Abstract
In light of the growing complexity of cryptographic protocols and applications, it becomes highly desirable to mechanize—and eventually automate—the security analysis of protocols. A natural step towards automation is to allow for symbolic security analysis. However, the complexity of mechanized symbolic analysis is typically exponential in the space and time complexities of the analyzed system. Thus, full automation via direct analysis of the entire given system has so far been impractical even for systems of modest complexity.
We propose an alternative route to fully automated and efficient security analysis of systems with no a priori bound on the complexity. We concentrate on systems that have an unbounded number of components, where each component is of small size. The idea is to perform symbolic analysis that guarantees composable security. This allows applying the automated analysis only to individual components, while still guaranteeing security of the overall system.
We exemplify the approach in the case of authentication and key-exchange protocols of a specific format. Specifically, we formulate and mechanically assert symbolic properties that correspond to concrete security properties formulated within the Universally Composable security framework. As an additional contribution, we demonstrate that the traditional symbolic secrecy criterion for key exchange provides an inadequate security guarantee (regardless of the complexity of verification) and propose a new symbolic criterion that guarantees composable concrete security.
Additional information
Communicated by Oded Goldreich
This work was first presented at the DIMACS workshop on protocol security analysis, June 2004. An extended abstract appears in the proceedings of the Theory of Cryptography Conference (TCC), March 2006. Most of the research was done while both authors were at CSAIL, MIT.
Cite this article
Canetti, R., Herzog, J. Universally Composable Symbolic Security Analysis. J Cryptol 24, 83–147 (2011). https://doi.org/10.1007/s00145-009-9055-0