© UCL Crypto group 17/07/22 On the Perfect Encryption Assumption in the Study of Security Protocols O. Pereira and J.-J. Quisquater UCL Crypto Group http://www.uclcrypto.org

Page 1:

On the Perfect Encryption Assumption in the Study of Security Protocols

O. Pereira and J.-J. Quisquater

UCL Crypto Group

http://www.uclcrypto.org

Page 2:

Outline

• Definition of the “Perfect Encryption Assumption”
• Example of an attack on a protocol using CBC
• “New” attack on a protocol using RSA
• Description of a model taking into account some properties of RSA
• Conclusions

Page 3:

Perfect Encryption Assumption

• Is part of almost all formal models
• May be expressed as follows:
– « You need to possess the good key in order to extract any information from a given ciphertext »
– « The only way to compute the message {m}K is by encrypting the message m with the key K »

Page 4:

• Perfect Encryption is not true!
• First Example: Cipher Block Chaining (C.B.C.)

PlainText: P1 P2 … Pn
CipherText: C0 C1 C2 … Cn
Where C0 = IV, Ci = {Ci-1 ⊕ Pi}K

For this scheme:
If C0 C1 C2 … Ci Ci+1 … Cn = {P1 P2 … Pi Pi+1 … Pn}K
Then C0 C1 C2 … Ci = {P1 P2 … Pi}K

Opposition with the second part of the perfect encryption assumption!

In the Real World...

[Figure: CBC encryption diagram: block cipher keyed with K, inputs Pi and Ci-1, output Ci]

Page 5:

Needham-Schroeder Symmetric Key Protocol

• Aim of the protocol:
– establish Kab as a shared secret key with the help of Server S
– prove to each other the good reception of the key

1. A → S : A.B.Na
2. S → A : {Na.B.Kab.{Kab.A}Kbs}Kas
3. A → B : {Kab.A}Kbs
4. B → A : {Nb}Kab
5. A → B : {Nb-1}Kab

Page 6:

(Known) Attack on Needham-Schroeder (SK)

2. S → A : {Na.B.Kab.{Kab.A}Kbs}Kas
3. A → B : {Kab.A}Kbs

From 2. you can compute {Na.B}Kas; if size(Na) = size(Kab) then you can fool A into accepting the publicly known Na as a shared key with B!

3’. C(B) → A : {Na.B}Kas
4’. A → C(B) : {Nc}Na
5’. C(B) → A : {Nc-1}Na
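As an added example (not from the slides), a toy CBC implementation over a small Feistel block cipher shows the prefix property behind the attack above: cutting C0 … Ci from {Na.B.Kab.{Kab.A}Kbs}Kas leaves a ciphertext that decrypts to Na.B, while an encrypt-then-MAC tag over the whole ciphertext makes the receiver reject the cut prefix. The cipher, key, IV and message contents are constructed here.

```python
import hashlib, hmac

BLOCK = 8  # 64-bit blocks, as in DES-era block ciphers
# Constructed sample: long-term key Kas, IV and the fields of message 2
KEY, IV = b"K_as_key", bytes(BLOCK)
MSG2 = b"NONCE_A_" + b"IDENT_B_" + b"KEY_AB__" + b"TICKET__"  # Na.B.Kab.{Kab.A}Kbs

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    # round function of a toy 4-round Feistel cipher (a stand-in: CBC's prefix property holds for any block cipher)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return r + l

def block_decrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):  # same structure, round keys in reverse
        l, r = r, _xor(l, _f(key, r, rnd))
    return r + l

def cbc_encrypt(key, iv, plaintext):
    # C0 = IV, Ci = {C(i-1) xor Pi}K; returns C0 C1 ... Cn
    prev, out = iv, [iv]
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(prev, plaintext[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, ciphertext):
    # Pi = D(Ci) xor C(i-1) needs nothing after block i, so any prefix C0..Ci decrypts to P1..Pi
    c = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return b"".join(_xor(c[i - 1], block_decrypt(key, c[i])) for i in range(1, len(c)))

def seal(key, iv, plaintext):
    # encrypt-then-MAC with a separate MAC key: the tag binds every block, so a cut ciphertext fails
    ct = cbc_encrypt(key, iv, plaintext)
    return ct + hmac.new(key + b"|mac", ct, hashlib.sha256).digest()

def open_sealed(key, sealed):
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key + b"|mac", ct, hashlib.sha256).digest()):
        return None  # reject: ciphertext was truncated or altered
    return cbc_decrypt(key, ct)
```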

Page 7:

Weaknesses of Block Ciphers

• Often sensitive to
– Chosen-Plaintext Attacks
– Chosen-Ciphertext Attacks
– Known-Pair Attacks
(due to the Risk of Dictionary Attacks, …)

• Recent works of Stubblebine and Meadows in order to automatically detect the risk of such problems

Page 8:

Another Example : RSA

• Let K = (e, n)
– {m1}K = m1^e mod n = c1
– {m2}K = m2^e mod n = c2

Knowing {m1}K and {m2}K, you can compute {m1*m2}K = c1.c2 without knowing m1*m2 nor K!

c1.c2 = (m1*m2)^e mod n

Page 9:

Needham-Schroeder-Lowe’s Public-Key Protocol

Everyone has the (fresh) public key of the other principals

Aim of the protocol:
– prove to each other their recent presence
– establish Na and Nb as shared secrets

A → B : {Na.A}Kb
B → A : {Na.Nb.B}Ka
A → B : {Nb}Kb

Page 10:

Use of RSA

• We suppose:
– RSA Modulus is 1024 bits long
– Nonces are 64 bits long
– Identifiers are 32 bits long
– Null padding is used
– At reception, principals check only the bits needed for protocol’s use
– C ≡ 1 (mod 8) (C is the identifier of the intruder)
– A is one of the four identifiers such that A^2 mod 2^32 = C

Page 11:

Resulting Flaw

1. A → C(B) : {Na.A}Kb
1. C → B : {Nc1.C}Kb = ({Na.A}Kb)^2 mod nb
2. B → C : {Nc1.Nb.B}Kc
2. C(B) → A : {Na.Nc2.B}Kc (computed from Nc1)
3. A → C(B) : {Nc2}Kc

Page 12:

How to compute Na from Nc1 ?

{Nc1.C} = {Na.A}^2 mod nb
= (2^32*Na + A)^2 mod nb
= 2^64*Na^2 + 2^33*Na*A + A^2 (nb is 1024 bits long, so no reduction modulo nb takes place)

[Figure: bit layout of the three terms in 32-bit columns: Na^2 shifted left by 64 bits, Na.A shifted by 33 bits, A^2 in the low 64 bits; each column = 32 bits]

Page 13:

How to compute Na from Nc1 ? (II)

It can be checked that:
– The identifier read by B will be A^2 mod 2^32 = C
– Nc1 is the sum of
• The 32 most significant bits of A^2
• The 64 least significant bits of 2*Na*A
• 2^32 times the 32 least significant bits of Na^2

The choice between the different solutions of this problem can be done by recomputing {Na.A}Kb

[Figure: same bit layout as on the previous slide]
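Added example (not the authors' code) serving the RSA slide and slides 11-13: a toy textbook-RSA setup with the slide-10 message layout, showing that squaring a ciphertext gives the ciphertext of the squared message, that a receiver checking only the protocol's bits reads exactly the identifier and nonce predicted above, and that a receiver which also verifies the null padding rejects the value (the redundancy remedy of the conclusions). The primes, key and sample values are constructed here; the modulus is smaller than 1024 bits but still large enough that the square of a 96-bit message does not wrap.

```python
# Toy textbook RSA (null padding, no redundancy) from two Mersenne primes; built
# for this example, not the authors' code. n has about 234 bits, so the square
# of a 96-bit message never wraps modulo n, as on the slides with a 1024-bit n
P, Q = (1 << 107) - 1, (1 << 127) - 1   # both prime
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
NONCE_BITS, ID_BITS = 64, 32             # sizes assumed on slide 10
MASK32, MASK64 = (1 << ID_BITS) - 1, (1 << NONCE_BITS) - 1

def encrypt(m):
    return pow(m, E, N)

def decrypt(c):
    return pow(c, D, N)

def pack(nonce, ident):
    # {Nonce.Id}: nonce in bits 32..95, identifier in bits 0..31, zeros above
    return (nonce << ID_BITS) | ident

def parse_loose(m):
    # receiver that checks only the bits the protocol needs (slide 10)
    return (m >> ID_BITS) & MASK64, m & MASK32

def strict_rejects(m):
    # receiver that also requires the null padding to be intact: any stray
    # high bit means the value was not formed by the protocol
    return m >> (NONCE_BITS + ID_BITS) != 0

def multiplicative_property_holds(m1, m2):
    # c1*c2 mod n decrypts to m1*m2 (slide 8)
    return decrypt(encrypt(m1) * encrypt(m2) % N) == (m1 * m2) % N

def squared_message(c):
    # what B recovers from ({Na.A}Kb)^2 mod nb: the integer (2^32*Na + A)^2
    return decrypt(c * c % N)

def predicted_fields(na, a):
    # fields B reads according to slides 12-13: identifier A^2 mod 2^32, and
    # nonce = 32 MSB of A^2 + 64 LSB of 2*Na*A + 2^32 * (32 LSB of Na^2), mod 2^64
    a2 = a * a
    nc1 = ((a2 >> 32) + ((2 * na * a) & MASK64) + ((na * na & MASK32) << 32)) & MASK64
    return nc1, a2 & MASK32

# Constructed sample values: A = 11 (odd, so A^2 = 121 = 1 mod 8 as slide 10 requires)
NA, A = 0x0123456789ABCDEF, 11
```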

Page 14:

Remarks

• An increase of the size of the RSA modulus makes such attacks easier rather than the opposite
• The following protocol does not permit this attack…

A → B : {A.Na}Kb
B → A : {B.Na.Nb}Ka
A → B : {Nb}Kb

• Instead of squaring messages, it is possible to multiply them by small encrypted factors

Page 15:

Our Model

• Classical atomic types:
– Identifiers (A, B, …)
– Nonces (Na, Nb, …)
– Keys (Ka, Kb, …)

• New atomic type:
– Small multiplicative factors (f1, f2, …)

• Distributivity of product on concatenation
– f*(m1.m2) = (f*m1).(f*m2)

Page 16:

Our Model (II)

• Assumptions:
– Distributivity: f*(m1.m2) = (f*m1).(f*m2) (for small f only)
– The Intruder possesses identifiers C1 and C2 such that C1 = f*A and C2 = f*B (and the corresponding keys)

• Checking:
– We define a bounded system and check it with a standard model checker: SPIN

Page 17:

Limiting our state space

• Definition of a system
– number of honest users
– number of concurrent sessions
– number of « small factors »

Page 18:

Specificity of the Model

• In other systems, authors use
– « Normalized derivations » (Marrero & al.)
– « Unique readability axioms » (Guttman & al.)
– ...

• We have to deal with
– Distributivity of « * » on « . »
– …

Several ways to obtain and read messages!

Page 19:

SPIN

• Model Checker developed at Bell Labs

• Its input language (ProMeLa) allows the use of the integer type (with the basic operations)

– Modelling of a single factor: f = 2
– Definition of a range of values for each atomic type (A=11, B=12, C1=22, C2=24, ...)
– Properties of multiplication naturally taken into account!

Page 20:

Conclusions

• With this model, we found two similar flaws in the Needham-Schroeder-Lowe Protocol in a few seconds

• A solution to this problem is to add redundancy to the messages

• The definition of efficient redundancies is however difficult (see for instance Grieu’s attack on the ISO/IEC 9796-1 signature scheme with redundancy, Eurocrypt 2000)

• Another solution is the use of distinct cryptographic primitives in order to prevent the exploitation of such properties