Sound approximations to diffie hellman using rewrite rules l.jpg
Advertisement
This presentation is the property of its rightful owner.
1 / 40

Sound Approximations to Diffie-Hellman using Rewrite Rules PowerPoint PPT Presentation

Sound Approximations to Diffie-Hellman using Rewrite Rules Christopher Lynch Catherine Meadows Naval Research Lab Cryptographic Protocol Analysis Formal Methods Approach usually ignores properties of algorithm But Algebraic Properties of Algorithm can be modeled as Equational Theory

Related searches for Sound Approximations to Diffie-Hellman using Rewrite Rules

Download Presentation

Sound Approximations to Diffie-Hellman using Rewrite Rules

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Sound approximations to diffie hellman using rewrite rules l.jpg

Sound Approximations to Diffie-Hellman using Rewrite Rules

Christopher Lynch

Catherine Meadows

Naval Research Lab


Cryptographic protocol analysis l.jpg

Cryptographic Protocol Analysis

  • Formal Methods Approach usually ignores properties of algorithm

  • But Algebraic Properties of Algorithm can be modeled as Equational Theory


Example dh protocol l.jpg

Example: DH Protocol

  • A ! B: gnA

  • B ! A: gnB

  • A ! B: e(h(exp(g,nB¢ nA)),m)

  • B ! A: e(h(exp(g,nA¢ nB)),m’)


Dh uses commutativity c l.jpg

DH uses Commutativity (C)

  • exp(g,nB¢ nA) = exp(g,nA¢ nB)

  • This can lead to attacks

  • Analysis using C-unification finds these attacks


C unification l.jpg

C-Unification

  • exp(g,X ¢ Y) = exp(g,nA¢ nB) has two solutions

  • Solution 1: [X  nA, Y  nB]

  • Solution 2: [X  nB, Y  nA]


C unification is exponential l.jpg

C-unification is Exponential

  • exp(g,X1 Xn) = exp(g,c1 cn) has 2n solutions

  • Let d1,,dn be a permutation of c1,,cn

    • 2n permutations exist

  • Then [X1 d1,,Xn dn] is a solution


Goal of paper l.jpg

Goal of Paper

  • Find an efficient theory H to approximate C soundly

  • i.e., an attack modulo H is an attack modulo C

  • But what about vice versa (that’s the hard part)


Our results l.jpg

Our Results

  • We found an efficient theory H which approximates C soundly

  • We gave simple properties for a DH protocol to satisfy

  • We showed that if a protocol has these properties then a C-attack can be converted to an H-attack


Basic properties l.jpg

Basic Properties

  • symmetric keys of form h(exp(g,nA¢ nB))

  • An honest principal can send exp(g,n)

  • h-terms appear nowhere else, exponent nonces appear nowhere else, exp-terms appear nowhere else


Properties preventing role confusion attacks l.jpg

Properties preventing Role Confusion Attacks

  • Messages encrypted with DH-key from Initiator and Responder must be of different form

  • Messages encrypted with DH-key must contain a unique strand id


Intruder l.jpg

Intruder

  • As usual, the intruder can see all messages, and modify, delete and create messages

  • Of course, the intruder does not have to obey any of these rules


About the properties l.jpg

About the Properties

  • Most DH-protocols for two principals satisfy these properties

  • They are syntactic, so it is easy to check if a protocol meets them


Who cares l.jpg

Who Cares?

  • A Protocol Developer: A protocol with these properties will have no attack based on commutativity

  • A Protocol Analyzer: If a protocol has these properties, analyze it using efficient H-theory. Only if it does not, then use C.


Contents of talk l.jpg

Contents of Talk

  • Representation of Protocol

  • Derivation Rules

  • Properties and Proof Techniques


Example of dh protocol l.jpg

Example of DH Protocol

  • A ! B: [exp(g,nA), nonce]

  • B ! A: [exp(g,nB),

    e(h(exp(g,nB¢ nA)),exp(g,nA))]

  • A ! B: e(h(exp(g,nA¢ nB)),ok)


Specification of protocol rules l.jpg

Specification of Protocol Rules

  • A: ! [exp(g,nA), nonce]

  • B: [Y, nonce] !

    [exp(g,nB), e(h(Y,nB),Y)]

  • A: [Z, e(h(exp(Z,nA),exp(g,nA))]

    ! e(h(exp(Z,nA),ok)


Instantiation of specification l.jpg

Instantiation of Specification

  • A: ! [exp(g,nA), nonce]

  • B: [exp(g,nA), nonce] ! [exp(g,nB),

    e(h(exp(g,nA¢ nB)),exp(g,nA))]

  • A:[exp(g,nB),

    e(h(exp(g,nB¢ nA)),exp(g,nA))]

    ! e(h(exp(g,nB¢ nA),ok)


Equation needed in protocol l.jpg

Equation needed in Protocol

  • Need to know that:

    h(exp(g,nA¢ nB)) = h(exp(g,nB¢ nA))

  • That’s where C is needed, but is there a more efficient H

  • h(exp(X,Y ¢ Z)) = h(exp(X,Z ¢ Y)) will work, but still not good enough


Modification of dh protocol l.jpg

Modification of DH Protocol

  • Assume inititiator uses function h1 and responder uses h2

  • A ! B: [exp(g,nA), nonce]

  • B ! A: [exp(g,nB),

    e(h2(exp(g,nB¢ nA)),exp(g,nA))]

  • A ! B: e(h1(exp(g,nA¢ nB)),ok)


New specification l.jpg

New Specification

  • A: ! [exp(g,nA), nonce]

  • B: [Y, nonce] !

  • [exp(g,nB), e(h2(Y,nB),Y)]

  • A: [Z, e(h1(exp(Z,nA),exp(g,nA))]

    ! e(h1(exp(Z,nA),ok)


New instantiation l.jpg

New Instantiation

  • A: ! [exp(g,nA), nonce]

  • B: [exp(g,nA), nonce] ! [exp(g,nB),

    e(h2(exp(g,nA¢ nB)),exp(g,nA))]

  • A:[exp(g,nB),

    e(h1(exp(g,nB¢ nA)),exp(g,nA))]

    ! e(h1(exp(g,nB¢ nA),ok)


Equation we now need l.jpg

Equation we now need

  • h2(exp(x,nA¢ nB)) = h1(exp(x,nB¢ nA))

  • So theory H will be

    h2(exp(X,Y ¢ Z)) = h1(exp(X,Z ¢ Y))


How efficient is h l.jpg

How Efficient is H

Using results from [LM01], we see that:

  • In H, all unifiable terms have a most general unifier

  • Complexity of H-unification is quadratic (usually linear in practice)


Completeness theorem l.jpg

Completeness Theorem

  • C theory is now exp(X,Y ¢ Z) = exp(X, Z ¢ Y) and h1(X) = h2(X)

  • Show that any attack modulo C can be converted to attack modulo H


Differences between h and c l.jpg

Differences between H and C

  • h1(exp(g, n1¢ n2)) equals h2(exp(g,n1¢ n2)) modulo H but not modulo C

  • h1(exp(g, n1¢ n2)) equals h1(exp(g, n2¢ n1)) modulo H but not modulo C

  • h1(exp(x, n1¢ n2¢ n3)) equals h2(exp(x, n3¢ n2¢ n1)) modulo H but not modulo C


Protocol instance l.jpg

Protocol Instance

A Protocol Instance has 2 parts

  • Protocol Rules

  • Derivation Rules to represent Intruder


Derivation rules l.jpg

Derivation Rules

  • [X,Y] ` X

  • [X,Y] ` Y

  • X, Y ` [X,Y]

  • privkey(A), enc(pubkey(A), X) ` X

  • pubkey(A), enc(privkey(A), X) ` X


More derivation rules l.jpg

More Derivation Rules

  • X, Y ` enc(X,Y)

  • X, Y ` e(X,Y)

  • X ` hi(X)

  • X, e(X,Y) ` Y

  • X,Y ` exp(X,Y)


Derivation modulo c l.jpg

Derivation modulo C

  • Recall rule X, e(X,Y) ` Y

  • Derivation modulo C:

    • X1 e(X2,Y) `CH Y

      if X1 =C X2


Example l.jpg

Example

  • h1(exp(x,nB¢ nI¢ nA)),

    e(h2(exp(x,nA¢ nI¢ nB)),m) `C m

  • But not h1(exp(x,nB¢ nI¢ nA)),

    e(h2(exp(x,nA¢ nI¢ nB)),m) `H m


How to convert from c to h l.jpg

How to convert from `C to `H

  • Requires Certain Properties

  • Use Rewrite System R so that S `C m implies S+R`H m+R

  • R: exp(X,Y) ! X if Y is not an honest principal nonce


Properties of protocol l.jpg

Properties of Protocol

  • hashed symmetric keys are of the form h(exp(X ¢ n)), where X eventually unifies with a term exp(g,n’)

  • h-terms appear nowhere else, exponent nonces appear nowhere else, exp-terms appear nowhere else


More interesting properties l.jpg

More Interesting Properties

  • A message encrypted with h1-term on RHS of protocol cannot unify with message encrypted with h2-term on LHS

    • Avoids role confusion attacks

  • Messages encrypted with hashed term must include a strand id in message

    • Avoids attacks involving different instances of same protocol or different protocols


Properties of derivable terms l.jpg

Properties of Derivable Terms

  • Honest Principals follow Protocol Rules

  • But Intruder can use derivation rules to create terms which disobey properties

  • Nevertheless, we show that there are certain properties that are preserved by derivation and protocol rules


Example properties of derivable terms l.jpg

Example Properties of Derivable Terms

  • There is a set N (honest principal nonces)

  • Elements of N only appear as exponent

  • If a term exp(g,t1 tn) is derivable

    • t1 and tn are in N or are derivable

    • t2,,tn-1 are derivable

    • if term is not a key, then tn derivable


More properties l.jpg

More Properties

  • There are many more properties

  • Some quite complicated

  • And many lemmas and theorems to prove them


Properties imply l.jpg

Properties Imply

  • Every term will reduce by R to a term with at most two exponents (all exponents not in N are removed by rewrite rules)

  • This and other properties imply that if s and t C-unify then s+R and t+R H-unify


Summary l.jpg

Summary

  • Suppose a DH-protocol obeys simple (easy to check) properties

  • Then it’s possible to discover attacks based on commutativity, using an efficient equational theory


Related work l.jpg

Related Work

  • Properties so that attacks modeling cancellation of encryption/decryption rules are found with free algebra

    • Symmetric Key [Millen 03]

    • Public Key [LM 04]


Future work l.jpg

Future Work

  • Other DH work

    • Don’t assume base is known

    • What about inverses?

    • Group DH-protocols

  • Hierarchy of Protocol Models [Meadows 03]


  • Login