE security models in the literature, e.g. eCK versus CK
  • Also introduces a notion of "matching" or "partnering"

  12. Authenticated encryption [conf, int]
  • Goal: two parties can transmit messages in a confidential way and be sure they are not interfered with (integrity)
  • Symmetric authenticated encryption assumes parties have a uniformly random shared secret key to begin with
  • Variety of increasingly complex security definitions to capture increasingly realistic security properties:
    • [Bellare, Namprempre ASIACRYPT 2000]
    • [Rogaway CCS 2002] – with associated data
    • [Bellare, Kohno, Namprempre CCS 2002]
    • [Kohno, Palacio, Black eprint 2003/177]
    • [Paterson, Ristenpart, Shrimpton ASIACRYPT 2011]
    • [Boldyreva, Degabriele, Paterson, Stam EUROCRYPT 2012]
    • [Fischlin, Günther, Marson, Paterson CRYPTO 2015]
    • [Shrimpton, yesterday's talk]
    • …

  13. AE models [conf, int] (diagram axes: Realism, Complexity; inspired by Tom Shrimpton's talk yesterday)
  • Partially-specified authenticated encryption for streams
  • Authenticated encryption for streams
  • Buffered stateful authenticated encryption
  • Stateful length-hiding authenticated encryption
  • Stateful authenticated encryption
  • Authenticated encryption
  • Confidentiality
  • Integrity

  14. Stateful length-hiding authenticated encryption with associated data [conf, int]
  • "Authenticated": integrity of ciphertexts
  • "Encryption": confidentiality of plaintexts
  • "Associated data": integrity of some associated "header" data which is not necessarily confidential (maybe not even transmitted)
  • "Stateful": cryptographic protection against reordering of ciphertexts
  • "Length-hiding": adversary can't distinguish between short and long messages (up to a maximum length)
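As an added illustration of the five properties on this slide (example code, not from the slides or any TLS implementation), the following Python sketch builds a stateful, length-hiding encrypt-then-MAC scheme with associated data: the receiver keeps its own record counter, so a replayed, reordered or tampered record fails verification and the channel stays closed afterwards, and every record is padded to a fixed bound so the ciphertext length reveals nothing about the plaintext length. Assumptions: HMAC-SHA256 stands in as both the keystream PRF and the MAC, and the padding layout is a constructed one rather than the TLS record format.

```python
import hmac, hashlib, struct

MAX_LEN = 64   # length-hiding bound: every record is padded to this many plaintext bytes
TAG_LEN = 32   # HMAC-SHA256 tag length

def _prf_block(key, seq, block):
    """Keystream block: HMAC-SHA256 over (sequence number, block index); a stand-in PRF, not a real cipher."""
    return hmac.new(key, struct.pack(">QI", seq, block), hashlib.sha256).digest()

class StatefulLHAE:
    def __init__(self, enc_key, mac_key):
        self.ek, self.mk = enc_key, mac_key
        self.send_seq, self.recv_seq = 0, 0   # per-direction record counters ("stateful")
        self.failed = False                   # after one bad record, accept nothing further

    def _pad(self, msg):
        # 2-byte true length, then zero padding up to MAX_LEN ("length-hiding")
        return struct.pack(">H", len(msg)) + msg + b"\x00" * (MAX_LEN - len(msg))

    def _xor_stream(self, seq, data):
        stream = b"".join(_prf_block(self.ek, seq, i) for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, stream))

    def _tag(self, seq, header, ct):
        # Sequence number and header are authenticated but not encrypted ("associated data")
        return hmac.new(self.mk, struct.pack(">Q", seq) + header + ct, hashlib.sha256).digest()

    def encrypt(self, header, msg):
        if len(msg) > MAX_LEN:
            raise ValueError("message exceeds the length-hiding bound")
        ct = self._xor_stream(self.send_seq, self._pad(msg))
        tag = self._tag(self.send_seq, header, ct)
        self.send_seq += 1
        return ct + tag

    def decrypt(self, header, record):
        """Return the plaintext, or None if the record is forged, replayed or out of order."""
        if self.failed:
            return None
        ct, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(self.recv_seq, header, ct)):
            self.failed = True
            return None
        padded = self._xor_stream(self.recv_seq, ct)
        self.recv_seq += 1
        (n,) = struct.unpack(">H", padded[:2])
        return padded[2:2 + n]
```

Because the counter is part of the MAC input but never transmitted, an adversary who swaps two records cannot make the receiver's expected sequence number match, which is exactly the reordering protection the "stateful" bullet refers to.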

  15. Composing AKE and AE [auth, kex, conf, int]
  To establish a secure channel:
  1. Use an AKE protocol to establish a shared secret key
  2. Use the shared secret key in an authenticated encryption scheme
  3. Apply a composability result, e.g. [Canetti, Krawczyk EUROCRYPT 2001]

  16. "Provable security"
  • Be aware of limitations of provable security methodology, e.g. Koblitz and Menezes
  • All these results are at the "specification level", not the "implementation level"

  17. TLS 1.2

  18. History of TLS
  • SSL: Secure Sockets Layer
    • Proposed by Netscape
    • SSLv2: 1995
    • SSLv3: 1996
  • HTTPS: HTTP (Hypertext Transport Protocol) over SSL
  • TLS: Transport Layer Security
    • IETF standardization of SSL
    • TLSv1.0 = SSLv3: 1999
    • TLSv1.1: 2006
    • TLSv1.2: 2008
    • TLSv1.3: 2018?

  19. SSL/TLS Protocol (diagram: Client and Server)
  HANDSHAKE:
  1. Negotiate cryptographic algorithms
  2. Authenticate using certificates (typically signed)
  3. Establish encryption keys (Diffie–Hellman)
  RECORD LAYER (both sides hold the key): Message 1 → Authenticated encryption → Ciphertext → Internet → Decryption & verification → Message 1; the same for Message 2

  20. SSL/TLS Protocol (diagram: Client and Server, as on the previous slide with the record layer abstracted)
  HANDSHAKE:
  1. Negotiate cryptographic algorithms
  2. Authenticate using certificates (typically signed)
  3. Establish encryption keys (Diffie–Hellman)
  RECORD LAYER (both sides hold the key): Message 1 and Message 2 are carried over the Internet inside the TLS session
