Abstract
Symbolic analysis of cryptographic protocols is dramatically simpler than full-fledged cryptographic analysis. In particular, it is simple enough to be automated. However, symbolic analysis does not, by itself, provide any cryptographic soundness guarantees. Following recent work on cryptographically sound symbolic analysis, we demonstrate how Dolev-Yao style symbolic analysis can be used to assert the security of cryptographic protocols within the universally composable (UC) security framework. Consequently, our methods enable security analysis that is completely symbolic, and at the same time cryptographically sound with strong composability properties.
More specifically, we concentrate on mutual authentication and key-exchange protocols. We restrict attention to protocols that use public-key encryption as their only cryptographic primitive and have a specific restricted format. We define a mapping from such protocols to Dolev-Yao style symbolic protocols, and show that the symbolic protocol satisfies a certain symbolic criterion if and only if the corresponding cryptographic protocol is UC-secure. For mutual authentication, our symbolic criterion is similar to the traditional Dolev-Yao criterion. For key exchange, we demonstrate that the traditional Dolev-Yao style symbolic criterion is insufficient, and formulate an adequate symbolic criterion.
Finally, to demonstrate the viability of our treatment, we use an existing tool to automatically verify whether some prominent key-exchange protocols are UC-secure.
This work was first presented at the DIMACS workshop on protocol security analysis, June 2004. Most of the research was done while both authors were at CSAIL, MIT.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-3-540-32732-5_32
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
Cite this paper
Canetti, R., Herzog, J. (2006). Universally Composable Symbolic Analysis of Mutual Authentication and Key-Exchange Protocols. In: Halevi, S., Rabin, T. (eds) Theory of Cryptography. TCC 2006. Lecture Notes in Computer Science, vol 3876. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11681878_20
DOI: https://doi.org/10.1007/11681878_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-32731-8
Online ISBN: 978-3-540-32732-5