© UCL Crypto group oct.-15 On the Perfect Encryption Assumption in the Study of Security Protocols O. Pereira and J.-J. Quisquater UCL Crypto Group


1 © UCL Crypto group oct.-15 On the Perfect Encryption Assumption in the Study of Security Protocols O. Pereira and J.-J. Quisquater UCL Crypto Group http://www.uclcrypto.org

2 Outline
• Definition of the “Perfect Encryption Assumption”
• Example of an attack on a protocol using CBC
• “New” attack on a protocol using RSA
• Description of a model taking into account some properties of RSA
• Conclusions

3 Perfect Encryption Assumption
• Is part of almost all formal models
• May be expressed as follows:
  – « You need to possess the good key in order to extract any information from a given ciphertext »
  – « The only way to compute the message $\{m\}_K$ is by encrypting the message $m$ with the key $K$ »

4 Perfect Encryption is not true!
First example: Cipher Block Chaining (CBC)
PlainText: $P_1 P_2 \dots P_n$
CipherText: $C_0 C_1 C_2 \dots C_n$
where $C_0 = IV$, $C_i = \{C_{i-1} \oplus P_i\}_K$
For this scheme:
if $C_0 C_1 C_2 \dots C_i C_{i+1} \dots C_n = \{P_1 P_2 \dots P_i P_{i+1} \dots P_n\}_K$
then $C_0 C_1 C_2 \dots C_i = \{P_1 P_2 \dots P_i\}_K$
⇒ This contradicts the second part of the perfect encryption assumption!
In the Real World...
[Figure: CBC block diagram labelled $K$, $P_i$, $C_{i-1}$, $C_i$]

5 Needham-Schroeder Symmetric Key Protocol
• Aim of the protocol:
  – establish $K_{ab}$ as shared secret key with the help of Server S
  – prove to each other that the key was correctly received
1. $A \to S : A.B.N_a$
2. $S \to A : \{N_a.B.K_{ab}.\{K_{ab}.A\}_{K_{bs}}\}_{K_{as}}$
3. $A \to B : \{K_{ab}.A\}_{K_{bs}}$
4. $B \to A : \{N_b\}_{K_{ab}}$
5. $A \to B : \{N_b - 1\}_{K_{ab}}$

6 (Known) Attack on Needham-Schroeder (SK)
2. $S \to A : \{N_a.B.K_{ab}.\{K_{ab}.A\}_{K_{bs}}\}_{K_{as}}$
3. $A \to B : \{K_{ab}.A\}_{K_{bs}}$
From 2. you can compute $\{N_a.B\}_{K_{as}}$
⇒ if size($N_a$) = size($K_{ab}$) then you can fool A into accepting the publicly known $N_a$ as a shared key with B!
3'. $C(B) \to A : \{N_a.B\}_{K_{as}}$
4'. $A \to C(B) : \{N_c\}_{N_a}$
5'. $C(B) \to A : \{N_c - 1\}_{N_a}$
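
The truncation property from slides 4 and 6, as an added example that is not code from the presentation. It assumes 16-byte blocks with one block each for nonces, identifiers and keys, and uses a toy Feistel cipher as a stand-in for a real block cipher; all function names are illustrative.

```python
import hashlib, hmac, os

BLOCK = 16  # assumption: nonce, identifier and key each fill exactly one block
HALF = BLOCK // 2

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):  # round function of the toy cipher
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]

def encrypt_block(key, blk):  # toy 4-round Feistel permutation (stand-in cipher)
    l, r = blk[:HALF], blk[HALF:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def decrypt_block(key, blk):
    l, r = blk[:HALF], blk[HALF:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, blocks):  # C_0 = IV, C_i = {C_{i-1} xor P_i}_K
    out = [iv]
    for p in blocks:
        out.append(encrypt_block(key, _xor(out[-1], p)))
    return out

def cbc_decrypt(key, cblocks):
    return [_xor(decrypt_block(key, c), prev)
            for prev, c in zip(cblocks, cblocks[1:])]

def truncation_demo():
    k_as, k_bs, k_ab, n_a = (os.urandom(BLOCK) for _ in range(4))
    A, B = b"A".ljust(BLOCK, b"\0"), b"B".ljust(BLOCK, b"\0")
    ticket = cbc_encrypt(k_bs, os.urandom(BLOCK), [k_ab, A])  # {K_ab.A}_Kbs
    msg2 = cbc_encrypt(k_as, os.urandom(BLOCK), [n_a, B, k_ab] + ticket)
    truncated = msg2[:3]  # C_0 C_1 C_2 is itself a valid {N_a.B}_Kas
    # A, acting as responder, parses it like a message 3: {key.peer}
    key, peer = cbc_decrypt(k_as, truncated)
    return key == n_a and peer == B
```

The check succeeds without anyone but S and A knowing $K_{as}$: nothing in the ciphertext binds its length, so a prefix decrypts as a well-formed shorter message.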

7 Weaknesses of Block Ciphers
• Often sensitive to
  – Chosen-Plaintext Attacks
  – Chosen-Ciphertext Attacks
  – Known-Pair Attacks (due to the Risk of Dictionary Attacks, …)
• Recent work by Stubblebine and Meadows aims to automatically detect the risk of such problems

8 Another Example: RSA
Let $K = (e, n)$
  – $\{m_1\}_K = m_1^e \bmod n = c_1$
  – $\{m_2\}_K = m_2^e \bmod n = c_2$
⇒ Knowing $\{m_1\}_K$ and $\{m_2\}_K$, you can compute $\{m_1 * m_2\}_K = c_1 \cdot c_2$ without knowing $m_1 * m_2$ nor $K$!
$c_1 \cdot c_2 = (m_1 * m_2)^e \bmod n$

9 Needham-Schroeder-Lowe’s Public-Key Protocol
• Everyone has the (fresh) public key of the other principals
• Aim of the protocol:
  – prove to each other their recent presence
  – establish $N_a$ and $N_b$ as shared secrets
$A \to B : \{N_a.A\}_{K_b}$
$B \to A : \{N_a.N_b.B\}_{K_a}$
$A \to B : \{N_b\}_{K_b}$

10 Use of RSA
We suppose:
  – RSA Modulus is 1024 bits long
  – Nonces are 64 bits long
  – Identifiers are 32 bits long
  – Null padding is used
  – At reception, principals check only the bits needed for protocol’s use
  – $C \equiv 1 \bmod 8$ (C is the identifier of the intruder)
  – A is one of the four identifiers such that $A^2 \bmod 2^{32} = C$

11 Resulting Flaw
1. $A \to C(B) : \{N_a.A\}_{K_b}$
1. $C \to B : \{N_{c1}.C\}_{K_b} = (\{N_a.A\}_{K_b})^2 \bmod n_b$
2. $B \to C : \{N_{c1}.N_b.B\}_{K_c}$
2. $C(B) \to A : \{N_a.N_{c2}.B\}_{K_c}$ (computed from $N_{c1}$)
3. $A \to C(B) : \{N_{c2}\}_{K_c}$

12 How to compute $N_a$ from $N_{c1}$?
$\{N_{c1}.C\} = \{N_a.A\}^2 \bmod n_b = (2^{32} * N_a + A)^2 \bmod n_b = 2^{64} * N_a^2 + 2^{33} * N_a * A + A^2$
($n_b$ is 1024 bits long)
[Figure: bit layout of the message and its square, with boxes labelled …0000…, $N_a$, $N_a^2$, $N_a.A$, $A$, $A^2$; one box = 32 bits]

13 How to compute $N_a$ from $N_c$? (II)
It can be checked that:
  – The identifier read by B will be $A^2 \bmod 2^{32} = C$
  – $N_{c1}$ is the sum of
      • The 32 most significant bits of $A^2$
      • The 64 least significant bits of $2 * N_a * A$
      • $2^{32}$ times the 32 least significant bits of $N_a^2$
The choice between the different solutions of this problem can be done by recomputing $\{N_a.A\}_{K_b}$
[Figure: bit layout of the message and its square, with boxes labelled …0000…, $N_a$, $N_a^2$, $N_a.A$, $A$, $A^2$]
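
The arithmetic of slides 8 and 10 to 13 carried through, as an added example that is not the authors' code. It assumes the slide 10 field sizes with the identifier in the low 32 bits; the key is a constructed toy modulus (two Mersenne primes, about 1128 bits), and the nonce and identifier values are constructed.

```python
# Constructed toy key, large enough that a squared 96-bit message never wraps.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
M32, M64 = 2**32 - 1, 2**64 - 1

def enc(m):
    return pow(m, E, N)  # textbook RSA with null padding

def parse(m):
    # The receiver checks only the bits it needs: (64-bit nonce, 32-bit identifier).
    return (m >> 32) & M64, m & M32

def recover_nonce(n_c1, a, c_target):
    """Solve N_c1 = hi32(A^2) + 2*N_a*A + 2^32*(N_a^2 mod 2^32) (mod 2^64) for N_a."""
    t = (n_c1 - (a * a >> 32)) & M64
    a_inv = pow(a, -1, 2**31)  # A is odd, so it is invertible mod 2^31
    for k0 in (0, 1):  # low half x0 of N_a is known mod 2^31 only
        x0 = ((t & M32) >> 1) * a_inv % 2**31 + k0 * 2**31
        r = (t - 2 * x0 * a - ((x0 * x0 & M32) << 32)) & M64
        if r % 2**33:
            continue  # wrong guess for the top bit of x0
        for k1 in (0, 1):  # same ambiguity for the high half x1
            n_a = (((r >> 33) * a_inv % 2**31 + k1 * 2**31) << 32) | x0
            if enc((n_a << 32) | a) == c_target:  # recompute {N_a.A}_Kb to choose
                return n_a
    return None

def squaring_demo(n_a=0x0123456789ABCDEF, a=0x1234567B):
    c_id = a * a & M32                 # identifier C = A^2 mod 2^32
    c1 = enc((n_a << 32) | a)          # {N_a.A}_Kb
    plain = pow(c1 * c1 % N, D, N)     # what B decrypts from the squared ciphertext
    n_c1, ident = parse(plain)
    return ident == c_id, c_id % 8 == 1, recover_nonce(n_c1, a, c1) == n_a
```

B's decryption is a well-formed $N_{c1}.C$ because the high bits are never inspected; a receiver that rejected any plaintext with non-zero bits above the 96 it expects would discard the squared message.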

14 Remarks
• Increasing the size of the RSA modulus makes such attacks easier rather than harder
• The following protocol does not permit this attack…
  $A \to B : \{A.N_a\}_{K_b}$
  $B \to A : \{B.N_a.N_b\}_{K_a}$
  $A \to B : \{N_b\}_{K_b}$
• Instead of squaring messages, it is possible to multiply them by small encrypted factors

15 Our Model
• Classical atomic types:
  – Identifiers ($A$, $B$, …)
  – Nonces ($N_a$, $N_b$, …)
  – Keys ($K_a$, $K_b$, …)
• New atomic type:
  – Small multiplicative factors ($f_1$, $f_2$, …)
• Distributivity of product on concatenation
  – $f * (m_1.m_2) = (f * m_1).(f * m_2)$

16 Our Model (II)
• Assumptions:
  – Distributivity: $f * (m_1.m_2) = (f * m_1).(f * m_2)$ (for small $f$ only)
  – The Intruder possesses identifiers $C_1$ and $C_2$ such that $C_1 = f * A$ and $C_2 = f * B$ (and the corresponding keys)
• Checking:
  – We define a bounded system and check it with a standard model checker: SPIN

17 Limiting our state space
• Definition of a system
  – number of honest users
  – number of concurrent sessions
  – number of « small factors »

18 Specificity of the Model
• In other systems, authors use
  – « Normalized derivations » (Marrero et al.)
  – « Unique readability axioms » (Guttman et al.)
  – ...
• We have to deal with
  – Distributivity of « * » on « . »
  – …
⇒ Several ways to obtain and read messages!

19 SPIN
• Model Checker developed at Bell Labs
• Its input language (ProMeLa) allows the use of the integer type (with the basic operations)
  ⇒ Modelling of a unique factor: $f = 2$
  ⇒ Definition of a range of values for each atomic type ($A = 11$, $B = 12$, $C_1 = 22$, $C_2 = 24$, ...)
  ⇒ Properties of multiplication naturally taken into account!

20 Conclusions
• With this model, we found two similar flaws in the Needham-Schroeder-Lowe Protocol in a few seconds
• A solution to this problem is to add redundancy to the messages
• Defining efficient redundancy is however difficult (see for instance Grieu’s attack on the ISO/IEC 9796-1 signature scheme with redundancy, Eurocrypt 2000)
• Another solution is the use of distinct cryptographic primitives in order to prevent the exploitation of such properties

