By Ronald Rodriguez,2014-06-19 03:52
8 views 0
Compositionality Compositionality Compositionality

CS 395T

Formal Model for

Secure Key Exchange

    Main Idea: Compositionality;Protocols don’t run in a vacuum



    ;A protocol can be “correct” when used in

    standalone mode, but completely broken when

    used as a building block in a larger system;Objective: modular, composable definitions of

    protocol security

    “Compositional” Definition of Security

    [Shoup ’99]Read and understand this paper!

    ;Definition should describe guarantees provided by

    a key exchange protocol to higher-level protocols


    ;Different types of attack



    Learns either the long-term secret, or all of user’s internal data;Support anonymous (password-only) users

    Station-to-Station Protocol

    [Diffie et al. ’92]

    x gmod p xyxyk=gk=gy xygmod p, enc(sig(g,g))kB



    This encryption is critical.Interleaving attack:xyWithout it, adversary can send sig(g,g).CAdversary replays B’s own

    Result: B thinks he is talking to C, whileencryption back to B.

     sharing a key with A, who thinksResult: B thinks he is talking

     to himself, A thinks he is talking to B.

     he is talking to B.

    Protocol Interference Attack;What if, in addition to STS, A executes some

    protocol where this interaction takes place:

    xyAdversary picks sig(g,g) as m, andCRandom challenge m

    xylearns enc(sig(g,g)) , which he kC

    Apasses to B in the STS protocol,enc(m)k

    convincing B that B is talking to C.

    ;Problem: challenge-response protocols may be

    used as encryption oracles by the adversary;Problem: “hijacking” of honest user’s public key



    ;Security is indistinguishability between the ideal

    world and the real world

    ;In the ideal world, the protocol is secure by design


    ;The real protocol is secure if it can be simulated in

    the ideal world



Ideal World

    ;Adversary creates and connects user instances




    ;No cryptography, no certificates, no messages;Pure abstraction of the service that key exchange

    protocol provides to higher-level protocols

Adversary and Ring Master

    ;Define a game between the adversary and the

    “ring master”



    ;Operations allow the adversary to set up a secure

    session in the ideal world




    Ideal World: User InstancesInitializeUser(i, ID);i



    Recall that session keys will be created magicallyInitializeUserInstance(i, j, role, PID);ijij



    Adversary creates an instance

    of user i who will be talking to an instance of user j.

    Ideal World: Session Key Generation;StartSession(i, j, , [adversaryKey])

     Create: ring master generates K as random bit stringij

     Connect(i’,j’): ring master sets K equal to Kiji’j’

     Compromise: ring master sets K equal to adversaryKeyij

    “Create” models creation of a brand-new session key to be

    ththused between the i and j user

    “Connect” models establishment of this session (the key

    magically becomes known to both user instances)

    “Compromise” models adversary’s corruption of a user


    ;AbortSession(i, j)


Report this document

For any questions or suggestions please email