Protocoles cryptographiques II - PowerPoint PPT Presentation

1
Protocoles cryptographiques (II)
  • Cédric Fournet, Microsoft Research

2
This lecture
  • An overview of the applied pi calculus
  • Motivation, syntax, semantics, …
  • Some cryptographic primitives and protocols
  • Observational equivalences
  • A simple Diffie-Hellman key exchange protocol
  • A real-world protocol: Just Fast Keying
  • Session establishment in IPSEC
  • An overview of JFK and its design goals
  • Modelling JFK in applied pi calculus
  • Main security properties

3
The applied pi calculus
  • Based on joint work with Martin Abadi: Mobile
    Values, New Names, and Secure Communications

4
A case for impurity
  • In foundational calculi (pi, lambda), purity
    often comes before convenience and faithfulness.
  • In applications, ad hoc extensions are often
    required: integers, strings, …, I/O, …,
    cryptography, …
  • Extensions can sometimes be encoded, at some cost
    (complicated reasoning, ugly properties).
  • Many results are first stated and proved in a
    pure setting, then proved again and again for
    extensions.

5
Security in the pi calculus ?
  • Domain: security protocols, with interactions
    between cryptographic computations, controlled
    usage of secrets, and communications.
  • Process calculi are useful for such protocols,
    e.g.,
  • the pi calculus, to reason on high-level security
    properties;
  • the spi calculus [Abadi, Gordon], to tackle some
    cryptography.
  • Still, there is a gap between typical security
    specifications (e.g. RFCs) and what can be
    represented in those calculi.

6
The applied pi calculus
  • Parameterise the pi calculus with computations on
    values.
  • Keep communications and scopes!
  • Uniformly develop equivalences and proof
    techniques.

7
Syntax for processes
  • Processes are those of the plain pi calculus.
  • Communicated values are terms, rather than names.
  • The calculus is parameterized by an equational
    theory for terms.

8
Syntax for terms
  • We assume given
  • a signature: a set of function symbols, each with
    an arity
  • a sort system
  • an equational theory: an equivalence relation on
    terms
  • closed by substitutions of terms for variables
  • closed by one-to-one substitutions on names.
  • We distinguish three similar notions: constants,
    names, variables.

9
Example pairs
  • A constructor function cons, written (M,N)
  • Two selector functions, written fst(M) and snd(M)
  • The equations
  • and all equations obtained by reflexivity,
    symmetry, transitivity, and substitutions.
  • Similarly, we can model tuples, arrays, lists, …

10
Shared-key cryptography
  • To model shared-key cryptography, we can use two
    binary functions related with
  • We can use restricted names as keys (or not)
  • This is much as the spi calculus.
  • For each variant of the spi calculus, one can
    select an equational theory that yields an
    applied pi calculus with the same reductions.

11
Operational semantics
  • We use a standard chemical-style semantics:
  • the reduction step (→) contains the rules
  • closed by structural equivalence and application
    of evaluation contexts;
  • structural equivalence (≡) is defined as usual,
    and also closed by equality on terms.

12
Token-based authentication
  • The name s in the pair acts as a capability for
    the forwarding.
  • Expected behaviour
  • using the equations

13
Token-based authentication ?
  • The name s in the pair acts as a capability for
    the forwarding.
  • Expected behaviour
  • The token is not protected: we can represent an
    (obvious) interception attack as the context I

14
Cryptographic hash
  • A one-way, collision-free hash function is
    modelled as a constructor h with no equation.
  • Example: message authentication code (MAC)
  • A sends a hash code that depends on the
    secret. (The secret is not communicated.)
  • B checks the authenticity of the received
    message by recomputing its hash code.
  • Attackers cannot produce another valid hash code.

15
Scope restriction for terms
  • In the plain pi calculus,
  • new restricted names can be created
  • scope restrictions nicely disappear when those
    names are passed to the environment (scope
    extrusion).

16
Scope restriction for terms
  • In the plain pi calculus,
  • With terms instead of names, scope restriction
    gets more interesting
  • How to represent the result of sending an opaque
    term?
  • The environment can accumulate partial knowledge
    on restricted names, and use it later.
  • The problem already occurs in the spi
    calculus, when sending messages encrypted with a
    restricted key [Abadi, Gordon; Boreale, De Nicola,
    Pugliese].

17
Scope restriction for terms
  • In the plain pi calculus,
  • With terms instead of names, scope restriction
    gets more interesting
  • How to represent the result of sending an opaque
    term?
  • We extend processes with active substitutions
    that keep track of the values passed to the
    environment.

18
Substitutions as processes
  • Active substitutions map distinct variables to
    terms
  • They may appear under restrictions (not under
    guards)
  • They operate on the environment.
  • They represent terms passed to the
    environment by reference, much as a floating
    let x = M in …
  • (There are well-formed conditions for extended
    processes.)

19
Operational semantics
  • Structural equivalence is extended with rules
    for active substitutions (reduction is defined
    as before).

20
Substitutions as processes (2)
  • Every closed extended process can be put in a
    normal form that separates its static and dynamic
    parts
  • The static part operates only on the environment
  • The dynamic part P is an ordinary process that
    describes communications
  • These two parts can share some restricted names
  • (However, flattening processes is not
    necessarily a good idea.)

21
Cryptographic hash, again
  • Using active substitutions, we can represent a
    process that has MACed several messages using the
    secret s
  • What an attacker can effectively do with x and y
    depends on the equational theory being
    considered.

22
More encryption primitives
  • To model shared-key cryptography, we used two
    binary functions related with
  • There are many variants of encryption
    primitives, with diverse properties:
  • Symmetric or not?
  • Detection of decryption errors?
  • Which-key concealing?
  • We can select equations accordingly

23
Asymmetric encryption
  • To model public-key cryptography, we generate
    public and private keys from a seed
  • Using active substitutions, we can write a
    process that exports the public key and keeps the
    private key secret
  • We can add troublesome equations for security
    protocols, for instance reflecting a typical
    weakness of RSA encryption

24
Non-deterministic encryption
  • To model probabilistic cryptography, we may add a
    third argument to the encryption function
  • With this variant, consider the protocol
  • Without access to the decryption key, an
    attacker cannot detect whether the underlying
    plaintexts are identical

25
Observational Equivalence
  • How to compare applied pi processes?

26
Observational equivalence
  • Our basic observation predicate, written A⇓a,
    tests whether the process A can send a message on
    the free channel a.
  • Barbed congruence (≈) is the largest symmetric
    relation between closed extended processes
    defining the same variables such that A ≈ B
    implies
  • if A⇓a, then B⇓a
  • if A → A', then B →* B' and A' ≈ B' for some B'
  • for all evaluation contexts C[_], we have C[A] ≈
    C[B]
  • Many security properties can be expressed
    using observational equivalences (attackers =
    evaluation contexts).
  • How to prove such properties?

27
Secrecy by equivalence
  • With symmetric encryption, consider the
    simplistic protocol
  • The attacker observes a fresh, opaque
    message, apparently unrelated to the term M
  • The process on the right is simpler and more
    abstract

28
Secrecy by equivalence (2)
  • With asymmetric encryption, this doesn't work!
  • The attacker can guess the term M, then verify
    it
  • If M is a weak secret, such as a
    password, then this reflects a dictionary attack

29
Secrecy by equivalence (3)
  • With non-deterministic encryption, we do have
    strong secrecy properties, e.g.
  • The attacker observes two unrelated fresh values
  • The attacker learns nothing about M, and
    cannot detect that x is an encryption

30
Equivalence for frames ?
  • Frames are extended processes that only consist
    of active substitutions and restrictions. What is
    equivalence for frames?
  • Consider two functions f and g, no equations, and
    frames
  • φ0 and φ1 have the same observable behaviour:
    they provide two fresh, apparently independent
    values
  • φ2 is visibly different: y = f(x) holds with φ2
    only.

31
Static equivalence (definition)
  • We write when the terms and
    are equal in the theory after
    alpha-conversion and substitution.
  • Two frames are statically equivalent when they
    agree for all term comparisons
  • Two extended processes are statically
    equivalent when their frames are equivalent.

32
Static equivalence (properties)
  • Static equivalence is closed by ≡, →, and
    evaluation contexts C[_].
  • For extended processes, observational equivalence
    is finer than static equivalence.
  • For frames, static equivalence and observational
    equivalence coincide.
  • Hence, we can uniformly lift equational
    properties from (restricted) terms to (extended)
    processes.
  • We use special evaluation contexts instead of
    frame comparisons

33
Labelled semantics
  • Can we characterize observational semantics using
    labelled transitions?
  • A good technical test for the calculus
  • Standard, effective proof techniques
  • No quantification over all contexts.
  • Proofs up to active substitutions
  • We have two such labelled semantics that refine
    static equivalence.
  • Theorem: for any equational theory, the labelled
    and observational semantics coincide.
  • However, the generalization of the pi calculus
    LTS with scope extrusion (exporting terms instead
    of names) yields a labelled semantics that sees
    through all term constructors and discriminates
    too much.

34
A labelled semantics
  • In addition to → and ≡, we adopt the following
    rules

35
Example transitions
  • Labelled transitions systematically pass values
    by aliasing them to fresh variables.
  • The environment can use these values
    indirectly, by forming terms that contain these
    variables.

36
Diffie-Hellman key exchange
  • a classic protocol example

37
Diffie-Hellman
  • A cryptographic protocol for creating a shared
    secret between two parties, e.g. establishing a
    session key.
  • The two parties communicate over a public
    network, in the presence of a passive attacker
  • The protocol relies on large exponentials,with
    the associative equation

38
Diffie-Hellman exchange
[Diagram: message exchange between initiator i and responder r, showing the exponentials and the encrypted messages]
  • We get perfect forward secrecy: the values
    are unrelated

39
Diffie-Hellman in applied pi
[Diagram: the same exchange between i and r (exponentials, encrypted messages) written in applied pi]
40
Diffie-Hellman in applied pi
  • Processes Ai, Ar represent the initial state.
  • Processes Pi, Pr represent the final state, with
    a free variable for the shared key.
  • Auxiliary substitutions account for the
    messages being exchanged and the shared key.

41
Diffie-Hellman in applied pi
  • A normal run consists of two reduction steps
  • A passive attacker intercepts both messages and
    forwards those messages unchanged, leading to the
    final state
  • We use an auxiliary frame that records messages
    and computations
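As an added example (not code from the slides or from the authors), the following Python models the equational theories of slides 9-14, 27-29 and 37-41 as a small term rewriter and runs the checks those slides describe: B's MAC verification, the attacker's guess test against deterministic versus randomized public-key encryption, and the two-message Diffie-Hellman agreement. The symbol names (pair, enc, dec, aenc, adec, pk, h, f, g) and the sample names are assumptions.

```python
# Added example, not code from the slides: terms are strings (names, variables)
# or tuples ('symbol', arg, ...); the symbol names below are assumptions.

def app(t, head, arity):
    """True if t is an application of `head` to exactly `arity` arguments."""
    return isinstance(t, tuple) and t[0] == head and len(t) == arity + 1

def normalize(t):
    """Rewrite t bottom-up with the equations oriented left to right, so that
    two terms are equal in the theory exactly when their normal forms coincide."""
    if isinstance(t, str):
        return t
    head, *args = t
    args = [normalize(a) for a in args]
    # Pairs: fst((M,N)) = M, snd((M,N)) = N
    if head in ('fst', 'snd') and app(args[0], 'pair', 2):
        return args[0][1 if head == 'fst' else 2]
    # Shared-key encryption: dec(enc(M,K),K) = M
    if head == 'dec' and app(args[0], 'enc', 2) and args[0][2] == args[1]:
        return args[0][1]
    # Public-key encryption, deterministic or with a random third argument:
    # adec(aenc(M,pk(S)),S) = M and adec(aenc(M,pk(S),R),S) = M
    if head == 'adec' and (app(args[0], 'aenc', 2) or app(args[0], 'aenc', 3)) \
            and args[0][2] == ('pk', args[1]):
        return args[0][1]
    # Diffie-Hellman: f(g(X),Y) = f(g(Y),X), modelled by a canonical order of X, Y
    if head == 'f' and app(args[0], 'g', 1):
        x, y = sorted([args[0][1], args[1]], key=repr)
        return ('f', ('g', x), y)
    # The hash h and all other symbols are constructors with no equation
    return (head, *args)

def equal(m, n):
    """Equality in the equational theory."""
    return normalize(m) == normalize(n)

# Slide 14: A sends (m, h((s,m))); B recomputes the hash code with the secret s.
def mac_check(secret, received):
    m, code = received[1], received[2]
    return equal(code, ('h', ('pair', secret, m)))

def mac_demo():
    s = 's'                                          # restricted name shared by A and B
    genuine = ('pair', 'm', ('h', ('pair', s, 'm')))
    # The attacker swaps the payload but can only replay the intercepted hash code
    forged = ('pair', 'm2', ('snd', genuine))
    return mac_check(s, genuine), mac_check(s, forged)      # (True, False)

# Slides 28-29: the attacker holds pk(s) and a ciphertext, and tests a guess for M.
def guess_test(ciphertext, pub, guess, seed=None):
    trial = ('aenc', guess, pub) if seed is None else ('aenc', guess, pub, seed)
    return equal(trial, ciphertext)

def secrecy_demo():
    pub = ('pk', 's')
    det = ('aenc', 'password', pub)          # deterministic: x = aenc(M, pk(s))
    rnd = ('aenc', 'password', pub, 'r')     # randomized: r is a fresh restricted name
    return (guess_test(det, pub, 'password'),        # True: the dictionary attack confirms M
            guess_test(det, pub, 'letmein'),         # False: wrong guess
            guess_test(rnd, pub, 'password', 'r2'))  # False: r is unknown, M stays hidden

# Slides 37-41: both parties compute the same key from the other's exponential;
# a passive attacker sees only g(n_i) and g(n_r).
def dh_demo():
    n_i, n_r = 'n_i', 'n_r'                          # fresh exponents (restricted names)
    x_i, x_r = ('g', n_i), ('g', n_r)                # the two messages on the wire
    k_i, k_r = ('f', x_r, n_i), ('f', x_i, n_r)      # initiator's and responder's key
    attacker_try = ('f', x_i, x_r)                   # no exponent, only exponentials
    return equal(k_i, k_r), equal(attacker_try, k_i)  # (True, False)
```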

42
A correctness property
  • Specification
  • 1. The final processes share a pure secret: a
    fresh name
  • 2. Intercepted messages are pure noise: fresh
    names
  • Theorem

43
Perfect forward secrecy
  • We can forget about the key establishment
    protocol: the key's freshness and secrecy do not
    depend on its use
  • Examples
  • Send a first message
  • Reveal the key to the environment

44
Summary (on applied pi)
  • We develop a pi calculus parameterised by an
    equational theory for values.
  • We obtain an expressive and flexible framework
    for reasoning on security protocols, which
    typically mix
  • creations of fresh values: new, scope
    extrusions
  • various cryptographic operations: various
    equational theories
  • communications: pi calculus
  • We uniformly build tools to state and prove their
    properties (inspired by concurrency theory).

45
Many related works
  • Complexity-theoretical analyses, focusing on the
    cryptographic operations.
  • Higher-level presentations with black box
    cryptography, focusing on their usage in
    protocols.
  • Trace models
  • Process calculi
  • the spi calculus [Abadi, Gordon]
  • Labelled bisimilarity for cryptographic protocols
    [Boreale, De Nicola]
  • Specific type systems for security
  • Information control flow [Honda]
  • Syntactic containment [Abadi, Blanchet]
  • Correspondence assertions [Gordon, Jeffrey]

46
Just Fast Keying ?
  • Application to a real-world protocol

47
Session establishment
  • Two parties want to open a secure session
  • Telnet (SSH)
  • Web connection (SSL, TLS)
  • IP tunnel (VPN)
  • Wireless network
  • They need to
  • Generate a shared secret (the session key)
  • Agree on many parameters
  • Verify each other's identity
  • Attackers might eavesdrop, delete, and insert
    messages, may impersonate principals, in order
    to
  • gain information
  • confuse or hinder the participants
  • This is a classical setting for cryptographic
    protocols

48
Building blocks (review)
  • Shared-key encryption
  • Cryptographic hash (HMAC)
  • Tokens (or cookies)
  • Diffie-Hellman computation
  • Public-key signature

49
Two-round Diffie-Hellman
[Diagram: two-round exchange between i and r, showing exponentials, signatures and encrypted messages]
  • Against active attackers, first create a shared
    key, then authenticate

50
Some authentication
[Diagram: authentication exchange between i and r]
  • The private key is a long-term secret used for
    signing
  • The public key can be used by anyone to verify a
    signature

51
Complications
  • Configuration
  • Different security needs according to the
    application
  • Many cryptographic algorithms to choose from
  • Many flavours of authentication (PKIs)
  • Different modes
  • Concurrency
  • Parallel sessions
  • Various principals using several shared proxies
  • Efficiency concerns
  • Round-trips are expensive
  • Cryptography can be expensive
  • Session management
  • Key derivation
  • Rekeying
  • Dead peer detection

52
IKE and its successors
  • IKE (Internet Key Exchange)
  • Session management for IPSEC
  • Quite secure
  • Some concerns
  • Too complicated
  • Inefficient (too many messages and expensive
    operations)
  • Poor resistance against denial of service
  • The IETF is considering a successor for IKE (now
    merging the different proposals into IKEv2)
  • JFK (Just Fast Keying) is a simple proposal that
    incorporates several new mechanisms.
    http://www.ietf.org/internet-drafts/draft-ietf-ipsec-jfk-04.txt

53
Design goals for JFK
  • Security
  • The key should be cryptographically secure,
    according to standard measures of cryptographic
    security for key exchange
  • Simplicity
  • Resistance to Memory DoS
  • Resistance to CPU DoS
  • Privacy
  • Identity protection for some parties, against
    some classes of attacks
  • Efficiency
  • Non-negotiated
  • Flexible perfect forward secrecy
  • With reuse of exponentials
  • Plausible deniability
  • These goals are (sometimes) contradictory.

54
Using JFK
[Diagram: initiator a and responder b, each behind a local API (listen(A), init(B,b), accept(a,k), connect(b,k)), communicating over IP]
55
The JFK protocol
56
The JFK protocol
The pair of nonces is unique to this session
Many keys can be derived from the same
exponentials for different usages
57
The JFK protocol
The responder uses an authenticator against DoS
The responder can check that the contents of msg
3 match the contents of msgs 1 and 2
58
The JFK protocol
Identities are always encrypted
Identities are never signed
59
Some minor problems
60
Identity protection?
  • Two flavours
  • JFKi protects id_i against active attacks
  • JFKr protects id_r against active attacksand
    protects id_i against passive attacks
  • What is guaranteed? Does it make sense for the
    responder?This depends on relations between
    principals and roles
  • Various leaks
  • An active attacker can get the initiator's hint
  • A passive attacker can perform traffic analysis
  • A passive attacker can observe shared
    exponentials
  • if exponentials are re-used by a single
    principal, all these sessions involve the same
    principal
  • an active attacker (or an insider) may obtain the
    identity for one of these sessions
  • An active attacker can test the equality
    of responder authenticator keys
  • arguably a passive attack
  • fix: MAC the initiator exponential too

61
Non-negotiated?
  • Usually, the cryptographic algorithms are
    negotiated: hash, encryption, certificates,
    compression, … Some algorithms are weak (legacy,
    legal), or even nil.
  • The protocol must (at least) authenticate the
    negotiation, and also relies on these operations
    for authentication! Cf. SSL
  • JFK is non-negotiated: the responder demands
    specific algorithms, the initiator takes it or
    leaves it. Still:
  • If the responder demands weak algorithms, no
    guarantees at all.
  • What if the attacker modifies the responder's
    demands?
  • The session will fail, either immediately (the
    initiator rejects the demand) or after message 3
    (the server detects the mismatch). Bad denial of
    service.
  • If the initiator accepts a bad demand, her
    message 3 is not protected, and may reveal her
    identity. Bad identity protection (in JFKi)
  • Fix in JFKi: sign the algorithm demand [Keromytis]

62
Caching message 3?
  • The responder caches answers to identical message
    3s
  • More precisely, the responder should answer just
    once for every valid token received in a message
    3.
  • Otherwise, several attacks appear
  • There is a blind DOS attack that defeats the
    purpose of the authentication
  • There is a (small) security failure: the same key
    may be used in many established sessions

63
A model of JFK in applied pi
[Diagram: initiator a and responder b with their local APIs, communicating over IP]
64
Public key signature
  • To model public-key signature, we construct the
    public verification key from the private signing
    key
  • Using active substitutions, we can write a
    process that exports the public key, and keeps
    the signing key secret.
  • We can also add equations for the attacker,
    rather than the protocol, e.g. key- and
    message-recovery

65
Control actions
  • We distinguish between
  • principals (signers)
  • JFK roles: initiator, responder (exponentials)
  • We provide an API for using JFK

[Diagram: initiator a and responder b with their local APIs, communicating over IP]
66
Providing more context
  • We distinguish between
  • principals (signers)
  • JFK roles: initiator, responder (exponentials)
  • We provide an API for using JFK

[Diagram: initiator a and responder b with their local APIs, communicating over IP]
67
Providing more context (2)
  • We distinguish between
  • principals (signers)
  • JFK roles: initiator, responder (exponentials)
  • We provide an API for using JFK

[Diagram: initiator a and responder b with their local APIs, communicating over IP]
68
Grammar for terms
69
Equations on terms
70
JFK configuration initiator responder
71
JFK configuration initiator responder
72
JFK configuration initiator responder
73
Security properties ?
  • Main results
  • In any state, the protocol can establish a secure
    session between compliant principals
  • There are causality relations between control
    actions (aka authentication)
  • When both protocols are compliant, the key is
    secure
  • Stated independently of low-level messages
  • Compliant principals are also part of the
    attacker
  • Additional results
  • Some identity protection
  • Some DOS properties
  • Some plausible deniability

74
Operational correctness
  • The protocol uses internal steps
  • low-level communications
  • tests after receiving messages

At the end of the protocol, we can use an
observational equivalence to simplify the
established keys.
We start from any reachable configuration of the
protocol (past running sessions).
Each party gets the other's identity and
parameters, plus a shared key.
We end up exactly in the original configuration!
In particular, kv is a perfect key.
75
Operational correctness
  • We have a similar, more precise result for an
    attacker that is temporarily passive on the
    network
  • We model a passive attacker as an environment
    that gets messages and immediately puts them back

76
Operational correctness with eavesdropping
In addition, the environment can observe
mostly-opaque messages, still unrelated to the
session key.
77
Correspondence properties
78
Denial of service
  • We characterize round-trip communication as a
    trace property
  • and show an injective correspondence property
    from expensive responder steps to round-trips.
  • The use of a token is a refinement, modelled as
    an equivalence
  • The basic model uses local responder state after
    messages 1 and 2
  • The refined model uses the token instead
  • This is much like the parallel law for CCS

79
Plausible deniability
  • What gets signed?
  • Authentication for an active party
  • Deniability from some (data) evidence
  • Example
  • a opens a session with e (which may not comply
    with JFK)
  • Later, e tries to prove that a opened the
    session, from collected data.
  • To refute e's evidence, a must exhibit a trace
    where
  • a never tries to open a session with e
  • a complies with JFK
  • e can still produce the same evidence
  • Some plausible trace
  • a opens a session with a compliant b ≠ e
  • e is an active attacker that impersonates b
  • a's session fails, because e cannot produce b's
    signature
  • e can use the intercepted messages to build the
    same messages 1 and 3, so it can produce the same
    evidence too.

80
Plausible deniability
  • Can be expressed as the existence of another
    trace with the same outcome, up to static
    equivalence

81
Conclusions
  • JFK
  • is a rather nice protocol (well-written)
  • is message-centric
  • is often imprecise
  • We had to interpret the spec and supplement it
    with a service API
  • We found several minor issues
  • Writing down a precise definition for the
    intended properties of the protocol is difficult
  • The applied pi calculus
  • is a rather nice process calculus for network
    protocols
  • represents powerful attackers as contexts
  • Parallel session
  • Both low-level and high-level (aka insider
    attacks)
  • can be used to express a variety of security
    properties
  • and to prove them compositionally

82
Questions?
See also http://research.microsoft.com/fournet/
83
References
  • Mobile Values, New Names, and Secure
    Communication, with Martín Abadi.
    Proceedings of the 28th ACM Symposium on
    Principles of Programming Languages (POPL'01),
    pages 104-115. January 2001.
  • Authentication Primitives and their Compilation,
    with Martín Abadi and Georges Gonthier.
    Proceedings of the 27th ACM Symposium
    on Principles of Programming Languages (POPL'00),
    pages 302-315. January 2000.
  • Secure Implementation of Channel Abstractions,
    with Martín Abadi and Georges Gonthier. To appear
    in Information and Computation. May 1999.
  • See also http://research.microsoft.com/fournet/

84
Diffie-Hellman in the pi calculus
  • A normal run consists of two reduction steps

85
Substitutions as processes (2)
  • Locally, active substitutions and ordinary
    substitutions on processes are related by
    structural equivalence

86
Labelled bisimilarity
  • Labelled bisimilarity (≈_l) is defined almost as
    usual: the largest symmetric relation such that
    A ≈_l B implies
  • A ≈_s B
  • if A → A', then B →* B' and A' ≈_l B' for
    some B'
  • if A –α→ A', the free variables of α are in
    dom(A), and α has no bound names that
    are free in B,
  • then B →* –α→ →* B' and A' ≈_l B' for some
    B'.
  • Labelled bisimilarity is observational
    equivalence: ≈_l = ≈
  • Labelled bisimilarity has nice technical
    properties (e.g. proofs up to frame
    simplification).

87
Symbolic bisimulations (1/2)
  • Message output: active substitutions rely on
    partial extrusion, to deal with opaque terms.
  • Message input: the environment can supply
    arbitrary terms
  • Infinite-branching transition systems
  • Unbounded nesting of functions
  • Infinite number of names
  • Many different terms are uniformly handled by the
    protocol
  • Symbolic inputs (and symbolic bisimulations) use
    instead abstract environment variables for
    input terms [Huimin, Hennessy; Boreale].

88
Symbolic bisimulations (2/2)
  • Symbolic inputs (and symbolic bisimulations) use
    instead abstract environment variables for
    input terms.
  • Symbolic reductions introduce constraints on
    those variables.
  • Equality between open terms
  • Occur-checks on output variables (no causality
    loop)
  • Constraints must be solvable to obtain concrete
    reductions.

89
A correctness property (3/3)
  • Sketch of the proof
  • Static equivalence (not so easy for all M and
    N)
  • Hence the process equivalence
  • Apply an evaluation context and structural
    equivalence