Cap Unification: Application to Protocol Security modulo Homomorphic Encryption

Cap Unification: Application to Protocol Security modulo Homomorphic Encryption Siva Anantharaman, Hai Lin, Chris Lynch, Paliath Narendran, Michael Rusinowitch


Transcript of Cap Unification: Application to Protocol Security modulo Homomorphic Encryption

Page 1: Cap Unification: Application to Protocol Security modulo Homomorphic Encryption

Cap Unification: Application to Protocol Security modulo Homomorphic Encryption

Siva Anantharaman, Hai Lin, Chris Lynch, Paliath Narendran, Michael Rusinowitch

Page 2

Contents

• Cryptographic Protocol Analysis

• Cap Unification
  – Modulo Homomorphic Encryption (HE)

• Inference rules to solve Cap-DYHE Unif
  – First solve HE-unification
  – Then solve Cap-DYHE-unification

Page 4

First some syntax

• e(m,k): message m encrypted with key k

• p(x,y): pair (concatenation) of x and y

Page 5

Next some vocabulary

• Nonce: number used once (random number) for freshness

• Long term key: secure key shared by principals

• Session key: less secure key established for session

Page 6

Key authentication protocol

• Protocol used to establish a session key

• In my example, one principal creates a key and sends it to the other principal

Page 7

My example protocol

1. A → B: e(p(k,na), k’)

2. B → A: e(p(na,nb), k’)

3. A → B: nb

• Alice sends Bob a new session key k and nonce na, encrypted with the long term key k’

• Bob sends na along with a new nonce nb to Alice, indicating Bob got the session key

• Alice sends nonce nb back to Bob to indicate she got Bob’s message

Page 8

Cryptographic Protocol security problem

• We assume an all-powerful intruder who can read all messages, send messages, and pretend to be someone else

• Can the intruder learn a secret (key k)?

• Dolev Yao model: An intruder can learn an encrypted message if and only if he knows the encryption key

Page 9

Dolev Yao theory

• d(e(x,y),y) = x

• fst(p(x,y)) = x

• snd(p(x,y)) = y

Page 10

Decision procedure for security problem

• Undecidable in general

• NP-complete for bounded number of protocol sessions

• In this talk, we only consider bounded number of sessions

Page 11

Extending Dolev Yao

• Some cryptographic algorithms have properties giving the intruder more power

• For example, properties of exclusive OR allow the intruder more attacks
  – Security problem also NP-complete for XOR

• What other properties are interesting?

• We consider Homomorphic Encryption
  – Security problem was open for HE

Page 12

Homomorphic Encryption

• ECB algorithm breaks message into blocks and encrypts each block independently

• e(p(x,y),k) = p(e(x,k),e(y,k))

• This property gives an attack on my example protocol

Page 13

Recall example protocol

1. A → B: e(p(k,na), k’)

2. B → A: e(p(na,nb), k’)

3. A → B: nb

• Step 2 from Bob’s POV:
  – Receive: e(p(x,y),k’)
  – Send: e(p(y,nb),k’)

• Step 3 from Alice’s POV:
  – Receive: e(p(na,z),k’)
  – Send: z

• Use variables for attack

Page 14

Attack on Example Protocol

1. A → I(B): e(p(k,na), k’)

2. I(B) → A: e(p(na,k), k’)

3. A → I(B): k

• Intruder took message 1 apart and put it back together backwards

• Step 3 from Alice’s POV:
  – Receive: e(p(na,z),k’)
  – Send: z

Page 15

Contents

• Cryptographic Protocol Analysis

• Cap Unification
  – Modulo Homomorphic Encryption (HE)

• Inference rules to solve Cap-HE Unif
  – First solve HE-unification
  – Then solve Cap-HE-unification

Page 16

E-Unification

• Given terms s and t and a theory E, find a substitution µ such that sµ and tµ are the same modulo E

• Theory E = AC of symbol f

• Problem: f(a,y) = f(b,x)

• Solution: [x = a, y = b]

Page 17

Cap

• Let S be a set of terms

• Cap(S) is defined recursively so that
  – S is a subset of Cap(S)
  – If t1,…,tn in Cap(S) then f(t1,…,tn) in Cap(S)
  – Constants not considered as function symbols

• Example: S = {a, fb}
  – a, fb, g(a,fb), g(a,a), fa, g(fb,fa), ffb are in Cap(S)
  – b, c, fc, g(a,c), g(b,a) are not in Cap(S)

Page 18

Cap E-Unification

• Given set S, term t, and theory E, find a substitution µ and term s in Cap(S) such that sµ and tµ are the same modulo E

• Example: {p(fa,b)} |> fx
  – where E = {fst(p(x,y)) = x, snd(p(x,y)) = y}

• Solution: [x = a] because fst(p(fa,b)) = fa

Page 19

Another Example

• Example: {p(a,b),p(c,d)} |> p(x,y)
  – where E = {fst(p(x,y)) = x, snd(p(x,y)) = y}

• One solution is [x = d, y = a] because p(snd(p(c,d)),fst(p(a,b))) = p(d,a)

Page 20

Cap Unification in Protocol Analysis

• Suppose we have a malicious intruder trying to learn a secret

• Constraint S |> t

• S represents current intruder knowledge

• t is a term intruder needs to learn

• Set of constraints represents possible attack: real attack if Cap E-unif solvable

Page 21

Theory DYHE

• DY
  – d(e(x,y),y) = x
  – fst(p(x,y)) = x
  – snd(p(x,y)) = y

• HE
  – e(p(x,y),z) = p(e(x,z),e(y,z))

• We will consider Cap unification modulo DYHE

Page 22

Recall Attack on Example Protocol

1. A → I(B): e(p(k,na), k’)

2. I(B) → A: e(p(na,k), k’)

3. A → I(B): k

• Intruder took message 1 apart and put it back together backwards

• Step 3 from Alice’s POV:
  – Receive: e(p(na,z),k’)
  – Send: z

Page 23

Finding attack with Cap Unification

Let t be the first message e(p(k,na),k’)

• {t} |> e(p(na,z),k’)

• {t,z} |> {k}

• Solution is [z = k]

• Cap for first one: p(snd(t),fst(t))

• Cap for second one: z
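The attack trace above can be replayed mechanically. The following Python script is an added example, not code from the talk or its authors: it encodes DYHE terms as nested tuples, rewrites them to normal form under the DY equations of slide 9 and the HE equation of slide 12, and checks that the intruder's cap p(snd(t), fst(t)) turns message 1 into a term that Alice's step-3 role accepts, so that she answers with k. The atom names k, na, nb, k’ follow the slides; the `?z` variable convention, the one-way `match` helper and the `he` switch that disables the HE rule are my own assumptions. Running the same script with the HE rule switched off shows fst and snd getting stuck on the e-term, which is the defender's takeaway: the re-pairing attack exists only because ECB encryption is homomorphic over pairing.

```python
"""DYHE rewriting and the HE attack on the example key-authentication protocol.

Terms are nested tuples: ('e', m, k), ('p', x, y), ('d', c, k), ('fst', t), ('snd', t).
Atoms (keys, nonces) are plain strings; role variables start with '?'.
Added example for the slides; the encoding is an assumption, not the authors' code.
"""


def app(t, f):
    """True if t is an application of the function symbol f."""
    return isinstance(t, tuple) and t[0] == f


def normalize(term, he=True):
    """Rewrite a term to normal form with the DY rules (slide 9) and, when he=True,
    the HE rule (slide 12):  e(p(x,y),z) -> p(e(x,z), e(y,z))."""
    if isinstance(term, str):
        return term
    head, *args = term
    args = [normalize(a, he) for a in args]
    if head == 'd' and app(args[0], 'e') and args[0][2] == args[1]:
        return args[0][1]                      # d(e(x,y),y) -> x
    if head == 'fst' and app(args[0], 'p'):
        return args[0][1]                      # fst(p(x,y)) -> x
    if head == 'snd' and app(args[0], 'p'):
        return args[0][2]                      # snd(p(x,y)) -> y
    if he and head == 'e' and app(args[0], 'p'):
        x, y, z = args[0][1], args[0][2], args[1]
        return ('p', normalize(('e', x, z), he), normalize(('e', y, z), he))  # HE (ECB)
    return (head, *args)                       # stuck, e.g. fst(e(...)) without HE


def match(pattern, term, subst=None):
    """One-way matching of a role pattern (variables '?x') against a ground term.
    Returns the binding dict, or None when the message does not fit the role."""
    subst = dict(subst or {})
    if isinstance(pattern, str) and pattern.startswith('?'):
        if pattern in subst and subst[pattern] != term:
            return None
        subst[pattern] = term
        return subst
    if isinstance(pattern, str) or isinstance(term, str):
        return subst if pattern == term else None
    if pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p_arg, t_arg in zip(pattern[1:], term[1:]):
        subst = match(p_arg, t_arg, subst)
        if subst is None:
            return None
    return subst


# Constructed protocol atoms (names as on the slides).
K, NA, NB, KLONG = 'k', 'na', 'nb', "k'"
MSG1 = ('e', ('p', K, NA), KLONG)               # 1. A -> B: e(p(k,na), k')


def intruder_forgery(msg1, he=True):
    """Slide 23's cap p(snd(t), fst(t)): re-pair the halves of message 1 without k'."""
    return normalize(('p', ('snd', msg1), ('fst', msg1)), he)


def alice_step3(received, he=True):
    """Alice at step 3 expects e(p(na,z), k') and replies with z (slide 13)."""
    pattern = normalize(('e', ('p', NA, '?z'), KLONG), he)
    bindings = match(pattern, normalize(received, he))
    return None if bindings is None else bindings['?z']


def run_attack(he=True):
    """What the intruder learns from Alice's reply: 'k' with HE, nothing without it."""
    return alice_step3(intruder_forgery(MSG1, he), he)


if __name__ == '__main__':
    print('with HE:    intruder learns', run_attack(he=True))    # k
    print('without HE: intruder learns', run_attack(he=False))   # None
```

With the HE rule on, message 1 normalises to p(e(k,k’), e(na,k’)), so the intruder can swap the two encrypted blocks without ever decrypting; the forged term is exactly the normal form of e(p(na,k),k’), which is why Alice's role binds z to k.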

Page 24

Contents

• Cryptographic Protocol Analysis

• Cap Unification
  – Modulo Homomorphic Encryption (HE)

• Inference rules to solve Cap-HE Unif
  – First solve HE-unification
  – Then solve Cap-HE-unification

Page 25

HE Unification

• No caps yet

• No DY yet – only HE = {e(p(x,y),z) = p(e(x,z),e(y,z))}

• This will be a procedure used in inference rules for Cap Unification

• Consider signature: e,p and constants

Page 26

Syntactic part of HE unification

• Trivial: C, (t=t) ⇒ C

• Decomposition: C, (f(s1,…,sn)=f(t1,…,tn)) ⇒ C, (s1=t1), …, (sn=tn)

• Orient: C, (t=x) ⇒ C, (x=t)

• Apply: C, (x=t) ⇒ C[x ↦ t], (x=t) if …

• Clash: C, (f(…)=g(…)) ⇒ Fail
  – Unless {f,g} = {e,p}

• OccurCheck: C, (x = t[x]) ⇒ Fail if t is not x

Page 27

HE part of HE unification

• How do we solve e(…) = p(…)?

• We will use some abbreviations

• Pv(t1,…,tn) represents a p-term where the ti are terms not labeled with p, with only p’s on top, and v is the vector of associated positions

• E(t,k1,…,kn) represents an e-term where the ki are terms not labeled with e, with only e’s on top

Page 28

Example (drawn as a tree on the slide): P11,121,122,21,22(e(a,k),a,b,c,a) is the p-term p(p(e(a,k), p(a,b)), p(c,a)); the subscripts 11, 121, 122, 21, 22 are the positions in that tree of the arguments e(a,k), a, b, c, a.

Page 29

Example (drawn as a tree on the slide): E(a,k1,k2,k3) is the e-term e(e(e(a,k1),k2),k3), i.e. a encrypted successively with k1, k2 and k3.

Page 30

Example (drawn as a tree on the slide): P11,12,2(E(a,k),E(b),E(b,k,k)) is p(p(e(a,k), b), e(e(b,k),k)); E(b) with no keys is just b.

Page 31

Solving e(…) = p(…)

• Assume all terms in normal form
  – e’s on top, p’s on the bottom
  – i.e., apply rewriting but not narrowing

• We will apply a substitution to make p(…) be the normal form of e(…)

• Pv(…,E(ti,k1,…,kn),…) is the normal form of E(Pv(t1,…,tm),k1,…,kn)

Page 32

Homomorphic Encryption (drawn as two trees on the slide): e(p(x,y),k) on the left equals p(e(x,k), e(y,k)) on the right; the e above the pair is pushed down onto both components.

Page 33

Shaping inference rule

E(t,k1,…,kn) = Pv(…,E(x,k1’,…,km’),…)

-------------------------------------------------- (m < n)

Apply substitution [x ↦ E(x’,k1,…,kn−m)]

The point is to extend the number of keys in the E arguments of P, so that the rhs can look like the normal form of the lhs

Fail if t = x; also fail if x is a constant

Page 34

Parsing inference rule

E(t,k1,…,kn) = Pv(E(s1,…,k1’),…,E(sm,…,km’))

----------------------------------------------------

E(t,k1,…) = Pv(E(s1,…),…,E(sm,…)), kn=k1’=…=km’

The rhs is the normal form of the lhs only if the final keys are the same

Page 35

Result of HE-unification

• Rules are deterministic, so the theory is unitary

• Does not increase variables
  – Decreases variables if instantiation
  – This is important for termination

• Note: HE-unification = DYHE-unification on terms not containing d, fst, snd
  – Terms in protocols do not contain d, fst, snd
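The HE-unification procedure of slides 25 to 35 can be exercised with a small solver. The Python below is an added example, not the authors' implementation: it normalises both sides (e’s pushed through p’s, slide 31) and then runs the syntactic rules Trivial, Decomposition, Orient, Apply, Clash and OccurCheck of slide 26. For an e(…) = p(…) equation it uses a simplified reformulation of Shaping and Parsing: the message argument t is equated with a fresh pair p(y1,y2), and each half of the p-term must then unify with e(yi,key), which also enforces Parsing's condition that the final keys agree; an occurs check restricted to message positions implements "fail if t = x". Unlike the slides' rules this version introduces fresh variables, so the "does not increase variables" property does not hold for it; the `?` variable convention, the `?_` prefix for solver-internal variables, the step limit and the helper names are assumptions.

```python
"""HE-unification: solve s = t modulo e(p(x,y),z) = p(e(x,z), e(y,z)).

Signature e, p and constants (slide 25). Constants are strings, variables are strings
starting with '?', applications are tuples ('e', msg, key) and ('p', left, right).
Added example; the encoding, the '?' convention and the fresh-pair reformulation of
Shaping/Parsing are assumptions, not the authors' implementation.
"""
import itertools

_fresh = itertools.count()


def is_var(t):
    return isinstance(t, str) and t.startswith('?')


def app(t, f):
    return isinstance(t, tuple) and t[0] == f


def fresh():
    return f"?_{next(_fresh)}"          # '?_' marks solver-internal variables


def normalize(t):
    """HE normal form (slide 31): push e through p until e's sit on p-free leaves."""
    if isinstance(t, str):
        return t
    args = [normalize(a) for a in t[1:]]
    if t[0] == 'e' and app(args[0], 'p'):
        return ('p', normalize(('e', args[0][1], args[1])),
                     normalize(('e', args[0][2], args[1])))
    return (t[0], *args)


def subst(t, sigma):
    """Apply an idempotent substitution {variable: term}."""
    if isinstance(t, str):
        return sigma.get(t, t)
    return (t[0], *(subst(a, sigma) for a in t[1:]))


def occurs(x, t):
    return t == x if isinstance(t, str) else any(occurs(x, a) for a in t[1:])


def occurs_in_message(x, t):
    """x at a message (non-key) position of t; keys are never pushed by HE."""
    if isinstance(t, str):
        return t == x
    return occurs_in_message(x, t[1]) or (t[0] == 'p' and occurs_in_message(x, t[2]))


def he_unify(s, t, limit=10_000):
    """Most general HE-unifier of s and t (HE is unitary, slide 35), or None."""
    eqs, sigma = [(normalize(s), normalize(t))], {}
    for _ in range(limit):                         # guard only; each step shrinks the problem
        if not eqs:
            return {v: u for v, u in sigma.items() if not v.startswith('?_')}
        l, r = eqs.pop()
        if l == r:                                 # Trivial
            continue
        if is_var(r) and not is_var(l):            # Orient
            l, r = r, l
        if is_var(l):                              # Apply, guarded by OccurCheck
            if occurs(l, r):
                return None
            bind = {l: r}
            sigma = {v: normalize(subst(u, bind)) for v, u in sigma.items()}
            sigma[l] = r
            eqs = [(normalize(subst(a, bind)), normalize(subst(b, bind))) for a, b in eqs]
            continue
        if isinstance(l, str) or isinstance(r, str):
            return None                            # Clash: a constant against something else
        if l[0] == r[0]:                           # Decomposition (same symbol, same arity)
            eqs.extend(zip(l[1:], r[1:]))
            continue
        if app(r, 'e'):                            # Clash unless {f,g} = {e,p}: put e on the left
            l, r = r, l
        msg, key = l[1], l[2]
        if is_var(msg) and occurs_in_message(msg, r):
            return None                            # Shaping's "fail if t = x": no finite pair fits
        # Shaping/Parsing, reformulated: msg must be a pair whose halves, encrypted
        # under key, give the two halves of r (this forces the final keys to agree).
        y1, y2 = fresh(), fresh()
        eqs.extend([(msg, ('p', y1, y2)), (('e', y1, key), r[1]), (('e', y2, key), r[2])])
    raise RuntimeError("step limit exceeded")


def unifies(s, t, sigma):
    """Check a proposed unifier: both instances must have the same HE normal form."""
    return normalize(subst(s, sigma)) == normalize(subst(t, sigma))


if __name__ == '__main__':
    lhs = ('e', '?x', 'k')
    rhs = ('p', ('e', 'a', 'k'), ('e', 'b', 'k'))
    print(he_unify(lhs, rhs))                      # {'?x': ('p', 'a', 'b')}
```

The interesting cases are the ones the slides single out: e(x,k) = p(e(a,k), e(b,k2)) fails because the final keys differ (Parsing), e(x,k) = p(x,b) fails because x would have to contain itself (Shaping's "fail if t = x"), and the nested e(e(x,k1),k2) = p(e(e(a,k1),k2), e(e(b,k1),k2)) is solved by x = p(a,b) after the keys have been matched from the outside in.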

Page 36

Contents

• Cryptographic Protocol Analysis

• Cap Unification
  – Modulo Homomorphic Encryption (HE)

• Inference rules to solve Cap-DYHE Unif
  – First solve HE-unification
  – Then solve Cap-DYHE-unification

Page 37

Solving Cap-DYHE-unification

• We have constraints of the form S |> t

• Want to find a term s in cap(S) that unifies with t modulo DYHE

• We give a nondeterministic set of inference rules

• All equalities generated are solved with the HE-unification algorithm

Page 38

Cap Decomposition

S |> f(t1,…,tn)

-------------------

S |> t1 … S |> tn

• Justification: we may put f on top as cap

Page 39

Degeneracy

S U {s} |> t

----------------

s = t

• Justification: There may be no cap

Page 40

Projection

S U {p(r,s)} |> t

----------------------

S U {r,s} |> t

• The cap symbol might be fst; it might also be snd

• This is a simplification

Page 41

Decryption

S U {e(s,k)} |> t

----------------------

S U {s} |> t, S |> k

• The cap symbol might be d

Page 42

Homomorphic Deduction

S U {e(t1,k1),…,e(tn,kn)} |> e(t,k)

----------------------------------------------

S U {t1,…,tn} |> t, k1=k, …, kn=k

• The cap might be p, and HE is applicable, where t is some pairing of t1,…,tn

• Note: The signature in the conclusion is only {p,fst,snd}

Page 43

Variable Substitution

(no premise)

-------------------------

…, x = Pv(t1,…,tn)

where x is a variable in the constraints, t1,…,tn are distinct terms in the lhs of the constraints, with x not in ti

• Nondeterministic guess of the value of x

Page 44

Result of Cap-DYHE-unification

• The rules are nondeterministic

• They are guaranteed to halt with a complete set of unifiers or fail

Page 45

Conclusion

• Cap unification modulo equality for cryptographic protocol analysis

• First decision procedure for insecurity problem modulo HE with bounded number of protocol sessions

• Future work: Equational theory for definition of CBC algorithm, not just properties of it