Security Models Lecture 3 Passive Intruder

(1)

Security Models Lecture 3 Passive Intruder

Pascal Lafourcade

2020-2021

(2)

Outline of Today:

1 Logical Attacks

2 Diffie-Hellman 3 Needham Schroeder 4 Dolev Yao’s Intruder

5 Undecidability for unbounded number of sessions 6 Notion of Locality

7 Passive Intruder: Intruder Deduction Problem

2 / 50

(3)

Outline of Today:

1 Logical Attacks 2 Diffie-Hellman

3 Needham Schroeder 4 Dolev Yao’s Intruder

5 Undecidability for unbounded number of sessions 6 Notion of Locality

7 Passive Intruder: Intruder Deduction Problem

(4)

Outline of Today:

1 Logical Attacks 2 Diffie-Hellman 3 Needham Schroeder

4 Dolev Yao’s Intruder

5 Undecidability for unbounded number of sessions 6 Notion of Locality

7 Passive Intruder: Intruder Deduction Problem

2 / 50

(5)

Outline of Today:

1 Logical Attacks 2 Diffie-Hellman 3 Needham Schroeder 4 Dolev Yao’s Intruder

5 Undecidability for unbounded number of sessions 6 Notion of Locality

7 Passive Intruder: Intruder Deduction Problem

(6)

Outline of Today:

1 Logical Attacks 2 Diffie-Hellman 3 Needham Schroeder 4 Dolev Yao’s Intruder

5 Undecidability for unbounded number of sessions

6 Notion of Locality

7 Passive Intruder: Intruder Deduction Problem

2 / 50

(7)

Outline of Today:

1 Logical Attacks 2 Diffie-Hellman 3 Needham Schroeder 4 Dolev Yao’s Intruder

5 Undecidability for unbounded number of sessions 6 Notion of Locality

7 Passive Intruder: Intruder Deduction Problem

(8)

Outline of Today:

1 Logical Attacks 2 Diffie-Hellman 3 Needham Schroeder 4 Dolev Yao’s Intruder

5 Undecidability for unbounded number of sessions 6 Notion of Locality

7 Passive Intruder: Intruder Deduction Problem

2 / 50

(9)

Security Models Lecture 3 Passive Intruder Logical Attacks

Outline

1 Logical Attacks 2 Diffie-Hellman 3 Needham Schroeder 4 Dolev Yao’s Intruder

5 Undecidability for unbounded number of sessions 6 Notion of Locality

7 Passive Intruder: Intruder Deduction Problem

(10)

Attacks

Logical Attacks Perfect cryptography Computational vs symbolic

4 / 50

(11)

Simple Example

Replay message

(12)

Examples of kinds of attack

• Man-in-the-middle (or parallel sessions) attack: pass messages through to another session A ↔ I ↔ B .

• Replay (or freshness) attack: record and later re-introduce a message or part.

• Reflection attack: send transmitted information back to originator.

• Oracle attack: take advantage of normal protocol responses as encryption and decryption “services”.

• Type flaw (confusion) attack: substitute a different type of message field (e.g. a key vs. a name).

6 / 50

(13)

Security Models Lecture 3 Passive Intruder Diffie-Hellman

Outline

1 Logical Attacks 2 Diffie-Hellman 3 Needham Schroeder 4 Dolev Yao’s Intruder

5 Undecidability for unbounded number of sessions 6 Notion of Locality

7 Passive Intruder: Intruder Deduction Problem

(14)

The Diffie-Hellman protocol

g, p are public parameters.

(g

^y

)

^x

mod p = k = g

^xy

mod p = (g

^x

)

^y

mod p

8 / 50

(15)

Man-in-the-middle attack

Compute X = g mod p^x

R

Compute Z = g mod p^z

Compute Y = g mod p^y

Compute k = Z mod pR ^y

Compute k = Z mod pI x

Choose g, p Generate x

I A

Generate z (1) X [g,p]

(2) Z

(1’) Z [g,p]

(2’) Y Compute k = X mod pI ^z

Generate y

Compute k = Y mod pR ^z

(16)

Security Models Lecture 3 Passive Intruder Needham Schroeder

Outline

1 Logical Attacks 2 Diffie-Hellman 3 Needham Schroeder 4 Dolev Yao’s Intruder

5 Undecidability for unbounded number of sessions 6 Notion of Locality

7 Passive Intruder: Intruder Deduction Problem

10 / 50

(17)

Messages Abstraction

• Names: A, B or Alice, Bob, ...

• Nonces: N

_A

. Fresh data.

• Keys: K and inverse keys K

⁻¹

• Asymmetric Encryption: : {M}

_K_A

• Symmetric Encryption: {M}

_K_AB

.

• Message concatenation: hM

₁

, M

₂

i.

Example: {hA ⊕ N

_B

, K

_AB

i}

_K_B

.

(18)

Example: Needham-Schroeder Protocol 1978

Question

• Is N

_B

a shared secret between A et B?

12 / 50

(19)

Example: Needham-Schroeder Protocol 1978

Question

• Is N

_B

a shared secret between A et B?

(20)

Example: Needham-Schroeder Protocol 1978

Question

• Is N

_B

a shared secret between A et B?

12 / 50

(21)

Example: Needham-Schroeder Protocol 1978

Question

• Is N

_B

a shared secret between A et B?

(22)

Example: Needham-Schroeder Protocol 1978

Question

• Is N

_B

a shared secret between A et B?

Answer

• In 1995, G.Lowe find an attack 17 years after its publication!

12 / 50

(23)

Lowe Attack on the Needham-Schroeder

so-called “Man in the middle attack”

(24)

Needham-Schroeder corrected by Lowe 1995

Question

• This time the protocol is secure?

14 / 50

(25)

Type flaw attacks

• A message consists of a sequence of sub-messages.

Examples: a principal’s name, a nonce, a key, ...

• Messages sent as bit strings. No type information.

1011 0110 0010 1110 0011 0111 1010 0000

• Type flaw is when A → B : M and B accepts M as valid but parses it differently. I.e., B interprets the bits differently than A.

• Example: two 16-bit nonces {N

_A

, N

_B

} could be mistaken as a 32-bit shared key.

Let’s consider several examples from actual protocols.

(26)

Type Flaw Attack on the Needham-Schroeder-Lowe

16 / 50

(27)

Another Type Flaw Attack: Otway-Rees Protocol

Otway-Rees

1 A → B : (M , A, B, (N

_A

, M, A, B)

_Kas

)

2 B → S : (M , A, B, (N

A

, M , A, B )

Kas

, (N

B

, M , A, B)

Kbs

) 3 S → B : (M , (N

_A

, Kab)

_Kas

, (N

_B

, Kab)

_Kbs

)

4 B → A : (M , (N

_A

, Kab)

_Kas

) where M is the session-identifier.

Attack

1 A → B : (M , A, B, (N

_A

, M , A, B)

_Kas

)

2 B → I (S ) : (M, A, B, (N

_A

, M, A, B)

_Kas

, (N

_B

, M, A, B)

_Kbs

)

3 I (S ) → B : (M, (N

A

, M , A, B)

Kas

, (N

B

, M , A, B)

Kbs

)

Kab = (M,A,B)4 B → A : (M, (N

_A

, M , A, B )

_Kas

)

(28)

Another Type Flaw Attack: Otway-Rees Protocol

Otway-Rees

1 A → B : (M , A, B, (N

_A

, M, A, B)

_Kas

)

2 B → S : (M , A, B, (N

A

, M , A, B )

Kas

, (N

B

, M , A, B)

Kbs

) 3 S → B : (M , (N

_A

, Kab)

_Kas

, (N

_B

, Kab)

_Kbs

)

4 B → A : (M , (N

_A

, Kab)

_Kas

) where M is the session-identifier.

Attack

1 A → B : (M , A, B, (N

_A

, M , A, B)

_Kas

)

2 B → I (S ) : (M, A, B, (N

_A

, M, A, B)

_Kas

, (N

_B

, M, A, B)

_Kbs

) 3 I (S ) → B : (M, (N

A

, M , A, B)

Kas

, (N

B

, M , A, B)

Kbs

) Kab = (M,A,B)4 B → A : (M, (N

_A

, M , A, B )

_Kas

)

17 / 50

(29)

Another Type Flaw Attack: Otway-Rees Protocol

Otway-Rees

1 A → B : (M , A, B, (N

_A

, M, A, B)

_Kas

)

2 B → S : (M , A, B, (N

A

, M , A, B )

Kas

, (N

B

, M , A, B)

Kbs

) 3 S → B : (M , (N

_A

, Kab)

_Kas

, (N

_B

, Kab)

_Kbs

)

4 B → A : (M , (N

_A

, Kab)

_Kas

) where M is the session-identifier.

Attack

1 A → B : (M , A, B, (N

_A

, M , A, B)

_Kas

)

2 B → I (S ) : (M, A, B, (N

_A

, M, A, B)

_Kas

, (N

_B

, M, A, B)

_Kbs

)

3 I (S ) → B : (M, (N

A

, M , A, B)

Kas

, (N

B

, M , A, B)

Kbs

)

Kab = (M,A,B)4 B → A : (M, (N

_A

, M , A, B )

_Kas

)

(30)

Another Type Flaw Attack: Otway-Rees Protocol

Otway-Rees

1 A → B : (M , A, B, (N

_A

, M, A, B)

_Kas

)

2 B → S : (M , A, B, (N

A

, M , A, B )

Kas

, (N

B

, M , A, B)

Kbs

) 3 S → B : (M , (N

_A

, Kab)

_Kas

, (N

_B

, Kab)

_Kbs

)

4 B → A : (M , (N

_A

, Kab)

_Kas

) where M is the session-identifier.

Attack

1 A → B : (M , A, B, (N

_A

, M , A, B)

_Kas

)

2 B → I (S ) : (M, A, B, (N

_A

, M, A, B)

_Kas

, (N

_B

, M, A, B)

_Kbs

)

3 I (S ) → B : (M, (N

A

, M , A, B)

Kas

, (N

B

, M , A, B)

Kbs

) Kab = (M,A,B)4 B → A : (M, (N

_A

, M , A, B )

_Kas

)

17 / 50

(31)

Another Type Flaw Attack: Otway-Rees Protocol

Otway-Rees

1 A → B : (M , A, B, (N

_A

, M, A, B)

_Kas

)

2 B → S : (M , A, B, (N

A

, M , A, B )

Kas

, (N

B

, M , A, B)

Kbs

) 3 S → B : (M , (N

_A

, Kab)

_Kas

, (N

_B

, Kab)

_Kbs

)

4 B → A : (M , (N

_A

, Kab)

_Kas

) where M is the session-identifier.

Attack

1 A → B : (M , A, B, (N

_A

, M , A, B)

_Kas

)

2 B → I (S ) : (M, A, B, (N

_A

, M, A, B)

_Kas

, (N

_B

, M, A, B)

_Kbs

) 3 I (S ) → B : (M, (N

A

, M , A, B)

Kas

, (N

B

, M , A, B)

Kbs

) Kab = (M,A,B)

4 B → A : (M, (N

_A

, M , A, B )

_Kas

)

(32)

Another Type Flaw Attack: Otway-Rees Protocol

Otway-Rees

1 A → B : (M , A, B, (N

_A

, M, A, B)

_Kas

)

2 B → S : (M , A, B, (N

A

, M , A, B )

Kas

, (N

B

, M , A, B)

Kbs

) 3 S → B : (M , (N

_A

, Kab)

_Kas

, (N

_B

, Kab)

_Kbs

)

4 B → A : (M , (N

_A

, Kab)

_Kas

) where M is the session-identifier.

Attack

1 A → B : (M , A, B, (N

_A

, M , A, B)

_Kas

)

2 B → I (S ) : (M, A, B, (N

_A

, M, A, B)

_Kas

, (N

_B

, M, A, B)

_Kbs

) 3 I (S ) → B : (M, (N

A

, M , A, B)

Kas

, (N

B

, M , A, B)

Kbs

) Kab = (M,A,B)4 B → A : (M, (N

_A

, M , A, B)

_Kas

)

17 / 50

(33)

Another Type Flaw Attack: Otway-Rees Protocol

Otway-Rees

1 A → B : (M , A, B, (N

_A

, M, A, B)

_Kas

)

2 B → S : (M , A, B, (N

A

, M , A, B )

Kas

, (N

B

, M , A, B)

Kbs

) 3 S → B : (M , (N

_A

, Kab)

_Kas

, (N

_B

, Kab)

_Kbs

)

4 B → A : (M , (N

_A

, Kab)

_Kas

) where M is the session-identifier.

Attack

1 A → B : (M , A, B, (N

_A

, M , A, B)

_Kas

)

2 B → I (S ) : (M, A, B, (N

_A

, M, A, B)

_Kas

, (N

_B

, M, A, B)

_Kbs

)

3 I (S ) → B : (M, (N

A

, M , A, B)

Kas

, (N

B

, M , A, B)

Kbs

)

Kab = (M,A,B)4 B → A : (M, (N

_A

, M , A, B)

_Kas

)

(34)

Another Type Flaw Attack: Yahalom Protocol

Yahalom

1 A → B : (A, N

_A

)

2 B → S : (B, (A, N

_A

, N

_B

)

_Kbs

)

3 S → A : ((B, Kab, N

A

, N

B

)

Kas

, (A, Kab, N

B

)

Kbs

) 4 A → B : ((A, Kab, N

_B

)

_Kbs

, (N

_B

)

_Kab

)

Attack

1 I(A) → B : (A, N

_A

)

2 B → I (S ) : (B, (A, N

A

, N

B

)

Kbs

) 4 I (A) → B : ((A, N

_A

, N

_B

)

_Kbs

, (N

_B

)

_N_A

)

18 / 50

(35)

Another Type Flaw Attack: Yahalom Protocol

Yahalom

1 A → B : (A, N

_A

)

2 B → S : (B, (A, N

_A

, N

_B

)

_Kbs

)

3 S → A : ((B, Kab, N

A

, N

B

)

Kas

, (A, Kab, N

B

)

Kbs

) 4 A → B : ((A, Kab, N

_B

)

_Kbs

, (N

_B

)

_Kab

)

Attack

1 I(A) → B : (A, N

_A

)

2 B → I (S ) : (B, (A, N

A

, N

B

)

Kbs

)

4 I (A) → B : ((A, N

_A

, N

_B

)

_Kbs

, (N

_B

)

_N_A

)

(36)

Another Type Flaw Attack: Woo Lam Protocol

Woo Lam 1 A → B : (A) 2 B → A : (N

B

)

3 A → B : (A, B, N

_B

)

_Kas

4 B → S : (A, B , (A, B , N

_B

)

_Kas

)

_Kbs

5 S → B : (A, B , N

B

)

Kbs

Attack

1 I(A) → B : (A) 2 B → I (A) : (N

B

) 3 I (A) → B : (N

_B

)

instead of (A, B , N

_B

)

_Kas

4 B → I (S ) : (A, B, N

_B

)

_Kbs

5 I (S ) → B : (A, B, N

B

)

Kbs

19 / 50

(37)

Another Type Flaw Attack: Woo Lam Protocol

Woo Lam 1 A → B : (A) 2 B → A : (N

B

)

3 A → B : (A, B, N

_B

)

_Kas

4 B → S : (A, B , (A, B , N

_B

)

_Kas

)

_Kbs

5 S → B : (A, B , N

B

)

Kbs

Attack

1 I(A) → B : (A)

2 B → I (A) : (N

B

) 3 I (A) → B : (N

_B

)

instead of (A, B , N

_B

)

_Kas

4 B → I (S ) : (A, B, N

_B

)

_Kbs

5 I (S ) → B : (A, B, N

B

)

Kbs

(38)

Another Type Flaw Attack: Woo Lam Protocol

Woo Lam 1 A → B : (A) 2 B → A : (N

B

)

3 A → B : (A, B, N

_B

)

_Kas

4 B → S : (A, B , (A, B , N

_B

)

_Kas

)

_Kbs

5 S → B : (A, B , N

B

)

Kbs

Attack

1 I(A) → B : (A) 2 B → I (A) : (N

B

)

3 I (A) → B : (N

_B

)

instead of (A, B , N

_B

)

_Kas

4 B → I (S ) : (A, B, N

_B

)

_Kbs

5 I (S ) → B : (A, B, N

B

)

Kbs

19 / 50

(39)

Another Type Flaw Attack: Woo Lam Protocol

Woo Lam 1 A → B : (A) 2 B → A : (N

B

)

3 A → B : (A, B, N

_B

)

_Kas

4 B → S : (A, B , (A, B , N

_B

)

_Kas

)

_Kbs

5 S → B : (A, B , N

B

)

Kbs

Attack

1 I(A) → B : (A) 2 B → I (A) : (N

B

) 3 I (A) → B : (N

_B

) instead of (A, B , N

_B

)

_Kas

4 B → I (S ) : (A, B, N

_B

)

_Kbs

5 I (S ) → B : (A, B, N

B

)

Kbs

(40)

Another Type Flaw Attack: Woo Lam Protocol

Woo Lam 1 A → B : (A) 2 B → A : (N

B

)

3 A → B : (A, B, N

_B

)

_Kas

4 B → S : (A, B , (A, B , N

_B

)

_Kas

)

_Kbs

5 S → B : (A, B , N

B

)

Kbs

Attack

1 I(A) → B : (A) 2 B → I (A) : (N

B

) 3 I (A) → B : (N

_B

)

instead of (A, B , N

_B

)

_Kas

4 B → I (S ) : (A, B, N

_B

)

_Kbs

5 I (S ) → B : (A, B, N

B

)

Kbs

19 / 50

(41)

Another Type Flaw Attack: Woo Lam Protocol

Woo Lam 1 A → B : (A) 2 B → A : (N

B

)

3 A → B : (A, B, N

_B

)

_Kas

4 B → S : (A, B , (A, B , N

_B

)

_Kas

)

_Kbs

5 S → B : (A, B , N

B

)

Kbs

Attack

1 I(A) → B : (A) 2 B → I (A) : (N

B

) 3 I (A) → B : (N

_B

)

instead of (A, B , N

_B

)

_Kas

4 B → I (S ) : (A, B, N

_B

)

_Kbs

5 I (S ) → B : (A, B, N )

(42)

Questions?

How can we find such attacks?

• Models for Protocols

• Models for Properties

• Theories

• Dedicated Techniques

• Tools

• Automatic

• Semi-automatic

20 / 50

(43)

Why is it difficult to verify such protocols?

• Messages: Size not bounded

• Nonces: Arbitrary number

• Channel: Insecure

• Intruder: Unlimited capabilities

• Instances: Unbounded numbers of principals

• Interleaving: Unlimited applications of the protocol.

(44)

TMN Protocol: Distribution of a fresh symmetric key

[Tatebayashi, Matsuzuki, Newmann 89]:

O S I

→ : O, I , {N

_O

}

_Pub_S

→ : S, O

← : I, O, {N

_I

}

_Pub_S

← : S, I, N

_O

⊕ N

_I

Osiris retrieves N

_I

:

Using x ⊕ x ⊕ y = y , knowing N

_O

22 / 50

(45)

Attack on TMN Protocol [Simmons’94]

With homomorphic encryption {a}

_k

⊕ {b}

_k

= {a ⊕ b}

_k

B S C

→ : B, C, {N

I

}

Pub_S

⊕ {N

B

}

Pub_S

| {z }

{NI⊕NB}_PubS

→ : S, B

← : C, B, {N

C

}

Pub_S

← : S, (N

I

⊕ N

B

) ⊕ N

C

(46)

Security Models Lecture 3 Passive Intruder Dolev Yao’s Intruder

Outline

1 Logical Attacks 2 Diffie-Hellman 3 Needham Schroeder 4 Dolev Yao’s Intruder

5 Undecidability for unbounded number of sessions 6 Notion of Locality

7 Passive Intruder: Intruder Deduction Problem

24 / 50

(47)

The Intruder is the Network (Worst Case)

Intruder Capabilities (Dolev-Yao Model 80’s)

• Encryption, Decryption with a key

• Pairing, Projection.

(48)

Dolev-Yao 1982

• Intruder controls the network and can:

• intercept messages

• modify messages

• block messages

• generate new messages

• insert new messages

• Perfect cryptography:

• Abstraction with terms algebra

• Decryption only if inverse key is known

• Protocol has

• Arbitrary number of principals

• Arbitrary number of parallel sessions

• Messages with arbitrary size

26 / 50

(49)

Proof System

A sequent is an expression of the form T ` u.

Definition

A proof of a sequent T ` u is a tree whose nodes are labeled by either sequents or expressions of the form “v ∈ T ”, such that:

• Each leaf is labeled by an expression of the form v ∈ T , and each non-leaf node is labeled by an sequent.

• Each node labeled by a sequent T ` v has n children labeled by T ` s

₁

, . . . , T ` s

_n

such that there is an instance of an inference rule with conclusion T `

_E

v and hypotheses T ` s

1

, . . . , T ` s

n

.

• The root of the tree is labeled by T ` u.

(50)

Notions for Proof System

Definition

• Size of a proof P of T ` u is denoted by |P |, is the number of nodes in the proof.

• A proof P of T ` u is minimal if there does not exist a proof P

⁰

of T ` u such that |P

⁰

| < |P |.

28 / 50

(51)

Dolev-Yao Deduction System

Deduction System : T

0

`

^?

s

(A)

u∈T0

T0`u

(UL)

T0` hu,vi

T0`u

(P)

T0`u T0`v

T0` hu,vi

(UR)

T0` hu,vi T0`v

(C)

T0`u T0`v T0` {u}v

(D)

T0` {u}v T0`v T0`u

(52)

Example: T ₀ ` ^? s

Example

T

₀

= {k, {b}

_c

, ha, {c }

_k

i} and s = b

(D)

(A) {b}

c

∈ T

0

T

0

` {b}

c

(D) (UR)

(A) ha, {c}

k

i ∈ T

0

T

0

` ha, {c}

k

i T

0

` {c}

k

(A) k ∈ T

0

T

0

` k T

0

` c

T

₀

` b

30 / 50

(53)

Example: T ₀ ` ^? s

Example

T

₀

= {k, {b}

_c

, ha, {c }

_k

i} and s = b

(D)

(A) {b}

c

∈ T

0

T

0

` {b}

c

(D) (UR)

(A) ha, {c}

k

i ∈ T

0

T

0

` ha, {c}

k

i T

0

` {c}

k

(A) k ∈ T

0

T

0

` k T

0

` c

T

₀

` b

(54)

Exercise: T ₀ ` ^? s

Is it possible from T

0

to deduce s

• T

0

= {a, k} and s = ha, {a}

_k

i

• T

₀

= {a, k} and s = hb, {k }

_a

i

• T

₀

= {{k}

_a

, b} and s = h{b}

_{k}_a

, {k}

_a

i

• T

0

= {ha, {k }

_a

i} and s = {ha, {k }

_a

i}

_k

31 / 50

(55)

Security Models Lecture 3 Passive Intruder Undecidability for unbounded number of sessions

Outline

1 Logical Attacks 2 Diffie-Hellman 3 Needham Schroeder 4 Dolev Yao’s Intruder

5 Undecidability for unbounded number of sessions 6 Notion of Locality

7 Passive Intruder: Intruder Deduction Problem

(56)

Main Results

In general security problem undecidable [DLMS’99, AC’01]

Bounded number of session ⇒ Decidability [AL’00, RT’01]

33 / 50

(57)

Undecidability

Definition (Post Correspondence Problem (PCP)) Let Σ be a finite alphabet.

Input : Sequence of pairs hu

_i

, v

i

_1≤i≤n

u

i

, v

i

∈ Σ

^∗

, n ∈ N Question : Existence of k , i

1

, . . . , i

_k

∈ N such that u

_i₁

. . . u

_i_k

= v

_i₁

. . . v

_i_k

?

Example

u

₁

u

₂

u

₃

u

₄

v

₁

v

₂

v

₃

v

₄

aba bbb aab bb a aaa abab babba Solution: 1431

u

₁

·u

₄

·u

₃

·u

₁

= aba· bb· aab ·aba = a ·babba ·abab·a = v

₁

· v

₄

·v

₃

·v

₁

But no solution for hu

₁

, v

₁

i, hu

₂

, v

₂

i, hu

₃

, v

₃

i

PCP is undecidable

(58)

Undecidability

Definition (Post Correspondence Problem (PCP)) Let Σ be a finite alphabet.

Input : Sequence of pairs hu

_i

, v

i

_1≤i≤n

u

i

, v

i

∈ Σ

^∗

, n ∈ N Question : Existence of k , i

1

, . . . , i

_k

∈ N such that u

_i₁

. . . u

_i_k

= v

_i₁

. . . v

_i_k

?

Example

u

₁

u

₂

u

₃

u

₄

v

₁

v

₂

v

₃

v

₄

aba bbb aab bb a aaa abab babba Solution: 1431

u

₁

·u

₄

·u

₃

·u

₁

= aba ·bb · aab ·aba = a ·babba· abab·a = v

₁

· v

₄

·v

₃

·v

₁

But no solution for hu

₁

, v

₁

i, hu

₂

, v

₂

i, hu

₃

, v

₃

i

PCP is undecidable

34 / 50

(59)

Undecidability

Definition (Post Correspondence Problem (PCP)) Let Σ be a finite alphabet.

Input : Sequence of pairs hu

_i

, v

i

_1≤i≤n

u

i

, v

i

∈ Σ

^∗

, n ∈ N Question : Existence of k , i

1

, . . . , i

_k

∈ N such that u

_i₁

. . . u

_i_k

= v

_i₁

. . . v

_i_k

?

Example

u

₁

u

₂

u

₃

u

₄

v

₁

v

₂

v

₃

v

₄

aba bbb aab bb a aaa abab babba Solution: 1431

u

₁

·u

₄

·u

₃

·u

₁

= aba ·bb · aab ·aba = a ·babba· abab·a = v

₁

· v

₄

·v

₃

·v

₁

(60)

Undecidability for Protocols

We construct a protocol such that decidability of secret implies decidability of PCP.

A : send ({hu

_i

, v

_i

i}

_K_ab

) (1 ≤ i ≤ n) B : receive({hx, y i}

_K_ab

)

send (h{hx · u

_i

, y · v

_i

i}

_K_ab

, {s }

_h{hx·u

i,x·u_ii}_Kabi

) (1 ≤ i ≤ n) We assume that K

_AB

is a shared key between A and B.

Intruder can find s iff he can solve PCP.

35 / 50

(61)

Security Models Lecture 3 Passive Intruder Notion of Locality

Outline

1 Logical Attacks 2 Diffie-Hellman 3 Needham Schroeder 4 Dolev Yao’s Intruder

5 Undecidability for unbounded number of sessions 6 Notion of Locality

7 Passive Intruder: Intruder Deduction Problem

(62)

Syntactic Subterms

Equivalent definition for Dolev Yao model S(t ) is the smallest set such that:

• t ∈ S (t)

• hu, vi ∈ S(t) ⇒ u, v ∈ S (t)

• {u }

_v

∈ S(t) ⇒ u, v ∈ S (t) Exercise:

• Let t = {ha, {b}

_k₂

i}

_k₁

37 / 50

(63)

Syntactic Subterms

Equivalent definition for Dolev Yao model S(t ) is the smallest set such that:

• t ∈ S (t)

• hu, vi ∈ S(t) ⇒ u, v ∈ S (t)

• {u }

_v

∈ S(t) ⇒ u, v ∈ S (t) Exercise:

• Let t = {ha, {b}

_k₂

i}

_k₁

S (t) = {t, a, b, k

1

, k

2

, {b}

_k₂

, ha, {b}

_k₂

i}

(64)

Definition of S-Locality

•

A proof

P

of

T0`s

is S-local :

S-Local Proof:

A proof

P

of

T `w

is

S-local

if all nodes are in

S(T∪ {w}).

S-Locality :

A proof system is

S-local

if whenever there is a proof of

T `w

then there is also a S-local proof ofT

`w

.

38 / 50

(65)

Definition of S-Locality

•

A proof

P

of

T0`s

is S-local :

S-Local Proof:

A proof

P

of

T `w

is

S-local

if all nodes are in

S(T∪ {w}).

S-Locality :

A proof system is

S-local

if whenever there is a proof of

T `w

then there is

also a S-local proof ofT

`w

.

(66)

Definition of S-Locality

•

A proof

P

of

T0`s

is S-local :

S-Local Proof:

A proof

P

of

T `w

is

S-local

if all nodes are in

S(T∪ {w}).

S-Locality :

A proof system is

S-local

if whenever there is a proof of

T `w

then there is also a S-local proof ofT

`w

.

38 / 50

(67)

Locality Idea [MacAllester’93]

Intruder Deduction Problem : T

₀

`

^?

s

• S-locality

• One-step deductibility

(68)

Example: a local proof of T ₀ ` s

Example

T

0

= {k, {b}

_c

, ha, {c }

_k

i} and s = b

(D) (D)

(UR)

(A) ha, {c}

k

i ∈ T

0

T

0

` ha, {c}

k

i T

0

` {c}

k

(A) k ∈ T

0

T

0

` k

T

0

` c (A) {b}

c

∈ T

0

T

0

` {b}

c

T

₀

` b

S(T

₀

∪ {s }) = T

₀

∪ {a, b, c , {c }

_k

}

40 / 50

(69)

Example: a local proof of T ₀ ` s

Example

T

0

= {k, {b}

_c

, ha, {c }

_k

i} and s = b

(D) (D)

(UR)

(A) ha, {c}

k

i ∈ T

0

T

0

` ha, {c}

k

i T

0

` {c}

k

(A) k ∈ T

0

T

0

` k

T

0

` c (A) {b}

c

∈ T

0

T

0

` {b}

c

T

₀

` b

S(T

₀

∪ {s }) = T

₀

∪ {a, b, c , {c }

_k

}

(70)

Locality Theorem

Theorem of Locality [McAllester 93]

If a proof system P is SyntacticSubterm-local then there is a P-time procedure to decide the deductibility in P .

Restrictions:

• Deduction system must be finite

• Use just syntactic subterms

41 / 50

(71)

Locality Theorem

Theorem of Locality [McAllester 93]

If a proof system P is SyntacticSubterm-local then there is a P-time procedure to decide the deductibility in P .

Restrictions:

• Deduction system must be finite

• Use just syntactic subterms

(72)

Adapted McAllester Results

McAllester’s Algorithm Input : T

0

, w

T ← T

0

;

while (∃s ∈ S (T

0

, w ) such that T `

^≤1

s and s 6∈ T ) T ← T ∪ {s};

Output :w ∈ T

Theorem

Let P be a proof system. If:

• the size of S (T ) is polynomial in the size of T ,

• P is S-local,

• one-step deducibility is P-time decidable,

then provability in the proof system P is P-time decidable.

42 / 50

(73)

Security Models Lecture 3 Passive Intruder Passive Intruder: Intruder Deduction Problem

Outline

1 Logical Attacks 2 Diffie-Hellman 3 Needham Schroeder 4 Dolev Yao’s Intruder

5 Undecidability for unbounded number of sessions 6 Notion of Locality

7 Passive Intruder: Intruder Deduction Problem

(74)

Locality Theorem

Theorem of Locality [McAllester 93]

If a proof system P is SyntacticSubterm-local then there is a P-time procedure to decide the deductibility in P .

Result:

Dolev Yao deduction system is S-local.

44 / 50

(75)

Locality Theorem

Theorem of Locality [McAllester 93]

If a proof system P is SyntacticSubterm-local then there is a P-time procedure to decide the deductibility in P .

Result:

Dolev Yao deduction system is S-local.

(76)

Example of necessity of S(T ∪ {s })

Example

T

0

= {k, {b}

_c

, ha, {c }

_k

i} and s = hb, k i

(P) (D)

(A){b}c∈T0

T0` {b}c

(D) (UR)

(A)ha,{c}_ki ∈T₀ T₀` ha,{c}ki T0` {c}k

(A)k∈T₀ T0`k T0`c

T₀`b (A)k∈T0

T₀`k T₀` hb,ki

S(T

₀

) = T

₀

∪ {a, b, c , k, {b}

_k

, {c }

_k

} but hb, ki 6∈ S (T

₀

) It is Not enough

Notice that hb, k i ∈ S (T

₀

∪ {s})

45 / 50

(77)

Example of necessity of S(T ∪ {s })

Example

T

0

= {k, {b}

_c

, ha, {c }

_k

i} and s = hb, k i

(P) (D)

(A){b}c∈T0

T0` {b}c

(D) (UR)

T₀`b (A)k∈T0

T₀`k T₀` hb,ki

S(T

₀

) = T

₀

∪ {a, b, c , k, {b}

_k

, {c }

_k

} but hb, ki 6∈ S (T

₀

) It is Not enough

Notice that hb, k i ∈ S (T

₀

∪ {s})

(78)

Example of necessity of S(T ∪ {s })

Example

T

0

= {k, {b}

_c

, ha, {c }

_k

i} and s = hb, k i

(P) (D)

(A){b}c∈T0

T0` {b}c

(D) (UR)

T₀`b (A)k∈T0

T₀`k T₀` hb,ki

S(T

0

) = T

0

∪ {a, b, c , k, {b}

_k

, {c }

_k

} but hb, ki 6∈ S (T

0

) It is Not enough

Notice that hb, k i ∈ S (T

₀

∪ {s})

45 / 50

(79)

Example non minimal proof is not S-local

GOAL: Find a good S . Example

T

0

= {k, {c}

_k

} and s = c

(D) (UL)

(P)

(A){c}k ∈T₀ T0` {c}k

T0` h{c}k,{c}ki T₀` {c}k

(A)k∈T0

T₀`k c

S(T

0

) = T

0

∪ {c} but h{c}

_k

, {c}

_k

i

It is Not in S (T

₀

∪ {s})

(80)

Example non minimal proof is not S-local

GOAL: Find a good S . Example

T

0

= {k, {c}

_k

} and s = c

(D) (UL)

(P)

(A){c}k ∈T0

T0` {c}k

(A){c}k ∈T0

T0` {c}k

(A)k∈T0

T₀`k c

S(T

0

) = T

0

∪ {c} but h{c}

_k

, {c}

_k

i It is Not in S (T

₀

∪ {s})

46 / 50

(81)

Example non minimal proof is not S-local

GOAL: Find a good S . Example

T

0

= {k, {c}

_k

} and s = c

(D) (UL)

(P)

(A){c}k ∈T0

T0` {c}k

(A){c}k ∈T0

T0` {c}k

(A)k∈T0

T₀`k c

S(T

0

) = T

0

∪ {c } but h{c}

_k

, {c}

_k

i

It is Not in S (T

₀

∪ {s})

(82)

Example :

Shamir 3-Pass Protocol

1 A → B : {m}

_K_A

47 / 50

(83)

Example :

Shamir 3-Pass Protocol

1 A → B : {m}

_K_A

(84)

Example :

Shamir 3-Pass Protocol

1 A → B : {m}

_K_A

47 / 50

(85)

Example :

Shamir 3-Pass Protocol

1 A → B : {m}

_K_A

(86)

Example :

Shamir 3-Pass Protocol

1 A → B : {m}

_K_A

2 B → A : {{m}

_K_A

}

_K_B

47 / 50

(87)

Example :

Shamir 3-Pass Protocol

1 A → B : {m}

_K_A

Commutative

2 B → A : {{m}

_K_A

}

_K_B

= {{m}

_K_B

}

_K_A

Encryption

(88)

Example :

Shamir 3-Pass Protocol

1 A → B : {m}

_K_A

Commutative

2 B → A : {{m}

_K_A

}

_K_B

= {{m}

_K_B

}

_K_A

Encryption 3 A → B : {m}

_K_B

47 / 50

(89)

Logical Attack on Shamir 3-Pass Protocol (I)

Perfect encryption one-time pad (Vernam Encryption) {m}

_k

= m ⊕ k

XOR Properties (ACUN)

• (x ⊕ y) ⊕ z = x ⊕ (y ⊕ z ) Associativity

• x ⊕ y = y ⊕ x Commutativity

• x ⊕ 0 = x Unity

• x ⊕ x = 0 Nilpotency

(90)

Logical Attack on Shamir 3-Pass Protocol (I)

Perfect encryption one-time pad (Vernam Encryption)

{m}

_k

= m ⊕ k

XOR Properties (ACUN)

• (x ⊕ y) ⊕ z = x ⊕ (y ⊕ z ) Associativity

• x ⊕ y = y ⊕ x Commutativity

• x ⊕ 0 = x Unity

• x ⊕ x = 0 Nilpotency

Vernam encryption is a commutative encryption :

{{m}

_K_A

}

_K_I

= (m ⊕ K

_A

) ⊕ K

_I

= (m ⊕ K

_I

) ⊕ K

_A

= {{m}

_K_I

}

_K_A

48 / 50

(91)

Logical Attack on Shamir 3-Pass Protocol (II)

Perfect encryption one-time pad (Vernam Encryption) {m}

_k

= m ⊕ k

Shamir 3-Pass Protocol

1 A → B : m ⊕ K

_A

2 B → A : (m ⊕ K

_A

) ⊕ K

_B

3 A → B : m ⊕ K

_B

Passive attacker : m ⊕ K

_A

⊕

m ⊕ K

_B

⊕ K

_A

⊕

m ⊕ K

_B

= m

(92)

Logical Attack on Shamir 3-Pass Protocol (II)

Perfect encryption one-time pad (Vernam Encryption) {m}

_k

= m ⊕ k

Shamir 3-Pass Protocol

1 A → B : m ⊕ K

_A

2 B → A : (m ⊕ K

_A

) ⊕ K

_B

3 A → B : m ⊕ K

_B

Passive attacker :

m ⊕ K

_A

⊕ m ⊕ K

_B

⊕ K

_A

⊕ m ⊕ K

_B

= m

49 / 50

(93)

Thank you for your attention.

Questions ?