Title: Digital signature in automatic analyses for confidentiality against active adversaries
1. Digital signature in automatic analyses for confidentiality against active adversaries
- Ilja Tšahhirov
- Peeter Laud
2. Goal of the analysis
- Problem statement
- Given a protocol (a set of programs making calculations and exchanging messages)
- It works with some secret data
- No active adversary should be able to learn anything about the secret data
- Automatically determine whether the protocol is secure or not
3. Original technique
- Published in: Peeter Laud. Symmetric encryption in automatic analyses for confidentiality against active adversaries. 2004 IEEE Symposium on Security and Privacy, pages 71-85, May 2004.
- Automatic analyzer present
- Programming language
- Single cryptographic primitive: symmetric encryption
- Definition of the adversary
- Definition of the security
- Protocol transformations
4. Programming language
- Instruction set
- P: k := gen_key, y := (x1, …, xm), x := π_i^m(y)
- x := encr_k(y), y := decr_k(x), x := random
- send(x), x := receive_l, check(x = y)
- x := constant(b), x := y
- kp := gen_key_pair, pk := public_key(kp)
- sm := sign_kp(m), test_pk(sm)
- m := get_signed_message(sm)
- The only cryptographic primitive in the original analysis: symmetric encryption
- Our contribution is adding digital signature primitive support to the language (the gen_key_pair, public_key, sign, test and get_signed_message commands, set in bold on the original slide).
5. Adversary
- The adversary is active: it schedules the participants and relays messages between them
- It can modify, create new, or not deliver sent messages
6. Security definition
- The protocol is considered secure if the secret message is computationally independent from the adversary's view.
7. Security against chosen-ciphertext attacks
- No PPT adversary should be able to distinguish the second black box from the first
- Without querying the second algorithm with the outputs from the first
8. Protocol transformations: encryption
- During the analysis, protocols are transformed
- Protocols working with the first black box can be replaced to use the second (under certain conditions)
9. Information flow analysis
- If some participant of the protocol contains a statement of the form x := E(x1, …, xn), there is an information flow from each variable xi to the variable x.
- The protocol is deemed secure if M → y (M flows to y) holds for no y affecting the adversary's view.
- The protocol transformation described above breaks some of those links.
10. Unforgeability under adaptive chosen message attack
- The property we require the signature scheme to satisfy
- An adversary making queries to the signature oracle should not be able to create a valid signature for a message that has not previously been signed by the oracle
11. Protocol transformations: digital signature
- Signature operations are replaced with checking whether the signed message being tested belongs to the set of the actually signed messages.
12. Running example
- Transmit the public key and signature from A to B
- A generates KPA
- A → ?: public_key(KPA)
- A → B: enc(KAB, public_key(KPA))
- A → B: enc(KAB, sign(KPA, M))
- B verifies the signature
- B → OK
- KAB is a long-term key shared between A and B.
13. Data dependencies
14. Control dependencies
15. Criterion for security
- No path from M to any S_i ⇒ the system is secure
16. Security does not follow
17. Encryptions replaced
18. Security still does not follow
19. Case handling: Case 1
20. Case 1: Replacing the signature test
21. Case 1: in statement handling
22. Case 1: check statement handling
- Sub-protocol is secure (the result of the check can be statically determined)
23. Case 2
- Sub-protocol is secure (the test statement always fails)
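Added illustration (not the authors' analyser; the variable names, the encoding of statements and the treatment of the two transformations are our own simplifications): the dependency criterion of slides 9 and 15 run over the running example of slide 12, first as written (slide 16), then with encryptions replaced (slides 17 and 18), then with the signature test replaced as in case 1 (slide 22).

```python
from collections import defaultdict
# Constructed encoding of slide 12's running example as (target, op, inputs);
# 'send'/'out' targets are the adversary's view, M the secret, KAB the shared key.
PROTOCOL = [
    ("KPA", "gen_key_pair", []),
    ("PKA", "public_key", ["KPA"]),
    ("s1", "send", ["PKA"]),
    ("c1", "encr", ["KAB", "PKA"]),  # A -> B: enc(KAB, public_key(KPA))
    ("s2", "send", ["c1"]),
    ("sm", "sign", ["KPA", "M"]),    # sign(KPA, M)
    ("c2", "encr", ["KAB", "sm"]),   # A -> B: enc(KAB, sign(KPA, M))
    ("s3", "send", ["c2"]),
    ("sm2", "decr", ["KAB", "c2"]),  # B decrypts
    ("t", "test", ["PKA", "sm2"]),   # B verifies the signature
    ("out", "out", ["t"]),           # B -> OK: control dependency on the test
]
SECRET_KEYS = {"KAB", "KPA"}  # never sent, so the adversary cannot learn them

def flow_edges(protocol, encr_replaced=False, sig_replaced=False):
    # Slide 9: a statement x := E(x1, ..., xn) gives edges xi -> x.
    edges, boxed = defaultdict(set), {}
    for target, op, inputs in protocol:
        srcs = list(inputs)
        if encr_replaced and op == "encr" and inputs[0] in SECRET_KEYS:
            # Slide 8 (second black box): the ciphertext depends only on the
            # key; the box remembers the plaintext and hands it to decryption.
            srcs, boxed[target] = [inputs[0]], inputs[1]
        if encr_replaced and op == "decr" and inputs[1] in boxed:
            srcs.append(boxed[inputs[1]])
        if sig_replaced and op == "test":
            # Slides 11 and 22 (case 1): the test becomes a membership check on
            # the set of actually signed messages, and its result is static.
            srcs = []
        for s in srcs:
            edges[s].add(target)
    return edges

def reaches(edges, start):
    seen, stack = set(), [start]
    while stack:
        for w in edges.get(stack.pop(), ()):
            if w not in seen:
                seen.add(w)
                stack.append(w)
    return seen

def is_secure(protocol, **opts):
    # Slide 15: secure iff no path from M to any variable in the adversary's view.
    view = {t for t, op, _ in protocol if op in ("send", "out")}
    return not (reaches(flow_edges(protocol, **opts), "M") & view)
```

Replacing encryptions alone leaves the path M → sm → sm2 → t → out through the decryption box and B's output; only the signature transformation cuts it.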
24. Conclusions and future work
- Conclusions
- The presented technique can be used in automated analysis of cryptographic protocols
- The technique is published in the NordSec 2005 proceedings, pp. 29-41
- Future work
- Implementation of the automated analyser
- Introducing support for other cryptographic primitives