A Reactively Secure Dolev-Yao-style Cryptographic Library

1 © IBM, 2003-2004
Michael Backes, Birgit Pfitzmann, Michael Waidner
IBM Research, Zurich
A Reactively Secure Dolev-Yao-style Cryptographic Library
DIMACS, June 2004

The Big Picture
But can we justify (figure) given (figure)?

Limits of Automation
• Full arithmetic is out
• Probability theory just developing
So how do current tools handle cryptography?

Dolev-Yao Model
• Idea [DY81]
  • Abstraction as term algebras, e.g., Dx(Ex(Ex(m)))
  • Cancellation rules, e.g., DxEx = e
• Well-developed proof theories
  • Abstract data types
  • Equational 1st-order logic
• Important for security proofs
  • Inequalities! (Everything that cannot be derived.)
  • Known as “initial model”
Important goal: Justify or replace

Dolev-Yao Model – Variants [Ours]
• Operators and equations [EG82, M83, EGS85, ...]
  • sym enc, pub enc, nonce, payload, pairing, sigs, ...
  • Inequalities assumed across operators!
• Untyped or typed
• Destructors explicit or implicit
• Abstraction from probabilism
  • Finite selection, counting, multisets
• Surrounding protocol language
  • Special-purpose, CSP, pi-calculus, ... [any]
Figure: example term tree built from sign (with key pk’), E (with key pk), pairing (,), nonce N and payload m.

Overview of Our Approach
• Precise system model allowing cryptographic and abstract operations
• “As secure as” with composition theorem
• Preservation theorems for security properties
• Concrete pairs of idealizations and secure realizations
  • In particular: Dolev-Yao style cryptographic library
• Detailed proofs
  • Poly-time, cryptographic bisimulations with static information flow analysis, …

Other Work on DY Justification
• [AR00, AJ01, L01]: symmetric encryption, passive
• [HLM03]: public-key encryption, passive
• [MW04]: public-key encryption, much more restricted, slightly more efficient
• [L04]: active symmetric encryption (earlier than ours)

Reactive Simulatability
Figure: real system (H, M1, M2, A) next to ideal system (H, TH, A’).
Idea: Whatever happens with the real system (view_real(H)) could also happen with the ideal system (view_ideal(H)): indistinguishability of random variables.
[Y82, GMW87, GM95, LMMS98, HM00, PW00, PW01, C01, …]

Composition
Given: (figure)
Does this hold? (figure)
And transitivity (figure)

Cryptographic Idealization Layers
Figure: layers from larger abstractions down to low-level crypto (not abstract).
• Larger abstractions: VSS, certified mail, credentials, ... [GM95], [PSW00], [CL01]
• Secure channels [PW00, PW01, CK02, BJP02, ...]
• Small real abstractions:
  • Auth/sigs as statement database, ... [BPW03 ...] (related: [SM93, P93])
  • Encryption as E(pk, 1^len(m)); real auth/sigs + integrity lookup [LMMS98, PW00, C01, ...], [LMMS98, C01, ...]
• Low-level crypto (not abstract): normal cryptographic definitions, ...

Dolev-Yao-style Crypto Abstractions
• Recall: Term algebra, inequalities
• Major tasks:
  • Represent ideal and real library in the same way to higher protocols
  • Prevent honest users from stupidity with real crypto objects, but don’t restrict adversary
    • E.g., sending a bitstring that’s almost a signature
  • What imperfections are tolerable / must be allowed?

Ideal Cryptographic Library
Figure: users U and V (and adversary A) talk to TH. In: commands, payloads, terms → handles. Out: payloads / test results, terms → handles. No crypto outputs! Deterministic!
Term database with per-party handles (columns: for U, for V, for A):
  Term 1: Tu,1 | - |
  Term 2: Tu,2 | Tv,1 | Ta,1
  Term 3: Tu,3 | - | (not globally known)
Terms shown: pk, m, E_pk(m).

Ideal Cryptographic Library (2)
Figure: the same setup with commands issued.
  U: Tu,4 ← encrypt(Tu,1, Tu,3); send(V, Tu,4)
  V: received(U, Tv,2); get_type(Tv,2); Tv,3 := decrypt(...)
Term database (columns: for U, for V, for A):
  Term 1: Tu,1 | - |
  Term 2: Tu,2 | Tv,1 | Ta,1
  Term 3: Tu,3 | - |
  Term 4: ...
Terms shown: pk, m, E_pk(m).

Main Differences to Dolev-Yao
Tolerable imperfections:
• Lengths of encrypted messages cannot be kept secret
• Adversary may include incorrect messages inside encryptions
• Signature schemes can have memory
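The three preceding slides describe the ideal library as a single term database inside TH with one handle per party and term, deterministic behaviour, no crypto bitstrings, and a length that leaks through encryption. The toy model below is an added example, not the authors' code or library interface; the class and method names (IdealLibrary, gen_keypair, store, encrypt, send, get_type, decrypt) and the handle format Tu,1 are assumptions chosen to mirror the slides.

```python
from dataclasses import dataclass
@dataclass
class Term:
    kind: str      # 'sk', 'pk', 'data' or 'enc'
    args: tuple    # sub-term indices: (sk,) for pk, (pk, m) for enc; payload for data
    length: int    # abstract length; it is the one thing encryption leaks

class IdealLibrary:
    def __init__(self):
        self.db = []          # the term database shared by U, V and A (inside TH)
        self.handles = {}     # party -> {handle: term index}

    def _handle(self, party, idx):
        hs = self.handles.setdefault(party, {})
        if idx in hs.values():   # deterministic: one handle per (party, term)
            return next(h for h, i in hs.items() if i == idx)
        h = f"T{party.lower()},{len(hs) + 1}"
        hs[h] = idx
        return h

    def _add(self, party, term):
        self.db.append(term)
        return self._handle(party, len(self.db) - 1)

    def gen_keypair(self, party):
        sk = self._add(party, Term('sk', (), 1))
        return self._add(party, Term('pk', (self.handles[party][sk],), 1)), sk

    def store(self, party, payload):
        return self._add(party, Term('data', (payload,), len(payload)))

    def encrypt(self, party, pk_h, m_h):
        pk, m = self.handles[party][pk_h], self.handles[party][m_h]
        # no ciphertext is computed: the term records pk, m and the length of m
        return self._add(party, Term('enc', (pk, m), self.db[m].length + 1))

    def send(self, sender, receiver, h, adversary='A'):
        idx = self.handles[sender][h]   # insecure channel: A gets a handle too
        return self._handle(receiver, idx), self._handle(adversary, idx)

    def get_type(self, party, h):
        t = self.db[self.handles[party][h]]
        return t.kind, t.length         # type and length are visible to every holder

    def decrypt(self, party, sk_h, c_h):
        sk = self.handles[party].get(sk_h)     # None: no handle to such a key
        t = self.db[self.handles[party][c_h]]
        if sk is None or t.kind != 'enc' or self.db[t.args[0]].args != (sk,):
            return None                         # wrong key or not a ciphertext
        return self._handle(party, t.args[1])   # handle to the plaintext term
```

Running the slide-13 sequence (U encrypts Tu,3 under Tu,1 and sends to V) gives V a handle to the plaintext via decrypt, while A only learns the type and length of the ciphertext term.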

Real Cryptographic Library
Figure (real system): U and V pass commands, payloads, handles to the library and get back payloads / test results, handles; no crypto outputs! Inside the library only bitstrings exist: pk, c1 ← E(pk, m), c2 ← E(pk, m), c1; A sits on the bitstring side.

Main Additions to Given Cryptosystems
Standard model, standard assumptions
• Type tags
• Tagging with keys
• Additional randomization (e.g., needed when correct machines use A’s keys)

Proof of Correct Simulation (2)
Figure: combined system CH; components shown: H, SH, MH, M'u, M'v, •••, THH, THSimH, Encsim,H, SimH, A.
• Probabilistic bisimulations
  • With error sets (of runs)
  • With info-flow analysis
• Reduction proofs for collisions, guesses, forgeries

Summary
• Needham-Schroeder-Lowe (hand-proved)
• ... sometimes better
• TBD: Tool proof; more primitives & variants