Composition of Password-based Protocols ephanie Delaune 1 , Steve - PowerPoint PPT Presentation

Composition of Password-based Protocols ephanie Delaune 1 , Steve Kremer 1 and Mark Ryan 2 St´ 1 LSV, ENS de Cachan, CNRS & INRIA, France 2 School of Computer Science, University of Birmingham, UK CSF’08, Pittsburgh June 2008

Password-based protocols and Guessing attacks Handshake protocol Guessing attack on w : Guess w A B Let x = sdec w (senc w ( r )) new r senc w ( r ) − − − − − − − − − − − → Let y = sdec w (senc w ( f ( r ))) senc w ( f ( r )) ← − − − − − − − − − − − Confirm guess of w by checking y = f ( x ) Encrypted key exchange No guessing attack on w (assuming it is possible to encode A B pk ( k ) so it looks indistinguishable new k senc w ( pk ( k )) − − − − − − − − − − − → from a random bitstring). new r senc w ( aenc pk ( k ) ( r )) ← − − − − − − − − − − −

Password-based protocols and Guessing attacks Handshake protocol Guessing attack on w : Guess w A B Let x = sdec w (senc w ( r )) new r senc w ( r ) − − − − − − − − − − − → Let y = sdec w (senc w ( f ( r ))) senc w ( f ( r )) ← − − − − − − − − − − − Confirm guess of w by checking y = f ( x ) Encrypted key exchange No guessing attack on w (assuming it is possible to encode A B pk ( k ) so it looks indistinguishable new k senc w ( pk ( k )) − − − − − − − − − − − → from a random bitstring). new r senc w ( aenc pk ( k ) ( r )) ← − − − − − − − − − − −

Password-based protocols and Guessing attacks Handshake protocol Guessing attack on w : Guess w A B Let x = sdec w (senc w ( r )) new r senc w ( r ) − − − − − − − − − − − → Let y = sdec w (senc w ( f ( r ))) senc w ( f ( r )) ← − − − − − − − − − − − Confirm guess of w by checking y = f ( x ) Encrypted key exchange No guessing attack on w (assuming it is possible to encode A B pk ( k ) so it looks indistinguishable new k senc w ( pk ( k )) − − − − − − − − − − − → from a random bitstring). new r senc w ( aenc pk ( k ) ( r )) ← − − − − − − − − − − −

Composing protocols “EKE++” “EKE+++” A B A B new k new k senc w ( pk ( k )) senc w ( pk ( k )) − − − − − − − − − − − → − − − − − − − − − − − → new r new r senc w ( aenc pk ( k ) ( r )) senc w ( aenc pk ( k ) ( r )) ← − − − − − − − − − − − ← − − − − − − − − − − − x senc r ( w ) − − − − → − − − − − − − − − − − → sdec r ( x ) ← − − − − − Each of them resists guessing attack separately Attack (even without guessing!) if they are run together: let x = senc r ( w )

Composing protocols “EKE++” “EKE+++” A B A B new k new k senc w ( pk ( k )) senc w ( pk ( k )) − − − − − − − − − − − → − − − − − − − − − − − → new r new r senc w ( aenc pk ( k ) ( r )) senc w ( aenc pk ( k ) ( r )) ← − − − − − − − − − − − ← − − − − − − − − − − − x senc r ( w ) − − − − → − − − − − − − − − − − → sdec r ( x ) ← − − − − − Each of them resists guessing attack separately Attack (even without guessing!) if they are run together: let x = senc r ( w )

Outline Define guessing attacks in the formal model active and passive attacks Study composition of protocols that share the password if the individual protocols resist guessing attacks, does the composed protocol also resist?

Terms and equational theories Describe processes in a simple language inspired by applied pi calculus. Messages are modeled using terms. Abstract algebra given by a signature, i.e. a set of function symbols with arities Equivalence relation (= E ) on terms induced by an equational theory Example (equational theory) Consider the signature Σ enc = { sdec , senc , adec , aenc , pk , � � , proj 1 , proj 2 } sdec y (senc y ( x )) = x adec y (aenc pk( y ) ( x ) = x senc y (sdec y ( x )) = proj i ( � x 1 , x 2 � ) = i = 1 , 2 x x i

Frames and deduction As a process evolves, it may output terms which are available to the attacker. The output of a process is called a frame: a set of secrets + a substitution: n . ( { M 1 / x 1 } | { M 2 / x 2 } | . . . | { M n / x n } ) ν ˜ Example: φ = ν k , s 1 . { senc k ( � s 1 , s 2 � ) / x 1 , k / x 2 } Definition (Deduction) ν ˜ n .σ ⊢ E M iff there exists N such that fn ( N ) ∩ ˜ n = ∅ and N σ = E M . We call N a recipe of the term M . Recipe φ ⊢ E enc k x 2 φ ⊢ E enc s 1 proj 1 (sdec x 2 ( x 1 )) φ ⊢ E enc s 2 s 2

Frames and deduction As a process evolves, it may output terms which are available to the attacker. The output of a process is called a frame: a set of secrets + a substitution: n . ( { M 1 / x 1 } | { M 2 / x 2 } | . . . | { M n / x n } ) ν ˜ Example: φ = ν k , s 1 . { senc k ( � s 1 , s 2 � ) / x 1 , k / x 2 } Definition (Deduction) ν ˜ n .σ ⊢ E M iff there exists N such that fn ( N ) ∩ ˜ n = ∅ and N σ = E M . We call N a recipe of the term M . Recipe φ ⊢ E enc k x 2 φ ⊢ E enc s 1 proj 1 (sdec x 2 ( x 1 )) φ ⊢ E enc s 2 s 2

Static equivalence Definition (Static equivalence) Two frames are statically equivalent if there is no “test” that tells them apart. φ and ψ are statically equivalent, φ ≈ E ψ , when: dom ( φ 1 ) = dom ( φ 2 ), and for all terms M , N such that ˜ n ∩ ( fn ( M ) ∪ fn ( N )) = ∅ , M φ = E N φ iff M ψ = E N ψ Example φ = ν k . { senc k ( s 0 ) / x 1 , k / x 2 } �≈ ν k . { senc k ( s 1 ) / x 1 , k / x 2 } = φ ′ because of the test (sdec x 2 ( x 1 ) , s 0 ) However, ν k . { senc k ( s 0 ) / x 1 } ≈ ν k . { senc k ( s 1 ) / x 1 }

Guessing attacks (passive case) A passive guessing or dictionary attack consists of two phases 1 the attacker eavesdrops on one or several sessions of a protocol 2 the attacker tries offline each of the possible passwords (e.g. using a dictionary) on the data collected during the first phase We suppose the eavesdropping phase results in a frame ν w .φ . Definition (Passive guessing attacks) ν w .φ is resistant to guessing attacks against w iff ν w . ( φ | { w / x } ) ≈ ν w . ( φ | ν w ′ . { w ′ / x } ) [Baudet05, Corin et al.03]

EKE resists guessing attacks? EKE EKE resists guessing attacks only if pk ( k ) can be encoded indistinguishably from an A B new k senc w ( pk ( k )) arb. bitstring. − − − − − − − − − − → new r senc w ( aenc pk ( k ) ( r )) Consider the equational theory: ← − − − − − − − − − − sdec y (senc y ( x )) = x senc y (sdec y ( x )) = x adec y (aenc pk( y ) ( x ) = x proj i ( � x 1 , x 2 � ) = x i ( i = 1 , 2) We have ν w , k . ( { senc w ( pk ( k )) / x 1 } , { w / x 2 } ) ≈ ν w , w ′ , k . ( { senc w ( pk ( k )) / x 1 } , { w ′ / x 2 } )

EKE resists guessing attacks? EKE EKE resists guessing attacks only if pk ( k ) can be encoded indistinguishably from an A B new k senc w ( pk ( k )) arb. bitstring. − − − − − − − − − − → new r senc w ( aenc pk ( k ) ( r )) Consider the equational theory: ← − − − − − − − − − − sdec y (senc y ( x )) = x senc y (sdec y ( x )) = x adec y (aenc pk( y ) ( x ) = x proj i ( � x 1 , x 2 � ) = x i ( i = 1 , 2) ispk(pk( x )) = true We have ν w , k . ( { senc w ( pk ( k )) / x 1 } , { w / x 2 } ) �≈ ν w , w ′ , k . ( { senc w ( pk ( k )) / x 1 } , { w ′ / x 2 } ) as witnessed by the test: ispk(sdec x 2 ( x 1 )) = true.

Composing protocols that are resistant to passive guessing attacks Proposition The three following statements are equivalent: 1 ν w .φ | { w / x } ≈ ν w .φ | ν w ′ . { w ′ / x } [Baudet05] 2 φ ≈ ν w .φ [Corin et al.03] 3 φ ≈ φ { w ′ / w } Corollary If ν w .φ 1 and ν w .φ 2 are resistant to guessing attacks against w then ν w . ( φ 1 | φ 2 ) is also resistant to guessing attacks against w . Thus, resistance to guessing attacks composes in the passive case. In particular, resistance for one session implies resitance for multiple sessions.

Composing protocols that are resistant to passive guessing attacks Proposition The three following statements are equivalent: 1 ν w .φ | { w / x } ≈ ν w .φ | ν w ′ . { w ′ / x } [Baudet05] 2 φ ≈ ν w .φ [Corin et al.03] 3 φ ≈ φ { w ′ / w } Corollary If ν w .φ 1 and ν w .φ 2 are resistant to guessing attacks against w then ν w . ( φ 1 | φ 2 ) is also resistant to guessing attacks against w . Thus, resistance to guessing attacks composes in the passive case. In particular, resistance for one session implies resitance for multiple sessions.

Active case