Title: Cap Unification: Application to Protocol Security modulo Homomorphic Encryption
1 Cap Unification: Application to Protocol Security modulo Homomorphic Encryption
- Siva Anantharaman, Hai Lin, Chris Lynch, Paliath Narendran, Michael Rusinowitch
2 Contents
- Cryptographic Protocol Analysis
- Cap Unification
- Modulo Homomorphic Encryption (HE)
- Inference rules to solve Cap-DYHE Unif
- First solve HE-unification
- Then solve Cap-DYHE-unification
4 First some syntax
- e(m,k): message m encrypted with key k
- p(x,y): pair (concatenation) of x and y
5 Next some vocabulary
- Nonce: number used once (random number) for freshness
- Long-term key: secure key shared by principals
- Session key: less secure key established for a session
6 Key authentication protocol
- Protocol used to establish a session key
- In my example, one principal creates a key and sends it to the other principal
7 My example protocol
- A → B: e(p(k,na), k)
- B → A: e(p(na,nb), k)
- A → B: nb
- Alice sends Bob the new session key k and nonce na, encrypted with the long-term key k
- Bob sends na along with a new nonce nb to Alice, indicating Bob got the session key
- Alice sends nonce nb back to Bob to indicate she got Bob's message
8 Cryptographic Protocol security problem
- We assume an all-powerful intruder who can read all messages, send messages, and pretend to be someone else
- Can the intruder learn a secret (key k)?
- Dolev-Yao model: an intruder can learn an encrypted message if and only if he knows the encryption key
9 Dolev-Yao theory
- d(e(x,y),y) = x
- fst(p(x,y)) = x
- snd(p(x,y)) = y
10 Decision procedure for security problem
- Undecidable in general
- NP-complete for a bounded number of protocol sessions
- In this talk, we only consider a bounded number of sessions
11 Extending Dolev-Yao
- Some cryptographic algorithms have properties giving the intruder more power
- For example, properties of exclusive OR allow the intruder more attacks
- Security problem also NP-complete for XOR
- What other properties are interesting?
- We consider Homomorphic Encryption
- Security problem was open for HE
12 Homomorphic Encryption
- ECB algorithm breaks a message into blocks and encrypts each block independently
- e(p(x,y),k) = p(e(x,k),e(y,k))
- This property gives an attack on my example protocol
13 Recall example protocol
- A → B: e(p(k,na), k)
- B → A: e(p(na,nb), k)
- A → B: nb
- Step 2 from Bob's POV
- Receive e(p(x,y),k), send e(p(y,nb),k)
- Step 3 from Alice's POV
- Receive e(p(na,z),k), send z
- Use variables for attack
14 Attack on Example Protocol
- A → I(B): e(p(k,na), k)
- I(B) → A: e(p(na,k), k)
- A → I(B): k
- Intruder took message 1 apart and put it back together backwards
- Step 3 from Alice's POV
- Receive e(p(na,z),k), send z
15 Contents
- Cryptographic Protocol Analysis
- Cap Unification
- Modulo Homomorphic Encryption (HE)
- Inference rules to solve Cap-HE Unif
- First solve HE-unification
- Then solve Cap-HE-unification
16 E-Unification
- Given terms s and t and a theory E, find a substitution µ such that sµ and tµ are the same modulo E
- Theory E: AC of symbol f
- Problem: f(a,y) = f(b,x)
- Solution: x = a, y = b
17 Cap
- Let S be a set of terms
- Cap(S) is defined recursively so that
  - S is a subset of Cap(S)
  - If t1,...,tn in Cap(S) then f(t1,...,tn) in Cap(S)
- Constants are not considered as function symbols
- Example: S = {a, f(b)}
- a, f(b), g(a,f(b)), g(a,a), f(a), g(f(b),f(a)), f(f(b)) are in Cap(S)
- b, c, f(c), g(a,c), g(b,a) are not in Cap(S)
18 Cap E-Unification
- Given a set S, a term t, and a theory E, find a substitution µ and a term s in Cap(S) such that sµ and tµ are the same modulo E
- Example: {p(f(a),b)} > f(x)
- where E = {fst(p(x,y)) = x, snd(p(x,y)) = y}
- Solution: x = a because fst(p(f(a),b)) = f(a)
19 Another Example
- Example: {p(a,b), p(c,d)} > p(x,y)
- where E = {fst(p(x,y)) = x, snd(p(x,y)) = y}
- One solution is x = d, y = a because p(snd(p(c,d)),fst(p(a,b))) = p(d,a)
20 Cap Unification in Protocol Analysis
- Suppose we have a malicious intruder trying to learn a secret
- Constraint: S > t
- S represents the current intruder knowledge
- t is a term the intruder needs to learn
- A set of constraints represents a possible attack; it is a real attack if Cap E-unification is solvable
21 Theory DYHE
- DY
  - d(e(x,y),y) = x
  - fst(p(x,y)) = x
  - snd(p(x,y)) = y
- HE
  - e(p(x,y),z) = p(e(x,z),e(y,z))
- We will consider Cap unification modulo DYHE
22 Recall Attack on Example Protocol
- A → I(B): e(p(k,na), k)
- I(B) → A: e(p(na,k), k)
- A → I(B): k
- Intruder took message 1 apart and put it back together backwards
- Step 3 from Alice's POV
- Receive e(p(na,z),k), send z
23 Finding attack with Cap Unification
- Let t be the first message e(p(k,na),k)
- {t} > e(p(na,z),k)
- {t, z} > k
- Solution is z = k
- Cap for the first one: p(snd(t),fst(t))
- Cap for the second one: z
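The Cap(S) definition of slide 17 and the two caps of slide 23, as an added example that is not part of the slides: a small recursive membership test for Cap(S), run on the slide-17 membership claims and on the attack caps. The term encoding (a variable is a Python string, a constant is a pair with an empty argument tuple, an application is a symbol with its argument tuple) is an assumption of this example.

```python
# Added example (not from the slides): a decision procedure for t in Cap(S).
# Term encoding (an assumption of this example): a variable is a Python str,
# a constant is (name, ()), and an application is (symbol, (arg1, ..., argn)).

def C(name):
    return (name, ())

def f(x):    return ('f', (x,))
def g(x, y): return ('g', (x, y))
def p(x, y): return ('p', (x, y))
def e(m, k): return ('e', (m, k))
def fst(t):  return ('fst', (t,))
def snd(t):  return ('snd', (t,))

def in_cap(t, S):
    """t is in Cap(S) iff t is in S, or t = f(t1,...,tn) with n >= 1 and every
    ti in Cap(S). Constants are not function symbols (n = 0), so a constant or
    a variable belongs to Cap(S) only when it is already in S."""
    if t in S:
        return True
    if isinstance(t, str):          # a variable that is not in S
        return False
    _, args = t
    return len(args) >= 1 and all(in_cap(a, S) for a in args)

a, b, c, k, na = (C(n) for n in ("a", "b", "c", "k", "na"))

def slide17_example():
    """The membership claims of slide 17 for S = {a, f(b)}:
    (all listed members are in Cap(S), any listed non-member is in Cap(S))."""
    S = {a, f(b)}
    members = [a, f(b), g(a, f(b)), g(a, a), f(a), g(f(b), f(a)), f(f(b))]
    non_members = [b, c, f(c), g(a, c), g(b, a)]
    return all(in_cap(t, S) for t in members), any(in_cap(t, S) for t in non_members)

def slide23_caps():
    """The caps solving the two attack constraints: p(snd(t),fst(t)) for
    {t} > e(p(na,z),k) and the bare variable z for {t, z} > k. The secret k
    itself is not syntactically in Cap({t}); it is only reached modulo DYHE."""
    t = e(p(k, na), k)
    return in_cap(p(snd(t), fst(t)), {t}), in_cap('z', {t, 'z'}), in_cap(k, {t})

if __name__ == "__main__":
    print(slide17_example(), slide23_caps())   # (True, False) (True, True, False)
```

The membership test is purely syntactic: it decides whether a cap exists at all, while whether that cap equals the target is the E-unification part handled by the inference rules later in the deck.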
24 Contents
- Cryptographic Protocol Analysis
- Cap Unification
- Modulo Homomorphic Encryption (HE)
- Inference rules to solve Cap-HE Unif
- First solve HE-unification
- Then solve Cap-HE-unification
25 HE Unification
- No caps yet
- No DY yet
- Only HE: e(p(x,y),z) = p(e(x,z),e(y,z))
- This will be a procedure used in the inference rules for Cap unification
- Consider signature {e, p} and constants
26 Syntactic part of HE unification
- Trivial: C, (t = t) → C
- Decomposition: C, (f(s1,...,sn) = f(t1,...,tn)) → C, (s1 = t1), ..., (sn = tn)
- Orient: C, (t = x) → C, (x = t)
- Apply: C, (x = t) → C[x → t], (x = t) if
- Clash: C, (f(...) = g(...)) → Fail, unless {f,g} = {e,p}
- OccurCheck: C, (x = t[x]) → Fail if t[x] is not x
27 HE part of HE unification
- How do we solve e(...) = p(...)?
- We will use some abbreviations
- Pv(t1,...,tn) represents a p-term where the ti are terms not labeled with p, with only p's on top, and v is the vector of associated positions
- E(t,k1,...,kn) represents an e-term where the ki are terms not labeled with e, with only e's on top
28 P11,121,122,21,22(e(a,k),a,b,c,a)
[Tree diagram of this p-term, i.e. p(p(e(a,k),p(a,b)),p(c,a)): positions 11, 121, 122, 21, 22 hold e(a,k), a, b, c, a]
29 E(a,k1,k2,k3)
[Tree diagram of this e-term, i.e. e(e(e(a,k1),k2),k3)]
30 P11,12,2(E(a,k),E(b),E(b,k,k))
[Tree diagram of this term, i.e. p(p(e(a,k),b),e(e(b,k),k))]
31 Solving e(...) = p(...)
- Assume all terms in normal form
- e's on top, p's on the bottom
- i.e., apply rewriting but not narrowing
- We will apply a substitution to make p(...) be the normal form of e(...)
- Pv(...,E(ti,k1,...,kn),...) is the normal form of E(Pv(t1,...,tm),k1,...,kn)
32 Homomorphic Encryption
[Tree diagrams of e(p(x,y),k) and of its HE-normal form p(e(x,k),e(y,k))]
33 Shaping inference rule
- E(t,k1,...,kn) = Pv(...,E(x,k1,...,km),...)
- -------------------------------------------------- (m < n)
- Apply substitution x → E(x,k1,...,kn-m)
- The point is to extend the number of keys in the E arguments of P, so that the rhs can look like the normal form of the lhs
- Fail if t = x; also fail if x was a constant
34 Parsing inference rule
- E(t,k1,...,kn) = Pv(E(s1,...,k1),...,E(sm,...,km))
- --------------------------------------------------
- E(t,k1,...) = Pv(E(s1,...),...,E(sm,...)), kn = k1 = ... = km
- The rhs is the normal form of the lhs only if the final keys are the same
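The syntactic rules of slide 26 together with the e(...) = p(...) treatment of slides 31 to 34, as an added example that is not the paper's implementation: a unifier modulo HE that applies Trivial, Decomposition, Orient, Apply, Clash and OccurCheck to ordinary symbols, and handles a pair meeting an e-term in the spirit of Shaping and Parsing (a variable core facing a pair is instantiated as a pair, pair cores are split under their keys, and outermost keys are unified pairwise). It is a simplified procedure for the rule scheme above, not a reproduction of the full rule set; the term encoding and the fresh-variable naming scheme are assumptions of this example.

```python
# Added example, not the paper's implementation: a unifier modulo
# HE = { e(p(x,y),z) = p(e(x,z),e(y,z)) } built from the rule scheme above.
# Term encoding (assumed here): a variable is a str, a constant is (name, ()),
# and an application is (symbol, (args...)).
import itertools

def is_var(t):
    return isinstance(t, str)

def is_pair(t):
    return not is_var(t) and t[0] == 'p'

def subst(t, sigma):
    """Apply the triangular substitution sigma exhaustively."""
    while is_var(t) and t in sigma:
        t = sigma[t]
    if is_var(t):
        return t
    sym, args = t
    return (sym, tuple(subst(a, sigma) for a in args))

def occurs(x, t):
    return x == t if is_var(t) else any(occurs(x, a) for a in t[1])

def peel(t):
    """Write t as E(core, k1..kn): returns (core, keys), keys outermost first."""
    keys = []
    while not is_var(t) and t[0] == 'e':
        t, key = t[1]
        keys.append(key)
    return t, keys

def wrap(core, keys):
    for key in reversed(keys):
        core = ('e', (core, key))
    return core

_counter = itertools.count()
def fresh(name):
    return "%s_%d" % (name, next(_counter))   # assumes no input variable ends in _<digits>

class Clash(Exception):
    pass

def solve(s, t, sigma):
    """Add s = t to sigma in place, or raise Clash when no HE-unifier exists."""
    s, t = subst(s, sigma), subst(t, sigma)
    if s == t:                                     # Trivial
        return
    if is_var(t) and not is_var(s):                # Orient
        s, t = t, s
    if is_var(s):                                  # Apply, guarded by OccurCheck
        if occurs(s, t):
            raise Clash("occur check")
        sigma[s] = t
        return
    (cs, ks), (ct, kt) = peel(s), peel(t)
    for core, keys, side, ocore, okeys in ((cs, ks, s, ct, kt), (ct, kt, t, cs, ks)):
        if is_pair(core):                          # HE: E(p(a,b),keys) = p(E(a,keys),E(b,keys))
            if is_var(ocore):                      # Shaping-style: the variable must be a pair
                if occurs(ocore, side):
                    raise Clash("occur check under HE")
                sigma[ocore] = ('p', (fresh(ocore), fresh(ocore)))
                return solve(s, t, sigma)
            if not is_pair(ocore):
                raise Clash("pair against non-pair")
            for x, y in zip(core[1], ocore[1]):
                solve(wrap(x, keys), wrap(y, okeys), sigma)
            return
    n = min(len(ks), len(kt))                      # Parsing: outermost keys must agree
    for k1, k2 in zip(ks, kt):
        solve(k1, k2, sigma)
    rs, rt = wrap(cs, ks[n:]), wrap(ct, kt[n:])    # leftover keys sit on one side only
    if is_var(rs) or is_var(rt):                   # a bare variable is left: bind it
        return solve(rs, rt, sigma)
    if ks[n:] or kt[n:]:
        raise Clash("keyed term against a non-variable core")
    if cs[0] != ct[0] or len(cs[1]) != len(ct[1]):  # Clash for ordinary symbols
        raise Clash("%s vs %s" % (cs[0], ct[0]))
    for x, y in zip(cs[1], ct[1]):                 # Decomposition
        solve(x, y, sigma)

def unify(s, t):
    """Return a unifier modulo HE as a dict (variables may map to fresh ones), or None."""
    sigma = {}
    try:
        solve(s, t, sigma)
    except Clash:
        return None
    return {x: subst(v, sigma) for x, v in sigma.items()}

def C(name): return (name, ())
def e(m, k): return ('e', (m, k))
def p(x, y): return ('p', (x, y))
```

For instance, unify(e(x,k), p(e(a,k),e(b,k))) binds x to p(a,b): the variable is first shaped into a pair, then each component is parsed against the matching e-term by stripping the common outermost key. The occurs checks keep the procedure from looping on equations such as x = e(p(x,a),k).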
35 Result of HE-unification
- Rules are deterministic, so the theory is unitary
- Does not increase variables
- Decreases variables if instantiation
- This is important for termination
- Note: HE-unification = DYHE-unification on terms not containing d, fst, snd
- Terms in protocols do not contain d, fst, snd
36 Contents
- Cryptographic Protocol Analysis
- Cap Unification
- Modulo Homomorphic Encryption (HE)
- Inference rules to solve Cap-DYHE Unif
- First solve HE-unification
- Then solve Cap-DYHE-unification
37 Solving Cap-DYHE-unification
- We have constraints of the form S > t
- Want to find a term s in Cap(S) that unifies with t modulo DYHE
- We give a nondeterministic set of inference rules
- All equalities generated are solved with the HE-unification algorithm
38 Cap Decomposition
- S > f(t1,...,tn)
- -------------------
- S > t1, ..., S > tn
- Justification: we may put f on top as cap
39 Degeneracy
- S ∪ {s} > t
- ----------------
- s = t
- Justification: there may be no cap
40 Projection
- S ∪ {p(r,s)} > t
- ----------------------
- S ∪ {r, s} > t
- The cap symbol might be fst; it also might be snd
- This is a simplification
41 Decryption
- S ∪ {e(s,k)} > t
- ----------------------
- S ∪ {s} > t, S > k
- The cap symbol might be d
42 Homomorphic Deduction
- S ∪ {e(t1,k1),...,e(tn,kn)} > e(t,k)
- ----------------------------------------------
- S ∪ {t1,...,tn} > t, k1 = k, ..., kn = k
- The cap might be p, and HE is applicable, where t is some pairing of t1,...,tn
- Note: the signature in the conclusion is only {p, fst, snd}
43 Variable Substitution
- the current constraints
- ---
- the current constraints, x = Pv(t1,...,tn)
- where x is a variable in the constraints, t1,...,tn are distinct terms in the lhs of the constraints, with x not in ti
- Nondeterministic guess of the value of x
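The rules of slides 38 to 43 in their ground instance, applied to the attack of slide 23, as an added example that is not the paper's procedure: terms are normalized modulo DY and HE, the intruder's knowledge is closed under Projection and Decryption, and the goal is checked by Degeneracy and Cap Decomposition (which, on HE-normal forms, also gives Homomorphic Deduction). The one variable z is guessed by hand as the solution z = k of slide 23, standing in for the Variable Substitution rule. Running the same check with the HE rule switched off shows that the homomorphic property is exactly what makes the forged second message derivable. The term encoding is an assumption of this example.

```python
# Added example, not the paper's procedure: the Cap-DYHE rules in the ground
# case, used to check the attack of slide 23.
# Term encoding (assumed here): a constant is (name, ()), an application is
# (symbol, (args...)).

def C(name): return (name, ())
def e(m, k): return ('e', (m, k))
def p(x, y): return ('p', (x, y))
def d(c, k): return ('d', (c, k))
def fst(t):  return ('fst', (t,))
def snd(t):  return ('snd', (t,))

def normalize(t, he=True):
    """Bottom-up normal form modulo DY = {d(e(x,y),y)=x, fst(p(x,y))=x,
    snd(p(x,y))=y} and, when he is set, HE = {e(p(x,y),z) = p(e(x,z),e(y,z))}."""
    sym, args = t
    args = tuple(normalize(a, he) for a in args)
    if sym == 'fst' and args[0][0] == 'p':
        return args[0][1][0]
    if sym == 'snd' and args[0][0] == 'p':
        return args[0][1][1]
    if sym == 'd' and args[0][0] == 'e' and args[0][1][1] == args[1]:
        return args[0][1][0]
    if he and sym == 'e' and args[0][0] == 'p':
        (x, y), key = args[0][1], args[1]
        return p(normalize(e(x, key), he), normalize(e(y, key), he))
    return (sym, args)

def derivable(t, K, he=True):
    """Degeneracy: t is already known. Cap Decomposition: t = f(t1..tn) with
    f in {p, e} and every ti derivable (f goes on top as the cap)."""
    t = normalize(t, he)
    if t in K:
        return True
    sym, args = t
    return sym in ('p', 'e') and len(args) > 0 and all(derivable(a, K, he) for a in args)

def analyze(S, he=True):
    """Close the knowledge S under Projection (fst/snd of a known pair) and
    Decryption (strip e(s,k) when the key k is derivable)."""
    K = {normalize(t, he) for t in S}
    grew = True
    while grew:
        grew = False
        for t in list(K):
            sym, args = t
            found = list(args) if sym == 'p' else \
                    [args[0]] if sym == 'e' and derivable(args[1], K, he) else []
            for u in found:
                if u not in K:
                    K.add(u)
                    grew = True
    return K

k, na = C('k'), C('na')

def attack_found(he):
    """Slide 23 with z = k. From message 1 alone the intruder must produce
    message 2, e(p(na,z),k); Alice then answers with z, after which the
    intruder must derive the secret k."""
    msg1 = e(p(k, na), k)
    step2 = derivable(e(p(na, k), k), analyze({msg1}, he), he)
    step3 = derivable(k, analyze({msg1, k}, he), he)
    return step2 and step3

if __name__ == "__main__":
    print(attack_found(True), attack_found(False))   # True False
```

With HE, message 1 normalizes to p(e(k,k),e(na,k)); Projection exposes both halves and Cap Decomposition reassembles them as p(e(na,k),e(k,k)), the normal form of the forged e(p(na,k),k), without the intruder ever holding k. Without HE the encrypted message stays opaque and the same goal is not derivable, which is the defender's reading of slide 12: the ECB-style property, not a flaw in the Dolev-Yao operations, is what opens the protocol.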
44 Result of Cap-DYHE-unification
- The rules are nondeterministic
- They are guaranteed to halt with a complete set of unifiers or fail
45 Conclusion
- Cap unification modulo equality for cryptographic protocol analysis
- First decision procedure for the insecurity problem modulo HE with a bounded number of protocol sessions
- Future work: an equational theory for the definition of the CBC algorithm, not just properties of it