|
 |
Combining cryptographic and formal proof techniques
|
Cryptographic protocols are a tricky issue. Even seemingly simple
protocols Such as the exchange of secret keys using public keys
have often turned out to be wrong. Hence it is essential to prove
their security.
|
|
|
| |
|
|
| |
|
|
Cryptography provides precise and realistic definitions
of the security of cryptographic primitives (like encryption and
signatures) and protocols (like secure channels or fair exchange).
However, these definitions are long and difficult to grasp because
they are full of details. One has to model all active attacks that
adversaries might carry out, most primitives are probabilistic,
and most properties have some error probability. Further, computational
restrictions are considered. Consequently, it is not easy to see
if a cryptographic definition captures reality well, and many proofs
are rather sketchy and some have, for this reason, not been correct.
Formal methods, on the other hand, have well-defined protocol
languages, which support a systematic presentation of protocols
and properties. Most importantly, they provide tool support for
proofs, such as model checking or theorem proving. Such tools are
particularly useful for distributed protocols, which are particularly
tedious and error-prone if proved by hand. Hence it was natural
to try to apply formal methods also to distributed cryptographic
protocols.
However, almost all formal methods abstract from cryptography using
the Dolev-Yao model, and for many years there was no justification
at all for this abstraction. The Dolev-Yao model represents cryptographic
objects as terms (not bit strings). For instance, the term D_x(E_x(E_x(m)))
represents a message encrypted twice with key x and then decrypted
once. Then there are cancellation rules, e.g. D_x E_x = i,
where i is the identity function. This identity is indeed
true for real cryptosystems. However, in security proofs one assumes
that no cancellation rule ever holds unless one has
specified it explicitly. This property is not justified in any easy
way by cryptographic definitions, and indeed not true in general
and for unmodified cryptographic systems.
|
|
|
| |
|
|
| |
|
Cryptographically justifying
a Dolev-Yao model: slides
with speaker/reader notes. We have also symbolically proved protocols
over this model, see below. This was the first result on justifying
a Dolev-Yao model while including active attacks, and thus for a realistic
scenario. Compared with later results by others, it proves by far
the strongest properties: We allow multiple primitives, an arbitrary
protocol environment, and prove reactive simulatability of the entire
Dolev-Yao model, from which almost arbitrary property preservation
can be derived. Later results are best described as attempting to
find out how much one can simplify by giving up some of these properties,
e.g., by restricting the protocol language or the desired properties.
|
|
|
| |
|
|
| |
|
| · |
A general system model for cryptographic protocols,
including a model of what adversaries and honest users can
do. There is both a synchronous and an asynchronous case.
The main differences to normal distributed system models stem
from computational aspects, e.g., a feasible distributed scheduling
system and possibilities to ignore certain inputs [(PSW00),
PW00, PW01, B03,
BPW04c].
Different variants of such definitions are discussed in particular
in [PSW00].
|
| · |
General definitions of goals or desirable properties.
|
| |
The most important one is reactive simulatability.
This defines what it means that a system A is as secure as
a system B. Typically system B is a specification by a single,
trusted machine, while A is a real distributed cryptographic
implementation. There are perfect, statistic and computational
versions of this definition, as well as variants with respect
to several other parameters [(PSW00),
PW00, PW01].
This notion also became later known as universal composability
(UC) because of the composition theorems it allows.
|
| |
Integrity properties mean that if something happens,
it must fulfill a certain constraint. We defined what this
means perfectly, statistically and computationally [PW00,
BJ03].
|
| |
We also did this for absence of information flow [BP02,
BP03, BP04b,
Back05] and liveness [BPSW02,
BPSW03].
|
| |
Secrecy of payload messages in protocols and exchanged
keys can be defined and treated generally, but more important
here is a direct relation to secrecy notions from formal methods,
typically represented by a set of terms modeling the adversary
knowledge [BP05, BP05a].
|
| · |
Composition theorem. This states that if A is as secure
as B, then one can safely design larger systems based on B,
and then replace A into them. In other words, one can design
using a specification of a cryptographic submodule, and later
use the real implementation [PW00, PW01,
BPW04]. |
| · |
Security theorems. They state that if A is as secure
as B, then properties proved for B (integrity, information-flow
etc.) also hold for A [PW00, BJ03,
BP02, BP03, BPSW02,
BPSW03, BP04b,
BP04e]. |
| · |
Base systems. We developed simple, deterministic abstractions
of secure channels, as a relatively simple example, and certified
mail and group key exchange as larger ones. Our emphasis lies
on developing rigorous proof techniques within the model; sketches
of similar systems and proofs were known [PSW00,
PW01, PSW00a,
S02].
The most important base system is a Dolev-Yao-style cryptographic
library with a rigorous proof. I.e., it contains deterministic,
term-like abstractions of cryptographic operators, and all
operators can be composed [BPW03, BPW03c,
BPW04b, BP04,
BPS05].
|
| · |
Symbolic proofs over the Dolev-Yao-style cryptographic
library. As examples, we proved the Needham-Schroeder-Lowe
protocol (asymmetric) [BP04a], the Otway-Rees
protocol (symmetric) [B04], the strengthened
Yahalom protocol (real secrecy) [BP05c],
as well as a payment system [BD05] in
a symbolic way over the provably secure Dolev-Yao style abstraction
(by hand). |
| · |
Tool-supported proofs. We have small examples of actual
tool-supported proofs in this model, with secure channels as
the base primitive. One is a simulatability proof and the other
an integrity proof [BJP02, BJ03],
both with the theorem prover PVS. |
| · |
Impossibility results. Modern Dolev-Yao models typically
include operators with algebraic properties such as XOR together
with the cryptographic operators. We show that it is impossible
to extend the general as-secure-as results (as expressed by
reactive simulatability between the real library and the abstract
one) from the Dolev-Yao model with only cryptographic operators
to XOR in a natural way (discussing precisely what we mean by
natural) [BP05b]. |
|
|
|
| Miscellaneous. We discussed
the application in the context of business processes [BPW03a],
made observations on signature security in a reactive setting [BPW03b,
BPW04d, BPW04a, BH04],
and considered information flow in a quantitative way [B05]. |
|
|
| |
|
 |
| |
|
|
Without research reports essentially superseded by publications.
(For other publications of the authors see the group publications
page.)
|
|
|
| |
|
|
| Journals |
|
|
| [1] |
M. Backes, B. Pfitzmann: Relating
Symbolic and Cryptographic Secrecy; IEEE Transactions on
Dependable and Secure Computing 2/2 (2005) 109-123.
Journal version of [BP05]. |
| [2] |
M. Backes: Unifying Simulatability
Definitions in Cryptographic Systems under Different Timing
Assumptions; to appear in Journal of Logic and Algebraic
Programming (JLAP) (Elsevier), accepted 2004.
Journal version of [B03]. |
| [3] |
M. Backes, B. Pfitzmann, M. Waidner:
Reactively
Secure Signature Schemes; International Journal of Information
Security (IJIS) 4/4 (2005) 242-252.
Journal version of [BPW03c]. |
| [4] |
M. Backes, B. Pfitzmann, M. Waidner:
Symmetric
Authentication Within a Simulatable Cryptographic Library;
International Journal of Information Security (Springer) 4/3
(2005) 135-154.
Journal version of [BPW03f]. |
| [5] |
M. Backes, B. Pfitzmann:
A Cryptographically Sound Security Proof of the Needham-Schroeder-Lowe
Public-Key Protocol; IEEE Journal on Selected Areas
in Communication (JSAC) 22/10 (2004) 2075-2086.
Journal version of [BP03a]. |
| [6] |
M. Backes, B. Pfitzmann, M. Steiner,
M. Waidner: Polynomial Liveness; Journal of Computer
Security (JCS) 12/3-4 (2004) 589-618.
Journal version of [BPSW02]. |
| [7] |
M. Backes, B. Pfitzmann: Computational
Probabilistic Noninterference; International Journal of
Information Security (Springer) 3/1 (2004) 42-60.
Journal version of [BP02]. |
|
|
|
| |
|
|
| Conferences |
|
|
| [1] |
M. Backes, B. Pfitzmann, M. Waidner:
Formal Methods and Cryptography; to appear at Formal
Methods (FM) 2006 (invited for Industry Day), LNCS, Springer-Verlag
2006. |
| [2] |
M. Backes, B. Pfitzmann, M. Waidner:
Limits of the Reactive Simulatability/UC of Dolev-Yao Models
with Hashes; accepted for 11th European Symposium on Research
in Computer Security (ESORICS 2006), Sept. 2006, proceedings
to appear in Springer-Verlag.
Earlier, longer version Cryptology ePrint Archive, Report
2006/068/, Feb. 2006. |
| [3] |
Ch. Sprenger, M. Backes, D. Basin, B.
Pfitzmann, M. Waidner: Cryptographically Sound Theorem Proving;
to appear at 19th IEEE Computer Security Foundations Workshop
(CSFW), IEEE Computer Society Press, Venice, July 2006. |
| [4] |
M. Backes, B. Pfitzmann: Cryptographic
Key Secrecy of the Strengthened Yahalom Protocol via a Symbolic
Security Proof; to appear at 21st IFIP TC-11 International
Information Security Conference (SEC'2006), Karlstad, May 2006.
Preliminary version IBM
Research Report RZ 3601, April 2005. |
| [5] |
M. Backes, S. Mödersheim, B. Pfitzmann,
L. Viganò: Symbolic and Cryptographic Analysis of
the Secure WS-ReliableMessaging Scenario; Foundations of
Software Science and Computation Structures (FOSSACS), LNCS
3921, Springer-Verlag, Berlin 2006, 428-445. |
| [6] |
M. Backes, B. Pfitzmann: Limits
of the Cryptographic Realization of Dolev-Yao-style XOR;
10th European Symposium on Research in Computer Security (ESORICS
2005), Sept. 2005, LNCS 3679, Springer-Verlag, Berlin 2005,
178-196.
Long version Cryptology ePrint Archive, Report
2005/220/, July 2005. |
| [7] |
M. Backes: Quantifying
Probabilistic Information Flow in Computational Reactive Systems;
10th European Symposium on Research in Computer Security (ESORICS
2005), Sept. 2005, LNCS 3679, Springer-Verlag, Berlin 2005,
336-354. |
| [8] |
M. Backes, B. Pfitzmann, M. Waidner:
Justifying a Dolev-Yao Model under Active Attacks; Foundations
of Security Analysis and Design III: FOSAD 2004/2005 Tutorial
Lectures, LNCS 3655, Springer-Verlag, 2005, 1-41.
(Tutorial version of prior results.) |
| [9] |
M. Backes, B. Pfitzmann: Relating
Symbolic and Cryptographic Secrecy; IEEE Symposium on Security
and Privacy 2005, 171-182. (© IEEE Computer Society, 2005).
Preliminary version Cryptology ePrint Archive, Report
2004/300/, Nov. 2004.
Journal version: [BP05a]. |
| [10] |
M. Backes, M. Dürmuth: A Cryptographically
Sound Dolev-Yao Style Security Proof of an Electronic Payment
System; 18th IEEE Computer Security Foundations Workshop
(CSFW), IEEE 2005, 78-93. (© IEEE Computer Society, 2005;
preliminary version.) |
| [11] |
M. Backes: A Cryptographically Sound
Dolev-Yao Style Security Proof of the Otway-Rees Protocol;
9th European Symposium on Research in Computer Security (ESORICS
2004), LNCS 3193, Springer-Verlag, Berlin 2004, 89-108. (©
Springer-Verlag, 2004;
personal version.) |
| [12] |
M. Backes, B. Pfitzmann, M. Waidner:
Low-level Ideal Signatures and General Integrity Idealization;
7th Information Security Conference (ISC), LNCS 3225, Springer-Verlag,
Berlin 2004, 39-51. (© Springer-Verlag, 2004.) (©
Springer-Verlag, 2004;
personal version.) |
| [13] |
M. Backes, D. Hofheinz: How to Break
and Repair a Universally Composable Signature Functionality;
7th Information Security Conference (ISC), LNCS 3225, Springer-Verlag,
2004, 61-72. (© Springer-Verlag, 2004.) |
| [14] |
M. Backes, B. Pfitzmann: Symmetric
Encryption in a Simulatable Dolev-Yao Style Cryptographic Library;
17th IEEE Computer Security Foundations Workshop (CSFW), IEEE
2004, 204-218. (© IEEE Computer Society, 2004;
personal version.)
Long version: Cryptology ePrint Archive, Report
2004/059, February 2004. |
| [15] |
M. Backes, B. Pfitzmann, M. Waidner:
A General Composition Theorem for Secure Reactive Systems;
1st Theory of Cryptography Conference (TCC), LNCS 2951, Springer-Verlag,
Berlin 2004, 336-354. (© Springer-Verlag, 2004;
personal version.) |
| [16] |
M. Backes, B. Pfitzmann: A Cryptographically
Sound Security Proof of the Needham-Schroeder-Lowe Public-Key
Protocol; Foundations of Software Technology and Theoretical
Computer Science (FSTTCS 03), LNCS 2914, Springer-Verlag, Berlin
2003, 1-12. (© Springer-Verlag, 2003;
personal version.)
Long version: Cryptology ePrint Archive, Report
2003/121, June 2003.
Journal version: [BP04c]. |
| [17] |
B. Pfitzmann: Sound Idealizations
of Cryptography for Tool-Supported Proofs (Position statement
for panel discussion); ACM Workshop on Formal Methods in
Security Engineering (FMSE 2003), Oct 2003, 64-65. |
| [18] |
M. Backes, B. Pfitzmann, M. Waidner:
A Composable Cryptographic Library with Nested Operations;
10th ACM Conference on Computer and Communications Security
(CCS), Oct 2003, 220-230. (© ACM, 2003;
personal version.)
Long version: IACR ePrint Archive, Report
2003/015, Jan. 2003. |
| [19] |
M. Backes, B. Pfitzmann, M. Waidner:
Symmetric Authentication Within a Simulatable Cryptographic
Library; 8th European Symposium on Research in Computer
Security (ESORICS 2003), LNCS 2808, Springer-Verlag, Berlin
2003, 271-290. (© Springer-Verlag, 2003;
personal version.)
Full version: Cryptology ePrint Archive, Report
2003/145, July 2003. |
| [20] |
M. Backes, B. Pfitzmann, M. Waidner:
Reactively Secure Signature Schemes; 6th Information
Security Conference (ISC), LNCS 2851, Springer-Verlag, Berlin
2003, 84-95. (© Springer-Verlag, 2003;
personal version.) |
| [21] |
M. Backes: Unifying Simulatability
Definitions in Cryptographic Systems under Different Timing
Assumptions; 14th International Conference on Concurrency
Theory (CONCUR), LNCS 2761, Springer-Verlag, Berlin 2003, 350-365.
(© Springer-Verlag, 2003;
personal version.)
Full version: Cryptology ePrint Archive, Report
2003/114, June 2003. |
| [22] |
M. Backes, M. Schunter: From Absence
of Certain Vulnerabilities towards Security Proofs --- Pushing
the Limits of Formal Verification; 10th ACM Workshop on
New Security Paradigms (NSPW), Ascona, Switzerland, August 2003.
(To appear.) |
| [23] |
M. Backes, B. Pfitzmann, M. Waidner:
Security in Business Process Engineering; International
Conference on Business Process Management (BPM ’03), LNCS 2678,
Springer-Verlag, Berlin 2003, 168-183. (© Springer-Verlag,
2003;
personal version.) |
| [24] |
M. Backes, B. Pfitzmann: Intransitive
Non-Interference for Cryptographic Purposes; IEEE Symposium
on Security and Privacy 2003, 140-152. (© IEEE Computer
Society, 2003;
personal version.) |
| [25] |
M. Backes, C. Jacobi: Cryptographically
Sound and Machine-Assisted Verification of Security Protocols;
20th International Symposium on Theoretical Aspects of Computer
Science (STACS '03), LNCS 2607, Springer-Verlag, Berlin 2003,
675-686. (© Springer-Verlag, 2003;
personal version.) |
| [26] |
M. Backes, B. Pfitzmann, M. Steiner,
M. Waidner: Polynomial Fairness and Liveness; IEEE Computer
Security Foundations Workshop (CSFW), IEEE 2002, 160-174. (©
IEEE Computer Society, 2002;
personal version.) |
| [27] |
M. Backes, C. Jacobi, B. Pfitzmann:
Deriving Cryptographically Sound Implementations Using Composition
and Formally Verified Bisimulation; Formal Methods Europe,
Springer 2002, 310-329. (© Springer-Verlag, 2002;
personal version.) |
| [28] |
M. Backes, B. Pfitzmann: Computational
Probabilistic Non-Interference; 7th European Symposium on
Research in Computer Security, Springer 2002, 1-23. (©
Springer-Verlag, 2002;
personal version.)
Journal version: [BP04b]. |
| [29] |
B. Pfitzmann, M. Waidner: A Model
for Asynchronous Reactive Systems and its Application to Secure
Message Transmission; IEEE Symposium on Security and Privacy,
IEEE 2001, 184-200. (© IEEE Computer Society, 2001;
personal version.)
Earlier, longer version: IACR ePrint Archive, Report
2000/066, Dec. 2000. First part extended and improved in
[BPW04c] |
| [30] |
B. Pfitzmann, M. Waidner: Composition
and Integrity Preservation of Secure Reactive Systems; 7th
ACM Conference on Computer and Communications Security, ACM
2000, 245-254. (© ACM, 2000;
personal version.) |
|
|
|
| |
|
|
| Others |
|
|
| [1] |
M. Backes, B. Pfitzmann, M. Waidner:
Soundness Limits of Dolev-Yao Models; Workshop on Formal
and Computational Cryptography (FCC 2006), Venice, July 2006.
|
| [2] |
B. Pfitzmann, M. Schunter, M. Waidner:
Reactively Simulatable Certified Mail; Cryptology ePrint
Archive, Report 2006/041,
http://eprint.iacr.org/,
Feb. 2006.
(Strong revision from 2004 of [PSW00b],
which is still a journal submission from 2000.) |
| [3] |
M. Backes, B. Pfitzmann, M. Waidner:
Secure Asynchronous Reactive Systems; Cryptology ePrint
Archive, Report 2004/082,
http://eprint.iacr.org/,
March 2004.
Significantly extended first part of [PW01].
|
| [4] |
M. Steiner: Secure Group Key Agreement;
Dissertation, Saarland University, March 2002 (pdf).
|
| [5] |
B. Pfitzmann, M. Schunter, M. Waidner:
Provably Secure Certified Mail; IBM Research Report RZ
3207, August 2000 (ps.gz).
|
| [6] |
B. Pfitzmann, M. Schunter, M. Waidner:
Cryptographic Security of Reactive Systems; Workshop
on Secure Architectures and Information Flow, Royal Holloway,
Univ. of London, Dec. 1999; Electronic Notes in Theoretical
Computer Science (ENTCS) 32 (2000). (ps).
Later, much longer version: Secure Reactive Systems;
IBM
Research Report RZ 3206, IBM Research Division, Zurich,
May 2000.
|
|
|
|
| |
|
|
|
