• Aucun résultat trouvé

A foul adversary: bribery, extortion and blackmail (Abstract)

N/A
N/A
Info
Télécharger
Protected

Academic year: 2021

Partager "A foul adversary: bribery, extortion and blackmail (Abstract)"

Copied!
2
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

A Foul Adversary: Bribery, Extortion and Blackmail (Extended Abstract)

Naipeng Dong and Tim Muller University of Luxembourg

To analyze security protocols, we need to know the power of the adversary.

Usually, it is assumed that the adversary has full control of the Internet. The adversary can also apply cryptographic functions, and even reason about all the information he accumulates in this way. Such an adversary is called a Dolev-Yao adversary. Still, we believe there are adversaries that have even more power.

The adversary can apply foul play, in particular, the foul adversary may bribe or extort participants. He can gain knowledge of their secret information, with a wallet, a gun or a compromising document in his hand.

Bribery, extortion and blackmail are different, not only in effectiveness (as a threat may be more convincing than money), but also in degree of cooperation of the victim. A bribe will usually cause a more active cooperation, whereas a threatened victim may cooperate more reluctantly. However, all various ways of coercion are essentially the same in the perspective of a security analyst: If there is a way for the foul adversary to verify that the victim is cooperating, then the victim must cooperate. If, however, the victim can pretend to cooperate but in reality does not, the victim probably will not cooperate. It does not really matter whether the victim is bribed, extorted or blackmailed.

For example, we have a security property, namely the secrecy of an email e.

The sender sends an email {e}k, and the receiver is able to open the email with key k. The adversary controls the internet, and can therefore see {e}k. He can reason about this message, he can apply keys to it, but it is ineffective. If the foul adversary coerces the sender or the receiver to provide the key, can he can do better? If e is a readable text, then the foul adversary can apply the key k that was provided by a victim, and decrypt {e}k with it. Only if k = k will the decryption yield a readable text, so the foul adversary can verify that the victim is cooperating, and hence the victim must cooperate. If e appears like random data, the foul adversary cannot verify whether k = k, and therefore cannot distinguish a cooperating victim from a cheating victim, and the victim thus has no reason to provide the real key k.

Nowadays, the Dolev-Yao adversary is used often in security analysis. It can, in a way, be considered as the strongest adversary, such that, if you are secure against a Dolev-Yao adversary, you are secure against any adversary. It is not, however, obvious what it means to be secure, as it depends on the security property in question. There are simple questions, such as: ‘Does the adversary know my secret information?’ or ‘Does the adversary know who I am?’, but one can compose more complex questions, such as: ‘Even though the adversary does not know who I am, can he figure out that I am the same person as yesterday?’

There is a particular type of compound property, which we will refer to as an

(2)

enforced property, that states that a property holds under the foul adversary.

These enforced properties are a hot topic, due to relevance in emerging areas in security, but also due to the complexity of the compound properties involved.

The ability of the adversary to force users is effectively modeled in the security property. Usually this is formulated as the lack of existence of a way for users to cheat the adversary.

In contrast to the classical approach, we propose to strengthen the adversary to a foul adversary, and keeping the security properties simple. This implies that we need to model the ability to force users to provide information as a part of the foul adversaries abilities. As mentioned earlier, the information provided by the user is true, only when the adversary can verify its correctness. Doing so models coercion for information only. However, we are also interested in the foul adversary’s ability to force users to perform actions (or make choices, have strategies, etc). We note that, if (and only if) the actions of users in question are private, the foul adversary cannot verify their actions, hence the users will generally not cooperate. The matter of coercing for actions can therefore be reduced to the matter of coercing for information.

There are two reasons to prefer our approach. Firstly, a properly modeled foul adversary can simplify manual and automated security protocol analysis.

In the current formalization of security properties, the protocol analyzer needs to explicitly specify a coerced user’s behavior in a certain context, which is inherently difficult. Furthermore, checking for the lack of existence of a way for a coerced user to cheat, is a hard problem. Secondly, on a more abstract level, one can wonder where the notion of coercion belongs. Intuitively, it makes more sense to encode coercion as an ability of the adversary, than as a strengthening of a security property.

The method we use to formulate a foul adversary is similar to the method Dolev and Yao used, in the sense that we take the best case scenario for the adversary. If there exists any way for a user A to make the foul adversary know a certain piece of information, then the strategy for A of giving all the infor- mation, all the time, is a valid strategy to make the foul adversary know that piece of information. We can turn that statement around, to see that; if A is fully cooperating with the adversary and the foul adversary still does not know a certain piece of information, that information is secret under a foul adversary.

Instead of modeling all coerced users sending all pieces of information all the time, it makes more sense to allow the foul adversary to reason using the infor- mation. It is, however, important to note that he will still need to verify this information before it becomes his knowledge. Therefore, the foul adversary will learn exactly all verifiable information that the coerced users have. A common way to model the ability of the adversary, is to provide a set of derivation rules, to define the knowledge of the adversary. To model a foul adversary, we take all the derivations of a Dolev-Yao adversary, and add rules for the aforementioned reasoning. The additional reasoning can now be formulated in a single rule; if a coerced agent has information, and the foul adversary can verify this information for correctness, then he has the information too.

Références

Télécharger maintenant ( PDF - 2 Page - 32.98 KB )

Documents relatifs

Model the system from adversary viewpoint: Threats identification and modeling

Although, with integration of ontology classes and subclasses into the SysML Attack Tree diagram, we already provided the partial reasoning capabilities to reason about

a) At T = T C there’s only one extremum that is a saddle point, so we can conclude that

An infinitesimal increase of the volume ∆v brings an increase in p int , so that the piston moves until another equilibrium point with a bigger volume. On the other hand, a

a) Assume that the number N = a n − 1 is prime. Show that N is a Mersenne prime, that is a = 2 and n is prime.

We define a partition of the set of integers k in the range [1, m−1] prime to m into two or three subsets, where one subset consists of those integers k which are < m/2,

Adversary lower bounds for nonadaptive quantum algorithms

Interestingly, the lower bound that we obtain is very closely related to the lower bounds on adaptive probabilistic query complexity due to Aaronson [1], and to Laplante and

We are supposed to believe that consciousness is a byproduct of the brain so that when the brain ceases to function, then so does consciousness

Using her mind power to zoom in, Maria saw that the object was actually a tennis shoe, and a little more zooming revealed that the shoe was well worn and the laces were tucked under

a the statement that other a The los a rcs the Silicon

The SSI32R21 OOR is a BiCMOS monolithic integrated circuit designed for use with two-terminal recording heads. It is intended for use in hard disk drive designs which require

that If that that

IOMATCH() must be disabled to prevent a read from terminating prematurely when the binary data appears as a decimal 10 (ie.. The format of the data stream into the Logic

We know that the Middle East is one of the areas of the world that is particularly threatened by the abuse of a variety of legal and illegal substances

Aware of the grave consequences of substance abuse, the United Nations system, including the World Health Organization, has been deeply involved in many aspects of prevention,