Formal Analysis of Electronic Voting Protocols
Steve Kremer
(based on joint work with S. Delaune, M. Ryan and B. Smyth)
INRIA Nancy - Grand Est
18/11/2011
FEVAD (the French e-commerce federation) figures:
- 78% of French people use remote selling
- 82% of remote selling is over the Internet
- online transactions: 25 billion euros
A first example: key exchange (message flow from the slide)
Alice → Intruder: aenc(sign(k, ska), pk(dki))
Intruder → Bob: aenc(sign(k, ska), pk(dkb))
Bob → (Alice): senc(s, k)
Question: when Bob (thinks he) executes the protocol with Alice, is k shared only between Bob and Alice?
NO! There is a man-in-the-middle attack: Alice runs a legitimate session with the intruder, who decrypts the signed key with its own dki and re-encrypts it under pk(dkb). Nothing in sign(k, ska) says whom the key was meant for, so Bob accepts it as coming from Alice, replies with senc(s, k), and the intruder, who knows k, reads s.
Does the protocol satisfy (⊨) a security property?
The protocol is executed in an adversarial environment. In this talk:
- protocols are modelled in the applied pi calculus
- attackers are any process which can be written in the applied pi calculus
- partial automation using the verification tool ProVerif
Symbolic analysis
Symbolic techniques (going back to [Dolev&Yao82]) have been widely used to
- find errors in protocols
- prove their correctness (in the given abstract model)
Main ingredients of symbolic models:
- messages = terms, e.g. enc(pair(s1, s2), k)
- perfect cryptography (deduction rules, rewrite systems/equational theories), e.g. dec(enc(x, y), y) = x, fst(pair(x, y)) = x, snd(pair(x, y)) = y
- unbounded adversary (no computational restrictions)
- the network is the attacker
State-of-the-art
Protocols for confidentiality and authentication have been well studied. In general, secrecy and authentication preservation is undecidable, but decidable for restricted classes.
For a bounded number of sessions:
- secrecy is co-NP-complete [RusinowitchTuruani01]
- several tools for detecting attacks (Casper, Avispa, ...)
- small system theorems: security for a bounded number of sessions implies security for an unbounded number of sessions [Lowe98], [Arapinis,K.,Delaune07]
For an unbounded number of sessions:
- for one-copy protocols, secrecy is DEXPTIME-complete [Cortier,Comon03] [Seidl,Verma04]
- for message-length bounded protocols, secrecy is DEXPTIME-complete [Durgin et al.99] [Chevalier et al.03]
Why care about decidability? ProVerif [Blanchet] is an efficient tool that has been used for analyzing industrial-scale protocols, but it offers no termination guarantee and false attacks are possible.
Our aim: apply such formal techniques to the analysis of electronic voting protocols.
S. Kremer (INRIA) Formal Analysis of Electronic Voting Protocols 18/11/2011 6 / 30
Electronic voting
Elections are a security-sensitive process which is the cornerstone of modern democracy.
Electronic voting promises a convenient, efficient and secure facility for recording and tallying votes for a variety of types of elections: from small committees or on-line communities through to full-scale national elections.
But: risk of large scale, undetected fraud!
Our goal: precise definitions of security properties which allow rigorous analysis of privacy properties and verifiability, and which make trust assumptions explicit.
A variety of properties
- Fairness: no early results can be obtained which could influence the remaining voters
- Eligibility: only legitimate voters can vote, and only once
- Privacy: the fact that a particular voter voted in a particular way is not revealed to anyone
- Receipt-freeness / Coercion-resistance: a voter cannot prove that she voted in a certain way (this is important to protect voters from coercion)
- Individual verifiability: a voter can verify that her vote was really counted
- Universal verifiability: anyone can verify that the published outcome really is the sum of all votes
- Eligibility verifiability: anyone can verify that all counted votes correspond to eligible voters
Observational equivalence
- automated proofs (not complete, termination not guaranteed) using the ProVerif tool [Blanchet]
- powerful proof techniques for hand proofs
Example: P = νs, k. out(c2, s)
Bob's role as an applied pi process
Alice → Bob: m1 = ⟨aenc(sign(k, ska), pkb), pk(ska)⟩
Bob → Alice: m2 = senc(s, xk)
Bob = in(c, ⟨x, pka⟩).
      let xs = adec(x, dkb) in
      if check(xs, pka) = ok then
      let xk = getmsg(xs, pka) in
      νs. out(c, senc(s, xk))
Confidentiality (P preserves the secrecy of s)
for all processes A we have that: if P | A →* Q then Q is not of the form out(c, s).Q1 | Q2
Observational equivalence (P ≈ Q)
for all processes A, we have that: A | P ⇓c if, and only if, A | Q ⇓c
(P ⇓c when P can send a message on the channel c)
Example 1: out(a, s) ≉ out(a, s')
  The attacker A = in(a, x). if x = s then out(c, ok) distinguishes them: A | out(a, s) ⇓c, but A | out(a, s') does not.
Example 2: νs. out(a, enc(s, k)). out(a, enc(s, k')) ≈ νs, s'. out(a, enc(s, k)). out(a, enc(s', k'))
  The two outputs look like two unrelated ciphertexts as long as k and k' stay out of the attacker's hands; if the attacker has both keys, decrypting both outputs and comparing the plaintexts distinguishes the two sides.
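The key-exchange example and its man-in-the-middle attack, Bob's process, and Examples 1 and 2 above can be replayed in a few lines of Python. The following is an added example written for this page, not code from the talk and not a ProVerif model: terms are nested tuples, normalise implements the rewrite rules quoted on the slides, run_mitm replays the attack, and distinguishes evaluates an attacker test in two frames. The bind_recipient variant, where Alice signs ⟨k, pk(dkb)⟩ so that Bob can check the key was meant for him, is a standard fix assumed here and not discussed on the slides; the names s2 and k2 stand for s' and k'.

```python
"""Dolev-Yao replay of the key-exchange slides: terms, rewrite rules, MITM, frames."""
from typing import Any, Dict, Optional

Term = Any                # atoms are strings, applications are tuples ('f', arg1, ...)
Frame = Dict[str, Term]   # handle -> term the attacker has observed so far


def is_app(t: Term, f: str) -> bool:
    return isinstance(t, tuple) and t[0] == f


def normalise(t: Term) -> Term:
    """Normal form under the perfect-cryptography rules used on the slides."""
    if not isinstance(t, tuple):
        return t
    f, *args = t
    args = [normalise(a) for a in args]
    a0 = args[0] if args else None
    if f == "adec" and is_app(a0, "aenc") and a0[2] == ("pk", args[1]):
        return a0[1]                                   # adec(aenc(x, pk(y)), y) = x
    if f == "sdec" and is_app(a0, "senc") and a0[2] == args[1]:
        return a0[1]                                   # sdec(senc(x, y), y) = x
    if f == "check" and is_app(a0, "sign") and args[1] == ("pk", a0[2]):
        return "ok"                                    # check(sign(x, y), pk(y)) = ok
    if f == "getmsg" and is_app(a0, "sign") and args[1] == ("pk", a0[2]):
        return a0[1]                                   # getmsg(sign(x, y), pk(y)) = x
    if f == "fst" and is_app(a0, "pair"):
        return a0[1]                                   # fst(pair(x, y)) = x
    if f == "snd" and is_app(a0, "pair"):
        return a0[2]                                   # snd(pair(x, y)) = y
    return (f, *args)                                  # no rule applies: stuck


def alice(k: Term, ska: str, peer_pk: Term, bind_recipient: bool) -> Term:
    """Alice's message aenc(sign(k, ska), pk(peer)). With bind_recipient the signed
    payload is pair(k, pk(peer)) (an assumed fix, not on the slides)."""
    payload = ("pair", k, peer_pk) if bind_recipient else k
    return ("aenc", ("sign", payload, ska), peer_pk)


def bob(msg: Term, dkb: str, pka: Term, bind_recipient: bool) -> Optional[Term]:
    """Bob's role from the slide. Returns senc(s, xk), or None where the process blocks."""
    xs = normalise(("adec", msg, dkb))
    if normalise(("check", xs, pka)) != "ok":
        return None
    xk = normalise(("getmsg", xs, pka))
    if bind_recipient:
        if normalise(("snd", xk)) != ("pk", dkb):
            return None                                # key was signed for someone else
        xk = normalise(("fst", xk))
    return ("senc", "s", xk)                           # s: Bob's fresh secret


def run_honest(bind_recipient: bool) -> Optional[Term]:
    """Alice really talks to Bob; the fix must keep this run working."""
    m1 = alice("k", "ska", ("pk", "dkb"), bind_recipient)
    return bob(m1, "dkb", ("pk", "ska"), bind_recipient)


def run_mitm(bind_recipient: bool) -> Optional[Term]:
    """Alice runs a session with the intruder (who owns dki); the intruder re-encrypts
    her signed key for Bob. Returns what the intruder learns from Bob's reply."""
    m1 = alice("k", "ska", ("pk", "dki"), bind_recipient)
    signed = normalise(("adec", m1, "dki"))            # strip the layer meant for the intruder
    m2 = bob(("aenc", signed, ("pk", "dkb")), "dkb", ("pk", "ska"), bind_recipient)
    if m2 is None:
        return None                                    # Bob rejected the replay
    k = normalise(("getmsg", signed, ("pk", "ska")))   # the intruder knows k in any case
    if bind_recipient:
        k = normalise(("fst", k))
    return normalise(("sdec", m2, k))


def apply_frame(recipe: Term, frame: Frame) -> Term:
    """Evaluate an attacker recipe: handles are replaced by the observed terms."""
    if isinstance(recipe, str):
        return frame.get(recipe, recipe)
    return normalise((recipe[0], *[apply_frame(r, frame) for r in recipe[1:]]))


def distinguishes(f1: Frame, f2: Frame, m: Term, n: Term) -> bool:
    """True if the test m = n holds in exactly one frame: a witness against P ≈ Q."""
    return (apply_frame(m, f1) == apply_frame(n, f1)) != (apply_frame(m, f2) == apply_frame(n, f2))


# Example 2 (s2, k2 stand for s', k'): the attacker's frame after both outputs, each side.
EX2_LEFT = {"x1": ("senc", "s", "k"), "x2": ("senc", "s", "k2")}
EX2_RIGHT = {"x1": ("senc", "s", "k"), "x2": ("senc", "s2", "k2")}

if __name__ == "__main__":
    print("intruder learns:", run_mitm(False), "/ with recipient bound:", run_mitm(True))
    print("Example 1, test x1 = s:", distinguishes({"x1": "s"}, {"x1": "s2"}, "x1", "s"))
    print("Example 2, test x1 = x2:", distinguishes(EX2_LEFT, EX2_RIGHT, "x1", "x2"))
    print("Example 2 if both keys leak:",
          distinguishes(EX2_LEFT, EX2_RIGHT, ("sdec", "x1", "k"), ("sdec", "x2", "k2")))
```

run_mitm(False) returns the atom "s", the secret Bob meant for Alice, while run_mitm(True) returns None because Bob's extra check on snd(xk) rejects a key signed for pk(dki). The frame test only shows that a particular recipe does or does not distinguish two frames; proving equivalence, as ProVerif does, means quantifying over all recipes, which this toy does not attempt.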
Equational theories for e-voting primitives
Blind signatures:
  getMess(sign(m, sk), pk(sk)) = m
  check(sign(m, sk), pk(sk)) = ok
  unblind(sign(blind(m, r), sk), r) = sign(m, sk)
Designated verifier proof of re-encryption: the term dvp(x, rencrypt(x, r), r, pkv) represents a proof, designated for the owner of pkv, that x and rencrypt(x, r) have the same plaintext.
  checkdvp(dvp(x, rencrypt(x, r), r, pkv), x, rencrypt(x, r), pkv) = ok
  checkdvp(dvp(x, y, z, skv), x, y, pk(skv)) = ok
The second equation lets the designated verifier (the holder of skv) forge a proof for any x, y: the proof convinces her but is worthless to anyone else, which is what makes it non-transferable.
The FOO voter process (ProVerif syntax):
  processV =
    new b; new c;                          (* blinding factor and commitment key *)
    let bcv = blind(commit(v, c), b) in
    out(ch, sign(bcv, skv));               (* ask the administrator to sign the blinded commitment *)
    in(ch, m2);
    if getMess(m2, pka) = bcv then         (* the administrator signed what was sent *)
    let scv = unblind(m2, b) in            (* scv = sign(commit(v, c), ska) *)
    phase 1;
    out(ch, scv);                          (* submit the signed commitment to the collector *)
    in(ch, (l, =scv));                     (* the collector publishes it under label l *)
    phase 2;
    out(ch, (l, c)).                       (* open the commitment *)
Formalisation of privacy
Classically, anonymity properties are modeled as observational equivalences between two slightly different processes P1 and P2, but:
- changing the identity does not work, as identities are revealed
- changing the vote does not work, as the votes are revealed at the end
- a correct protocol respecting privacy may in some situation reveal how a participant voted: the case of unanimity
Solution: consider 2 honest voters and swap their votes.
Vote privacy
A voting protocol respects privacy if S[V_A{a/v} | V_B{b/v}] ≈ S[V_A{b/v} | V_B{a/v}]
To model receipt-freeness we need to specify that a coerced voter cooperates with the coercer by leaking secrets on a channel ch.
P ::= 0 | P | Q | νn.P | in(u, x).P | out(u, M).P | if M = N then P else P | ...
P^ch in terms of P:
  0^ch = 0
  (P | Q)^ch = P^ch | Q^ch
  (νn.P)^ch = νn.out(ch, n).P^ch
  (in(u, x).P)^ch = in(u, x).out(ch, x).P^ch
  (out(u, M).P)^ch = out(u, M).P^ch
  ...
Receipt-freeness
Intuition: there exists a process V' which votes a, leaks (possibly fake) secrets to the coercer, and makes the coercer believe she voted c.
Definition (Receipt-freeness)
A voting protocol is receipt-free if there exists a process V' satisfying
  V'^{\out(chc,·)} ≈ V_A{a/v}
  S[V_A{c/v}^chc | V_B{a/v}] ≈ S[V' | V_B{c/v}]
Case study: Lee et al. protocol. We prove receipt-freeness by
- exhibiting V'
- showing that V'^{\out(chc,·)} ≈ V_A{a/v}
- showing that S[V_A{c/v}^chc | V_B{a/v}] ≈ S[V' | V_B{c/v}]
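An added example (not from the talk) implementing the P^ch transformation above on a small process syntax, so that the two sides of the receipt-freeness definition can be built mechanically. The if-then-else and replication cases are the "..." of the slide and are assumed; the hiding construct P^{\out(ch,·)} = νch.(P | !in(ch, x)) is the definition from the Delaune, Kremer, Ryan paper, not shown on the slides; VOTER is a constructed toy process, not a model of any real protocol.

```python
"""The P^ch transformation of the receipt-freeness slides, on a small process syntax."""
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class Nil:                     # 0
    pass

@dataclass(frozen=True)
class Par:                     # P | Q
    left: "Proc"
    right: "Proc"

@dataclass(frozen=True)
class New:                     # νn.P
    name: str
    cont: "Proc"

@dataclass(frozen=True)
class In:                      # in(u, x).P
    chan: str
    var: str
    cont: "Proc"

@dataclass(frozen=True)
class Out:                     # out(u, M).P   (the term M is kept as a string)
    chan: str
    term: str
    cont: "Proc"

@dataclass(frozen=True)
class If:                      # if M = N then P else Q
    lhs: str
    rhs: str
    then: "Proc"
    else_: "Proc"

@dataclass(frozen=True)
class Repl:                    # !P
    body: "Proc"

Proc = Union[Nil, Par, New, In, Out, If, Repl]


def leak(p: Proc, ch: str) -> Proc:
    """P^ch: the coerced voter forwards every fresh name and every input on ch."""
    if isinstance(p, Nil):
        return p                                                  # 0^ch = 0
    if isinstance(p, Par):
        return Par(leak(p.left, ch), leak(p.right, ch))           # (P | Q)^ch = P^ch | Q^ch
    if isinstance(p, New):
        return New(p.name, Out(ch, p.name, leak(p.cont, ch)))     # (νn.P)^ch = νn.out(ch, n).P^ch
    if isinstance(p, In):
        return In(p.chan, p.var, Out(ch, p.var, leak(p.cont, ch)))  # in(u, x).out(ch, x).P^ch
    if isinstance(p, Out):
        return Out(p.chan, p.term, leak(p.cont, ch))              # (out(u, M).P)^ch = out(u, M).P^ch
    if isinstance(p, If):                                         # "...": both branches (assumed)
        return If(p.lhs, p.rhs, leak(p.then, ch), leak(p.else_, ch))
    if isinstance(p, Repl):                                       # "...": (!P)^ch = !P^ch (assumed)
        return Repl(leak(p.body, ch))
    raise TypeError(f"unknown process {p!r}")


def hide_out(p: Proc, ch: str) -> Proc:
    """P^{\\out(ch,·)} = νch.(P | !in(ch, x)): outputs on ch are absorbed, so the
    coercer no longer sees them (definition assumed from the DKR paper)."""
    return New(ch, Par(p, Repl(In(ch, "x", Nil()))))


def leaked(p: Proc, ch: str) -> List[str]:
    """Terms the process sends on ch, in syntactic order (what a coercer receives)."""
    if isinstance(p, Nil):
        return []
    if isinstance(p, Par):
        return leaked(p.left, ch) + leaked(p.right, ch)
    if isinstance(p, If):
        return leaked(p.then, ch) + leaked(p.else_, ch)
    if isinstance(p, Repl):
        return leaked(p.body, ch)
    if isinstance(p, Out):
        return ([p.term] if p.chan == ch else []) + leaked(p.cont, ch)
    return leaked(p.cont, ch)                                     # New, In


def pretty(p: Proc) -> str:
    if isinstance(p, Nil):
        return "0"
    if isinstance(p, Par):
        return f"({pretty(p.left)} | {pretty(p.right)})"
    if isinstance(p, New):
        return f"ν{p.name}.{pretty(p.cont)}"
    if isinstance(p, In):
        return f"in({p.chan}, {p.var}).{pretty(p.cont)}"
    if isinstance(p, Out):
        return f"out({p.chan}, {p.term}).{pretty(p.cont)}"
    if isinstance(p, Repl):
        return f"!{pretty(p.body)}"
    return f"if {p.lhs} = {p.rhs} then {pretty(p.then)} else {pretty(p.else_)}"


# Constructed toy voter: fresh randomness r, a token t from the authority, then publish both.
VOTER = New("r", In("c", "t", Out("c", "pair(t, r)", Nil())))

if __name__ == "__main__":
    coerced = leak(VOTER, "chc")
    print(pretty(coerced))                 # νr.out(chc, r).in(c, t).out(chc, t).out(c, pair(t, r)).0
    print(leaked(coerced, "chc"))          # ['r', 't']
    print(pretty(hide_out(coerced, "chc")))
```

leaked is a purely syntactic view: it lists what the transformed process would send to the coercer, which is the data a receipt-freeness proof must show can be faked by the process V' of the definition. Whether V'^{\out(chc,·)} is observationally equivalent to V_A{a/v} is a semantic question that still needs a bisimulation proof or a tool.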
Coercion resistance
Like receipt-freeness, but the voter interacts with the coercer during the protocol (instead of just supplying data at the end).
Proposition
Let VP be a voting protocol. Then VP is coercion-resistant ⇒ VP is receipt-free ⇒ VP respects privacy.
[ChadhaDelauneKremer09]: a definition of privacy given in an epistemic logic, shown to be equivalent.
Summary table (per property, the trusted authorities each case-study protocol requires; cell contents lost in extraction):
Property: Vote-privacy (trusted authorities) | Receipt-freeness (trusted authorities) | Coercion-resistance (trusted authorities)
Currently, proofs are done by hand (and some lemmas proved by ProVerif).
[Abadi, Blanchet, Fournet05] tries to prove a finer relation than observational equivalence:
- unbounded number of sessions
- relation not coarse enough for electronic voting protocols
- equational theories for electronic voting protocols not supported
Design of a symbolic semantics for the finite applied-pi calculus [Delaune, K., Ryan07]:
- Correct: symbolic bisimilarity implies observational equivalence
- Holds for any equational theory (decidability for subterm convergent equational theories)
- Incomplete but sufficient in practice
- Avoids infinite branching
- many more equational theories
- automated proof of privacy in the FOO protocol
End-to-end verifiability (auditability)
- Election results can be fully verified by voters/observers
- The software provided by election authorities does not need to be trusted
- The software used to perform the verification can be sourced independently
Election verifiability
Verify the election, not the system! Avoid the need to trust election software.
Individual verifiability: a voter can check her own vote is included in the tally.
Universal verifiability: anyone can check that the declared outcome corresponds to the tally.
Eligibility verifiability: anyone can check that only eligible votes are included in the declared outcome.
Remarks: verifiability ≠ correctness. What system components need to be trusted to achieve verifiability?
Election verifiability
We suppose that the protocol involves:
- Voter credentials (typically, a public part and a private part for each voter)
- A bulletin board, on which are placed entries corresponding to voters' outputs
Election verifiability: a protocol satisfies election verifiability if there are tests IV, UV and EV satisfying certain acceptability conditions.
A voting protocol satisfies IV and UV if there exist tests IV, UV such that
Soundness. In all possible protocol runs (and resulting bulletin boards):
- a same BB entry cannot validate IV for two different voters
- UV can only validate one outcome
- if the IVs hold on s1, ..., sn then UV only validates this outcome
Effectiveness. There exists a successful protocol run such that IV, UV hold.
Example: FOO
What are the minimal parts of the protocol to be trusted? The voting process
  V_foo = νrnd. out(c, v). out(c, rnd)
where rnd is intended to be the randomness used for the commitment.
Remark: other properties need different trust assumptions!
The expected BB entry should be ⟨r, commit(r, v)⟩. Define the tests
  IV = ( y =_E ⟨r, commit(r, v)⟩ )
  UV = ( Σ_{1≤i≤n} v_i =_E Σ_{1≤i≤n} open(π1(y_i), π2(y_i)) )
Theorem: V_foo satisfies individual and universal verifiability.
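An added example (not from the talk or the underlying paper) that runs the IV and UV tests of the FOO example on a constructed bulletin board. The commitment is kept symbolic (a tagged tuple with the single rule open(r, commit(r, v)) = v), the formal sum in UV is read as multiset equality, and the rands argument stands in for νrnd so that runs are repeatable; all of these are modelling choices made here. The substituted-entry board in the usage shows why IV is needed alongside UV.

```python
"""IV and UV tests of the FOO example, run on a constructed bulletin board."""
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

Commit = Tuple[str, str, str]      # ('commit', r, v): opaque symbolic commitment term
Entry = Tuple[str, Commit]         # bulletin-board entry ⟨r, commit(r, v)⟩
Record = Tuple[str, str]           # what the voter keeps after V_foo: (rnd, v)


def commit(r: str, v: str) -> Commit:
    return ("commit", r, v)


def open_commit(r: str, c) -> Optional[str]:
    """open(r, commit(r, v)) = v; any other argument is stuck (None)."""
    if isinstance(c, tuple) and len(c) == 3 and c[0] == "commit" and c[1] == r:
        return c[2]
    return None


def run_election(votes: Sequence[str], rands: Sequence[str]):
    """Honest run: each voter executes V_foo = νrnd.out(c, v).out(c, rnd), so the
    board ends up with ⟨rnd, commit(rnd, v)⟩ per voter. rands stands in for the
    fresh names (passed explicitly so the run is repeatable).
    Returns (voters' private records, bulletin board, declared outcome)."""
    if len(set(rands)) != len(rands):
        raise ValueError("νrnd: randomness must be fresh for every voter")
    records: List[Record] = list(zip(rands, votes))
    board: List[Entry] = [(r, commit(r, v)) for r, v in records]
    return records, board, list(votes)


def iv_matches(record: Record, board: Sequence[Entry]) -> int:
    """How many board entries y satisfy IV: y =_E ⟨r, commit(r, v)⟩ for this voter."""
    r, v = record
    return sum(1 for y in board if y == (r, commit(r, v)))


def IV(record: Record, board: Sequence[Entry]) -> bool:
    return iv_matches(record, board) >= 1


def UV(outcome: Sequence[str], board: Sequence[Entry]) -> bool:
    """Σ v_i =_E Σ open(π1(y_i), π2(y_i)), reading the formal sum as a multiset."""
    opened = [open_commit(y[0], y[1]) for y in board]
    if any(o is None for o in opened):
        return False                   # an entry that does not open cannot be counted
    return Counter(outcome) == Counter(opened)


def audit(records: Sequence[Record], board: Sequence[Entry], outcome: Sequence[str]) -> Dict:
    """What voters and observers can check; 'unique' is the soundness condition
    that no single entry validates IV for two different voters."""
    return {
        "IV": [IV(rec, board) for rec in records],
        "UV": UV(outcome, board),
        "unique": all(iv_matches(rec, board) == 1 for rec in records)
                  and len({(r, commit(r, v)) for r, v in records}) == len(records),
    }


if __name__ == "__main__":
    recs, bb, outcome = run_election(["yes", "no", "yes"], ["r1", "r2", "r3"])
    print("honest run:", audit(recs, bb, outcome))
    # A dishonest board replaces the first voter's entry with one of its own making and
    # declares an outcome that matches the board: UV passes, only that voter's IV fails.
    bad = [("r9", commit("r9", "no"))] + bb[1:]
    print("substituted entry:", audit(recs, bad, ["no", "no", "yes"]))
```

Two voters who cast the same vote still hold different records because rnd is fresh, which is why each IV matches exactly one entry; if the randomness were reused (the ValueError case), one entry would validate IV for both voters and the soundness condition above would be violated.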
Election verifiability
A voting protocol satisfies election verifiability if there exist IV, UV, EV such that, additionally,
Soundness. In all possible protocol runs:
- given a set of ballots, EV holds for a unique list of credentials
- given a set of credentials, EV holds only on these credentials
- if the IVs hold for credentials c1, ..., cn then EV holds only for these credentials
Effectiveness. There exists a successful protocol run such that IV, UV and EV hold.
3 case studies:
- Fujioka et al. [FOO92]: IV, UV but not EV
- Helios 2.0 by Adida et al. [AdMPQ09]
- Juels et al. [JCJ05] (implemented as CIVITAS in [CCM08]): verifies full EV, with several trust assumptions
- decision procedures (more equational theories)
- combination: decidable for E1 and E2 ⇒ decidable for E1 ∪ E2
- composition: νk.P ≈ νk.Q ⇒ νk.(P | R) ≈ νk.(Q | R)
- analyse more protocols used in real Internet elections
- similar properties in other applications, e.g. receipt-freeness in auction protocols [Jonker et al.10], privacy properties in RFID protocols [Arapinis et al.10], [Brusò et al.10]