Universally Composable Symbolic Analysis of Mutual Authentication and Key-Exchange Protocols

(Extended Abstract)
  • Ran Canetti
  • Jonathan Herzog
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3876). Springer, 2006.

Abstract

Symbolic analysis of cryptographic protocols is dramatically simpler than full-fledged cryptographic analysis. In particular, it is simple enough to be automated. However, symbolic analysis does not, by itself, provide any cryptographic soundness guarantees. Following recent work on cryptographically sound symbolic analysis, we demonstrate how Dolev-Yao style symbolic analysis can be used to assert the security of cryptographic protocols within the universally composable (UC) security framework. Consequently, our methods enable security analysis that is completely symbolic, and at the same time cryptographically sound with strong composability properties.

More specifically, we concentrate on mutual authentication and key-exchange protocols. We restrict attention to protocols that use public-key encryption as their only cryptographic primitive and have a specific restricted format. We define a mapping from such protocols to Dolev-Yao style symbolic protocols, and show that the symbolic protocol satisfies a certain symbolic criterion if and only if the corresponding cryptographic protocol is UC-secure. For mutual authentication, our symbolic criterion is similar to the traditional Dolev-Yao criterion. For key exchange, we demonstrate that the traditional Dolev-Yao style symbolic criterion is insufficient, and formulate an adequate symbolic criterion.

Finally, to demonstrate the viability of our treatment, we use an existing tool to automatically verify whether some prominent key-exchange protocols are UC-secure.
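The two symbolic criteria the abstract contrasts, as an added worked example (constructed for this page; it is not code from the paper or its authors). The term algebra assumed here is the one the abstract restricts to, nonces and names plus public-key encryption, with probabilistic encryption so the adversary cannot compare two ciphertexts of the same plaintext. The first check is the traditional Dolev-Yao criterion, run over Lowe's well-known man-in-the-middle trace against Needham-Schroeder and against the Lowe-fixed variant (NSL). The second check is my reading of the stronger key-exchange requirement, that the session key output must be indistinguishable from a fresh value even given every other session's output; the exact definition in the paper may differ. The names A, B, E, the session identifiers, the trace construction and the replay scenario are all assumptions of this example.

```python
"""Added example: Dolev-Yao deduction and a real-or-random key check over
symbolic traces. Atoms are strings (names 'A', nonces 'Na', keys 'pk_B',
'sk_B'); ('pair', x, y) is concatenation; ('enc', k, m) is probabilistic
public-key encryption of m under k. All traces below are constructed."""
from typing import Callable, Dict, List, Set, Tuple, Union

Term = Union[str, tuple]
Outputs = Dict[Tuple[str, int], str]          # (party, session id) -> key output

def pk(agent: str) -> str: return f"pk_{agent}"
def sk(agent: str) -> str: return f"sk_{agent}"
def enc(key: str, msg: Term) -> Term: return ('enc', key, msg)
def pair(*parts: Term) -> Term:            # right-nested concatenation
    return parts[0] if len(parts) == 1 else ('pair', parts[0], pair(*parts[1:]))
def inverse(key: str) -> str:              # decryption key for an encryption key
    return 'sk_' + key[3:] if key.startswith('pk_') else 'pk_' + key[3:]

def analyse(known: Set[Term]) -> Set[Term]:
    """Close knowledge under DY analysis: split pairs, open ciphertexts whose
    private key is known. Terminates since every new term is a subterm."""
    known = set(known)
    while True:
        new: Set[Term] = set()
        for t in known:
            if isinstance(t, tuple) and t[0] == 'pair':
                new |= {t[1], t[2]}
            elif isinstance(t, tuple) and t[0] == 'enc' and inverse(t[1]) in known:
                new.add(t[2])
        if new <= known:
            return known
        known |= new

def derivable(target: Term, known: Set[Term]) -> bool:
    """DY synthesis: target is derivable if analysed knowledge contains it or
    it can be built by pairing / encrypting derivable parts."""
    facts = analyse(known)
    def syn(t: Term) -> bool:
        if t in facts:
            return True
        if isinstance(t, tuple) and t[0] in ('pair', 'enc'):
            return syn(t[1]) and syn(t[2])
        return False
    return syn(target)

PUBLIC: Set[Term] = {'A', 'B', 'E', pk('A'), pk('B'), pk('E')}   # assumed public setup

def lowe_attack_trace(nsl: bool) -> List[Term]:
    """Lowe's attack on Needham-Schroeder public key: A talks to E, E relays
    to B as A. With nsl=True message 2 carries B's name, so A aborts."""
    m1 = enc(pk('E'), pair('Na', 'A'))                       # A -> E
    m2 = enc(pk('B'), pair('Na', 'A'))                       # E(A) -> B, re-encrypted
    m3 = enc(pk('A'), pair('Na', 'Nb', 'B') if nsl else pair('Na', 'Nb'))  # B -> E(A)
    trace = [m1, m2, m3]
    if not nsl:                                              # A believes m3 came from E
        trace.append(enc(pk('E'), 'Nb'))                     # A -> E: {Nb}_pkE
    return trace

def responder_nonce_secret(nsl: bool) -> bool:
    """Traditional DY criterion: the adversary (who owns sk_E) cannot derive Nb."""
    return not derivable('Nb', PUBLIC | {sk('E')} | set(lowe_attack_trace(nsl)))

def pattern(t: Term, facts: Set[Term]) -> Term:
    """Observable shape of t: ciphertexts the adversary cannot open are boxes."""
    if isinstance(t, tuple) and t[0] == 'pair':
        return ('pair', pattern(t[1], facts), pattern(t[2], facts))
    if isinstance(t, tuple) and t[0] == 'enc':
        return ('enc', t[1], pattern(t[2], facts)) if inverse(t[1]) in facts else ('box', t[1])
    return t

def canonical(terms: List[Term], facts: Set[Term]) -> Tuple:
    """Patterns with secret atoms renamed by first occurrence: only equalities
    among secrets remain, not their names."""
    names: Dict[str, str] = {}
    def rename(t: Term) -> Term:
        if isinstance(t, tuple):
            return (t[0],) + tuple(rename(x) for x in t[1:])
        return t if (t in PUBLIC or t in facts) else names.setdefault(t, f"x{len(names)}")
    return tuple(rename(pattern(t, facts)) for t in terms)

def real_or_random_secret(msgs: List[Term], outputs: Outputs, session: int) -> bool:
    """Stronger KE criterion (my reading): the view with the real outputs of
    `session` must look the same as the view where that session's key is a
    fresh value, as an ideal key-exchange functionality would hand out."""
    facts = analyse(PUBLIC | {sk('E')} | set(msgs))
    order = sorted(outputs)
    real = msgs + [outputs[s] for s in order]
    ideal = msgs + [('FRESH' if s[1] == session else outputs[s]) for s in order]
    return canonical(real, facts) == canonical(ideal, facts)

def naive_ke() -> Tuple[List[Term], Outputs]:
    """Constructed 'send the key under pk_B' exchange. E replays A's session-1
    message into a second session of B, which outputs the same key again."""
    m = enc(pk('B'), pair('Na', 'A'))
    return [m, m], {('A', 1): 'Na', ('B', 1): 'Na', ('B', 2): 'Na'}

def sid_bound_ke() -> Tuple[List[Term], Outputs]:
    """Same exchange with the session id inside the ciphertext: B rejects the
    replay, and session 2 runs afresh with its own key."""
    m1, m2 = enc(pk('B'), pair('sid1', 'Na', 'A')), enc(pk('B'), pair('sid2', 'Na2', 'A'))
    return [m1, m1, m2], {('A', 1): 'Na', ('B', 1): 'Na', ('A', 2): 'Na2', ('B', 2): 'Na2'}

def ke_checks(protocol: Callable[[], Tuple[List[Term], Outputs]]) -> Tuple[bool, bool]:
    """(DY secrecy of session 1's key, real-or-random secrecy of session 1)."""
    msgs, outputs = protocol()
    view = PUBLIC | {sk('E')} | set(msgs)
    return (not derivable(outputs[('A', 1)], view), real_or_random_secret(msgs, outputs, 1))
```

The point the two KE traces make is the one the abstract states in the abstract: in `naive_ke` the key is never derivable by the adversary, so the traditional Dolev-Yao check passes, yet an environment that sees every session's output notices that session 2 of B outputs session 1's key, which an ideal functionality handing out independent keys would never do. Binding the session identifier into the encrypted message removes the replay and both checks pass.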

Keywords

Mutual authentication, symbolic model, ideal functionality, cryptographic protocol, simple protocol (machine-assigned keywords)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Ran Canetti, IBM Research, USA
  • Jonathan Herzog, The MITRE Corporation, USA