INSE: 6150 SECURITY EVALUATION METHODOLOGY

Suppose someone hands you a piece of cryptography and wants to know whether it works correctly or not. That task is the evaluation of the cryptography. It is hard to evaluate any crypto without knowing the possible attacks, and without knowing how the crypto is supposed to mitigate those attacks.
[Lecture diagram: three boxes, Attacks -> Crypto -> Mitigation, with Evaluation alongside. Example labels on the diagram: Lucky 13 (an attack); SFE, Garbled circuits (FHE) (crypto); Security Proofs (evaluation).]
This lecture is mostly about the evaluation of crypto protocols by security proofs.
There are three levels of security argument:
1) Heuristic: no proof, just decades of study.
Heuristic security means we believe the protocol is secure only because nobody has found a break, even though many people have been studying it for decades. So we assume it is secure.
2) Game based: proves that a primitive/protocol is secure in isolation.
The proof covers a single run of the protocol on its own; it says nothing about how the protocol behaves when it interacts with other protocols.
3) Simulation based: proves that a primitive/protocol is secure and stays secure when combined (composed) with other primitives/protocols.
Simulation-based security is the strongest guarantee, but it is the hardest to obtain: even simple things are hard to prove, and the constructions tend to be complex.
Heuristic and game-based security are weaker guarantees, but they are easier to argue and usually come with simple, direct constructions.
Key component of game-based and simulation-based proofs: the security reduction.
Security reduction: breaking this primitive/protocol is at least as hard as (or, in a "tight" reduction, equivalent to) solving some well-established math problem.
(The hardness of that math problem is itself only a heuristic assumption: nobody has proved it hard, it has merely resisted decades of study.)
Game-Based Sketch
Encryption: C = Enc_k(m), where C is the ciphertext, k is the key and m is the message.
We can define the security of this encryption as follows:
Definition (first attempt): an attacker who intercepts C and doesn't know k can't find m.
This definition is too weak; it has two problems:
i) We cannot say "can't", because it is not true: the attacker can always find m by a guessing attack (trying keys) or in some other brute-force way. To make the definition honest, replace "can't" with "it is infeasible to".
ii) The second problem is the phrase "find m". As stated it only rules out recovering the whole of m; an attacker who learns some part of m still satisfies the definition, yet the scheme is clearly not secure. So instead of "find m" we should require that the attacker learns no information about m at all (not even a single bit).
Good Security Definition: Game based
Chosen ciphertext attack (CCA) game
There are two participants. The lecture diagram labels them "challenger" (the party who issues the challenge messages, i.e. the attacker) and "encrypter" (the party holding the key k). Note that most textbooks use the names the other way round: the key holder is called the challenger and the other party the adversary.
The game is:
The attacker ("challenger") chooses two messages M0 and M1 of the same length and sends them to the encrypter.
The encrypter randomly chooses one of them, encrypts it, and sends the resulting challenge ciphertext back. The attacker must say which message was encrypted.
In addition, the attacker can ask for the encryption of any message at any time, and for the decryption of any ciphertext* at any time.
* Except the challenge ciphertext itself (otherwise the game is trivially won).
Definition: for the encryption to be secure, the attacker shouldn't be right noticeably more than ~50% of the time, i.e. no better than a coin flip.
An encryption scheme that satisfies this is secure under this definition (CCA secure).
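The CCA game as runnable code, added here as an illustration and not part of the lecture. The key holder answers encryption and decryption queries and encrypts one of two chosen messages under a secret bit; the attacker strategy flips one bit of the challenge ciphertext and asks for its decryption, which the rules allow because it is a different ciphertext. The two toy schemes (a stream cipher keyed by HMAC-SHA256 as a PRF, with and without an integrity tag) and the message strings are constructed for the example.

```python
import hashlib
import hmac
import os
import random

# Added example, not from the lecture: a toy stream cipher built from HMAC-SHA256 as a
# PRF, once without and once with an integrity tag, played inside the CCA game.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class StreamCipher:
    """Nonce-based stream cipher: hides the message, but anyone can flip plaintext bits."""
    def __init__(self, key: bytes):
        self.key = key
    def encrypt(self, m: bytes) -> bytes:
        nonce = os.urandom(16)
        return nonce + _xor(m, _keystream(self.key, nonce, len(m)))
    def decrypt(self, c: bytes):
        nonce, body = c[:16], c[16:]
        return _xor(body, _keystream(self.key, nonce, len(body)))

class EncryptThenMac(StreamCipher):
    """Same cipher plus an HMAC over the ciphertext; decrypt rejects anything it did not produce."""
    def __init__(self, key: bytes):
        super().__init__(key)
        self.mac_key = hashlib.sha256(b"mac|" + key).digest()  # toy key separation (assumption)
    def encrypt(self, m: bytes) -> bytes:
        c = super().encrypt(m)
        return c + hmac.new(self.mac_key, c, hashlib.sha256).digest()
    def decrypt(self, c: bytes):
        body, tag = c[:-32], c[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, body, hashlib.sha256).digest()):
            return None  # tampered: refuse to decrypt
        return super().decrypt(body)

class CCAGame:
    """The key holder ('encrypter' in the lecture diagram): answers encryption and
    decryption queries, and encrypts one of two chosen messages under a secret bit b."""
    def __init__(self, scheme_cls, rng: random.Random):
        self.scheme = scheme_cls(os.urandom(32))
        self.rng = rng
        self.challenge = None
    def encrypt_query(self, m: bytes) -> bytes:
        return self.scheme.encrypt(m)
    def decrypt_query(self, c: bytes):
        if c == self.challenge:
            raise ValueError("the challenge ciphertext itself may not be decrypted")
        return self.scheme.decrypt(c)
    def challenge_query(self, m0: bytes, m1: bytes) -> bytes:
        assert len(m0) == len(m1), "both messages must have the same length"
        self.b = self.rng.randrange(2)
        self.challenge = self.scheme.encrypt((m0, m1)[self.b])
        return self.challenge
    def adversary_wins(self, guess: int) -> bool:
        return guess == self.b

def bit_flip_adversary(game: CCAGame, rng: random.Random) -> int:
    """Flips one ciphertext bit, asks for the decryption (a different ciphertext, so it is
    allowed) and undoes the flip on the result. Works whenever the scheme is malleable."""
    m0, m1 = b"attack at dawn!!", b"attack at dusk!!"   # constructed, equal length
    c = game.challenge_query(m0, m1)
    tampered = bytearray(c)
    tampered[16] ^= 0x01            # first byte after the 16-byte nonce
    p = game.decrypt_query(bytes(tampered))
    if p is None:                   # rejected by the MAC: nothing learned, guess at random
        return rng.randrange(2)
    recovered = bytes([p[0] ^ 0x01]) + p[1:]
    return 0 if recovered == m0 else 1

def win_rate(scheme_cls, trials: int = 400, seed: int = 1) -> float:
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        game = CCAGame(scheme_cls, rng)
        wins += game.adversary_wins(bit_flip_adversary(game, rng))
    return wins / trials

def challenge_is_protected() -> bool:
    """The rule marked * in the lecture: the decryption oracle refuses the challenge ciphertext."""
    game = CCAGame(StreamCipher, random.Random(0))
    c = game.challenge_query(b"ping", b"pong")
    try:
        game.decrypt_query(c)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("malleable stream cipher:", win_rate(StreamCipher))   # 1.0: the game is won every time
    print("encrypt-then-MAC:       ", win_rate(EncryptThenMac))  # about 0.5: no better than guessing
```

The first scheme hides each message perfectly well against a passive observer, yet loses the CCA game every time, which is exactly why the definition asks for "no information about m" rather than "can't find m": a single decryption query on a related ciphertext is enough. The MAC turns the decryption oracle into a useless one for the attacker, and the win rate drops to a coin flip.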
How do we prove that a scheme meets this definition?
By a security proof:
Proof by contradiction: we assume that our protocol is not secure (the game can be won) and show that this leads to a contradiction.
Winning the game would imply that some hard math problem is actually easy.
Notation:
Primitive/Protocol: P
Security property: the computation Cp is prohibited by P (e.g. Cp = an algorithm that wins the game against P).
Security assumption: the computation Cu is prohibited universally (e.g. Cu = an efficient algorithm for the hard math problem).
Goal: prove that P does not allow Cp. For the contradiction we temporarily assume the opposite, that Cp is possible, i.e. that the security property fails and we can win the game.
Aside: Logic
Let p = "Alice is a woman" and q = "Alice is a human", and suppose "if p then q" (if Alice is a woman she is a human) is true. Which other statements follow?
If p then q (if Alice is a woman she is a human): True (given)
If q then p (if Alice is human she is a woman): False (the converse does not follow)
If not p then not q (if Alice is not a woman she is not a human): False (the inverse does not follow)
If not q then not p (if Alice is not a human she is not a woman): True (the contrapositive is equivalent to the original)
So whenever "if p then q" is true we may also use "if not q then not p"; that is the step the proof sketch relies on.
Proof Sketch (by contradiction)
1. Assume P allows Cp. .................. (P is not secure)
2. Show that such a P also allows Cu.
3. Hence: if P allows Cp, then P allows Cu. .................. (security reduction)
4. Cu is prohibited universally. .................. (security assumption)
5. Therefore P does not allow Cu.
6. By the contrapositive of step 3, P does not allow Cp. (This contradicts step 1, so P is secure.)
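The six-step sketch written out as a Lean 4 theorem, added here as an illustration and not part of the lecture. `cp` and `cu` are abstract propositions standing for "P allows Cp" and "P allows Cu"; the reduction and the hardness assumption are hypotheses, so Lean checks only the logical shape of the argument, not anything about a real scheme.

```lean
-- Added example (not from the lecture): the proof sketch as a Lean 4 theorem.
-- `cp` : "P allows C_P" (the game can be won).
-- `cu` : "P allows C_U" (the hard problem can be solved).
theorem secure_by_reduction (cp cu : Prop)
    (reduction : cp → cu)   -- step 3: a game winner yields a solver for the hard problem
    (hard : ¬ cu) :         -- step 4: the security assumption
    ¬ cp :=                 -- step 6: the game cannot be won
  fun win => hard (reduction win)   -- step 1 assumes `win : cp`; steps 2 and 5 give the contradiction
```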
3) Simulation based
Two environments:
Real World: A sends B the ciphertext C = Enc_k(m), where A and B share the key k. The adversary on the wire sees C.
Ideal World: A hands m to a trusted third party (TTP); the TTP delivers m to B. The adversary is shown only a random string r <- random, where |c| = |r| = |m| (the length of c equals the length of r).
We want to prove that these two worlds are the same (equivalent).
Idea: you play the role of the adversary, but you don't know (it is infeasible to tell) whether you are in the real world or the ideal world.
If this holds, the primitive/protocol realizes the ideal functionality.
Even in the ideal world the adversary has to be given something, because a real ciphertext unavoidably reveals the length of the message. So the TTP sends the adversary a random string of that length, and nothing else; that is the only leakage the ideal functionality permits.
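The real/ideal comparison as runnable code, added here as an illustration and not part of the lecture. The real world is the one-block XOR "encryption" from the diagram, run either with a fresh random pad per message (a one-time pad) or with the same key reused; the ideal world hands the adversary a random string of the message length, exactly as the TTP does above. The distinguisher asks A to send the same message twice and compares what it sees. Message length and the constant message are assumptions of the example.

```python
import os
import random

# Added example, not from the lecture: the real/ideal comparison for a one-block
# "encryption" that XORs the message with a key. MSG_LEN is an assumption of the example.
MSG_LEN = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class RealWorld:
    """A sends B the ciphertext C = Enc_k(m); the adversary on the wire sees C.
    With fresh_key=True a new random pad is drawn per message (one-time pad);
    with fresh_key=False the same k is reused for every message."""
    def __init__(self, fresh_key: bool):
        self.fresh_key = fresh_key
        self.k = os.urandom(MSG_LEN)
    def send(self, m: bytes) -> bytes:
        if self.fresh_key:
            self.k = os.urandom(MSG_LEN)
        return _xor(m, self.k)

class IdealWorld:
    """A hands m to the TTP, which delivers it to B. The adversary is shown only a
    random string r with |r| = |m|, the one thing any ciphertext must reveal."""
    def send(self, m: bytes) -> bytes:
        return os.urandom(len(m))

def distinguisher(world) -> str:
    """The adversary's test: have A send the same message twice and compare what it sees.
    Identical strings essentially never occur in the ideal world (probability 2^-128)."""
    c1 = world.send(b"A" * MSG_LEN)
    c2 = world.send(b"A" * MSG_LEN)
    return "real" if c1 == c2 else "ideal"

def distinguish_rate(fresh_key: bool, trials: int = 400, seed: int = 7) -> float:
    """Fraction of trials in which the distinguisher names the world it was placed in."""
    rng = random.Random(seed)
    correct = 0
    for _ in range(trials):
        truth = rng.choice(["real", "ideal"])
        world = RealWorld(fresh_key) if truth == "real" else IdealWorld()
        correct += distinguisher(world) == truth
    return correct / trials

if __name__ == "__main__":
    print("key reused:     ", distinguish_rate(False))  # 1.0: the real world is always recognised
    print("fresh pad per m:", distinguish_rate(True))   # about 0.5: no better than guessing
```

With the key reused, the real world is recognised every time, so that scheme does not realize the ideal functionality. With a fresh pad per message the ciphertext is uniformly random, the same distribution the TTP produces, so no distinguisher at all can do better than a coin flip; for a computational scheme such as a block-cipher mode the claim would only be that telling the worlds apart is infeasible, not impossible.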
Proof doesn't go through ≠ insecure.
E.g. can a CCA-secure encryption scheme protect its own key? C = Enc_k(k) ......... secure?
We can't prove it: CCA security alone says nothing about encrypting the key under itself, because the game never gives the attacker an encryption of k.
Secure? We don't know.
Human Procedures
Methodologies for evaluating the security of procedures that involve humans are immature. Humans are:
Fallible (they make mistakes)
Vulnerable to social engineering
Limited in computational ability (they can't do complex tasks)
Bad random number generators
Example: Airport Security
To fly you must have {ID (passport), ticket (boarding pass)}, must not carry {prohibited items}, and must not be on the {no-fly} list.
The steps, what each one checks, and who checks it:
i. Purchase: {ID}, checked by the airline (this is where the no-fly check is done)
ii. Check-in: {ID}, checked by the airline (can be skipped: print your own boarding pass)
iii. Security: {ID, Pass}, checked by the government
iv. Boarding: {Pass}, checked by the airline (the gate scans the pass against the booking)
Can we ensure these steps suffice?
Adversary assumptions:
Can't forge an {ID}.
Can forge a boarding pass (change the name, upgrade to priority screening).
Adversary's goal: fly while on the no-fly list.
The procedure is not secure against such an adversary. The adversary does the following:
Purchase: buy a real pass under a fake name (not on the no-fly list), paying with a different credit card.
Fabricate a fake boarding pass in the real name, so it matches the real ID.
Check-in: skip.
Security: present {pass_fake, ID}. Same name on both? Yes! Through.
Gate: present pass_real. Booked? Yes! (Nobody compares it with the ID.)
And you are on the plane!!!!
How can we fix this problem?
Fix step (ii) so that boarding passes can't be forged:
a crypto signature on the boarding pass, or
special paper for boarding passes.
Neither will be implemented. Alternatively, run the no-fly check against the boarding pass at the point where the pass is compared with the ID.
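The airport procedure and the attack on it as code, added here as an illustration and not part of the lecture. Each step is a function that checks exactly what the table above says it checks; the attack runs once with forgeable passes and once with passes carrying an authenticator. A keyed HMAC stands in for the signature the notes propose, under the assumption that the airline shares the verification key with the security checkpoint; the names, flight number and key are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Added example, not from the lecture: the four-step procedure as code, run once with
# forgeable boarding passes and once with authenticated ones. Names, flight number
# and the key are constructed for the example.
NO_FLY = {"Mallory"}
# Assumption: the airline shares this verification key with the security checkpoint.
# It stands in for the signing key a real deployment would use.
AIRLINE_KEY = b"airline-boarding-pass-key"

@dataclass(frozen=True)
class BoardingPass:
    name: str
    flight: str
    tag: bytes = b""  # empty when passes are unauthenticated (anyone can print one)

def _tag(name: str, flight: str) -> bytes:
    return hmac.new(AIRLINE_KEY, f"{name}|{flight}".encode(), hashlib.sha256).digest()

class Airline:
    def __init__(self, authenticated_passes: bool):
        self.authenticated = authenticated_passes
        self.booked = set()

    def purchase(self, name: str, flight: str):
        """Step i: the only place the no-fly list is consulted."""
        if name in NO_FLY:
            return None
        self.booked.add((name, flight))
        tag = _tag(name, flight) if self.authenticated else b""
        return BoardingPass(name, flight, tag)

    def board(self, bp: BoardingPass) -> bool:
        """Step iv: the gate scans the pass against the booking and does not look at the ID."""
        return (bp.name, bp.flight) in self.booked

def security_checkpoint(id_name: str, bp: BoardingPass, verify_tag: bool) -> bool:
    """Step iii: the government compares the name on the ID with the name on the pass.
    With verify_tag it also checks that the airline really issued this pass."""
    if id_name != bp.name:
        return False
    if verify_tag and not hmac.compare_digest(bp.tag, _tag(bp.name, bp.flight)):
        return False
    return True

def forged_pass(name: str, flight: str) -> BoardingPass:
    """A home-printed pass: right layout, any name, but no valid tag."""
    return BoardingPass(name, flight)

def no_fly_bypass(authenticated_passes: bool) -> bool:
    """Mallory is on the no-fly list. She buys a real pass as 'Bob', forges a pass in her
    own name for the checkpoint, and uses the real pass at the gate. Step ii (check-in)
    is skipped entirely. Returns True if she boards."""
    airline = Airline(authenticated_passes)
    real_pass = airline.purchase("Bob", "AC123")   # different card, fake name: no-fly check passed
    fake_pass = forged_pass("Mallory", "AC123")    # name matches her real ID
    if not security_checkpoint("Mallory", fake_pass, verify_tag=authenticated_passes):
        return False
    return airline.board(real_pass)

def honest_passenger(authenticated_passes: bool) -> bool:
    """Alice follows the procedure; she must still get on the plane after the fix."""
    airline = Airline(authenticated_passes)
    bp = airline.purchase("Alice", "AC123")
    return security_checkpoint("Alice", bp, verify_tag=authenticated_passes) and airline.board(bp)

if __name__ == "__main__":
    print("forgeable passes, Mallory boards:    ", no_fly_bypass(False))  # True
    print("authenticated passes, Mallory boards:", no_fly_bypass(True))   # False
```

The attack works because the two checks that matter, "is this name on the no-fly list" and "does this person's ID match the pass", are applied to two different pieces of paper. Authenticating the pass links them: the only pass the checkpoint will accept in Mallory's name is one the airline issued, and the airline will not issue it.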