Cap Unification: Application to Protocol Security modulo Homomorphic Encryption
Siva Anantharaman, Hai Lin, Chris Lynch, Paliath Narendran,
Michael Rusinowitch
Contents
• Cryptographic Protocol Analysis
• Cap Unification
  – Modulo Homomorphic Encryption (HE)
• Inference rules to solve Cap-DYHE Unif
  – First solve HE-unification
  – Then solve Cap-DYHE-unification
First some syntax
• e(m,k): message m encrypted with key k
• p(x,y): pair (concatenation) of x and y
Next some vocabulary
• Nonce: number used once (random number) for freshness
• Long term key: secure key shared by principals
• Session key: less secure key established for session
Key authentication protocol
• Protocol used to establish a session key
• In my example, one principal creates a key and sends it to the other principal
My example protocol
1. A → B: e(p(k,na), k’)
2. B → A: e(p(na,nb), k’)
3. A → B: nb
• Alice sends Bob new session key k and nonce na encrypted with long term key k’
• Bob sends na along with new nonce nb to Alice indicating Bob got the session key
• Alice sends nonce nb back to Bob to indicate she got Bob’s message
Cryptographic Protocol security problem
• We assume an all-powerful intruder who can read all messages, send messages, and pretend to be someone else
• Can the intruder learn a secret (key k)?
• Dolev Yao model: An intruder can learn an encrypted message if and only if he knows the encryption key
Dolev Yao theory
• d(e(x,y),y) = x
• fst(p(x,y)) = x
• snd(p(x,y)) = y
Decision procedure for security problem
• Undecidable in general
• NP-complete for bounded number of protocol sessions
• In this talk, we only consider bounded number of sessions
Extending Dolev Yao
• Some cryptographic algorithms have properties giving intruder more power
• For example, properties of exclusive OR allow intruder more attacks
  – Security problem also NP-complete for XOR
• What other properties are interesting?
• We consider Homomorphic Encryption
  – Security problem was open for HE
Homomorphic Encryption
• ECB algorithm breaks message into blocks and encrypts each block independently
• e(p(x,y),k) = p(e(x,k),e(y,k))
• This property gives an attack on my example protocol
Recall example protocol
1. A → B: e(p(k,na), k’)
2. B → A: e(p(na,nb), k’)
3. A → B: nb
• Step 2 from Bob’s POV:
  – Receive: e(p(x,y),k’) Send: e(p(y,nb),k’)
• Step 3 from Alice’s POV:
  – Receive: e(p(na,z),k’) Send: z
• Use variables for attack
Attack on Example Protocol
1. A → I(B): e(p(k,na), k’)
2. I(B) → A: e(p(na,k), k’)
3. A → I(B): k
• Intruder took message 1 apart and put it back together backwards
• Step 3 from Alice’s POV:
  – Receive: e(p(na,z),k’) Send: z
Contents
• Cryptographic Protocol Analysis
• Cap Unification
  – Modulo Homomorphic Encryption (HE)
• Inference rules to solve Cap-HE Unif
  – First solve HE-unification
  – Then solve Cap-HE-unification
E-Unification
• Given terms s and t and a theory E, find a substitution µ such that sµ and tµ are the same modulo E
• Theory E = AC of symbol f
• Problem: f(a,y) = f(b,x)
• Solution: [x = a, y = b]
Cap
• Let S be a set of terms
• Cap(S) is defined recursively so that
  – S is a subset of Cap(S)
  – If t1,…,tn in Cap(S) then f(t1,…,tn) in Cap(S)
  – Constants not considered as function symbols
• Example: S = {a,fb}
  – a, fb, g(a,fb), g(a,a), fa, g(fb,fa), ffb are in Cap(S)
  – b, c, fc, g(a,c), g(b,a) are not in Cap(S)
Cap E-Unification
• Given set S, term t, and theory E, find a substitution µ and term s in Cap(S) such that sµ and tµ are the same modulo E
• Example: {p(fa,b)} |> fx
  – where E={fst(p(x,y)) = x, snd(p(x,y)) = y}
• Solution: [x = a] because fst(p(fa,b)) = fa
Another Example
• Example: {p(a,b),p(c,d)} |> p(x,y)
  – where E={fst(p(x,y)) = x, snd(p(x,y)) = y}
• One solution is [x = d, y = a] because p(snd(p(c,d)),fst(p(a,b))) = p(d,a)
Cap Unification in Protocol Analysis
• Suppose we have malicious intruder trying to learn secret
• Constraint S |> t
• S represents current intruder knowledge
• t is a term intruder needs to learn
• Set of constraints represents possible attack: real attack if Cap E-unif solvable
Theory DYHE
• DY
  – d(e(x,y),y) = x
  – fst(p(x,y)) = x
  – snd(p(x,y)) = y
• HE
  – e(p(x,y),z) = p(e(x,z),e(y,z))
• We will consider CAP unification modulo DYHE
Recall Attack on Example Protocol
1. A → I(B): e(p(k,na), k’)
2. I(B) → A: e(p(na,k), k’)
3. A → I(B): k
• Intruder took message 1 apart and put it back together backwards
• Step 3 from Alice’s POV:
  – Receive: e(p(na,z),k’) Send: z
Finding attack with Cap Unification
Let t be first message e(p(k,na),k’)
• {t} |> e(p(na,z),k’)
• {t,z} |> {k}
• Solution is [z = k]
• Cap for first one: p(snd(t),fst(t))
• Cap for second one: z
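Added example, not from the talk: a small Python model of DYHE rewriting on ground terms. It checks the Cap(S) example from the "Cap" slide and confirms that the cap p(snd(t),fst(t)) on message 1 equals e(p(na,k),k’) modulo DYHE but not modulo plain DY, which is why the attack is only found once HE is in the theory. Terms are tuples; app, normalize, equal_mod, in_cap and attack_found are this example's own names.

```python
# Added example, not from the slides: ground terms are constants (str) or
# tuples (symbol, arg1, ..., argn); e, p, d, fst, snd, k, na, k' follow the talk.

def app(f, *args):
    return (f,) + args

def head(t):
    return t[0] if isinstance(t, tuple) else None

def normalize(t, he=True):
    """Rewrite t to normal form modulo DY (d(e(x,y),y)->x, fst(p(x,y))->x,
    snd(p(x,y))->y) and, when he=True, also HE: e(p(x,y),z)->p(e(x,z),e(y,z))."""
    if isinstance(t, str):
        return t
    f, *args = t
    args = [normalize(a, he) for a in args]
    if f == "fst" and head(args[0]) == "p":
        return args[0][1]
    if f == "snd" and head(args[0]) == "p":
        return args[0][2]
    if f == "d" and head(args[0]) == "e" and args[0][2] == args[1]:
        return args[0][1]
    if he and f == "e" and head(args[0]) == "p":      # ECB-style homomorphism
        x, y, z = args[0][1], args[0][2], args[1]
        return app("p", normalize(app("e", x, z), he), normalize(app("e", y, z), he))
    return app(f, *args)

def equal_mod(s, t, he=True):
    """s = t modulo DY (he=False) or modulo DYHE (he=True), for ground terms."""
    return normalize(s, he) == normalize(t, he)

def in_cap(t, S):
    """Cap(S): S is a subset of Cap(S); f(t1,...,tn) is in Cap(S) when every ti
    is. Constants are not function symbols, so a constant outside S is excluded."""
    if t in S:
        return True
    if isinstance(t, str):
        return False
    return all(in_cap(a, S) for a in t[1:])

def attack_found():
    """Slide 'Finding attack with Cap Unification': t is message 1, the cap is
    p(snd(t),fst(t)) and Alice's step-3 pattern e(p(na,z),k') is taken with z = k."""
    k, na, k2 = "k", "na", "k'"
    t = app("e", app("p", k, na), k2)
    cap = app("p", app("snd", t), app("fst", t))
    alice_expects = app("e", app("p", na, k), k2)
    in_dyhe = equal_mod(cap, alice_expects, he=True)   # True: HE makes them equal
    in_dy = equal_mod(cap, alice_expects, he=False)    # False: plain Dolev-Yao does not
    # after step 3 the intruder knows z = k, so the cap for {t,z} |> k is z itself
    return in_dyhe, in_dy, in_cap(k, {t, k})
```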
Contents
• Cryptographic Protocol Analysis
• Cap Unification
  – Modulo Homomorphic Encryption (HE)
• Inference rules to solve Cap-HE Unif
  – First solve HE-unification
  – Then solve Cap-HE-unification
HE Unification
• No caps yet
• No DY yet – only HE = {e(p(x,y),z) = p(e(x,z),e(y,z))}
• This will be a procedure used in inference rules for Cap Unification
• Consider signature: e,p and constants
Syntactic part of HE unification
• Trivial: C, (t=t) ⇒ C
• Decomposition: C, (f(s1,…,sn)=f(t1,…,tn)) ⇒ C, (s1=t1), …, (sn=tn)
• Orient: C, (t=x) ⇒ C, (x=t)
• Apply: C, (x=t) ⇒ C[x |-> t], (x=t) if …
• Clash: C, (f(…)=g(…)) ⇒ Fail
  – Unless {f,g} = {e,p}
• OccurCheck: C, (x = t[x]) ⇒ Fail if t is not x
HE part of HE unification
• How do we solve e(…) = p(…)?
• We will use some abbreviations
• Pv(t1,…,tn) represents p-term where ti are terms not labeled with p, with only p’s on top, and v is vector of associated positions
• E(t,k1,…,kn) represents e-term where ki are terms not labeled with e, with only e’s on top
Example: P11,121,122,21,22(e(a,k),a,b,c,a)
[tree diagram: the p-term p(p(e(a,k),p(a,b)),p(c,a)), with e(a,k) at position 11, a at 121, b at 122, c at 21 and a at 22]
Example: E(a,k1,k2,k3)
[tree diagram: the e-term e(e(e(a,k1),k2),k3)]
Example: P11,12,2(E(a,k),E(b),E(b,k,k))
[tree diagram: p(p(e(a,k),b),e(e(b,k),k)); E(b) has no keys and is just b]
Solving e(…) = p(…)
• Assume all terms in normal form
  – e’s on top, p’s on the bottom
  – i.e., apply rewriting but not narrowing
• We will apply substitution to make p(…) be normal form of e(…)
• Pv(…,E(ti,k1,…,kn),…) is normal form of E(Pv(t1,…,tm),k1,…,kn)
Homomorphic Encryption
[tree diagram: e(p(x,y),k) on the left and its normal form p(e(x,k),e(y,k)) on the right]
Shaping inference rule
E(t,k1,…,kn) = Pv(…,E(x,k1’,…,km’),…)
-------------------------------------------------- m<n
Apply substitution [x |-> E(x’,k1,…,kn-m)]
The point is to extend the number of keys in E arguments of P, so that rhs can look like normal form of lhs
Fail if t = x, also fail if x was constant
Parsing inference rule
E(t,k1,…,kn) = Pv(E(s1,…,k1’),…,E(sm,…,km’))
----------------------------------------------------
E(t,k1,…) = Pv(E(s1,…),…,E(sm,…)), kn=k1’=…=km’
The rhs is the normal form of the lhs only if the final keys are the same
Result of HE-unification
• Rules are deterministic, so theory is unitary
• Does not increase variables
  – Decreases variables if instantiation
  – This is important for termination
• Note: HE-unification = DYHE-unification on terms not containing d, fst, snd
  – Terms in protocols do not contain d, fst, snd
Contents
• Cryptographic Protocol Analysis
• Cap Unification
  – Modulo Homomorphic Encryption (HE)
• Inference rules to solve Cap-DYHE Unif
  – First solve HE-unification
  – Then solve Cap-DYHE-unification
Solving Cap-DYHE-unification
• We have constraints of the form S |> t
• Want to find a term s in cap(S) that unifies with t modulo DYHE
• We give a nondeterministic set of inference rules
• All equalities generated are solved with the HE-unification algorithm
Cap Decomposition
S |> f(t1,…,tn)
-------------------
S|> t1 … S |> tn
• Justification: we may put f on top as cap
Degeneracy
S U {s} |> t
----------------
s = t
• Justification: There may be no cap
Projection
S U {p(r,s)} |> t
----------------------
S U {r,s} |> t
• The cap symbol might be fst, it also might be snd
• This is a simplification
Decryption
S U {e(s,k)} |> t
----------------------
S U {s} |> t, S |> k
• The cap symbol might be d
Homomorphic Deduction
S U {e(t1,k1),…,e(tn,kn)} |> e(t,k)
----------------------------------------------
S U {t1,…,tn} |> t, k1=k, …, kn=k
• The cap might be p, and HE is applicable, where t is some pairing of t1,…,tn
• Note: The signature in the conclusion is only {p,fst,snd}
Variable Substitution
…
---
…, x = Pv(t1,…,tn)
where x is a variable in the constraints, t1,…,tn are distinct terms in the lhs of the constraints, with x not in ti
• Nondeterministic guess of the value of x
Result of Cap-DYHE-unification
• The rules are nondeterministic
• They are guaranteed to halt with a complete set of unifiers or fail
Conclusion
• Cap unification modulo equality for cryptographic protocol analysis
• First decision procedure for insecurity problem modulo HE with bounded number of protocol sessions
• Future work: Equational theory for definition of CBC algorithm, not just properties of it