1 / 30

Cryptographic Protocol Models and Free Algebras

Cryptographic Protocol Models and Free Algebras. Chris Lynch and Cathy Meadows Naval Research Laboratory. Idea. Cryptographic Protocol Analysis usually ignores properties of algorithms (Free Algebra Approach)

lahela
Download Presentation

Cryptographic Protocol Models and Free Algebras

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cryptographic Protocol Models and Free Algebras Chris Lynch and Cathy Meadows Naval Research Laboratory

  2. Idea • Cryptographic Protocol Analysis usually ignores properties of algorithms (Free Algebra Approach) • NRL Protocol Analyzer uses equational theories to model some algorithm properties (Equational Approach) • Under what conditions, do the two approaches find the same attacks?

  3. Why Study This (reason 1) • Equational Approach finds attacks that Free Algebra approach does not • However, equational unification can have higher complexity than syntactic unification • So an Analyzer would like to know what conditions require Equational Approach

  4. Why Study This (reason 2) • A Protocol Developer can use our conditions as guidelines for developing protocols • Our conditions are simple and sensible • Then the Protocol Developer can be assured that no attacks will be caused by these algorithm properties

  5. Our Results • Millen gave conditions to guarantee that Free Algebra approach is equivalent to Equational Approach (Cancellation Rules) for Shared Key Cryptography • He left Public Key Cryptography as an Open Problem. We solve that and generalize his results for shared key

  6. Guidelines • Assume received encrypted/signed messages are structured • because any message can be viewed as the encryption of a decrypted message • Only send structured encrypted messages • to avoid intruder attacking you with a decrypted message • Must trust that keys are of proper type (encryption and signed keys are distinguished)

  7. Alternative Guidelines • All encrypted/signed messages are structured • Do not directly encrypt/sign an encrypted/signed message • Easy to do, e.g., send encrypted messages with another piece of data • Don’t need to trust keys, and keys don’t need to be distinguished

  8. Contents of Talk • Derivations for Cryptographic Protocol Analysis • Conditions where Free Algebra approach equals Equational Approach • Soundness Theorems • Conclusions and Future Work

  9. Representing Keys • Key represented as pk(N,P,E), where N = name of key P = pub or priv E = enc or sig • e.g. pk(a,pub,enc) is a key for public encryption for principal A • pe(pk(a,priv,sig),m) represents message m signed with A’s private key

  10. Pure Protocols • In a protocol, we assume the second and third arguments to pk are not variables • A protocol is pure if it does not contain private encryption or public signature

  11. Dolev Yao Model • Intruder can see all sent messages • Intruder can create and modify and send messages • We use derivation rules to model messages that Intruder can construct

  12. Free Algebra • [X,Y]├ X • [X,Y]├ Y • X,Y├ [X,Y] • X, pk(K,pub,enc)├ pe(pk(K,pub,enc),X) • X, pk(K,priv,sig)├ pe(pk(K,priv,sig),X) • pe(pk(K,pub,enc),X), pk(K,priv,enc)├ X • pe(pk(K,priv,sig),X), pk(K,pub,sig)├ X

  13. Equational Theory • pe(pk(K,pub,enc),pe(pk(K,priv,enc),X) = X • pe(pk(K,priv,enc),pe(pk(K,pub,enc),X) = X • pe(pk(K,pub,sig),pe(pk(K,priv,sig),X) = X • pe(pk(K,priv,sig),pe(pk(K,pub,sig),X) = X • Can be expressed as Confluent Rewrite System R

  14. Additional Derivation Rules • X, pk(K,priv,enc)├ pe(pk(K,priv,enc),X) • X, pk(K,pub,sig)├ pe(pk(K,pub,sig),X) • Everything is reduced by R • Need to compare Original Derivation Rules with Extended Set (reducing by R)

  15. Example 1 • Protocol: If A receives pe(pk(k,pub,enc),X) then A sends s • Attack: Send m to A • X = pe(pk(k,priv,enc),m) so A will send s • This cannot be detected by Free Algebra

  16. Example 2 (Millen) • Protocol: A sends pe(pk(k,pub,enc),s) • If B receives pe(pk(k,pub,enc),pe(pk(c,pub,enc),X)) then B sends X • Attack: I sends pe(pk(k,pub,enc),s) to B • X = pe(pk(c,priv,enc),s) so B sends pe(pk(c,priv,enc),s) • If I knows pk(c,pub,enc) then I knows s

  17. Example 3 • Protocol: If A receives X then A sends pe(pk(a,priv,sig),pe(pk(c,pub,enc),X)) • Attack: I sends pe(pk(c,priv,enc),s) to A • So A sends pe(pk(a,priv,sig),s)

  18. Example 4 • Protocol: If A receives keys X and Y then A sends pe(X,pe(Y,s)) • Attack: I sends pk(c,pub,enc) and pk(c,priv,enc) to A • So A sends s

  19. Finding Attacks • Millen and Shmatikov show that any reachability problem can be converted into a constraint problem • Given set of terms T and term t find σ such that Tσ ├ tσ • T represents sent messages • t represents received messages or secret

  20. Setting up Constraint Problem • Interleave finitely many instances of protocol with terms Intruder wants to find • If constraint set has a simultaneous solution then terms are found by Intruder

  21. Constraint Example • A sends t0 = pe(pk(c,pub,enc),pe(pk(k,pub,enc),s)) • If B receives pe(X,Y) then B sends Y • I knows c and I wants to know s • T1 = {c,t0} t1 = pe(X,Y) • T2 = {c,t0,Y} t2 = s • Solution is X=pe(pk(k,pub,enc),s), Y=s

  22. PEV-free • A protocol is PEV-free if pe never has a variable for an argument • Theorem: If a protocol is pure and PEV-free, then any attack using Equational Approach can be converted to an attack in Free Algebra

  23. Purification • Rewrite System P: • pe(pk(K,priv,enc),X) → X • pe(pk(K,pub,sig),X) → X • We actually show that the Equational attack can be converted into a purified attack in Free Algebra

  24. Main Theorem • Suppose s1 …snirreducible by R and s1 …sn ├ s in Equational Derivation • Then either s1↓P …sn↓P ├ s↓P in Free Algebra Derivation or si↓P =s↓P for some i • Also, s is irreducible by R

  25. Main Lemmas • If t is pure and PEV-free and t and σ are irreducible by R then tσ is irreducible by R • If t and σ are pure then tσ is pure

  26. Limitations of Approach • Encryption and Signature keys must be distinguished • Principals must trust that they receive a key of expected type (Trusted Server) • Approach only deals with pure protocols

  27. Structured Protocols • Second argument of pe cannot be a variable or a pe-term • could just pair with constant • First argument is allowed to be variable • implies that Principals do not need to trust key types or distinguish keys • Results also apply to non-pure protocols

  28. Structured Theorem • If a protocol is structured, then any attack in Equational Approach has a corresponding Free Algebra attack • In the non-pure case, the Free Algebra Derivation rules are same as Equational Derivation rules (except equational theory)

  29. Conclusion • We now have a better understanding of relationship between Free Algebra and Equational Approach • We have guidelines for Protocol Developers • If they follow our guidelines, there is a guarantee that Cancellation Properties won’t cause attacks • We can easily tell if they are not followed, then use Equational Approach to analyze

  30. Future Work • Other Equational Theories for other algorithms • We have similar result for Diffie-Hellman xab = xba • What else can we model?

More Related