Constraints and Security

Constraints and Security. Catuscia Palamidessi and Frank Valencia, INRIA and LIX, Ecole Polytechnique

Plan of the talk
Concurrent constraint programming (ccp) and verification of security protocols
Focus on anonymity: nondeterministic approach vs probabilistic approach
Probabilistic ccp
Applications to verification of anonymity

ccp - the origins
Concurrent constraint programming was proposed by Saraswat, Rinard and Panangaden [POPL 91] as a combination of two traditions: constraint logic programming and concurrency theory (in particular CCS).
Elegant and simple denotational semantics based on closure operators.

ccp and verification of security protocols
There have been various proposals to apply constraint-based frameworks to security. The use of ccp, however, derives mainly from the concurrency theory approach.
Seminal work by Gavin Lowe: found a bug in the NS protocol and fixed it by using TCSP [Hoare et al, 83]; automatic verification via model checking (FDR).

ccp and verification of security protocols
spi-calculus [Abadi and Gordon, mid 90s]: variant of the pi-calculus [Milner et al. 89]
security systems as spi-calculus terms
verification based on bisimulation

In recent years, people have started to simplify the spi-calculus framework. Abadi, Amadio, Boreale, among others, have proposed versions of the spi-calculus accounting for:
the knowledge of the agents involved in the system can only grow (monotonic store in the style of ccp)
traces (reachability) instead of bisimulation
simpler semantics in the ccp style
SPL [Crazzolara and Winskel, 2002] is practically a ccp formalism.

Anonymity
Goal: to ensure that the identity of the agent performing a certain action remains secret.
Examples of situations in which anonymity may be desirable: electronic elections, delation, donations, file sharing.

Anonymity
Some systems:
Crowds [Reiter and Rubin, 1998]: anonymous communication (anonymous sender)
Onion Routing [Syverson et al. 1997]: anonymous communication
Freenet [Clarke et al. 2001]: anonymous information storage and retrieval



All these systems use randomized primitives

Formalizing Anonymity
We must specify:
the action(s) w.r.t. which we want anonymity
the agents that we want anonymous
the capabilities of the observer

Actions divided in 3 parts:
A = {a(i) | i is to be anonymous}
B = the observables
C = all the other actions

Nondeterministic approach
Schneider and Sidiropoulos, 1996: randomized mechanisms represented as nondeterministic ones.
Consider the traces on B ∪ A.
Definition: the system P is anonymous if its set of traces is invariant w.r.t. any permutation ρ of the actions in A, namely ρ(Traces(P)) = Traces(P) for any ρ.

Example: The dining cryptographers (David Chaum, 1988)
Three cryptographers share a meal. The meal is paid either by the organization (master) or by one of them.
Each of the cryptographers is informed by the master whether or not he has to pay.
GOAL: to know whether one of them is paying, but without knowing whom exactly.

[Figure: the master and the three cryptographers Crypt(0), Crypt(1), Crypt(2); the master tells each cryptographer i either Pays(i) or Notpays(i).]

DC: A solution
A coin between each two cryptographers. Each coin is tossed; the result is visible only to the adjacent cryptographers.
Each cryptographer does the following: if he is not paying, he announces “agree” if the results are the same, and “disagree” otherwise; if he is paying, he says the opposite.

[Figure: Master with Crypt(0), Crypt(1), Crypt(2) in a ring and Coin(0), Coin(1), Coin(2) between adjacent cryptographers; each cryptographer i announces agree_i / disagree_i.]

DC: Properties of the solution
If the number of “disagree” is even, then the master is paying. Otherwise, one of them is paying.
(Anonymity): in the latter case, if the coins are not biased, then an external observer (and the non-paying cryptographers) will not be able to deduce who is paying.
The nondeterministic definition of Schneider and Sidiropoulos can be proved to hold.

Motivation for a probabilistic approach
Assume that we get “almost always” one of the following results:
[Figure: three configurations of the dining cryptographers, each showing the three coin results (H/T), which cryptographer pays (p) and the three announcements (a = agree, d = disagree).]
These are 3 of the 4 possible results when the payer is one of the cryptographers. What can we deduce?

What we have learnt from the example
The probability distribution of random devices can be inferred from statistical information.
From the knowledge of the probability distribution, we can deduce probabilistic information about the identity of the user.
This leakage of probabilistic information is not captured by the nondeterministic definition (in that definition anonymity still holds as long as the fourth configuration occasionally occurs).

Deterministic ccp
Constraints (information system with cylindrification operators): c, d ::= e | c ∧ d | ∃x(c)
Agents: A, B ::= c | A ∥ B | ∃x(c → A) | ∃x(A)

Operational semantics
Structural congruence: A ∥ B ≡ B ∥ A; ∃x(A) ∥ B ≡ ∃x(A ∥ B) if x not free in B

Reduction relation:
if c |= d[y/x] then c ∥ ∃x(d → A) ➝ c ∥ A[y/x]
if A ➝ A’ then A ∥ B ➝ A’ ∥ B
... (rule for the local store: c ∥ ∃x(d ∥ A) ➝ ... ∃x(... ∥ A’) ...)

Input-output function: A(c) = ∃x(d) iff A ∥ c ➝ ... ➝ ∃x(A’ ∥ d) −⁄➝

Denotational semantics
Closure operator: a function f on constraints that is
monotonic: if c |= d then f(c) |= f(d)
increasing: f(c) |= c
idempotent: f(f(c)) = f(c)
A closure operator can be represented by the set of its fixpoints: f(c) = min(f ∩ ↑c)

Denotational semantics
Semantics: [[.]] : Agents ➝ Closure operators
[[c]] = ↑c
[[A ∥ B]] = [[A]] ∩ [[B]]
The relation between the denotational and the operational semantics: A(c) = min([[A]] ∩ ↑c)
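The closure-operator semantics above, as an added Python example (not the authors' code): it uses a toy finite constraint system (sets of atomic facts a, b, c ordered by inclusion, an assumption for the example), denotes each agent by its set of fixpoints, composes parallel agents by intersection and computes A(c) = min([[A]] ∩ ↑c). The names tell, ask, par and run are hypothetical.

```python
from itertools import combinations

# Toy constraint system (an assumption for the example): a constraint is a
# set of atomic facts; c |= d iff d <= c, and conjunction is set union.
ATOMS = frozenset("abc")
LATTICE = [frozenset(s) for r in range(len(ATOMS) + 1)
           for s in combinations(sorted(ATOMS), r)]

def entails(c, d):
    return d <= c

def up(c):
    """↑c: every constraint at least as informative as c."""
    return frozenset(d for d in LATTICE if entails(d, c))

# Each agent is denoted by the set of fixpoints of its closure operator.
def tell(c):
    """[[c]] = ↑c"""
    return up(frozenset(c))

def ask(c, body):
    """c → A: a store not entailing c is left unchanged (so it is a fixpoint);
    a store entailing c must additionally be a fixpoint of A."""
    c = frozenset(c)
    return frozenset(d for d in LATTICE if not entails(d, c) or d in body)

def par(f, g):
    """[[A ∥ B]] = [[A]] ∩ [[B]]"""
    return f & g

def run(f, c):
    """Input-output function A(c) = min(f ∩ ↑c).  Fixpoint sets are closed
    under intersection, so the least candidate is the intersection of all."""
    candidates = f & up(frozenset(c))
    least = ATOMS          # the top of the lattice is a fixpoint of every agent
    for d in candidates:
        least &= d
    assert least in candidates
    return least

def closure_laws_hold(f):
    """Monotonic, increasing and idempotent, checked over the whole lattice."""
    return all(run(f, c) >= c and run(f, run(f, c)) == run(f, c)
               and all(run(f, d) >= run(f, c) for d in LATTICE if d >= c)
               for c in LATTICE)
```

For example, tell(a) ∥ (a → tell(b)) maps the empty store to {a, b}, while the ask alone leaves the empty store unchanged.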

Probabilistic ccp
Agents: A ::= ... | A +p B
Reduction relation: A +p B ➝p A and A +p B ➝1-p B
Input-output relation: A(c) = { ∃x(d)p | A ∥ c ➝p1 ... ➝pn ∃x(A’ ∥ d) −⁄➝ and p = p1 ⋯ pn }

Denotational semantics
[[ ]] : Agents ➝ Prob(Closure operators)
[[c]] = { (↑c)1 }
[[A +p B]] = { fpq | fq ∈ [[A]] } ∪ { f(1-p)q | fq ∈ [[B]] }
[[A ∥ B]] = { (f ∩ g)pq | fp ∈ [[A]] and gq ∈ [[B]] }

Relation with the operational semantics: dp ∈ A(c) iff there exists fp ∈ [[A]] s.t. d = min(f ∩ ↑c)

Notation
Events (sets of computations):
a(i) : user i has performed a
a = ∪i a(i) : a has been performed
o = b1 ∧ … ∧ bn (observable) : b1, …, bn have been performed
Probability on events defined as usual.
Conditional probability: p(x | y) = p(x and y) / p(y)

Formalization of strong anonymity: an observation o does not change the a-priori probability of a user i to be the culprit: p(a(i) | o) = p(a(i))
Example: in the case of the dining cryptographers we have p(pay(i) | b0 ∧ b1 ∧ b2) = p(pay(i)), where bj ∈ {agree, disagree} with #disagree odd.
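The dining cryptographers protocol and the strong-anonymity condition above, as an added Python example (not code from the slides): it enumerates all coin outcomes exactly with Fractions, checks the parity property of the announcements, and compares p(pay(i) | b0 b1 b2) with p(pay(i)) for fair coins and for biased coins, showing the leak the nondeterministic definition misses. The coin placement (coin j between cryptographers j and j+1), the uniform prior over the three cryptographers and the 9/10 bias are constructed assumptions.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product

def announcements(payer, coins):
    """Coin j lies between cryptographers j and (j+1)%3 (assumed placement), so
    cryptographer i sees coins i-1 and i.  A non-payer says 'a' (agree) iff his
    two coins match; the payer says the opposite.  payer=None: the master pays."""
    out = []
    for i in range(3):
        same = coins[(i - 1) % 3] == coins[i]
        out.append("a" if (same if i != payer else not same) else "d")
    return "".join(out)

def master_pays(obs):
    """An even number of 'disagree' announcements means the master is paying."""
    return obs.count("d") % 2 == 0

def parity_property_holds():
    """Exhaustive check: the announcements always reveal whether a cryptographer pays."""
    coin_sets = list(product("HT", repeat=3))
    return (all(master_pays(announcements(None, c)) for c in coin_sets) and
            all(not master_pays(announcements(i, c))
                for i in range(3) for c in coin_sets))

def joint(p_heads, prior):
    """p(pay(i) and o) over the three cryptographers (so conditioned on the case
    where one of them pays).  Coins are independent, heads with probability p_heads."""
    dist = defaultdict(Fraction)
    for payer, p_pay in prior.items():
        for coins in product("HT", repeat=3):
            p_coins = Fraction(1)
            for face in coins:
                p_coins *= p_heads if face == "H" else 1 - p_heads
            dist[(payer, announcements(payer, coins))] += p_pay * p_coins
    return dist

def posterior(dist, obs):
    """p(pay(i) | o) = p(pay(i) and o) / p(o) for each cryptographer i."""
    p_obs = sum(p for (_, o), p in dist.items() if o == obs)
    return {i: dist[(i, obs)] / p_obs for i in range(3)}

def strongly_anonymous(p_heads, prior):
    """Strong anonymity: no observation changes any cryptographer's prior probability."""
    dist = joint(p_heads, prior)
    observed = {o for (_, o), p in dist.items() if p > 0}
    return all(posterior(dist, o) == prior for o in observed)

UNIFORM_PRIOR = {i: Fraction(1, 3) for i in range(3)}            # constructed prior
FAIR_COIN, BIASED_COIN = Fraction(1, 2), Fraction(9, 10)          # constructed biases
```

With biased coins the observation "daa" (only cryptographer 0 disagrees) raises p(pay(0) | o) from 1/3 to 73/91, exactly the kind of leak the slides motivate.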

Conclusion
A probabilistic extension of ccp: simple denotational semantics, still based on closure operators.
Applications to anonymity: formalization of a probabilistic notion of strong anonymity.

Future work
Combination of nondeterminism and probability
Weaker notions of anonymity
Automatic verification: anonymous systems as ccp terms; compute the relevant probabilities (using the denotational semantics); check that the anonymity formula is satisfied

Thank you !