52 Things: Number 30: Roughly outline the BR security definition for key agreement

This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know To Do Cryptography': a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. This week we look at a security definition for authenticated key exchange.


Establishing a shared key between two parties is one of the oldest problems in cryptography, and turns out to be much harder than standard encryption, even when just considering definitions. Although the classic Diffie-Hellman protocol from 1976 seems to solve the problem, it provides no authenticity guarantee - i.e. that a key has been agreed with the right person - since a man-in-the-middle attack can easily be performed.


To model this kind of attack, and others, we need a security definition. There are two main approaches when defining the security of a key exchange protocol, namely those based on a symbolic model and those using a computational model. In the symbolic model, which became popular in the '90s after the classic paper on BAN logic, techniques from formal methods are used to model and analyse a protocol. The symbolic model is good for identifying attacks, and analysis in it can be semi-automated using theorem provers, but it is difficult for the underlying logic to capture all classes of attacks, so analysis in this model does not provide strong security guarantees.


In their seminal 1993 paper, Bellare and Rogaway instead created a game-based security definition for authenticated key exchange in a computational model, similar to the IND-CPA and IND-CCA definitions for encryption. In this model, cryptographic primitives are not assumed to be unbreakable, but instead we attempt to quantify the success probability of an adversary by computing their 'advantage' in a security game. The main feature of an adversary that we wish to encompass is that all communication is under the adversary's control: they can read, modify, delay and replay messages. They can also run any number of instances of the protocol simultaneously with other parties. The intuition behind the AKA security game is that the only way an adversary can get a party to accept an agreed key is by forwarding honest messages from a genuine protocol run, in which case they cannot possibly learn anything new.


The security game consists of a number of different oracles that an adversary can query. The three main oracles are the corruption oracle, which allows the adversary to take control of a chosen party; the key registration oracle, which registers a public key for any chosen user; and the message oracle, which is the main oracle used for passing messages. Note that messages are not sent directly between the participants; instead the adversary relays them using the message oracle.


The message oracle is the main oracle allowing the adversary to create protocol sessions with parties (where they aim to establish a short-term, or ephemeral, shared key) and send messages. When querying the oracle, they can take one of the following actions:

  • Start a new session between two users
  • Learn the secret key of any terminated session
  • Send a message in an existing session and receive the response

The security game follows the real-or-random paradigm, similarly to standard definitions of encryption, by choosing a secret bit b; if b=0 then the adversary is given a random key for its challenge, otherwise it gets the real key. After interacting with the oracles, the adversary chooses a single session that has terminated, in which neither party is corrupted and there is no 'matching' conversation whose key has been revealed (to prevent a trivial break), and receives a challenge key for this session. They win the game if they correctly guess b.


A protocol is said to be a secure authenticated key exchange protocol if it is correct, and any adversary's strategy in the above game is no better than random guessing. The above outline is only a rough sketch, of course, and there are many further details in the paper.
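As an added illustration (not code from the original post or from the Bellare-Rogaway paper), the following Python models the game's bookkeeping: Start, Send, Reveal and Corrupt oracles, the matching-conversation relation, and the freshness rule that the Test query enforces to rule out trivial breaks. The two-message nonce exchange keyed by a constructed pre-shared secret is only a placeholder protocol to drive the oracles, and `relay_honest_run` is an adversary that does nothing but forward honest messages.

```python
import hashlib, secrets

class Session:
    def __init__(self, owner: str, peer: str):
        self.owner, self.peer, self.transcript = owner, peer, []  # transcript: messages seen, in order
        self.key, self.revealed = None, False                     # key is set when the session terminates

class BRGame:
    def __init__(self, psk: dict):
        self.psk = psk                  # {frozenset({A, B}): long-term secret}, constructed for the toy protocol
        self.b = secrets.randbits(1)    # hidden real-or-random bit
        self.corrupted, self.sessions = set(), []
    def start(self, owner: str, peer: str) -> int:
        self.sessions.append(Session(owner, peer))
        return len(self.sessions) - 1
    def send(self, sid: int, msg=None) -> bytes:
        # placeholder two-message protocol: nonce exchange, key = H(psk || nA || nB)
        s = self.sessions[sid]
        if s.key is not None: raise ValueError("session already terminated")
        if msg is None:                               # initiator: send own nonce
            s.transcript.append(secrets.token_bytes(16))
            return s.transcript[0]
        s.transcript.append(msg)
        reply = b""
        if len(s.transcript) == 1:                    # responder: answer with own nonce
            reply = secrets.token_bytes(16)
            s.transcript.append(reply)
        s.key = hashlib.sha256(self.psk[frozenset({s.owner, s.peer})] + b"".join(s.transcript)).digest()
        return reply
    def matching(self, sid: int, tid: int) -> bool:  # matching conversations: swapped roles, same transcript
        s, t = self.sessions[sid], self.sessions[tid]
        return (s.owner, s.peer) == (t.peer, t.owner) and s.transcript == t.transcript
    def reveal(self, sid: int) -> bytes:             # key of a terminated session
        self.sessions[sid].revealed = True
        return self.sessions[sid].key
    def corrupt(self, party: str) -> None:
        self.corrupted.add(party)
    def fresh(self, sid: int) -> bool:               # conditions for a legal Test query
        s = self.sessions[sid]
        return (s.key is not None and not s.revealed and not {s.owner, s.peer} & self.corrupted
                and not any(t.revealed and self.matching(sid, tid) for tid, t in enumerate(self.sessions)))
    def test(self, sid: int) -> bytes:               # challenge: real key if b == 1, else a random key
        if not self.fresh(sid):
            raise ValueError("session not fresh: Test would be a trivial break")
        return self.sessions[sid].key if self.b else secrets.token_bytes(32)

def relay_honest_run(game: BRGame, a: str, b: str) -> tuple:  # adversary that only forwards messages
    sa, sb = game.start(a, b), game.start(b, a)
    game.send(sa, game.send(sb, game.send(sa, None)))
    return sa, sb
```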
posted @ 2024-04-12 21:30  3cH0_Nu1L