Slide 1: Sound Approximations to Diffie-Hellman using Rewrite Rules
Christopher Lynch, Catherine Meadows, Naval Research Lab
Slide 2: Example: DH Protocol
A → B: x^(n_A)
B → A: x^(n_B)
A → B: e(h(exp(x, n_B · n_A)), m)
B → A: e(h(exp(x, n_A · n_B)), m')
Slide 3: Cryptographic Protocol Analysis
The formal methods approach usually ignores the properties of the algorithm.
But the algebraic properties of the algorithm can be modeled as an equational theory (by using equational unification).
Slide 4: DH uses Commutativity (C)
exp(x, n_B · n_A) = exp(x, n_A · n_B)
This can lead to attacks. Analysis using C-unification finds these attacks.
Slide 5: C-Unification
exp(b, X · Y) = exp(b, n_A · n_B) has two solutions:
Solution 1: [X ↦ n_A, Y ↦ n_B]
Solution 2: [X ↦ n_B, Y ↦ n_A]
Slide 6: C-unification is Exponential
exp(b, X_1 · … · X_n) = exp(b, c_1 · … · c_n) has 2^n solutions.
Let d_1, …, d_n be a permutation of c_1, …, c_n (2^n permutations exist).
Then [X_1 ↦ d_1, …, X_n ↦ d_n] is a solution.
Slide 7: Goal of Paper
Find an efficient theory H that approximates C soundly, i.e., an attack modulo H is an attack modulo C.
But what about vice versa? (That's the hard part.)
Slide 8: Our Results
We found an efficient theory H which approximates C soundly.
We gave simple properties for a DH protocol to satisfy.
We showed that if a protocol has these properties then a C-attack can be converted to an H-attack.
Slide 9: Basic Properties
Hashed symmetric keys are of the form h(exp(x, n_A · n_B)).
An honest principal can send exp(x, n_A).
h-terms appear nowhere else, exponent nonces appear nowhere else, exp-terms appear nowhere else.
Slide 10: Properties preventing Role Confusion Attacks
Messages encrypted with the DH key from the Initiator and from the Responder must be of different form.
Messages encrypted with the DH key must contain a unique strand id.
Slide 11: Intruder
As usual, the intruder can see all messages, and modify, delete and create messages.
Of course, the intruder does not have to obey any of these rules.
Slide 12: About the Properties
Most DH protocols for two principals satisfy these properties.
They are syntactic, so it is easy to check whether a protocol meets them.
Slide 13: Who Cares?
A protocol developer: a protocol with these properties will have no attack based on commutativity.
A protocol analyzer: if a protocol has these properties, analyze it using the efficient H-theory. Only if it does not, use C.
Slide 14: Contents of Talk
Representation of Protocol
Derivation Rules
Properties and Proof Techniques
Slide 15: Example of DH Protocol
A → B: [exp(x, n_A), nonce]
B → A: [exp(x, n_B), e(h(exp(x, n_B · n_A)), exp(x, n_A))]
A → B: e(h(exp(x, n_A · n_B)), ok)
Slide 16: Specification of Protocol Rules
A: → [exp(x, n_A), nonce]
B: [Y, nonce] → [exp(x, n_B), e(h(Y, n_B), Y)]
A: [Z, e(h(exp(Z, n_A)), exp(x, n_A))] → e(h(exp(Z, n_A)), ok)
Slide 17: Instantiation of Specification
A: → [exp(x, n_A), nonce]
B: [exp(x, n_A), nonce] → [exp(x, n_B), e(h(exp(x, n_A · n_B)), exp(x, n_A))]
A: [exp(x, n_B), e(h(exp(x, n_B · n_A)), exp(x, n_A))] → e(h(exp(x, n_B · n_A)), ok)
Slide 18: Equation needed in Protocol
Need to know that: h(exp(x, n_A · n_B)) = h(exp(x, n_B · n_A))
That's where C is needed, but is there a more efficient H?
h(exp(X, Y · Z)) = h(exp(X, Z · Y)) will work, but we can be more efficient.
Slide 19: Modification of DH Protocol
Assume the initiator uses hash function h_1 and the responder uses h_2.
A → B: [exp(x, n_A), nonce]
B → A: [exp(x, n_B), e(h_2(exp(x, n_B · n_A)), exp(x, n_A))]
A → B: e(h_1(exp(x, n_A · n_B)), ok)
Slide 20: New Specification
A: → [exp(x, n_A), nonce]
B: [Y, nonce] → [exp(x, n_B), e(h_2(Y, n_B), Y)]
A: [Z, e(h_2(exp(Z, n_A)), exp(x, n_A))] → e(h_1(exp(Z, n_A)), ok)
Slide 21: New Instantiation
A: → [exp(x, n_A), nonce]
B: [exp(x, n_A), nonce] → [exp(x, n_B), e(h_2(exp(x, n_A · n_B)), exp(x, n_A))]
A: [exp(x, n_B), e(h_2(exp(x, n_B · n_A)), exp(x, n_A))] → e(h_1(exp(x, n_B · n_A)), ok)
Slide 22: Equation we now need
h_1(exp(x, n_A · n_B)) = h_2(exp(x, n_B · n_A))
So theory H will be h_1(exp(X, Y · Z)) = h_2(exp(X, Z · Y)).
Slide 23: How Efficient is H?
Using results from [LM01], we see that:
In H, all unifiable terms have a most general unifier.
The complexity of H-unification is quadratic (usually linear in practice).
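The contrast between slides 5-6 and slides 22-23, as an added example that is not code from the Lynch/Meadows paper or slides: C-unification of exp(b, X_1 · … · X_n) = exp(b, c_1 · … · c_n) is solved by enumerating assignments of the constants to the variables, while unification modulo H needs only syntactic unification plus the single axiom h_1(exp(X, Y · Z)) = h_2(exp(X, Z · Y)) and returns one most general unifier. The term encoding (tuples tagged "exp", "mul", "h1", "h2"; uppercase strings for variables) is an assumption of this example, and the toy H-unifier only accepts h-arguments already of the exp(base, Y · Z) shape that slide 9 restricts h-terms to.

```python
"""
Added illustration (not from the Lynch/Meadows paper or slides): C-unifiers
of exp(b, X1*...*Xn) = exp(b, c1*...*cn) by enumeration, versus the single
most general unifier that theory H yields.

Term encoding (constructed for this example):
  constants / nonces : lowercase strings, e.g. "b", "nA"
  variables          : uppercase strings, e.g. "X", "Y"
  exponent product   : ("mul", left, right)
  exp term           : ("exp", base, ("mul", Y, Z))
  hashed term        : ("h1", t) or ("h2", t)
"""
from itertools import permutations


def is_var(t):
    return isinstance(t, str) and t[:1].isupper()


def c_unifiers(variables, constants):
    """All solutions of exp(b, X1*...*Xn) = exp(b, c1*...*cn) modulo
    commutativity: every distinct assignment of the constants to the
    variables is a solution, since multiplication order is irrelevant under C."""
    return [dict(zip(variables, perm))
            for perm in sorted(set(permutations(constants)))]


def walk(t, s):
    """Follow variable bindings in substitution s."""
    while is_var(t) and t in s:
        t = s[t]
    return t


def occurs(v, t, s):
    t = walk(t, s)
    return t == v or (isinstance(t, tuple) and any(occurs(v, x, s) for x in t[1:]))


def is_exp2(t):
    """exp(base, Y*Z): the only exp shape the H axiom mentions."""
    return (isinstance(t, tuple) and t[0] == "exp" and len(t) == 3
            and isinstance(t[2], tuple) and t[2][0] == "mul" and len(t[2]) == 3)


def unify_h(a, b, s=None):
    """Syntactic unification plus the single axiom of H,
         h1(exp(X, Y*Z)) = h2(exp(X, Z*Y)).
    Returns the most general unifier as a dict, or None if there is none.
    Toy limitation: the argument of h1/h2 must already have exp(base, Y*Z) shape."""
    s = {} if s is None else s
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if is_var(a):
        return None if occurs(a, b, s) else {**s, a: b}
    if is_var(b):
        return unify_h(b, a, s)
    if not (isinstance(a, tuple) and isinstance(b, tuple)):
        return None
    if {a[0], b[0]} == {"h1", "h2"}:
        u, v = (a[1], b[1]) if a[0] == "h1" else (b[1], a[1])
        u, v = walk(u, s), walk(v, s)
        if not (is_exp2(u) and is_exp2(v)):
            return None
        # exp(X, Y*Z) against exp(X', Z'*Y'): X~X', Y~Z', Z~Y'
        pairs = ((u[1], v[1]), (u[2][1], v[2][2]), (u[2][2], v[2][1]))
    elif a[0] == b[0] and len(a) == len(b):
        pairs = zip(a[1:], b[1:])          # ordinary decomposition
    else:
        return None
    for p, q in pairs:
        s = unify_h(p, q, s)
        if s is None:
            return None
    return s


def apply(t, s):
    """Apply substitution s to term t."""
    t = walk(t, s)
    if isinstance(t, tuple):
        return (t[0],) + tuple(apply(x, s) for x in t[1:])
    return t


def demo():
    # Slide 5: exp(b, X*Y) = exp(b, nA*nB) has exactly two C-unifiers.
    two = c_unifiers(["X", "Y"], ["nA", "nB"])
    # Slide 22: h1(exp(X, Y*Z)) = h2(exp(x, nA*nB)) has one most general H-unifier.
    lhs = ("h1", ("exp", "X", ("mul", "Y", "Z")))
    rhs = ("h2", ("exp", "x", ("mul", "nA", "nB")))
    return two, unify_h(lhs, rhs)


if __name__ == "__main__":
    sols, mgu = demo()
    print("C-unifiers:", sols)
    print("H-mgu:", mgu)
```

Note that h_1(exp(x, n_A · n_B)) against h_2(exp(x, n_A · n_B)) fails under unify_h, and so does h_1(exp(x, n_A · n_B)) against h_1(exp(x, n_B · n_A)): H equates only the h_1/h_2 pair with reversed exponents, which is exactly why it is cheaper than C.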
Slide 24: Completeness Theorem
Start with an attack modulo C on the h-protocol.
Convert it to an attack modulo CH on the (h_1, h_2)-protocol.
Convert that to an attack modulo H on the (h_1, h_2)-protocol.
Slide 25: Differences between H and CH
h_1(exp(x, n_1 · n_2)) equals h_2(exp(x, n_1 · n_2)) modulo CH but not modulo C.
h_1(exp(x, n_1 · n_2)) equals h_1(exp(x, n_2 · n_1)) modulo CH but not modulo C.
h_1(exp(x, n_1 · n_2 · n_3)) equals h_2(exp(x, n_3 · n_2 · n_1)) modulo CH but not modulo C.
Slide 26: Protocol Instance
A protocol instance has 2 parts:
1. Protocol Rules
2. Derivation Rules to represent the Intruder
Slide 27: Derivation Rules
[X, Y] ⊢ X
[X, Y] ⊢ Y
X, Y ⊢ [X, Y]
privkey(A), enc(pubkey(A), X) ⊢ X
pubkey(A), enc(privkey(A), X) ⊢ X
Slide 28: More Derivation Rules
X, Y ⊢ enc(X, Y)
X, Y ⊢ e(X, Y)
X ⊢ h_i(X)
X, e(X, Y) ⊢ Y
X, Y ⊢ exp(X, Y)
Slide 29: Derivation modulo CH
Recall the rule X, e(X, Y) ⊢ Y.
Derivation modulo CH: X_1, e(X_2, Y) ⊢_CH Y if X_1 =_CH X_2
Slide 30: Example
h_1(exp(x, n_B · n_I · n_A)), e(h_2(exp(x, n_A · n_I · n_B)), m) ⊢_CH m
But not h_1(exp(x, n_B · n_I · n_A)), e(h_2(exp(x, n_A · n_I · n_B)), m) ⊢_H m
Slide 31: How to convert from ⊢_CH to ⊢_H
Requires certain properties.
Use the rewrite system R_N so that S ⊢_CH m implies S↓R_N ⊢_H m↓R_N.
R_N: exp(X, Y) → X if Y is not an honest principal nonce
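The derivation rules of slides 27-29 and the conversion of slides 30-31, as an added example that is not code from the Lynch/Meadows paper or slides: the intruder's knowledge is closed under the decomposition rules with the key check done modulo CH or modulo H, and the rewrite system R_N is applied to the knowledge set before deriving modulo H. The term encoding, the honest-nonce set N = {n_A, n_B} with n_I as the intruder's nonce, and the flat exponent product are assumptions of this example; the constructor rules (pairing, encryption, hashing, exponentiation) are not applied, since they are not needed for the slide-30 derivation and would make the closure infinite.

```python
"""
Added illustration (not from the Lynch/Meadows paper or slides): intruder
derivation as a closure computation, modulo CH versus modulo H, and the
rewrite system R_N of slide 31.

Term encoding (constructed for this example):
  atoms          : strings, e.g. "x", "nA", "m"
  pair [a,b]     : ("pair", a, b)
  e(key, msg)    : ("e", key, msg)
  exp term       : ("exp", base, ("mul", e1, ..., ek))   # base^(e1*...*ek)
  hashed key     : ("h1", t) or ("h2", t)
"""

# Honest principal nonces (the set N of slide 31); nI is the intruder's.
N = {"nA", "nB"}


def exps(t):
    """Exponent tuple of an exp term, empty for anything else."""
    return t[2][1:] if isinstance(t, tuple) and t[0] == "exp" else ()


def same_base(a, b):
    return exps(a) != () and exps(b) != () and a[1] == b[1]


def eq_ch(s, t):
    """Equality modulo CH: exponents commute (C) and, through H, an h1-key
    equals the h2-key with the same exponents."""
    if s == t:
        return True
    if (isinstance(s, tuple) and isinstance(t, tuple)
            and {s[0], t[0]} <= {"h1", "h2"}):
        return same_base(s[1], t[1]) and sorted(exps(s[1])) == sorted(exps(t[1]))
    return False


def eq_h(s, t):
    """Equality modulo H alone: h1(exp(X, Y*Z)) = h2(exp(X, Z*Y)) and nothing
    else, so exactly two exponents in reversed order."""
    if s == t:
        return True
    if (isinstance(s, tuple) and isinstance(t, tuple)
            and {s[0], t[0]} == {"h1", "h2"}):
        a, b = s[1], t[1]
        return same_base(a, b) and len(exps(a)) == 2 and exps(a) == exps(b)[::-1]
    return False


def normalize(t):
    """Normal form under R_N: exp(X, Y) -> X when Y is not an honest nonce.
    With the flat exponent product this drops every exponent outside N;
    if none is left, the term is just its base."""
    if not isinstance(t, tuple):
        return t
    if t[0] == "exp":
        base = normalize(t[1])
        kept = tuple(e for e in exps(t) if e in N)
        return ("exp", base, ("mul",) + kept) if kept else base
    return (t[0],) + tuple(normalize(x) for x in t[1:])


def derivable(knowledge, eq):
    """Closure of the known terms under the decomposition rules of slides
    27-28:  [X,Y] |- X,  [X,Y] |- Y,  X, e(X',Y) |- Y when X = X' modulo eq.
    Constructor rules are deliberately not applied (see lead-in)."""
    known = list(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if isinstance(t, tuple) and t[0] == "pair":
                new = [t[1], t[2]]
            elif (isinstance(t, tuple) and t[0] == "e"
                  and any(eq(k, t[1]) for k in known)):
                new = [t[2]]
            else:
                new = []
            for u in new:
                if u not in known:
                    known.append(u)
                    changed = True
    return known


def derives(knowledge, goal, eq):
    return goal in derivable(knowledge, eq)


def slide30():
    """S = { h1(exp(x, nB*nI*nA)),  e(h2(exp(x, nA*nI*nB)), m) }"""
    key = ("h1", ("exp", "x", ("mul", "nB", "nI", "nA")))
    cipher = ("e", ("h2", ("exp", "x", ("mul", "nA", "nI", "nB"))), "m")
    S = [key, cipher]
    mod_ch = derives(S, "m", eq_ch)                # slide 30: m derivable modulo CH
    mod_h = derives(S, "m", eq_h)                  # slide 30: not derivable modulo H
    S_norm = [normalize(t) for t in S]             # slide 31: S reduced by R_N
    mod_h_after_rn = derives(S_norm, "m", eq_h)    # derivable modulo H after R_N
    return mod_ch, mod_h, mod_h_after_rn


if __name__ == "__main__":
    print(slide30())
```

After normalization the two keys become h_1(exp(x, n_B · n_A)) and h_2(exp(x, n_A · n_B)), which are equal modulo H, so the decryption rule fires; this is the S↓R_N ⊢_H m↓R_N step that slide 31 describes.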
Slide 32: How to convert from ⊢_C to ⊢_CH
Again certain properties.
Conversion function TWO so that S ⊢_C m implies TWO(S) ⊢_CH TWO(m).
TWO converts some occurrences of h to h_1 and others to h_2.
Slide 33: What We Show
Under certain properties, S ⊢_C m implies TWO(S) ⊢_CH TWO(m), which implies TWO(S)↓R_N ⊢_H TWO(m)↓R_N.
Slide 34: Properties of Protocol
Hashed symmetric keys are of the form h(exp(X · n)), where X eventually unifies with a term exp(b, n').
h-terms appear nowhere else, exponent nonces appear nowhere else, exp-terms appear nowhere else.
Slide 35: More Interesting Properties
A message encrypted with an h_1-term on the RHS of the protocol cannot unify with a message encrypted with an h_2-term on the LHS.
– Avoids role confusion attacks
Messages encrypted with a hashed term must include a strand id in the message.
– Avoids attacks involving different instances of the same protocol or different protocols
Slide 36: Properties of Derivable Terms
Honest principals follow the protocol rules.
But the intruder can use derivation rules to create terms which disobey the properties.
Nevertheless, we show that there are certain properties that are preserved by derivation and protocol rules.
Slide 37: Example Properties of Derivable Terms
There is a set N (honest principal nonces).
Elements of N only appear as exponents.
If a term exp(x, t_1 · … · t_n) is derivable:
– t_1 and t_n are in N or are derivable
– t_2, …, t_{n-1} are derivable
– if the term is not a key, then t_n is derivable
Slide 38: More Properties
There are many more properties, some quite complicated, and many lemmas and theorems to prove them.
Slide 39: Properties Imply
Every term will reduce by R_N to a term with at most two exponents (all exponents not in N are removed by the rewrite rules).
This and other properties imply that if s and t CH-unify then s↓R_N and t↓R_N H-unify.
Slide 40: Summary
Suppose a DH protocol obeys simple (easy to check) properties.
Then it is possible to discover attacks based on commutativity using an efficient equational theory.
Slide 41: Related Work
Properties so that attacks modeling cancellation of encryption/decryption rules are found with a free algebra:
– Symmetric Key [Millen 03]
– Public Key [LM 04]
Slide 42: Future Work
Other DH work:
– Don't assume the base is known
– What about inverses?
– Group DH protocols
Hierarchy of Protocol Models [Meadows 03]