Symbolic Logic for Complexity-theoretic Model of Security Protocols
Anupam Datta, Ante Derek, John C. Mitchell, Vitaly Shmatikov, Mathieu Turuani
May 5, 2005
Security Protocols
Security Protocol
• Distributed program
• Uses cryptography to accomplish goal
• Network controlled by adversary
Examples
• Internet Engineering Task Force (IETF), IEEE Working Group Standards
– SSL/TLS - web authentication
– IPSec - corporate VPNs
– Mobile IPv6 - routing security
– Kerberos - network authentication
– GDOI - secure group communication
– 802.11i - wireless security
Engineering practice
• Identify requirements
• Design protocol
• Think hard
• Think some more
• Can’t find attack: protocol “secure”
• Implement
• Deploy
Protocol flaws
• IEEE 802.11i wireless authentication
• IPSec’s IKE key exchange
• IETF GDOI secure group communication
• IETF Mobile IPv6 security
• …many more
These are protocols designed for real networks
Engineering Practice (Cycle 2)
Someone else thinks hard and finds attack
Go back to cycle 1:
• Fix protocol
• Reimplement
• Redeploy
This is Theory Lunch…
• We like to do rigorous proofs
• But prove what?
• What does “secure” mean?
• What is the model of protocol execution and attack?
Problem Statement
Cryptographers and logicians working in computer security don’t talk to each other
(Disclaimer: Examples not representative)
Two worlds
Symbolic model [NS78,DY84,…] compared with Complexity-theoretic model [GM84,…]
Attacker actions
• Symbolic: - Fixed set of actions, e.g., decryption with known key (ABSTRACTION)
• Complexity-theoretic: + Any probabilistic poly-time computation
Security properties
• Symbolic: - Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION)
• Complexity-theoretic: + Fine-grained, e.g., secret message = no partial information about bitstring representation
Analysis methods
• Symbolic: + Successful array of tools and techniques; automation
• Complexity-theoretic: - Hand-proofs are difficult, error-prone; no automation
Can we get the best of both worlds?
Logic 101 (Recall)
Logic
• Syntax: Formulas
– p, p q, (p q), p q
• Semantics: Truth
– Model, M = {p = true, q = false}
M |= p q
Proof System
• Axioms and proof rules: Provability
– p (q p) p p q q
• Soundness Theorem
– Provability implies truth
Our Approach
Protocol Composition Logic (PCL)
•Syntax
•Proof System
Symbolic “Dolev-Yao” model
•Semantics
Computational PCL
•Syntax ±
•Proof System ±
Complexity-theoretic model
•Semantics
PhD Oral
May 10, 11AM
Right here
Main Result
Computational PCL: A symbolic logic for proving security properties of network protocols that use public-key encryption
Soundness Theorem: If a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1.
+ Symbolic proofs
+ Complexity-theoretic model
Computational PCL
Syntax
• Expressing security properties
Proof System
• Proving security properties
• Soundness Theorem
Semantics
• Complexity-theoretic Model
– Attacker: any PPT algorithm
– Meaning of security properties
Example 1
A B
A, B, {n, A}B
B, A, n
Security Property - authentication
[Initiator Program]A Honest(B)
ActionsInOrder( send(A, msg1), receive(B, msg1), send(B, msg2), receive(A, msg2) )
Example 2
A B
A, B, {n, A}B
Security Property - secrecy
[Initiator Program]A Honest(B)
(X (X A,B) Indistinguishable(X,n)
Soundness of proof system
Information-theoretic reasoning
[new u]X (Y X) Indistinguishable(Y, u)
Complexity-theoretic reductions
Source(Y,u,{m}X) Decrypts(X, {m}X) Honest(X,Y) (Z X,Y) Indistinguishable(Z, u)
Asymptotic calculations
Sum of two negligible functions is a negligible function
Reduction to IND-CCA2-secure encryption scheme
Big picture
Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)
Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme)
Axiom in proof system
Protocol security proofs using proof system
Semantics and soundness theorem
Complexity-theoretic semantics
Q |= if A D f negligible n0 n > n0 function s.t.
• Fix protocol Q, PPT adversary A, security parameter n
• Vary random bits used by all programs
• Obtain set of equi-probable traces, T(Q,A,n)
T()
T(Q,A,n)
|T()|/|T(Q,A,n)| > 1 – f(n)
Represents probability
Inductive Semantics
Consider set of traces T(Q,A,n)
• T(1 2) = T(1)T(2)
• T(1 2) = T(1) T(2)
• T( ) = T()
Semantics of formulas are transformers on probability distribution over traces
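The trace-counting semantics above, worked through for one fixed adversary, as an added example that is not from the original slides: it enumerates every choice of random bits for a constructed toy protocol, treats a formula as a function from a trace set to its satisfying subset, and compares the ratio with 1 – f(n). The toy protocol, the blind-guess adversary, the name T(phi) for the satisfying subset, the bound f(n) = 2^(1-n) and all function names are assumptions.

```python
from fractions import Fraction
from itertools import product

def run_toy_protocol(tape_a, tape_adv):
    """Constructed toy run: A's random bits become its nonce; the fixed
    adversary sees nothing and outputs its own random bits as a guess."""
    return {"nonce": tape_a, "guess": tape_adv}

def all_traces(n):
    """T(Q,A,n): one trace per choice of random bits for every program.
    Each program gets n uniform bits, so all traces are equi-probable."""
    tapes = list(product((0, 1), repeat=n))
    return [run_toy_protocol(a, adv) for a in tapes for adv in tapes]

def nonce_not_guessed(traces):
    """A formula as a transformer: maps a trace set to the subset T(phi)
    of traces on which the adversary's guess differs from the nonce."""
    return [t for t in traces if t["guess"] != t["nonce"]]

def satisfaction_ratio(formula, n):
    """|T(phi)| / |T(Q,A,n)|: the probability that the formula holds."""
    traces = all_traces(n)
    return Fraction(len(formula(traces)), len(traces))

def f(n):
    """Candidate negligible bound (assumption): f(n) = 2^(1-n)."""
    return Fraction(2, 2 ** n)

def holds_beyond(formula, n0, n_max):
    """Check ratio > 1 - f(n) for every n with n0 < n <= n_max."""
    return all(satisfaction_ratio(formula, n) > 1 - f(n)
               for n in range(n0 + 1, n_max + 1))

if __name__ == "__main__":
    # Print n, the exact ratio, and the bound 1 - f(n) side by side.
    for n in range(1, 7):
        print(n, satisfaction_ratio(nonce_not_guessed, n), 1 - f(n))
```

A finite range of n only illustrates the definition; the slides' semantics requires the bound for all n beyond some n0, which for this toy follows from the ratio being exactly 1 – 2^(-n).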
Future Work
Investigate nature of logic
• Propositional fragment not classical represents conditional probability
– complexity-theoretic reductions
– connections with probabilistic logics (e.g. Nilsson86)
Generalize reasoning about secrecy
• Probability close to ½ instead of 1
• Not a trace property
Extend logic
• More primitives: signature, hash functions,…
• Remove current syntactic restrictions on formulas
Information-theoretic semantics
• Only probability; no complexity