verification of security protocols part ii
play

Verification of Security Protocols Part II eronique Cortier 1 V - PowerPoint PPT Presentation

Formal methods for protocols Cryptographic models Passive case Active case Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/76 V eronique Cortier Verification of Security


  1. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Encryption : the old time Caesar encryption : A → E , B → F , C → G , . . . Cypher Disk (L´ eone Battista Alberti 1466) → subject to statistical analysis (Analyzing letter frequencies) 18/76 V´ eronique Cortier Verification of Security Protocols

  2. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Encryption : mechanized time Automatic substitutions and permutations Enigma 19/76 V´ eronique Cortier Verification of Security Protocols

  3. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Encryption nowadays → Based on algorithmically hard problems. RSA Function n = pq , p et q primes. e : public exponent x �→ x e mod n easy (cubic) y = x e �→ x mod n difficult x = y d o` u d = e − 1 mod φ ( n ) 20/76 V´ eronique Cortier Verification of Security Protocols

  4. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Encryption nowadays → Based on algorithmically hard problems. RSA Function n = pq , p et q primes. e : public exponent x �→ x e mod n easy (cubic) y = x e �→ x mod n difficult x = y d o` u d = e − 1 mod φ ( n ) Diffie-Hellman Problem Given A = g a and B = g b , Compute DH( A , B ) = g ab 20/76 V´ eronique Cortier Verification of Security Protocols

  5. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Encryption nowadays → Based on algorithmically hard problems. RSA Function n = pq , p et q primes. e : public exponent x �→ x e mod n easy (cubic) y = x e �→ x mod n difficult x = y d o` u d = e − 1 mod φ ( n ) Diffie-Hellman Problem Given A = g a and B = g b , Compute DH( A , B ) = g ab → Based on hardness of integer factorization. 20/76 V´ eronique Cortier Verification of Security Protocols

  6. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Estimations for integer factorization Module Operations (bits) (in log 2 ) 512 58 ≈ 2 60 years 1024 80 2048 111 4096 149 8192 156 → Lower bound for RSA and Diffie-Hellman. 21/76 V´ eronique Cortier Verification of Security Protocols

  7. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models How does an (asymmetric) encryption algorithm look like ? Example : OAEP [Bellare Rogaway] n k 1 k 2 M r 0 M : plaintext of length n G r : randomness of length ⊕ k 0 H G , H : hash function f k : trapdoor function ⊕ s t E K ( x ; r ) = f K ( s || t ) 22/76 V´ eronique Cortier Verification of Security Protocols

  8. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models What is a secure encryption scheme ? 23/76 V´ eronique Cortier Verification of Security Protocols

  9. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models What is a secure encryption scheme ? Intuitively : An adversary should not know the underlying plaintext. 23/76 V´ eronique Cortier Verification of Security Protocols

  10. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Security of asymmetric encryption Public data : c = E k e ( m , r ) cyphertext k e encryption key There exists a unique message m satisfying the relation (with possible several relevant r ) → An exhaustive search on m and r yields m ! 24/76 V´ eronique Cortier Verification of Security Protocols

  11. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Security of asymmetric encryption Public data : c = E k e ( m , r ) cyphertext k e encryption key There exists a unique message m satisfying the relation (with possible several relevant r ) → An exhaustive search on m and r yields m ! ⇒ Unconditional secrecy is impossible, one has to rely on algorithmic assumptions. 24/76 V´ eronique Cortier Verification of Security Protocols

  12. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models How to define an attacker/adversary We wish to model an attacker : as clever as possible → he/she should be able to perform any operation with a limited time. E.g. we do not wish to consider attacks that require 2 60 years Otherwise, the adversary could enumerate all keys (exponential time in 2 size ( keys ) ) 25/76 V´ eronique Cortier Verification of Security Protocols

  13. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models How to define an attacker/adversary We wish to model an attacker : as clever as possible → he/she should be able to perform any operation with a limited time. E.g. we do not wish to consider attacks that require 2 60 years Otherwise, the adversary could enumerate all keys (exponential time in 2 size ( keys ) ) Model : we consider any Turing machine that models any algorithm probabilistic : The adversary can generate keys and chose randomly his behavior polynomial in the size of the keys : which represents a reasonable execution time. 25/76 V´ eronique Cortier Verification of Security Protocols

  14. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Security proof in a nutshell Proof by reduction 1 Hypothesis : The algorithmic problem P is hard = there is no polynomial algorithm ( P = RSA , DL , DDH , CDH ...) 26/76 V´ eronique Cortier Verification of Security Protocols

  15. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Security proof in a nutshell Proof by reduction 1 Hypothesis : The algorithmic problem P is hard = there is no polynomial algorithm ( P = RSA , DL , DDH , CDH ...) 2 Reduction : If there exists a (polynomial) adversary A un adversaire (polynomial) breaking the encryption scheme, Then one can build upon A for solving P in polynomial time. 26/76 V´ eronique Cortier Verification of Security Protocols

  16. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Security proof in a nutshell Proof by reduction 1 Hypothesis : The algorithmic problem P is hard = there is no polynomial algorithm ( P = RSA , DL , DDH , CDH ...) 2 Reduction : If there exists a (polynomial) adversary A un adversaire (polynomial) breaking the encryption scheme, Then one can build upon A for solving P in polynomial time. 3 Conclusion : the encryption scheme is secure, there is no polynomial adversary. 26/76 V´ eronique Cortier Verification of Security Protocols

  17. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models What is a secure encryption scheme ? An adversary should not know the underlying plaintext. → several possible definitions of knowledge 27/76 V´ eronique Cortier Verification of Security Protocols

  18. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models One-Wayness (OW) Basic security property : One-Wayness (OW) without the inverse key, one cannot retrieve the underlying plaintext : Pr m , r [ c = E ( m ; r ) | A ( c ) = m ] is negligible. 28/76 V´ eronique Cortier Verification of Security Protocols

  19. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models One-Wayness (OW) Basic security property : One-Wayness (OW) without the inverse key, one cannot retrieve the underlying plaintext : Pr m , r [ c = E ( m ; r ) | A ( c ) = m ] is negligible. Negligibility : f is negligible if for any polynomial p , there exists η 0 s.t. for all η ≥ η 0 f ( η ) ≤ 1 / p ( η ) 28/76 V´ eronique Cortier Verification of Security Protocols

  20. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Not strong enough ! The adversary may be able to compute half of the secret message. There is no guarantee in case that some partial information on the secret is known. 29/76 V´ eronique Cortier Verification of Security Protocols

  21. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Not strong enough ! The adversary may be able to compute half of the secret message. There is no guarantee in case that some partial information on the secret is known. → Introduction of a notion of indistinguishability. : The adversary shall not guess even one bit of the underlying plaintext. 29/76 V´ eronique Cortier Verification of Security Protocols

  22. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Indistinguabilit´ e (IND) Game Adversary : A = ( A 1 , A 2 ) 1 the adversary A 1 is given the public key pk. pk A 1 A 2 A E 30/76 V´ eronique Cortier Verification of Security Protocols

  23. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Indistinguabilit´ e (IND) Game Adversary : A = ( A 1 , A 2 ) 1 the adversary A 1 is given the public key pk. 2 The adversary A 1 chooses two messages m 0 , m 1 . pk A 1 A 2 A ( m 0 , m 1 ) E 30/76 V´ eronique Cortier Verification of Security Protocols

  24. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Indistinguabilit´ e (IND) Game Adversary : A = ( A 1 , A 2 ) 1 the adversary A 1 is given the public key pk. 2 The adversary A 1 chooses two messages m 0 , m 1 . 3 one bit b = 0 , 1 is flipped and c = E ( m b ; r ) is given to the adversary. pk A 1 A 2 A ( m 0 , m 1 ) E ( m b ; r ) E 30/76 V´ eronique Cortier Verification of Security Protocols

  25. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Indistinguabilit´ e (IND) Game Adversary : A = ( A 1 , A 2 ) 1 the adversary A 1 is given the public key pk. 2 The adversary A 1 chooses two messages m 0 , m 1 . 3 one bit b = 0 , 1 is flipped and c = E ( m b ; r ) is given to the adversary. 4 The adversary A 2 outputs b ′ . b ′ pk A 1 A 2 A ( m 0 , m 1 ) E ( m b ; r ) E 30/76 V´ eronique Cortier Verification of Security Protocols

  26. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Indistinguabilit´ e (IND) Game Adversary : A = ( A 1 , A 2 ) 1 the adversary A 1 is given the public key pk. 2 The adversary A 1 chooses two messages m 0 , m 1 . 3 one bit b = 0 , 1 is flipped and c = E ( m b ; r ) is given to the adversary. 4 The adversary A 2 outputs b ′ . b ′ pk A 1 A 2 A ( m 0 , m 1 ) E ( m b ; r ) E The probability Pr[ b = b ′ ] − 1 2 should be negligible. 30/76 V´ eronique Cortier Verification of Security Protocols

  27. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Even stronger ! Non Malleability (NM) Given a cyphertext E ( m ; r ) , the adversary should not be able to create a cyphertext E ( m ′ ; r ′ ) such that messages m and m ′ have a meaningful relation. 31/76 V´ eronique Cortier Verification of Security Protocols

  28. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Definition of Non Malleability (NM) Game Adversary : A = ( A 1 , A 2 ) 1 The adversary A 1 is given the public key pk. pk A 1 A 2 A E 32/76 V´ eronique Cortier Verification of Security Protocols

  29. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Definition of Non Malleability (NM) Game Adversary : A = ( A 1 , A 2 ) 1 The adversary A 1 is given the public key pk. 2 The adversary A 1 chooses a set of messages M . pk A 1 A 2 A M E 32/76 V´ eronique Cortier Verification of Security Protocols

  30. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Definition of Non Malleability (NM) Game Adversary : A = ( A 1 , A 2 ) 1 The adversary A 1 is given the public key pk. 2 The adversary A 1 chooses a set of messages M . 3 Two messages m and m ∗ are chosen at random in M and c = E ( m ; r ) is given to the adversary. pk A 1 A 2 A M c = E ( m ; r ) E m ∈ M , r 32/76 V´ eronique Cortier Verification of Security Protocols

  31. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Definition of Non Malleability (NM) Game Adversary : A = ( A 1 , A 2 ) 1 The adversary A 1 is given the public key pk. 2 The adversary A 1 chooses a set of messages M . 3 Two messages m and m ∗ are chosen at random in M and c = E ( m ; r ) is given to the adversary. 4 The adversary A 2 outputs a binary relation R and a cyphertext c ′ . R , c ′ pk A 1 A 2 A M c = E ( m ; r ) E m ∈ M , r 32/76 V´ eronique Cortier Verification of Security Protocols

  32. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Definition of Non Malleability (NM) R , c ′ pk A 1 A 2 A M c = E ( m ; r ) E m ∈ M , r 33/76 V´ eronique Cortier Verification of Security Protocols

  33. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Definition of Non Malleability (NM) m ′ = D ( c ′ ) R , c ′ pk A 1 A 2 A D M c = E ( m ; r ) E m ∈ M , r 33/76 V´ eronique Cortier Verification of Security Protocols

  34. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Definition of Non Malleability (NM) m ′ = D ( c ′ ) R , c ′ pk A 1 A 2 A D M c = E ( m ; r ) E m ∈ M , r The probability Pr[ R ( m , m ′ )] − Pr[ R ( m , m ∗ )] should be negligible. 33/76 V´ eronique Cortier Verification of Security Protocols

  35. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Relations Non Malleability ⇓ Indistinguishability ⇓ One-Wayness Exercise (medium) : show the implications. 34/76 V´ eronique Cortier Verification of Security Protocols

  36. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Adding even more security The adversary has access to oracles : → Encryption of all messages of his choice → Decryption of all messages of his choice Three standard levels of security : Chosen-Plaintext Attacks (CPA) 35/76 V´ eronique Cortier Verification of Security Protocols

  37. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Adding even more security The adversary has access to oracles : → Encryption of all messages of his choice → Decryption of all messages of his choice Three standard levels of security : Chosen-Plaintext Attacks (CPA) Non adaptive Chosen-Ciphertext Attacks (CCA1) → access to the (decryption) oracle before the challenge. 35/76 V´ eronique Cortier Verification of Security Protocols

  38. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Adding even more security The adversary has access to oracles : → Encryption of all messages of his choice → Decryption of all messages of his choice Three standard levels of security : Chosen-Plaintext Attacks (CPA) Non adaptive Chosen-Ciphertext Attacks (CCA1) → access to the (decryption) oracle before the challenge. Adaptive Chosen-Ciphertext Attacks (CCA2) → unlimited access to the (decryption) oracle (except for the challenge) 35/76 V´ eronique Cortier Verification of Security Protocols

  39. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Relations NM-CPA NM-CCA1 NM-CCA2 IND-CPA IND-CCA1 IND-CCA2 OW-CPA 36/76 V´ eronique Cortier Verification of Security Protocols

  40. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Outline of the talk Towards more cryptographic guarantees 1 Formal methods for protocols Yesterday course Adding equational theories 2 Cryptographic models Encryption schemes Security of encryption Cryptographic models Linking formal and cryptographic models 3 Passive case Setting Patterns Soundness of indistinguishability 4 Active case Setting Trace mapping A special case : computational secrecy General computational indistinguishability 37/76 V´ eronique Cortier Verification of Security Protocols

  41. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Cryptographic models Encryption is only one component of cryptographic models Cryptographic primitives : encryption, signatures, ... Protocol model Adversary Security notions 38/76 V´ eronique Cortier Verification of Security Protocols

  42. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Setting for cryptographic protocols Protocol : Message exchange program using cryptographic primitives Adversary A : any probabilistic polynomial Turing machine, i.e. any probabilistic polynomial program. polynomial : captures what is feasible probabilistic : the adversary may try to guess some information 39/76 V´ eronique Cortier Verification of Security Protocols

  43. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Definition of secrecy preservation → Several notions of secrecy : One-Wayness : The probability for an adversary A to compute the secret s against a protocol P is negligible (smaller than any inverse of polynomial). 1 ∀ p polynomial ∃ η 0 ∀ η ≥ η 0 Pr η m , r [ A ( P K ) = s ] ≤ p ( η ) η : security parameter = key length 40/76 V´ eronique Cortier Verification of Security Protocols

  44. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Definition of secrecy preservation → Several notions of secrecy : One-Wayness : The probability for an adversary A to compute the secret s against a protocol P is negligible (smaller than any inverse of polynomial). 1 ∀ p polynomial ∃ η 0 ∀ η ≥ η 0 Pr η m , r [ A ( P K ) = s ] ≤ p ( η ) η : security parameter = key length → Not enough ! (why ?) 40/76 V´ eronique Cortier Verification of Security Protocols

  45. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Computational secrecy Computational secrecy of s is defined through the following game : Two values n 0 and n 1 are randomly generated instead of s ; The adversary interacts with the protocol where s is replaced by n b , b ∈ { 0 , 1 } ; We give the pair ( n 0 , n 1 ) to the adversary ; The adversary gives b ′ , The data s is secret if Pr[ b = b ′ ] − 1 2 is a negligible function. 41/76 V´ eronique Cortier Verification of Security Protocols

  46. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models A typical cryptographic proof 1 Assume that some algorithmic problem P is difficult (E.g. RSA or integer factorization or Discrete Log or CDH, DDH, ...) 2 Suppose that a (polynomial probabilistic) adversary A breaks the protocol security with non negligible probability 42/76 V´ eronique Cortier Verification of Security Protocols

  47. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models A typical cryptographic proof 1 Assume that some algorithmic problem P is difficult (E.g. RSA or integer factorization or Discrete Log or CDH, DDH, ...) 2 Suppose that a (polynomial probabilistic) adversary A breaks the protocol security with non negligible probability 3 Build out of A an adversary B that solves P . 42/76 V´ eronique Cortier Verification of Security Protocols

  48. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models A typical cryptographic proof 1 Assume that some algorithmic problem P is difficult (E.g. RSA or integer factorization or Discrete Log or CDH, DDH, ...) 2 Suppose that a (polynomial probabilistic) adversary A breaks the protocol security with non negligible probability 3 Build out of A an adversary B that solves P . 4 Conclude that the protocol is secure provided P is difficult. 42/76 V´ eronique Cortier Verification of Security Protocols

  49. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Outline of the talk Towards more cryptographic guarantees 1 Formal methods for protocols Yesterday course Adding equational theories 2 Cryptographic models Encryption schemes Security of encryption Cryptographic models Linking formal and cryptographic models 3 Passive case Setting Patterns Soundness of indistinguishability 4 Active case Setting Trace mapping A special case : computational secrecy General computational indistinguishability 43/76 V´ eronique Cortier Verification of Security Protocols

  50. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Formal and Cryptographic approaches Formal approach Cryptographic approach Messages terms bitstrings Encryption idealized algorithm any polynomial Adversary idealized algorithm reachability-based Secrecy property indistinguishability property Guarantees unclear strong Protocol may be complex usually simpler 44/76 V´ eronique Cortier Verification of Security Protocols

  51. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Formal and Cryptographic approaches Formal approach Cryptographic approach Messages terms bitstrings Encryption idealized algorithm any polynomial Adversary idealized algorithm reachability-based Secrecy property indistinguishability property Guarantees unclear strong Protocol may be complex usually simpler by hand, tedious Proof automatic and error-prone Link between the two approaches ? 44/76 V´ eronique Cortier Verification of Security Protocols

  52. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Composition of the two approaches Automatic cryptographically sound proofs Formal approach: verification Ideal of idealized protocols protocol Implemented protocol Cryptographers: verification signature encryption of the cryptographic primitives algorithm algorithm 45/76 V´ eronique Cortier Verification of Security Protocols

  53. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Passive Case A first result : seminal result from M. Abadi and Ph. Rogaway J. of Cryptology, 2002 How to symbolically abstract computational indistinguishability of distributions ? 46/76 V´ eronique Cortier Verification of Security Protocols

  54. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Setting Messages are represented by terms T ::= term s | variable x | a name/nonce | f ( T 1 , . . . , T k ) application of symbol f ∈ F In the initial result of Abadi and Rogaway, F = { enc , � , �} Each functional symbol has a concrete implementation ⇒ a sequence of messages n , enc( n , k ) , enc( � n , n � , k ) generates a distribution : uniform distribution for nonces and application of the functions (symmetric encryption and pairing). 47/76 V´ eronique Cortier Verification of Security Protocols

  55. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Distinguishing distributions [ ψ ′ ] The two distributions [ [ ψ ] ] and [ ] are indistinguishable, [ ψ ′ ] [ [ ψ ] ] ≈ [ ], if � � � � � ]; A ( η, � � [ ψ ′ ] ]; A ( η, � ψ ← [ [ ψ ] ψ ) = 1 − P ψ ← [ ψ ) = 1 P is a negligible function of η . 48/76 V´ eronique Cortier Verification of Security Protocols

  56. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Distinguishing distributions [ ψ ′ ] The two distributions [ [ ψ ] ] and [ ] are indistinguishable, [ ψ ′ ] [ [ ψ ] ] ≈ [ ], if � � � � � ]; A ( η, � � [ ψ ′ ] ]; A ( η, � ψ ← [ [ ψ ] ψ ) = 1 − P ψ ← [ ψ ) = 1 P is a negligible function of η . Examples φ 1 = n 0 , n 1 , enc( n 0 , k ) φ 2 = n 0 , n 1 , enc( n 1 , k ) 48/76 V´ eronique Cortier Verification of Security Protocols

  57. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Distinguishing distributions [ ψ ′ ] The two distributions [ [ ψ ] ] and [ ] are indistinguishable, [ ψ ′ ] [ [ ψ ] ] ≈ [ ], if � � � � � ]; A ( η, � � [ ψ ′ ] ]; A ( η, � ψ ← [ [ ψ ] ψ ) = 1 − P ψ ← [ ψ ) = 1 P is a negligible function of η . Examples φ 1 = n 0 , n 1 , enc( n 0 , k ) ≈ φ 2 = n 0 , n 1 , enc( n 1 , k ) φ 3 = n 0 , n 1 , enc( n 0 , k ) , k φ 4 = n 0 , n 1 , enc( n 1 , k ) , k 48/76 V´ eronique Cortier Verification of Security Protocols

  58. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Distinguishing distributions [ ψ ′ ] The two distributions [ [ ψ ] ] and [ ] are indistinguishable, [ ψ ′ ] [ [ ψ ] ] ≈ [ ], if � � � � � ]; A ( η, � � [ ψ ′ ] ]; A ( η, � ψ ← [ [ ψ ] ψ ) = 1 − P ψ ← [ ψ ) = 1 P is a negligible function of η . Examples φ 1 = n 0 , n 1 , enc( n 0 , k ) ≈ φ 2 = n 0 , n 1 , enc( n 1 , k ) φ 3 = n 0 , n 1 , enc( n 0 , k ) , k �≈ φ 4 = n 0 , n 1 , enc( n 1 , k ) , k φ 6 = enc( n 0 , k ′ ) , k φ 5 = enc( n 0 , k ) , k 48/76 V´ eronique Cortier Verification of Security Protocols

  59. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Distinguishing distributions [ ψ ′ ] The two distributions [ [ ψ ] ] and [ ] are indistinguishable, [ ψ ′ ] [ [ ψ ] ] ≈ [ ], if � � � � � ]; A ( η, � � [ ψ ′ ] ]; A ( η, � ψ ← [ [ ψ ] ψ ) = 1 − P ψ ← [ ψ ) = 1 P is a negligible function of η . Examples φ 1 = n 0 , n 1 , enc( n 0 , k ) ≈ φ 2 = n 0 , n 1 , enc( n 1 , k ) φ 3 = n 0 , n 1 , enc( n 0 , k ) , k �≈ φ 4 = n 0 , n 1 , enc( n 1 , k ) , k φ 5 = enc( n 0 , k ) , k �≈ φ 6 = enc( n 0 , k ′ ) , k 48/76 V´ eronique Cortier Verification of Security Protocols

  60. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Patterns : Definition of what is visible to an intruder Given a sequence S = M 1 , M 2 , . . . , M k , we define Pat( S ) = { Pat S ( M 1 ) , Pat S ( M 2 ) , . . . , Pat S ( M k ) } with 49/76 V´ eronique Cortier Verification of Security Protocols

  61. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Patterns : Definition of what is visible to an intruder Given a sequence S = M 1 , M 2 , . . . , M k , we define Pat( S ) = { Pat S ( M 1 ) , Pat S ( M 2 ) , . . . , Pat S ( M k ) } with � a if S ⊢ a Pat S ( a ) = otherwise � 49/76 V´ eronique Cortier Verification of Security Protocols

  62. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Patterns : Definition of what is visible to an intruder Given a sequence S = M 1 , M 2 , . . . , M k , we define Pat( S ) = { Pat S ( M 1 ) , Pat S ( M 2 ) , . . . , Pat S ( M k ) } with � a if S ⊢ a Pat S ( a ) = otherwise � Pat S ( � M 1 , M 2 � ) � Pat S ( M 1 ) , Pat S ( M 2 ) � = 49/76 V´ eronique Cortier Verification of Security Protocols

  63. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Patterns : Definition of what is visible to an intruder Given a sequence S = M 1 , M 2 , . . . , M k , we define Pat( S ) = { Pat S ( M 1 ) , Pat S ( M 2 ) , . . . , Pat S ( M k ) } with � a if S ⊢ a Pat S ( a ) = otherwise � Pat S ( � M 1 , M 2 � ) � Pat S ( M 1 ) , Pat S ( M 2 ) � = � { Pat S ( M ) } k if S ⊢ k Pat S ( { M } k ) = � otherwise 49/76 V´ eronique Cortier Verification of Security Protocols

  64. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Reminder : deduction system Standard “Dolev Yao” deduction system, seen Part I of this course. T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ � u , v � T ⊢ enc( u , v ) T ⊢ � u , v � T ⊢ � u , v � u ∈ T T ⊢ u T ⊢ u T ⊢ v T ⊢ enc( u , v ) T ⊢ v T ⊢ u 50/76 V´ eronique Cortier Verification of Security Protocols

  65. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Examples φ 1 = n 0 , n 1 , enc( n 0 , k ) ≈ φ 2 = n 0 , n 1 , enc( n 1 , k ) n 0 , n 1 , � n 0 , n 1 , � 51/76 V´ eronique Cortier Verification of Security Protocols

  66. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Examples φ 1 = n 0 , n 1 , enc( n 0 , k ) ≈ φ 2 = n 0 , n 1 , enc( n 1 , k ) n 0 , n 1 , � n 0 , n 1 , � φ 3 = n 0 , n 1 , enc( n 0 , k ) , k �≈ φ 4 = n 0 , n 1 , enc( n 1 , k ) , k n 0 , n 1 , enc( n 0 , k ) , k n 0 , n 1 , enc( n 1 , k ) , k 51/76 V´ eronique Cortier Verification of Security Protocols

  67. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Examples φ 1 = n 0 , n 1 , enc( n 0 , k ) ≈ φ 2 = n 0 , n 1 , enc( n 1 , k ) n 0 , n 1 , � n 0 , n 1 , � φ 3 = n 0 , n 1 , enc( n 0 , k ) , k �≈ φ 4 = n 0 , n 1 , enc( n 1 , k ) , k n 0 , n 1 , enc( n 0 , k ) , k n 0 , n 1 , enc( n 1 , k ) , k enc( n 0 , k ′ ) , k φ 5 = enc( n 0 , k ) , k �≈ φ 6 = enc( n 0 , k ) , k � , k 51/76 V´ eronique Cortier Verification of Security Protocols

  68. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Examples φ 1 = n 0 , n 1 , enc( n 0 , k ) ≈ φ 2 = n 0 , n 1 , enc( n 1 , k ) n 0 , n 1 , � n 0 , n 1 , � φ 3 = n 0 , n 1 , enc( n 0 , k ) , k �≈ φ 4 = n 0 , n 1 , enc( n 1 , k ) , k n 0 , n 1 , enc( n 0 , k ) , k n 0 , n 1 , enc( n 1 , k ) , k enc( n 0 , k ′ ) , k φ 5 = enc( n 0 , k ) , k �≈ φ 6 = enc( n 0 , k ) , k � , k Definition Two patterns are equivalent, denoted by ≡ if they are equal up-to bijective renaming. 51/76 V´ eronique Cortier Verification of Security Protocols

  69. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Soundness of indistinguishability Theorem (Abadi-Rogaway) Equivalence of patterns implies computational indistinguishability Pat( S 1 ) ≡ Pat( S 2 ) ⇒ [ [ S 1 ] ] ≈ [ [ S 2 ] ] 52/76 V´ eronique Cortier Verification of Security Protocols

  70. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Soundness of indistinguishability Theorem (Abadi-Rogaway) Equivalence of patterns implies computational indistinguishability Pat( S 1 ) ≡ Pat( S 2 ) ⇒ [ [ S 1 ] ] ≈ [ [ S 2 ] ] Provided that : Encryption is IND-CPA 52/76 V´ eronique Cortier Verification of Security Protocols

  71. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Soundness of indistinguishability Theorem (Abadi-Rogaway) Equivalence of patterns implies computational indistinguishability Pat( S 1 ) ≡ Pat( S 2 ) ⇒ [ [ S 1 ] ] ≈ [ [ S 2 ] ] Provided that : Encryption is IND-CPA message length-concealing Pat(enc( n , k )) = � = Pat(enc( � n , n , n , n � , k )) 52/76 V´ eronique Cortier Verification of Security Protocols

  72. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Soundness of indistinguishability Theorem (Abadi-Rogaway) Equivalence of patterns implies computational indistinguishability Pat( S 1 ) ≡ Pat( S 2 ) ⇒ [ [ S 1 ] ] ≈ [ [ S 2 ] ] Provided that : Encryption is IND-CPA message length-concealing Pat(enc( n , k )) = � = Pat(enc( � n , n , n , n � , k )) which key-concealing Pat(enc( n , k ) , enc( n ′ , k )) = � = Pat(Pat(enc( n , k ) , enc( n ′ , k ′ ))) 52/76 V´ eronique Cortier Verification of Security Protocols

  73. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Soundness of indistinguishability Theorem (Abadi-Rogaway) Equivalence of patterns implies computational indistinguishability Pat( S 1 ) ≡ Pat( S 2 ) ⇒ [ [ S 1 ] ] ≈ [ [ S 2 ] ] Provided that : Encryption is IND-CPA message length-concealing Pat(enc( n , k )) = � = Pat(enc( � n , n , n , n � , k )) which key-concealing Pat(enc( n , k ) , enc( n ′ , k )) = � = Pat(Pat(enc( n , k ) , enc( n ′ , k ′ ))) S 1 , S 2 contain no key cycles Examples : enc( k , k ) or enc( k 1 , k 2 ) , enc( k 2 , k 1 ) 52/76 V´ eronique Cortier Verification of Security Protocols

  74. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Proof of soundness of indistinguishability Lemma (Main lemma) [ [ S ] ] ≈ [ [Pat( S )] ] We can then easily deduce the main theorem. 53/76 V´ eronique Cortier Verification of Security Protocols

  75. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Proof of soundness of indistinguishability Lemma (Main lemma) [ [ S ] ] ≈ [ [Pat( S )] ] We can then easily deduce the main theorem. Indeed, assume Pat( S 1 ) ≡ Pat( S 2 ). 1 By the lemma, we have [ [ S 1 ] ] ≈ [ [Pat( S 1 )] ] and [ [ S 2 ] ] ≈ [ [Pat( S 2 )] ]. 2 Then Pat( S 1 ) ≡ Pat( S 2 ) implies [ [Pat( S 1 )] ] ≈ [ [Pat( S 2 )] ]. 53/76 V´ eronique Cortier Verification of Security Protocols

  76. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Proof of the main lemma [ [ S ] ] ≈ [ [Pat( S )] ] Main steps : Renaming Let K 1 , . . . , k n be the hidden (non deducible) keys of S and J 1 , . . . , J l be the visible (deducible) keys of S . Since S contain no key cycles, we may assume that K j does not encrypt k i whenever i < j . 54/76 V´ eronique Cortier Verification of Security Protocols

  77. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Proof of the main lemma [ [ S ] ] ≈ [ [Pat( S )] ] Main steps : Renaming Let K 1 , . . . , k n be the hidden (non deducible) keys of S and J 1 , . . . , J l be the visible (deducible) keys of S . Since S contain no key cycles, we may assume that K j does not encrypt k i whenever i < j . Intermediate patterns We define a sequence Pat o ( S ) , . . . , . . . Pat n ( S ) such that Pat o ( S ) = Pat( S ) and Pat n ( S ) = S 54/76 V´ eronique Cortier Verification of Security Protocols

  78. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Proof of the main lemma [ [ S ] ] ≈ [ [Pat( S )] ] Main steps : Renaming Let K 1 , . . . , k n be the hidden (non deducible) keys of S and J 1 , . . . , J l be the visible (deducible) keys of S . Since S contain no key cycles, we may assume that K j does not encrypt k i whenever i < j . Intermediate patterns We define a sequence Pat o ( S ) , . . . , . . . Pat n ( S ) such that Pat o ( S ) = Pat( S ) and Pat n ( S ) = S Hybrid argument If [ [ S ] ] �≈ [ [Pat( S )] ] then there exists i such that [ [Pat i ( S )] ] �≈ [ [Pat i +1 ( S )] ]. 54/76 V´ eronique Cortier Verification of Security Protocols

  79. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Proof of the main lemma [ [ S ] ] ≈ [ [Pat( S )] ] Main steps : Renaming Let K 1 , . . . , k n be the hidden (non deducible) keys of S and J 1 , . . . , J l be the visible (deducible) keys of S . Since S contain no key cycles, we may assume that K j does not encrypt k i whenever i < j . Intermediate patterns We define a sequence Pat o ( S ) , . . . , . . . Pat n ( S ) such that Pat o ( S ) = Pat( S ) and Pat n ( S ) = S Hybrid argument If [ [ S ] ] �≈ [ [Pat( S )] ] then there exists i such that [ [Pat i ( S )] ] �≈ [ [Pat i +1 ( S )] ]. Security of encryption [ [Pat i ( S )] ] �≈ [ [Pat i +1 ( S )] ] contradicts the security of encryption. 54/76 V´ eronique Cortier Verification of Security Protocols

Recommend


More recommend