# Sound Approximations to Diffie-Hellman using Rewrite Rules - PowerPoint PPT Presentation  Download Presentation Sound Approximations to Diffie-Hellman using Rewrite Rules

Sound Approximations to Diffie-Hellman using Rewrite Rules
Download Presentation ## Sound Approximations to Diffie-Hellman using Rewrite Rules

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
##### Presentation Transcript

1. Sound Approximations to Diffie-Hellman using Rewrite Rules Christopher Lynch Catherine Meadows Naval Research Lab

2. Cryptographic Protocol Analysis • Formal Methods Approach usually ignores properties of algorithm • But Algebraic Properties of Algorithm can be modeled as Equational Theory

3. Example: DH Protocol • A ! B: gnA • B ! A: gnB • A ! B: e(h(exp(g,nB¢ nA)),m) • B ! A: e(h(exp(g,nA¢ nB)),m’)

4. DH uses Commutativity (C) • exp(g,nB¢ nA) = exp(g,nA¢ nB) • This can lead to attacks • Analysis using C-unification finds these attacks

5. C-Unification • exp(g,X ¢ Y) = exp(g,nA¢ nB) has two solutions • Solution 1: [X  nA, Y  nB] • Solution 2: [X  nB, Y  nA]

6. C-unification is Exponential • exp(g,X1 Xn) = exp(g,c1 cn) has 2n solutions • Let d1,,dn be a permutation of c1,,cn • 2n permutations exist • Then [X1 d1,,Xn dn] is a solution

7. Goal of Paper • Find an efficient theory H to approximate C soundly • i.e., an attack modulo H is an attack modulo C • But what about vice versa (that’s the hard part)

8. Our Results • We found an efficient theory H which approximates C soundly • We gave simple properties for a DH protocol to satisfy • We showed that if a protocol has these properties then a C-attack can be converted to an H-attack

9. Basic Properties • symmetric keys of form h(exp(g,nA¢ nB)) • An honest principal can send exp(g,n) • h-terms appear nowhere else, exponent nonces appear nowhere else, exp-terms appear nowhere else

10. Properties preventing Role Confusion Attacks • Messages encrypted with DH-key from Initiator and Responder must be of different form • Messages encrypted with DH-key must contain a unique strand id

11. Intruder • As usual, the intruder can see all messages, and modify, delete and create messages • Of course, the intruder does not have to obey any of these rules

12. About the Properties • Most DH-protocols for two principals satisfy these properties • They are syntactic, so it is easy to check if a protocol meets them

13. Who Cares? • A Protocol Developer: A protocol with these properties will have no attack based on commutativity • A Protocol Analyzer: If a protocol has these properties, analyze it using efficient H-theory. Only if it does not, then use C.

14. Contents of Talk • Representation of Protocol • Derivation Rules • Properties and Proof Techniques

15. Example of DH Protocol • A ! B: [exp(g,nA), nonce] • B ! A: [exp(g,nB), e(h(exp(g,nB¢ nA)),exp(g,nA))] • A ! B: e(h(exp(g,nA¢ nB)),ok)

16. Specification of Protocol Rules • A: ! [exp(g,nA), nonce] • B: [Y, nonce] ! [exp(g,nB), e(h(Y,nB),Y)] • A: [Z, e(h(exp(Z,nA),exp(g,nA))] ! e(h(exp(Z,nA),ok)

17. Instantiation of Specification • A: ! [exp(g,nA), nonce] • B: [exp(g,nA), nonce] ! [exp(g,nB), e(h(exp(g,nA¢ nB)),exp(g,nA))] • A:[exp(g,nB), e(h(exp(g,nB¢ nA)),exp(g,nA))] ! e(h(exp(g,nB¢ nA),ok)

18. Equation needed in Protocol • Need to know that: h(exp(g,nA¢ nB)) = h(exp(g,nB¢ nA)) • That’s where C is needed, but is there a more efficient H • h(exp(X,Y ¢ Z)) = h(exp(X,Z ¢ Y)) will work, but still not good enough

19. Modification of DH Protocol • Assume inititiator uses function h1 and responder uses h2 • A ! B: [exp(g,nA), nonce] • B ! A: [exp(g,nB), e(h2(exp(g,nB¢ nA)),exp(g,nA))] • A ! B: e(h1(exp(g,nA¢ nB)),ok)

20. New Specification • A: ! [exp(g,nA), nonce] • B: [Y, nonce] ! • [exp(g,nB), e(h2(Y,nB),Y)] • A: [Z, e(h1(exp(Z,nA),exp(g,nA))] ! e(h1(exp(Z,nA),ok)

21. New Instantiation • A: ! [exp(g,nA), nonce] • B: [exp(g,nA), nonce] ! [exp(g,nB), e(h2(exp(g,nA¢ nB)),exp(g,nA))] • A:[exp(g,nB), e(h1(exp(g,nB¢ nA)),exp(g,nA))] ! e(h1(exp(g,nB¢ nA),ok)

22. Equation we now need • h2(exp(x,nA¢ nB)) = h1(exp(x,nB¢ nA)) • So theory H will be h2(exp(X,Y ¢ Z)) = h1(exp(X,Z ¢ Y))

23. How Efficient is H Using results from [LM01], we see that: • In H, all unifiable terms have a most general unifier • Complexity of H-unification is quadratic (usually linear in practice)

24. Completeness Theorem • C theory is now exp(X,Y ¢ Z) = exp(X, Z ¢ Y) and h1(X) = h2(X) • Show that any attack modulo C can be converted to attack modulo H

25. Differences between H and C • h1(exp(g, n1¢ n2)) equals h2(exp(g,n1¢ n2)) modulo H but not modulo C • h1(exp(g, n1¢ n2)) equals h1(exp(g, n2¢ n1)) modulo H but not modulo C • h1(exp(x, n1¢ n2¢ n3)) equals h2(exp(x, n3¢ n2¢ n1)) modulo H but not modulo C

26. Protocol Instance A Protocol Instance has 2 parts • Protocol Rules • Derivation Rules to represent Intruder

27. Derivation Rules • [X,Y] ` X • [X,Y] ` Y • X, Y ` [X,Y] • privkey(A), enc(pubkey(A), X) ` X • pubkey(A), enc(privkey(A), X) ` X

28. More Derivation Rules • X, Y ` enc(X,Y) • X, Y ` e(X,Y) • X ` hi(X) • X, e(X,Y) ` Y • X,Y ` exp(X,Y)

29. Derivation modulo C • Recall rule X, e(X,Y) ` Y • Derivation modulo C: • X1 e(X2,Y) `CH Y if X1 =C X2

30. Example • h1(exp(x,nB¢ nI¢ nA)), e(h2(exp(x,nA¢ nI¢ nB)),m) `C m • But not h1(exp(x,nB¢ nI¢ nA)), e(h2(exp(x,nA¢ nI¢ nB)),m) `H m

31. How to convert from `C to `H • Requires Certain Properties • Use Rewrite System R so that S `C m implies S+R`H m+R • R: exp(X,Y) ! X if Y is not an honest principal nonce

32. Properties of Protocol • hashed symmetric keys are of the form h(exp(X ¢ n)), where X eventually unifies with a term exp(g,n’) • h-terms appear nowhere else, exponent nonces appear nowhere else, exp-terms appear nowhere else

33. More Interesting Properties • A message encrypted with h1-term on RHS of protocol cannot unify with message encrypted with h2-term on LHS • Avoids role confusion attacks • Messages encrypted with hashed term must include a strand id in message • Avoids attacks involving different instances of same protocol or different protocols

34. Properties of Derivable Terms • Honest Principals follow Protocol Rules • But Intruder can use derivation rules to create terms which disobey properties • Nevertheless, we show that there are certain properties that are preserved by derivation and protocol rules

35. Example Properties of Derivable Terms • There is a set N (honest principal nonces) • Elements of N only appear as exponent • If a term exp(g,t1 tn) is derivable • t1 and tn are in N or are derivable • t2,,tn-1 are derivable • if term is not a key, then tn derivable

36. More Properties • There are many more properties • Some quite complicated • And many lemmas and theorems to prove them

37. Properties Imply • Every term will reduce by R to a term with at most two exponents (all exponents not in N are removed by rewrite rules) • This and other properties imply that if s and t C-unify then s+R and t+R H-unify

38. Summary • Suppose a DH-protocol obeys simple (easy to check) properties • Then it’s possible to discover attacks based on commutativity, using an efficient equational theory

39. Related Work • Properties so that attacks modeling cancellation of encryption/decryption rules are found with free algebra • Symmetric Key [Millen 03] • Public Key [LM 04]

40. Future Work • Other DH work • Don’t assume base is known • What about inverses? • Group DH-protocols • Hierarchy of Protocol Models [Meadows 03]