Modelling and Analysing of Security Protocol: Lecture 2 Cryptology for Protocols Analysis Tom Chothia CWI

Today You just saw: –Simple notation for protocols –Modelling “rules” –Needham-Schroeder and Kerberos protocols Now: –The different uses of encryption –Symmetric key encryption, public key encryptions and signing –Abstract equation for modelling encryption

Encryption Encryption has many uses in security protocol: not just hiding information. A high level “equational” view of cryptography is best for analysis protocol.

Caesar Cipher One of the first codes was used by Julius Caesar. The Caesar Cipher replaces each letter of the alphabet with one three to the right, i.e. –a becomes d, –b becomes e, –.... –z becomes c.

ROT13 The Caesar Cipher is in use today as ROT13, which rotates the letters 13 places. It is used to make information hard to read i.e., –“What happens in the last Harry Potter book? Urezvbar qvrf ng gur raq.” New Paradigm Resources Group mistakenly used it to encrypt their e-books worth $3000.

Using a Key These ciphers are easy to break because as soon as you know the scheme you can decrypt the message. Modern encryption schemes use a “key”. The scheme is public but it produces different results for each key.

Using a Key For instance we can use the Caesar cipher rotating “n” rotations. But only 26 possible keys so you can just try them all (breaking the cipher is 26 times harder without the key). A better scheme replaces each letter with an other letter. Here there are 26! ≈ 4 x 10 26

Frequency analysis While hard to break by brute force, replacing each letter with another is each to break using frequency analysis. Frequency analysis counts the number of times each symbol occurs and tries to draw conclusions.

Frequency Analysis picture for wikipedia GNU

The Enigma Machine Encryption got serious in the run up to World War 2. The Enigma Machine is better demonstrated than described.

Block Ciphers Modern ciphers work on blocks of plain text, not just a single symbol. They are made up of a series of permutations and substitutions repeated on each block. The key controls the exact nature of the permutations and substitutions.

Advanced Encryption Standard ( AES ) AES is a state-of-the-art block cipher. It works on blocks of 128-bits. It generates 10 round keys from a single 128- bit key. It uses one permutation: ShiftRows and three substitutions SubBytes, MixColumns, AddRoundKey.

Modulo Arithmetic Arithmetic modulo “n” means that you count up to “n” then loop back to 0 i.e., 0,1,2,...,n,0,1,2,...,n,0,1,2,... a mod b = r for largest whole number k such that a = b.k + r e.g. 9 mod 4 = 1 because 9 =

SubBytes The “SubByte” is a fixed substitution based on matrix multiplication, one byte at a type. a 0,0 a 1,0 a 2,0 a 3,0 a 0,1 a 1,1 a 2,1 a 3,1 a 0,2 a 2,2 a 3,2 a 0,3 a 1,3 a 2,3 a 3,3 b 0,0 b 1,0 b 2,0 b 3,0 b 0,1 b 1,1 b 2,1 b 3,1 b 0,2 b 1,2 b 2,2 b 3,2 b 0,3 b 1,3 b 2,3 b 3,3 a 1,2 b 1,2

ShiftRows “ShiftRows” moves the –2nd row one byte to the left, –the 3rd row two bytes –and the 4th row 3 bytes. a 0,0 a 1,0 a 2,0 a 3,0 a 0,1 a 1,1 a 2,1 a 3,1 a 0,2 a 2,2 a 3,2 a 0,3 a 1,3 a 2,3 a 3,3 b 0,0 b 1,0 b 2,0 b 3,0 b 0,1 b 1,1 b 2,1 b 3,1 b 0,2 b 1,2 b 2,2 b 3,2 b 0,3 b 1,3 b 2,3 b 3,3 a 1,2 a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,3 a 1,2 a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 no change 1 to the left 2 to the left 3 to the left

MixColumn “MixColumn” is a substitution of each column such that: (a 0.x 3 +a 1.x 2 + a 2.x + a 3 ) x (a 0.x 3 +a 1.x 2 +a 2.x+a 3 ) mod (x 4 +1) = ( b 0.x 3 + b 1.x 2 + b 2.x + b 3 ) a 0,0 a 1,0 a 2,0 a 3,0 a 0,1 a 1,1 a 2,1 a 3,1 a 0,3 a 1,3 a 2,3 a 3,3 b 0,0 b 1,0 b 2,0 b 3,0 b 0,1 b 1,1 b 2,1 b 3,1 b 0,2 b 1,2 b 2,2 b 3,2 b 0,3 b 1,3 b 2,3 b 3,3 a 0,2 a 2,2 a 3,2 a 1,2 b 0,2 b 2,2 b 3,2 b 1,2

AddRoundKey “AddRoundKey” xor’s the block with the 128- bit round key (which was generated from the main key). – b i,j = a i,j xor k i,j a 0,0 a 1,0 a 2,0 a 3,0 a 0,1 a 1,1 a 2,1 a 3,1 a 0,2 a 2,2 a 3,2 a 0,3 a 1,3 a 2,3 a 3,3 b 0,0 b 1,0 b 2,0 b 3,0 b 0,1 b 1,1 b 2,1 b 3,1 b 0,2 b 1,2 b 2,2 b 3,2 b 0,3 b 1,3 b 2,3 b 3,3 a 1,2 xor with key

AES AES encrypts data by first generating the round keys from the main key Then 9 rounds of: 1.SubBytes 2.ShiftRows 3.MixColumns 4.AddRoundKey Finally: 1.SubBytes 2.ShiftRows 3.AddRoundKey

Equations Including the details of AES in our model would make it impossible to work with so we assume that the encryption scheme just works. When analysing protocols we need a formal way of writing down how it works. We use constructor and destructor functions. –Constructor build up data structures. –Destructor functions break down data structures that are build with the constructors.

Equations For example we can mode AES encryption with two functions: encrypt(m,k) decrypt(m,k) The constructor function “encrypt(m,k)” is the same as writing { m } k. The destructor function “decrypt(m,k)” can return the data m if the keys match: decrypt( encrypt(m,k), k ) = m

Probabilistic Encryption These equations tell us that you cannot find “m” without the key “k” but: encrypt(m,k) = encrypt(m’,k’) iff m=m’ /\ k=k’ Probabilistic encryption schemes use random elements to make every encryption different. We model this with: { m }k means encrypt(m,r,k) for random r decrypt( encrypt(m,r,k), k ) = m

The Key Problem These encryption schemes work well. AES is effectively unbreakable with a “long enough key”. The problem is how do you get the key in the first place?

Public Key Encryption Public key encryption helps (but doesn’t solve) this problem. The idea of public key encryption is that you have two keys: –one for encryption –and another for decryption. The encryption key is made public, the decryption key is always secret.

RSA RSA is the most popular public key cipher. It uses two large primes p & q. We set n = p.q and o(n) = (p-1)(q-1) And we pick random –e such that 1 ≤ e ≤ o(n) and e and o(n) are co-prime. –d such that d.e mod o(n) = 1 The public key is (e,n) and the private key is (d,n)

RSA To encrypt a message, turn it into numbers “m” that are less than “n” The encrypt as cipher text c do: c = m e mod n To decrypt a cipher text c as a message m do: m = c d mod n

Public Key Equations We can formulate this using the functions: pub(sk) encrypt(m,sk) decrypt(m,pk) decrypt( encrypt (m, pub(sk)), sk) = m This tells us everything we need to know about public key encryption for checking protocols.

Public Key Equations Another formulation could be: pub(seed) pri(seed) encrypt(m,sk) decrypt(m,pk) decrypt( encrypt (m, pub(seed) ), pri(seed) ) = m decrypt( encrypt (m, pri(seed) ), pub(seed) ) = m Now you cannot learn the public key from the private key and either key can decrypt the other.

Signatures Encrypting with a private key can work as signing. Anyone that has my public key can check that it was me that signed a message. Treating encryption and signing in the same way can lead to confusion, so authentication is handled separately, using the functions “auth”, “sign”, “pub” and “value”: auth ( sign (m, k), pub(k) ) = m message ( sign(m, k) ) = m

Secure Hash A hash is a short “unique” code generated from a message. It is very hard to find a message with the same hash as another message. We model this with a singe function hash(m). –hash(m) = hash(m’) iff m = m’ So given “m” and a hash “h” we can test is “hash(m) = h”

The Uses of Encryption 1)Keep data secret –Only the holders of the key can read the encrypted data 2) Authentication –The encrypted message must have come from someone who had the key. 3) Binding: –The attacker cannot break up an encrypted message

The Uses of Encryption in Kerberos 1.A  S : A,B,N A 2.S  A : {K AB,B,L,N A } K AS,{K AB,A,L} K BS 3.A  B : {A,T A } K AB,{K AB,A,L} K BS 4.B  A : {T A +1 } K AB Keeping data secret: encryption keeps K AB secret from an outside observer.

The Uses of Encryption in Kerberos 1.A  S : A,B,N A 2.S  A : {K AB,B,L,N A } K AS, {K AB,A,L} K BS 3.A  B : {A,T A } K AB, {K AB,A,L} K BS 4.B  A : {T A +1 } K AB Authentication: encryption with the key K BS lets B know that the message came from S

The Uses of Encryption in Kerberos 1.A  S : A,B,N A 2.S  A : {K AB,B,L,N A } K AS, {K AB,A,L} K BS 3.A  B : {A,T A } K AB, {K AB,A,L} K BS 4.B  A : {T A +1 } K AB Binding: encryption bind the key K AB to the nonce N A therefore A knows that K AB is fresh.

Encryption: Conclusion We assume encryption always works but we still need to know some details e.g. –Does the same message encrypted twice look the same both times? Simple equations are good at doing this. You should keep them in mind when designing / analysing protocol. It is very, very important to know exactly why encryption is used.

Next Time Different types of attacks on protocols The goals a protocol might have. Good design principles.