Modular Security Analysis for Key Exchange and Authentication Protocols

Slide Note
Embed
Share

Explore the modular security analysis approach used to examine the security of key exchange and authentication protocols, focusing on the universally composable authentication with a global Public Key Infrastructure. The analysis involves splitting the system into smaller components, separately analyzing the security of each, and ensuring secure composition for overall system security. The results showcase the rigorous security definitions and realistic security models employed in evaluating commonly deployed protocols.


Uploaded on Oct 10, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. Universally Composable Authentication and Key-exchange with Global PKI Ran Canetti (TAU and BU) Daniel Shahaf (TAU) Margarita Vald(TAU) PKC2016 Taipei, Taiwan

  2. Goal: Analyze security of protocols in use. Need: Realistic security model Rigorous security definition Security proofs for systems in use

  3. Modular Security Analysis 1. Split the system into smaller components 2. Separately analyze security of each component 3. Need secure composition to argue security of the system Advantages: Essential for analysis due to protocols complexity Security guarantee holds for any environment

  4. Focus: security of key-exchange and authentication Our result: Modular analysis of commonly deployed key-exchange and authentication protocols.

  5. Authentication Authentication binds message to some long-term entity If R receives a message from S then S actually sent the message to R Authentication can be based on: Pre-shared key Shared password Biometrics Public-key [Diffie-Hellman76]

  6. Public-key Authentication (?,???) Public-key infrastructure ?,?,? To verify message ? from S: Verify ???(???,( ?,?,? ,?))=1 To auth. message ? to R: Compute = ????(?,?,?) ??????? Commonly used: Chip-and-pin debit cards, email authentication, TLS Is ??????? secure authentication protocol?

  7. Analysis of Public-key Authentication Game based: [Canetti-Krawczyk01, Brzuska-Fischlin-Smart-Warinschi-Williams13] Easy and natural Limited composition definition Auth. game( ) is secure auth. if no adversary can win the game Win/Lose Simulation based: Universal Composability and Abstract Cryptography [Canetti-Krawczyk02, Canetti04, Maurer-Tackmann-Coretti13, Kohlweiss-Maurer-Onete-Tackmann-Venturi14] General composition is secure auth. if Exec. indistinguishable from Ideal auth. Exec. Ideal auth.

  8. Model vs. Reality Discrepancy Observation: Analysis treats the PKI as local to the protocol In reality Long-lived PKI Joint State Universal Composability Same key for all sessions fresh key per session globally accessible PKI accessible only by the session participants Is this an issue? Yes!

  9. Example: Transferability ??????? Authentication IDEAL Authentication Public-key infrastructure ?,?,? ?,?,? ???? ?,?,????(?,?,?) Guarantees: Authentication Transferable! Non-transferable Guarantees: Authentication Non-transferable How to overcome this gap? ??????? is distinguishable from IDEAL Authentication

  10. Approach #1 Find new protocols: [Dodis-Katz-Smith-Walfish09] Realize non-transferable authentication with globally available setup Additional cost: assumptions, communication, rounds What about the security of ??????? ? Is it insecure? Is it insecure as a plain authentication protocol?

  11. This Work Avoid extra properties in definition of authentication: Framework for analysis of authentication and KE with globally accessible PKI Analyze the existing protocols ??????? ISO 9798-3 Key-exchange

  12. Secure UC Authentication Exec. IDEAL Authentication Certificate authority Certificate authority Eliminates non- transferability authentication Still provides ????(?,?,?,???) ?,?,? ?,?,? ???? ?? ? ?????? ??? .???????? ??: ????. ?????

  13. Secure GUC Authentication REAL REAL* IDEAL Authentication New composition theorem ??????? Authentication Certificate authority Public-key infrastructure Certificate authority ?,?,? ?,?,? ?,?,????(?,?,?) ?,?,????(?,?,?) ???? Theorem: ??????? ?? ? ?????? ??? ?????????? ????????

  14. Conclusion Framework for analysis of authentication and key-exchange Realistic modeling of protocol execution Allows modular analysis Future directions: Analyze other authentication and KE protocols with globally available PKI e.g. PKI modes of TLS Realistic modeling of other tasks e.g. secure channels

Related


More Related Content