Composable Formal Security Analysis: Juggling Soundness, Simplicity and Efficiency

A security property of a protocol is composableif it remains intact even when the protocol runs alongside other protocols in the same system. We describe a method for asserting composable security properties, and demonstrate its usefulness. In particular, we show how this method can be used to provide security analysis that is formal, relatively simple, and still does not make unjustified abstractions of the underlying cryptographic algorithms in use. It can also greatly enhance the feasibility of automatedsecurity analysis of systems of realistic size.

[1]  Martín Abadi,et al.  Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption)* , 2001, Journal of Cryptology.

[2]  Birgit Pfitzmann,et al.  On the Cryptographic Key Secrecy of the Strengthened Yahalom Protocol , 2006, SEC.

[3]  Lawrence C. Paulson,et al.  Isabelle: The Next Seven Hundred Theorem Provers , 1988, CADE.

[4]  Donald Beaver,et al.  Foundations of Secure Interactive Computing , 1991, CRYPTO.

[5]  Daniel Bleichenbacher,et al.  Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 , 1998, CRYPTO.

[6]  Leonid A. Levin,et al.  Fair Computation of General Functions in Presence of Immoral Majority , 1990, CRYPTO.

[7]  Bruno Blanchet,et al.  Automatic proof of strong secrecy for security protocols , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[8]  John C. Mitchell,et al.  A compositional logic for protocol correctness , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[9]  Joshua D. Guttman,et al.  Strand spaces: why is a security protocol correct? , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[10]  G. Lowe,et al.  Breaking and Fixing the Needham-Schroeder Public-Key Protocol using CSP and FDR , 1996 .

[11]  Catherine A. Meadows,et al.  The NRL Protocol Analyzer: An Overview , 1996, J. Log. Program..

[12]  Ran Canetti,et al.  Security and Composition of Multiparty Cryptographic Protocols , 2000, Journal of Cryptology.

[13]  Ran Canetti,et al.  Security and composition of cryptographic protocols: a tutorial (part I) , 2006, SIGA.

[14]  Dieter Gollmann,et al.  Computer Security - ESORICS 2006, 11th European Symposium on Research in Computer Security, Hamburg, Germany, September 18-20, 2006, Proceedings , 2006, ESORICS.

[15]  Ralf Küsters,et al.  Simulation-based security with inexhaustible interactive Turing machines , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[16]  Martín Abadi,et al.  A logic of authentication , 1989, Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences.

[17]  Ran Canetti,et al.  Universally composable signature, certification, and authentication , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[18]  Michael Backes,et al.  Cryptographically Sound Security Proofs for Basic and Public-Key Kerberos , 2006, ESORICS.

[19]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[20]  Silvio Micali,et al.  Secure Computation (Abstract) , 1991, CRYPTO.

[21]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[22]  Michael Backes,et al.  A Cryptographically Sound Dolev-Yao Style Security Proof of the Otway-Rees Protocol , 2004, ESORICS.

[23]  Michael Backes,et al.  A cryptographically sound Dolev-Yao style security proof of an electronic payment system , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[24]  Ueli Maurer,et al.  Player Simulation and General Adversary Structures in Perfect Multiparty Computation , 2000, Journal of Cryptology.

[25]  Silvio Micali,et al.  Parallel Reducibility for Information-Theoretically Secure Computation , 2000, CRYPTO.

[26]  Dieter Gollmann,et al.  Computer Security – ESORICS 2004 , 2004, Lecture Notes in Computer Science.

[27]  Silvio Micali,et al.  How to play ANY mental game , 1987, STOC.

[28]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[29]  Lawrence C. Paulson,et al.  The Inductive Approach to Verifying Cryptographic Protocols , 2021, J. Comput. Secur..

[30]  Robin Milner,et al.  Communication and concurrency , 1989, PHI Series in computer science.

[31]  Vitaly Shmatikov,et al.  Constraint solving for bounded-process cryptographic protocol analysis , 2001, CCS '01.

[32]  Douglas R. Stinson,et al.  Advances in Cryptology — CRYPTO’ 93 , 2001, Lecture Notes in Computer Science.

[33]  Hugo Krawczyk,et al.  Advances in Cryptology - CRYPTO '98 , 1998 .

[34]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[35]  John C. Mitchell,et al.  Undecidability of bounded security protocols , 1999 .

[36]  Oded Goldreich,et al.  On the security of multi-party ping-pong protocols , 1983, 24th Annual Symposium on Foundations of Computer Science (sfcs 1983).

[37]  Anna Philippou,et al.  Tools and Algorithms for the Construction and Analysis of Systems , 2018, Lecture Notes in Computer Science.

[38]  John C. Mitchell,et al.  Automated analysis of cryptographic protocols using Mur/spl phi/ , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[39]  Martín Abadi,et al.  A calculus for cryptographic protocols: the spi calculus , 1997, CCS '97.

[40]  Bogdan Warinschi,et al.  Soundness of Formal Encryption in the Presence of Active Adversaries , 2004, TCC.

[41]  Birgit Pfitzmann,et al.  A cryptographically sound security proof of the Needham-Schroeder-Lowe public-key protocol , 2003, IEEE Journal on Selected Areas in Communications.

[42]  Birgit Pfitzmann,et al.  A composable cryptographic library with nested operations , 2003, CCS '03.

[43]  Joan Feigenbaum,et al.  Advances in Cryptology-Crypto 91 , 1992 .

[44]  Ran Canetti,et al.  Universally Composable Symbolic Analysis of Cryptographic Protocols (The case of encryption-based mutual authentication and key exchange) , 2004, IACR Cryptol. ePrint Arch..

[45]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[46]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[47]  Moni Naor,et al.  Nonmalleable Cryptography , 2000, SIAM Rev..

[48]  Michael Backes,et al.  Real-or-random Key Secrecy of the Otway-Rees Protocol via a Symbolic Security Proof , 2006, MFPS.

[49]  John C. Mitchell,et al.  Composition of Cryptographic Protocols in a Probabilistic Polynomial-Time Process Calculus , 2003, CONCUR.

[50]  Kevin S. McCurley,et al.  Advances in Cryptology 1981 – 1997 , 2001, Lecture Notes in Computer Science.

[51]  Birgit Pfitzmann,et al.  Cryptographically sound theorem proving , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[52]  Ueli Maurer,et al.  Complete characterization of adversaries tolerable in secure multi-party computation (extended abstract) , 1997, PODC '97.

[53]  Gavin Lowe,et al.  Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR , 1996, Softw. Concepts Tools.

[54]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[55]  Birgit Pfitzmann,et al.  Composition and integrity preservation of secure reactive systems , 2000, CCS.

[56]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[57]  Birgit Pfitzmann,et al.  A General Composition Theorem for Secure Reactive Systems , 2004, TCC.