Interpretation of formal proof for Cryptographic Protocols into Computational Model

Transcription

1 Interpretation of formal proof for Cryptographic Protocols into Computational Model Sanjay Kumar Sonkar 1, Darmendra Lal Gupta 2, Dr. Anil Kumar Malviya 3, Ganesh Chandra 4, Vinod Kumar Yadav 5 1,4,5 M. Tech. Student, Department of Computer Science & Engineering, Kamla Nehru Institute of Technology, Sultanpur, (U.P.) India 2 Assistant Professor, Department of Computer Science & Engineering, Kamla Nehru Institute of Technology, Sultanpur, (U.P.) India 3 Associate Professor, Department of Computer Science & Engineering, Kamla Nehru Institute of Technology, Sultanpur, (U.P.) India { 1 kumarsanjaysonkar@gmail.com, 2 dlgupta2002@gmail.com, 3 anilkmalviya@yahoo.com, 4 ganesh.iiscgate@gmail.com, 5 vinodrockcsit@gmail.com } Abstract Cryptography is the spinal cord for all security measures involved in computing field so a lot of emphasis is required to be given to make it strong enough to deal all the transition of the security industry. We present a general method to prove security properties of multiple cryptographic protocols in an execution model where clients exchange messages using multiple protocols against active adversaries. The method discussed here allows to interpret the logical formal proofs of cryptographic systems into their computational equivalent. The security properties are expressed in terms of logics, which are then interpreted in a computational setup. Also, we further show that if the statement is true for any symbolic execution then the corresponding computational interpretation is widely accepted in all forms. The messages between clients are expressed in syntax form and do not require dealing with asymptotic notations and probability distribution. This paper provides a basic framework and edifice for extending the protocol specification language with other cryptographic primitives. Keywords: Cryptographic protocols, Symbolic analysis, Protocol logic, formal methods for security protocols. I. Introduction Cryptographic protocols are fundamental tool in the design of secure distributed computing systems [3][4][7], but they are also extremely hard to design and validate. The difficulty of designing valid cryptographic protocols[1][5] stems mostly from the fact that security properties[2] should remain valid even when the protocol is executed in an unpredictable adversarial environment, where some of the clients (or an external entity) are maliciously attempting to make the protocol deviate from its prescribed behavior. Basically, Cryptographic protocols are coined in one of two ways: [9][11][15] A. Computational Model: The computational model consists of following models: Messages are considered as bit-strings[17]; The encryption operation[19] of message is a concrete arithmetic; Security is defined in terms of that a computationally bounded[20][23] adversary can only attack successfully with negligible probability; Analysis of security is done by reduction. B. Formal Model ( Dolev-Yao model ): The formal model comprises of: Abstracts cryptographic concepts into an algebra of symbolic messages[9][12]; Messages are considered as formal expressions; The encryption operation is only an abstract function; Security is modeled by formal formulas[14]; Analysis of security is done by formal reasoning. This paper is divided into six parts. Starting with introduction (Section-I), next section covers theoretical experiment (Section-II). Moving ahead analysis model (Section-III), related work has been described in (Section-IV) and finally conclusion & future work has been described in (Section-V & VI). II. Theoretical Experiment Example: A B: e = {xˋk}x k, mac(e, x mk ) xˋk fresh A sends to B a fresh key x k encrypted under authenticated encryption [22][23], implemented as encrypt-then-mac. x k should remain secret. Step 1: Initialization: A B: e = {xˋk}x k, mac(e, x mk ) xˋk fresh Q 0 = start(); new x r : keyseed; let x k : key= kgen(x r ) in new xˋr : mkeyseed; let x mk : mkey = mkgen(xˋr) in α(); (Q A Q B ) Initialization of keys: The process Q 0 waits for a message on channel start. The adversary triggers this process. 525

2 Q 0 generates encryption and MAC keys, x k and x mk [2][6] respectively, using the key generation algorithms kgen and mkgen. Q 0 returns control to the adversary by the output α(). Q A and Q B represent the actions of A and B. Step 2: a) Role of A: A B: e = {xˋk}x k, mac(e, x mk ) xˋk fresh Q A = β i n C A (); new xˋk : key; new x r :coins; Let xm : bitstring = enc(k2b(xˋk), x k, x r ) in C A <x m, mac(x m, x mk )> β i n represents n copies, indexes by i ϵ [1,n] The protocol can be run n times (polynomial in the security parameter [4]). The process is triggered when a message is sent on C A by the adversary. The process chooses a fresh key xˋk and sends the message on channel C A. We obtain a sequence of games G 0 G 1 G m, which implies G 0 G m. If some equivalence or trace property hold with overwhelming probability in G m, then it also hold with overwhelming probability in G 0. Step 5: Security definition [1][2][9]: A MAC scheme: (Randomized) key generation function mkgen. MAC function mac (m, k) takes as input a message m and a key k. Verification function verify(m, k, t) such that Verify (m, k, mac (m, k)) = true. A MAC guarantees the integrity and authenticity [26] of the message because only someone who knows the secret key can build the mac. More formally, an adversary A that has oracle access to mac and verify has a negligible probability to forge a MAC: b) Role of B: A B: e = {xˋk}x k, mac(e, x mk ) xˋk fresh Q B = β i n C B (xˋm : bitstring, x ma : macstring); if veriry (xˋm, x mk, x ma ) than let i (k2b(x k )) = dec (xˋm, x k ) in C B () n copies, as for Q A. The process Q B waits for the message on channel C B. It verifies the MAC, decrypts and stores the key in x k. Step 3: Indistinguishability as observational equivalence: Two processes Q1, Q2 are observationally equivalent where the adversary has a negligible probability of distinguishing them: Q 1 Q 2 In the formal definition, the adversary is represented by an acceptable evaluation context C:: = C Q & Q C new Channel c; C. Observation equivalence is an equivalence relation. It is contextual: Q 1 Q 2 implies C[Q] C[Q] where C is any acceptable evaluation context. Step 4: Proof Technique: We transform a Game G 0 into an observationally equivalent [27][28] on using: Observational equivalences: L R given as axioms and that come from security assumptions on primitives. These equivalences are used inside a context: G1 C[L] C[R] G2 Syntactic transformations: Simplification, expansion of assignments, max Pr[verify (m, k, t) k mkgen; (m, t) A mac (., k), verify(., k,.) ] A is negligible, when the adversary A has not called the mac oracle on message m. Step 6: Intuitive Implementation: By the previous definition, up to neglible probability, The adversary cannot forge a correct MAC. So when verifying a MAC with verify (m, k, t) and k mkgen is used only for generating and verifying MACs, the verification can succeed only if m is in the list (array) of message whose mac has been computed by the protocol. So we can replace a call to verify with an array lookup: If the call to mac is mac (x, k), we replace verify (m, k, t) with find j N such that defined (x[j]) (m = x[j]) verify (m, k, t) then true else false. Step 7: Formal implementation (1) [15]: Verify (m, mkgen(r), mac(m, mkgen(r))) = true β N new r : mkeyseed; (β N (x : bitstring) mac(x, mkgen(r)), β Nˋ(m : bitstring, t : macstring) verify(m, mkgen(r), t)) β N new r : mkeyseed; (β N (x : bitstring) mac(x, mkgen(r)), β Nˋ(m : bitstring, t : macstring) find j N such that defined(x[j]) (m = x[j]) verify(m, mkgen(r), t) then true else false. Formal implementation (2): Verify (m, mkgen(r), mac(m, mkgen(r))) = true β N new r : mkeyseed; (β N (x : bitstring) mac(x, mkgen(r)), β Nˋ(m : bitstring, t : macstring) verify(m, mkgen(r), t)) 526

3 β N new r : mkeyseed; (β N (x : bitstring) macˋ(x, mkgenˋ(r)), β Nˋ(m : bitstring, t : macstring) find j N such that defined(x[j]) (m = x[j]) verifyˋ(m, mkgenˋ(r), t) then true else false. The prover applies the previous rule automatically in any (polynomial-time) context, perhaps containing several occurrences of mac and verify following: prove the source of the message to a third party. A practical secure deniable authentication protocol should have the following properties: Completeness or authentication, strong deniability, weak deniability, security of forgery attack, security of impersonate attack, security of compromising session secret attack, security of man-in-the-middle attack. Each occurrence of mac is replaced with macˋ. Each occurrence of verify is replaced with a message key and find that looks in all arrays of computed MACs. Step 8: Proof of security properties: a. One-session secrecy: The adversary cannot distinguish any of the secretes from a random number with one test query. Criterion for proving one-session secrecy [19][21] of x: X is defined by new x[i] : T and there is a set of variables S such that only variables in S depend on x. The output messages and the control-flow do not depend on x. b. Secrecy: The adversary cannot distinguish the secrets from independent random numbers with several test queries. Criterion for proving secrecy of x: Same as one-session secrecy, plus x[i] and x[iˋ] do not come from the same copy of the same restriction when i iˋ. Step 9: Result: In most cases, the prover succeeds in proving the desired properties when they hold and obviously it always fails to prove them when they do not hold. Only cases in which the prover fails although the property holds: Needham-Schroeder [9][11] public-key when the exchanged key is the nonce N A. Needham-Schroeder shared-key: fails to prove that N B [i] N B [iˋ]-1 with overwhelming probability, where N B is a nonce. III. Analysis Model Deniable authentication protocols allow a Sender to authenticate a message for a receiver, in a way that the receiver cannot convince a third party that such authentication (or any authentication) ever took place. Deniable authentication has two characteristics that differ from traditional authentication: One is that only the intended receiver can authenticate the true source of a given message; the other is that the receiver cannot provide the evidences to Figure 1: Analysis model of deniable authentication protocols with Blanchet calculus Generally deniable authentication protocol includes three roles, Sender which is initiator, receiver which is responder and third party, represented by Sender, Receiver and Third party, respectively. We assume that Sender plays only on the role of the initiator; Receiver plays only the role of responder, Third party play only on the prover. The deniable authentication protocol consists of a sequence of messages exchanged between the Sender and the Receiver & the Receiver and Third party. In deniable authentication protocol Sender can authenticate a message for Receiver, in a way that they cannot Receiver convince a Third party that such authentication (or any authentication) ever took place. Deniable authentication protocol has two characteristics that differ from traditional authentication protocol. One is that only the intended Receiver can authenticate the true source of a given message. The other is that the Sender cannot provide the evidences to prove the source of the message to a third party at some condition and the Receiver can provide the evidences to prove the source of the message to a third party. The ability of adversary is defined in the previous section. It can control the channel SR between Sender and Receiver. It cannot control the channels: Channel ST and channel RT. At the same time the adversary is a probabilistic polynomial-time attacker. Strong deniability: The purpose of strong deniability is to protect the privacy of Sender. After execution of the deniable authentication protocol the Sender can deny to have ever authenticated anything to Receiver. If the prover (Receiver or the any other party) wants to prove that the Sender have authenticated messages to Receiver, they must provide all the relevant evidence. The Sender can provide his secret information to the Third party. A adversary model in strong deniability: we suppose that the Sender and the Receiver cooperate with the judge or the prover or the any other party 527

4 which means that the Sender and the Receiver provide all the transcripts of the message in the deniable authentication protocol to them. If DAP satisfies the condition one and four in: Inj-event (whole sender (Receiver, x)) = inj-event(whole Receiver (Sender, x) ) Inj-event (whole Thirdparty (Receiver, x)) = inj-event(whole Thirdparty (Sender, x) ) Definition DAP and DAP satisfies the correspondence and with public variables V = φ, then DAP is a secure deniable authentication protocol with session in a adversary model in strong deniability. In the above definition of DAP the injective correspondence can be instead by non-injective correspondence. Weak deniability: The purpose of weak deniability is to protect the privacy of Sender. After execution of the deniable authentication protocol the Receiver can prove to have spoken to Sender but not the content of what the Sender authenticated in a way that the Receiver cannot convince a third party. Deniable Authentication Protocol Security Properties Active Adversary Model Relating the Two Models: Meng & Shao Mechnized Model Automated Verification In order to prove any relationship between the formal and computational worlds, we need to define the interpretation of expressions [8] and patterns. Once an encryption scheme is depicted, we can define the interpretation function α, which assigns to each expression or pattern M a family of random variables {α η (M)} η N such that each α η (M) takes values in strings. For expressions: Blocks are interpreted as strings, Each key is interpreted by running the key generation algorithm, Pairs are translated into computational pairs, Formal encryptions terms are interpreted by running the encryption algorithm. Difference between Formal approach and Computational approach [15]: Formal approach Computational approach Message Terms Bits-strings Encryption Idealized Algorithm Adversary Idealized Any polynomial algorithm Secrecy Reach ability-based Indistingability property property Guarantees Unclear Strong Proof Automatic By hand and errorprone Balnchet Calculus Computational Model Crypto Verification Figure 2: Model of automatic verification of deniable authentication protocols If the Receiver want to prove that the Sender have authenticated messages to Receiver, he must provide the evidence related to the thing. An adversary model in weak deniability: When discussing the weak deniability, in addition the adversary has the ability in previous section; we always suppose that only the Receiver generates the evidence that the Sender have authenticated messages to Receiver. Receiver cannot get the secret information of the Sender, for example the private key of Sender. Receiver can provide his secret information to the Third party. If DAP satisfies the condition one in definition DAP and DAP satisfies the correspondence: Inj-event (whole sender (Receiver, x)) = inj-event(whole Receiver (Sender, x) ) Inj-event (whole Thirdparty (Receiver, x)) = inj-event(whole Thirdparty (Sender, x) ) and with public variables V = φ, then DAP is a secure deniable authentication protocol with session functions in a adversary model in weak deniability. In the above definition of DAP the injective correspondence can be instead by noninjective correspondence. Our Contribution: The primary contribution of this paper is that it tried to bring about various concepts which are requisite for concrete development in proofs of cryptography protocols and remove the bottleneck reason for its failure. In particular, we define the equivalence between formal messages in the presence of both key cycles and secret shares, and then prove the computational soundness [13][16] about formal encryption in this setting. 1. First computational analysis of an industrial protocol: Consider authentication[29] and secrecy properties[26], Analyzed Basic Kerberos 5 and public-key Kerberos[22], Kerberos is complex (e.g. PKINIT uses both public-key and symmetric). Cryptographic primitives (Encryption, Signatures, MACs). 2. Proofs were carried out symbolically in the BPW model: Proofs in Dolev-Yao style model are cryptographically sound, Proofs can be automated. 528

5 IV. Related Work Early work on linking Dolev-Yao models and cryptography only considered passive attacks, and therefore cannot make general statements about protocols. A Cryptographic justification for a Dolev-Yao model in the sense of under active attacks and within arbitrary surrounding interactive protocols [29][30]. Diminishing the distance between the computational and logic treatment of Cryptography has been the subject of many recent research efforts. The works which are more closely related to our paper, which present a simple logic for reasoning about the security protocols written in a language similar to ours, but only for the case of passive adversaries. Other approaches to bridging the logic and computational models of cryptography have also been considered in the literature, but they all seem considerably more complex. The notions of probability, polynomial bounded computation, and computational in distinguish ability are incorporated in a process calculus, and security is defined in terms of observational equivalence on processes. Work is in progress regarding formulation of mathematical model for syntactic approach dealing with probability and polynomial-time [14] considerations and encoding them into proof tools, in particular. This is equivalent to the work of justifying Dolev-Yao models, which offer a higher level of abstractions and thus much simpler proofs where applicable, so that proofs of larger systems can be automated. V. Conclusion On the macroscopic view, we come across the various security measures involved in security protocol proofs. This paper properly deals with all the computational technique which can overcome all the day by day new developments in cryptographic field. This paper reflects logical formal proofs of security protocols into the computational model. The formal proofs are easy with respect to computational model as we don t have to consider the probabilistic distribution and asymptotic notations. The security properties are expressed in terms simple logic based language using syntactic expressions and are then interpreted in a computational setup. Also these formal proof are sound as any active adversaries can extract information from messages if the statement hold true for any symbolic execution. Therefore, we need such a framework for the interpretation of formal proof into cryptographic system so as to develop more and more secure communication systems. VI. Future Work 1. Considering execution models in which we can extend instances not of a single but of a set of protocols if they are developed in future. 2. Developing a more general execution model involving reactive clients. 3. Generalize our abstract definition of security notions to capture secrecy properties. 4. Augmenting the BPW model with tailored protocol logics to further simplify modular reasoning. 5. Understanding the relation of correctness proofs of (commercial) protocols in MSR and in the BPW model. VII. References [1] E. S. Cohen, Information transmission in computational systems, ACM SIGOPS Operating Systems Review, vol. 11, no. 5, pp , [2] J. McLean, Security models and information flow, in Proc. IEEE Symp. on Security and Privacy, May 1990, pp [3] Focardi and R. Gorrieri, A classification of security properties for process algebras, J. Computer Security, vol. 3, no. 1, pp. 5 33, [4] D. Song. An automatic checker for security protocol analysis. In 12th IEEE Computer Security Foundations Workshop, June [5] D. Kozen, Language-based security, in Proc. Mathematical Foundations of Computer Science. Sept. 1999, vol of LNCS, pp , Springer-Verlag. [6] Aldini, Probabilistic information flow in process algebra, in Proc. CONCUR 01. Aug. 2001, vol of LNCS, pp , Springer-Verlag. [7] Michele Boreale. Symbolic trace analysis of cryptographic protocols. In 28th Colloquium on Automata, Languages and Programming (ICALP), LNCS. Springer, July [8] M. Zanotti, Security typings by abstract interpretation, in Proc.Symposium on Static Analysis. Sept. 2002, vol of LNCS, pp , Springer-Verlag. [9] M. Backes and B. Pfitzmann. A cryptographically sound security proof of the Needham-Schroeder- Lowe public-key protocol. Available as Cryptology eprint Archive, Report 2003/121. [10] M. Backes, B. Pfitzmann, and M. Waidner. A universally composable cryptographic library. Available as Cryptology eprint Archive, Report 2003/015. [11] M. Backes and B. Pfitzmann. Symmetric Encryption in a simulatable Dolev-Yao style cryptographic library. In Proceedings of the 17th Computer Security Foundations Workshop, pages 204{218. IEEE Computer Society, June [12] Iliano Cervesato, Aaron D. Jaggard, Andre Scedrov, and Christopher Walstad. Specifying Kerberos 5 Cross-Realm Authentication. In Proc. WITS 05, pages ACM Digital Lib., [13] V`eronique Cortier and Bogdan Warinschi. Computationally sound, automated proofs for security protocols. In Proc. 14th European 529

6 Symposium on Programming (ESOP), pages , [14] Anupam Datta, Ante Derek, John Mitchell, Vitalij Shmatikov, and Matthieu Turuani. Probabilistic polynomial-time semantics for protocol security logic. In Proc. 32nd International Colloquium on Automata, Languages and Programming (ICALP), volume 3580 of Lecture Notes in Computer Science, pages Springer, [15] Laud, P. Formal analysis of crypto protocols: Secrecy types for a simulatable cryptographic library. In Proc. ACM Conf. on Computer and Communication Security (ACM CCS 2005) (2005), ACM Press, pp &org=11 [16] C. He and J. C. Mitchell. Security Analysis and Improvements for IEEE i. In Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS 05), February [17] Ran Canetti and Jonathan Herzog. Universally composable symbolic analysis of cryptographic protocols (the case of encryption-based mutual authentication and key exchange). In Proc. 3rd Theory of Cryptography Conference (TCC), [18] Iliano Cervesato, Aaron D. Jaggard, Andre Scedrov, Joe-Kai Tsay, and Chris Walstad. Breaking and fixing public-key Kerberos. In Proc. WITS 06, pages 55 70, [19] Anupam Datta, Ante Derek, John Mitchell, and Bogdan Warinschi. Key exchange protocols: Security definition, proof method, and applications. In 19th IEEE Computer Security Foundations Workshop (CSFW 19), Venice, Italy, IEEE Press. [20] Tsudik, G. YA-TRAP: Yet another trivial RFID authentication protocol. In Proc. IEEE Intern. Conf. on Pervasive Computing and Communications (PerCom 2006) (2006), IEEE Press. [21] Oren, Y., and Shamir, A. Power analysis of RFID tags. Appeared in the rump session of Advances in Cryptology, CRYPTO Available online at Weizmann Institute, [22] Burmester, M., van Le, T., and de Medeiros, B. Provably secure ubiquitous systems: Universally composable RFID authentication protocols. E-print report 2006/131, International Association for Cryptological Research, [23] IETF. Public Key Cryptography for Initial Authentication in Kerberos, Sequence of Internet drafts available from [24] F. Wang and Y. Zhang, A new provably secure authentication and key agreement mechanism for SIP using certificateless public-key cryptography, Cryptology eprint Archive, Report 2007/220, [25] Tarjei K. Mandt and Chik How Tan, Certificateless authenticated two-party key agreement protocol, ASIAN 2006, LNCS 4435, pp.37-44, [26] Y. Sun, F. Zhang, and J. Baek, Strongly Secure Certificate less Public Key Encryption without Pairing, CANS 2007, LNCS 4856, pp , [27] X. Liang, SH. Wang, J. Shen and G. Xu, Breaking and Repairing the Certificate less key agreement protocol from ASIAN 2006, Wuhan University Journal of Natural Sciences,vol. 13, no. 5, pp , [28] Dario Fiore and Rosario Gennaro, Making the Diffie-Hellman Protocol Identity-Based, [29] Georg Lippold, Colin Boyd and Juan Gonzalez Nieto, Strongly Secure Certificate less Key Agreement, [30] Cas J.F. Cremers, Formally and Practically Relating the CK, CK-HMQV, and eck Security Models for Authenticated Key Exchange, Bibliographies: Sanjay Kumar Sonkar was born at Varanasi, (U.P.), in India. He received the B. Tech degree in Computer Science & Engineering in 2010 from Radha Govind Engineering College, Meerut, India. Presently, he is an M.Tech student in Computer Science & Engineering from Kamla Nehru Institute of Technology, Sultanpur, U.P., India. Dharmendra Lal Gupta is currently working as an Assistant Professor in the Department of Computer Science & Engineering at KNIT, Sultanpur (U.P.) India. And he is also pursuing his Ph.D. in Computer Science & Engineering from Mewar University, Chittorgarh (Rajasthan). He received B.Tech.(1999) from Kamla Nehru Institute of Technology (KNIT) Sultanpur, in Computer Science & Engineering, M.Tech. Hon s (2003) in Digital Electronics and Systems from Kamla Nehru Institute of Technology (KNIT) Sultanpur. His research interests are Cryptography and Network Security, Software Quality Engineering, and Software Engineering. Dr. Anil Kumar Malviya is an Associate Professor in the Computer Science & Engineeering. Department at Kamla Nehru Institute of Technology, (KNIT), Sultanpur. He received his B.Sc. & M.Sc. both in Computer Science from Banaras Hindu University, Varanasi respectively in 1991 and 1993 and Ph.D. degree in Computer Science from 530

7 Dr. B.R. Ambedkar University; Agra in 2006.He is Life Member of CSI, India. He has published about 31papers in International/National Journals, conferences and seminars. His research interests are Data mining, Software Engineering, Cryptography & Network Security. Ganesh Chandra was born at Kanpur, India. He received the B. Tech. Degree in Computer Science and Engineering in 2009 from Dr. Ambedkar Institute of Technology for Handicapped, Kanpur, India. He is currently pursuing M. Tech in Computer Science and Engineering from Kamla Nehru Institute of Technology, Sultanpur, U.P, India. Vinod Kumar Yadav was born in Jaunpur, India. He received the B.Tech. Degree in Computer Science and Information Technology in 2008 from I.E.T., M.J.P. Rohilkhand University Bareilly, India. He is currently pursuing M.Tech in Computer Science and Engineering from Kamla Nehru Institute of Technology, Sultanpur, U.P., India. 531