Cryptographic Protocol Models and Free Algebras Chris Lynch and Cathy Meadows Naval Research Laboratory.

1 Cryptographic Protocol Models and Free Algebras Chris Lynch and Cathy Meadows Naval Research Laboratory

2 Idea
- Cryptographic Protocol Analysis usually ignores properties of algorithms (Free Algebra Approach)
- NRL Protocol Analyzer uses equational theories to model some algorithm properties (Equational Approach)
- Under what conditions do the two approaches find the same attacks?

3 Why Study This (reason 1)
- Equational Approach finds attacks that Free Algebra approach does not
- However, equational unification can have higher complexity than syntactic unification
- So an Analyzer would like to know what conditions require Equational Approach

4 Why Study This (reason 2)
- A Protocol Developer can use our conditions as guidelines for developing protocols
- Our conditions are simple and sensible
- Then the Protocol Developer can be assured that no attacks will be caused by these algorithm properties

5 Our Results
- Millen gave conditions to guarantee that Free Algebra approach is equivalent to Equational Approach (Cancellation Rules) for Shared Key Cryptography
- He left Public Key Cryptography as an Open Problem
- We solve that and generalize his results for shared key

6 Guidelines
- Assume received encrypted/signed messages are structured, because any message can be viewed as the encryption of a decrypted message
- Only send structured encrypted messages, to avoid intruder attacking you with a decrypted message
- Must trust that keys are of proper type (encryption and signed keys are distinguished)

7 Alternative Guidelines
- All encrypted/signed messages are structured
- Do not directly encrypt/sign an encrypted/signed message
- Easy to do, e.g., send encrypted messages with another piece of data
- Don’t need to trust keys, and keys don’t need to be distinguished

8 Contents of Talk
1. Derivations for Cryptographic Protocol Analysis
2. Conditions where Free Algebra approach equals Equational Approach
3. Soundness Theorems
4. Conclusions and Future Work

9 Representing Keys
- Key represented as pk(N,P,E), where
  - N = name of key
  - P = pub or priv
  - E = enc or sig
- e.g. pk(a,pub,enc) is a key for public encryption for principal A
- pe(pk(a,priv,sig),m) represents message m signed with A’s private key

10 Pure Protocols
- In a protocol, we assume the second and third arguments to pk are not variables
- A protocol is pure if it does not contain private encryption or public signature

11 Dolev Yao Model
- Intruder can see all sent messages
- Intruder can create and modify and send messages
- We use derivation rules to model messages that Intruder can construct

12 Free Algebra
- [X,Y] ├ X
- [X,Y] ├ Y
- X, Y ├ [X,Y]
- X, pk(K,pub,enc) ├ pe(pk(K,pub,enc),X)
- X, pk(K,priv,sig) ├ pe(pk(K,priv,sig),X)
- pe(pk(K,pub,enc),X), pk(K,priv,enc) ├ X
- pe(pk(K,priv,sig),X), pk(K,pub,sig) ├ X

13 Equational Theory
- pe(pk(K,pub,enc),pe(pk(K,priv,enc),X)) = X
- pe(pk(K,priv,enc),pe(pk(K,pub,enc),X)) = X
- pe(pk(K,pub,sig),pe(pk(K,priv,sig),X)) = X
- pe(pk(K,priv,sig),pe(pk(K,pub,sig),X)) = X
- Can be expressed as Confluent Rewrite System R

14 Additional Derivation Rules
- X, pk(K,priv,enc) ├ pe(pk(K,priv,enc),X)
- X, pk(K,pub,sig) ├ pe(pk(K,pub,sig),X)
- Everything is reduced by R
- Need to compare Original Derivation Rules with Extended Set (reducing by R)

15 Example 1
- Protocol: If A receives pe(pk(k,pub,enc),X) then A sends s
- Attack: Send m to A
  - X = pe(pk(k,priv,enc),m), so A will send s
- This cannot be detected by Free Algebra

16 Example 2 (Millen)
- Protocol:
  - A sends pe(pk(k,pub,enc),s)
  - If B receives pe(pk(k,pub,enc),pe(pk(c,pub,enc),X)) then B sends X
- Attack: I sends pe(pk(k,pub,enc),s) to B
  - X = pe(pk(c,priv,enc),s), so B sends pe(pk(c,priv,enc),s)
  - If I knows pk(c,pub,enc) then I knows s
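
Examples 1 and 2 checked mechanically, as an added example that is not part of the original slides: the rewrite system R is applied innermost-first to terms encoded as tuples, and the substitutions given on the slides are verified rather than searched for. The tuple encoding and all function names are assumptions made for this sketch.

```python
# Added example. Terms are nested tuples; atoms such as "s" are plain strings.
def pk(name, half, use): return ("pk", name, half, use)
def pe(key, msg): return ("pe", key, msg)
def var(name): return ("var", name)
def is_(t, head): return isinstance(t, tuple) and t[0] == head

def inverse(key):
    """Other half of the same key pair: pub <-> priv, same name and use."""
    return pk(key[1], "priv" if key[2] == "pub" else "pub", key[3])

def normalize(t):
    """Innermost reduction by R: pe(k, pe(inverse(k), X)) -> X."""
    if not (is_(t, "pe") or is_(t, "pair")):
        return t
    args = [normalize(a) for a in t[1:]]
    if (is_(t, "pe") and is_(args[0], "pk") and is_(args[1], "pe")
            and args[1][1] == inverse(args[0])):
        return args[1][2]
    return (t[0], *args)

def apply(t, sigma):
    """Replace variables in t by their images under sigma."""
    if is_(t, "var"):
        return sigma.get(t[1], t)
    return (t[0], *(apply(a, sigma) for a in t[1:])) if isinstance(t, tuple) else t

def free_match(pat, msg, sigma=None):
    """Syntactic (free algebra) matching: a substitution, or None."""
    sigma = {} if sigma is None else sigma
    if is_(pat, "var"):
        return sigma if sigma.setdefault(pat[1], msg) == msg else None
    if isinstance(pat, tuple) and isinstance(msg, tuple) and len(pat) == len(msg):
        ok = all(free_match(p, m, sigma) is not None for p, m in zip(pat, msg))
        return sigma if ok else None
    return sigma if pat == msg else None

def equational_match(pat, sigma, msg):
    """True if pat*sigma and msg have the same normal form under R."""
    return normalize(apply(pat, sigma)) == normalize(msg)

K_PUB, K_PRIV = pk("k", "pub", "enc"), pk("k", "priv", "enc")
C_PUB, C_PRIV = pk("c", "pub", "enc"), pk("c", "priv", "enc")
EX1_PATTERN, EX1_SIGMA = pe(K_PUB, var("X")), {"X": pe(K_PRIV, "m")}
EX2_PATTERN, EX2_MSG = pe(K_PUB, pe(C_PUB, var("X"))), pe(K_PUB, "s")
EX2_SIGMA = {"X": pe(C_PRIV, "s")}

def example2_leak():
    """B replies X*sigma; the intruder applies pk(c,pub,enc) and reduces by R."""
    return normalize(pe(C_PUB, apply(var("X"), EX2_SIGMA)))
```

In both examples `free_match` returns `None` while `equational_match` succeeds, which is exactly the gap between the two approaches that the talk's conditions are meant to close.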

17 Example 3
- Protocol: If A receives X then A sends pe(pk(a,priv,sig),pe(pk(c,pub,enc),X))
- Attack: I sends pe(pk(c,priv,enc),s) to A
  - So A sends pe(pk(a,priv,sig),s)

18 Example 4
- Protocol: If A receives keys X and Y then A sends pe(X,pe(Y,s))
- Attack: I sends pk(c,pub,enc) and pk(c,priv,enc) to A
  - So A sends s

19 Finding Attacks
- Millen and Shmatikov show that any reachability problem can be converted into a constraint problem
- Given set of terms T and term t, find σ such that Tσ ├ tσ
- T represents sent messages
- t represents received messages or secret

20 Setting up Constraint Problem
- Interleave finitely many instances of protocol with terms Intruder wants to find
- If constraint set has a simultaneous solution then terms are found by Intruder

21 Constraint Example
- A sends t_0 = pe(pk(c,pub,enc),pe(pk(k,pub,enc),s))
- If B receives pe(X,Y) then B sends Y
- I knows c and I wants to know s
- T_1 = {c, t_0}, t_1 = pe(X,Y)
- T_2 = {c, t_0, Y}, t_2 = s
- Solution is X=pe(pk(k,pub,enc),s), Y=s

22 PEV-free
- A protocol is PEV-free if pe never has a variable for an argument
- Theorem: If a protocol is pure and PEV-free, then any attack using Equational Approach can be converted to an attack in Free Algebra

23 Purification
- Rewrite System P:
  - pe(pk(K,priv,enc),X) → X
  - pe(pk(K,pub,sig),X) → X
- We actually show that the Equational attack can be converted into a purified attack in Free Algebra

24 Main Theorem
- Suppose s_1 … s_n irreducible by R and s_1 … s_n ├ s in Equational Derivation
- Then either s_1↓P … s_n↓P ├ s↓P in Free Algebra Derivation, or s_i↓P = s↓P for some i
- Also, s is irreducible by R

25 Main Lemmas
1. If t is pure and PEV-free and t and σ are irreducible by R then tσ is irreducible by R
2. If t and σ are pure then tσ is pure

26 Limitations of Approach
- Encryption and Signature keys must be distinguished
- Principals must trust that they receive a key of expected type (Trusted Server)
- Approach only deals with pure protocols

27 Structured Protocols
- Second argument of pe cannot be a variable or a pe-term
  - could just pair with constant
- First argument is allowed to be variable
  - implies that Principals do not need to trust key types or distinguish keys
- Results also apply to non-pure protocols

28 Structured Theorem
- If a protocol is structured, then any attack in Equational Approach has a corresponding Free Algebra attack
- In the non-pure case, the Free Algebra Derivation rules are same as Equational Derivation rules (except equational theory)
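
A syntactic check of the three conditions (pure, PEV-free, structured) over the message patterns of Examples 1 to 4, as an added example that is not part of the original slides. The tuple encoding, the function names, the reading of "pure" as a restriction on pe keys, and the tagged repair of Example 2 are assumptions made for this sketch.

```python
# Added example. Terms are nested tuples; ("pair", a, b) stands for [a,b].
def pk(name, half, use): return ("pk", name, half, use)
def pe(key, msg): return ("pe", key, msg)
def var(name): return ("var", name)
def is_(t, head): return isinstance(t, tuple) and t[0] == head

def pe_subterms(t):
    """Yield every pe(...) subterm of t, outermost first."""
    if is_(t, "pe"):
        yield t
    if isinstance(t, tuple) and not is_(t, "var"):
        for arg in t[1:]:
            yield from pe_subterms(arg)

def all_pe(terms):
    return [p for t in terms for p in pe_subterms(t)]

def is_pure(terms):
    """No private encryption or public signature (assumed reading: as a pe key)."""
    bad = {("priv", "enc"), ("pub", "sig")}
    return not any(is_(p[1], "pk") and p[1][2:] in bad for p in all_pe(terms))

def is_pev_free(terms):
    """pe never has a variable as either argument."""
    return not any(is_(p[1], "var") or is_(p[2], "var") for p in all_pe(terms))

def is_structured(terms):
    """Second argument of pe is neither a variable nor a pe-term."""
    return not any(is_(p[2], "var") or is_(p[2], "pe") for p in all_pe(terms))

def classify(terms):
    """Return (pure, pev_free, structured) for a list of message patterns."""
    return (is_pure(terms), is_pev_free(terms), is_structured(terms))

K, C, A = pk("k", "pub", "enc"), pk("c", "pub", "enc"), pk("a", "priv", "sig")
PROTOCOLS = {  # message patterns taken from the slides' examples
    "example1": [pe(K, var("X")), "s"],
    "example2": [pe(K, "s"), pe(K, pe(C, var("X"))), var("X")],
    "example3": [var("X"), pe(A, pe(C, var("X")))],
    "example4": [var("X"), var("Y"), pe(var("X"), pe(var("Y"), "s"))],
    # Constructed repair of example 2: pair each payload with a constant tag.
    "example2_tagged": [pe(K, ("pair", "t1", "s")),
                        pe(K, ("pair", "t1", pe(C, ("pair", "t2", var("X")))))],
}
REPORT = {name: classify(terms) for name, terms in PROTOCOLS.items()}
```

All four slide examples come out pure but neither PEV-free nor structured, while the tagged variant satisfies all three conditions.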

29 Conclusion
- We now have a better understanding of relationship between Free Algebra and Equational Approach
- We have guidelines for Protocol Developers
- If they follow our guidelines, there is a guarantee that Cancellation Properties won’t cause attacks
- We can easily tell if they are not followed, then use Equational Approach to analyze

30 Future Work
- Other Equational Theories for other algorithms
- Currently working on Diffie-Hellman, and have some conjectures
  - x^(ab) = x^(ba)
- Cathy will talk about more future work

