S ecurit e des protocoles cryptographiques : aspects logiques et - - PowerPoint PPT Presentation
Introduction Symbolic analysis Constraint solving Computational justification Conclusion S ecurit e des protocoles cryptographiques : aspects logiques et calculatoires Mathieu Baudet Laboratoire Sp ecification et V erification
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Mathieu Baudet Laboratoire Sp´ ecification et V´ erification (INRIA Futurs, CNRS, ENS Cachan) Soutenance de th` ese – 16 jan. 2007
1 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
New technologies (Internet, Wifi, cell phones) allow cheap worldwide communications. Many services now available on the Internet:
Unfortunately, Internet was not designed for security.
2 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
3 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
– eavesdrop messages, – delete some of them, – send fake ones.
4 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
– eavesdrop messages, – delete some of them, – send fake ones.
attacker ≈ network → How to securely communicate anyway ?
5 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
... are concurrent programs
– symmetric encryption
K K M Enc. {M}K Dec. M
– asymmetric encryption
pk = pub(sk) sk M Enc. {M}pk Dec. M
– signatures
sk pk = pub(sk) M Sign [M]sk Check
– . . .
Unfortunately, designing secure protocols is not an easy task...
6 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Denning-Sacco protocol : 0. A → B : A, { [kAB]skA }pkB 1. B → A : {secrAB}kAB Active attacker :
messages).
7 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Denning-Sacco protocol : 0. A → B : A, { [kAB]skA }pkB 1. B → A : {secrAB}kAB An attack with 2 sessions: 0. A → I : A, { [kAI]skA }pkI 0′. I(A) → B : A, { [kAI]skA }pkB 1. B → I(A) : {secrAB}kAI
8 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
→ introduced by Needham-Schroeder (1978) and Dolev-Yao (1983)
– bounded number of sessions (exact, typically co-NP) → constraint solving & symbolic model-checking – unbounded number of sessions (approximate) → tree automata, Horn clauses, typing systems. . .
9 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Not surprisingly, difficulties come from
(1) more protocols We would like to handle (2) more properties (3) more attacks
10 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Handling more protocols
e.g. pairing, encryption (with integrity checking), signature.
11 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Handling more protocols
e.g. pairing, encryption (with integrity checking), signature.
– Exclusive OR : (Comon et al., Chevalier et al. in 2003) x ⊕ y = y ⊕ x (x ⊕ y) ⊕ z = x ⊕ (y ⊕ z) x ⊕ x = x ⊕ 0 = x – Surjective encryption (ciphers) : dec(enc(x, y), y) = x enc(dec(x, y), y) = x (Delaune-Jacquemard, among other primitives, in 2004)
12 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Handling more security properties
simple secrecy and authentication.
13 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Handling more security properties
simple secrecy and authentication.
and C. Fournet, is such a language, also featuring equational theories. → First decidability result for the passive case (i.e. static equivalence) in 2004 by M. Abadi and V. Cortier.
14 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Handling more attacks
logical attacks
(efficient) adversary but require a priori hand-made, complex reduction proofs Ideally, symbolic tools should provide cryptographic proofs.
15 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Handling more attacks
logical attacks
(efficient) adversary but require a priori hand-made, complex reduction proofs Ideally, symbolic tools should provide cryptographic proofs. → First computationally sound symbolic models:
(Abadi and Rogaway)
Waidner’s cryptographic library.
16 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
processes in presence of equational theories.
equivalence. Both results apply to dictionary attacks and contribute to clarify the “right” symbolic definition for it.
(1) more protocols (2) more properties (3) more attacks 17 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
1
Introduction
2
Symbolic analysis of protocols
3
Constraint solving
4
Computational justification for a passive adversary
5
Conclusion
18 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
(a.k.a. guessing attacks)
http://www.thc.org/thc-hydra/
19 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
(a.k.a. guessing attacks) Definition (Lowe WITS’02) Dictionary attacks = weak secret (password) → exhaustive search feasible + off-line verification test → “is this the right value?” where off-line = no interaction with the network On-line tests do not undermine security, but off-line ones do.
→ c.f. Unix’s shadow passwords
20 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Handshake Protocol 0. A → B : {n}wAB 1. B → A : {n + 1}wAB Aims to authenticate principal B from A’s viewpoint.
21 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Handshake Protocol 0. A → B : {n}wAB as m1 1. B → A : {n + 1}wAB as m2 Aims to authenticate principal B from A’s viewpoint. An off-line verif. test for shared password wAB: dec(m1, x) + 1 =? dec(m2, x) Note:
22 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
“Enhanced” Kerberos Protocol, Gong SAC’93 0. A → S : {A, B, n1, n2, {tA}wAS}a
pkS
1. S → A : {n1, k ⊕ n2}wAS , {A, k, tS}wBS 2. A → B : {A, k, tS}wBS
23 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
“Enhanced” Kerberos Protocol, Gong SAC’93 0. A → S : {A, B, n1, n2, {tA}wAS}a
pkS
1. S → A : {n1, k ⊕ n2}wAS , {A, k, tS}wBS 2. A → B : {A, k, tS}wBS 0. A → S : {A, B, n1, n2, {tA}wAS}a
pkS
as m1 1. S → A : {n1, k ⊕ n2}wAS , {A, k, tS}wBS as m2 0′. I(A) → S : {A, B, n1, n2, {tA}wAS}a
pkS
as m′
1
1′. S → I(A) : {n1, k′ ⊕ n2}wAS , {A, k′, t′
S}wBS
as m′
2
Off-line test for wAS: π1(dec(π1(m2), x)) =? π1(dec(π1(m′
2), x))
Off-line test for wBS: π1(dec(π2(m2), y)) =? A
24 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
→ distinguishes between two scenarios: wrong / right guess
Blanchet et al. [LICS’05] uses the observational equivalence of the applied pi-calculus.
bi-processes suffices to characterize guessing attacks.
25 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Handshake Protocol 0. A → B : {n}kAB 1. B → A : {n + 1}kAB Is the following trace a feasible one ? 0. A → I(B) : {n}kAB 1. I(B) → A : {n + 1}kAB If yes → attack on authentication
26 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
0. A → I(B) : {n}kAB 1. I(B) → A : {n + 1}kAB → I’s computation X1 must satisfy the constraints: ∃x1, X1[{n}kAB] =? x1 and dec(x1, kAB) =? n + 1 without I’s “knowing” n nor kAB.
27 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
0. A → I(B) : {n}kAB 1. I(B) → A : {n + 1}kAB → I’s computation X1 must satisfy the constraints: ∃x1, X1[{n}kAB] =? x1 and dec(x1, kAB) =?
E n + 1
where n, kAB cannot occur in X1. Equations interpreted modulo the theory E of ciphers:
dec({x}y, y) = x { dec(x, y) }y = x
The previous constraint system is unsatisfiable (i.e. has no solutions) ⇒ this interleaving infeasible ⇒ no attack.
28 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
More generally, a finite number of sessions entails a finite number of interleavings, thus of constraint systems to verify. Trace properties correspond to (un)satisfiability problems on constraint systems. This works for any equational theory — as long as we can solve the constraint systems. . . → Can we do the same for equivalence properties ?
29 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
1
Introduction
2
Symbolic analysis of protocols
3
Constraint solving
4
Computational justification for a passive adversary
5
Conclusion
30 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Each interleaving is mapped to a system Σ(X1 . . . Xn): ∃x1 . . . xm, X1[t1 . . . ta1] =? x1 . . . Xm[t1 . . . tam] =? xm u1 =?
E
u′
1
. . . un =?
E
u′
n
with several “cryptographic” regularity conditions:
31 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Each interleaving is mapped to a system Σ(X1 . . . Xn, X, Y ): ∃x1 . . . xm, x, y, X1[t1 . . . ta1] =? x1 . . . Xm[t1 . . . tam] =? xm X[t1 . . . tam] =? x Y [t1 . . . tam] =? y u1 =?
E
u′
1
. . . un =?
E
u′
n
x =?
E
y Let X, Y , x, y be fresh variables. → the extra equation models an off-line test of the intruder.
32 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Let s0 and s1 model the right and the wrong value of the weak secret. For each interleaving, let Σi(X1 . . . Xn, X, Y ) be ∃ xn, x, y, X1[t1 . . . ta1] =? x1 . . . Xm[t1 . . . tam] =? xm X[t1 . . . tam, si] =? x Y [t1 . . . tam, si] =? y u1 =?
E
u′
1
. . . un =?
E
u′
n
x =?
E
y
33 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Let s0 and s1 model the right and the wrong value of the weak secret.
∃ xn, x, y, X1[t1 . . . ta1] =? x1 . . . Xm[t1 . . . tam] =? xm X[t1 . . . tam, s0] =? x Y [t1 . . . tam, s0] =? y u1 =?
E
u′
1
. . . un =?
E
u′
n
x =?
E
y
∃ xn, x, y, X1[t1 . . . ta1] =? x1 . . . Xm[t1 . . . tam] =? xm X[t1 . . . tam, s1] =? x Y [t1 . . . tam, s1] =? y u1 =?
E
u′
1
. . . un =?
E
u′
n
x =?
E
y
For each interleaving, we must check that the two augmented systems Σi have the same sets of solutions. → Equivalence between two second-order E-unification problems.
34 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
E is convergent subterm iff it is generated by a convergent rewriting system R such that for every rule l → r in R, either (1) r is a subterm of l, or (2) r is an R-reduced term (say a constant). Examples:
pdec(penc(x, pub(y), z), y) = x
check(sig(x, y, z), pub(y)) = ok
(no equation)
f(f(x)) = f(x)
i(i(x)) = x
35 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Our problem boils down to generalizing previous work of
Satisfiability (DJ’04) Equivalence
standard systems ? Deducibility Static equivalence (AC’04)
+ equivalence + active case
36 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
constraint systems.
terms and visible equations to handle the 2nd-order part.
37 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Example: (passive case and syntactic equality) X[k, h(0, k)] =? u where k is a secret and u is any ground term.
Fact Let θ0 be any solution: (Xθ){w1 → k, w2 → h(0, k)} =? u. The set of all solutions is {θ | θ =Ψ θ0}
38 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Theorem (Baudet [CCS’05]) For every convergent subterm theory E, the satisfiability of intruder constraint systems is NP-decidable. So is the non-equivalence of standard intruder constraint systems.
39 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Corollary For a bounded number of sessions, the security of protocols modeled by a convergent subterm theory E, with respect to
is co-NP-decidable. Adding disequality tests is harmless as far as trace properties are concerned. We prove the whole biprocess-based equivalence decidable → useful for strong secrecy.
40 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
1
Introduction
2
Symbolic analysis of protocols
3
Constraint solving
4
Computational justification for a passive adversary
5
Conclusion
41 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
An execution of the protocol corresponds to a system Σ(X, Y ): ∃x, y, X[t1 . . . tam] =? x Y [t1 . . . tam] =? y and x =?
E y
where for all 1 ≤ j ≤ ai, var(tj) = ∅. Notation We call [t1 . . . tam] a frame. A (more) standard notation is: ϕ = νk1 . . . kp. {x1 = t1, . . . , xam = tam} where k1 . . . kp are the private constants (“names”, modeling secret values) in t1 . . . tam.
42 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Definition (static equivalence) ϕ1 ≈E ϕ2 if for every valid test M =?
E N,
Mϕ1 =E Nϕ1 iff Mϕ2 =E Nϕ2 Two frames ϕ and ϕ′ correspond to equivalent intruder constraint systems iff they are statically equivalent. Example: νn.{x = {n}c0, y = {n+1}c0} ≈E νn.{x = {n}c1, y = {n+1}c1} because of dec(x, c0) + 1 =?
E dec(y, c0).
43 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
– a general soundness criterion, – deterministic surjective encryption, and – the case of pure exclusive Or.
44 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
symbol, and random generators for names.
[t] ]η
Definition (indistinguishability) [ [ϕ1] ] ≈ [ [ϕ2] ] if AdvIND(A, [ [ϕ1] ]η, [ [ϕ2] ]η)(η) = P [φ1 ← [ [ϕ1] ]η; A(η, φ1) = 1] − P [φ2 ← [ [ϕ2] ]η; A(η, φ2) = 1] is a negligible function of η.
45 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
τ ::= | SKey symmetric keys | EKey (public) encryption keys | DKey (private) decryption keys | Data passwords and other data | Coins coins for encryption | Pair[τ1, τ2] pairs of messages | SCipher[τ] symmetric encryptions | ACipher[τ] asymmetric encryptions
46 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
encτ : τ × Data → τ decτ : τ × Data → τ pencτ : τ × EKey × Coins → ACipher[τ] pdecτ : ACipher[τ] × DKey → τ pub : DKey → EKey pdec successτ : ACipher[τ] × DKey → Data sencτ : τ × SKey × Coins → SCipher[τ] sdecτ : SCipher[τ] × SKey → τ sdec successτ : SCipher[τ] × SKey → Data pairτ1,τ2 : τ1 × τ2 → Pair[τ1, τ2] fstτ1,τ2, sndτ1,τ2 : Pair[τ1, τ2] → τ2 0, 1, w, c0, c1 . . . : Data
47 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
dec(enc(x, y), y) = x enc(dec(x, y), y) = x pdec(penc(x, pub(y), z), y) = x pdec success(penc(x, pub(y), z), y) = 1 sdec(senc(x, y, z), y) = x sdec success(senc(x, y, z), y) = 1 fst(pair(x, y)) = x snd(pair(x, y)) = y pair(fst(x), snd(x)) = x (sorts omitted) (Note that this theory is subterm convergent.)
48 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
A reduced frame ϕ is well-formed if
w, c0, . . . nor subterms enc(S, 0), enc(S, 1). Theorem (Abadi, Baudet, Warinschi [FOSSACS’06]) In any secure implementation, for every well-formed frames ϕ1 and ϕ2, ϕ1 ≈E ϕ2 implies [ [ϕ1] ] ≈ [ [ϕ2] ].
49 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Corollary In any secure implementation, for every well-formed frame ϕ, ϕ{w → c0} ≈E ϕ{w → c1} implies that w is computationnally hidden in ϕ: for every (effective) sequences κ0 and κ1, [ [ϕ] ]w→κo ≈ [ [ϕ] ]w→κ1 Generalizes to multiple passwords.
50 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
1
Introduction
2
Symbolic analysis of protocols
3
Constraint solving
4
Computational justification for a passive adversary
5
Conclusion
51 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
dictionary attacks based on constraint solving. → More generally we studied an equivalence of processes based on bi-processes.
convergent subterm theory E (e.g. encryptions + pair + signatures + hash...).
indistinguishability for several kinds of encryption.
52 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
signatures...)
barbed-congruence of the applied-pi calculus ⇒ on-going work by S. Delaune, S. Kremer and M. Ryan
53 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
54 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Let τ ∈ Tsenc, and A = (A1, A2) be 2-stage adversary.
R
← − Ks(η);
[τ] ]η together with some state information st;
R
← − {0, 1} is selected at random; if b = 0, we let c
R
← − “SCipher”τEs(m∗, k); otherwise, we let c
R
← − [ [SCipher[τ]] ]η;
Advτ
Πs,A(η) = Pr[A is successful] − 1
2
55 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Let τ ∈ Tpenc, and A = (A1, A2) be 2-stage adversary.
R
← − Ka(η);
[τ] ]η together with some state information st;
R
← − {0, 1} is selected at random; if b = 0, we let c
R
← − “ACipher”τEa(m∗, pk); otherwise, we let c
R
← − [ [ACipher[τ]] ]η;
Advτ
Πa,A(η) = Pr[A is successful] − 1
2
56 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
We require Tenc ∩ {Pair[τ1, τ2]} = ∅. Let τ ∈ Tenc, and A = (A1, A2) be 2-stage adversary.
R
← − K(η);
[τ] ]η together with some state information st;
R
← − {0, 1} is selected at random; if b = 0, we let c
R
← − E(m∗, k); otherwise, we let c
R
← − [ [τ] ]η;
different from all the messages m submitted by A to the encryption oracle.. Advτ
RoR,Π,A(η) = Pr[A is successful] − 1
2
57 / 58
Introduction Symbolic analysis Constraint solving Computational justification Conclusion
Let τ ∈ Tenc, and A = (A1, A2) be 2-stage adversary.
information st;
R
← − {0, 1} is selected at random; if b = 0, we let m
R
← − [ [τ] ]η and c = E(m, k); otherwise, we let c
R
← − [ [τ] ]η;
Advτ
Pwd,Π,A(η) = Pr[A is successful] − 1
2.
58 / 58