Sessions and Separability - WPIweb.cs.wpi.edu/~guttman/biss/sessions_8mar13.pdf · 8 March 2013 BiSS MC & JDG ( ITU, WPI ) Sessions Mar 2013 1 / 33. Why session behavior counts Customer

Sessions and Separabilityin Security Protocols

Marco CarboneJoshua D. Guttman

IT University of CopenhagenWorcester Polytechnic Institute

Thanks to: Danish Agency for Science, Technology and InnovationUS National Science Foundation

(Grants CNS-0952287, CNS-1116557).

8 March 2013BiSS

MC & JDG ( ITU, WPI ) Sessions Mar 2013 1 / 33

Why session behavior counts

Customer C buys from broker B with commission from manufacturer M

• //

��

•

��

•oo

��

•

��

•

��

oo

• // •

��• // •

C B M


Getting paid twice

Can the broker get paid twice?

• //

��

•

��

•oo

��

•

��

•��

oo

M ′ • //

pp

�~

wqlhd

•

��

•

mm

��•��•

•

--

m l j i h f e d b a ` _ ^ \ [

// •

C B M


Separating M ′

• //

��

•

��

•oo

��

•

��

•��

oo

M ′ • // •

��

•

mm

��

·

ll

xrmhc_[•

��· ''m i d _ Z U Q

•

• // •

C B M


Session Behavior, v. 1Relates local runs of participants to global session

A protocol Π has session behavior if, in every execution:

Any two complete local runs that interactbelong to the same global session homogeneity

Any two complete local runs of the same rolebelong to different global sessions exclusion

Even with active, malicious adversary

Whatever the adversary can do,he can do without confusing sessions









Goals of this hour

Define session behavior

Give syntactic criteria for a protocolto have session behavior

Develop proof methods “Separability theorem”

Free bonus:

Protocol independence results alsofollow from separability theorem


Goals of this hour




Free bonus:



Exclusion principle requires freshness

Each role ρ selects a fresh value aρ

aρ called ρ’s proper session parameter

Distinct strands of same roleI Choose different values for aρ, soI Belong to different global sessions

Identify global session using session parameters aρfor the various roles

Homogeneity principle requires:

Crypto units should identify their session


A Session-respecting protocolBrokered invitation Roles: Host, broker, guest

c11 ,C1,N1 {|[|c12 ,N1,N2,K |]sk(S)|}pk(C1)

��

{|Hello ,C1,N1,N2|}K

• +3

OO

• +3 •OO

• +3 • +3

��•��

c11 ,C1,N1,

OO

{|[|c12 ,N1,N2,K |]sk(S)|}pk(C1) {|[|c22 ,N1,N2,K |]sk(S)|}pk(C2)

c21 ,C2,N2

• +3

��• +3 •

c21 ,C2,N2 {|[|c22 ,N1,N2,K |]sk(S)|}pk(C2)

OO


OO

Session parameters N1,N2,K in red



c11 ,C1,N1 {|[|c12 ,N1,N2,K |]sk(S)|}pk(C1)

��


• +3

OO

• +3 •OO

• +3 • +3

��•��

c11 ,C1,N1,

OO


c21 ,C2,N2

• +3

��• +3 •

c21 ,C2,N2 {|[|c22 ,N1,N2,K |]sk(S)|}pk(C2)

OO


OO



So why is this hard?

Syntactic flexibility

I Session parameters may contribute to plaintext or keyI Participants may join late

Adversary model: Partial compromise

I Compliant participants get session behavior,despite compromised participants in session

double-commission problem

“Same session” is not an equivalence relation

I “May influence” is a preorder on nodes

I This is also an opportunity for generality:Reason about all may-influence relations



c11 ,C1,N1 {|[|c12 ,N1,N2,K |]sk(S)|}pk(C1)

��


• +3

OO

• +3 •OO

• +3 • +3

��•��

c11 ,C1,N1,

OO


c21 ,C2,N2

• +3

��• +3 •

c21 ,C2,N2 {|[|c22 ,N1,N2,K |]sk(S)|}pk(C2)

OO


OO




Syntactic flexibilityI Session parameters may contribute to plaintext or keyI Participants may join late

Adversary model: Partial compromise

I Compliant participants get session behavior,despite compromised participants in session

double-commission problem





Achieving session behavior

Contributive: Each encryption involves all session parameters acquired sofar

No ambiguity: Two encryptions that unify agree on session parameters

Early arrivals x are acquired on first reception or first transmission

Late arrivals y are acquired in encrypted form;fresh values acquired on same node are encrypted






















Adversary model: Partial compromiseI Compliant participants get session behavior,

despite compromised participants in sessiondouble-commission problem









“Same session” is not an equivalence relationI “May influence” is a preorder on nodes




c11 ,C1,N1 {|[|c12 ,N1,N2,K |]sk(S)|}pk(C1)

��


• +3

OO

• +3 •OO

• +3 • +3

��•��

c11 ,C1,N1,

OO


c21 ,C2,N2

• +3

��• +3 •

c21 ,C2,N2 {|[|c22 ,N1,N2,K |]sk(S)|}pk(C2)

OO


OO



What about this? Execution B“Bundle” formalizes execution

•

c11,N1,C1

++g f e c b a ` _ ^ ] \ [ Z X Wc11,N1,C1

//

��

S

��

•c21,N2,C2

ooc21,N2,C2

//_____

��

S ′

��•

��

•

��

oo •

��

{|[|c12,N2,N1,K ′|]sk(S)|}pk(C1)//

• // •

��

•{|[|c22,N2,N1,K ′|]sk(S)|}pk(C2)

//

•{|Hello,C1,N1,N2|}K

// •

This interactionis inessential


What about this? Execution B“Bundle” formalizes execution

•

c11,N1,C1

++g f e c b a ` _ ^ ] \ [ Z X Wc11,N1,C1

//

��

S

��

•c21,N2,C2

ooc21,N2,C2

//_____

��

S ′

��•

��

•

��

oo •

��

{|[|c12,N2,N1,K ′|]sk(S)|}pk(C1)//

• // •

��

•{|[|c22,N2,N1,K ′|]sk(S)|}pk(C2)

//


// •

This interactionis inessential


Uncoupling B into C via a renaming[N2 7→ N ′1, N1 7→ N ′2] on right

• c11,N1,C1 //

��

S

��

•c21,N2,C2oo

��

S ′

��

c11,N′1,C1,c21,N′2,C2oo_ _ _ _ _ _ _ _ _ _

•

��

•

��

oo •

��

{|[|c12,N′1,N′2,K ′|]sk(S)|}pk(C1)//

• // •

��

•{|[|c22,N′1,N′2,K ′|]sk(S)|}pk(C2)

//


// •

Actually, B results from this C via α =[N1 7→ N1, N2 7→ N2, N

′1 7→ N2, N

′2 7→ N1]


Uncoupling B into C via a renaming[N2 7→ N ′1, N1 7→ N ′2] on right

• c11,N1,C1 //

��

S

��

•c21,N2,C2oo

��

S ′

��

c11,N′1,C1,c21,N′2,C2oo_ _ _ _ _ _ _ _ _ _

•

��

•

��

oo •

��

{|[|c12,N′1,N′2,K ′|]sk(S)|}pk(C1)//

• // •

��

•{|[|c22,N′1,N′2,K ′|]sk(S)|}pk(C2)

//


// •

Actually, B results from this C via α =[N1 7→ N1, N2 7→ N2, N

′1 7→ N2, N

′2 7→ N1]


“Lies below”

We say that C lies below B via α

1 α is a “local renaming” relative to a partition of C2 B has all the edges of C and possibly more

Special kind of homomorphism C α→ B

C is lower in the “information ordering:”

Fewer arrows

Fewer identifications of parameters


“Lies below”





Fewer arrows



“Lies below”





Fewer arrows










May-influence relations

; is a “may-influence” relation if

preorder: ; is a preorder on nodes

progress: m⇒ n implies m ; n

no V s: When a uniquely originates at n1 and reaches n2:

n1 +++k+k+kn1 +++k+k+k��O

n3 implies n3n2

333s3s3sn2

333s3s3s


Session Behavior, v. 2

Π obeys ; if,for all bundles B, there exists a C lying below B s.t.

m �C n implies m ; n.

The session influence relation, m ;s n, holds, if

every session parameter aρalready defined on m is defined on n,

and takes the same value on n

Π has session behavior if

Π obeys ;s






“Same session” is not an equivalence relationI “May influence” is a preorder on nodesI This is also an opportunity for generality:

Reason about all may-influence relations


Reasoning about separability

Adversary transports information along paths

Progressively takes apartand reconstructs messages

If adversary breaks down to basic parts,can substitute new basic values

Assuming that results he deliversnever get back to original source




















Adversary actions

• a→

t1

��

t2

��

{|t1|}t2

• +3 • +3 •

OO

• +3 • +3 •��

{|t1|}t2

OO

t2−1

OO

t1

t1

��

t2

��

tag t1 , t2

• +3 • +3 •

OO

• +3 • +3

��

•��

tag t1 , t2

OO

t1 t2


Adversary paths

◦{|A ,Na|}pk(C) // •

��

•

��

•

��

•

��

•

pk(B)}}

•pk(C)−1

// •

��

•

��

A

66

•

��

•

��•

A ,Na

??

•Na

66

•

A ,Na

??

•{|A ,Na|}pk(B)// ◦


About Adversary Paths

Path p is direct1 if it has no key edges,except maybe the last step

Path p is normal ifany destruction precedes all construction

Bundle B is normal ifall its direct paths are normal

The bridge of a normal path is the message that follows alldestruction and precedes all construction

1This talk: only consider direct paths; applicable when protocols use basic keys.MC & JDG ( ITU, WPI ) Sessions Mar 2013 25 / 33



















A lemma

Lemma1 Every bundle is equivalent to a normal bundle

2 Let p be direct and normal.1 The bridge of p is a common ingredient

of the messages at the two ends

2 Either some encryption {|t|}K appears at both ends of p,or else the bridge of p is


A lemma

Lemma1 Every bundle is equivalent to a normal bundle2 Let p be direct and normal.

1 The bridge of p is a common ingredientof the messages at the two ends

2 Either some encryption {|t|}K appears at both ends of p,or else the bridge of p is


A lemma



2 Either some encryption {|t|}K appears at both ends of p,or else the bridge of p is encryption-free


Adversary paths

◦{|A ,Na|}pk(C) // •

��

•

��

•

��

•

��

•

pk(B)}}

•pk(C)−1

// •

��

•

��

A

66

•

��

•

��•

A ,Na

??

•Na

66

•

A ,Na

??

•{|A ,Na|}pk(B)// ◦


A lemma



2 Either some encryption {|t|}K appears at both ends of p,or else the bridge of p is encryption-free


A lemma



2 Either some encryption {|t|}K appears at both ends of p,or else the bridge of p is basic


Paths that cross sessions

Suppose in B1 All session parameters appear in every encryption {|t|}K2 p crosses from one session to another, i.e.

first(p) 6;s last(p)

Then

1 p has basic bridge term a

2 Adversary can omit edge andreplace a with some other a′

3 Resulting bundle C lies below B4 No-V s property implies change never affects later node





Then








Then



3 Resulting bundle C lies below B

4 No-V s property implies change never affects later node





Then





The Separability Theorem

Definition1 Path p is ;-critical if first(p) 6; last(p)

2 B is ;-reparable if every ;-critical path in B has a basic bridge

Theorem

For every ;-reparable B,there is a C lying below B such that C obeys ;

To prove separability, check:

1 m 6; n implies no common encryptions

2 ; satisfies no-V s may involve restrictions





Theorem









Theorem






Applications: Sessions

Session protocols: Π-bundles are ;s-reparable ifΠ has session parameters

No-V s property requires a restriction,that some keys uncompromised,

when Π allows late arrivals


Applications, 2

Protocol composition, I: Π1 ∪ Π2-bundles are ;C -reparable ifΠ1 and Π2 have no unifiable encryptions, anduse only basic keys

m ;C n iff m, n ∈ nodes(Π1) or m, n ∈ nodes(Π2)Π1 6;C Π2, Π2 6;C Π1

Protocol composition, II: No unifiable encryptions suffices in I

Protocol composition, III: Π1 ∪ Π2-bundles are ;DE -reparable ifΠ2 generates no encryptions accepted on Π1 nodesΠ2 extracts nothing from Π1 encryptions

m ;DE n iff m ∈ nodes(Π1) or m, n ∈ nodes(Π2)Π2 6;C Π1 but Π1 ;C Π2


Applications, 2







Applications, 2







Goals of this hour




Free bonus:



Documents

Sessions and Separability - WPIweb.cs.wpi.edu/~guttman/biss/sessions_8mar13.pdf · 8 March 2013 BiSS MC & JDG ( ITU, WPI ) Sessions Mar 2013 1 / 33. Why session behavior counts Customer