Unifying Equivalence-Based Definitions of Protocol Security

A. Datta, R. Küsters, J. C. Mitchell, A. Ramanathan, V. Shmatikov

Stanford University, SRI International

Main Result

Universal composability, black-box simulatability and process equivalence express the same properties of a protocol (with asynchronous communication)

• Result holds for any computational model satisfying standard process calculus equational principles

Outline

Equivalence-Based Specification
• Main Idea, Examples, Advantages

3 Approaches
• Models: Turing Machines, IO Automata, Process Calculus
• Security Notions: UC, BB, PE

Comparative Study
• Relating Security Notions
• Relating models (WIP)

General approach

Real protocol
• The protocol we want to use
• Expressed precisely in some formalism

Ideal protocol
• Defines the behavior we want from the real protocol
• May use unrealistic mechanisms (e.g., private channels)
• Expressed precisely in the same formalism

Specification
• Real protocol indistinguishable from ideal protocol
• Beaver '91, Goldwasser-Levin '90, Micali-Rogaway '91
• Depends on some characterization of observability

Achieves compositionality

Secrecy for Challenge-Response

Real Protocol P
  A → B: { i }_K
  B → A: { f(i) }_K

Ideal Protocol Q
  A → B: { random_number }_K
  B → A: { random_number }_K

Specification with Authentication

Real Protocol P
  A → B: { random i }_K                (public channel)
  B → A: { f(i) }_K                    (public channel)
  A → B: "OK" if f(i) received

Ideal Protocol Q
  A → B: { random i }_K                (public channel)
  B → A: { random j }_K                (public channel), and i, j         (private channel)
  A → B: "OK" if private i, j match public msgs

Pseudo-random number generators

Sequence from random seed (Real protocol)
  P_n: let b = nk-bit sequence generated from n random bits in PUBLIC b end

Truly random sequence (Ideal protocol)
  Q_n: let b = sequence of nk random bits in PUBLIC b end

P is a crypto-strong pseudo-random number generator  ⇔  $P \cong Q$

Equivalence is asymptotic in security parameter n

Many more…

• Commitment Schemes
• Signature Schemes
• Key Exchange
• Secure channels
• Secure Multiparty Computation

Compositionality

Crypto primitives
• Ciphertext indistinguishable from noise ⇒ encryption secure in all protocols

Protocols
• Protocol indistinguishable from ideal key distribution ⇒ protocol secure in all systems that rely on secure key distribution

Outline

Equivalence-Based Specification

3 Schools of Thought
• Models: Turing Machines, IO Automata, Process Calculus
• Security Notions: UC, BB, PE

Comparative Study

Three technical settings

Can, …: Universal composability
• Condition: two adversaries and environment
• Computation: Communicating Turing machines

PW, …: Black-box simulatability
• Condition: one adversary, simulator, environment
• Computation: I/O automata

AG, LMMRST, …: Process equivalence
• Condition: observational equivalence
• Computation: ppoly or nondet process calculus

More Background

                               Universal Compos.  Black-box Simulat.  Observ. Equiv.
Communicating Turing Machines  Canetti
I/O Automata                   Pfitz-W            Pfitz-W
Nondet. Process Calculus                                              Spi, Applied
Prob Poly Process Calculus                                            LMMRST

This study

                               Universal Compos.  Black-box Simulat.  Observ. Equiv.
Communicating Turing Machines  Canetti
I/O Automata                   Pfitz-W            Pfitz-W
Nondet. Process Calculus                                              Spi, Applied
Prob Poly Process Calculus                                            LMMRST
Axiomatic Calculus             UC                 BB                  PE

Compare conditions over uniform computation model

Ideal functionality (UC, BB)

What is the ideal key exchange protocol?
• Clients ask server for key, receive response?
• Server chooses keys and sends secretly?

Issue
• Easy to distinguish number of messages
• No "canonical" key exchange protocol is equivalent to all secure key exchange protocols

Ideal functionality
• Not a protocol with number of messages, etc.
• A functionality that can be used to create ideal protocols

Adversary vs. Environment (UC, BB)

Adversary
• Interacts with protocol over network
• Does not choose messages to send, contract to sign, certificate authority, …

Environment
• Represents the configuration of honest users who are trying to use the protocol
• Provides input to and observes output of protocol
• Example
  – Kerberos TGS, KDC, clients, servers set by environment

Separation of net and io channels of a protocol

Universal composability (UC)

Given
• Protocol P
• Ideal functionality F

Require
• For every adversary A1 for P, there exists an adversary A2 for F revealing same information in any environment E

[Diagram: on the left, environment E is connected over io channels to P and to A1, and P talks to A1 over net channels; on the right, the same E is connected over io channels to F and to A2, and F talks to A2 over net channels.]

Black-box simulatability

Given
• Protocol P
• Ideal functionality F

Require
• There exists a simulator S such that for any adversary A, protocols P and SF (the simulator S composed with F) reveal same information in any environment E

[Diagram: on the left, environment E is connected over io channels to P and to A, and P talks to A over net channels; on the right, E is connected over io channels to F (wrapped by the simulator S) and to the same A, and S talks to A over net channels.]

Observational Equivalence

Given
• Protocol P
• Ideal protocol Q (not functionality F)

Require
• Protocols P and Q reveal same information in any context C[]
• Context = attacker + environment

[Diagram: P placed in a context C[] = E + A, and Q placed in the same context C[] = E + A; the context reaches each protocol over both its io and its net channels.]

Comparison

UC and BB
+ Ideal functionality: allows single specification, regardless of communication pattern of protocol
- Separate adversary and environment: not clear if useful, except in exposition

Observational equivalence
+ Standard relation, well-known properties
+ Bisimulation technique
+ Proof system
- No ideal functionality

Process Equivalence

Given
• Protocol P
• Ideal functionality F

Require
• There exists a simulator S such that protocols P and SF (the simulator S composed with F) reveal same information in any context C[]
• Context = attacker + environment

[Diagram: P placed in a context C[] = E + A, and F wrapped by the simulator S placed in the same context C[] = E + A; the context reaches each over both io and net channels.]

Outline

Equivalence-Based Specification

3 Schools of Thought

Comparative Study
• Process calculus
• Equational Principles
• Security Definitions
• Results

Process Calculus

Syntax
  P ::= 0
      | out(c,T). P          send
      | in(c,x). P           receive
      | νc. (P)              private channel
      | [T=T] P              test
      | P | P                parallel composition
      | !_{q(|n|)}. P        bounded replication

Equational principles

Structural equivalence:
  $P \mid Q \equiv Q \mid P$
  $P \mid (Q \mid R) \equiv (P \mid Q) \mid R$
  $P \mid 0 \equiv P$
  $\nu c.\, P \equiv \nu d.\, [d/c]P$
  $\nu c.\, C[P] \equiv C[\nu c.\, P]$ if $c \notin \mathit{channels}(C[0])$

Observational equivalence:
  $P \cong Q \Rightarrow Q \cong P$
  $P \cong Q,\ Q \cong R \Rightarrow P \cong R$
  $P \cong Q \Rightarrow C[P] \cong C[Q]$

Prove results using these properties of process calculus

Formal definitions

Universal composability:   $\forall A_1\, \exists A_2.\ \nu\mathit{net}\,(P \mid A_1) \cong \nu\mathit{net}\,(F \mid A_2)$

Black-box simulatability:  $\exists S\, \forall A.\ \nu\mathit{net}\,(P \mid A) \cong \nu\mathit{net}\,(\mathit{sim}(F \mid S) \mid A)$

Process equivalence:       $\exists S.\ P \cong \mathit{sim}(F \mid S)$

Notes
• Relation $\cong$ includes quantifying over environments
• Divide channels into network channels, environment (io) channels

Results

UC and BB
• Equivalent with synchronous communication
• Equivalent with asynchronous communication

BB and Process Equivalence (PE)
• PE implies BB with synchronous communication
• PE is equivalent to BB with asynchronous communication

Results hold for any computational framework satisfying standard equational principles (PPC, spi, …)

Proof sketch (also have nice pictures)

PE ⇒ BB ⇒ UC: Easy. Congruence and quantifier order.

UC ⇒ BB

BB ⇒ PE

Key Lemmas

Lemma 6. Scope Extrusion
  $\nu c.\,(P \mid Q) \equiv (\nu c.\, P) \mid Q$ if $c \notin \mathit{channels}(Q)$

Lemma 8. Double buffering
• One asynchronous buffer is indistinguishable from the composition of two

Lemma 9. Dummy adversary and buffer
• Composing a dummy adversary (that just sends network information to the environment) with an asynchronous buffer is indistinguishable from a buffer alone
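The equational principles of the process calculus (commutativity, associativity, unit and renaming of private channels) and the scope extrusion lemma above, as an added example that is not part of the slides or of the authors' work: terms are encoded as Python tuples (an assumption of this example, as is the rule that user channel names never start with "#"), a canonical form decides the four structural rules, and scope_extrusion applies Lemma 6 only when its side condition holds.

```python
# Added example (not the slides' or authors' code): slide-22 syntax as Python tuples, the
# slide-23 structural rules as a canonical form, and Lemma 6 with its side condition.
# Assumed encoding: ("0",) ("out",c,T,P) ("in",c,x,P) ("nu",c,P) ("par",P,Q) ("test",T1,T2,P);
# channel names, T and x are plain strings that never start with "#".
ZERO = ("0",)

def channels(p):
    # free channel names of a term; a ν-bound channel is not free below its binder
    if p[0] == "nu":
        return channels(p[2]) - {p[1]}
    if p[0] == "par":
        return channels(p[1]) | channels(p[2])
    if p[0] == "0":
        return set()
    return ({p[1]} if p[0] in ("out", "in") else set()) | channels(p[3])  # test binds nothing

def rename(p, old, new):
    # [new/old]p on channel names, stopping at a binder of `old` (`new` must be fresh)
    tag = p[0]
    if tag in ("out", "in"):
        return (tag, new if p[1] == old else p[1], p[2], rename(p[3], old, new))
    if tag == "nu":
        return p if p[1] == old else ("nu", p[1], rename(p[2], old, new))
    if tag == "par":
        return ("par", rename(p[1], old, new), rename(p[2], old, new))
    return p if tag == "0" else ("test", p[1], p[2], rename(p[3], old, new))

def normal_form(p, depth=0):
    # canonical form modulo P|Q ≡ Q|P, P|(Q|R) ≡ (P|Q)|R, P|0 ≡ P, νc.P ≡ νd.[d/c]P: parallel
    # parts are flattened, 0 dropped and sorted; the k-th nested binder is renamed "#k"
    if p[0] == "0":
        return ZERO
    if p[0] == "nu":
        fresh = f"#{depth}"
        return ("nu", fresh, normal_form(rename(p[2], p[1], fresh), depth + 1))
    if p[0] != "par":                        # out / in / test: normalise the continuation
        return p[:3] + (normal_form(p[3], depth),)
    def flat(t):
        return flat(t[1]) + flat(t[2]) if t[0] == "par" else [normal_form(t, depth)]
    parts = sorted(n for n in flat(p) if n != ZERO)
    return ZERO if not parts else parts[0] if len(parts) == 1 else ("par", *parts)

def equiv(p, q):                             # structural equivalence via canonical forms
    return normal_form(p) == normal_form(q)

def scope_extrusion(c, p, q):
    # Lemma 6: νc.(P | Q) ≡ (νc.P) | Q, sound only if c ∉ channels(Q): refuse otherwise
    if c in channels(q):
        raise ValueError(f"{c!r} is free in Q: extrusion would change its scope")
    return ("par", ("nu", c, p), q)
```

When the side condition fails, channels() shows why: c becomes free in (νc.P) | Q although it is bound in νc.(P | Q), so the two terms are not equivalent.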

Synchronous communication

Buffering fails (BB does not imply PE)
• With synchronous communication, adding a buffer or dummy adversary can change the observable order of actions

[Diagram: the BB configuration, P with adversary A beside SF with A, compared with the PE configuration, P beside F wrapped by the simulator S; each side shows its io and net channels.]

Conclusions and Future Work

UC, BB, PE: equivalent notions of security. So, use PE (simplest)

Complete this study
• Relate computational models
• Do results transfer?


Questions?

Language Approach

Write protocol in process calculus
• Accepted and long-studied approach to concurrency

Express security using observational equivalence
• Standard relation from programming language theory: $P \cong Q$ iff for all contexts $C[\,]$, same observations about $C[P]$ and $C[Q]$
• Inherently compositional
• Context represents adversary

Use proof rules for $\cong$ to prove security
• Protocol is secure if no adversary can distinguish it from some idealized version of the protocol
