Message Equivalence and Imperfect Cryptography in a Formal Model

Angelo Troina (1), Alessandro Aldini (2) and Roberto Gorrieri (3)
(1) Dipartimento di Informatica, University of Pisa, troina@di.unipi.it
(2) Istituto STI, University of Urbino, aldini@sti.uniurb.it
(3) Dipartimento di Scienze dell'Informazione, University of Bologna, gorrieri@cs.unibo.it
DIMACS Workshop on Security Analysis of Protocols, Piscataway (NJ), June 9, 2004
Introduction
There is increasing interest in the compatibility problem between the computational approach and the Dolev-Yao model [DY83] for the analysis of security protocols.
Introduction
Dolev-Yao model:
• Provides abstractions that allow mechanical proofs of protocol properties.
• Requires strong assumptions, such as perfect cryptography and a restricted expressive power of the adversary.
Computational model:
• Gives a detailed view of cryptosystems: it deals with probabilities and computational power.
• Models the adversary's resources and relaxes the perfect encryption assumption.
Introduction
A recent formal view of cryptography introduced by Abadi and Rogaway [AR00] defines formal algebraic cryptographic expressions and a related notion of equivalence.
This approach relates the formal view and the computational model of cryptography by proving the soundness of the formal world with respect to the computational world.
Under particular assumptions, Micciancio and Warinschi [MW02] prove the converse, a completeness result.
Introduction
A similar approach is followed by Herzog [Her03], who shows that if there is no good Dolev-Yao strategy for breaking a protocol, then there is also no good PPT adversary strategy for doing so (given ideal encryption).
Zunino and Degano [ZD04] compare the classical Dolev-Yao adversary with an enhanced computational adversary that can guess the key needed to decrypt an intercepted message (albeit only with negligible probability).
Introduction
The robustness of a ciphertext may be jeopardized by clever attackers who succeed in retrieving information by:
• randomly guessing data
• analyzing a large amount of ciphertext
• employing partial knowledge of the plaintext
• breaking weak keys
• breaking too simple, foreseeable cryptographic algorithms
Introduction
We present a novel equivalence for cryptographic expressions that overcomes two limitations of classical security models:
• perfect cryptography
• nondeterministic adversary.
We take into account the probability that a polynomial-time adversary successfully attacks a message encrypted with a secret key.
Methodology
• A classical formal logic for cryptographic expressions, based on the Dolev-Yao encryption model defined by Abadi and Rogaway [AR00].
• A formal model for cryptographic expressions in an imperfect cryptography scenario.
• Indistinguishability with ε-tolerance.
Expressions
String is a finite set of binary strings of a fixed length.
Keys is a finite set of keys {K, K', ..., K1, K2, ...}.
Exp is the set of expressions, defined by the grammar:
  M, N ::= K          key, K ∈ Keys
        |  m          string, m ∈ String
        |  (M, N)     pair
        |  {M}K       encryption of M under K
Entailment
The entailment relation M ⊢ N specifies the expressions N that can be derived from M. It is the least relation satisfying the following rules:
$M \vdash M$
$M \vdash N_1 \wedge M \vdash N_2 \Rightarrow M \vdash (N_1, N_2)$
$M \vdash (N_1, N_2) \Rightarrow M \vdash N_1 \wedge M \vdash N_2$
$M \vdash N \wedge M \vdash K \Rightarrow M \vdash \{N\}_K$
$M \vdash \{N\}_K \wedge M \vdash K \Rightarrow M \vdash N$
Patterns
The function p, given a set of keys T and an expression M, computes the pattern that an attacker can obtain from M if the initial knowledge is the set of keys T:
$p(K, T) = K$ for $K \in Keys$
$p(m, T) = m$ for $m \in String$
$p((M, N), T) = (p(M, T), p(N, T))$
$p(\{M\}_K, T) = \{p(M, T)\}_K$ if $K \in T$
$p(\{M\}_K, T) = \Box$ otherwise
The pattern of an expression is taken with respect to the keys the attacker can derive from the expression itself: $pattern(M) = p(M, \{K \in Keys : M \vdash K\})$.
Expression Equivalence
Two expressions are equivalent if they yield the same pattern:
$M \equiv N \iff pattern(M) = pattern(N)$
Example: $(\{\{K\}_{K_1}\}_{K_2}, K_2) \equiv (\{\{m\}_{K_1}\}_{K_2}, K_2)$, since K2 is derivable but K1 is not, so both sides yield the pattern $(\{\Box\}_{K_2}, K_2)$.
Imperfect cryptography scenario
We take into account the possibility for an adversary of obtaining meaningful information from a ciphertext {M}K without knowing the key K.
We give a new definition of patterns, which are used to denote the information (associated with a ciphertext) employed to decide the equivalence between expressions.
We propose a new equivalence relation for expressions that captures when two expressions contain information that an adversary can obtain with the same probability.
Probabilistic Patterns
A probabilistic pattern P.p represents an expression P that does not contain ciphered blocks and is associated with a parameter p ∈ ]0,1], modeling the probability of getting the plaintext contained in P.
Formally, we define the set pPat of probabilistic patterns with the grammar:
  P.p, Q.p ::= K.p             key, K ∈ Keys
            |  m.p             string, m ∈ String
            |  (P.p, Q.p).p    pair
Imperfect cryptography scenario
The probabilistic pattern associated with an expression is obtained by substituting every ciphered block with the corresponding plaintext in clear, associated with the probability of obtaining information about it:
probabilistic pattern({m}K) = m.p
The value p depends on many factors, such as the cryptosystem used for encryption, the computational power of (and the information collected by) the adversary, and the expected robustness of the key K against guesses or attacks.
pdec
Given a computational polynomial-time adversary A, an initial knowledge G, and a ciphered expression {N}K, we assume a function pdec that returns the probability of obtaining meaningful information from the ciphertext {N}K by exploiting the initial knowledge G.
Any adversary A with polynomially bounded resources and knowledge G has probability at most pdec({N}K, G) of retrieving K from {N}K:
$\Pr[K \leftarrow A(\{N\}_K, G)] \le pdec(\{N\}_K, G)$ for all A
Imperfect cryptography scenario
The outcome of pdec is the starting point for estimating the probability of cracking a ciphered block. Consider the expression
({{m}K1}K2, {(K1, K2)}K)
What is the probability of getting the string m in clear? Two strategies are available:
• attack the nested block layer by layer, first {{m}K1}K2 and then {m}K1 with the enlarged knowledge G' obtained from the first step: $pdec(\{\{m\}_{K_1}\}_{K_2}, G) \cdot pdec(\{m\}_{K_1}, G')$
• attack the block carrying both keys, which then decrypt m directly: $pdec(\{(K_1, K_2)\}_K, G)$
The probability of breaking a block may therefore vary according to the strategy an attacker uses when trying to cryptanalyze an expression.
Probabilistic Equivalence
Given the expressions M and N, we say that M and N are probabilistically equivalent (M ≈ N) if they yield the same probabilistic pattern:
$M \approx N \iff pP_M = pP_N$
Example
M = ({{m}K1}K2, {(K1, K2)}K)
p1 = pGuess({K1, K2}), the probability of obtaining both K1 and K2
p2 = pGuess({K})
pP_M = (m.p1, (K1.p2, K2.p2).p2)
N = ({m}K1, {(K1, K2)}K)
If pdec({m}K1) = pdec({(K1, K2)}K) = p', then p1 = p2 = p' and
pP_M = pP_N = (m.p', (K1.p', K2.p').p')
hence M ≈ N.
Approximating Probabilistic Equivalence
The notion of probabilistic equivalence is extremely strict:
• ciphered blocks have to be decrypted with exactly the same probabilities;
• it also considers those blocks that can be decrypted only with negligible probability.
We relax the notion of probabilistic equivalence by introducing a new compatibility relation, called ε-probabilistic similarity (≈ε).
ε-probabilistic similarity (≈ε):
• approximates the equivalence by tolerating small differences (up to ε) in the probabilistic parameters associated with the probabilistic patterns;
• allows for equating those ciphertexts that can be decrypted only with small probability (< ε).
Example
M = {m}K, p1 = pdec({m}K), pP_M = m.p1
N = {m}K', p2 = pdec({m}K'), pP_N = m.p2
If p1 ≠ p2 and |p1 - p2| ≤ ε then $M \not\approx N$ but $M \approx_\varepsilon N$.
Example
M = {m}K, p1 = pdec({m}K), pP_M = m.p1
N = {m'}K', p2 = pdec({m'}K'), pP_N = m'.p2
If p1, p2 < ε then $M \not\approx N$ but $M \approx_\varepsilon N$.
Ideal Encryption
It should be hard for the adversary to decrypt a message ciphered with an unknown key.
The probability of breaking an encrypted message that cannot be derived in the classical Dolev-Yao model should be negligible.
A function $f : \mathbb{N} \to \mathbb{R}$ is negligible if for every positive polynomial q there exists $\eta_0$ such that $f(\eta) \le 1 / q(\eta)$ for all $\eta > \eta_0$.
An encryption scheme is ideal ⟺ pdec is a negligible function (of the security parameter).
Main results
For all M, N ∈ Exp:
• ≈ is an equivalence relation; ≈ε is a similarity relation (reflexive and symmetric).
• $M \approx N \Rightarrow M \approx_\varepsilon N$
• Given ideal encryption: $M \equiv N \Rightarrow M \approx_\varepsilon N$
A Secrecy Property
Inspired by Abadi and Gordon [AG99], we say that a certain secret a is private in M if the expression N obtained by substituting every occurrence of a with some a' ≠ a is probabilistically similar to M.
Given a parameter ε ∈ ]0,1[ and an expression M ∈ Exp such that a occurs in M, we say that a is ε-secret in M iff M ≈ε N, where N is obtained by substituting every occurrence of a in M with a' ≠ a.
Example
M = (m, {K}K2), p = pdec({K}K2), pP_M = (m.1, K.p)
• Substituting m with m': pP_N = (m'.1, K.p), which is not ε-similar to pP_M since m is read with probability 1; so m is not ε-secret in M.
• Substituting K with K': pP_N = (m.1, K'.p), which is ε-similar to pP_M if p < ε; so K is ε-secret in M whenever p < ε.
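The following Python is an added example, not code from the paper or its authors. It implements, on the page's own grammar, the Abadi-Rogaway entailment closure, patterns and ≡ from the earlier slides, then the probabilistic patterns, ≈, ≈ε and ε-secrecy of this section, and reproduces the worked examples above. Two parts are my assumptions standing in for the page's oracles: pdec is a constructed table keyed by the name of the encryption key (PDEC_BY_KEY), and pGuess is computed as the best over strategies, where a strategy is a set of blocks attacked directly and the pdec values of independent attacks multiply, as in the layer-by-layer product on the slides.

```python
from itertools import combinations

# Expression constructors for the AR00 grammar on the page:
# key K, string m, pair (M, N), encryption {M}_K (K given by name).
def key(k):     return ('key', k)
def s(m):       return ('str', m)
def pair(a, b): return ('pair', a, b)
def enc(m, k):  return ('enc', m, k)
BOX = ('box',)  # the undecryptable block of an AR00 pattern

def derivable(exp, known_keys=(), broken=()):
    """Decomposition half of entailment: every N with exp |- N.
    `broken` is our extension: ciphertexts the adversary has opened by
    cryptanalysis, the event the page's pdec assigns a probability to."""
    have = {exp} | {key(k) for k in known_keys}
    while True:
        new = set()
        for e in have:
            if e[0] == 'pair':
                new |= {e[1], e[2]}
            elif e[0] == 'enc' and (key(e[2]) in have or e in broken):
                new.add(e[1])
        if new <= have:
            return have
        have |= new

def pattern(exp, T):
    """AR00 p(M, T): blocks whose key is not in T collapse to BOX."""
    if exp[0] == 'pair':
        return ('pair', pattern(exp[1], T), pattern(exp[2], T))
    if exp[0] == 'enc':
        return ('enc', pattern(exp[1], T), exp[2]) if exp[2] in T else BOX
    return exp

def ar_pattern(exp):
    """pattern(M) = p(M, {K : M |- K})."""
    return pattern(exp, {e[1] for e in derivable(exp) if e[0] == 'key'})

def ar_equivalent(m, n):
    return ar_pattern(m) == ar_pattern(n)

# --- imperfect cryptography: probabilistic patterns and eps-similarity ---
PDEC_BY_KEY = {'K': 0.02, 'K1': 0.02, 'K2': 0.02, 'Ka': 0.30, 'Kb': 0.31}

def pdec(block):
    """Constructed stand-in for the page's pdec: the chance of opening
    {N}_K by cryptanalysis, modelled as a property of the key K alone."""
    return PDEC_BY_KEY.get(block[2], 0.01)

def blocks(exp):
    if exp[0] == 'enc':
        return [exp] + blocks(exp[1])
    return blocks(exp[1]) + blocks(exp[2]) if exp[0] == 'pair' else []

def p_open(root, block, known_keys=()):
    """Best probability, over strategies, of reading block's plaintext.
    A strategy attacks a set S of blocks directly (independent attacks,
    so their pdec values multiply) and succeeds when block is reachable
    and its key is derivable or block itself is in S."""
    best, bs = 0.0, blocks(root)
    for r in range(len(bs) + 1):
        for S in combinations(bs, r):
            have = derivable(root, known_keys, S)
            if block in have and (key(block[2]) in have or block in S):
                p = 1.0
                for b in S:
                    p *= pdec(b)
                best = max(best, p)
    return best

def prob_pattern(exp, known_keys=(), root=None, ctx=1.0):
    """pP(M) as (node, p) trees: a ciphered block is replaced by the
    pattern of its plaintext labelled with the probability of reading it."""
    root = exp if root is None else root
    if exp[0] == 'pair':
        return (('pair', prob_pattern(exp[1], known_keys, root, ctx),
                         prob_pattern(exp[2], known_keys, root, ctx)), ctx)
    if exp[0] == 'enc':
        return prob_pattern(exp[1], known_keys, root, p_open(root, exp, known_keys))
    return (exp, ctx)

def similar(P, Q, eps):
    """P ~eps Q: sub-patterns readable only with probability < eps are
    indistinguishable; otherwise labels must agree up to eps."""
    (n1, p1), (n2, p2) = P, Q
    if p1 < eps and p2 < eps:
        return True
    if abs(p1 - p2) > eps:
        return False
    if n1[0] == 'pair' and n2[0] == 'pair':
        return similar(n1[1], n2[1], eps) and similar(n1[2], n2[2], eps)
    return n1 == n2

def eps_similar(m, n, eps):
    return similar(prob_pattern(m), prob_pattern(n), eps)

def substitute(exp, a, b):
    """Rename every occurrence of atom a (key or string) to b."""
    if exp[0] == 'pair':
        return ('pair', substitute(exp[1], a, b), substitute(exp[2], a, b))
    if exp[0] == 'enc':
        return ('enc', substitute(exp[1], a, b), b if exp[2] == a else exp[2])
    return (exp[0], b) if exp[1] == a else exp

def eps_secret(exp, a, eps):
    """a is eps-secret in exp iff exp ~eps exp[a := a'] for a fresh a'."""
    return eps_similar(exp, substitute(exp, a, a + "'"), eps)
```

With the constructed table, `eps_secret(pair(s('m'), enc(key('K'), 'K2')), 'K', 0.05)` holds and the same check for `'m'` fails, matching the secrecy example above; swapping K2 for the weak key Ka (pdec 0.30) makes K lose ε-secrecy, which is the "breaking weak keys" case from the introduction. The server check of the application slide is the same call on `enc(pair(key('K'), ...), 'KSA')`, and raising the table entry for KSA as ciphertext under it accumulates is how the loss of ε-secrecy described there shows up in this model.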
An Application of Secrecy
A server S waits for requests from clients, generates a secret key and sends it back to the client:
A → S : {request, A, S, t}KSA
S → A : {K, S, A, t}KSA
where request, A, S, t ∈ String and K, KSA ∈ Keys.
In G the server keeps track of the messages exchanged in the network.
We want to check whether the expression {K, S, A, t}KSA ensures a given degree ε of secrecy for K: the server verifies whether K is ε-secret in {K, S, A, t}KSA with respect to the knowledge G.
As the traffic in the network increases and the amount of messages ciphered with KSA grows (more ciphertext under the same key, one of the attacks listed in the introduction), the server may no longer be able to guarantee ε-secrecy.
Conclusions & Future work
We have presented a novel framework for defining a formal cryptographic language in which:
• information leakage due to cryptanalysis can be estimated by employing ≈ε and conditional statements;
• probabilistic covert channels can be studied by verifying non-interference security properties.
The similarity relation ≈ε can be used, in combination with an approximated definition of non-interference, to verify whether the privacy of cryptographic protocols can be guaranteed at a reasonable level.
Bibliography
[AG99] M. Abadi, A.D. Gordon. A Calculus for Cryptographic Protocols: The Spi Calculus. Information and Computation, 148(1):1-70, 1999.
[AR00] M. Abadi, P. Rogaway. Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption). In Proc. Int. Conf. Theoretical Computer Science, LNCS 1872:3-22, 2000.
[DY83] D. Dolev, A. Yao. On the Security of Public-key Protocols. IEEE Transactions on Information Theory, 29:198-208, 1983.
[Her03] J. Herzog. A Computational Interpretation of Dolev-Yao Adversaries. In Proc. of Workshop on Issues in the Theory of Security (WITS'03), 2003.
[MW02] D. Micciancio, B. Warinschi. Completeness Theorems for the Abadi-Rogaway Language of Encrypted Expressions. In Proc. of Workshop on Issues in the Theory of Security (WITS'02), 2002.
[ZD04] R. Zunino, P. Degano. A Note on the Perfect Encryption Assumption in a Process Calculus. In Proc. of Foundations of Software Science and Computation Structures (FOSSACS'04), 2004.
Example
M = ({m}K, K)
N = (m, K)
AR patterns: pattern(M) = ({m}K, K), pattern(N) = (m, K), so M ≢ N.
New semantics: both expressions yield the pattern (m, K), since the block {m}K is replaced by its plaintext (read with probability 1, K being in clear), so M ≈ N.