Universally Composable Symbolic Analysis of Key-Exchange Protocols
Jonathan Herzog (Joint work with Ran Canetti)
21 September 2004
The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the author. If captured, MITRE will disavow any knowledge of your activities. Void where prohibited by law. No warranty expressed or implied.
Introduction
This talk: symbolic (Dolev-Yao) analysis can guarantee concrete (Universally Composable) security
  UC security: strongest known definition of security in computational model
  Therefore: automated formal analysis as strong as strongest concrete, hand-crafted proof
Previous work: AR, MW, BPW, Gergi, others
  Computational soundness for Dolev-Yao assumptions
  Only relates proof-steps of formal analysis to proof-steps of computational analysis
  Are the two models trying to prove the same goal?
Our Results
Same security goals? Yes and no.
Mutual authentication: Yes
  DY-MA, UC-MA achieved by same protocols
  UC analog to MW04
  Last mention of mutual authentication
  All interesting details in KE case, anyway
Key-Exchange (KE): No
  DY-KE is strictly weaker than UC-KE
  Why? DY notion of secrecy weaker than UC notion
  DY-KE and UC-KE equivalent, however, under “real-or-random” notion of secrecy
Universally composable security
Strongest known computational definition of security [C, BPW]
Definition phrased in terms of single execution
Implies secure even when composed with
cannot make party P1 (locally) output (finished P1 P2) before P2 outputs (starting P1 P2) and vice-versa
UC: F_MA only sends (success P1 P2) to participants after both submit (start P1 P2)
Theorem: let be a simple protocol. Then achieves DY-MA iff securely realizes F_MA
(Note: UC analog to MW04)
“Simple” protocols
Recall goal: equate DY and UC security
Need protocols to be meaningful in both models
  Efficient implementations (needed by UC)
  Messages with DY-like parse trees
Consider programs from a “programming language”
  Equality testing, branching
  Standard DY adversary actions
  Uses UC-secure asymmetric encryption
Will probably be replaced by CPPL
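Added example, not part of the talk: a small Python model of messages as Dolev-Yao parse trees with pairing and asymmetric encryption, plus the standard adversary closure used to decide whether a session key is derivable from a trace. The term constructors, the two sample traces and the reading of DY secrecy as non-derivability are assumptions made for this illustration.

```python
# Added illustration, not from the talk. Terms are parse trees (tuples):
# ("name",x) ("key",x) ("pub",x) ("priv",x) ("pair",a,b) ("aenc",pubkey,body)
def pair(a, b): return ("pair", a, b)
def aenc(pubkey, body): return ("aenc", pubkey, body)
def pub(p): return ("pub", p[1])
def priv(p): return ("priv", p[1])

def analyze(knowledge):
    """Close a term set under projection and decryption with known private keys."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if t[0] == "pair":
                parts = [t[1], t[2]]
            elif t[0] == "aenc" and ("priv", t[1][1]) in known:
                parts = [t[2]]
            else:
                parts = []
            for p in parts:
                if p not in known:
                    known.add(p)
                    changed = True
    return known

def derivable(term, knowledge):
    """True if the Dolev-Yao adversary can construct `term` from `knowledge`."""
    known = analyze(knowledge)
    def synth(t):
        if t in known:
            return True
        if t[0] in ("pair", "aenc"):      # build from derivable subterms
            return synth(t[1]) and synth(t[2])
        return False                      # atoms cannot be guessed
    return synth(term)

# Constructed sample data: two honest parties, adversary A, session key k.
P1, P2, A, K = ("name", "P1"), ("name", "P2"), ("name", "A"), ("key", "k")
INITIAL = {P1, P2, A, pub(P1), pub(P2), pub(A), priv(A)}
GOOD_TRACE = [aenc(pub(P2), pair(P1, K))]  # key sent under P2's public key
BAD_TRACE = [aenc(pub(A), pair(P1, K))]    # key sent under A's public key

def key_secret(trace):
    """DY secrecy read as non-derivability of K from everything A has seen."""
    return not derivable(K, INITIAL | set(trace))

if __name__ == "__main__":
    print(key_secret(GOOD_TRACE), key_secret(BAD_TRACE))
```

This checks only symbolic non-derivability, the DY notion that the slides describe as weaker than the UC notion of secrecy.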
UC Key-Exchange Functionality
[Figure: diagram of the functionality F_KE with parties P1 and P2 and adversary A. Labels: (P1 P2), (P2 P1), k {0,1}^n, Key k, Key P1, Key P2.]
Mapping lemma
Let be a simple protocol
Every concrete execution of protocol (with any concrete adversary) has valid Dolev-Yao interpretation
Lemma: such interpretations could almost always be generated by Dolev-Yao adversary in purely Dolev-Yao setting
  Similar result to MW04
Cor: To prove that simple protocol securely realizes F, need only show that it achieves Dolev-Yao goal G
  If F and G are equivalent over traces
  Note: traces now includes input/output
Protocol security
Intuition: A protocol securely realizes a functionality F if running is “just like” using F
[Figure: two systems joined by "=". Labels: F with parties P', P' and adversary A; parties P, P and adversary A.]
Implications of definition
Purpose of protocol: jointly calculate the outputs specified by description of F
Security: No one learns more from than would be revealed by F
However: definition (in particular) requires that no adversary can distinguish the two situations
Can this definition be realized?