Low-Level Ideal Signatures and General Integrity Idealization

Michael Backes, Birgit Pfitzmann, Michael Waidner
2004 Lecture Notes in Computer Science  
Recently we showed how to justify a Dolev-Yao type model of cryptography, as used in virtually all automated protocol provers, under active attacks and in arbitrary protocol environments. The justification was done by defining an ideal system handling Dolev-Yao-style terms and a cryptographic realization with the same user interface, and by showing that the realization is as secure as the ideal system in the sense of reactive simulatability. This holds in the standard model of cryptography and under standard assumptions of adaptively secure primitives. While treating a term algebra is the point of that paper, a natural question is whether the proof could be more modular, e.g., by using a low-level idealization of signature schemes similar to the treatment of encryption. We present a low-level ideal signature system that we tried to use as a lower layer in prior versions of the library proof. It may be of independent interest for cryptography because idealizing signature schemes has proved surprisingly error-prone. However, we also explain why using it makes the overall proof of the justification of the Dolev-Yao type model more complicated instead of simpler. We further present a technique, integrity idealization, for mechanically constructing composable low-level ideal systems for other cryptographic primitives that have "normal" cryptographic integrity definitions.

the method for protocols proved in the literature were found so far. Further, the overall approach of abstracting from cryptographic primitives once with rigorous hand-proofs, and then using tools for proving protocols using such primitives, is highly attractive: Besides the cryptographic aspects, protocol proofs have many distributed-systems aspects, which make proofs tedious and error-prone even if they weren't interlinked with the cryptographic aspects. To use existing efficient automated proof tools for security protocols, cryptography must indeed be abstracted into simple, deterministic ideal systems. The closer one can stay to the Dolev-Yao model, the easier the adaptation of the proof tools will be. Cryptographic underpinnings of a Dolev-Yao model were first addressed by Abadi and Rogaway in [2]. However, they only handled passive adversaries and symmetric encryption. The protocol language and security properties handled were extended in [1, 23], but still only for passive adversaries.
This excludes most of the typical ways of attacking protocols, e.g., man-in-the-middle attacks and attacks by reusing a message part in a different place or concurrent protocol run. A full cryptographic justification for a Dolev-Yao model, i.e., for arbitrary active attacks and within the context of arbitrary surrounding interactive protocols, was first given recently in [5]. Based on the specific Dolev-Yao model whose soundness was proven in [5] and called the cryptographic library there, the well-known Needham-Schroeder-Lowe protocol was proved in [3]. This shows that in spite of adding certain operators and rules compared with simpler Dolev-Yao models (in order to be able to use arbitrary cryptographically secure primitives without too many changes in the cryptographic realization), such a proof is possible in the style already used in automated tools, only now with a sound cryptographic basis. It was also shown how the cryptographic library, in other words the term algebra and rules, can be modularly extended by additional cryptographic primitives, using the example of symmetric authentication [8] and symmetric encryption [4]. Subsequent to the work of [5], several papers presented cryptographic underpinnings of Dolev-Yao models under active attacks for specific primitives, e.g., [24] for symmetric encryption and [20, 21, 27] for public-key encryption. The full version of [5] with its rigorous proofs is of considerable length. This is not too surprising compared with, e.g., the length of [2]. Nevertheless, it seems an interesting question whether the cryptographic library, in other words the precise Dolev-Yao model used, as well as its proof could not be presented in a more modular way. There are several aspects to this question. We will discuss easy ones first and then come to the question of a more modular proof, which is the main motivation for this paper.
The trivial answer is that we could have left out some operators and then added them again in a separate paper as in [8]. Clearly the text would be much shorter if only encryption, application data, and lists were retained as a minimum repertoire for building nested encryption terms of the Dolev-Yao style, or similarly for signatures. This would
doi:10.1007/978-3-540-30144-8_4