Post on 22-Dec-2015

Cryptographic Protocol Models and Free Algebras

Chris Lynch and Cathy Meadows

Naval Research Laboratory

Idea

• Cryptographic Protocol Analysis usually ignores properties of algorithms (Free Algebra Approach)

• NRL Protocol Analyzer uses equational theories to model some algorithm properties (Equational Approach)

• Under what conditions do the two approaches find the same attacks?

Why Study This (reason 1)

• Equational Approach finds attacks that Free Algebra approach does not

• However, equational unification can have higher complexity than syntactic unification

• So an Analyzer would like to know what conditions require Equational Approach

Why Study This (reason 2)

• A Protocol Developer can use our conditions as guidelines for developing protocols

Our conditions are simple and sensible

• Then the Protocol Developer can be assured that no attacks will be caused by these algorithm properties

Our Results

• Millen gave conditions to guarantee that Free Algebra approach is equivalent to Equational Approach (Cancellation Rules) for Shared Key Cryptography

• He left Public Key Cryptography as an Open Problem. We solve that and generalize his results for shared key

Guidelines

• Assume received encrypted/signed messages are structured

because any message can be viewed as the encryption of a decrypted message

• Only send structured encrypted messages

to avoid intruder attacking you with a decrypted message

• Must trust that keys are of proper type (encryption and signed keys are distinguished)

Alternative Guidelines

• All encrypted/signed messages are structured

• Do not directly encrypt/sign an encrypted/signed message

• Easy to do, e.g., send encrypted messages with another piece of data

• Don’t need to trust keys, and keys don’t need to be distinguished

Contents of Talk

1. Derivations for Cryptographic Protocol Analysis

2. Conditions where Free Algebra approach equals Equational Approach

3. Soundness Theorems

4. Conclusions and Future Work

Representing Keys

• Key represented as pk(N,P,E), where

• N = name of key

• P = pub or priv

• E = enc or sig

• e.g. pk(a,pub,enc) is a key for public encryption for principal A

• pe(pk(a,priv,sig),m) represents message m signed with A’s private key

Pure Protocols

• In a protocol, we assume the second and third arguments to pk are not variables

• A protocol is pure if it does not contain private encryption or public signature

Dolev Yao Model

• Intruder can see all sent messages

• Intruder can create and modify and send messages

• We use derivation rules to model messages that Intruder can construct

Free Algebra

• [X,Y]├ X

• [X,Y]├ Y

• X,Y├ [X,Y]

• X, pk(K,pub,enc)├ pe(pk(K,pub,enc),X)

• X, pk(K,priv,sig)├ pe(pk(K,priv,sig),X)

• pe(pk(K,pub,enc),X), pk(K,priv,enc)├ X

• pe(pk(K,priv,sig),X), pk(K,pub,sig)├ X

Equational Theory

• pe(pk(K,pub,enc),pe(pk(K,priv,enc),X)) = X

• pe(pk(K,priv,enc),pe(pk(K,pub,enc),X)) = X

• pe(pk(K,pub,sig),pe(pk(K,priv,sig),X)) = X

• pe(pk(K,priv,sig),pe(pk(K,pub,sig),X)) = X

• Can be expressed as Confluent Rewrite System R

Additional Derivation Rules

• X, pk(K,priv,enc)├ pe(pk(K,priv,enc),X)

• X, pk(K,pub,sig)├ pe(pk(K,pub,sig),X)

• Everything is reduced by R

• Need to compare Original Derivation Rules with Extended Set (reducing by R)

Example 1

• Protocol: If A receives pe(pk(k,pub,enc),X) then A sends s

• Attack: Send m to A

• X = pe(pk(k,priv,enc),m) so A will send s

• This cannot be detected by Free Algebra

Example 2 (Millen)

• Protocol: A sends pe(pk(k,pub,enc),s)

• If B receives pe(pk(k,pub,enc),pe(pk(c,pub,enc),X)) then B sends X

• Attack: I sends pe(pk(k,pub,enc),s) to B

• X = pe(pk(c,priv,enc),s) so B sends pe(pk(c,priv,enc),s)

• If I knows pk(c,pub,enc) then I knows s

Example 3

• Protocol: If A receives X then A sends pe(pk(a,priv,sig),pe(pk(c,pub,enc),X))

• Attack: I sends pe(pk(c,priv,enc),s) to A

• So A sends pe(pk(a,priv,sig),s)

Example 4

• Protocol: If A receives keys X and Y then A sends pe(X,pe(Y,s))

• Attack: I sends pk(c,pub,enc) and pk(c,priv,enc) to A

• So A sends s
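The cancellations behind Examples 1, 3 and 4 can be replayed mechanically by normalizing terms under R. The sketch below is an added example, not code from the talk or from the NRL Protocol Analyzer; the tuple encoding of terms and the names inverse, normalize and subst are assumptions made for illustration.

```python
# Added illustration. Terms are nested tuples; atoms and variables are strings.
def pk(name, half, use): return ("pk", name, half, use)
def pe(key, msg): return ("pe", key, msg)

def inverse(key):
    """The key that cancels `key` under R: same name and use, pub <-> priv."""
    if isinstance(key, tuple) and key[0] == "pk" and key[2] in ("pub", "priv"):
        return pk(key[1], "priv" if key[2] == "pub" else "pub", key[3])
    return None

def normalize(t):
    """Innermost normal form under R: pe(K, pe(inverse(K), X)) -> X."""
    if not isinstance(t, tuple):
        return t
    t = (t[0],) + tuple(normalize(a) for a in t[1:])
    if t[0] == "pe":
        body, inv = t[2], inverse(t[1])
        if inv is not None and isinstance(body, tuple) and body[:2] == ("pe", inv):
            return body[2]  # arguments were normalized first, so this is normal
    return t

def subst(t, sigma):
    """Apply substitution sigma (variable name -> term) to t."""
    if isinstance(t, str):
        return sigma.get(t, t)
    return (t[0],) + tuple(subst(a, sigma) for a in t[1:])

def example1():
    # A expects pe(pk(k,pub,enc), X); with X = pe(pk(k,priv,enc), m) the
    # expected pattern reduces to the bare message m the intruder sends.
    pattern = pe(pk("k", "pub", "enc"), "X")
    return normalize(subst(pattern, {"X": pe(pk("k", "priv", "enc"), "m")}))

def example3():
    # A signs pe(pk(c,pub,enc), X); the intruder supplies X = pe(pk(c,priv,enc), s).
    reply = pe(pk("a", "priv", "sig"), pe(pk("c", "pub", "enc"), "X"))
    return normalize(subst(reply, {"X": pe(pk("c", "priv", "enc"), "s")}))

def example4():
    # A double-encrypts s under two received keys that are inverses of each other.
    reply = pe("X", pe("Y", "s"))
    return normalize(subst(reply, {"X": pk("c", "pub", "enc"), "Y": pk("c", "priv", "enc")}))

if __name__ == "__main__":
    print(example1(), example3(), example4())
```

A purely syntactic matcher never sees these instances, because the instantiated term and its R-normal form are different terms in the free algebra.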

Finding Attacks

• Millen and Shmatikov show that any reachability problem can be converted into a constraint problem

• Given set of terms T and term t find σ such that Tσ ├ tσ

• T represents sent messages

• t represents received messages or secret

Setting up Constraint Problem

• Interleave finitely many instances of protocol with terms Intruder wants to find

• If constraint set has a simultaneous solution then terms are found by Intruder

Constraint Example

• A sends t0 = pe(pk(c,pub,enc),pe(pk(k,pub,enc),s))

• If B receives pe(X,Y) then B sends Y

• I knows c and I wants to know s

• T1 = {c,t0} t1 = pe(X,Y)

• T2 = {c,t0,Y} t2 = s

• Solution is X=pe(pk(k,pub,enc),s), Y=s

PEV-free

• A protocol is PEV-free if pe never has a variable for an argument

• Theorem: If a protocol is pure and PEV-free, then any attack using Equational Approach can be converted to an attack in Free Algebra

Purification

• Rewrite System P:

• pe(pk(K,priv,enc),X) → X

• pe(pk(K,pub,sig),X) → X

• We actually show that the Equational attack can be converted into a purified attack in Free Algebra

Main Theorem

• Suppose s1 … sn irreducible by R and s1 … sn ├ s in Equational Derivation

• Then either s1↓P …sn↓P ├ s↓P in Free Algebra Derivation or si↓P = s↓P for some i

• Also, s is irreducible by R

Main Lemmas

1. If t is pure and PEV-free and t and σ are irreducible by R then tσ is irreducible by R

2. If t and σ are pure then tσ is pure

Limitations of Approach

• Encryption and Signature keys must be distinguished

• Principals must trust that they receive a key of expected type (Trusted Server)

• Approach only deals with pure protocols

Structured Protocols

• Second argument of pe cannot be a variable or a pe-term

could just pair with constant

• First argument is allowed to be variable

implies that Principals do not need to trust key types or distinguish keys

• Results also apply to non-pure protocols

Structured Theorem

• If a protocol is structured, then any attack in Equational Approach has a corresponding Free Algebra attack

• In the non-pure case, the Free Algebra Derivation rules are same as Equational Derivation rules (except equational theory)
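The pure, PEV-free and structured conditions are syntactic, so a protocol description can be screened for them before deciding whether an equational analysis is needed. The checker below is an added example, not the authors' tool; the tuple encoding, the convention that uppercase strings are variables, the reading of "pure" as a condition on the key of each pe term, and the constant "tag" are assumptions made for illustration.

```python
# Added illustration. Terms are nested tuples; uppercase strings are variables.
def pk(name, half, use): return ("pk", name, half, use)
def pe(key, msg): return ("pe", key, msg)
def pair(x, y): return ("pair", x, y)

def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def subterms(t):
    yield t
    if isinstance(t, tuple):
        for arg in t[1:]:
            yield from subterms(arg)

def check(term):
    """Return the set of conditions from the slides that `term` violates."""
    issues = set()
    for u in subterms(term):
        if not (isinstance(u, tuple) and u[0] == "pe"):
            continue
        key, body = u[1], u[2]
        # Assumed reading of "pure": no pe under a priv/enc or pub/sig key.
        if isinstance(key, tuple) and key[2:] in {("priv", "enc"), ("pub", "sig")}:
            issues.add("not pure")
        if is_var(key) or is_var(body):
            issues.add("not PEV-free")
        if is_var(body) or (isinstance(body, tuple) and body[0] == "pe"):
            issues.add("not structured")
    return issues

def free_algebra_suffices(terms):
    """True if the protocol is structured, or both pure and PEV-free."""
    issues = set().union(*(check(t) for t in terms))
    structured = "not structured" not in issues
    pure_pev_free = not issues & {"not pure", "not PEV-free"}
    return structured or pure_pev_free

EX1 = pe(pk("k", "pub", "enc"), "X")                       # Example 1 pattern
EX4 = pe("X", pe("Y", "s"))                                # Example 4 reply
EX1_TAGGED = pe(pk("k", "pub", "enc"), pair("tag", "X"))   # constructed repair

if __name__ == "__main__":
    for name, t in [("EX1", EX1), ("EX4", EX4), ("EX1_TAGGED", EX1_TAGGED)]:
        print(name, sorted(check(t)), free_algebra_suffices([t]))
```

Pairing the payload with a constant, as the Structured Protocols slide suggests, is what moves the Example 1 pattern from failing both conditions to passing them.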

Conclusion

• We now have a better understanding of relationship between Free Algebra and Equational Approach

• We have guidelines for Protocol Developers

If they follow our guidelines, there is a guarantee that Cancellation Properties won’t cause attacks

We can easily tell if they are not followed, then use Equational Approach to analyze

Future Work

• Other Equational Theories for other algorithms

• Currently working on Diffie-Hellman, and have some conjectures

x^{ab} = x^{ba}

• Cathy will talk about more future work