Lecture Note 6: Security models
P. Lafourcade, 1st Semester 2010/2011
Jeremy BRUN-NOUVION, Hicham HOSSAYNI

Contents

1 Logical Attacks
  1.1 Perfect Encryption Hypothesis
  1.2 Examples
      Simple Example: Prone to Replay Attack
      Using RSA
  1.3 Other types of Attacks
      1.3.1 Man-in-the-Middle (MITM) Attack
      1.3.2 Replay Attack
      1.3.3 Reflection Attack
      1.3.4 Oracle Attack
      1.3.5 Type Flaw Attack
2 Diffie-Hellman
  2.1 Description
  2.2 MITM Attack
3 Message Abstraction
4 Needham Schroeder
  4.1 Needham Schroeder protocol
  4.2 Needham Schroeder Public key authentication Protocol
  4.3 Lowe Attack (MITM)
  4.4 Fixing the Lowe Attack
  4.5 Type Flaw Attack on the Needham-Schroeder-Lowe protocol
  4.6 Another Type Flaw attack: Otway-Rees Protocol
  4.7 Another Type Flaw attack: Woo-Lam Protocol
  4.8 Formal approaches to find attacks on protocols
  4.9 Computational Security for Needham Schroeder
  4.10 Link between Computational and Symbolic
  4.11 Protocol Verification Difficulty
  4.12 Parallel attack
  4.13 The FFGG protocol
  4.14 The FFGG protocol Attack
  4.15 TMN protocol
  4.16 Attack on TMN Protocol With homomorphic encryption
5 Dolev-Yao's Intruder
  5.1 Proof System
  5.2 Notations for Proof System
  5.3 Intruder Deduction Problems
  5.4 Dolev-Yao Deduction System
  5.5 Example: T0 ⊢? s
6 Undecidability for unbounded number of sessions
  6.1 Main Results
  6.2 Undecidability
  6.3 Undecidability for protocols

1 Logical Attacks

1.1 Perfect Encryption Hypothesis

The perfect encryption hypothesis relies on the robustness of the decryption key. In other words, it assumes that a cryptogram can be decrypted only with its designated decryption key, and that no secret can be guessed even if an attacker possesses other information. In practice, different kinds of attacks can be performed on a cryptosystem, corresponding to different goals: breaking the key, recovering the whole message or, if that is not possible, obtaining even partial information about the plaintext.

1.2 Examples

Simple Example: Prone to Replay Attack

In a simple cryptographic scheme, Alice and Bob would like to schedule a meeting, whose time Alice decides on; she encrypts the time with Bob's key and sends it to him. An adversary can intercept Alice's message and resend it at a later time. In this first phase the attacker is passive, in the sense that he only captures the messages sent from Alice to Bob and possibly keeps copies of some of them. The following figure illustrates the attack:

Figure 1: A basic example of Replay attack
  Day 1:      Alice → Ivan : {12h10}_KB      Ivan → Bob : {12h10}_KB
  Day after:  Alice → Ivan : {11h45}_KB      Ivan → Bob : {12h10}_KB

If Alice chooses to change the time of the meeting, she does the same thing: she chooses the new time, encrypts it with Bob's key and sends it to him again. The adversary, who previously intercepted the first message from Alice, can now resend it. In that case, Bob never receives the updated time. This is a classic case of Man-in-the-Middle (MITM) attack, and it remains valid for any encryption scheme without authentication.

Using RSA

Using RSA, Alice encrypts a message and sends it to Bob. In return, Bob decrypts the message to retrieve the plaintext, encrypts it with his key and then with Alice's key. The two messages should be equal for the algorithm to be valid. Alice should be able to retrieve Bob's encrypted message, so she sends it back to confirm that it is correct. An attack is clearly possible in this algorithm, because there is no authentication in the scheme. Alice does not know whether she is communicating with Bob or with an intruder; anyone can claim to be Bob. The following figure illustrates this problem:

  Alice → Bob : {12345}_KA
  Bob → Alice : {{12345}_KA}_KB = {{12345}_KB}_KA
  Alice → Bob : {12345}_KB

The same exchange with the intruder Ivan in Bob's place:

  Alice → Ivan : {12345}_KA
  Ivan → Alice : {{12345}_KA}_KI = {{12345}_KI}_KA
  Alice → Ivan : {12345}_KI

1.3 Other types of Attacks

1.3.1 Man-in-the-Middle (MITM) Attack

This is a form of active eavesdropping in which the intruder sits between two victims, Alice and Bob, and makes them believe that they are talking directly to each other over a private connection, when in fact the whole communication is controlled by the attacker:

  A ↔ I ↔ B

This attack is also called a Parallel Session attack because it requires two sessions running in parallel: one between Alice and Ivan, and another between Ivan and Bob. There are several possible countermeasures against MITM attacks, for example:
- Public Key Infrastructure (PKI): the use of trusted third parties (Certificate Authorities) who issue digital certificates certifying the authenticity of each entity.
- Stronger mutual authentication using various kinds of mechanisms.

1.3.2 Replay Attack

This attack is also called a Freshness attack because it exploits the absence of a freshness check on the transmitted message. Basically, it consists in retransmitting a valid message. The attacker must be able to intercept the communication between two parties in order to repeat a valid data transmission. The intruder does not necessarily know the content of the message he is replaying. There are different ways to avoid replay attacks:
- Session tokens: if Alice wants to communicate with Bob, Bob generates a one-time-use session token and sends it to Alice. She then includes this token in every message she sends to Bob during the session, so Bob can check that the token is correct, i.e. that it matches the one he generated at the beginning of the session. Now suppose an attacker, Ivan, captures a message transmitted between Alice and Bob and, after some delay, replays it in another session. The message is rejected because the session token is no longer valid. This implies that session tokens must be chosen with a pseudo-random generator, so that their values change from one session to another and cannot be predicted by an attacker.
- Timestamping: for example, Bob periodically sends Alice his time. When she wants to send a message to Bob, she includes her estimate of the time on Bob's clock. Bob only accepts messages whose timestamp is within a reasonable tolerance. Further details are given in [2].
- Use of a nonce together with a Message Authentication Code (MAC).

Further details about replay attacks can be found in [10].

1.3.3 Reflection Attack

This attack is really simple to perform: it is a type of replay attack in which transmitted data is sent back to its originator. Such a simple attack sometimes succeeds when the protocol is badly designed, and it can leak secrets. This attack is also called a Mirror attack.

1.3.4 Oracle Attack

In this type of attack, the intruder takes advantage of normal protocol responses as encryption and decryption services. The attacker is thus able to encrypt chosen plaintexts and has access to a decryption oracle. Analysing the outputs can leak valuable information about the algorithm used, the secret key or the message transmitted.

1.3.5 Type Flaw Attack

This attack is also called a confusion attack. Basically, a field that was originally intended to have one type is subsequently interpreted as having another type. It occurs when an attacker manipulates the raw data of a communication protocol so that it is misinterpreted at the message level.

2 Diffie-Hellman

2.1 Description

The Diffie-Hellman (D-H) key exchange protocol is a method of exchanging keys over an insecure channel. It was created by Whitfield Diffie and Martin Hellman in 1976 and is the first practical example of a public-key cryptosystem. In the formal description of the Diffie-Hellman protocol given in [3], Alice and Bob agree on two public parameters g and p, where p is a prime number and g is a generator of the multiplicative group (Z/pZ)*. Alice chooses a number x and computes X = g^x mod p. Bob chooses a number y and computes Y = g^y mod p. The basic Diffie-Hellman key exchange consists in the two parties exchanging these half keys of the mutual session key K = g^xy mod p. Both Alice and Bob are able to compute the session key, since:

  K = g^xy mod p = (g^x)^y mod p = X^y mod p
  K = g^xy mod p = (g^y)^x mod p = Y^x mod p

2.2 MITM Attack

Again, the Diffie-Hellman protocol is prone to a Man-in-the-Middle attack because of its lack of authentication. The adversary intercepts the initiator's public value and sends his own public value to the responder. The adversary and the initiator thus agree on one shared key, while the adversary and the responder agree on another shared key. After this exchange, the adversary simply decrypts any message sent by the initiator or the responder, reads or even modifies it, re-encrypts it with the appropriate key and transmits it to the other party. This vulnerability is present because the Diffie-Hellman key exchange does not authenticate the participants, so the attacker can play the protocol on both sides. Possible solutions include the use of digital signatures and other protocol variants. The following figures show the basic protocol and the attack:

Figure 2: Basic Diffie-Hellman key exchange protocol

Figure 3: Man-in-the-Middle attack on the Diffie-Hellman key exchange protocol

3 Message Abstraction

- Names: either a set of letters (A, B, etc.) or common names (Alice, Bob, etc.).
- Nonces: N_A denotes new (fresh) data generated by A.
- Keys: K and its inverse K^-1; either one may be the encryption or the decryption key.
- Asymmetric Encryption: {M}_ka, message encrypted/decrypted with the key of A.
- Symmetric Encryption: {M}_kab, message encrypted/decrypted with the key shared by A and B.
- Message Concatenation: <M_1, M_2>.

4 Needham Schroeder

4.1 Needham Schroeder protocol

The Needham Schroeder protocol refers to two communication protocols over an insecure network, proposed by Roger Needham and Michael Schroeder in [8]:
- the Needham Schroeder Symmetric Key protocol, based on a symmetric encryption algorithm, which establishes a session key between two parties in a network;
- the Needham Schroeder Public Key protocol, based on public key cryptography, which provides mutual authentication between two communicating parties over a network.

4.2 Needham Schroeder Public key authentication Protocol (1978)

The Needham Schroeder public key authentication protocol aims to provide mutual authentication between two parties, Alice (A) and Bob (B). Both parties want to be sure of each other's identity before starting to communicate. K_A and K_B are Alice's and Bob's public keys respectively, and N_A and N_B are nonces generated by A and B respectively. The protocol is as follows:

1. A → B : {N_A, A}_KB (Init)
   Alice generates a nonce N_A and sends it to Bob together with her identity, everything being encrypted under Bob's public key.
2. B → A : {N_A, N_B}_KA (Challenge)
   Bob generates a nonce N_B and sends it to Alice together with the N_A he has just received. Returning N_A proves that he really owns the private key corresponding to K_B; in other words, this mechanism authenticates Bob. Sending N_A back to Alice also prevents a replay of this message.
3. A → B : {N_B}_KB (Response)
   Alice decrypts the message and checks that it contains the right value of N_A. She then sends N_B back to Bob to prove that she was able to decrypt with her private key, and so authenticates herself.

4.3 Lowe Attack (MITM)

In 1995, G. Lowe found an attack on this protocol, 17 years after its publication. The protocol is vulnerable to a MITM attack: if an attacker (Ivan) can persuade Alice to initiate a session with him, he can relay the messages to Bob and impersonate Alice. In other words, Bob believes that the messages he receives come from Alice when in fact they come from Ivan. The attack is described in [5] and works as follows:

1. A → I : {N_A, A}_KI
   Alice sends a nonce N_A to Ivan using Ivan's public key. The important point is that Alice is fully aware that she is speaking to Ivan.
2. I → B : {N_A, A}_KB
   Ivan decrypts Alice's message and re-encrypts it under Bob's public key. By doing so, he pretends to Bob that Alice wants to communicate with him.

3. B → I : {N_A, N_B}_KA
   Bob sends to Alice the nonce he has generated together with N_A. As the man-in-the-middle, Ivan intercepts the message but cannot decrypt it, so he simply forwards it to Alice.
4. A → I : {N_B}_KI
   At this point, Alice thinks that the nonce N_B she received was generated by Ivan, so she sends it back to him under his public key.
5. I → B : {N_B}_KB
   Ivan now learns the value of N_B and sends it to Bob encrypted under Bob's public key. On receiving this message, Bob has no evidence that the person he is speaking with is not Alice. After this attack, Ivan is therefore authenticated as Alice from Bob's point of view.

4.4 Fixing the Lowe Attack

The paper [5] also describes a fixed version of the scheme, referred to as the Needham-Schroeder-Lowe protocol. The fix consists in replacing step 2 of the original protocol,

  B → A : {N_A, N_B}_KA

by

  B → A : {N_A, N_B, B}_KA

i.e. the identity of Bob is appended to the message. This message is the only one in the previous attack that Ivan cannot decrypt, so he is unable to replace B by his own identity I. Alice now sees that the message she receives comes from Bob and not from Ivan, and so she does not send N_B to Ivan. Thus the attacker is unable to discover the value of N_B. Moreover, this fix is not cryptographically costly.

4.5 Type Flaw Attack on the Needham-Schroeder-Lowe protocol

A message consists of a sequence of sub-messages: for example, a principal's name, a nonce, a key, etc. A message is sent as a string of bits. A type flaw occurs when A → B : M and B accepts M as valid but parses it differently, i.e. B interprets the bits differently than A. For example, two 16-bit nonces {N_A, N_B} could be mistaken for a 32-bit shared key.
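Before turning to type flaws, here is the material of Sections 4.2 to 4.4 in code. This is an added example, not part of the original notes: a Python script that plays the Needham-Schroeder public-key protocol symbolically, runs Lowe's attack of 4.3, and shows that the same trace is stopped by the Needham-Schroeder-Lowe fix of 4.4. Encryption is modelled as an opaque term that only the key owner can open, and the nonce labels N_A and N_B are constructed.

```python
"""Symbolic simulation of the Needham-Schroeder public-key protocol and
Lowe's attack. Perfect encryption: {fields}_K_X is an opaque tuple that
only agent X can open. lowe_fix=True selects the Needham-Schroeder-Lowe
variant, whose challenge {N_A, N_B, B}_KA carries the responder's name."""


def pk_encrypt(recipient, *fields):
    """{fields}_K_recipient: readable only by `recipient`."""
    return ('enc', recipient, tuple(fields))


def pk_decrypt(agent, ciphertext):
    """Plaintext fields if `agent` holds the private key, else None."""
    tag, recipient, fields = ciphertext
    return fields if tag == 'enc' and recipient == agent else None


class Initiator:
    """Alice's role: she wants to authenticate `peer`."""

    def __init__(self, name, peer, lowe_fix):
        self.name, self.peer, self.lowe_fix = name, peer, lowe_fix
        self.nonce = 'N_' + name            # constructed fresh nonce label
        self.completed = False              # True once she accepts the peer

    def msg1(self):
        # 1. A -> peer : {N_A, A}_Kpeer
        return pk_encrypt(self.peer, self.nonce, self.name)

    def msg3(self, challenge):
        # 2. peer -> A : {N_A, N_B}_KA   (NSL: {N_A, N_B, B}_KA)
        fields = pk_decrypt(self.name, challenge)
        expected_len = 3 if self.lowe_fix else 2
        if fields is None or len(fields) != expected_len or fields[0] != self.nonce:
            return None
        if self.lowe_fix and fields[2] != self.peer:
            return None     # NSL check: the name inside must be who she called
        self.completed = True
        # 3. A -> peer : {N_B}_Kpeer
        return pk_encrypt(self.peer, fields[1])


class Responder:
    """Bob's role: he answers whoever the first message claims to be."""

    def __init__(self, name, lowe_fix):
        self.name, self.lowe_fix = name, lowe_fix
        self.nonce = 'N_' + name
        self.claimed_peer = None
        self.authenticated = None           # who Bob ends up believing he talked to

    def msg2(self, init):
        fields = pk_decrypt(self.name, init)
        if fields is None or len(fields) != 2:
            return None
        n_a, self.claimed_peer = fields
        if self.lowe_fix:
            return pk_encrypt(self.claimed_peer, n_a, self.nonce, self.name)
        return pk_encrypt(self.claimed_peer, n_a, self.nonce)

    def msg4(self, response):
        fields = pk_decrypt(self.name, response)
        if fields == (self.nonce,):
            self.authenticated = self.claimed_peer
        return self.authenticated


def run_honest(lowe_fix):
    """A talks to B directly; returns who B authenticated and whether A completed."""
    alice, bob = Initiator('A', 'B', lowe_fix), Responder('B', lowe_fix)
    bob.msg4(alice.msg3(bob.msg2(alice.msg1())))
    return bob.authenticated, alice.completed


def run_lowe_attack(lowe_fix):
    """Alice deliberately starts a session with Ivan (I); Ivan relays to Bob as 'A'.
    Returns (who Bob authenticated, whether Alice completed her run)."""
    alice, bob = Initiator('A', 'I', lowe_fix), Responder('B', lowe_fix)
    m1 = alice.msg1()                       # 1. A -> I : {N_A, A}_KI
    n_a, a = pk_decrypt('I', m1)            #    Ivan owns K_I, so he reads it
    m2 = bob.msg2(pk_encrypt('B', n_a, a))  # 2. I -> B : {N_A, A}_KB
    assert pk_decrypt('I', m2) is None      # 3. B -> I : {N_A, N_B(, B)}_KA is opaque to Ivan
    m3 = alice.msg3(m2)                     #    ... so he forwards it unchanged to Alice
    if m3 is None:                          # NSL: Alice sees 'B' where she expects 'I'
        return bob.authenticated, alice.completed
    (n_b,) = pk_decrypt('I', m3)            # 4. A -> I : {N_B}_KI hands N_B to Ivan
    bob.msg4(pk_encrypt('B', n_b))          # 5. I -> B : {N_B}_KB completes Bob's run
    return bob.authenticated, alice.completed


if __name__ == '__main__':
    print('honest NSPK: ', run_honest(False))        # ('A', True)
    print('Lowe on NSPK:', run_lowe_attack(False))   # ('A', True): Bob thinks he met Alice
    print('Lowe on NSL: ', run_lowe_attack(True))    # (None, False): Alice aborts at step 3
```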
The paper [4] presents a Type Flaw attack on the Needham-Schroeder-Lowe protocol which works as follows:

1. I → B : {N_I, A}_KB
   Ivan sends Bob the first message of the mutual authentication protocol, with the identity of Alice (A).
2. B → I : {N_I, N_B, B}_KA
   Bob replies to Alice.
3. I → A : {I, (N_B, B)}_KA
   Ivan cannot decrypt the message since it is encrypted under Alice's public key, so he simply forwards it to Alice. {I, (N_B, B)}_KA is the first message Alice receives, so she interprets it as the start of a new protocol run, taking the field (N_B, B) to be an agent's identity. She therefore believes this message came from (N_B, B) and tries to request (N_B, B)'s public key by sending the identity (N_B, B) to the server which stores the public keys.

4. A → I : (N_B, B)
   Ivan intercepts the request for (N_B, B)'s public key sent by Alice. This lets Ivan learn N_B and so respond to the nonce challenge.
5. I → B : {N_B}_KB
   This completes the authentication between Ivan and Bob, with Ivan impersonating Alice.

A possible countermeasure against Type Flaw attacks is detailed in [4]: it consists in tagging each field with its intended type, and having honest participants check the tags of incoming messages. Basically, a different tag number is used for each distinct type used in a protocol (for example: nonce, agent/identity, pair, ...). These type identifiers then appear as the initial part of each message, and inside pair types and encryption types. However, C. Meadows argued in [7] that tagging messages is not sufficient because messages are bit strings; she developed a method that enables the intruder to identify a strategy raising the probability that two messages are confused above a preset threshold. In fact, to prevent these attacks it is necessary to follow good practices of message encoding, such as those proposed by M. Abadi and R. Needham in [1]. The goal is to create a so-called properly encoded protocol, which means that for every message, the conditions under which the receiver associates the message with a particular step of the protocol are verifiable on arrival. Critics also argue that Type Flaw attacks are not realistic, since they depend mainly on the implementer.

4.6 Another Type Flaw attack: Otway-Rees Protocol

This authentication protocol, described in [9], allows individuals communicating over a network to prove their identity to each other, while preventing eavesdropping or replay attacks and allowing the detection of modification. The protocol can be specified as follows in security protocol notation, where Alice authenticates herself to Bob using a server S (M is a session identifier, N_A and N_B are nonces):

1. A → B : (M, A, B, {N_A, M, A, B}_Kas)
2. B → S : (M, A, B, {N_A, M, A, B}_Kas, {N_B, M, A, B}_Kbs)
3. S → B : (M, {N_A, K_ab}_Kas, {N_B, K_ab}_Kbs)
4. B → A : (M, {N_A, K_ab}_Kas)

It is the server which generates the key K_ab used by both parties to communicate. However, there exists an attack on the Otway-Rees protocol, where an intruder I(S), i.e. an intruder impersonating the server S, can trick A and B into ending up with a different key:

1. A → B : (M, A, B, {N_A, M, A, B}_Kas)
   Start of a new protocol run.
2. B → I(S) : (M, A, B, {N_A, M, A, B}_Kas, {N_B, M, A, B}_Kbs)
   Ivan is the man-in-the-middle between B and S, so he intercepts the message sent to the server.
3. I(S) → B : (M, {N_A, M, A, B}_Kas, {N_B, M, A, B}_Kbs)
   Ivan simply performs a mirror attack by sending back to Bob {N_A, M, A, B}_Kas, {N_B, M, A, B}_Kbs.
4. B → A : (M, {N_A, (M, A, B)}_Kas)
   Bob interprets {N_A, M, A, B}_Kas, {N_B, M, A, B}_Kbs as {N_A, K_ab}_Kas, {N_B, K_ab}_Kbs, and therefore K_ab = (M, A, B). Ivan now knows the key used for the communication between Alice and Bob.

4.7 Another Type Flaw attack: Woo-Lam Protocol

The Woo-Lam protocol is another authentication protocol based on a server S, with which each network participant shares a key. According to [12], the Woo-Lam protocol π1 works as follows:

1. A → B : A
2. B → A : N_B
3. A → B : {A, B, N_B}_Kas
4. B → S : {A, B, {A, B, N_B}_Kas}_Kbs
5. S → B : {A, B, N_B}_Kbs

Here K_as denotes a key shared between A and S. Note that Bob cannot decrypt message 3; he simply includes it inside message 4. The paper [4] shows that this protocol is vulnerable to the following Type Flaw attack:

1. I(A) → B : A
   Ivan plays the role of A and starts a new protocol run by claiming to B that he is A.
2. B → I(A) : N_B
   Bob generates a nonce and sends it. Ivan intercepts the message.
3. I(A) → B : N_B
   Instead of sending {A, B, N_B}_Kas, Ivan sends N_B back to Bob (mirror attack).
4. B → I(S) : {A, B, N_B}_Kbs
   Bob accepts the nonce N_B as being of the form {A, B, N_B}_Kas, and therefore encrypts N_B within the message.
5. I(S) → B : {A, B, N_B}_Kbs
   Ivan has obtained {A, B, N_B}_Kbs thanks to the previous manipulation, and this is precisely the type of message he needs to fake the server's response. From Bob's point of view, Ivan is now authenticated as Alice.

4.8 Formal approaches to find attacks on protocols

How can we find attacks on protocols? We need to set up a formal approach which uses:
- models for protocols, for abstraction purposes;
- models for properties;
- theories: logical, tree automata, ... approaches;
- dedicated techniques;
- tools: automatic and semi-automatic.

In fact, in today's cryptographic research community there are two distinct sub-communities. The gap between the two is largely due to the use of different approaches for modelling the security of systems, each approach having its own advantages and disadvantages:

- The formal methods or symbolic approach, also known as the Dolev-Yao model, consists in proving the security of protocols by abstracting away the details of the primitives used. Researchers in this community are able to automate this kind of proof by employing methodologies and tools such as model checkers and theorem provers. However, the degree of abstraction involved is so high that it raises a legitimate question: what precise security guarantees does a formal proof entail?
- The computational approach, also known as provable security, uses both probability and complexity theory. In this approach, protocols are defined by combining Turing machines running algorithms which model cryptographic operations, seen as functions on bit strings. Contrary to the formal approach, there is no automated way to perform such proofs. More precisely, an encryption scheme is defined by a triple of algorithms π = (K, E, D), and an adversary is typically a Turing machine with access to an oracle.

4.9 Computational Security for Needham Schroeder

The paper [11] provides a computational proof that the Needham-Schroeder-Lowe protocol is a secure mutual authentication protocol, provided the encryption scheme used in the implementation is IND-CCA secure.

4.10 Link between Computational and Symbolic

The paper [6], published in 2000, establishes a link between the two approaches presented above. It demonstrates that the formal assertions are valid in computational models, if not absolutely then at least with high probability and against adversaries of limited computational power. There is therefore a kind of equivalence between the two approaches: if a flaw is found in computational security then there is a flaw in symbolic security and, reciprocally, if a flaw is found in symbolic security then there is a flaw in computational security. The proof uses a hybrid argument.

4.11 Protocol Verification Difficulty

The difficulty of protocol verification is due to the considerable number of unknown parameters:
- Messages: message size can vary, so we do not know which size we need to find a flaw.
- Nonces: arbitrary values.
- Channel: insecure, can be controlled by the intruder.
- Intruder: unlimited capabilities, such as trying different schemes or sending different messages (we consider the worst case). The intruder controls everything, and is therefore able to open as many sessions as he wants, to play the role of any entity, etc.
- Instances: unbounded number of principals.
- Interleaving: unlimited applications of the protocol; the way the different sessions are mixed can be changed at will.

4.12 Parallel attack

The paper "A necessarily parallel attack" proves that, to find an attack, it is necessary to analyse a system with at least two processes running the same role for the same principal. Furthermore, the two processes must run concurrently; that is, the protocol is secure if the two processes are serialized. An attack requiring this type of role concurrency is called a parallel attack. Parallel attacks are significant because state exploration techniques encounter a combinatorial explosion with concurrent processes that is avoided if they can be serialized.

4.13 The FFGG protocol

The FFGG protocol is an artificial protocol constructed to have a parallel attack exposing a secret data item. A parallel attack is proved necessary, because the protocol is shown to be secure under non-parallel attacks. In this protocol, A and B are agents (principals possessing a public/private key pair), N and M are nonces, S is a secret of the same field length as a nonce, and PKB is B's public key.

1. A → B : A
2. B → A : B, N, M
3. A → B : A, {N, M, S}_PKB        (in B's view: A, {N, X, S}_PKB)
4. B → A : N, X, {X, S, N}_PKB

When B receives message 3, B checks N. It also extracts the next field, but does not care whether it matches M; it just saves it as X. The use of PKB rather than PKA in the last message is intentional, though odd-looking. This protocol is not claimed to be suitable for any practical application, only to lend itself to an interesting theoretical result. It is called FFGG because the responder B has two state transitions: the first, or F-transition, is to reply to message 1 with message 2, and the second, or G-transition, is to reply to message 3 with message 4. In the attack scenario, there is another B responder doing F and G transitions, and these are interleaved concurrently with F and G in the pattern FFGG.

4.14 The FFGG protocol Attack

A message-modification attack that exposes the secret data field S is presented below. An agent identifier in parentheses indicates interference by the attacker: if the source is in parentheses, the message has been forged or modified by the attacker; if the destination is in parentheses, the message is intercepted before it reaches the named destination. There are two responder processes running for agent B; the second process is associated with the primed symbols B', N2, M2. Note that, because the second responder process is running on behalf of the same agent B, it still uses the same public key PKB. Message labels are session.step.

1.1.  A → B : A
2.1.  I(A) → B : A
1.2.  B → I(A) : B, N1, M1
2.2.  B → I(A) : B, N2, M2
1.2'. I(B) → A : B, N1, N2          (modified message 1.2)
1.3.  A → B : A, {N1, N2, S}_PKB
1.4.  B → A : N1, N2, {N2, S, N1}_PKB
2.3.  I(A) → B : A, {N2, S, N1}_PKB
2.4.  B → A : N2, S, {S, N1, N2}_PKB

The secret S is exposed in the last message from the second B strand.

4.15 TMN protocol

The TMN protocol is used for the distribution of a fresh symmetric key. It involves three players: an initiator O (Osiris), a responder I (Isis), and a server S who mediates between them. Sharing the symmetric key requires four messages, shown below.
- We assume that both I and O initially know the public key PK(S) of S.
- NO and NI are session symmetric keys freshly created by O and I respectively.

1. O → S : O, I, {NO}_PubS
2. S → I : S, O
3. I → S : I, O, {NI}_PubS
4. S → O : S, I, NO ⊕ NI

The shared key is NI, and Osiris obtains it by computing NO ⊕ (NO ⊕ NI) = NI.

4.16 Attack on TMN Protocol With homomorphic encryption

Requirement: we suppose that the encryption used by the server S is homomorphic, that is, for any messages M1 and M2:

  {M1}_PubS ⊕ {M2}_PubS = {M1 ⊕ M2}_PubS

Description of the attack: the attack involves an intruder B and his accomplice C; the intruder knows his own nonce NB and that of his accomplice, NC. B intercepts the message {NI}_PubS in a normal session, then plays the protocol normally with his partner C. Instead of sending {NB}_PubS to the server, he sends the combination of that message with the intercepted one, {NI}_PubS ⊕ {NB}_PubS, which equals {NI ⊕ NB}_PubS because the encryption is homomorphic. After receiving {NC}_PubS from the intruder's accomplice, the server returns (NI ⊕ NB) ⊕ NC. The intruder can then recover NI:

1. B → S : B, C, {NI}_PubS ⊕ {NB}_PubS
2. S → C : S, B
3. C → S : C, B, {NC}_PubS
4. S → B : S, (NI ⊕ NB) ⊕ NC

  ((NI ⊕ NB) ⊕ NC) ⊕ NB ⊕ NC = NI ⊕ (NB ⊕ NB) ⊕ (NC ⊕ NC) = NI

5 Dolev-Yao's Intruder

A large network of computers, devices and resources (for example, the Internet) is typically open, which means that a principal (or entity, agent, user), which can be a computer, a device, a resource, a service provider, a person or an organization of these things, can join such a network and start sending and receiving messages to and from other principals across it, without needing to be authorized by a super principal. In such an open environment we must anticipate that there are bad guys (attackers, adversaries, enemies, intruders, eavesdroppers, impostors, etc.) out there who will do all sorts of bad things: not just passively eavesdropping, but also actively altering (maybe using some unknown calculations or methods), forging, duplicating, rerouting, deleting or injecting messages. The injected messages can be malicious and cause a destructive effect on the principals at the receiving end. In the cryptographic literature such a bad guy is called an active attacker. The attacker can be an individual, a coalition of a group of attackers, and, as a special case, a legitimate principal in a protocol (an insider). In general, it is assumed that the active attacker is very clever in manipulating communications over the open network. His manipulation techniques are unpredictable because they are unspecified. Also, because the attacker can represent a coalition of bad guys, he may simultaneously control a number of network nodes which are geographically far apart.

In anticipation of such a powerful adversary in such a vulnerable environment, Dolev and Yao proposed a threat model which has been widely accepted as the standard threat model for cryptographic protocols. In that model, Malice has the following characteristics:
- He can obtain any message passing through the network.
- He is a legitimate user of the network, and thus in particular can initiate a conversation with any other user.
- He will have the opportunity to become a receiver to any principal.
- He can send messages to any principal by impersonating any other principal.

However, unless explicitly stated, we do not consider the attacker to be all-powerful. This means there are certain things the attacker cannot do:
- He cannot guess a random number chosen from a sufficiently large space.
- Without the correct secret (or private) key, he cannot retrieve plaintext from a given ciphertext, nor create valid ciphertext from a given plaintext, with respect to the perfect encryption algorithm.
- He cannot find the private component, i.e. the private key, matching a given public key.
- While he may have control of a large public part of our computing and communication environment, in general he is not in control of many private areas of the computing environment, such as the memory of a principal's offline computing device.

5.1 Proof System

A sequent is an expression of the form T ⊢ u.

Definition. A proof of a sequent T ⊢ u is a tree whose nodes are labelled by either sequents or expressions of the form v ∈ T, such that:

15 Each leaf is labeled by an expression of the term v T, and each non-leaf node is labeled by a sequent. Each node labeled by a sequent T v has n children labeled by T s 1,...,T s n such that there is an instance of an inference rule with conclusion T E v and hypotheses T s 1,...,T s n The root of the tree is labeled by T u. A subproof of a proof P is a subtree of P. 5.2 Notations for Proof System Definition Size of the proof P of T u is denoted by P, is the number of nodes in the proof. A proof P of T u is minimal if there does not exist a proof P of T u such that P < P. 5.3 Intruder Deduction Problems [?]In security protocol analysis, the knowledge of an attacker is often described in terms of deduction: Given some messages T and a message S, can the Intruder deduce S from T? This problem, called the intruder deduction problem, corresponds to the security decision problem in presence of an eavesdropper and is a cornerstone for the verification problem and for the search of attacks. This deduction problem depends on the equational theory that governs the function symbols appearing in messages. In several works, the underlying cryptographic primitives are based on the Dolev-Yao model which may be too strong in some situations. 5.4 Dolev-Yoa Deduction System The most widely used deduction relation representing the deduction abilities of an intruder is often referred to as the Dolev-Yao model. In addition, we give to the intruder the power to use equational reasoning modulo a set E of equational axioms. It is not di?cult to design a similar deduction system for asymmetric encryption and to extend our results to this inference system. The classic Dolev-Yao model defines the deduction capacities of an intruder assuming perfect cryptography. 
This deduction system is composed of the following rules: (A) the intruder knows any term that he has previously observed; (P) he can build a pair of two messages; (UL, UR) he can extract each member of a pair; (C) he can encrypt a message m with a key k; (D) if he knows a key k he can decrypt a message encrypted with the same key.

(A)   u ∈ T0
      ---------
      T0 ⊢ u

(P)   T0 ⊢ u     T0 ⊢ v
      ------------------
      T0 ⊢ ⟨u, v⟩

(UL)  T0 ⊢ ⟨u, v⟩          (UR)  T0 ⊢ ⟨u, v⟩
      --------------             --------------
      T0 ⊢ u                     T0 ⊢ v

(C)   T0 ⊢ u     T0 ⊢ v
      ------------------
      T0 ⊢ {u}_v

(D)   T0 ⊢ {u}_v     T0 ⊢ v
      ----------------------
      T0 ⊢ u

5.5 Example: T0 ⊢? s

Is s deducible from T0?

Solution: take T0 = {k, {b}_c, ⟨a, {c}_k⟩} and s = b.

The proof tree, read from the leaves down to the root T0 ⊢ b:

  (A)   {b}_c ∈ T0                     ⟹  T0 ⊢ {b}_c
  (A)   ⟨a, {c}_k⟩ ∈ T0                ⟹  T0 ⊢ ⟨a, {c}_k⟩
  (UR)  T0 ⊢ ⟨a, {c}_k⟩                ⟹  T0 ⊢ {c}_k
  (A)   k ∈ T0                         ⟹  T0 ⊢ k
  (D)   T0 ⊢ {c}_k,  T0 ⊢ k            ⟹  T0 ⊢ c
  (D)   T0 ⊢ {b}_c,  T0 ⊢ c            ⟹  T0 ⊢ b

6 Undecidability for unbounded number of sessions

6.1 Main Results

An undecidable problem is a decision problem for which it is impossible to construct a single algorithm that always leads to a correct answer. In general the security problem is undecidable, but with a bounded number of sessions decidability becomes achievable.

6.2 Undecidability

An example of an undecidable problem is the Post Correspondence Problem (PCP), defined as follows.

Definition. Let Σ be a finite alphabet.
Input: a sequence of pairs (u_i, v_i), 1 ≤ i ≤ n, with u_i, v_i ∈ Σ*, n ∈ ℕ.
Question: do there exist k and i_1, ..., i_k ∈ {1, ..., n} such that u_{i_1} ... u_{i_k} = v_{i_1} ... v_{i_k}?

Example:

  i     1      2      3       4
  u_i   aba    bbb    aab     bb
  v_i   a      aaa    abab    babba

Solution: 1431, since
  u_1 u_4 u_3 u_1 = aba · bb · aab · aba = ababbaababa = a · babba · abab · a = v_1 v_4 v_3 v_1.

The instance restricted to the first three pairs (u_1, v_1), (u_2, v_2), (u_3, v_3) has no solution. PCP is undecidable: no single algorithm answers the question correctly for every instance.

6.3 Undecidability for protocols

A protocol can be constructed whose security problem is undecidable; the requirement is that the secret data s must not fall into the intruder's hands. For example, the following protocol has a secrecy problem exactly as hard as the PCP instance above:

  A:  send     {⟨u_i, v_i⟩}_{K_AB}                                         (1 ≤ i ≤ n)
  B:  receive  {⟨x, y⟩}_{K_AB}
      send     {⟨x·u_i, y·v_i⟩}_{K_AB},  {s}_{ {⟨x·u_i, x·u_i⟩}_{K_AB} }    (1 ≤ i ≤ n)

We assume that K_AB is shared between A and B. Whether the intruder can obtain s is undecidable: the intruder can find s if and only if he can solve the PCP instance, because the key protecting s is produced by B only when the concatenated u-word and v-word coincide.
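The two decision questions of sections 5.5 and 6.2 are small enough to implement. The following Python is an added example, not code from the lecture note: it decides the Dolev-Yao deduction problem T0 ⊢ s for the message algebra used above (atoms, pairs, symmetric encryption) by saturating T0 under the decomposition rules (UL), (UR), (D) and then checking whether s is composable with (P) and (C), which is the standard shape of a minimal Dolev-Yao proof. It goes slightly beyond the page's instance in that decryption keys may themselves be composed terms. The second part is a bounded breadth-first search for the PCP instance of section 6.2; the names `Pair`, `Enc`, `synth`, `analyse`, `deducible`, `pcp_solve`, `T0_EXAMPLE` and `PCP_EXAMPLE` are this example's own choices.

```python
# Added example, not part of the lecture note: a decision procedure for the
# Dolev-Yao intruder deduction problem T0 |- s in the message algebra used
# above (atoms, pairs <u, v>, symmetric encryption {u}_v), plus a bounded
# search for the Post Correspondence Problem instance of section 6.2.
from collections import deque
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple, Union


@dataclass(frozen=True)
class Pair:
    """The term <left, right> built by rule (P), taken apart by (UL)/(UR)."""
    left: "Term"
    right: "Term"


@dataclass(frozen=True)
class Enc:
    """The term {msg}_key built by rule (C), opened by rule (D)."""
    msg: "Term"
    key: "Term"


Term = Union[str, Pair, Enc]  # atoms (names, nonces, keys) are plain strings


def synth(term: Term, known: FrozenSet[Term]) -> bool:
    """Composition rules only: (A) on the saturated set, then (P) and (C)."""
    if term in known:
        return True
    if isinstance(term, Pair):
        return synth(term.left, known) and synth(term.right, known)
    if isinstance(term, Enc):
        return synth(term.msg, known) and synth(term.key, known)
    return False  # an atom the intruder never observed cannot be guessed


def analyse(t0: FrozenSet[Term]) -> FrozenSet[Term]:
    """Saturate T0 under the decomposition rules (UL), (UR) and (D).

    (D) fires only once its key is deducible, and extracting one key may
    unlock further decryptions, so iterate until nothing new appears. The
    key may itself be a composed term, hence the synth() check."""
    known = set(t0)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            new = set()
            if isinstance(term, Pair):
                new = {term.left, term.right}
            elif isinstance(term, Enc) and synth(term.key, frozenset(known)):
                new = {term.msg}
            if not new <= known:
                known |= new
                changed = True
    return frozenset(known)


def deducible(t0: FrozenSet[Term], s: Term) -> bool:
    """T0 |- s holds iff s is synthesisable from the analysis closure of T0:
    a minimal Dolev-Yao proof decomposes first and composes last."""
    return synth(s, analyse(t0))


# The instance of section 5.5: T0 = {k, {b}_c, <a, {c}_k>}, s = b.
T0_EXAMPLE: FrozenSet[Term] = frozenset({"k", Enc("b", "c"), Pair("a", Enc("c", "k"))})


def pcp_solve(pairs: Sequence[Tuple[str, str]], max_len: int) -> Optional[Tuple[int, ...]]:
    """Breadth-first search for indices i_1..i_k (1-based, k <= max_len) with
    u_i1...u_ik == v_i1...v_ik. A returned sequence is a genuine solution;
    None only says that no solution of length <= max_len was found, which
    is all a bounded procedure can say about an undecidable problem."""
    queue = deque([((), "", "")])
    while queue:
        seq, u, v = queue.popleft()
        if seq and u == v:
            return seq
        if len(seq) == max_len:
            continue
        for i, (ui, vi) in enumerate(pairs, start=1):
            nu, nv = u + ui, v + vi
            # one side must be a prefix of the other, or they can never agree
            if nu.startswith(nv) or nv.startswith(nu):
                queue.append((seq + (i,), nu, nv))
    return None


# The instance of section 6.2 (constructed from the table there).
PCP_EXAMPLE = [("aba", "a"), ("bbb", "aaa"), ("aab", "abab"), ("bb", "babba")]

if __name__ == "__main__":
    print("T0 |- b:", deducible(T0_EXAMPLE, "b"))               # True
    print("T0 |- z:", deducible(T0_EXAMPLE, "z"))               # False
    print("PCP solution:", pcp_solve(PCP_EXAMPLE, 4))           # (1, 4, 3, 1)
    print("first three pairs:", pcp_solve(PCP_EXAMPLE[:3], 8))  # None
```

The order of the two phases matters: running the composition rules before decryption would let the intruder build terms that are never needed and never terminate, whereas analysis terminates because every rule in it produces a strict subterm. For the PCP part, the prefix pruning is what makes the search space of the three-pair instance finite, so the search can exhaust it; in general the bound is the only thing that stops it, which is exactly why no bound can decide the problem.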

References

[1] H. Abadi and R. Needham. Prudent engineering practice for cryptographic protocols. IEEE Transactions on Software Engineering, pages 6–15.
[2] Wenbo Mao (Hewlett-Packard Company). Modern Cryptography: Theory and Practice. Prentice Hall PTR.
[3] D. E. Denning and G. M. Sacco. Timestamps in key distribution protocols. Communications of the ACM, 24(8).
[4] Stéphanie Delaune. Easy intruder deduction problems with homomorphisms. Information Processing Letters.
[5] W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6).
[6] J. Heather, G. Lowe, and S. Schneider. How to prevent type flaw attacks on security protocols. Journal of Computer Security, 11(2).
[7] Pascal Lafourcade. Vérification de protocoles cryptographiques en présence de théories équationnelles. PhD thesis, ENS de Cachan.
[8] Pascal Lafourcade. Relation between unification problem and intruder deduction problem. 3rd Int. Workshop on Security.
[9] G. Lowe. An attack on the Needham-Schroeder public-key authentication protocol. Information Processing Letters, 56(3).
[10] M. Tatebayashi, N. Matsuzaki, and D. B. Newman. TMN.
[11] Martín Abadi and Phillip Rogaway. Reconciling two views of cryptography (the computational soundness of formal encryption). IFIP International Conference on Theoretical Computer Science.
[12] C. Meadows. A procedure for verifying security against type confusion attacks. In Computer Security Foundations Workshop. Proceedings. 16th IEEE. IEEE.
[13] R. M. Needham and M. D. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12).
[14] D. Otway and O. Rees. Efficient and timely mutual authentication. ACM SIGOPS Operating Systems Review, 21(1):8–10.
[15] P. Syverson. A taxonomy of replay attacks [cryptographic protocols]. In Computer Security Foundations Workshop VII, CSFW 7. Proceedings. IEEE.
[16] Bogdan Warinschi. Computational analysis of the Needham-Schroeder-Lowe protocol. Journal of Computer Security.
[17] Thomas Y. C. Woo and Simon S. Lam. A lesson on authentication protocol design.

More information

Secure Multiparty Computation

Secure Multiparty Computation CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation

More information

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange Outline More Security Protocols CS 239 Security for System Software April 22, 2002 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and

More information

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class 1.264 Lecture 27 Security protocols Symmetric cryptography Next class: Anderson chapter 10. Exercise due after class 1 Exercise: hotel keys What is the protocol? What attacks are possible? Copy Cut and

More information

SEMINAR REPORT ON BAN LOGIC

SEMINAR REPORT ON BAN LOGIC SEMINAR REPORT ON BAN LOGIC Submitted by Name : Abhijeet Chatarjee Roll No.: 14IT60R11 SCHOOL OF INFORMATION TECHNOLOGY INDIAN INSTITUTE OF TECHNOLOGY, KHARAGPUR-721302 (INDIA) Abstract: Authentication

More information

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d) Outline AIT 682: Network and Systems Security 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard Topic 5.2 Public Key Cryptography Instructor: Dr. Kun Sun 2 Public Key

More information

Digital Signatures. Secure Digest Functions

Digital Signatures. Secure Digest Functions Digital Signatures Secure Digest Functions 8 requirements for one-way hash functions given M, H(M) is easy to compute given H(M), M is difficult to compute given M, it is difficult to find M such that

More information

An Improved Timestamp-Based Password Authentication Scheme Using Smart Cards

An Improved Timestamp-Based Password Authentication Scheme Using Smart Cards An Improved Timestamp-Based Password Authentication Scheme Using Smart Cards Al-Sakib Khan Pathan and Choong Seon Hong Department of Computer Engineering, Kyung Hee University, Korea spathan@networking.khu.ac.kr

More information

Anonymity. Assumption: If we know IP address, we know identity

Anonymity. Assumption: If we know IP address, we know identity 03--4 Anonymity Some degree of anonymity from using pseudonyms However, anonymity is always limited by address TCP will reveal your address address together with ISP cooperation Anonymity is broken We

More information

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following: 50fb6be35f4c3105 9d4ed08fb86d8887 b746c452a9c9443b 15b22f450c76218e CS 470 Spring 2017 9df7031cdbff9d10 b700a92855f16328 5b757e66d2131841 62fedd7d9131e42e Mike Lam, Professor Security a.k.a. Why on earth

More information

Lecture 10, Zero Knowledge Proofs, Secure Computation

Lecture 10, Zero Knowledge Proofs, Secure Computation CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last

More information

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols Cryptographic Protocols Topics 1. Dramatis Personae and Notation 2. Session and Interchange Keys 3. Key Exchange 4. Key Generation 5. Cryptographic Key Infrastructure 6. Storing and Revoking Keys 7. Digital

More information

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!? 50fb6be35f4c3105 9d4ed08fb86d8887 b746c452a9c9443b 15b22f450c76218e CS 470 Spring 2018 9df7031cdbff9d10 b700a92855f16328 5b757e66d2131841 62fedd7d9131e42e Mike Lam, Professor Security a.k.a. Why on earth

More information

Session Key Distribution

Session Key Distribution Session Key Distribution The TA shares secret keys with network users. The TA chooses session keys and distributes them in encrypted form upon request of network users. We will need to define appropriate

More information

2.1 Basic Cryptography Concepts

2.1 Basic Cryptography Concepts ENEE739B Fall 2005 Part 2 Secure Media Communications 2.1 Basic Cryptography Concepts Min Wu Electrical and Computer Engineering University of Maryland, College Park Outline: Basic Security/Crypto Concepts

More information

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest 1 2 3 This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest PKCS, Diffie- Hellman key exchange. This first published

More information