Universally Composable Symbolic Analysis of Diffie-Hellman based Key Exchange

Canetti and Herzog (TCC'06) show how to efficiently perform fully automated, computationally sound security analysis of key exchange protocols with an unbounded number of sessions. A key tool in their analysis is composability, which allows deducing security of the multi-session case from the security of a single session. However, their framework captures only protocols that use public key encryption as their sole cryptographic primitive, and it handles only static corruptions. We extend the [CH'06] modeling in two ways. First, we also handle protocols that use digital signatures and Diffie-Hellman key exchange. Second, we also handle forward secrecy under fully adaptive party corruptions. This allows us to automatically analyze systems that run an unbounded number of sessions of realistic key exchange protocols such as ISO 9798-3 or TLS. A central tool in our treatment is a new abstract modeling of plain Diffie-Hellman key exchange: we show that plain Diffie-Hellman securely realizes an idealized version of key encapsulation (a KEM).
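The abstract's central tool, plain Diffie-Hellman viewed as a key encapsulation mechanism, is concrete enough to write down. The following is an added example, not code from the paper: it writes DH as (keygen, encaps, decaps), adds the invalid-element check that the idealized KEM abstracts away, and then runs the three-message ISO 9798-3 signed-DH flow on top of it. Assumptions (none fixed by the abstract): the group is the RFC 2409 1024-bit MODP group 2 (a safe prime p = 2q+1 with g = 2 generating the order-q subgroup), long-term authentication uses Schnorr signatures over the same group as a stand-in for the paper's abstract signature primitive, the key-derivation hash is SHA-256, and the party identities and message encodings are illustrative.

```python
# Added example (not from the paper): plain Diffie-Hellman written as a KEM,
# then the ISO 9798-3 signed-DH flow on top of it. Assumed: RFC 2409 1024-bit
# MODP group 2 (safe prime, g = 2 generates the order-q subgroup), Schnorr
# signatures as the long-term primitive, SHA-256 as KDF. Python 3 stdlib only.
import hashlib
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2                 # prime order of the subgroup generated by G
G = 2
P_BYTES = (P.bit_length() + 7) // 8

def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases (n odd, > 3); sanity-checks P and Q."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def encode(x):
    return x.to_bytes(P_BYTES, "big")

def check_element(x):
    """Invalid-element check: reject 0, 1, p-1 and anything outside the order-q subgroup."""
    if not 1 < x < P - 1 or pow(x, Q, P) != 1:
        raise ValueError("not an element of the prime-order subgroup")

def random_exponent():
    return secrets.randbelow(Q - 1) + 1      # uniform in [1, q-1]

# Plain DH as a KEM: g^a is the public key, g^b the ciphertext, H(g^ab, ...) the key.
def kem_keygen():
    a = random_exponent()
    return a, pow(G, a, P)

def derive_key(shared, pk, ct):
    return hashlib.sha256(encode(shared) + encode(pk) + encode(ct)).digest()

def kem_encaps(pk):
    check_element(pk)
    b = random_exponent()
    ct = pow(G, b, P)
    return ct, derive_key(pow(pk, b, P), pk, ct)

def kem_decaps(sk, ct):
    check_element(ct)
    return derive_key(pow(ct, sk, P), pow(G, sk, P), ct)

def decaps_rejects(sk, ct):
    try:                                     # True if the element check fires
        kem_decaps(sk, ct)
    except ValueError:
        return True
    return False

# Schnorr signatures over the same group, for the long-term identity keys.
def sig_keygen():
    x = random_exponent()
    return x, pow(G, x, P)

def challenge(r, msg):
    return int.from_bytes(hashlib.sha256(encode(r) + msg).digest(), "big") % Q

def sign(x, msg):
    k = random_exponent()
    e = challenge(pow(G, k, P), msg)
    return e, (k - x * e) % Q

def verify(y, msg, sig):
    e, s = sig
    if not (0 <= e < Q and 0 <= s < Q):
        return False
    r = pow(G, s, P) * pow(y, e, P) % P      # g^s * y^e = g^(k - xe) * g^(xe)
    return challenge(r, msg) == e

def iso_9798_3(skA, pkA, skB, pkB, id_a=b"A", id_b=b"B"):
    """A -> B: g^x;  B -> A: g^y, Sig_B(g^y, g^x, A);  A -> B: Sig_A(g^x, g^y, B).
    Both parties are simulated here; returns (key_at_A, key_at_B)."""
    x, gx = kem_keygen()                     # A's ephemeral = KEM key pair
    gy, key_b = kem_encaps(gx)               # B encapsulates to g^x
    sig_b = sign(skB, encode(gy) + encode(gx) + id_a)
    if not verify(pkB, encode(gy) + encode(gx) + id_a, sig_b):
        raise ValueError("B's signature rejected")
    key_a = kem_decaps(x, gy)
    del x            # forward secrecy: ephemeral erased once the key is derived
    sig_a = sign(skA, encode(gx) + encode(gy) + id_b)
    if not verify(pkA, encode(gx) + encode(gy) + id_b, sig_a):
        raise ValueError("A's signature rejected")
    return key_a, key_b
```

The point of the KEM view is visible in `iso_9798_3`: A's ephemeral g^x plays the receiver key, B's g^y is the ciphertext, and the signatures only authenticate the two public values. `check_element` is the one thing the idealized KEM hides that a real implementation must do, since without it a peer can send an element of order 2 (p-1) or a value outside the subgroup and force the shared secret into a tiny set. Deleting x immediately after decapsulation is what makes later corruption of A's long-term key harmless for this session's key.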

[1] Hugo Krawczyk et al. Universally Composable Notions of Key Exchange and Secure Channels. EUROCRYPT, 2002.

[2] Christopher Allen et al. The TLS Protocol Version 1.0. RFC 2246, 1999.

[3] John C. Mitchell et al. Computationally sound compositional logic for key exchange protocols. 19th IEEE Computer Security Foundations Workshop (CSFW'06), 2006.

[4] Ralf Küsters et al. Conditional reactive simulatability. International Journal of Information Security, 2006.

[5] Stéphanie Delaune et al. Simulation based security in the applied pi calculus. FSTTCS, 2009.

[6] John C. Mitchell et al. Secure protocol composition. FMSE'03, 2003.

[7] Jörn Müller-Quade et al. Initiator-Resilient Universally Composable Key Exchange. ESORICS, 2003.

[8] Ran Canetti et al. Universally Composable Commitments. CRYPTO, 2001.

[9] David Pointcheval et al. Automated Security Proofs with Sequences of Games. CRYPTO, 2006.

[10] Véronique Cortier et al. Computationally Sound, Automated Proofs for Security Protocols. ESOP, 2005.

[11] Ralf Küsters et al. Computational soundness for key exchange protocols with symmetric encryption. CCS, 2009.

[12] Martín Abadi et al. Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption). Journal of Cryptology, 2007.

[13] Ralf Küsters et al. Joint State Theorems for Public-Key Encryption and Digital Signature Functionalities with Local Computation. 21st IEEE Computer Security Foundations Symposium (CSF'08), 2008.

[14] Vitaly Shmatikov et al. Towards computationally sound symbolic analysis of key exchange protocols. FMSE'05, 2005.

[15] David A. Basin et al. From Dolev-Yao to Strong Adaptive Corruption: Analyzing Security in the Presence of Compromising Adversaries. IACR Cryptology ePrint Archive, 2009.

[16] Shai Halevi et al. A plausible approach to computer-aided cryptographic proofs. IACR Cryptology ePrint Archive, 2005.

[17] Bogdan Warinschi et al. Soundness of Formal Encryption in the Presence of Active Adversaries. TCC, 2004.

[18] Ran Canetti et al. Universally composable signature, certification, and authentication. 17th IEEE Computer Security Foundations Workshop (CSFW'04), 2004.

[19] Paul Youn et al. The analysis of cryptographic APIs using the theorem prover Otter. 2004.

[21] Birgit Pfitzmann et al. A Cryptographically Sound Security Proof of the Needham-Schroeder-Lowe Public-Key Protocol. FSTTCS, 2003.

[22] Michaël Rusinowitch et al. Protocol insecurity with finite number of sessions is NP-complete. 14th IEEE Computer Security Foundations Workshop (CSFW'01), 2001.

[23] Yassine Lakhnech et al. Completing the Picture: Soundness of Formal Encryption in the Presence of Active Adversaries. ESOP, 2005.

[24] John C. Mitchell et al. Multiset rewriting and the complexity of bounded security protocols. Journal of Computer Security, 2004.

[25] Lawrence C. Paulson. Isabelle: A Generic Theorem Prover (with a contribution by T. Nipkow). Lecture Notes in Computer Science, 1994.

[26] Véronique Cortier et al. Computational soundness of observational equivalence. CCS, 2008.

[27] Birgit Pfitzmann et al. A composable cryptographic library with nested operations. CCS'03, 2003.

[28] Birgit Pfitzmann et al. Relating symbolic and cryptographic secrecy. IEEE Transactions on Dependable and Secure Computing, 2005.

[29] Benjamin Grégoire et al. Formal certification of code-based cryptographic proofs. POPL'09, 2009.

[30] Shai Halevi et al. Enforcing Confinement in Distributed Storage and a Cryptographic Model for Access Control. IACR Cryptology ePrint Archive, 2005.

[31] Akshay Patil. On symbolic analysis of cryptographic protocols. 2005.

[32] Ralf Küsters et al. Using ProVerif to Analyze Protocols with Diffie-Hellman Exponentiation. 22nd IEEE Computer Security Foundations Symposium (CSF'09), 2009.

[33] Vitaly Shmatikov et al. Constraint solving for bounded-process cryptographic protocol analysis. CCS'01, 2001.

[34] Ran Canetti. Universally composable security: a new paradigm for cryptographic protocols. 42nd IEEE Symposium on Foundations of Computer Science (FOCS 2001), 2001.

[35] Michael Backes et al. How to Break and Repair a Universally Composable Signature Functionality. ISC, 2004.

[36] Ran Canetti et al. Universal Composition with Joint State. CRYPTO, 2003.

[37] Ran Canetti et al. Universally Composable Symbolic Analysis of Mutual Authentication and Key-Exchange Protocols. TCC, 2006.

[38] Bruno Blanchet. Automatic verification of correspondences for security protocols. Journal of Computer Security, 2008.

[39] Danny Dolev et al. On the security of public key protocols. 22nd Annual Symposium on Foundations of Computer Science (FOCS 1981), 1981.

[40] Andrew D. Gordon et al. Modular verification of security protocol code by typing. POPL'10, 2010.

[41] Oded Goldreich et al. On the security of multi-party ping-pong protocols. 24th Annual Symposium on Foundations of Computer Science (FOCS 1983), 1983.

[42] Michael Backes et al. Cryptographically sound security proofs for basic and public-key Kerberos. International Journal of Information Security, 2006.