Cap Unification: Application to Protocol Security modulo Homomorphic Encryption - PowerPoint PPT Presentation

Transcript and Presenter's Notes



1
Cap Unification Application to Protocol Security
modulo Homomorphic Encryption
  • Siva Anantharaman, Hai Lin, Chris Lynch, Paliath
    Narendran, Michael Rusinowitch

2
Contents
  • Cryptographic Protocol Analysis
  • Cap Unification
  • Modulo Homomorphic Encryption (HE)
  • Inference rules to solve Cap-DYHE Unif
  • First solve HE-unification
  • Then solve Cap-DYHE-unification

3
Contents
  • Cryptographic Protocol Analysis
  • Cap Unification
  • Modulo Homomorphic Encryption (HE)
  • Inference rules to solve Cap-DYHE Unif
  • First solve HE-unification
  • Then solve Cap-DYHE-unification

4
First some syntax
  • e(m,k): message m encrypted with key k
  • p(x,y): pair (concatenation) of x and y

5
Next some vocabulary
  • Nonce: number used once (random number), for
    freshness
  • Long term key: secure key shared by the principals
  • Session key: less secure key established for one
    session

6
Key authentication protocol
  • Protocol used to establish a session key
  • In my example, one principal creates a key and
    sends it to the other principal

7
My example protocol
  • A → B: e(p(k,na), k)
  • B → A: e(p(na,nb), k)
  • A → B: nb
  • Alice sends Bob a new session key k and a nonce na,
    encrypted with the long term key k (the slides use
    the single symbol k for both keys)
  • Bob sends na back together with a new nonce nb,
    encrypted with k, to show that he got the session key
  • Alice sends the nonce nb back to Bob to show that she
    got Bob's message

8
Cryptographic Protocol security problem
  • We assume an all-powerful intruder who can read all
    messages, send messages, and pretend to be someone
    else
  • Can the intruder learn a secret (the key k)?
  • Dolev-Yao model: an intruder can recover the
    plaintext of an encrypted message if and only if he
    knows the encryption key

9
Dolev Yao theory
  • d(e(x,y),y) → x
  • fst(p(x,y)) → x
  • snd(p(x,y)) → y

10
Decision procedure for security problem
  • Undecidable in general
  • NP-complete for a bounded number of protocol
    sessions
  • In this talk, we only consider a bounded number of
    sessions

11
Extending Dolev Yao
  • Some cryptographic algorithms have algebraic
    properties that give the intruder more power
  • For example, the properties of exclusive OR allow
    the intruder more attacks
  • The security problem is also NP-complete modulo XOR
  • What other properties are interesting?
  • We consider Homomorphic Encryption
  • The security problem was open for HE

12
Homomorphic Encryption
  • The ECB mode breaks a message into blocks and
    encrypts each block independently
  • e(p(x,y),k) = p(e(x,k),e(y,k))
  • This property gives an attack on my example
    protocol

13
Recall example protocol
  • A → B: e(p(k,na), k)
  • B → A: e(p(na,nb), k)
  • A → B: nb
  • Step 2 from Bob's point of view:
  • receive e(p(x,y),k), send e(p(y,nb),k)
  • Step 3 from Alice's point of view:
  • receive e(p(na,z),k), send z
  • The variables x, y, z stand for whatever the principal
    accepts in that position; the attack instantiates them

14
Attack on Example Protocol
  • A → I(B): e(p(k,na), k)
  • I(B) → A: e(p(na,k), k)
  • A → I(B): k
  • The intruder took message 1 apart and put it back
    together backwards: modulo HE, e(p(k,na),k) =
    p(e(k,k),e(na,k)), so the intruder projects out
    e(na,k) and e(k,k) and pairs them the other way
    round, p(e(na,k),e(k,k)) = e(p(na,k),k), without
    ever knowing k
  • Step 3 from Alice's point of view:
  • receive e(p(na,z),k), send z: with z = k, Alice sends
    the session key k in the clear

15
Contents
  • Cryptographic Protocol Analysis
  • Cap Unification
  • Modulo Homomorphic Encryption (HE)
  • Inference rules to solve Cap-DYHE Unif
  • First solve HE-unification
  • Then solve Cap-DYHE-unification

16
E-Unification
  • Given terms s and t and a theory E, find a
    substitution µ such that sµ and tµ are the same
    modulo E
  • Theory E: AC (associativity and commutativity) of
    the symbol f
  • Problem: f(a,y) = f(b,x)
  • Solution: x = a, y = b, since f(a,b) and f(b,a) are
    equal modulo commutativity

17
Cap
  • Let S be a set of terms
  • Cap(S) is defined recursively so that
  • S is a subset of Cap(S)
  • If t1,...,tn are in Cap(S) and f is a function symbol
    of the signature, then f(t1,...,tn) is in Cap(S)
  • Constants are not considered as function symbols, so
    no constant outside S can be introduced
  • Example: S = {a, f(b)}
  • a, f(b), g(a,f(b)), g(a,a), f(a), g(f(b),f(a)), f(f(b))
    are in Cap(S)
  • b, c, f(c), g(a,c), g(b,a) are not in Cap(S): nothing
    in the signature takes f(b) apart to recover b

18
Cap E-Unification
  • Given a set S, a term t, and a theory E, find a
    substitution µ and a term s in Cap(S) such that sµ
    and tµ are the same modulo E
  • Written S > t
  • Example: {p(f(a),b)} > f(x)
  • where E = {fst(p(x,y)) → x, snd(p(x,y)) → y}
  • Solution: x = a, because fst(p(f(a),b)) = f(a); the
    cap term is fst(p(f(a),b))

19
Another Example
  • Example: {p(a,b), p(c,d)} > p(x,y)
  • where E = {fst(p(x,y)) → x, snd(p(x,y)) → y}
  • One solution is x = d, y = a, because
    p(snd(p(c,d)),fst(p(a,b))) = p(d,a)

20
Cap Unification in Protocol Analysis
  • Suppose we have a malicious intruder trying to
    learn a secret
  • Constraint: S > t
  • S represents the current intruder knowledge
  • t is a term the intruder needs to learn (or build)
  • A set of constraints represents a possible attack;
    it is a real attack if the Cap E-unification problem
    is solvable

21
Theory DYHE
  • DY:
  • d(e(x,y),y) → x
  • fst(p(x,y)) → x
  • snd(p(x,y)) → y
  • HE:
  • e(p(x,y),z) → p(e(x,z),e(y,z))
  • We will consider Cap unification modulo DYHE

22
Recall Attack on Example Protocol
  • A → I(B): e(p(k,na), k)
  • I(B) → A: e(p(na,k), k)
  • A → I(B): k
  • The intruder took message 1 apart and put it back
    together backwards
  • Step 3 from Alice's point of view:
  • receive e(p(na,z),k), send z

23
Finding attack with Cap Unification
  • Let t be the first message e(p(k,na),k)
  • {t} > e(p(na,z),k)
  • {t, z} > k
  • Solution: z = k
  • Cap for the first constraint: p(snd(t),fst(t)),
    which equals e(p(na,k),k) modulo DYHE
  • Cap for the second constraint: z itself (the intruder
    just keeps what Alice sent)

24
Contents
  • Cryptographic Protocol Analysis
  • Cap Unification
  • Modulo Homomorphic Encryption (HE)
  • Inference rules to solve Cap-DYHE Unif
  • First solve HE-unification
  • Then solve Cap-DYHE-unification

25
HE Unification
  • No caps yet
  • No DY yet
  • Only HE: e(p(x,y),z) = p(e(x,z),e(y,z))
  • This will be a procedure used inside the inference
    rules for Cap unification
  • Consider the signature {e, p} plus constants

26
Syntactic part of HE unification
  • Trivial: C, (t = t) ⇒ C
  • Decomposition:
  • C, (f(s1,...,sn) = f(t1,...,tn)) ⇒ C, (s1 = t1), ..., (sn = tn)
  • Orient: C, (t = x) ⇒ C, (x = t)  if t is not a variable
  • Apply: C, (x = t) ⇒ C[x ↦ t], (x = t)  if x occurs in C
    but not in t
  • Clash: C, (f(...) = g(...)) ⇒ Fail
  • unless {f, g} = {e, p} (that case goes to the HE part)
  • OccurCheck: C, (x = t[x]) ⇒ Fail  if t is not x

27
HE part of HE unification
  • How do we solve e(...) = p(...)?
  • We will use some abbreviations
  • Pv(t1,...,tn) represents a p-term whose top consists
    of ps only, with the ti (terms not headed by p) as
    leaves; v is the vector of the positions of the ti
  • E(t,k1,...,kn) represents the e-term
    e(...e(e(t,k1),k2)...,kn), whose top consists of es
    only, with t not headed by e

28
P11,121,122,21,22(e(a,k),a,b,c,a)
  • Figure: the tree of p(p(e(a,k),p(a,b)),p(c,a)); the
    arguments e(a,k), a, b, c, a sit at positions 11,
    121, 122, 21, 22 (1 = left child, 2 = right child)
29
E(a,k1,k2,k3)
  • Figure: the tree of e(e(e(a,k1),k2),k3), the keys
    applied innermost first
30
P11,12,2(E(a,k),E(b),E(b,k,k))
  • Figure: the tree of p(p(e(a,k),b),e(e(b,k),k)); E(b)
    with no keys is just b
31
Solving e(...) = p(...)
  • Assume all terms are in normal form
  • An e-term E(Pv(...),...) has es on top and ps at the
    bottom; rewriting with e(p(x,y),z) → p(e(x,z),e(y,z))
    pushes the es below the ps, which is the normal form
  • i.e., apply rewriting but not narrowing
  • We will apply a substitution to make the p-term the
    normal form of the e-term
  • Pv(...,E(ti,k1,...,kn),...) is the normal form of
    E(Pv(t1,...,tm),k1,...,kn)

32
Homomorphic Encryption
  • Figure: the trees of e(p(x,y),k) and of its rewrite
    p(e(x,k),e(y,k)) side by side
33
Shaping inference rule
  • E(t,k1,...,kn) = Pv(...,E(x,k1,...,km),...)
  • --------------------------------------------------
    m < n
  • Apply the substitution x ↦ E(x',k1,...,kn-m), with x'
    a fresh variable (the slide reuses the name x)
  • The point is to extend the number of keys in the E
    arguments of P, so that the rhs can look like the
    normal form of the lhs
  • Fail if t = x (occur check); also fail if x is a
    constant

34
Parsing inference rule
  • E(t,k1,...,kn) = Pv(E(s1,...,k1'),...,E(sm,...,km'))
    (the rhs keys are primed to tell them apart from the
    lhs keys)
  • --------------------------------------------------
  • E(t,k1,...,kn-1) = Pv(E(s1,...),...,E(sm,...)),
    kn = k1', ..., kn = km'
  • The rhs is the normal form of the lhs only if the
    outermost (final) keys coincide, so the rule peels
    one key off each side and equates them

35
Result of HE-unification
  • The rules are deterministic, so the theory is unitary
    (a solvable problem has a single most general unifier)
  • The rules do not increase the number of variables
  • They decrease the number of variables when they
    instantiate one
  • This is important for termination
  • Note: HE-unification = DYHE-unification on terms
    not containing d, fst, snd
  • Terms in protocols do not contain d, fst, snd

36
Contents
  • Cryptographic Protocol Analysis
  • Cap Unification
  • Modulo Homomorphic Encryption (HE)
  • Inference rules to solve Cap-DYHE Unif
  • First solve HE-unification
  • Then solve Cap-DYHE-unification

37
Solving Cap-DYHE-unification
  • We have constraints of the form S > t
  • We want to find a term s in Cap(S) that unifies with
    t modulo DYHE
  • We give a nondeterministic set of inference rules
  • All equalities generated are solved with the
    HE-unification algorithm

38
Cap Decomposition
  • S > f(t1,...,tn)
  • -------------------
  • S > t1, ..., S > tn
  • Justification: we may put f on top as the cap

39
Degeneracy
  • S ∪ {s} > t
  • ----------------
  • s = t
  • Justification: there may be no cap at all

40
Projection
  • S ∪ {p(r,s)} > t
  • ----------------------
  • S ∪ {r, s} > t
  • The cap symbol might be fst, it also might be snd
  • This is a simplification rule: it is applied without
    branching, since keeping both components loses nothing

41
Decryption
  • S ∪ {e(s,k)} > t
  • ----------------------
  • S ∪ {s} > t,  S > k
  • The cap symbol might be d, and then the intruder must
    also be able to derive the key k

42
Homomorphic Deduction
  • S ∪ {e(t1,k1),...,e(tn,kn)} > e(t,k)
  • ----------------------------------------------
  • S ∪ {t1,...,tn} > t,  k1 = k, ..., kn = k
  • The cap might be p, and HE is applicable, where t
    is some pairing of t1,...,tn
  • Note: the cap in the conclusion is built from the
    signature {p, fst, snd} only

43
Variable Substitution
  • (no premise)
  • -------------------
  • x = Pv(t1,...,tn)
  • where x is a variable in the constraints and
    t1,...,tn are distinct terms occurring on the
    left-hand sides of the constraints, with x not
    occurring in any ti
  • Nondeterministic guess of the value of x

44
Result of Cap-DYHE-unification
  • The rules are nondeterministic
  • They are guaranteed to halt, either with a complete
    set of unifiers or with failure

45
Conclusion
  • Cap unification modulo an equational theory for
    cryptographic protocol analysis
  • First decision procedure for the insecurity problem
    modulo HE with a bounded number of protocol sessions
  • Future work: an equational theory for the definition
    of the CBC algorithm, not just for its properties