
On the Perfect Encryption Assumption in the Study of Security Protocols








  1. On the Perfect Encryption Assumption in the Study of Security Protocols. O. Pereira and J.-J. Quisquater, UCL Crypto Group, http://www.uclcrypto.org

  2. Outline • Definition of the “Perfect Encryption Assumption” • Example of an attack on a protocol using CBC • “New” attack on a protocol using RSA • Description of a model taking into account some properties of RSA • Conclusions

  3. Perfect Encryption Assumption • Is part of almost all formal models • May be expressed as follows: • « You need to possess the right key in order to extract any information from a given ciphertext » • « The only way to obtain the ciphertext {m}K is to encrypt the message m under the key K »

  4. In the Real World... • Perfect encryption does not hold! • First example: Cipher Block Chaining (CBC). Plaintext: P1 P2 … Pn. Ciphertext: C0 C1 C2 … Cn, where C0 = IV and Ci = {Ci-1 ⊕ Pi}K. For this scheme: if C0 C1 C2 … Ci Ci+1 … Cn = {P1 P2 … Pi Pi+1 … Pn}K then C0 C1 C2 … Ci = {P1 P2 … Pi}K, i.e. any prefix of a CBC ciphertext (IV included) is a valid encryption of the corresponding plaintext prefix under the same key, and anyone can produce it without K → in contradiction with the second part of the perfect encryption assumption! (Figure: one CBC step, Ci-1 and Pi fed through the block cipher under K to give Ci; not reproduced in the transcript.)

  5. Needham-Schroeder Symmetric Key Protocol • Aim of the protocol: • establish Kab as a shared secret key with the help of the server S • prove to each other that the key was correctly received 1. A → S : A.B.Na 2. S → A : {Na.B.Kab.{Kab.A}Kbs}Kas 3. A → B : {Kab.A}Kbs 4. B → A : {Nb}Kab 5. A → B : {Nb-1}Kab

  6. (Known) Attack on Needham-Schroeder (SK) 2. S → A : {Na.B.Kab.{Kab.A}Kbs}Kas 3. A → B : {Kab.A}Kbs From message 2, the CBC prefix property lets anyone compute {Na.B}Kas without knowing Kas → if size(Na) = size(Kab), this prefix has exactly the shape of a message 3 addressed to A as responder, so you can fool A into accepting the publicly known Na (sent in clear in message 1) as a key shared with B! The intruder C, impersonating B, replays it: 3'. C(B) → A : {Na.B}Kas 4'. A → C(B) : {Nc}Na 5'. C(B) → A : {Nc-1}Na
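The prefix property of slide 4 and the replay of slide 6, as an added worked example (not code from the slides or from the UCL Crypto Group). The block cipher is a toy 64-bit Feistel network with a SHA-256 round function, chosen here only so the example runs without external libraries; it is not a secure cipher. All keys, identifiers and nonces are constructed for the demo, and Na and Kab are both one block long, which is the size condition the slide states.

```python
import hashlib
import os

# Toy cipher for the demo: 64-bit blocks, 8 Feistel rounds, SHA-256 as round function.
# This construction is an assumption of the example, not something the slides specify.
BLOCK = 8
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    """Round function F: keyed hash of one 32-bit half, truncated to 32 bits."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Returns C0 C1 ... Cn with C0 = IV and Ci = E_K(C(i-1) xor Pi), as on slide 4."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [iv], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(prev, plaintext[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return b"".join(_xor(prev, block_decrypt(key, c)) for prev, c in zip(blocks, blocks[1:]))


def cbc_prefix(ciphertext: bytes, nblocks: int) -> bytes:
    """C0 C1 ... Ci: a valid CBC encryption of P1 ... Pi, produced without the key."""
    return ciphertext[:(nblocks + 1) * BLOCK]


def nssk_cbc_attack():
    """Slide 6: turn message 2 of Needham-Schroeder (symmetric key) into a forged message 3.
    Keys, names and nonces are constructed for the demo."""
    Kas, Kbs = os.urandom(16), os.urandom(16)      # long-term keys shared with S
    A, B = b"A".ljust(BLOCK), b"B".ljust(BLOCK)     # identifiers padded to one block
    Na, Kab = b"NONCE_A!", os.urandom(BLOCK)        # nonce and session key: same size
    # 2. S -> A : {Na.B.Kab.{Kab.A}Kbs}Kas   (Na and B fill the first two blocks)
    inner = cbc_encrypt(Kbs, os.urandom(BLOCK), Kab + A)
    msg2 = cbc_encrypt(Kas, os.urandom(BLOCK), Na + B + Kab + inner)
    # The intruder keeps C0 C1 C2 = {Na.B}Kas and replays it as message 3 to A.
    forged_msg3 = cbc_prefix(msg2, 2)
    # 3'. C(B) -> A : {Na.B}Kas   A, as responder, parses it as {K.X}Kas: key K shared with X.
    plain = cbc_decrypt(Kas, forged_msg3)
    key, peer = plain[:BLOCK], plain[BLOCK:]
    return key, peer, Na


if __name__ == "__main__":
    key, peer, Na = nssk_cbc_attack()
    print("A accepts key", key, "shared with", peer, "- equals the public Na:", key == Na)
```

The forged message is never decrypted or re-encrypted by the intruder; it is a byte-slice of message 2, which is exactly what the second part of the perfect encryption assumption says cannot happen.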

  7. Weaknesses of Block Ciphers • Often vulnerable to • chosen-plaintext attacks • chosen-ciphertext attacks • known-pair attacks (because of the risk of dictionary attacks, …) • Recent work by Stubblebine and Meadows aims at automatically detecting the risk of such problems

  8. Another Example: RSA • let K = (e, n) • {m1}K = m1^e mod n = c1 • {m2}K = m2^e mod n = c2 • Knowing {m1}K and {m2}K, you can compute {m1·m2}K = c1·c2 mod n without knowing m1·m2, and without encrypting anything yourself! c1·c2 = (m1·m2)^e mod n

  9. Needham-Schroeder-Lowe's Public-Key Protocol Everyone has the (fresh) public key of the other principals. Aim of the protocol: • prove each other's recent presence • establish Na and Nb as shared secrets A → B : {Na.A}Kb B → A : {Na.Nb.B}Ka A → B : {Nb}Kb

  10. Use of RSA • We suppose: • the RSA modulus is 1024 bits long • nonces are 64 bits long • identifiers are 32 bits long • null padding is used (the 96-bit value Na.A is completed with leading zeros) • at reception, principals check only the bits needed for the protocol's use • C ≡ 1 mod 8 (C is the identifier of the intruder) • A is one of the four identifiers such that A^2 mod 2^32 = C

  11. Resulting Flaw (message sequence chart; figure not reproduced in the transcript)

  12. How to compute Na from Nc1? (Figure: bit layout of Na.A, with A in the 32 least significant bits and Na above it, and of (Na.A)^2, with A^2 in the low 64 bits, Na^2 from bit 64 upwards and the cross term in between.) Na.A = 2^32·Na + A. The intruder squares the intercepted ciphertext: {Na.A}Kb^2 mod nb = {(Na.A)^2 mod nb}Kb, which B decrypts to Nc1.C = (Na.A)^2 mod nb = (2^32·Na + A)^2 mod nb = 2^64·Na^2 + 2^33·Na·A + A^2 (no reduction takes place: this value has at most 192 bits while nb is 1024 bits long)

  13. How to compute Na from Nc1? (II) It can be checked that: • the identifier read by B (the 32 least significant bits) is A^2 mod 2^32 = C • Nc1 (bits 32 to 95) is the sum, modulo 2^64, of • the 32 most significant bits of A^2 • the 64 least significant bits of 2·Na·A • 2^32 times the 32 least significant bits of Na^2 Solving this equation for Na leaves a few candidate values; the choice between the different solutions can be made by recomputing {Na.A}Kb for each candidate and comparing with the intercepted message

  14. Remarks • Increasing the size of the RSA modulus makes such attacks easier rather than harder (the squared message stays below the modulus, so no reduction disturbs the bit layout) • The following protocol does not permit this attack… A → B : {A.Na}Kb B → A : {B.Na.Nb}Ka A → B : {Nb}Kb • Instead of squaring messages, it is possible to multiply them by small encrypted factors: {f}Kb·{m}Kb = {f·m}Kb
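The squaring attack of slides 10 to 13 and the small-factor variant of slide 14, as an added worked example (our own code, not the authors' or the presentation's). It assumes textbook RSA with null padding, i.e. the message is the plain integer Na.A, and a constructed key whose modulus is the product of the Mersenne primes 2^521-1 and 2^607-1: a toy choice, insecure because both factors are public, that avoids prime generation while being far larger than the 192-bit square. B's parsing follows slide 10 (identifier in bits 0..31, nonce in bits 32..95, everything else ignored); the bit-by-bit solver that recovers Na from Nc1 is our reconstruction of slide 13's "solve for Na", not a method the slides spell out; identifier and nonce values are constructed.

```python
# Constructed key: Mersenne primes 2^521-1 and 2^607-1, a toy (and insecure) modulus
# of about 1128 bits. As slide 14 notes, a large modulus helps the attacker here:
# (Na.A)^2 < 2^192 is never reduced mod N.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

MASK32, MASK64 = (1 << 32) - 1, (1 << 64) - 1


def rsa_encrypt(m: int) -> int:
    """{m}Kb with null padding: the message is the bare integer m < N."""
    return pow(m, E, N)


def rsa_decrypt(c: int) -> int:
    return pow(c, D, N)


def pack_na_a(na: int, a_id: int) -> int:
    """Slide 12 layout of Na.A: 32-bit identifier in the low bits, 64-bit nonce above it."""
    return (na << 32) | a_id


def b_parse(m: int):
    """Slide 10: B checks only the bits it needs: identifier = bits 0..31, nonce = bits 32..95."""
    return m & MASK32, (m >> 32) & MASK64


def lift_mod_2k(g, bits: int):
    """All x in [0, 2**bits) with g(x) = 0 (mod 2**bits), lifting one bit at a time
    (Hensel style): a solution mod 2^(k+1) extends a solution mod 2^k by one bit."""
    cands = [0]
    for k in range(bits):
        mod = 1 << (k + 1)
        cands = [x | (b << k) for x in cands for b in (0, 1) if g(x | (b << k)) % mod == 0]
    return cands


def square_roots_mod_2_32(c_id: int):
    """Slide 10: the identifiers A with A^2 = C (mod 2^32); four of them when C = 1 (mod 8)."""
    return lift_mod_2k(lambda x: x * x - c_id, 32)


def nc1_from_na(na: int, a_id: int) -> int:
    """Slide 13: the nonce B reads out of (Na.A)^2 = 2^64 Na^2 + 2^33 Na A + A^2, i.e. bits 32..95."""
    return (pack_na_a(na, a_id) ** 2 >> 32) & MASK64


def recover_na(nc1: int, a_id: int, intercepted: int):
    """Slide 13: solve nc1_from_na(x, A) = Nc1 for x (A is odd, so the solution is unique
    except for its top bit), then keep the candidate that re-encrypts to the intercepted {Na.A}Kb."""
    cands = lift_mod_2k(lambda x: nc1_from_na(x, a_id) - nc1, 64)
    return [x for x in cands if rsa_encrypt(pack_na_a(x, a_id)) == intercepted]


def multiply_by_small_factor(c: int, f: int) -> int:
    """Slides 8 and 14: {f}Kb * {m}Kb = {f*m}Kb, computed from ciphertexts only."""
    return rsa_encrypt(f) * c % N


def run_attack(na: int, a_id: int):
    c = rsa_encrypt(pack_na_a(na, a_id))           # A -> B : {Na.A}Kb, intercepted by C
    c_id = (a_id * a_id) & MASK32                  # C's identifier: A is one of its roots mod 2^32
    c_squared = c * c % N                          # C -> B : {Na.A}Kb^2 = {(Na.A)^2}Kb
    ident, nc1 = b_parse(rsa_decrypt(c_squared))   # B decrypts (no reduction), reads C and Nc1
    # B -> C : {Nc1.Nb.B}Kc hands Nc1 to the intruder, who recovers Na from it.
    return ident == c_id, recover_na(nc1, a_id, c)


if __name__ == "__main__":
    a_id, na = 0x1234567B, 0x0F1E2D3C4B5A6978     # constructed 32-bit identifier (odd) and 64-bit nonce
    accepted_as_c, found = run_attack(na, a_id)
    print("B read C as sender:", accepted_as_c, " recovered Na:", [hex(x) for x in found])
```

The solver exploits the structure of slide 13 directly: Nc1 mod 2^(k+1) depends only on Na mod 2^k, so each bit of Na is fixed by the next bit of Nc1 and only the top bit is left ambiguous, which is why the final re-encryption check of slide 13 is needed.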

  15. Our Model • Classical atomic types: • Identifiers (A, B, …) • Nonces (Na, Nb, …) • Keys (Ka, Kb, …) • New atomic type: • Small multiplicative factors (f1, f2, …) • Distributivity of product on concatenation • f*(m1.m2) = (f*m1).(f*m2)

  16. Our Model (II) • Assumptions: • Distributivity: f *(m1.m2) = (f *m1).(f *m2) (for small f only) • The Intruder possesses identifiers C1 and C2 such that C1=f *A and C2=f *B (and the corresponding keys) • Checking : • We define a bounded system and check it with a standard model checker : SPIN

  17. Limiting our state space • Definition of a system • number of honest users • number of concurrent sessions • number of « small factors »

  18. Specificity of the Model • In other systems, authors use • « normalized derivations » (Marrero et al.) • « unique readability axioms » (Guttman et al.) • ... • We have to deal with • distributivity of « * » over « . » • … → several ways to obtain and read a given message!

  19. SPIN • Model checker developed at Bell Labs • Its input language (ProMeLa) allows the use of the integer type (with the basic operations) → modelling of a unique factor: f = 2 → definition of a range of values for each atomic type (A = 11, B = 12, C1 = 22, C2 = 24, ...) • Properties of multiplication are naturally taken into account!

  20. Conclusions • With this model, we found two similar flaws in the Needham-Schroeder-Lowe protocol in a few seconds • One solution to this problem is to add redundancy to the messages • Defining efficient redundancy is however difficult (see for instance Grieu's attack on the ISO/IEC 9796-1 signature scheme with redundancy, Eurocrypt 2000) • Another solution is to use distinct cryptographic primitives so that such algebraic properties cannot be exploited
