SLIDE 1

Deduction with XOR Constraints in Security API Modelling

Graham Steel

The University of Edinburgh

SLIDE 2

Automated Teller Machines

ATM Maestro UK Hansabank HSBC

Graham Steel XOR and Security APIs July 19, 2005

SLIDE 3

Hardware Security Modules

SLIDE 4

IBM 4758 - Control Vectors

Mechanism to support many types of key: ‘role based access’
Keys stored outside box encrypted under master key XOR control vector
E.g. data keys $\{d1\}_{km \oplus data}$

Encrypt Data:
Host → HSM : $\{d1\}_{km \oplus data}$, message
HSM → Host : $\{message\}_{d1}$

SLIDE 5

Importing Key Parts

‘Separation of duty’
Typically used to import a ‘key encrypting key’ (kek)
Key $kek = k1 \oplus k2$

Host → HSM : k1, TYPE
HSM → Host : $\{k1\}_{km \oplus kp \oplus TYPE}$
Host → HSM : $\{k1\}_{km \oplus kp \oplus TYPE}$, k2, TYPE
HSM → Host : $\{k1 \oplus k2\}_{km \oplus TYPE}$

SLIDE 6

Importing Encrypted Keys

Exported from another 4758 under $KEK \oplus TYPE$
First import KEK, obtaining $\{KEK\}_{km \oplus imp}$

Host → HSM : $\{KEY1\}_{KEK \oplus TYPE}$, TYPE, $\{KEK\}_{km \oplus imp}$
HSM → Host : $\{KEY1\}_{km \oplus TYPE}$

SLIDE 7

Attack (Bond, 2001)

PIN derivation key: $\{pdk\}_{kek \oplus pin}$
Have key part $\{kek \oplus k3\}_{km \oplus imp \oplus kp}$ for known k3

Host → HSM : $\{kek \oplus k3\}_{km \oplus kp \oplus imp}$, $k3 \oplus pin \oplus data$, imp
HSM → Host : $\{kek \oplus pin \oplus data\}_{km \oplus imp}$

SLIDE 8

Attack (Bond, 2001) (part 2)

Key Import
Host → HSM : $\{pdk\}_{kek \oplus pin}$, data, $\{kek \oplus pin \oplus data\}_{km \oplus imp}$
HSM → Host : $\{pdk\}_{km \oplus data}$

Encrypt data
Host → HSM : $\{pdk\}_{km \oplus data}$, pan
HSM → Host : $\{pan\}_{pdk}$ (= PIN!)

SLIDE 9

Formal Modelling

HSMs are ‘stateless’
$P(x)$ if x is ‘public’ - i.e. outside HSM
One clause for each command

Host → HSM : $\{d1\}_{km \oplus data}$, message
HSM → Host : $\{message\}_{d1}$

$P(Msg) \wedge P(crypt(km \oplus data, D1)) \rightarrow P(crypt(D1, Msg))$

SLIDE 10

The Problem with XOR

$P(x) \wedge P(y) \rightarrow P(x \oplus y)$

Associativity and Commutativity
Self-Inverse ($a \oplus b \oplus a = b$)

SLIDE 11

XOR constraints

Host → HSM : $\{KEY1\}_{KEK \oplus TYPE}$, TYPE, $\{KEK\}_{km \oplus imp}$
HSM → Host : $\{KEY1\}_{km \oplus TYPE}$

$P(crypt(X, Key)) \wedge P(Type) \wedge P(crypt(km \oplus imp, Kek)) \rightarrow P(crypt(km \oplus Type, decrypt(Kek \oplus Type, crypt(X, Key))))$

$decrypt(K, crypt(K, X)) = X$

$P(crypt(X, Key)) \wedge P(Type) \wedge P(crypt(km \oplus imp, Kek)) \rightarrow P(crypt(km \oplus Type, Key))$ IF $Kek \oplus Type =_{xor} X$

SLIDE 12

Checking Solubility

Permit only inferences which leave soluble constraints
Check:
If there are any variables at XOR positions, it is soluble
Otherwise count up all terms. If there are an even number of each term, it is soluble. If not, insoluble.
Store in normal form $x_1 \oplus \dots \oplus x_n =_{xor} t_1 \oplus \dots \oplus t_n$
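
The solubility check above, applied to the key-import constraint Kek ⊕ Type =xor X, as an added example (not code from the talk or from daTac). It assumes terms are opaque atoms, that variables are the names starting with an upper-case letter, and that pairs are cancelled first to reach the normal form before the check is run; the bindings are constructed from terms on the slides.

```python
from collections import Counter

def is_var(term):
    # Assumption of this example: variables start with an upper-case letter
    # (Kek, Type, X as in the key-import clause); constants are lower-case.
    return term[:1].isupper()

def substitute(side, subst):
    """Replace each bound variable by the XOR-sum (list of atoms) it maps to."""
    out = []
    for term in side:
        out.extend(subst.get(term, [term]))
    return out

def normal_form(lhs, rhs):
    """Normal form of lhs =xor rhs as (variables, ground terms).

    XOR is associative, commutative and self-inverse, so both sides can be
    pooled and any term occurring an even number of times cancels.
    """
    counts = Counter(lhs) + Counter(rhs)
    odd = sorted(t for t, n in counts.items() if n % 2)
    return [t for t in odd if is_var(t)], [t for t in odd if not is_var(t)]

def soluble(lhs, rhs):
    variables, ground = normal_form(lhs, rhs)
    if variables:          # a variable is left at an XOR position
        return True
    return not ground      # otherwise every term must have cancelled

# Constraint attached to the key-import clause: Kek xor Type =xor X
CONSTRAINT = (["Kek", "Type"], ["X"])

def check(subst):
    lhs, rhs = CONSTRAINT
    return soluble(substitute(lhs, subst), substitute(rhs, subst))

# Constructed bindings. PART2_IMPORT is the Key Import call of "Attack (part 2)":
# X = kek xor pin, Type = data, Kek = kek xor pin xor data.
PART2_IMPORT = {"Kek": ["kek", "pin", "data"], "Type": ["data"], "X": ["kek", "pin"]}
MISMATCH = {"Kek": ["kek"], "Type": ["data"], "X": ["kek", "pin"]}
PARTIAL = {"Type": ["data"], "X": ["kek", "pin"]}   # Kek still unbound

if __name__ == "__main__":
    for name, s in [("part2", PART2_IMPORT), ("mismatch", MISMATCH), ("partial", PARTIAL)]:
        print(name, check(s))
```

With the part 2 bindings every term occurs an even number of times, so the inference is permitted; the mismatched binding leaves data and pin uncancelled and is rejected.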

SLIDE 13

Subsumption Checking

If C1 subsumes C2 without consideration of XOR constraints, then it is a valid subsumer iff:

1. C1 has no XOR constraint
or
2. C1 and C2 have the same XOR constraints after substitutions applied

SLIDE 14

Results

Implemented in daTac, [Vigneron, 1994]
Bond’s attack shown above
Import/Export Attack (also due to Bond)
IBM’s own attack
Attack on NSPKL variant - Jacquemard et al. model

SLIDE 15

4758 Attack 1

SLIDE 16

Related Work

Security APIs:
Longley & Rigby, 1992 - Key management scheme without XOR
Ganapathy et al, 2005 - Model checking for fragment of first attack
Bond & Clulow - Work in progress on first-order model

Protocols with XOR:
Chevalier et al., Comon-Shmatikov, 2003 - Insecurity shown decidable (bounded runs, NP).
Basin, Mödersheim, Viganò, 2005 - General framework for OFMC (unimplemented)

SLIDE 17

Further Work

Improve solving of final XOR constraint
Look at new APIs for novel attacks
Comparison to (special purpose) model checking
PIN Block format analysis

SLIDE 18

Conclusions

XOR constraints considerably improve reasoning capabilities of a FOTP when dealing with bitwise XOR
Allow implicit encryption model to be used
Allow forward, backward and mixed strategies
Reduce explicit construction of terms by XOR
http://dream.inf.ed.ac.uk/projects/aascs/