On the (im)possibility of perennial message recognition protocols without public-key cryptography Peeter Laud Cybernetica AS & University of Tartu


On the (im)possibility of perennial message recognition protocols without public-key cryptography Peeter Laud Cybernetica AS & University of Tartu (joint work with Madeline González Muñiz)

Message recognition protocols
(diagram: Alice and Bob, who have never met before and know nothing about each other; an authentic channel; Eve)
● Alice later wants to send messages in an authentic manner
● How can we extend authenticity?
● Bob does not accept a that Eve has not sent
● This setup corresponds to certain trust models in ad hoc networks

A simple solution
● During the initialization phase, Alice generates a signing key and a verification key
● Alice sends the verification key to Bob
● During the main phase, Alice signs the messages using the newly generated key
● Bob can verify the signatures

Another simple solution
● During the initialization phase, Alice and Bob perform a Diffie-Hellman key exchange
● They agree on a secret
● During the main phase, Alice sends to Bob

What if public-key cryptography is too expensive?

Using hash chains
● During initialization, Alice generates secret and defines
● Alice sends to Bob
● Main phase: the i-th send by Alice (of some M):
● Bob already knows and can verify
Hash chains are not cheap, either. Need one of
● time
● memory
or a combination of both

Problems: robustness
● Eve can cause Alice and Bob to go “out of sync”
● In the Jane Doe protocol, Bob sends back acknowledgments
● authenticated in the same way – Bob also creates a hash chain
● Alice and Bob do not move forward as long as they have not received the ACK for the previous message
● If Eve stops interfering, the messages from Alice will be accepted by Bob
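How a bounded hash chain behaves in practice, as an added Python illustration that is not code from these slides and is neither the Jane Doe protocol nor the Mashatan-Stinson protocol: SHA-256 stands in for the abstract h, and the way M is bound to a chain element (a commitment h(x || M) first, the element x only after Bob's acknowledgment) is a simplified construction assumed for the example, not the formula on the slide. Bob checks each revealed element against the one he already holds, and after n sends the chain is used up, which is the limit the perenniality question is about.

```python
import hashlib
import os


def h(x: bytes) -> bytes:
    """Stand-in for the abstract one-way hash h (assumption: SHA-256)."""
    return hashlib.sha256(x).digest()


def make_chain(seed: bytes, n: int) -> list:
    """x_0 = seed, x_i = h(x_{i-1}); returns [x_0, ..., x_n].
    Keeping the whole list costs O(n) memory; keeping only the seed and
    recomputing x_{n-i} for each send costs O(n) time per send."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class Alice:
    def __init__(self, n: int):
        self.n = n
        self.chain = make_chain(os.urandom(32), n)   # the secret is x_0
        self.i = 0                                   # sends completed so far
        self.pending = None                          # (M, x) awaiting Bob's ACK

    def anchor(self) -> bytes:
        """x_n, delivered over the authentic channel during initialization."""
        return self.chain[self.n]

    def commit(self, M: bytes) -> bytes:
        """First half of the i-th send: bind M to the still-unrevealed x_{n-i-1}."""
        if self.i >= self.n:
            raise RuntimeError("hash chain exhausted: no further send is possible")
        x = self.chain[self.n - self.i - 1]
        self.pending = (M, x)
        return h(x + M)

    def reveal(self) -> tuple:
        """Second half, sent only after Bob acknowledged the commitment."""
        M, x = self.pending
        self.i += 1
        self.pending = None
        return M, x


class Bob:
    def __init__(self, anchor: bytes):
        self.last = anchor        # most recently verified chain element
        self.commitment = None

    def receive_commit(self, c: bytes) -> bool:
        self.commitment = c
        return True               # the ACK sent back to Alice

    def receive_reveal(self, M: bytes, x: bytes) -> bool:
        """Accept M only if x is the preimage of the element Bob holds and
        the earlier commitment was made to exactly this (x, M)."""
        if h(x) != self.last or h(x + M) != self.commitment:
            return False
        self.last = x
        self.commitment = None
        return True


def run(n: int, messages: list) -> list:
    """Drive the protocol over an honest channel with a chain of length n.
    Returns True/False per accepted/rejected payload, or "exhausted" once
    Alice has no chain elements left."""
    alice = Alice(n)
    bob = Bob(alice.anchor())
    results = []
    for M in messages:
        try:
            c = alice.commit(M)
        except RuntimeError:
            results.append("exhausted")
            continue
        bob.receive_commit(c)
        results.append(bob.receive_reveal(*alice.reveal()))
    return results


if __name__ == "__main__":
    print(run(3, [b"m1", b"m2", b"m3", b"m4"]))   # [True, True, True, 'exhausted']
```

The fourth message fails not because Eve interfered but because the number of rounds was fixed when the chain was built; a longer chain only moves the limit, it does not remove it.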

Perenniality
● What if Eve goes away only after Alice and Bob have consumed their hash chains?
● A message recognition protocol is perennial if the number of rounds Alice and Bob can participate in is not limited during the initialization phase
● Perenniality — if Eve stops interfering then all messages sent by Alice will be accepted by Bob.
● Alice and Bob do not know if/when Eve stops

Authentic and perennial MRP-s
● Are there any authentic and perennial MRP-s that use only symmetric cryptography?
● symmetric encryption, hash functions, MAC-s, random numbers, one-way functions or permutations, ...
● not too well defined – not signatures or Diffie-Hellman...
● Some have been proposed, all have been broken.
● We show that the answer is: No

Perfect cryptography model
● Messages — elements of a term algebra
● a given set of constructors
● given set of rules for message construction and taking apart – also applies to the adversary
● possibly: a congruence relation over messages – to model primitives like XOR

Synchronous communication
● Protocol proceeds in rounds
● In a round: (diagram: Alice and Bob compute, Eve computes, accept)

Communication rounds
● Both initialization and main phase can be modeled like this
● In the initialization phase:
● Alice decides when main phase starts
● Eve decides when to leave
● Payloads that Alice sends to Bob are determined by Eve

Message constructors
● Constants, nonces, payloads are messages
● If are messages then is a message
● If and are messages then is a message
● The congruence on messages expresses the properties of XOR
● there is a constant 0
● Alice and Bob send sequences of messages to each other

Symmetric cryptography
● Hash functions and XOR capture symmetric cryptography
● is a random function
● Random permutation can be constructed from a random function using the Luby-Rackoff construction

Memories of Alice and Bob
● Alice and Bob have some internal state
● We do not care about its structure
● They also have message stores
● Sequence of messages, containing
  – nonces generated by him-/herself,
  – messages (presumably) received from the other party,
  – for Alice: payloads received from Eve
● Messages received from the network are added to the end of the message stores
● Messages to send to the other party are computed from the message stores

Common secrets
● A message s is a common secret for Alice and Bob, if
● it can be computed from Alice's message store
● it can be computed from Bob's message store
● it cannot be computed from Eve's view
● Proposition. Alice and Bob have no common secrets.
● Proof depends on properties of h and

Attacking the main phase
● There is a finite set of messages Z, such that
● As long as no message from Z “is sent” between Alice and Bob, Eve can simulate the traffic
  – Authenticity means: before Bob accepts a payload, a message in Z must be sent from Alice to Bob.
● Eve cannot simulate the step containing messages from Z, but can continue simulation after that
  – these messages are removed from Z
● Perenniality means: while Eve is not noticeable, Alice and Bob must work towards Bob accepting payloads
● Eventually Z will be empty and Eve can masquerade as Alice

Simulation: more details
● Z is the set of submessages of messages exchanged during the initialization phase
● as long as XORs are not used
● Eve rewrites messages by replacing
● elements of Z
● new nonces generated by Alice or Bob
● with new nonces of her own
● if Alice [Bob] sends a message to Bob [Alice] such that an element z ∈ Z can be found, then Eve removes z from Z and continues.

Simulation: considering XOR-s
● The set Z also contains the XOR-s of all submessages of messages sent during the initialization phase
● remove from Z the messages that Eve knows
● Now it is possible to learn an element of Z without this element actually being sent as a message

Simulation: about the proof
● A homomorphism of messages is a homomorphism of the underlying algebra
● A party cannot notice a monomorphism applied to its message store
● Eve's translation defines a mapping φ on
● Alice's nonces – φ(r)=r for all nonces r
● messages received from Bob
● We must show φ can be extended to a monomorphism
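The definitions on the preceding slides (messages as a term algebra, message stores, common secrets, the set Z of undisclosed submessages, and a nonce renaming that a party cannot notice) made concrete in an added Python example; this is not code from the paper, and the algebra is a toy one assumed for the example: constants, nonces, a hash constructor h and pairing, with XOR and its congruence left out (the slide's "as long as XORs are not used" case). Derivability is the usual Dolev-Yao closure: pairs can be taken apart, hashes cannot be inverted, constants are public. The initialization scenario at the bottom (each party sends the hash of its own fresh nonce) is constructed for the example, and the common-secret search only checks a finite candidate set, whereas the proposition on the slide covers all messages.

```python
from itertools import chain

# Toy term algebra, constructed for this example (not the paper's syntax):
#   ('const', name)   ('nonce', name)   ('h', t)   ('pair', t1, t2)
def const(name): return ('const', name)
def nonce(name): return ('nonce', name)
def h(t): return ('h', t)
def pair(a, b): return ('pair', a, b)


def submessages(t):
    """t together with all of its subterms."""
    out = {t}
    for sub in t[1:]:
        if isinstance(sub, tuple):
            out |= submessages(sub)
    return out


def analyze(view):
    """Close a set of messages under taking apart: pairs split, h does not invert."""
    known = set(view)
    todo = list(view)
    while todo:
        t = todo.pop()
        if t[0] == 'pair':
            for part in t[1:]:
                if part not in known:
                    known.add(part)
                    todo.append(part)
    return known


def derivable(view, target, known=None):
    """Dolev-Yao derivability: analyze the view, then build the target with h and
    pair.  A nonce is derivable only if it is in the analyzed view."""
    if known is None:
        known = analyze(view)
    if target in known or target[0] == 'const':
        return True
    if target[0] == 'h':
        return derivable(view, target[1], known)
    if target[0] == 'pair':
        return derivable(view, target[1], known) and derivable(view, target[2], known)
    return False


def is_common_secret(alice_store, bob_store, eve_view, s):
    """The slide's definition: computable by Alice and by Bob, not from Eve's view."""
    return (derivable(alice_store, s) and derivable(bob_store, s)
            and not derivable(eve_view, s))


def common_secrets(alice_store, bob_store, eve_view):
    """Spot check over a finite candidate set: submessages of both stores and their hashes."""
    cands = set()
    for t in chain(alice_store, bob_store):
        cands |= submessages(t)
    cands |= {h(t) for t in list(cands)}
    return {s for s in cands if is_common_secret(alice_store, bob_store, eve_view, s)}


def initial_Z(init_messages, eve_view):
    """Z: submessages of the initialization messages that Eve cannot derive herself."""
    subs = set().union(*(submessages(m) for m in init_messages))
    return {z for z in subs if not derivable(eve_view, z)}


def rename(t, phi):
    """Homomorphism of the algebra: nonce r goes to phi.get(r, r), constructors are kept."""
    if t[0] == 'nonce':
        return phi.get(t, t)
    if t[0] == 'h':
        return h(rename(t[1], phi))
    if t[0] == 'pair':
        return pair(rename(t[1], phi), rename(t[2], phi))
    return t


def renaming_unnoticed(store, targets, phi):
    """A party cannot notice a monomorphism applied to its message store: for an
    injective renaming onto fresh nonces, derivability of every target is the same
    before and after renaming (store and target renamed together)."""
    fresh = set(phi.values())
    used = set().union(*(submessages(t) for t in store))
    assert len(fresh) == len(phi) and not (fresh & used), "phi must be injective and fresh"
    renamed = [rename(t, phi) for t in store]
    return all(derivable(store, s) == derivable(renamed, rename(s, phi)) for s in targets)


# Constructed initialization phase: each party sends the hash of its own fresh nonce.
rA, rB = nonce('rA'), nonce('rB')
INIT = [h(rA), h(rB)]
ALICE = [rA, h(rB)]    # own nonce plus the message received from Bob
BOB = [rB, h(rA)]
EVE = list(INIT)       # Eve's view: everything that crossed the channel

if __name__ == '__main__':
    print("common secrets:", common_secrets(ALICE, BOB, EVE))      # set()
    print("initial Z:", initial_Z(INIT, EVE))                      # {rA, rB}
    print("Bob notices Eve renaming rA?",
          not renaming_unnoticed(BOB, [rA, h(rA), rB], {rA: nonce('e1')}))   # False
```

In the constructed scenario the search finds no common secret (every candidate is either missing from one store or derivable from Eve's view), Z consists of the two unrevealed nonces, and swapping Alice's nonce for one of Eve's own inside Bob's store changes nothing Bob can compute, which is the shape of the simulation argument. Adding a pre-shared nonce to both stores makes the same check report it, and its hash, as common secrets, so the checker does distinguish the two situations.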

Conclusions
● We have shown that authentication cannot be extended to infinity using just the primitives of symmetric cryptography.
● The proof had two parts
● no common secrets
● possibility of simulation
● Both parts depended on the choice of primitives

But in the computational model...
● Signature schemes can be constructed from hash functions
● Some constructions do not a priori bound the number of signatures possible – [Merkle, CRYPTO'87]
● MRP-s can be constructed from signature schemes
● If the number of signatures is unbounded, then the MRP is perennial

No common secrets
● Let be two sets of messages corresponding to how Alice and Bob could compute during the initialization phase
● The set is closed wrt. submessages
● If then or
● same when we swap Alice and Bob
● Let be such that
● Those conditions keep holding when we apply a single computational step to messages in or and add the result back to this set.

Example: Mashatan-Stinson MRP
● Initialization phase:
● Alice generates nonces and sends to Bob
● Bob generates nonces and sends to Alice
● Note that the protocol uses only hash functions.
● Here the set Z is

Example: Mashatan-Stinson MRP
● Main phase: Alice must transmit a payload
(diagram: generate, check, generate, check; increment the indices)

Eve's simulation
(diagram: generate, remember; Bob does not notice a change)

Eve's simulation
(diagram: generate; elements of Z are sent now; generate, remember; Alice does not notice a change)

Eve's simulation
(diagram: generate; Bob compares and sees a problem)

Resynchronization
(diagram: generate)

Eve's simulation: Alice's resynchronization
(diagram: generate; at this point, Eve can masquerade as Alice)