A formal analysis of exchange of digital signatures - PowerPoint PPT Presentation

1
A formal analysis of exchange of digital
signatures
  • Rohit Chadha, John Mitchell, Andre Scedrov,
    Vitaly Shmatikov

2
Protocol security
  • Cryptographic Protocol
  • Program distributed over network
  • Use cryptography to achieve goal
  • Adversary
  • Intercept, replace, remember messages
  • Guess random numbers, some computation
  • Correctness
  • Adversary cannot learn protected secret or cause
    incorrect conclusion
  • How powerful is the adversary?

3
Common adversary model
  • Derived from positions taken in Needham-Schroeder
    1978 and Dolev-Yao 1983
  • Idealization that makes protocol analysis
    tractable
  • Adversary is nondeterministic process
  • Adversary can
  • Block network traffic
  • Read any message, decompose into parts
  • Decrypt if key is known to adversary
  • Insert new message from data it has observed
  • Adversary cannot
  • Gain partial knowledge
  • Guess part of a key
  • Perform statistical tests
  • Perfect cryptography

4
Needham-Schroeder key exchange
  • A → B: {A, Nonce_a}Kb
  • B → A: {Nonce_a, Nonce_b}Ka
  • A → B: {Nonce_b}Kb
({x}K denotes x encrypted under public key K)
Result: A and B share two private numbers not
known to any observer without Ka⁻¹, Kb⁻¹
5
Anomaly in Needham-Schroeder [Lowe]
  • A → E: {A, Na}Ke
  • E → B: {A, Na}Kb
  • B → A (relayed by E): {Na, Nb}Ka
  • E → A: {Na, Nb}Ka
  • A → E: {Nb}Ke
Evil agent E tricks honest A into
revealing private key Nb from B.
Evil E can then fool B.
6
Signature exchange protocols

7
Exchange of digital signatures
  • Two parties want to exchange digital signatures
    on pre-agreed text over the internet
  • Each party has a private signature key and a
    public signature key
  • A digital signature scheme consists of
  • A signing algorithm: only participants that
    possess Alice's private signature key can sign
    as Alice
  • A verification algorithm: anybody with Alice's
    public signature key can verify whether a signature
    was indeed generated with Alice's private key
  • Signature exchange can be used for electronic
    exchange of goods

8
Properties of exchange protocols
  • Traditionally, they meet and exchange items
    simultaneously
  • On the internet, somebody has to go first
  • Resulting asymmetry
  • Protocol participants are adversarial
  • Want to ensure fairness:
  • If nothing goes wrong, signatures are exchanged
  • At the end either both parties have signatures or
    neither has
  • Timeliness:
  • An honest signer is guaranteed to terminate,
    i.e., has recourse to prevent unbounded waiting
  • What other properties are desirable?

9
Protocols with trusted third party
  • Two categories of signature exchange protocols
  • Gradual release protocols
  • Fixed-round non-probabilistic protocols using a
    trusted third party
  • Need for a trusted third party (TTP)
  • There is no deterministic (non-probabilistic),
    fair, two-party protocol to exchange signatures
    [Even 1980]
  • Trivial TTP protocol
  • Both signers send signatures to TTP over private
    channels and then TTP exchanges signatures
  • Makes TTP a bottleneck

10
Optimistic protocols
  • Optimistic protocols signers contact TTP only
    for error recovery
  • Several optimistic protocols have the message
    flow
  • A → B: commitment to sign
  • B → A: commitment to sign
  • A → B: A's signature
  • B → A: B's signature
  • What if B never sends its commitment?
  • A may contact TTP to get the exchange aborted
  • Either party may present TTP with the two
    commitments to get the exchange resolved
  • This protocol is fair and timely. Is this enough?
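The abort/resolve recovery of this four-message flow, written as an added Python model (it is not the authors' code and not any of the protocols studied in the talk): every way the lossy network, a timeout or a protocol step can move the system is enumerated, and each terminal state is checked for fairness, i.e. that either both signers hold the other's signature or neither does. The model assumes that T can turn the two commitments into replacement signatures, so a resolve request succeeds whenever T has not already aborted; the message names m1..m4 and the stage names are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional

# Constructed model of the four-message optimistic flow:
#   m1 = A's commitment, m2 = B's commitment, m3 = A's signature, m4 = B's signature.
# Assumption: T can convert the two commitments into replacement signatures,
# so a resolve request succeeds unless T has already recorded an abort.


@dataclass(frozen=True)
class State:
    a: str = "init"                         # A: init, sent_m1, sent_m3, done, aborted, resolved
    b: str = "init"                         # B: init, sent_m2, done, resolved, refused
    inflight: FrozenSet[str] = frozenset()  # messages currently on the lossy network
    ttp: Optional[str] = None               # T's database entry: None, "aborted" or "resolved"
    a_has: bool = False                     # A holds B's signature (or T's replacement)
    b_has: bool = False                     # B holds A's signature (or T's replacement)


def deliver(s: State, m: str) -> State:
    """Honest processing of a delivered message; late or unexpected messages are ignored."""
    if m == "m1" and s.b == "init":
        return replace(s, b="sent_m2", inflight=s.inflight | {"m2"})
    if m == "m2" and s.a == "sent_m1":
        return replace(s, a="sent_m3", inflight=s.inflight | {"m3"})
    if m == "m3" and s.b == "sent_m2":
        return replace(s, b="done", b_has=True, inflight=s.inflight | {"m4"})
    if m == "m4" and s.a == "sent_m3":
        return replace(s, a="done", a_has=True)
    return s


def ttp_request(s: State, who: str, kind: str) -> State:
    """T answers abort/resolve requests consistently: its first decision is final."""
    if kind == "abort":                     # only A, still waiting for m2, may ask to abort
        if s.ttp is None:
            return replace(s, ttp="aborted", a="aborted")
        return replace(s, a="resolved", a_has=True)   # already resolved: T hands over the signature
    if s.ttp == "aborted":                  # resolve after an abort is refused
        return replace(s, **{who: "refused"})
    if who == "a":
        return replace(s, ttp="resolved", a="resolved", a_has=True)
    return replace(s, ttp="resolved", b="resolved", b_has=True)


def successors(s: State):
    """Every move the network, a timeout or a protocol step can make from s."""
    out = []
    if s.a == "init":
        out.append(replace(s, a="sent_m1", inflight=s.inflight | {"m1"}))
    for m in sorted(s.inflight):
        rest = replace(s, inflight=s.inflight - {m})
        out.append(rest)                    # the network drops m
        out.append(deliver(rest, m))        # m reaches its recipient
    if s.a == "sent_m1":
        out.append(ttp_request(s, "a", "abort"))     # A times out waiting for B's commitment
    if s.a == "sent_m3":
        out.append(ttp_request(s, "a", "resolve"))   # A times out waiting for B's signature
    if s.b == "sent_m2":
        out.append(ttp_request(s, "b", "resolve"))   # B times out waiting for A's signature
    return out


def explore():
    """Breadth-first search over all reachable states; returns (reachable, terminal)."""
    start = State()
    seen, queue, terminals = {start}, deque([start]), []
    while queue:
        s = queue.popleft()
        nxt = successors(s)
        if not nxt:
            terminals.append(s)
        for t in nxt:
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen, terminals


def unfair_terminals():
    """Terminal states where exactly one party ended up with the other's signature."""
    _, terminals = explore()
    return [t for t in terminals if t.a_has != t.b_has]


def b_stalls_then_resolves() -> State:
    """Scenario: B's commitment is lost, A aborts at T, then B asks T to resolve."""
    s = successors(State())[0]                                   # A sends m1
    s = deliver(replace(s, inflight=s.inflight - {"m1"}), "m1")  # B reads it, sends m2
    s = replace(s, inflight=s.inflight - {"m2"})                 # network drops m2
    s = ttp_request(s, "a", "abort")                             # A times out and aborts
    return ttp_request(s, "b", "resolve")                        # B's resolve is refused


if __name__ == "__main__":
    reachable, terminals = explore()
    print(f"{len(reachable)} reachable states, {len(terminals)} terminal, "
          f"{len(unfair_terminals())} unfair")
    print(b_stalls_then_resolves())
```

The exhaustive search is the same kind of check a finite-state model checker performs; the point is that T's single, final decision per exchange (abort or resolve, never both) is what keeps every terminal state fair even though either party may stop or the network may drop any message.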

11
Optimistic protocols issues
  • Consider online stock trading with signed
    documents for each trade
  • Broker starts by sending his commitment to sell
    stock to a buyer at a specific price
  • Buyer responds with her commitment
  • Buyer has committed her funds now and cannot use
    them for other purchases
  • Buyer may prefer to wait for broker before
    contacting TTP to avoid extra cost

12
Optimistic protocols issues contd
  • Now broker can wait to see if shares are
    available from a selling customer at a matching
    or lower price
  • He may abort the protocol if he does not stand to
    profit
  • Broker enjoys an advantage over the buyer: he
    can unilaterally decide whether to abort or
    complete the exchange
  • So the protocol may put participants who choose
    to wait before contacting TTP at a disadvantage
  • We consider three kinds of participants
  • Honest: follow the steps of the protocol
  • Interested: honest participants who prefer to
    wait over aborting the protocol
  • Optimistic: honest participants who prefer to
    wait over contacting TTP

13
Advantage
  • A participant is said to have an advantage if
  • it can unilaterally decide the outcome against an
    honest counter party, or
  • it can unilaterally decide the outcome against
    an interested counter party, or
  • it can unilaterally decide the outcome against an
    optimistic counter party
  • We are interested in all of the above cases since
  • as seen in the stock trading example, players
    display certain natural bias
  • there are more possibilities of taking advantage
    of interested or optimistic participants than
    honest participants
  • Balance: no participant has advantage

14
Abuse-freeness
  • There are protocols that are balanced for honest
    participants
  • However, we show that asymmetry of communication
    reappears in form of advantage
  • There is a point in an optimistic protocol where
    a party enjoys an advantage over its optimistic
    counter party
  • We state a precise form of this result later on
  • How do we address this asymmetry?
  • Require that no participant enjoys provable
    advantage: a participant should not be able to
    prove to an outside observer that it enjoys
    advantage
  • Abuse-freeness [GJM 1999]
  • No provable advantage

15
Related work
  • Mitchell and Shmatikov (Financial Crypto 2000)
    used Murφ, a finite-state model checker, to
    analyze two signature exchange protocols
  • Asokan-Shoup-Waidner (IEEE Symposium on Security
    and Privacy, 98)
  • Garay-Jakobsson-Mackenzie protocol (GJM) (Crypto
    1999)
  • Chadha, Kanovich, Scedrov analyzed the GJM
    protocol (CCS 2001)
  • Found an anomaly and fixed
  • Stated and proved formally that the fixed
    protocol is fair, timely and optimistic for
    multiple runs
  • Defined and proved that the fixed protocol is
    balanced for honest participants using
    game-theoretic strategies
  • Also showed that strategies can be represented as
    provability in linear logic
  • Kremer and Raskin used model-checkers to study a
    version of abuse-freeness (CSFW 2002)

16
Goals of our work
  • Study several protocols
  • Garay, Jakobsson and Mackenzie, (CRYPTO 1999)
  • Asokan, Shoup and Waidner, (IEEE Journal on
    Selected Areas in Communications 2000)
  • Boyd and Foo, (ASIACRYPT 1998)
  • Give formal definitions of fairness, timeliness
  • Define interested and optimistic participants
  • Define notions of advantage and describe the
    advantage flows in the above protocols
  • Study relationships between various properties
  • Define provable advantage and abuse-freeness

17
GJM protocol

18
Assumptions
  • Two participants, Originator O and Responder R,
    exchange signatures on a previously agreed upon
    text, m
  • Exchange signatures with the help of a
    Trusted Third Party, T, which
  • Maintains a database of the protocol instances it
    has seen before
  • Never misbehaves
  • Identity of T agreed upon before the protocol
    begins
  • A globally unique protocol identifier, n, agreed
    upon before the protocol begins
  • The network is in the control of a Dolev-Yao
    intruder

19
The protocol
  • The protocol consists of three different
    subprotocols
  • Exchange subprotocol
  • Abort subprotocol
  • Resolve subprotocol
  • Abbreviate pd = <m, n, O, R, T>. pd identifies the
    protocol uniquely.
  • A participant is said to be successful if
  • It has either sigO(pd) or TP-sigO(pd), and
  • It has either sigR(pd) or TP-sigR(pd)

20
Exchange subprotocol
[Figure: message flow of the exchange subprotocol
between O and R, annotated with the points where a
party may quit, abort or resolve]
21
Model

22
Assumptions
  • Two Participants A and B exchange signatures
    with the help of trusted T on a pre-agreed upon
    text, m
  • A and B agree on a globally unique identifier, n
  • Channels to T are write-protected and
    transparent: nobody except the participant and T
    can insert, delete or block messages. B can
    however observe the traffic on the channel
    between A and T
  • We consider just single runs of the protocol
  • A and B may be potentially dishonest, that is,
    deviate from the protocol arbitrarily
  • Participants use timers: they tell the
    participants when to time out waiting for a
    response from the counter party and contact T

23
Multiset-rewriting formalism
  • Choose a first-order vocabulary, fix it
  • Facts: multi-sorted first-order atomic formulas
  • F ::= P(t1, ..., tn)
  • t ::= x | c | f(t1, ..., tn)
  • States: F1, ..., Fn
  • Multiset of ground facts
  • Includes network messages, private state
  • Dishonest participants will see messages, not
    private state
  • Multiset allows duplicated messages, states

24
State transitions
  • Transition rule
  • F1, ..., Fk → ∃x1 ... ∃xm. G1, ..., Gn
  • What this means
  • If F1, ..., Fk in state S, then a next state S' has
  • Facts F1, ..., Fk removed
  • G1, ..., Gn added, with x1 ... xm replaced by new
    symbols
  • Other facts in state S carry over to S'
  • Free variables in rule universally quantified
  • Pattern matching in F1, ..., Fk can invert functions

25
Protocol rules for O and timeout rules
O1: O0(pd), Zab(ko, unset) → O1(pd, me1), N1(me1), Zab(ko, set)
abort_timeout: Zab(ko, set) → Zab(ko, timed_out)
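The transition semantics of slide 24 and the two rules above, as an added Python illustration (not the authors' MSR tool): a state is a list used as a multiset of ground facts, a rule fires by matching its left-hand side against distinct facts, consuming them, binding each existential to a symbol never seen before, and adding the instantiated right-hand side. The example assumes that me1 in rule O1 is such a fresh (existentially quantified) message; the SPLIT rule is constructed only to show pattern matching inverting a function symbol.

```python
import itertools

# Facts are tuples whose first element is the predicate; terms are constants,
# nested tuples for function applications, or pattern variables written "?x".
# Assumption: me1 in O1 is existentially quantified (a fresh message).

_fresh = itertools.count()


def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def unify(pat, term, env):
    """Match pattern pat against ground term; return the extended binding or None."""
    if is_var(pat):
        if pat in env:
            return env if env[pat] == term else None
        return {**env, pat: term}
    if isinstance(pat, tuple) and isinstance(term, tuple) and len(pat) == len(term):
        for p, t in zip(pat, term):       # inverts function symbols: (f, ?x) matches (f, c)
            env = unify(p, t, env)
            if env is None:
                return None
        return env
    return env if pat == term else None


def subst(pat, env):
    """Instantiate a pattern under a binding."""
    if is_var(pat):
        return env[pat]
    if isinstance(pat, tuple):
        return tuple(subst(p, env) for p in pat)
    return pat


def match_all(lhs, state, env, used):
    """Yield (env, used) for each way of matching the lhs patterns to distinct facts."""
    if not lhs:
        yield env, used
        return
    for i, fact in enumerate(state):
        if i in used:
            continue
        e = unify(lhs[0], fact, env)
        if e is not None:
            yield from match_all(lhs[1:], state, e, used | {i})


def apply_rule(rule, state):
    """All states reachable from state (a list = multiset of ground facts) by one firing."""
    lhs, exists, rhs = rule
    results = []
    for env, used in match_all(lhs, state, {}, frozenset()):
        env = dict(env)
        for x in exists:                  # ∃x: bind x to a symbol never seen before
            env[x] = f"{x[1:]}#{next(_fresh)}"
        kept = [f for i, f in enumerate(state) if i not in used]   # matched facts are consumed
        results.append(kept + [subst(r, env) for r in rhs])
    return results


# O1:  O0(pd), Zab(ko, unset) -> ∃me1. O1(pd, me1), N1(me1), Zab(ko, set)
O1 = ([("O0", "?pd"), ("Zab", "?ko", "unset")],
      ["?me1"],
      [("O1", "?pd", "?me1"), ("N1", "?me1"), ("Zab", "?ko", "set")])

# abort_timeout:  Zab(ko, set) -> Zab(ko, timed_out)
ABORT_TIMEOUT = ([("Zab", "?ko", "set")], [], [("Zab", "?ko", "timed_out")])

# Constructed rule: a network fact carrying pair(x, y) is split into its components,
# which only works because matching looks inside the function symbol "pair".
SPLIT = ([("N1", ("pair", "?x", "?y"))], [], [("M", "?x"), ("M", "?y")])


def run(state, rules):
    """Fire the given rules in order (first match each time); returns the trace of states."""
    trace = [state]
    for rule in rules:
        nxt = apply_rule(rule, state)
        if not nxt:
            break
        state = nxt[0]
        trace.append(state)
    return trace


if __name__ == "__main__":
    s0 = [("O0", ("pd", "m", "n", "O", "R", "T")), ("Zab", "ko", "unset")]
    for s in run(s0, [O1, ABORT_TIMEOUT]):
        print(s)
```

Because the state is a multiset, two copies of Zab(k, set) yield two distinct firings of abort_timeout, and apply_rule returns every possible successor rather than one, which is what an exhaustive exploration of a protocol's reachable states needs.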
26
Continuation trees, strategy
  • Continuation tree at S, tr, is the full tree of
    traces after S in which A is honest
  • Some edges in tr are in control of B
  • Which edges depend on the nature of A: different for
    honest, interested and optimistic A
  • If E is a set of edges in control of B,
  • tr\E is the tree obtained by deleting all the
    edges in E along with their descendants
  • tr\E is a strategy of B

27
Strategy example
28
Strategy example
29
Player bias

30
Optimism, decision points and timers
  • Optimistic protocols
  • Signers can exchange signatures without
    involving the third party: optimistic flows
  • Decision points in optimistic flows for error
    recovery: A may ask T to abort or resolve
  • Participants use timers at these decision points
    for error recovery
  • Timers tell the participants when to time-out
    waiting for response from the counter party and
    contact T

31
Player bias interested participant
  • Natural bias of honest A
  • A is interested in completing the exchange, so A
    is likely to wait before asking T for an abort
  • Honest A is said to be interested if,
  • At decision points, where it is permitted by the
    protocol specification for A to contact T
    immediately with an abort request, A waits for a
    response from B for a reasonably long time
    before asking T to abort the exchange.

32
Player bias optimistic participant
  • Honest A is said to be optimistic if,
  • At decision points, where it is permitted by the
    protocol specification for A to contact T
    immediately, A waits for a response from B for a
    reasonably long time before contacting T.
  • Please note that if an interested participant has
    the option of contacting T to resolve the
    exchange, it will rush to T for resolving rather
    than wait for its counter party. An optimistic
    participant will however wait for the counter
    party.

33
Player bias summary
34
Edges in control of B
35
Advantage

36
Advantage
  • B is said to have the power to abort against A
    in S
  • if B has a strategy to prevent A from obtaining
    B's signature: in every node of tr\E, A does not
    have B's signature
  • B is said to have the power to resolve against A
    in S
  • if B has a strategy to get A's signature: in
    every leaf node of tr\E, B has A's signature
  • B has advantage over A if B has both the power to
    abort and the power to resolve
  • If the protocol does not give B any advantage
    over A, the protocol is balanced for A
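The power-to-abort and power-to-resolve definitions above, evaluated over a small continuation tree as an added Python example (not from the paper). The tree is constructed for the four-message optimistic flow of slide 10 (A's commitment, B's commitment, A's signature, B's signature) at the state where A has just sent its commitment; each edge is labelled by who controls it, and A's bias (slides 31-32) is modelled by handing B control of A's abort timer (interested A) or of both timers (optimistic A). Node names, the edge labels and the BIAS table are assumptions of this example.

```python
# Constructed continuation tree: node -> (A holds B's signature, B holds A's signature,
# outgoing edges as (controller, child)). "A" is honest A's protocol step, "B" is B's
# step, "abort-timeout" / "resolve-timeout" are A's timers firing.
TREE = {
    # A has sent its commitment; B may answer, or stall until A's abort timer fires
    "S1": (False, False, [("B", "S2"), ("abort-timeout", "S_abort")]),
    # B's commitment has reached A; honest A sends its signature, B may also go to T early
    "S2": (False, False, [("A", "S3"), ("B", "S2r")]),
    # B resolved with T and already holds A's signature; A still sends its own
    "S2r": (False, True, [("A", "S3")]),
    # B holds A's signature; it may answer, or stall until A's resolve timer fires
    "S3": (False, True, [("B", "S4"), ("resolve-timeout", "S_res")]),
    "S4": (True, True, []),          # both signatures exchanged directly
    "S_res": (True, True, []),       # A obtained B's signature through T
    "S_abort": (False, False, []),   # T aborted the exchange
}

# Edge labels under B's control for each bias of A (assumption: an interested A lets
# B decide whether its abort timer ever matters, an optimistic A also its resolve timer).
BIAS = {
    "honest": {"B"},
    "interested": {"B", "abort-timeout"},
    "optimistic": {"B", "abort-timeout", "resolve-timeout"},
}


def power_to_abort(tree, node, controlled):
    """B can keep A from ever holding B's signature: B may delete any of its own
    edges, so only the edges it does not control constrain the remaining tree tr\\E."""
    a_has, _, edges = tree[node]
    if a_has:
        return False
    return all(power_to_abort(tree, c, controlled)
               for label, c in edges if label not in controlled)


def power_to_resolve(tree, node, controlled):
    """B can make every leaf of tr\\E one where B holds A's signature."""
    _, b_has, edges = tree[node]
    forced = [c for label, c in edges if label not in controlled]
    optional = [c for label, c in edges if label in controlled]
    if forced:                             # A's moves stay in the tree; all must resolve
        return all(power_to_resolve(tree, c, controlled) for c in forced)
    # no forced move: B may stop here (node becomes a leaf) or keep one of its edges
    return b_has or any(power_to_resolve(tree, c, controlled) for c in optional)


def has_advantage(tree, node, bias):
    """B has advantage over an A of the given bias: both powers at once."""
    controlled = BIAS[bias]
    return (power_to_abort(tree, node, controlled)
            and power_to_resolve(tree, node, controlled))


def advantage_states(tree, bias):
    """Nodes of the tree where B has advantage over an A of the given bias."""
    return {n for n in tree if has_advantage(tree, n, bias)}


if __name__ == "__main__":
    for bias in BIAS:
        print(bias, sorted(advantage_states(TREE, bias)))
```

On this tree B has no advantage anywhere against an honest A (at S1 it can abort but not resolve), gains advantage at S1 against an interested A, and against an optimistic A at every state where A is still waiting on B; the three result sets are nested, which is the hierarchy of slide 37.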

37
Hierarchy
  • Advantage against honest A (H-adv)
  • ⊆
  • Advantage against interested A (I-adv)
  • ⊆
  • Advantage against optimistic A (O-adv)

38
Exchange subprotocol in GJM
[Figure: message flow of the exchange subprotocol
between O and R, annotated with the points where a
party may quit, abort or resolve]
39
Advantage flow in GJM
[Figure: advantage flow between O and R in GJM,
annotated I-adv, I-adv and O-adv at successive
points of the exchange]
40
Impossibility of balance

41
Standard optimistic trace
  • Let tr be an optimistic flow and S0, ..., Sn be the
    states in this flow
  • We say that tr is in a standard form if
  • the transition from S0 to S1 represents A sending
    a message intended for B
  • the transition from S1 to S2 represents B
    reading that message from the network and sending
    a new message intended for A
  • the transition from S2 to S3 represents A reading
    that message from the network and sending a new
    message intended for B, and so on.

42
Asymmetry of communication
  • Theorem: If a protocol is fair and optimistic,
    and has a standard optimistic flow, then there is
    a state in the standard optimistic flow such that
  • either (potentially dishonest) A has the power to
    abort against an honest B and (potentially
    dishonest) B does not have the power to abort
    against an honest A,
  • or (potentially dishonest) B has the power to
    abort against an honest A and (potentially
    dishonest) A does not have the power to abort
    against an honest B
  • Asymmetry reappears in the form of some signer
    losing the power to abort before the other does

43
Impossibility of balance
  • Assume that the protocol participants are
  • deterministic, i.e., use timers to resolve
    non-determinism at decision points, and
  • reactive, i.e., advance only in response to
    time-outs or messages on the network or the
    channels to T
  • Theorem: If a protocol is fair and optimistic,
    and has a standard optimistic flow, then there is
    a state in the standard optimistic flow such that
  • A enjoys an advantage over an optimistic B,
  • or B enjoys an advantage over an optimistic A

44
Impossibility of balance contd
  • Theorem: If a protocol is fair, timely and
    optimistic, and has a standard optimistic flow,
    then there is a state in the standard optimistic
    flow such that
  • A enjoys an advantage over an optimistic B
    but not over an interested B,
  • or B enjoys an advantage over an optimistic A but
    not over an interested A
  • Hence, we show that balance for biased players is
    impossible and a fair, optimistic signature
    exchange protocol must necessarily give an
    advantage to one of the signers

45
Successful and potentially successful states
  • We use a 3-valued version of Even's proof.
  • This may also be seen as a 3-valued version of
    the Fischer, Lynch and Paterson proof of
    impossibility of distributed consensus in the
    presence of faults.
  • Let tr be a standard optimistic flow and S0, ..., Sn
    be the states in this flow
  • Si is said to be successful for A if A has B's
    signature
  • Si is said to be potentially successful for A if A
    may get B's signature with the help of T

46
Proof outline
  • Define two values, winA and winB
  • winA(Si) = 2 if Si is successful for A,
  • 1 if Si is potentially successful but not
    successful for A,
  • 0 otherwise
  • We shall assume that (winA(S0), winB(S0)) = (0,0)
  • Clearly (winA(Sn), winB(Sn)) = (2,2)
  • If the protocol is fair, then (winA(Si), winB(Si))
    never takes the value (0,2) or (2,0)

47
Proof outline contd
  • If winA(Si) = 0 or 1 and winA(Si+1) = 2, then
    the transition from Si to Si+1 is a transition of
    A
  • If winA(Si) = 0 and winA(Si+1) = 1, then the
    transition from Si to Si+1 is a transition of B
    and not A
  • Definition of potentially successful: if the
    transition was a transition of A then Si is
    potentially successful
  • Now consider the smallest i such that
  • (winA(Si), winB(Si)) = (0,0), but (winA(Si+1),
    winB(Si+1)) ≠ (0,0)
  • We have that (winA(Si+1), winB(Si+1)) is neither
    (2,0) nor (0,2)

48
Proof outline contd
  • If (winA(Si+1), winB(Si+1)) = (1,1), then
  • the transition from Si to Si+1 is a transition of
    A, and
  • the transition from Si to Si+1 is a transition of
    B
  • A contradiction
  • If (winA(Si+1), winB(Si+1)) = (1,2), then the
    transition from Si to Si+1 is a transition of B
  • Suppose in state Si, B dishonestly captures all
    the network messages and does not deposit any
    messages for A; then B would have A's signature
    but A cannot
  • Similarly (winA(Si+1), winB(Si+1)) ≠ (1,2)
  • Therefore (winA(Si+1), winB(Si+1)) = (1,0) or
    (0,1)
  • If (winA(Si+1), winB(Si+1)) = (1,0), then at Si+1
  • A has the power to abort against an honest B
  • B does not have the power to abort against an
    honest A
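The win-value bookkeeping of slides 46-48, as an added Python example (not the authors' proof script): it computes (winA(Si), winB(Si)) along a flow, checks the fairness constraint, checks the two rules about which party's transition can raise a value, and finds the smallest i at which the vector leaves (0,0). The flow itself is constructed for the four-message protocol of slide 10 under the assumption that T resolves only when shown both commitments, so B becomes potentially successful as soon as A's commitment is on the network; the per-state flags are this example's assumptions.

```python
from typing import List, NamedTuple, Optional, Tuple


class Flow(NamedTuple):
    """One state of a constructed standard optimistic flow (not from the paper)."""
    name: str
    mover: Optional[str]   # who made the transition into this state: "A", "B" or None
    a_succ: bool           # A holds B's signature
    a_pot: bool            # A can still obtain it with T's help
    b_succ: bool
    b_pot: bool


def win(succ: bool, pot: bool) -> int:
    """winX(S): 2 if successful, 1 if potentially successful only, 0 otherwise."""
    return 2 if succ else 1 if pot else 0


def win_vectors(flow: List[Flow]) -> List[Tuple[int, int]]:
    return [(win(s.a_succ, s.a_pot), win(s.b_succ, s.b_pot)) for s in flow]


def is_fair(vectors) -> bool:
    """Fairness forbids a state where one signer is done and the other has nothing."""
    return all(v not in {(0, 2), (2, 0)} for v in vectors)


def movers_consistent(flow: List[Flow]) -> bool:
    """Slide 47's rules: a value reaching 2 is the winner's own move, and a value going
    0 -> 1 is the counterparty's move (one's own move cannot create potential success)."""
    vs = win_vectors(flow)
    for prev, (s, cur) in zip(vs, zip(flow[1:], vs[1:])):
        for side, other, idx in (("A", "B", 0), ("B", "A", 1)):
            if prev[idx] < 2 and cur[idx] == 2 and s.mover != side:
                return False
            if prev[idx] == 0 and cur[idx] == 1 and s.mover != other:
                return False
    return True


def first_departure(flow: List[Flow]):
    """Smallest i with (0,0) at S_i and not (0,0) at S_{i+1}; the third component names
    the signer that holds the power to abort against the honest other at S_{i+1}."""
    vs = win_vectors(flow)
    for i in range(len(vs) - 1):
        if vs[i] == (0, 0) and vs[i + 1] != (0, 0):
            v = vs[i + 1]
            return i, v, {(1, 0): "A", (0, 1): "B"}.get(v)
    return None


# Constructed flow: A sends commitment, B sends commitment, A sends signature,
# B sends signature, A reads it. Assumption: T resolves only with both commitments.
FLOW = [
    Flow("S0", None, False, False, False, False),
    Flow("S1", "A",  False, False, False, True),   # A sent its commitment
    Flow("S2", "B",  False, True,  False, True),   # B read it and sent its own
    Flow("S3", "A",  False, True,  False, True),   # A read B's commitment, sent sig_A
    Flow("S4", "B",  False, True,  True,  True),   # B read sig_A, sent sig_B
    Flow("S5", "A",  True,  True,  True,  True),   # A read sig_B
]

if __name__ == "__main__":
    print(win_vectors(FLOW), is_fair(win_vectors(FLOW)), first_departure(FLOW))
```

On this flow the vector leaves (0,0) at the very first transition, reaching (0,1): A's own move of putting its commitment on the network is what hands B the power to abort against an honest A, while A has no such power against an honest B, which is exactly the asymmetry the theorem on slide 42 predicts.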

49
Provable advantage and abuse-freeness

50
Abuse-freeness [GJM]
  • Assume fairness
  • Abuse-freeness [GJM]
  • It is impossible for any participant at any point
    in the protocol to be able to prove to an outside
    party that it (the participant) has the power to
    abort or complete the exchange
  • In other words, no participant enjoys provable
    advantage

51
Provable advantage
  • Use the notion of knowledge from epistemic logic
  • Hintikka, Knowledge and belief, 1962
  • Fagin, Halpern, Moses and Vardi, Reasoning about
    knowledge, 1975
  • B has provable advantage over A in state S, if
  • B has advantage over A
  • B can provide evidence of A's participation to an
    outside observer, C
  • Evidence: what does C know?
  • C knows fact P in state S if
  • P is true in any state consistent with C's
    observations in S
  • The protocol is abuse-free for A, if for all
    reachable states S, B does not have provable
    advantage over A
  • GJM is abuse-free
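The epistemic definitions above, as an added Python example (not the authors' formalization): C's knowledge is computed over a set of states by quantifying over the states C cannot tell apart from the current one, and provable advantage combines that with B's advantage. The states, the evidence tuples and the two observation functions are constructed for the illustration; in particular the assumption that B could have produced a commitment that C cannot tell from A's is this example's, made to show how indistinguishable evidence defeats provability.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class State:
    """Constructed protocol state as seen from B's side (not a state from the paper)."""
    name: str
    a_participated: bool       # did A actually take part in this exchange?
    b_has_advantage: bool      # B has both powers of slide 36 (given as input here)
    evidence: Tuple[str, ...]  # what B can hand to the outside observer C


def knows(states: List[State], observe: Callable, s: State, prop: Callable) -> bool:
    """C knows prop in s iff prop holds in every state C cannot tell apart from s."""
    return all(prop(t) for t in states if observe(t) == observe(s))


def provable_advantage(states: List[State], observe: Callable, s: State) -> bool:
    """B has advantage and C, shown B's evidence, knows that A participated."""
    return s.b_has_advantage and knows(states, observe, s, lambda t: t.a_participated)


def abuse_free_for_a(states: List[State], observe: Callable) -> bool:
    """No reachable state gives B provable advantage over A."""
    return not any(provable_advantage(states, observe, s) for s in states)


# Constructed states. In X the commitment on m really came from A; in Y (assumption)
# B fabricated a commitment that only B can tell from A's and A never took part;
# in Z A participated but B no longer holds advantage.
STATES = [
    State("X", True, True, ("commitment", "m", "made-by-A")),
    State("Y", False, True, ("commitment", "m", "made-by-B")),
    State("Z", True, False, ("commitment", "m", "made-by-A", "sigB-sent")),
]


def observe_unlinkable(s: State):
    """C sees the commitment but cannot tell who produced it."""
    return tuple(e for e in s.evidence if not e.startswith("made-by"))


def observe_attributable(s: State):
    """Commitment is an ordinary signature: C can see it was made by A."""
    return s.evidence


if __name__ == "__main__":
    print("unlinkable evidence, abuse-free:", abuse_free_for_a(STATES, observe_unlinkable))
    print("attributable evidence, abuse-free:", abuse_free_for_a(STATES, observe_attributable))
```

With unlinkable evidence C cannot separate X from Y, so C does not know that A participated and B's advantage in X is not provable; with attributable evidence the same state X gives B provable advantage and the protocol is not abuse-free for A, even though B's advantage itself is identical in both cases.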

52
Conclusions
  • Consider several signature exchange protocols
  • Use MSR framework to model protocols
  • Used timers to reflect real-world behavior
  • Formal definitions of fairness and timeliness
    were given
  • Reflect natural bias: interested and optimistic
    participants defined
  • Give game-theoretic definitions of advantage and
    balance

53
Conclusions
  • Describe the advantage flows in several signature
    protocols
  • Show that the addition of the third party does
    not guarantee balance
  • Define abuse-freeness precisely using epistemic
    logic
  • Show that GJM, ASW2000, BF are abuse-free
  • Give an example of a non abuse-free
    non-optimistic protocol

54
Current and further Work
  • Relaxing the conditions of determinism and
    reactivity for our impossibility results: work in
    progress
  • Other properties like trusted third party
    accountability to be investigated
  • Multiparty signature exchange protocols to be
    investigated
  • Use of automated theorem provers based on
    rewriting techniques
  • Maude, developed by Denker, Lincoln, Meseguer,
    Eker, Clavel, etc.

55
What we achieved
  • Studied several protocols
  • Garay, Jakobsson and Mackenzie, 1999
  • Asokan, Shoup and Waidner, 2000
  • Boyd and Foo, 1998
  • Give formal definitions of fairness, progress
  • Define interested and optimistic participants
  • Define notions of advantage and describe the
    advantage flows in the above protocols
  • Show that asymmetry of communication reappears in
    form of advantage
  • Define abuse-freeness using epistemic logic
  • Show that the above protocols are abuse-free