Cap Unification: Application to Protocol Security modulo Homomorphic Encryption

Post on 31-Jan-2016


Cap Unification: Application to Protocol Security modulo Homomorphic Encryption. Siva Anantharaman, Hai Lin, Chris Lynch, Paliath Narendran, Michael Rusinowitch. Contents. Cryptographic Protocol Analysis Cap Unification Modulo Homomorphic Encryption (HE) - PowerPoint PPT Presentation

Transcript of Cap Unification: Application to Protocol Security modulo Homomorphic Encryption

Cap Unification: Application to Protocol Security modulo Homomorphic Encryption

Siva Anantharaman, Hai Lin, Chris Lynch, Paliath Narendran,

Michael Rusinowitch

Contents

• Cryptographic Protocol Analysis

• Cap Unification
  – Modulo Homomorphic Encryption (HE)

• Inference rules to solve Cap-DYHE Unif
  – First solve HE-unification
  – Then solve Cap-DYHE-unification

First some syntax

• e(m,k): message m encrypted with key k

• p(x,y): pair (concatenation) of x and y

Next some vocabulary

• Nonce: number used once (random number) for freshness

• Long term key: secure key shared by principals

• Session key: less secure key established for session

Key authentication protocol

• Protocol used to establish a session key

• In my example, one principal creates a key and sends it to the other principal

My example protocol

1. A → B: e(p(k,na), k’)

2. B → A: e(p(na,nb), k’)

3. A → B: nb

• Alice sends Bob new session key k and nonce na encrypted with long term key k’

• Bob sends na along with new nonce nb to Alice indicating Bob got the session key

• Alice sends nonce nb back to Bob to indicate she got Bob’s message

Cryptographic Protocol security problem

• We assume an all powerful intruder who can read all messages, send messages, and pretend to be someone else

• Can the intruder learn a secret (key k)?

• Dolev Yao model: An intruder can learn an encrypted message if and only if he knows the encryption key

Dolev Yao theory

• d(e(x,y),y) = x

• fst(p(x,y)) = x

• snd(p(x,y)) = y

Decision procedure for security problem

• Undecidable in general

• NP-complete for bounded number of protocol sessions

• In this talk, we only consider bounded number of sessions

Extending Dolev Yao

• Some cryptographic algorithms have properties giving intruder more power

• For example, properties of exclusive OR allow intruder more attacks– Security problem also NP-complete for XOR

• What other properties are interesting?

• We consider Homomorphic Encryption– Security problem was open for HE

Homomorphic Encryption

• ECB algorithm breaks message into blocks and encrypts each block independently

• e(p(x,y),k) = p(e(x,k),e(y,k))

• This property gives an attack on my example protocol

Recall example protocol

1. A → B: e(p(k,na), k’)

2. B → A: e(p(na,nb), k’)

3. A → B: nb

• Step 2 from Bob’s POV:
  – Receive: e(p(x,y),k’)   Send: e(p(y,nb),k’)

• Step 3 from Alice’s POV:
  – Receive: e(p(na,z),k’)   Send: z

• Use variables for attack

Attack on Example Protocol

1. A → I(B): e(p(k,na), k’)

2. I(B) → A: e(p(na,k), k’)

3. A → I(B): k

• Intruder took message 1 apart and put it back together backwards

• Step 3 from Alice’s POV:
  – Receive: e(p(na,z),k’)   Send: z

Contents

• Cryptographic Protocol Analysis

• Cap Unification
  – Modulo Homomorphic Encryption (HE)

• Inference rules to solve Cap-HE Unif
  – First solve HE-unification
  – Then solve Cap-HE-unification

E-Unification

• Given terms s and t and a theory E, find a substitution µ such that sµ and tµ are the same modulo E

• Theory E = AC of symbol f

• Problem: f(a,y) = f(b,x)

• Solution: [x = a, y = b]

Cap

• Let S be a set of terms

• Cap(S) is defined recursively so that
  – S is a subset of Cap(S)
  – If t1,…,tn in Cap(S) then f(t1,…,tn) in Cap(S)
  – Constants not considered as function symbols

• Example: S = {a, f(b)}
  – a, f(b), g(a,f(b)), g(a,a), f(a), g(f(b),f(a)), f(f(b)) are in Cap(S)
  – b, c, f(c), g(a,c), g(b,a) are not in Cap(S)

Cap E-Unification

• Given set S, term t, and theory E, find a substitution µ and term s in Cap(S) such that sµ and tµ are the same modulo E

• Example: {p(f(a),b)} |> f(x)
  – where E = {fst(p(x,y)) = x, snd(p(x,y)) = y}

• Solution: [x = a] because fst(p(f(a),b)) = f(a)

Another Example

• Example: {p(a,b),p(c,d)} |> p(x,y) – where E={fst(p(x,y)) = x, snd(p(x,y)) = y}

• One solution is [x = d, y = a] because p(snd(p(c,d)),fst(p(a,b))) = p(d,a)

Cap Unification in Protocol Analysis

• Suppose we have malicious intruder trying to learn secret

• Constraint S |> t

• S represents current intruder knowledge

• t is a term intruder needs to learn

• Set of constraints represents possible attack: real attack if Cap E-unif solvable

Theory DYHE

• DY
  – d(e(x,y),y) = x
  – fst(p(x,y)) = x
  – snd(p(x,y)) = y

• HE
  – e(p(x,y),z) = p(e(x,z),e(y,z))

• We will consider CAP unification modulo DYHE

Recall Attack on Example Protocol

1. A → I(B): e(p(k,na), k’)

2. I(B) → A: e(p(na,k), k’)

3. A → I(B): k

• Intruder took message 1 apart and put it back together backwards

• Step 3 from Alice’s POV:
  – Receive: e(p(na,z),k’)   Send: z

Finding attack with Cap Unification

Let t be first message e(p(k,na),k’)

• {t} |> e(p(na,z),k’)

• {t,z} |> {k}

• Solution is [z = k]

• Cap for first one: p(snd(t),fst(t))

• Cap for second one: z

Contents

• Cryptographic Protocol Analysis

• Cap Unification
  – Modulo Homomorphic Encryption (HE)

• Inference rules to solve Cap-HE Unif
  – First solve HE-unification
  – Then solve Cap-HE-unification

HE Unification

• No caps yet

• No DY yet – only HE = {e(p(x,y),z) = p(e(x,z),e(y,z))}

• This will be a procedure used in inference rules for Cap Unification

• Consider signature: e,p and constants

Syntactic part of HE unification

• Trivial: C, (t=t) ⇒ C

• Decomposition:
  – C, (f(s1,…,sn) = f(t1,…,tn)) ⇒ C, (s1=t1), …, (sn=tn)

• Orient: C, (t=x) ⇒ C, (x=t)

• Apply: C, (x=t) ⇒ C[x |-> t], (x=t) if …

• Clash: C, (f(…)=g(…)) ⇒ Fail
  – Unless {f,g} = {e,p}

• OccurCheck: C, (x = t[x]) ⇒ Fail if t is not x

HE part of HE unification

• How do we solve e(…) = p(…)?

• We will use some abbreviations

• Pv(t1,…,tn) represents p-term where ti are terms not labeled with p, with only p’s on top, and v is vector of associated positions

• E(t,k1,…,kn) represents e-term where ki are terms not labeled with e, with only e’s on top

[Tree diagram of P11,121,122,21,22(e(a,k),a,b,c,a): p’s on top, i.e. p(p(e(a,k),p(a,b)),p(c,a)), with the leaves e(a,k), a, b, c, a at positions 11, 121, 122, 21, 22]

[Tree diagram of E(a,k1,k2,k3): e’s on top, i.e. e(e(e(a,k1),k2),k3)]

[Tree diagram of P11,12,2(E(a,k),E(b),E(b,k,k)): p(p(e(a,k),b),e(e(b,k),k)), with the leaves e(a,k), b, e(e(b,k),k) at positions 11, 12, 2]

Solving e(…) = p(…)

• Assume all terms in normal form– e’s on top, p’s on the bottom– i.e., apply rewriting but not narrowing

• We will apply substitution to make p(…) be normal form of e(…)

• Pv(…,E(ti,k1,…,kn),…) is normal form of E(Pv(t1,…,tm),k1,…,kn))

Homomorphic Encryption

[Tree diagram of the HE rule: e(p(x,y),k) on the left, p(e(x,k),e(y,k)) on the right]

Shaping inference rule

E(t,k1,…,kn) = Pv(…,E(x,k1’,…,km’),…)

-------------------------------------------------- m<n

Apply substitution [x |-> E(x’,k1,…,kn-m)]

The point is to extend the number of keys in E arguments of P, so that rhs can look like normal form of lhs

Fail if t = x, also fail if x was constant

Parsing inference rule

E(t,k1,…,kn) = Pv(E(s1,…,k1’),…,E(sm,…,km’))

----------------------------------------------------

E(t,k1,…) = Pv(E(s1,…),…,E(sm,…)), kn=k1’=…=km’

The rhs is the normal form of the lhs only if the final keys are the same

Result of HE-unification

• Rules are deterministic, so theory is unitary

• Does not increase variables
  – Decreases variables if instantiation
  – This is important for termination

• Note: HE-unification = DYHE-unification on terms not containing d, fst, snd
  – Terms in protocols do not contain d, fst, snd

Contents

• Cryptographic Protocol Analysis

• Cap Unification
  – Modulo Homomorphic Encryption (HE)

• Inference rules to solve Cap-DYHE Unif
  – First solve HE-unification
  – Then solve Cap-DYHE-unification

Solving Cap-DYHE-unification

• We have constraints of the form S |> t

• Want to find a term s in cap(S) that unifies with t modulo DYHE

• We give a nondeterministic set of inference rules

• All equalities generated are solved with the HE-unification algorithm

Cap Decomposition

S |> f(t1,…,tn)

-------------------

S |> t1 … S |> tn

• Justification: we may put f on top as cap

Degeneracy

S U {s} |> t

----------------

s = t

• Justification: There may be no cap

Projection

S U {p(r,s)} |> t

----------------------

S U {r,s} |> t

• The cap symbol might be fst; it might also be snd

• This is a simplification

Decryption

S U {e(s,k)} |> t

----------------------

S U {s} |> t, S |> k

• The cap symbol might be d

Homomorphic Deduction

S U {e(t1,k1),…,e(tn,kn)} |> e(t,k)

----------------------------------------------

S U {t1,…,tn} |> t, k1=k, …, kn=k

• The cap might be p, and HE is applicable, where t is some pairing of t1,…,tn

• Note: The signature in the conclusion is only {p,fst,snd}

Variable Substitution

---

…, x = Pv(t1,…,tn)

where x is a variable in the constraints, t1,…,tn are distinct terms in the lhs of the constraints, with x not in ti

• Nondeterministic guess of the value of x

Result of Cap-DYHE-unification

• The rules are nondeterministic

• They are guaranteed to halt with a complete set of unifiers or fail
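An added example, not code from the slides or their authors: a small symbolic model of DY plus the HE (ECB) rule that covers two passages above, the attack on the example protocol with its two cap constraints {t} |> e(p(na,z),k’) and {t,z} |> k (the "Finding attack with Cap Unification" slide), and a ground reading of the Cap-DYHE rules (Degeneracy, Cap Decomposition, Projection, Decryption, Homomorphic Deduction) as a membership test for Cap(S). The term encoding, the names K, NA, KP and the functions are the example's own assumptions; variables are handled only by applying the guessed substitution [z = k] before checking.

```python
# Added example (not from the slides): Dolev-Yao terms with the ECB rule
# e(p(x,y),k) = p(e(x,k),e(y,k)).  Constants are strings, e(m,k) is ('e', m, k),
# p(x,y) is ('p', x, y); terms are kept in the slides' normal form (e's on top).
def is_e(t): return isinstance(t, tuple) and t[0] == 'e'
def is_p(t): return isinstance(t, tuple) and t[0] == 'p'

def pair(x, y):  # p(x,y); folds p(e(x,k),e(y,k)) into e(p(x,y),k) (HE right-to-left)
    return ('e', pair(x[1], y[1]), x[2]) if is_e(x) and is_e(y) and x[2] == y[2] else ('p', x, y)

def unfold(t):   # HE left-to-right: e(p(x,y),k) -> p(e(x,k),e(y,k)), one ECB block split
    return ('p', ('e', t[1][1], t[2]), ('e', t[1][2], t[2])) if is_e(t) and is_p(t[1]) else t

def fst(t): u = unfold(t); return u[1] if is_p(u) else ('fst', t)
def snd(t): u = unfold(t); return u[2] if is_p(u) else ('snd', t)
def dec(c, k): return c[1] if is_e(c) and c[2] == k else ('d', c, k)

def analyse(S):  # close intruder knowledge under Projection, Decryption, HE splitting
    S, changed = set(S), True
    while changed:
        changed = False
        for t in list(S):
            new = set()
            if is_p(t): new |= {t[1], t[2]}                     # Projection
            if is_e(t) and is_p(t[1]): new |= {fst(t), snd(t)}  # ECB block split
            if is_e(t) and deducible(S, t[2]): new.add(t[1])    # Decryption, key known
            if not new <= S: S |= new; changed = True
    return S

def deducible(S, t):  # is ground t in Cap(S) modulo DYHE? (S already analysed)
    if t in S: return True                                        # Degeneracy: no cap
    if is_p(t): return deducible(S, t[1]) and deducible(S, t[2])  # Cap Decomposition, f = p
    if is_e(t):
        if deducible(S, t[1]) and deducible(S, t[2]): return True  # Cap Decomposition, f = e
        if is_p(t[1]):                                             # Homomorphic Deduction
            return deducible(S, ('e', t[1][1], t[2])) and deducible(S, ('e', t[1][2], t[2]))
    return False

K, NA, KP = 'k', 'na', "k'"   # session key, Alice's nonce, long-term key (constructed names)
def alice_step3(m):           # Alice's view of step 3: receive e(p(na,z),k'), send z
    inner = dec(m, KP)
    return snd(inner) if fst(inner) == NA else None

def he_attack():              # intruder puts message 1 back together backwards
    t = ('e', pair(K, NA), KP)          # message 1: e(p(k,na),k')
    forged = pair(snd(t), fst(t))       # the cap p(snd(t),fst(t)) = e(p(na,k),k') modulo HE
    return forged, alice_step3(forged)  # Alice replies with the session key k

def attack_constraints():     # the slides' two constraints under the solution [z = k]
    t = ('e', pair(K, NA), KP)
    return (deducible(analyse({t}), ('e', pair(NA, K), KP)),   # {t} |> e(p(na,z),k')
            deducible(analyse({t, K}), K))                     # {t, z} |> k
```

Without the HE rule the intruder never learns k’ and so cannot decrypt message 1; the forged message is built purely by splitting and re-pairing ciphertext blocks, which is why the ECB property alone breaks the protocol.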

Conclusion

• Cap unification modulo equality for cryptographic protocol analysis

• First decision procedure for insecurity problem modulo HE with bounded number of protocol sessions

• Future work: Equational theory for definition of CBC algorithm, not just properties of it