420 likes | 435 Views
Sound Approximations to Diffie-Hellman using Rewrite Rules. Christopher Lynch Catherine Meadows Naval Research Lab. Example: DH Protocol. A ! B: x nA B ! A: x nB A ! B: e(h(exp(x,n B ¢ n A )),m) B ! A: e(h(exp(x,n A ¢ n B )),m’). Cryptographic Protocol Analysis.
E N D
Sound Approximations to Diffie-Hellman using Rewrite Rules Christopher Lynch Catherine Meadows Naval Research Lab
Example: DH Protocol • A ! B: xnA • B ! A: xnB • A ! B: e(h(exp(x,nB¢ nA)),m) • B ! A: e(h(exp(x,nA¢ nB)),m’)
Cryptographic Protocol Analysis • Formal Methods Approach usually ignores properties of algorithm • But Algebraic Properties of Algorithm can be modeled as Equational Theory (by using Equational Unification)
DH uses Commutativity (C) • exp(x,nB nA) = exp(x,nA¢ nB) • This can lead to attacks • Analysis using C-unification finds these attacks
C-Unification • exp(b,X ¢ Y) = exp(b,nA,nB) has two solutions • Solution 1: [X nA, Y nB] • Solution 2: [X nB, Y nA]
C-unification is Exponential • exp(b,X1 Xn) = exp(b,c1 cn) has 2n solutions • Let d1,,dn be a permutation of c1,,cn (2n permutations exist) • Then [X1 d1,,Xn dn] is a solution
Goal of Paper • Find an efficient theory H to approximate C soundly • i.e., an attack modulo H is an attack modulo C • But what about vice versa (that’s the hard part)
Our Results • We found an efficient theory H which approximates C soundly • We gave simple properties for a DH protocol to satisfy • We showed that if a protocol has these properties then a C-attack can be converted to an H-attack
Basic Properties • hashed symmetric keys are of the form h(exp(x,nA¢ nB)) • An honest principal can send exp(x,nA) • h-terms appear nowhere else, exponent nonces appear nowhere else, exp-terms appear nowhere else
Properties preventing Role Confusion Attacks • Messages encrypted with DH-key from Initiator and Responder must be of different form • Messages encrypted with DH-key must contain a unique strand id
Intruder • As usual, the intruder can see all messages, and modify, delete and create messages • Of course, the intruder does not have to obey any of these rules
About the Properties • Most DH-protocols for two principals satisfy these properties • They are syntactic, so it is easy to check if a protocol meets them
Who Cares? • A Protocol Developer: A protocol with these properties will have no attack based on commutativity • A Protocol Analyzer: If a protocol has these properties, analyze it using efficient H-theory. Only if it does not, then use C.
Contents of Talk • Representation of Protocol • Derivation Rules • Properties and Proof Techniques
Example of DH Protocol • A ! B: [exp(x,nA), nonce] • B ! A: [exp(x,nB), e(h(exp(x,nB¢ nA)),exp(x,nA))] • A ! B: e(h(exp(x,nA¢ nB)),ok)
Specification of Protocol Rules • A: ! [exp(x,nA), nonce] • B: [Y, nonce] ! [exp(x,nB), e(h(Y,nB),Y)] • A: [Z, e(h(exp(Z,nA),exp(x,nA))] ! e(h(exp(Z,nA),ok)
Instantiation of Specification • A: ! [exp(x,nA), nonce] • B: [exp(x,nA), nonce] ! [exp(x,nB), e(h(exp(x,nA¢ nB)),exp(x,nA))] • A:[exp(x,nB), e(h(exp(x,nB¢ nA)),exp(x,nA))] ! e(h(exp(x,nB¢ nA),ok)
Equation needed in Protocol • Need to know that: h(exp(x,nA¢ nB)) = h(exp(x,nB¢ nA)) • That’s where C is needed, but is there a more efficient H • h(exp(X,Y ¢ Z)) = h(exp(X,Z ¢ Y)) will work, but we can be more efficient
Mofification of DH Protocol • Assume inititiator uses has function h1 and responder uses h2 • A ! B: [exp(x,nA), nonce] • B ! A: [exp(x,nB), e(h2(exp(x,nB¢ nA)),exp(x,nA))] • A ! B: e(h1(exp(x,nA¢ nB)),ok)
New Specification • A: ! [exp(x,nA), nonce] • B: [Y, nonce] ! • [exp(x,nB), e(h2(Y,nB),Y)] • A: [Z, e(h2(exp(Z,nA),exp(x,nA))] ! e(h1(exp(Z,nA),ok)
New Instantiation • A: ! [exp(x,nA), nonce] • B: [exp(x,nA), nonce] ! [exp(x,nB), e(h2(exp(x,nA¢ nB)),exp(x,nA))] • A:[exp(x,nB), e(h2(exp(x,nB¢ nA)),exp(x,nA))] ! e(h1(exp(x,nB¢ nA),ok)
Equation we now need • h1(exp(x,nA¢ nB)) = h2(exp(x,nB¢ nA)) • So theory H will be h1(exp(X,Y ¢ Z)) = h2(exp(X,Z ¢ Y))
How Efficient is H Using results from [LM01], we see that: • In H, all unifiable terms have a most general unifier • Complexity of H-unification is quadratic (usually linear in practice)
Completeness Theorem • Start with attack modulo C on h-protocol • Convert to attack modulo CH on (h1,h2)-protocol • Convert to attack modulo H on (h1,h2)-protocol
Differences between H and CH • h1(exp(x, n1¢ n2)) equals h2(exp(x,n1¢ n2)) modulo CH but not modulo C • h1(exp(x, n1¢ n2)) equals h1(exp(x, n2¢ n1)) modulo CH but not modulo C • h1(exp(x, n1¢ n2¢ n3)) equals h2(exp(x, n3¢ n2¢ n1)) modulo CH but not modulo C
Protocol Instance A Protocol Instance has 2 parts • Protocol Rules • Derivation Rules to represent Intruder
Derivation Rules • [X,Y] ` X • [X,Y] ` Y • X, Y ` [X,Y] • privkey(A), enc(pubkey(A), X) ` X • Pubkey(A), enc(privkey(A), X) ` X
More Derivation Rules • X, Y ` enc(X,Y) • X, Y ` e(X,Y) • X ` hi(X) • X, e(X,Y) ` Y • X,Y ` exp(X,Y)
Derivation modulo CH • Recall rule X, e(X,Y) ` Y • Derivation modulo CH: • X1 e(X2,Y) `CH Y if X1 =CH X2
Example • h1(exp(x,nB¢ nI¢ nA)), e(h2(exp(x,nA¢ nI¢ nB)),m) `CH m • But not h1(exp(x,nB¢ nI¢ nA)), e(h2(exp(x,nA¢ nI¢ nB)),m) `H m
How to convert from `CH to `H • Requires Certain Properties • Use Rewrite System RN so that S `CH m implies S+RN`H m+RN • RN: exp(X,Y) ! X if Y is not an honest principal nonce
How to convert from `C to `CH • Again Certain Properties • Conversion function TWO so that S `C m implies TWO(S) `CH TWO(m) • TWO converts some occurrences of h to h1 and others to h2
What We Show Under Certain Properties • S `C m implies TWO(S) `CH TWO(m) implies TWO(S)+RN`H TWO(m)+RN
Properties of Protocol • hashed symmetric keys are of the form h(exp(X ¢ n)), where X eventually unifies with a term exp(b,n’) • h-terms appear nowhere else, exponent nonces appear nowhere else, exp-terms appear nowhere else
More Interesting Properties • A message encrypted with h1-term on RHS of protocol cannot unify with message encrypted with h2-term on LHS • Avoids role confusion attacks • Messages encrypted with hashed term must include a strand id in message • Avoids attacks involving different instances of same protocol or different protocols
Properties of Derivable Terms • Honest Principals follow Protocol Rules • But Intruder can use derivation rules to create terms which disobey properties • Nevertheless, we show that there are certain properties that are preserved by derivation and protocol rules
Example Properties of Derivable Terms • There is a set N (honest principal nonces) • Elements of N only appear as exponent • If a term exp(x,t1 tn) is derivable • t1 and tn are in N or are derivable • t2,,tn-1 are derivable • if term is not a key, then tn derivable
More Properties • There are many more properties • Some quite complicated • And may lemmas and theorems to prove them
Properties Imply • Every term will reduce by RN to a term with at most two exponents (all exponents not in N are removed by rewrite rules) • This and other properties imply that if s and t CH-unify then s+RN and t+RN} H-unify
Summary • Suppose a DH-protocol obeys simple (easy to check) properties • Then it’s possible to discover attacks based on commutativity, using an efficient equational theory
Related Work • Properties so that attacks modeling cancellation of encryption/decryption rules are found with free algebra • Symmetric Key [Millen 03] • Public Key [LM 04]
Future Work • Other DH work • Don’t assume base is known • What about inverses? • Group DH-protocols • Hierarchy of Protocol Models [Meadows 03]