Invisible Adaptive Attacks
We introduce the concept of an \emph{invisible adaptive attack} (IAA) against
cryptographic protocols. Or rather, it is a class of attacks, where the protocol itself
is the attack, and where this cannot be seen by the security model. As an
example, assume that we have some cryptographic security \emph{model} and
assume that we have a current setting of the \emph{real world} with some cryptographic
infrastructure in place, like a PKI. Select some object from this real world infrastructure,
like the
public key, , of some root certificate authority (CA). Now design a protocol ,
which is secure in . Then massage it into ,
which runs exactly like ,
except that if the public key of the root CA happens to be , then it will
be completely insecure.
Of course should be considered insecure. However, in
current security models existing infrastructure is modelled by generating it at
random in the experiment defining security. Therefore, \emph{in the model}, the root CA will
have a fresh,
random public key . Hence , except with negligible probability,
and thus will typically deem secure.
The problem is that to notice the above
attack in a security model, we need to properly model the correlation between
and . However, this correlation was made by the \emph{adversary} and
it is naïve to believe that he will report this correlation correctly to the security model.
It is the protocol itself and how
to model it which
is the attack. Furthermore, since a model cannot see a real world
object, like the current infrastructure , the correlation is invisible to the model
when not reported by the adversary.
Besides introducing the new concept of an invisible adaptive attack,
we have the following contributions:
\begin{enumerate}
\item
We show that a popular security model,
the generalized universal composability (GUC) model introduced by
Canetti, Dodis, Pass and Walfish in 2007\cite{CDPW07GUC}, allows an IAA,
along the lines of the attack
sketched above. This is not a problem specific to the GUC model, but it is
more interesting to demonstrate this for the GUC model, as it was exactly
developed
to model security for protocols running with a common infrastructure which has been
set up once and for all before the protocols are run.
\item
We show how to modify the GUC model to catch invisible adaptive attacks
relative to existing infrastructure, introducing the \emph{strong externalized
universal composability (SEUC)} model.
Conceptually, when given a protocol to analyse, we will assume the
\emph{worst case correlation} to the existing infrastructure, and
we will deem it secure if it is secure in presence of this worst case correlation.
I.e., a protocol is deemed insecure if there could \emph{exist} an IAA which is using
the given protocol.
We consider this new way to define security
a main conceptual contribution of the paper.
Properly modelling this conceptual idea is
technically challenging and requires completely novel ideas.
We consider this the main
technical contribution of the paper. We prove that the new model has secure
modular composition, as do the UC and the GUC models.
\item
We show that in the SEUC model any well-formed ideal functionality can be
realised securely under
standard
computational assumptions and using an infrastructure, or setup assumption,
known as an augmented common reference string. We do that by slightly
modifying a
protocol from \cite{CDPW07GUC}
and reproving its security
in the SEUC model.
\end{enumerate}
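The following toy simulation, added here as an illustration and not code from the paper, makes the attack sketched above and the worst-case-correlation idea of item 2 concrete. A message-authentication "protocol" is a sound HMAC unless the root CA public key it is run with equals a value chosen by the protocol designer, in which case the tag becomes a constant anyone can forge. An experiment that samples the infrastructure at random inside the model (as the abstract says current models do) never observes the backdoor; an experiment that lets the adversary choose the setup value does. The deployed CA key, the message, and the 64-trial budget are all constructed for the example; the checks are a caricature of the GUC and SEUC experiments, not their formal definitions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the real-world object the attack is keyed to:
# the public key of an already deployed root CA (hypothetical 32-byte value).
REAL_WORLD_ROOT_CA_PK = hashlib.sha256(b"hypothetical deployed root CA").digest()


def make_protocol(trigger_pk=None):
    """Return a toy message-authentication 'protocol'.

    It is a plain HMAC-SHA256, a sound MAC, unless the root CA public key it is
    run with equals trigger_pk, in which case the tag degrades to a constant
    that anyone can produce.  With trigger_pk set to the deployed CA key this
    is the invisible adaptive attack sketched in the abstract.
    """
    def authenticate(root_ca_pk, key, message):
        if trigger_pk is not None and hmac.compare_digest(root_ca_pk, trigger_pk):
            return b"\x00" * 32  # backdoor: tag no longer depends on the key
        return hmac.new(key, message, hashlib.sha256).digest()
    return authenticate


def forgery_succeeds(protocol, root_ca_pk):
    """One adversary attempt: produce a valid tag without the honest MAC key."""
    key = os.urandom(32)  # honest party's secret key, unknown to the adversary
    message = b"transfer 100 to attacker"  # constructed sample message
    honest_tag = protocol(root_ca_pk, key, message)
    forged_tag = protocol(root_ca_pk, b"\x00" * 32, message)  # adversary's guessed key
    return hmac.compare_digest(honest_tag, forged_tag)


def secure_in_random_setup_model(protocol, trials=64):
    """Experiment in the style the abstract ascribes to current models: the
    infrastructure is generated at random inside the experiment, so the real
    deployed key is never seen.  True if no trial yields a forgery."""
    return not any(forgery_succeeds(protocol, os.urandom(32)) for _ in range(trials))


def secure_under_worst_case_setup(protocol, adversary_choices):
    """Worst-case-correlation check in the spirit of SEUC: the adversary picks
    the setup values the protocol is run against, and the protocol is deemed
    secure only if no choice yields a forgery."""
    return not any(forgery_succeeds(protocol, pk) for pk in adversary_choices)


if __name__ == "__main__":
    honest = make_protocol()
    backdoored = make_protocol(trigger_pk=REAL_WORLD_ROOT_CA_PK)
    print("honest, random setup:    ", secure_in_random_setup_model(honest))
    print("backdoored, random setup:", secure_in_random_setup_model(backdoored))
    print("backdoored, worst case:  ",
          secure_under_worst_case_setup(backdoored, [REAL_WORLD_ROOT_CA_PK]))
    print("backdoored, as deployed: ",
          not forgery_succeeds(backdoored, REAL_WORLD_ROOT_CA_PK))
```

The random-setup experiment returns "secure" for the backdoored protocol because a fresh 32-byte key equals the trigger only with negligible probability; only the experiment that quantifies over adversarially chosen setup values catches it. In the toy the adversary's choice list simply contains the deployed key; in the paper the worst case is taken over all possible correlations, which is what makes the modelling nontrivial.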
Our techniques seem specific to modelling IAAs relative to
\emph{existing infrastructure}. One can, however, imagine more general IAAs,
relative, for instance, to values being dynamically generated by secure
protocols currently running
in practice, like a broadcast service or a cloud service.
We do not know how to model IAAs in general and hence open up a new
avenue of investigation.
Universally Composable Authentication and Key-exchange with Global PKI
Message authentication and key exchange are two of the most basic tasks of
cryptography. Solutions based on public-key infrastructure (PKI) are
prevalent. Still, the state of the art in composable security analysis of
PKI-based authentication and key exchange is somewhat unsatisfactory.
Specifically, existing treatments either (a)~make the unrealistic assumption
that the PKI is accessible only within the confines of the protocol itself,
thus failing to capture real-world PKI-based authentication, or (b)~impose
often-unnecessary requirements---such as strong on-line
non-transferability---on candidate protocols, thus ruling out natural
candidates.
We give a modular and universally composable analytical framework for PKI-based
message authentication and key exchange protocols. This framework guarantees
security even when the PKI is pre-existing and globally available, without
being unnecessarily restrictive. Specifically, we model PKI as a global set-up
functionality within the \emph{Global~UC} security model [Canetti \etal, TCC
2007] and relax the ideal authentication and key exchange functionalities
accordingly. We then demonstrate the security of basic signature-based
authentication and key exchange protocols. Our modeling makes minimal security
assumptions on the PKI in use; in particular, ``knowledge of the secret key''
is not needed.