Part II Bellare-Rogaway Model (Active Adversaries)

Transcription

1 Part II Bellare-Rogaway Model (Active Adversaries) 8th BIU Winter School on Key Exchange, 2018 Marc Fischlin 13. Oktober 2010 Dr.Marc Fischlin Kryptosicherheit 1

2 Active Attacks Adversary may tamper, drop, or inject messages in executions Marc Fischlin BIU Winter School

3 Marc Fischlin Real World Crypto SS Identities

4 Identities? or In the passive security model both scenarios are identical from server s view need identities to distinguish good and bad cases in active model Marc Fischlin BIU Winter School

5 Identities! certified pk C (via cert C ) certified pk S (via cert S ) sk C sk S both parties also output intended partner identity pid Warning: We do not consider revocation nor registering adversarial keys here! Marc Fischlin BIU Winter School

6 Implications for Security Model Users are assigned user id uid uid 1 uid 2 uid 3 Each party with identity uid receives (pk uid, sk uid, cert uid ) Adversary may recover sk uid from pk uid pk uid sk uid Marc Fischlin BIU Winter School

7 Adding Corruption {pk uid } uid C, uid S (transcript id, id) id K b EXEC TEST b pick id key K id transcript key K secret random bit b: return K 0 =K (if b=0) or K 1 =$ (if b=1) id id id id a K id REVEAL uid sk uid COR- RUPT Marc Fischlin BIU Winter School

8 New Attack Surfaces certified pk C (via cert C ) sk C key K key K 1. Corrupt client to learn sk C 2. impersonate client to derive Key K 3. TEST server key (intended parter is C) Marc Fischlin BIU Winter School

9 Attacks via false Identities not via corruption, but through rogue certificates Marc Fischlin BIU Winter School

10 Extensions: Corruption State sk C state? Adversary learns sk C but also state (randomness,...)? ( weak vs. strong corruption) Complete take-over? x Can client still run executions after corruption? Here: Adversary only gets sk C and corrupt party can still be active Marc Fischlin BIU Winter School

11 Authenticating the Partner Anonymous Unilateral pk S intended parter is S pk C Mutual pk S intended parter is S intended parter is C Marc Fischlin BIU Winter School

12 Marc Fischlin Real World Crypto SS Sessions

13 Conceptual Change: Sessions Passive adversaries: honest parties run execution Active adversaries: unclear if there is partner at all Session? Marc Fischlin BIU Winter School

14 Adding SEND {pk uid } (id, msg) next-msg SEND also: initiate session id id session key K id K b TEST b a id K id uid sk uid REVEAL COR- RUPT Marc Fischlin BIU Winter School

15 Replacing EXEC with SEND EXEC SEND/INIT SEND SEND SEND SEND Warning: for forward secrecy later it is advantageous to also use EXEC Marc Fischlin BIU Winter School

16 Freshness Condition? Adversary should not be allowed to TEST one party and REVEAL other party in the following scenario: SEND/INIT SEND SEND SEND SEND need a notion that sessions belong together Active but somewhat passive attack: Client and Server derive same key Marc Fischlin BIU Winter School

17 Session Matching or Partnering Bellare-Rogaway (BR93) Matching conversations Crypto `93 Bellare-Rogaway (BR95) Partnering Function STOC `95 Bellare-Pointcheval- Rogaway (BPR00) Session identifiers Eurocrypt 2000 Marc Fischlin BIU Winter School

18 Matching Conversations Sessions are partnered if identical transcripts and in chronological order Sometimes defined without chronological order: Marc Fischlin BIU Winter School

19 Partnering Functions Uses notion of (not necessarily efficiently computable) partnering function f: {transcripts} {id} Sessions are partnered if f(transcript) = f(transcript ) Not used anywhere anymore Marc Fischlin BIU Winter School

20 Session Identifiers specify session identifier sid Sessions are partnered if sid = sid sid usually defined through (partial) transcript Marc Fischlin BIU Winter School

21 Restrictions Apply 1. Session identifiers should be unique: Prob[ three honest parties with same sid ] 0 sid sid sid 2. Same sid in genuine execution between two honest parties sid sid 3. Same sid, same key sid K sid K Marc Fischlin BIU Winter School

22 Uniqueness is not hard nonce N C nonce N S sid = (N C, N S, ) sid = (N C, N S, ) Common example: TLS Marc Fischlin BIU Winter School

23 Freshness Mutual Authentication Unilateral Authentication Anonymous neither TEST session nor partner session REVEALED neither party in TEST nor intended partner pid CORRUPT + if unauthenticated partner then there is honest partner session + there is honest partner session Marc Fischlin BIU Winter School

24 Authenticated Key Exchange {pk uid } (id, msg) next-msg SEND also: initiate session id id session key K id K b TEST b a Adversary wins if a=b and freshness condition satisfied id K id uid sk uid REVEAL COR- RUPT (assuming conditions for session matching are satisfied) KE is BR-secure against active adversaries if for any efficient adversary: Pr[A wins] ½ +neg Marc Fischlin BIU Winter School

25 Authenticated? At most one other party ( 1) holds the session key (and for authenticated cases, if intended partner is honest then it is that party) Do you see why it cannot be three parties? Key confirmation ( 1): Another party holds the key see also: Fischlin, Günther, Schmidt, Warinschi: Key Confirmation in Key Exchange, S&P 2016 Marc Fischlin BIU Winter School

26 Teaser for the Break We have defined security for single TEST query: id K b TEST b Is it equivalent if adversary has multiple TEST queries? id K b TEST b Hint: consider first how you need to change the TEST oracle and then how you could ensure this in a reduction to the single-query case Marc Fischlin BIU Winter School