Post on 22-Dec-2015
Cryptographic Protocol Models and Free Algebras
Chris Lynch and Cathy Meadows
Naval Research Laboratory
Idea
• Cryptographic Protocol Analysis usually ignores properties of algorithms (Free Algebra Approach)
• NRL Protocol Analyzer uses equational theories to model some algorithm properties (Equational Approach)
• Under what conditions do the two approaches find the same attacks?
Why Study This (reason 1)
• Equational Approach finds attacks that Free Algebra approach does not
• However, equational unification can have higher complexity than syntactic unification
• So an Analyzer would like to know what conditions require Equational Approach
Why Study This (reason 2)
• A Protocol Developer can use our conditions as guidelines for developing protocols
  Our conditions are simple and sensible
• Then the Protocol Developer can be assured that no attacks will be caused by these algorithm properties
Our Results
• Millen gave conditions to guarantee that Free Algebra approach is equivalent to Equational Approach (Cancellation Rules) for Shared Key Cryptography
• He left Public Key Cryptography as an Open Problem. We solve that and generalize his results for shared key
Guidelines
• Assume received encrypted/signed messages are structured
  because any message can be viewed as the encryption of a decrypted message
• Only send structured encrypted messages
  to avoid intruder attacking you with a decrypted message
• Must trust that keys are of proper type (encryption and signed keys are distinguished)
Alternative Guidelines
• All encrypted/signed messages are structured
• Do not directly encrypt/sign an encrypted/signed message
• Easy to do, e.g., send encrypted messages with another piece of data
• Don’t need to trust keys, and keys don’t need to be distinguished
Contents of Talk
1. Derivations for Cryptographic Protocol Analysis
2. Conditions where Free Algebra approach equals Equational Approach
3. Soundness Theorems
4. Conclusions and Future Work
Representing Keys
• Key represented as pk(N,P,E), where
• N = name of key
• P = pub or priv
• E = enc or sig
• e.g. pk(a,pub,enc) is a key for public encryption for principal A
• pe(pk(a,priv,sig),m) represents message m signed with A’s private key
Pure Protocols
• In a protocol, we assume the second and third arguments to pk are not variables
• A protocol is pure if it does not contain private encryption or public signature
Dolev Yao Model
• Intruder can see all sent messages
• Intruder can create and modify and send messages
• We use derivation rules to model messages that Intruder can construct
Free Algebra
• [X,Y]├ X
• [X,Y]├ Y
• X,Y├ [X,Y]
• X, pk(K,pub,enc)├ pe(pk(K,pub,enc),X)
• X, pk(K,priv,sig)├ pe(pk(K,priv,sig),X)
• pe(pk(K,pub,enc),X), pk(K,priv,enc)├ X
• pe(pk(K,priv,sig),X), pk(K,pub,sig)├ X
Equational Theory
• pe(pk(K,pub,enc),pe(pk(K,priv,enc),X)) = X
• pe(pk(K,priv,enc),pe(pk(K,pub,enc),X)) = X
• pe(pk(K,pub,sig),pe(pk(K,priv,sig),X)) = X
• pe(pk(K,priv,sig),pe(pk(K,pub,sig),X)) = X
• Can be expressed as Confluent Rewrite System R
Additional Derivation Rules
• X, pk(K,priv,enc)├ pe(pk(K,priv,enc),X)
• X, pk(K,pub,sig)├ pe(pk(K,pub,sig),X)
• Everything is reduced by R
• Need to compare Original Derivation Rules with Extended Set (reducing by R)
Example 1
• Protocol: If A receives pe(pk(k,pub,enc),X) then A sends s
• Attack: Send m to A
• X = pe(pk(k,priv,enc),m) so A will send s
• This cannot be detected by Free Algebra
Example 2 (Millen)
• Protocol: A sends pe(pk(k,pub,enc),s)
• If B receives pe(pk(k,pub,enc),pe(pk(c,pub,enc),X)) then B sends X
• Attack: I sends pe(pk(k,pub,enc),s) to B
• X = pe(pk(c,priv,enc),s) so B sends pe(pk(c,priv,enc),s)
• If I knows pk(c,pub,enc) then I knows s
Example 3
• Protocol: If A receives X then A sends pe(pk(a,priv,sig),pe(pk(c,pub,enc),X))
• Attack: I sends pe(pk(c,priv,enc),s) to A
• So A sends pe(pk(a,priv,sig),s)
Example 4
• Protocol: If A receives keys X and Y then A sends pe(X,pe(Y,s))
• Attack: I sends pk(c,pub,enc) and pk(c,priv,enc) to A
• So A sends s
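Examples 1, 3 and 4 replayed as term rewriting, as an added example that is not part of the original slides: terms are normalized under the rewrite system R from the Equational Theory slide, and Example 1 is checked both syntactically and modulo R. The tuple encoding and all function names are assumptions of this sketch.

```python
# Added illustration (not the NRL Protocol Analyzer's code).
# Terms: atoms/variables are strings; pk(N,P,E) = ("pk", N, P, E);
# pe(K,M) = ("pe", K, M).

def inverse(k1, k2):
    """True if k1 and k2 are the pub/priv halves of one key pair."""
    return (isinstance(k1, tuple) and isinstance(k2, tuple)
            and k1[0] == k2[0] == "pk"
            and k1[1] == k2[1] and k1[3] == k2[3]
            and {k1[2], k2[2]} == {"pub", "priv"})

def normalize(t):
    """Normal form under R: pe(K, pe(K', X)) -> X when K, K' are inverses."""
    if not isinstance(t, tuple):
        return t
    t = tuple(normalize(a) for a in t)          # innermost first
    if (t[0] == "pe" and isinstance(t[2], tuple)
            and t[2][0] == "pe" and inverse(t[1], t[2][1])):
        return t[2][2]                          # subterm is already normal
    return t

def subst(t, sigma):
    """Apply substitution sigma (variable name -> term) to t."""
    if isinstance(t, tuple):
        return tuple(subst(a, sigma) for a in t)
    return sigma.get(t, t)

def pk(n, p, e): return ("pk", n, p, e)
def pe(k, m): return ("pe", k, m)

def example1():
    """A expects pe(pk(k,pub,enc),X); the intruder sends the atom m."""
    inst = subst(pe(pk("k", "pub", "enc"), "X"),
                 {"X": pe(pk("k", "priv", "enc"), "m")})
    return inst == "m", normalize(inst) == "m"   # (syntactic, modulo R)

def example3():
    """A signs pe(pk(c,pub,enc),X); X cancels the inner encryption."""
    reply = pe(pk("a", "priv", "sig"), pe(pk("c", "pub", "enc"), "X"))
    return normalize(subst(reply, {"X": pe(pk("c", "priv", "enc"), "s")}))

def example4():
    """A sends pe(X,pe(Y,s)) for received keys X and Y."""
    reply = pe("X", pe("Y", "s"))
    return normalize(subst(reply, {"X": pk("c", "pub", "enc"),
                                   "Y": pk("c", "priv", "enc")}))
```

example1() returns (False, True): the message m matches A's pattern only modulo R, which is why a purely syntactic analysis misses it.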
Finding Attacks
• Millen and Shmatikov show that any reachability problem can be converted into a constraint problem
• Given set of terms T and term t find σ such that Tσ ├ tσ
• T represents sent messages
• t represents received messages or secret
Setting up Constraint Problem
• Interleave finitely many instances of protocol with terms Intruder wants to find
• If constraint set has a simultaneous solution then terms are found by Intruder
Constraint Example
• A sends t0 = pe(pk(c,pub,enc),pe(pk(k,pub,enc),s))
• If B receives pe(X,Y) then B sends Y
• I knows c and I wants to know s
• T1 = {c,t0} t1 = pe(X,Y)
• T2 = {c,t0,Y} t2 = s
• Solution is X=pe(pk(k,pub,enc),s), Y=s
PEV-free
• A protocol is PEV-free if pe never has a variable for an argument
• Theorem: If a protocol is pure and PEV-free, then any attack using Equational Approach can be converted to an attack in Free Algebra
Purification
• Rewrite System P:
• pe(pk(K,priv,enc),X) → X
• pe(pk(K,pub,sig),X) → X
• We actually show that the Equational attack can be converted into a purified attack in Free Algebra
Main Theorem
• Suppose s1 … sn irreducible by R and s1 … sn ├ s in Equational Derivation
• Then either s1↓P … sn↓P ├ s↓P in Free Algebra Derivation or si↓P = s↓P for some i
• Also, s is irreducible by R
Main Lemmas
1. If t is pure and PEV-free and t and σ are irreducible by R then tσ is irreducible by R
2. If t and σ are pure then tσ is pure
Limitations of Approach
• Encryption and Signature keys must be distinguished
• Principals must trust that they receive a key of expected type (Trusted Server)
• Approach only deals with pure protocols
Structured Protocols
• Second argument of pe cannot be a variable or a pe-term
  could just pair with constant
• First argument is allowed to be variable
  implies that Principals do not need to trust key types or distinguish keys
• Results also apply to non-pure protocols
Structured Theorem
• If a protocol is structured, then any attack in Equational Approach has a corresponding Free Algebra attack
• In the non-pure case, the Free Algebra Derivation rules are same as Equational Derivation rules (except equational theory)
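A checker for the three syntactic conditions defined in the slides (pure, PEV-free, structured), run over the protocol terms of Examples 1 to 4; this is an added example, not the authors' tooling. The tuple encoding, the uppercase-means-variable convention, and the "tagged" term (a constructed fix that pairs the payload with a constant) are assumptions, and the definitions are read literally from the slides.

```python
# Added illustration; the encoding and names are assumptions.
# pk(N,P,E) = ("pk", N, P, E); pe(K,M) = ("pe", K, M); [A,B] = ("pair", A, B).

def is_var(t):
    """Variables are strings starting with an uppercase letter (X, Y, K)."""
    return isinstance(t, str) and t[:1].isupper()

def is_pe(t):
    return isinstance(t, tuple) and t[0] == "pe"

def pe_terms(t):
    """Yield every pe-subterm of t."""
    if isinstance(t, tuple):
        if is_pe(t):
            yield t
        for a in t[1:]:
            yield from pe_terms(a)

def is_pure(t):
    """No private encryption and no public signature."""
    bad = {("priv", "enc"), ("pub", "sig")}
    return not any(isinstance(k, tuple) and k[0] == "pk" and k[2:4] in bad
                   for _, k, _ in pe_terms(t))

def is_pev_free(t):
    """pe never has a variable as either argument."""
    return not any(is_var(k) or is_var(m) for _, k, m in pe_terms(t))

def is_structured(t):
    """Second argument of pe is neither a variable nor a pe-term."""
    return not any(is_var(m) or is_pe(m) for _, _, m in pe_terms(t))

def check(t):
    return {"pure": is_pure(t), "pev_free": is_pev_free(t),
            "structured": is_structured(t)}

K_PUB = ("pk", "k", "pub", "enc")
C_PUB = ("pk", "c", "pub", "enc")
A_SIG = ("pk", "a", "priv", "sig")
PROTOCOL_TERMS = {  # terms taken from Examples 1-4 on this page
    "ex1": ("pe", K_PUB, "X"),
    "ex2": ("pe", K_PUB, ("pe", C_PUB, "X")),
    "ex3": ("pe", A_SIG, ("pe", C_PUB, "X")),
    "ex4": ("pe", "X", ("pe", "Y", "s")),
    # constructed fix: pair the payload with a constant tag
    "tagged": ("pe", K_PUB, ("pair", "tag", "X")),
}

def report():
    return {name: check(t) for name, t in PROTOCOL_TERMS.items()}
```

Every example term fails both the PEV-free and the structured test, while the tagged variant passes all three; Example 4 reports as pure only because its keys are variables, which is the case where the first set of guidelines has to trust key types.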
Conclusion
• We now have a better understanding of relationship between Free Algebra and Equational Approach
• We have guidelines for Protocol Developers
  If they follow our guidelines, there is a guarantee that Cancellation Properties won’t cause attacks
  We can easily tell if they are not followed, then use Equational Approach to analyze
Future Work
• Other Equational Theories for other algorithms
• Currently working on Diffie-Hellman, and have some conjectures
  x^{ab} = x^{ba}
• Cathy will talk about more future work