© UCL Crypto group oct.-15 On the Perfect Encryption Assumption in the Study of Security Protocols...
© UCL Crypto group 20/04/23
On the Perfect Encryption Assumption in the Study of
Security Protocols
O. Pereira and J.-J. Quisquater
UCL Crypto Group
http://www.uclcrypto.org
Outline
• Definition of the “Perfect Encryption Assumption”
• Example of an attack on a protocol using CBC
• “New” attack on a protocol using RSA
• Description of a model taking into account some properties of RSA
• Conclusions
Perfect Encryption Assumption
• Is part of almost all formal models
• May be expressed as follows:
– « You need to possess the right key in order to extract any information from a given ciphertext »
– « The only way to compute the message {m}K is by encrypting the message m with the key K »
• Perfect Encryption is not true!
• First Example: Cipher Block Chaining (C.B.C.)
PlainText: $P_1 P_2 \ldots P_n$
CipherText: $C_0 C_1 C_2 \ldots C_n$
Where $C_0 = IV$, $C_i = \{C_{i-1} \oplus P_i\}_K$
For this scheme:
If $C_0 C_1 C_2 \ldots C_i C_{i+1} \ldots C_n = \{P_1 P_2 \ldots P_i P_{i+1} \ldots P_n\}_K$
Then $C_0 C_1 C_2 \ldots C_i = \{P_1 P_2 \ldots P_i\}_K$
This contradicts the second part of the perfect encryption assumption!
In the Real World...
[Figure: block diagram labelled K, Pi, Ci-1, Ci]
Needham-Schroeder Symmetric Key Protocol
• Aim of the protocol:
– establish Kab as shared secret key with the help of Server S
– prove to each other that the key was correctly received
1. A → S : A.B.Na
2. S → A : {Na.B.Kab.{Kab.A}Kbs}Kas
3. A → B : {Kab.A}Kbs
4. B → A : {Nb}Kab
5. A → B : {Nb-1}Kab
(Known) Attack on Needham-Schroeder (SK)
2. S → A : {Na.B.Kab.{Kab.A}Kbs}Kas
3. A → B : {Kab.A}Kbs
From 2. you can compute {Na.B}Kas
If size(Na) = size(Kab), then you can fool A into accepting the publicly known Na as a shared key with B!
3’. C(B) → A : {Na.B}Kas
4’. A → C(B) : {Nc}Na
5’. C(B) → A : {Nc-1}Na
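The CBC prefix property and the resulting confusion between messages 2 and 3, as an added Python example (not part of the original slides). The 8-byte toy Feistel cipher stands in for a real block cipher, and the keys, nonce, ticket placeholder and field sizes are constructed; each field is one block, so size(Na) = size(Kab).

```python
import hashlib

BS = 8  # block size in bytes; toy cipher for illustration only

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BS // 2]

def enc_block(key, blk):
    """4-round Feistel permutation standing in for a real block cipher."""
    l, r = blk[:BS // 2], blk[BS // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:BS // 2], blk[BS // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_enc(key, iv, pt):
    """C0 = IV, Ci = {C(i-1) xor Pi}K; pt must be a multiple of BS."""
    out, prev = [iv], iv
    for i in range(0, len(pt), BS):
        prev = enc_block(key, _xor(prev, pt[i:i + BS]))
        out.append(prev)
    return b"".join(out)

def cbc_dec(key, ct):
    blocks = [ct[i:i + BS] for i in range(0, len(ct), BS)]
    return b"".join(_xor(dec_block(key, c), p) for p, c in zip(blocks, blocks[1:]))

def demo():
    kas, iv = b"constructed A-S key", bytes(BS)          # constructed values
    na, b_id, kab, ticket = b"NONCE_A1", b"B" * BS, b"KEY_AB_1", b"T" * 16
    msg2 = cbc_enc(kas, iv, na + b_id + kab + ticket)    # {Na.B.Kab.ticket}Kas
    prefix = msg2[:3 * BS]                               # C0 C1 C2, cut from message 2
    is_valid = prefix == cbc_enc(kas, iv, na + b_id)     # equals {Na.B}Kas
    # A parses message 3 as {key.peer}: the key field now holds the public Na
    seen = cbc_dec(kas, prefix)
    return is_valid, seen[:BS], seen[BS:]
```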
Weaknesses of Block Ciphers
• Often sensitive to
– Chosen-Plaintext Attacks
– Chosen-Ciphertext Attacks
– Known-Pair Attacks
(due to the Risk of Dictionary Attacks, …)
• Recent work by Stubblebine and Meadows aims to automatically detect the risk of such problems
Another Example : RSA
• let K=(e,n)
– $\{m_1\}_K = m_1^e \bmod n = c_1$
– $\{m_2\}_K = m_2^e \bmod n = c_2$
Knowing $\{m_1\}_K$ and $\{m_2\}_K$, you can compute $\{m_1 * m_2\}_K = c_1 \cdot c_2$ without knowing $m_1 * m_2$ nor K!
$c_1 \cdot c_2 = (m_1 * m_2)^e \bmod n$
Needham-Schroeder-Lowe’s Public-Key Protocol
Everyone has the (fresh) public key of the other principals
Aim of the protocol:
– prove to each other their recent presence
– establish Na and Nb as shared secrets
A → B : {Na.A}Kb
B → A : {Na.Nb.B}Ka
A → B : {Nb}Kb
Use of RSA
• We suppose:
– RSA Modulus is 1024 bits long
– Nonces are 64 bits long
– Identifiers are 32 bits long
– Null padding is used
– At reception, principals check only the bits needed for protocol’s use
– $C \equiv 1 \bmod 8$ (C is the identifier of the intruder)
– A is one of the four identifiers such that $A^2 \bmod 2^{32} = C$
Resulting Flaw
1 A → C(B) : {Na.A}Kb
1 C → B : {Nc1.C}Kb = $(\{N_a.A\}_{K_b})^2 \bmod n_b$
2 B → C : {Nc1.Nb.B}Kc
2 C(B) → A : {Na.Nc2.B}Kc (computed from Nc1)
3 A → C(B) : {Nc2}Kc
How to compute Na from Nc1 ?
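$\{N_{c1}.C\} = \{N_a.A\}^2 \bmod n_b$
$= (2^{32} N_a + A)^2 \bmod n_b$
$= 2^{64} N_a^2 + 2^{33} N_a A + A^2$ ($n_b$ is 1024 bits long)
[Figure: bit-layout diagram with fields labelled …0000…, Na, Na², Na.A, A, A²; legend: one unit = 32 bits]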
How to compute Na from Nc ? (II)
It can be checked that:
– The identifier read by B will be $A^2 \bmod 2^{32} = C$
– Nc1 is the sum of
• The 32 most significant bits of $A^2$
• The 64 least significant bits of $2 N_a A$
• $2^{32}$ times the 32 least significant bits of $N_a^2$
The choice between the different solutions of this problem can be done by recomputing {Na.A}Kb
[Figure: bit-layout diagram with fields labelled …0000…, Na, Na², Na.A, A, A²]
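The squaring step and the computation of Na from Nc1 described on the last two slides, worked through in Python as an added example (not part of the original slides). The modulus built from two Mersenne primes, the sample values of Na and A, and all function names are assumptions; `strict_read` is a hypothetical receiver that also checks the null padding, shown for contrast with the receiver that checks only the bits it needs.

```python
# Added illustration, not code from the slides. Textbook RSA with null padding;
# plaintext layout is nonce (64 bits) . identifier (32 bits), as assumed above.
P, Q = 2**521 - 1, 2**607 - 1   # constructed key: two Mersenne primes (1128-bit n)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
M32, M64 = 2**32 - 1, 2**64 - 1

def enc(nonce, ident):
    """{nonce.ident}K with null padding."""
    return pow((nonce << 32) | ident, E, N)

def lax_read(c):
    """Receiver that checks only the 96 bits the protocol uses."""
    m = pow(c, D, N)
    return (m >> 32) & M64, m & M32

def strict_read(c):
    """Receiver that also requires the null padding to be intact."""
    m = pow(c, D, N)
    return None if m >> 96 else lax_read(c)

def solve_na(nc1, a):
    """All 64-bit na with nc1 = hi32(a^2) + 2*na*a + 2^32*na^2 (mod 2^64), a odd."""
    t = (nc1 - (a * a >> 32)) & M64
    na = 0
    for k in range(63):          # bit k of na is fixed by bit k+1 of the residue
        r = (t - 2 * a * na - (na * na << 32)) & M64
        if (r >> (k + 1)) & 1:
            na |= 1 << k
    return [na, na | (1 << 63)]  # bit 63 never reaches the low 64 bits

def demo():
    na, a = 0x9E3779B97F4A7C15, 0x0A0B0C0D    # constructed sample values
    c = a * a & M32                           # identifier with A^2 mod 2^32 = C
    msg1 = enc(na, a)                         # {Na.A}Kb
    squared = msg1 * msg1 % N                 # computed from the ciphertext alone
    nc1, ident = lax_read(squared)
    found = [x for x in solve_na(nc1, a) if enc(x, a) == msg1]
    return ident == c, found == [na], strict_read(squared) is None
```

`strict_read` rejects this particular squared message because its bits above position 96 are non-zero; as the conclusions note, defining redundancy that is sufficient in general is harder.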
Remarks
• An increase of the size of the RSA modulus makes such attacks easier rather than the opposite
• The following protocol does not permit this attack…
A → B : {A.Na}Kb
B → A : {B.Na.Nb}Ka
A → B : {Nb}Kb
• Instead of squaring messages, it is possible to multiply them by small encrypted factors
Our Model
• Classical atomic types:
– Identifiers (A, B, …)
– Nonces (Na, Nb, …)
– Keys (Ka, Kb, …)
• New atomic type:
– Small multiplicative factors (f1, f2, …)
• Distributivity of product on concatenation
– f*(m1.m2) = (f*m1).(f*m2)
Our Model (II)
• Assumptions:
– Distributivity: f *(m1.m2) = (f *m1).(f *m2) (for small f only)
– The Intruder possesses identifiers C1 and C2 such that C1=f *A and C2=f *B (and the corresponding keys)
• Checking:
– We define a bounded system and check it with a standard model checker: SPIN
Limiting our state space
• Definition of a system
– number of honest users
– number of concurrent sessions
– number of « small factors »
Specificity of the Model
• In other systems, Authors use
– « Normalized derivations » (Marrero & al.)
– « Unique readability axioms » (Guttman & al.)
– ...
• We have to deal with
– Distributivity of « * » on « . »
– …
Several ways to obtain and read messages!
SPIN
• Model Checker developed at Bell Labs
• Its input language (ProMeLa) allows the use of the integer type (with the basic operations)
Modelling of a unique factor: f =2
Definition of a range of values for each atomic type (A=11, B=12, C1=22, C2=24, ...)
Properties of multiplication naturally taken into account !
Conclusions
• With this model, we found two similar flaws in the Needham-Schroeder-Lowe Protocol in a few seconds
• One solution to this problem is to add redundancy to the messages
• Defining efficient redundancy is, however, difficult (see for instance Grieu’s attack on the ISO/IEC 9796-1 signature scheme with redundancy, Eurocrypt 2000)
• Another solution is the use of distinct cryptographic primitives in order to prevent the exploitation of such properties