Cryptographic Protocol Models and Free Algebras Chris Lynch and Cathy Meadows Naval Research Laboratory
Idea • Cryptographic Protocol Analysis usually ignores properties of algorithms (Free Algebra Approach) • NRL Protocol Analyzer uses equational theories to model some algorithm properties (Equational Approach) • Under what conditions do the two approaches find the same attacks?
Why Study This (reason 1) • Equational Approach finds attacks that Free Algebra approach does not • However, equational unification can have higher complexity than syntactic unification • So an Analyzer would like to know what conditions require Equational Approach
Why Study This (reason 2) • A Protocol Developer can use our conditions as guidelines for developing protocols • Our conditions are simple and sensible • Then the Protocol Developer can be assured that no attacks will be caused by these algorithm properties
Our Results • Millen gave conditions to guarantee that Free Algebra approach is equivalent to Equational Approach (Cancellation Rules) for Shared Key Cryptography • He left Public Key Cryptography as an Open Problem. We solve that and generalize his results for shared key
Guidelines • Assume received encrypted/signed messages are structured because any message can be viewed as the encryption of a decrypted message • Only send structured encrypted messages to avoid intruder attacking you with a decrypted message • Must trust that keys are of proper type (encryption and signed keys are distinguished)
Alternative Guidelines • All encrypted/signed messages are structured • Do not directly encrypt/sign an encrypted/signed message • Easy to do, e.g., send encrypted messages with another piece of data • Don’t need to trust keys, and keys don’t need to be distinguished
Contents of Talk • Derivations for Cryptographic Protocol Analysis • Conditions where Free Algebra approach equals Equational Approach • Soundness Theorems • Conclusions and Future Work
Representing Keys • Key represented as pk(N,P,E), where • N = name of key • P = pub or priv • E = enc or sig • e.g. pk(a,pub,enc) is a key for public encryption for principal A • pe(pk(a,priv,sig),m) represents message m signed with A’s private key
Pure Protocols • In a protocol, we assume the second and third arguments to pk are not variables • A protocol is pure if it does not contain private encryption or public signature
Dolev Yao Model • Intruder can see all sent messages • Intruder can create and modify and send messages • We use derivation rules to model messages that Intruder can construct
Free Algebra • [X,Y]├ X • [X,Y]├ Y • X,Y├ [X,Y] • X, pk(K,pub,enc)├ pe(pk(K,pub,enc),X) • X, pk(K,priv,sig)├ pe(pk(K,priv,sig),X) • pe(pk(K,pub,enc),X), pk(K,priv,enc)├ X • pe(pk(K,priv,sig),X), pk(K,pub,sig)├ X
Equational Theory • pe(pk(K,pub,enc),pe(pk(K,priv,enc),X)) = X • pe(pk(K,priv,enc),pe(pk(K,pub,enc),X)) = X • pe(pk(K,pub,sig),pe(pk(K,priv,sig),X)) = X • pe(pk(K,priv,sig),pe(pk(K,pub,sig),X)) = X • Can be expressed as Confluent Rewrite System R
Additional Derivation Rules • X, pk(K,priv,enc)├ pe(pk(K,priv,enc),X) • X, pk(K,pub,sig)├ pe(pk(K,pub,sig),X) • Everything is reduced by R • Need to compare Original Derivation Rules with Extended Set (reducing by R)
Example 1 • Protocol: If A receives pe(pk(k,pub,enc),X) then A sends s • Attack: Send m to A • X = pe(pk(k,priv,enc),m) so A will send s • This cannot be detected by Free Algebra
Example 2 (Millen) • Protocol: A sends pe(pk(k,pub,enc),s) • If B receives pe(pk(k,pub,enc),pe(pk(c,pub,enc),X)) then B sends X • Attack: I sends pe(pk(k,pub,enc),s) to B • X = pe(pk(c,priv,enc),s) so B sends pe(pk(c,priv,enc),s) • If I knows pk(c,pub,enc) then I knows s
Example 3 • Protocol: If A receives X then A sends pe(pk(a,priv,sig),pe(pk(c,pub,enc),X)) • Attack: I sends pe(pk(c,priv,enc),s) to A • So A sends pe(pk(a,priv,sig),s)
Example 4 • Protocol: If A receives keys X and Y then A sends pe(X,pe(Y,s)) • Attack: I sends pk(c,pub,enc) and pk(c,priv,enc) to A • So A sends s
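Examples 3 and 4 can be replayed mechanically by treating the four equations as the rewrite system R and normalizing what A sends. The following is an added example, not part of the talk; the tuple encoding of terms and the function names (`substitute`, `normalize`, `reply`) are assumptions made for illustration.

```python
# Added example. Terms are nested tuples; strings starting with an uppercase
# letter are variables, other strings are constants (assumed encoding).
INVERSE = {"pub": "priv", "priv": "pub"}

def pk(name, half, use):
    return ("pk", name, half, use)

def pe(key, msg):
    return ("pe", key, msg)

def substitute(t, sigma):
    """Apply substitution sigma (dict: variable -> term) to term t."""
    if isinstance(t, str):
        return sigma.get(t, t)
    return (t[0],) + tuple(substitute(a, sigma) for a in t[1:])

def normalize(t):
    """Innermost normal form under R:
    pe(pk(K,h,u), pe(pk(K,h',u), X)) -> X, with h' the inverse half of h."""
    if isinstance(t, str):
        return t
    t = (t[0],) + tuple(normalize(a) for a in t[1:])
    if t[0] == "pe":
        key, body = t[1], t[2]
        if (isinstance(body, tuple) and body[0] == "pe"
                and isinstance(key, tuple) and key[0] == "pk"
                and isinstance(body[1], tuple) and body[1][0] == "pk"):
            inner = body[1]
            if (key[1], key[3]) == (inner[1], inner[3]) and key[2] == INVERSE.get(inner[2]):
                return body[2]
    return t

def reply(template, sigma, equational=True):
    """Message a principal sends once its variables are bound by sigma."""
    out = substitute(template, sigma)
    return normalize(out) if equational else out

# Example 3: A receives X, sends pe(pk(a,priv,sig), pe(pk(c,pub,enc), X)).
EX3 = pe(pk("a", "priv", "sig"), pe(pk("c", "pub", "enc"), "X"))
EX3_SIGMA = {"X": pe(pk("c", "priv", "enc"), "s")}
# Example 4: A receives keys X and Y, sends pe(X, pe(Y, s)).
EX4 = pe("X", pe("Y", "s"))
EX4_SIGMA = {"X": pk("c", "pub", "enc"), "Y": pk("c", "priv", "enc")}

if __name__ == "__main__":
    for name, tmpl, sig in (("Example 3", EX3, EX3_SIGMA), ("Example 4", EX4, EX4_SIGMA)):
        print(name, "free:", reply(tmpl, sig, False))
        print(name, "R:   ", reply(tmpl, sig, True))
```

With `equational=False` the reply keeps both encryption layers, which is how a free-algebra analysis sees it; with reduction by R the inner layers cancel.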
Finding Attacks • Millen and Shmatikov show that any reachability problem can be converted into a constraint problem • Given set of terms T and term t find σ such that Tσ ├ tσ • T represents sent messages • t represents received messages or secret
Setting up Constraint Problem • Interleave finitely many instances of protocol with terms Intruder wants to find • If constraint set has a simultaneous solution then terms are found by Intruder
Constraint Example • A sends t0 = pe(pk(c,pub,enc),pe(pk(k,pub,enc),s)) • If B receives pe(X,Y) then B sends Y • I knows c and I wants to know s • T1 = {c,t0} t1 = pe(X,Y) • T2 = {c,t0,Y} t2 = s • Solution is X=pe(pk(k,pub,enc),s), Y=s
PEV-free • A protocol is PEV-free if pe never has a variable for an argument • Theorem: If a protocol is pure and PEV-free, then any attack using Equational Approach can be converted to an attack in Free Algebra
Purification • Rewrite System P: • pe(pk(K,priv,enc),X) → X • pe(pk(K,pub,sig),X) → X • We actually show that the Equational attack can be converted into a purified attack in Free Algebra
Main Theorem • Suppose s1 … sn irreducible by R and s1 … sn ├ s in Equational Derivation • Then either s1↓P … sn↓P ├ s↓P in Free Algebra Derivation or si↓P = s↓P for some i • Also, s is irreducible by R
Main Lemmas • If t is pure and PEV-free and t and σ are irreducible by R then tσ is irreducible by R • If t and σ are pure then tσ is pure
Limitations of Approach • Encryption and Signature keys must be distinguished • Principals must trust that they receive a key of expected type (Trusted Server) • Approach only deals with pure protocols
Structured Protocols • Second argument of pe cannot be a variable or a pe-term (could just pair with a constant) • First argument is allowed to be a variable, which implies that Principals do not need to trust key types or distinguish keys • Results also apply to non-pure protocols
Structured Theorem • If a protocol is structured, then any attack in Equational Approach has a corresponding Free Algebra attack • In the non-pure case, the Free Algebra Derivation rules are same as Equational Derivation rules (except equational theory)
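The pure, PEV-free and structured conditions are syntactic, so a protocol's message patterns can be checked for them directly. The following is an added example, not part of the talk; the tuple encoding, the function names and the `ex3_tagged` term are assumptions, and `pure` is read here as "no pe-term uses a pk(_,priv,enc) or pk(_,pub,sig) key".

```python
# Added example. Assumed encoding of the talk's terms: tuples
# ("pe", key, msg), ("pk", name, half, use), ("pair", x, y); strings that
# start with an uppercase letter are variables.
def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def is_op(t, op):
    return isinstance(t, tuple) and t[0] == op

def pe_terms(t):
    """All pe-subterms of t, outermost first."""
    if not isinstance(t, tuple):
        return []
    here = [t] if t[0] == "pe" else []
    return here + [s for a in t[1:] for s in pe_terms(a)]

def pev_free(t):
    """pe never has a variable as an argument."""
    return not any(is_var(p[1]) or is_var(p[2]) for p in pe_terms(t))

def pure(t):
    """No private encryption and no public signature (fixed keys only)."""
    bad = {("priv", "enc"), ("pub", "sig")}
    return not any(is_op(p[1], "pk") and p[1][2:4] in bad for p in pe_terms(t))

def structured(t):
    """Second argument of pe is neither a variable nor a pe-term."""
    return not any(is_var(p[2]) or is_op(p[2], "pe") for p in pe_terms(t))

def audit(t):
    return {"pure": pure(t), "pev_free": pev_free(t), "structured": structured(t)}

K_ENC = ("pk", "k", "pub", "enc")
C_ENC = ("pk", "c", "pub", "enc")
A_SIG = ("pk", "a", "priv", "sig")
MESSAGES = {   # pe-patterns from the talk's Examples 1-4, plus a constructed variant
    "ex1": ("pe", K_ENC, "X"),
    "ex2": ("pe", K_ENC, ("pe", C_ENC, "X")),
    "ex3": ("pe", A_SIG, ("pe", C_ENC, "X")),
    "ex4": ("pe", "X", ("pe", "Y", "s")),
    "ex3_tagged": ("pe", A_SIG, ("pair", "tag", ("pe", C_ENC, ("pair", "tag", "X")))),
}

if __name__ == "__main__":
    for name, term in MESSAGES.items():
        print(name, audit(term))
```

All four example patterns fail both the PEV-free and the structured check, while the constructed `ex3_tagged` variant, which pairs each payload with a constant before encrypting or signing, passes all three.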
Conclusion • We now have a better understanding of relationship between Free Algebra and Equational Approach • We have guidelines for Protocol Developers • If they follow our guidelines, there is a guarantee that Cancellation Properties won’t cause attacks • We can easily tell if they are not followed, then use Equational Approach to analyze
Future Work • Other Equational Theories for other algorithms • Currently working on Diffie-Hellman, and have some conjectures $x^{ab} = x^{ba}$ • Cathy will talk about more future work