200 likes | 205 Views
Explore the perfect encryption assumption, attacks on protocols, RSA vulnerabilities, and models for enhancing security in this detailed study. Learn about weaknesses in block ciphers, Needham-Schroeder protocols, and effective RSA usage.
E N D
On the Perfect Encryption Assumption in the Study of Security Protocols O. Pereira and J.-J. Quisquater UCL Crypto Group http://www.uclcrypto.org
Outline • Definition of the “Perfect Encryption Assumption” • Example of an attack on a protocol using CBC • “New” attack on a protocol using RSA • Description of a model taking into account some properties of RSA • Conclusions
Perfect Encryption Assumption • Is part of almost all formal models • May be expressed as follows: • « You need to possess the good key in order to extract any information from a given ciphertext » • « The only way to compute the message {m}K is by encrypting the message m with the key K »
In the Real World... • Perfect Encryption is not true ! • First Example : Cipher Block Chaining (C.B.C.) PlainText : P1P2…Pn CipherText : C0C1C2…Cn Where C0 = IV, Ci = {Ci-1Pi}K For this scheme : If C0C1C2…CiCi+1…Cn = {P1P2…PiPi+1…Pn}K Then C0C1C2…Ci = {P1P2…Pi}K Opposition with the second part of the perfect encryption assumption! Ci-1 Ci Pi K
Needham-Schroeder Symmetric Key Protocol • Aim of the protocol : • establish Kab as shared secret key with the help of Server S • prove each the good reception of the key 1.AS : A.B.Na 2. SA : {Na.B.Kab.{Kab.A}Kbs}Kas 3. AB : {Kab.A}Kbs 4. BA : {Nb}Kab 5. AB : {Nb-1}Kab
(Known) Attack on Needham-Schroeder (SK) 2. SA : {Na.B.Kab.{Kab.A}Kbs}Kas 3. AB : {Kab.A}Kbs From 2. you can compute {Na.B}Kas if size(Na) = size(Kab) then you can fool A into accepting the publicly known Na as a shared key with B ! 3’. C(B)A : {Na.B}Kas 4’. AC(B) : {Nc}Na 5’. C(B)A : {Nc-1} Na
Weaknesses of Block Ciphers • Often sensitive to • Chosen-Plaintext Attacks • Chosen-Ciphertext Attacks • Known-Pair Attacks (due to the Risk of Dictionary Attacks, …) • Recent works of Stubblebine and Meadows in order to automatically detect the risk of such problems
Another Example : RSA • let K=(e,n) • {m1}K= m1e mod n = c1 • {m2}K= m2e mod n = c2 • Knowing {m1}K and {m2}K, you can compute {m1*m2}K=c1.c2 without knowing m1*m2 nor K ! c1.c2 = (m1*m2)e mod n
Needham-Schroeder-Lowe’s Public-Key Protocol Everyone has the (fresh) public key of the other principals Aim of the protocol : • prove each other recent presence • establish Na and Nb as shared secrets AB : {Na.A}Kb BA : {Na.Nb.B}Ka AB : {Nb}Kb
Use of RSA • We suppose : • RSA Modulus is 1024 bits long • Nonces are 64 bits long • Identifiers are 32 bits long • Null padding is used • At reception, principals check only the bits needed for protocol’s use • C 1 mod 8 (C is the identifier of the intruder) • A is one of the four identifiers such that A2 mod 232 = C
How to compute Na from Nc1 ? …0000… Na A …0000… Na2 A2 Na.A = 32 bits {Nc1.C} = {Na.A}2 mod nb = (232*Na+A)2mod nb = 264*Na2 + 233*Na*A+A2(nb is 1024 bits long)
How to compute Na from Nc ? (II) …0000… Na A …0000… Na2 A2 Na.A It can be checked that : • The identifier read by B will be A2 mod 232 = C • Nc1 is the sum of • The 32 most significant bits of A2 • The 64 least significant bits of 2*Na*A • 232 times the 32 least significant bits of Na2 The choice between the different solutions of this problem can be done by recomputing {Na.A}Kb
Remarks • An increase of the size of the RSA modulus make such attacks easier rather than the opposite • The following protocol does not permit this attack… AB : {A.Na}Kb BA : {B.Na.Nb}Ka AB : {Nb}Kb • Instead of squaring messages, it is possible to multiply them by small encrypted factors
Our Model • Classical atomic types: • Identifiers (A, B, …) • Nonces (Na, Nb, …) • Keys (Ka, Kb, …) • New atomic type: • Small multiplicative factors (f1, f2, …) • Distributivity of product on concatenation • f*(m1.m2) = (f*m1).(f*m2)
Our Model (II) • Assumptions: • Distributivity: f *(m1.m2) = (f *m1).(f *m2) (for small f only) • The Intruder possesses identifiers C1 and C2 such that C1=f *A and C2=f *B (and the corresponding keys) • Checking : • We define a bounded system and check it with a standard model checker : SPIN
Limiting our state space • Definition of a system • number of honest users • number of concurrent sessions • number of « small factors »
Specificity of the Model • In other systems, Authors use • « Normalized derivations » (Marrero & al.) • « Unique readability axioms » (Guttman & al.) • ... • We have to deal with • Distributivity of « * » on « . » • … Several ways to obtain and read messages!
SPIN • Model Checker developed at Bell Labs • Its input language (ProMeLa) allows the use of the integer type (with the basic operations) Modelling of a unique factor: f =2 Definition of a range of values for each atomic type (A=11, B=12, C1=22, C2=24, ...) • Properties of multiplication naturally taken into account !
Conclusions • With this model, we found two similar flaws in the Needham-Schroeder-Lowe Protocol in a few seconds • A solution to this problem is the adding of redundancies in the messages • The definition of efficient redundancies is however difficult (see Grieu’s attack on ISO/IEC 9796-1 signature scheme with redundancy for instance (eurocrypt 2000)) • Another solution is the use of distinct cryptographic primitives in order to prevent the exploitation of such properties