52 Things: Number 30: Roughly outline the BR security definition for key agreement
This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know To Do Cryptography': a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. In this week we look at a security definition for authenticated key exchange.
Establishing a shared key between two parties is one of the oldest problems in cryptography, and turns out to be much harder than standard encryption, even when just considering definitions. Although the classic Diffie-Hellman protocol from 1976 seems to solve the problem, it provides no authenticity guarantee - i.e. that a key has been agreed with the right person - since a man-in-the-middle attack can easily be performed.
To model this kind of attack, and others, we need a security definition. There are two main approaches when defining the security of a key exchange protocol, namely those based on a symbolic model and those using a computational model. In the symbolic model, which became popular in the '90s after the classic paper on BAN logic, techniques from formal methods are used to model and analyse a protocol. The symbolic model is good for identifying attacks, but it is difficult for the underlying logic to capture all classes of attacks, so analysis in this model does not provide strong security guarantees; it can, however, be semi-automated using theorem provers.
In their seminal 1993 paper, Bellare and Rogaway instead created a game-based security definition for authenticated key exchange in a computational model, similar to the IND-CPA and IND-CCA definitions for encryption. In this model, cryptographic primitives are not assumed to be unbreakable, but instead we attempt to quantify the success probability of an adversary by computing their 'advantage' in a security game. The main feature of an adversary that we wish to encompass is that all communication is under the adversary's control: they can read, modify, delay and replay messages. They can also run any number of instances of the protocol simultaneously with other parties. The intuition behind the AKA security game is that the only way an adversary can get a party to accept an agreed key is by forwarding honest messages from a genuine protocol run, in which case they cannot possibly learn anything new.
The security game consists of a number of different oracles that an adversary can query. The three main oracles are the corruption oracle, which allows the adversary to take control of a chosen party; the key registration oracle, which registers a public key for any chosen user; and the message oracle, which is the main oracle used for passing messages. Note that messages are not sent directly between the participants; instead the adversary delivers them using the message oracle.
The message oracle is the main oracle allowing the adversary to create protocol sessions with parties (where they aim to establish a short-term, or ephemeral, shared key) and send messages. When querying the oracle, they can take one of the following actions:
- Start a new session between two users
- Learn the secret key of any terminated session
- Send a message in an existing session and receive the response
The security game follows the real-or-random paradigm, like the standard definitions for encryption, by choosing a secret bit b: if b = 0 the adversary is given a random key as the challenge, otherwise it is given the real key. After interacting with the oracles, the adversary chooses a terminated session in which neither party is corrupted and for which no 'matching' session has had its key revealed (to rule out trivial breaks), and receives the challenge key for that session. If they guess b correctly, they win the game.
A protocol is said to be a secure authenticated key exchange protocol if it is correct, and any adversary's strategy in the above game is no better than random guessing. The above outline is only a rough sketch, of course, and there are many further details in the paper.
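To make the bookkeeping of the game concrete, here is an added Python example (not from the original post, and not Bellare and Rogaway's own formalisation) of a toy BR-style game: parties share long-term keys, the message oracle offers the three actions listed above, a corruption oracle marks a party as taken over, sessions are partnered by matching conversation, the Test query refuses any session that is not fresh, and an adversary's advantage |2 Pr[win] - 1| is estimated empirically. The nonce-and-MAC handshake, the class and function names, and the 16-byte nonces are all constructed for this illustration and are assumptions, not anything the paper prescribes; the game is also simplified (for instance, Test may be queried more than once). A small measured advantage for one particular adversary says nothing about all adversaries; the point is to see which checks the definition requires.

```python
import hashlib, hmac, os, secrets
from dataclasses import dataclass, field

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

@dataclass
class Session:          # one party's protocol instance; role is "init" or "resp"
    owner: str
    peer: str
    role: str
    transcript: list = field(default_factory=list)   # protocol step == len(transcript)
    key: bytes = b""
    status: str = "running"                          # "running" / "accepted" / "rejected"
    revealed: bool = False

class BRGame:
    """Hypothetical BR-style game (constructed here) over a toy nonce-and-MAC handshake:
    A->B: nA ; B->A: nB||MAC(K,"resp"||B||A||nA||nB) ; A->B: MAC(K,"init"||A||B||nA||nB)
    session key = MAC(K,"key"||nA||nB), K being the long-term key shared by A and B."""
    def __init__(self, users, b=None):
        self.ltk = {frozenset((u, v)): os.urandom(32) for u in users for v in users if u < v}
        self.corrupted, self.sessions = set(), []
        self.b = secrets.randbits(1) if b is None else b   # hidden real-or-random bit

    def new_session(self, owner, peer, role):   # oracle action 1: start a new session
        s = Session(owner, peer, role)
        self.sessions.append(s)
        if role == "init":                      # the initiator emits its nonce at once
            s.transcript.append(os.urandom(16))
        return s, (s.transcript[0] if role == "init" else None)

    def send(self, s, msg):                     # oracle action 3: deliver msg, get the reply
        if s.status != "running":
            return None
        k = self.ltk[frozenset((s.owner, s.peer))]
        me, them, step = s.owner.encode(), s.peer.encode(), len(s.transcript)
        if s.role == "resp" and step == 0:      # B receives nA
            nA, nB = msg, os.urandom(16)
            reply = nB + mac(k, b"resp" + me + them + nA + nB)
            s.transcript += [nA, reply]
            return reply
        if s.role == "init" and step == 1:      # A receives nB||tag
            nA, nB, tag = s.transcript[0], msg[:16], msg[16:]
            if hmac.compare_digest(tag, mac(k, b"resp" + them + me + nA + nB)):
                reply = mac(k, b"init" + me + them + nA + nB)
                s.transcript += [msg, reply]
                s.key, s.status = mac(k, b"key" + nA + nB), "accepted"
                return reply
        if s.role == "resp" and step == 2:      # B receives A's tag
            nA, nB = s.transcript[0], s.transcript[1][:16]
            if hmac.compare_digest(msg, mac(k, b"init" + them + me + nA + nB)):
                s.transcript.append(msg)
                s.key, s.status = mac(k, b"key" + nA + nB), "accepted"
                return None
        s.status = "rejected"                   # bad tag or out-of-order message
        return None

    def reveal(self, s):                        # oracle action 2: key of a terminated session
        s.revealed = s.status == "accepted"
        return s.key if s.revealed else None
    def corrupt(self, user):                    # corruption oracle: adversary takes over a party
        self.corrupted.add(user)
    def partners(self, s):   # matching conversation: peers swapped, opposite role, same transcript
        return [t for t in self.sessions if t is not s and t.owner == s.peer
                and t.peer == s.owner and t.role != s.role and t.transcript == s.transcript]
    def fresh(self, s):      # accepted, unrevealed, no corrupted party, no revealed partner
        return (s.status == "accepted" and not s.revealed
                and s.owner not in self.corrupted and s.peer not in self.corrupted
                and not any(t.revealed for t in self.partners(s)))
    def test(self, s):                          # challenge: real key if b == 1, random if b == 0
        if not self.fresh(s):
            return None
        return s.key if self.b == 1 else os.urandom(32)
    def guess(self, b_guess):
        return b_guess == self.b

def honest_run(game, a, b):   # adversary faithfully forwards every message between A and B
    sa, m1 = game.new_session(a, b, "init")
    sb, _ = game.new_session(b, a, "resp")
    game.send(sb, game.send(sa, game.send(sb, m1)))
    return sa, sb

def tampered_run(game, a, b):   # a substituted nonce: A's MAC check fails, nobody accepts
    sa, _ = game.new_session(a, b, "init")
    sb, _ = game.new_session(b, a, "resp")
    m3 = game.send(sa, game.send(sb, os.urandom(16)))
    if m3 is not None:
        game.send(sb, m3)
    return sa, sb

def random_guesser(game):
    game.test(honest_run(game, "A", "B")[0])
    return game.guess(secrets.randbits(1))

def advantage(adversary, trials=1000):   # Adv = |2 Pr[win] - 1|, estimated empirically
    wins = sum(adversary(BRGame("AB")) for _ in range(trials))
    return abs(2 * wins / trials - 1)
```

Calling `advantage(random_guesser)` gives a value near zero, and `tampered_run` shows that a session whose transcript was altered in transit never reaches the accepted state and has no partner, which is the 'only by forwarding honest messages' intuition from the post. The freshness check in `test` is what rules out the trivial wins the definition excludes: once a partner session's key has been revealed, or either party has been corrupted, the challenge is refused.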