Abstract
Designers of modern IT networks face tremendous security challenges. As systems grow ever more complex and connected, it is essential that they resist even previously unknown attacks. Using formal models to analyse the security of cryptographic protocols is a well-established practice; the security of complex networks, however, is often still evaluated in an ad-hoc fashion. We analyse the applicability of formal security models to complex networks and narrow the gap between security proofs for abstract cryptographic protocols and real-world systems. Specifically, we use the Universal Composability framework together with Katz et al.’s extensions for synchronous computation and bounded-delay channels [15], which allows us to model availability guarantees. We propose a 5-phase paradigm for specifying protocols in a clear representation. To factor out recurring formalisms and to simplify the definition of network topologies, we introduce two functionalities \(\mathcal {F}_{\mathsf {wrap}}\) and \(\mathcal {F}_{\mathsf {net}}\). Demonstrating the applicability of our approach, we re-prove Lamport et al.’s well-known solution to the Byzantine Generals Problem [16] with four parties. We further complete a result of Achenbach et al. [1], proving that a “firewall combiner” for three network firewalls is available.
References
Achenbach, D., Müller-Quade, J., Rill, J.: Universally Composable Firewall Architectures Using Trusted Hardware. In: Ors, B., Preneel, B. (eds.) BalkanCryptSec 2014. LNCS, vol. 9024, pp. 57–74. Springer, Heidelberg (2015). http://eprint.iacr.org/2015/099.pdf
Blum, M.: Coin flipping by telephone: a protocol for solving impossible problems. ACM SIGACT News 15(1), 23–27 (1983)
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd IEEE Symposium on Foundations of Computer Science, Proceedings, October 2001
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067. http://eprint.iacr.org/ (2013)
Canetti, R., Fischlin, M.: Universally composable commitments. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 19–40. Springer, Heidelberg (2001). doi:10.1007/3-540-44647-8_2
Chari, S., Jutla, C.S., Roy, A.: Universally composable security analysis of OAuth v2.0. IACR Cryptology ePrint Archive 2011, Report 2011/526 (2011)
Damgård, I., Dupont, K.: Universally composable disk encryption schemes. Cryptology ePrint Archive, Report 2005/333. http://eprint.iacr.org/2005/333 (2005)
Gajek, S., Manulis, M., Pereira, O., Sadeghi, A.-R., Schwenk, J.: Universally composable security analysis of TLS. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 313–327. Springer, Heidelberg (2008)
Hofheinz, D., Müller-Quade, J.: A synchronous model for multi-party computation and the incompleteness of oblivious transfer. In: FCS 2004, p. 117 (2004)
Hofheinz, D., Shoup, V.: GNUC: A new universal composability framework. IACR Cryptology ePrint Archive 2011, Report 2011/303 (2011)
Huang, H., Kirchner, H.: Formal specification and verification of modular security policy based on colored Petri nets. IEEE Trans. Dependable Secure Comput. 8(6), 852–865 (2011)
Ingols, K., Chu, M., Lippmann, R., Webster, S., Boyer, S.: Modeling modern network attacks and countermeasures using attack graphs. In: Computer Security Applications Conference, 2009, Annual, ACSAC 2009, pp. 117–126. IEEE (2009)
Kalai, Y.T., Lindell, Y., Prabhakaran, M.: Concurrent general composition of secure protocols in the timing model. In: Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing, pp. 644–653. ACM (2005)
Kang, M.H., Moskowitz, I.S., Chincheck, S.: The pump: a decade of covert fun. In: 21st Annual Computer Security Applications Conference, p. 7. IEEE (2005)
Katz, J., Maurer, U., Tackmann, B., Zikas, V.: Universally composable synchronous computation. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 477–498. Springer, Heidelberg (2013)
Lamport, L., Shostak, R., Pease, M.: The Byzantine generals problem. ACM Trans. Program. Lang. Syst. 4(3), 382–401 (1982). http://doi.acm.org/10.1145/357172.357176
Maurer, U.: Constructive cryptography – a new paradigm for security definitions and proofs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 33–56. Springer, Heidelberg (2012)
Maurer, U., Renner, R.: Abstract cryptography. In: Chazelle, B. (ed.) The Second Symposium in Innovations in Computer Science, ICS 2011, pp. 1–21. Tsinghua University Press, January 2011
Nielsen, J.B.: On protocol security in the cryptographic model. Ph.D. thesis, BRICS, Computer Science Department, University of Aarhus (2003)
Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008)
Pfitzmann, B., Waidner, M.: A model for asynchronous reactive systems and its application to secure message transmission. In: 2001 IEEE Symposium on Security and Privacy, S&P 2001, Proceedings, pp. 184–200. IEEE (2001)
A Firewalls Revisited
We give the full proof for Theorem 2 here.
Theorem 2
\(\pi _{\mathsf {parallel}}\) realises \(\mathcal {F}_{\mathsf {fw\text {-}ideal}}\) in the \(\mathcal {F}_{\mathsf {net}} ^{\mathsf {fw},\delta }\)-hybrid model.
Proof
We prove the theorem via game hopping, starting from the real model. In each step we modify the ideal functionality and argue that the modification is indistinguishable. We assume w.l.o.g. that \(\mathrm {fw}_3\) is corrupted. Encapsulate the network in a new machine \(\mathcal {S}\), introduce dummies for all \(\mathrm {fw}_i\) and \(\mathrm {hw}_i\), and construct a new machine \(\mathcal {F}_{\mathsf {fw\text {-}ideal}}\) which connects the dummy machines with their counterparts in the (now simulated) real network. Modify \(\mathcal {F}_{\mathsf {fw\text {-}ideal}}\) step-wise:
1. Introduce variables to keep state for the firewalls. When receiving \((\mathsf {input},m)\) through \(\mathrm {hw}_k\), evaluate the firewall functionalities \(\mathrm {F}_{\mathrm {fw_1}}\) and \(\mathrm {F}_{\mathrm {fw_2}}\), update the respective firewall states and save the output packets \(p_1\) and \(p_2\) in a list \(\mathsf {Q}_k\) as \((\mathsf {in},1,p_1,2\delta )\) and \((\mathsf {in},2,p_2,2\delta )\). This modification stores additional information but does not alter the communication and is thus indistinguishable.
2. When being advised to output a message p for a party \(\mathrm {hw}_k\) by the simulator, only do so if there is an entry \((\mathsf {in},i,p,d)\) in \(\mathsf {Q}_k\), and delete that entry. Every message scheduled by the simulator in this manner was output by one of the firewalls in its simulation. Consequently, this message is also stored in \(\mathsf {Q}_k\). The real protocol party \(\mathrm {fw}_k\) will internally delete all messages it outputs. Thus, this modification is indistinguishable.
3. When a packet p is output based on any entry \((\dots ,i,p,d)\) in \(\mathsf {Q}_k\), check if there is another entry \((\dots ,j,p,d)\) with \(i \ne j\). If so, delete that entry as well. If not, add an entry \((\mathsf {missing},|i-3|,p,d)\) to \(\mathsf {Q}_k\). Further, when receiving \((\mathsf {input},m)\) through \(\mathrm {hw}_k\) and evaluating the firewall functionalities, before saving the resulting packets \(p_1\) and \(p_2\), check if there is an entry \((\mathsf {missing},1,p_1,2\delta )\) or \((\mathsf {missing},2,p_2,2\delta )\) in \(\mathsf {Q}_k\). If there is, remove that entry and do not save the resulting packet. This modification is indistinguishable as \(\mathcal {F}_{\mathsf {fw\text {-}ideal}}\) now implements the exact behaviour of \(\mathrm {hw}_1\) and \(\mathrm {hw}_2\).
4. Add \(\mathcal {F}_{\mathsf {wrap}}\) as a wrapper around \(\mathcal {F}_{\mathsf {fw\text {-}ideal}}\). When receiving \((\mathsf {RoundComplete})\) from \(\mathcal {F}_{\mathsf {wrap}}\), decrease the delay value d of each entry in \(\mathsf {Q}_1\) and \(\mathsf {Q}_2\) by 1 and send \((\mathsf {RoundComplete})\) to the simulator. When being advised to output a packet p for party \(\mathrm {hw}_k\) by the simulator, instead of outputting the packet immediately, replace the corresponding entry in \(\mathsf {Q}_k\) by \((\mathsf {deliver},i,p,d)\). When being asked to provide output for party \(\mathrm {hw}_j\) by \(\mathcal {F}_{\mathsf {wrap}}\), check if there is an entry in \(\mathsf {Q}_j\) with \(d=0\). If so, output that packet. If not, check if there is an entry marked for delivery. If so, output the corresponding packet. Always perform the output according to the mechanism described in Step 3.
The simulator’s simulation of the real network is not perfect after transformation step 4. Concretely, \(\mathcal {S}\) is not notified of the fourth activation (“output”) of honest protocol parties. However, as we argued in the proof of Theorem 1, the output decision is made during prior activations. Hence, by \(\mathcal {S}\) announcing output early to \(\mathcal {F}_{\mathsf {fw\text {-}ideal}}\), \(\mathcal {S}\) and \(\mathcal {F}_{\mathsf {fw\text {-}ideal}}\) perfectly emulate the real protocol. (\(\mathcal {F}_{\mathsf {wrap}}\) delivers output after the fourth activation only.) \(\square \)
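As an added illustration that is not part of the original paper, the following Python model implements the queue bookkeeping that transformation steps 1 to 4 add to \(\mathcal {F}_{\mathsf {fw\text {-}ideal}}\): entries \((\mathsf {in},i,p,d)\), scheduling by the simulator, the \(\mathsf {missing}\) markers of step 3, and ageing of delays on \((\mathsf {RoundComplete})\). Everything concrete in it is an assumption of the example: the two honest firewall rules (a stateless port filter and a variant that forwards each packet one input later, so that the two honest firewalls disagree in timing), the packet format, the value \(\delta = 2\), and the use of one queue per input port. Two points the proof leaves implicit are also fixed by choice here: a \(\mathsf {missing}\) entry is matched on firewall index and packet only, and \(\mathsf {missing}\) entries are neither aged nor delivered. The two scenario functions show the two properties the proof relies on: a packet that no simulator ever schedules still leaves after \(2\delta\) rounds (availability), and a packet delivered early because the corrupted \(\mathrm {fw}_3\) sided with \(\mathrm {fw}_1\) is not delivered a second time when \(\mathrm {fw}_2\) produces it later, while a packet no honest firewall produced cannot be scheduled at all.

```python
"""Toy model of the bookkeeping that steps 1-4 of the proof add to F_fw-ideal.
Constructed illustration, not code from the paper: firewall rules, packet
format and delta are invented; fw_3 is corrupted and acts only via the simulator."""
from dataclasses import dataclass
from typing import Callable, Optional

# A firewall functionality F_fw_i: (state, input packet) -> (new state, output packet or None)
FwFunc = Callable[[dict, str], tuple]


@dataclass
class Entry:
    kind: str      # "in" (queued), "deliver" (scheduled by the simulator) or "missing"
    fw: int        # honest firewall index (1 or 2) the entry refers to
    packet: str
    delay: int     # remaining rounds before F_wrap forces delivery


class FwIdeal:
    def __init__(self, fw1: FwFunc, fw2: FwFunc, delta: int):
        self.fws = {1: fw1, 2: fw2}
        self.states = {1: {}, 2: {}}
        self.delta = delta
        self.queues = {1: [], 2: []}              # Q_1 and Q_2 of the proof

    def input(self, k: int, m: str) -> None:
        """Step 1 and the second half of step 3: run both honest firewalls on m."""
        q = self.queues[k]
        for i in (1, 2):
            self.states[i], p = self.fws[i](self.states[i], m)
            if p is None:
                continue                          # firewall i dropped the packet
            missing = next((e for e in q if e.kind == "missing" and e.fw == i and e.packet == p), None)
            if missing is not None:
                q.remove(missing)                 # other firewall's copy already went out: drop this one
            else:
                q.append(Entry("in", i, p, 2 * self.delta))

    def advise_output(self, k: int, p: str) -> bool:
        """Steps 2 and 4: the simulator may only schedule packets an honest firewall produced."""
        e = next((e for e in self.queues[k] if e.kind == "in" and e.packet == p), None)
        if e is None:
            return False                          # forged packet: the adversary cannot inject it
        e.kind = "deliver"
        return True

    def round_complete(self) -> None:
        """Step 4: F_wrap signals RoundComplete; every pending entry ages by one round."""
        for q in self.queues.values():
            for e in q:
                if e.kind != "missing":           # assumption of this model: markers are not aged
                    e.delay -= 1

    def output(self, j: int) -> Optional[str]:
        """Step 4 output rule, applying the step 3 de-duplication on every delivery."""
        q = self.queues[j]
        pending = [e for e in q if e.kind != "missing"]
        e = next((e for e in pending if e.delay <= 0), None)             # bounded delay expired
        if e is None:
            e = next((e for e in pending if e.kind == "deliver"), None)  # or scheduled early
        if e is None:
            return None
        q.remove(e)
        other = abs(e.fw - 3)                     # |i - 3|: the other honest firewall
        dup = next((d for d in q if d.kind != "missing" and d.fw == other and d.packet == e.packet), None)
        if dup is not None:
            q.remove(dup)                         # both honest firewalls agreed: drop the second copy
        else:
            q.append(Entry("missing", other, e.packet, e.delay))  # suppress the late copy
        return e.packet


def fw_filter(state: dict, m: str):
    """Constructed rule for F_fw_1: stateless, drop telnet (port 23), pass everything else."""
    return state, (None if m.split(":")[1] == "23" else m)


def fw_slow_filter(state: dict, m: str):
    """Constructed rule for F_fw_2: same filter, but forwards each packet one input later."""
    _, cur = fw_filter(state, m)
    return {"pending": cur}, state.get("pending")


def scenario_availability(delta: int = 2) -> list:
    """No simulator involvement at all: the packet still leaves after 2*delta rounds."""
    f = FwIdeal(fw_filter, fw_filter, delta)
    f.input(1, "tcp:80:GET /")
    f.input(1, "tcp:23:login")                    # dropped by both firewalls, never queued
    outs = []
    for _ in range(2 * delta + 1):
        outs.append(f.output(1))
        f.round_complete()
    return outs


def scenario_early_delivery(delta: int = 2) -> tuple:
    """Corrupted fw_3 sides with fw_1: p1 goes out early, fw_2's later copy is suppressed."""
    f = FwIdeal(fw_filter, fw_slow_filter, delta)
    p1, p2 = "tcp:443:hello", "tcp:443:world"
    f.input(1, p1)                                # queues (in, 1, p1); fw_2 holds p1 back
    forged = f.advise_output(1, "tcp:443:forged") # produced by no honest firewall: refused
    scheduled = f.advise_output(1, p1)
    first = f.output(1)                           # p1 delivered, (missing, 2, p1) recorded
    f.input(1, p2)                                # fw_2 now emits p1, which is dropped
    return forged, scheduled, first, [(e.kind, e.fw, e.packet) for e in f.queues[1]]
```

In `scenario_availability` the only output in \(2\delta + 1\) activations is the filtered packet, in the last one; in `scenario_early_delivery` the queue afterwards holds only \((\mathsf {in},1,p_2)\), i.e. \(p_1\) was delivered exactly once and the forged packet never entered the queue.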
Copyright information
© 2016 Springer International Publishing Switzerland
Cite this paper
Achenbach, D., Müller-Quade, J., Rill, J. (2016). Synchronous Universally Composable Computer Networks. In: Pasalic, E., Knudsen, L. (eds) Cryptography and Information Security in the Balkans. BalkanCryptSec 2015. Lecture Notes in Computer Science(), vol 9540. Springer, Cham. https://doi.org/10.1007/978-3-319-29172-7_7
DOI: https://doi.org/10.1007/978-3-319-29172-7_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-29171-0
Online ISBN: 978-3-319-29172-7