Models and analysis of security protocols 1st Semester Security Protocols Lecture 6

Size: px

Start display at page:

Download "Models and analysis of security protocols 1st Semester Security Protocols Lecture 6"

Bryan Blair
6 years ago
Views:

1 Models and analysis of security protocols 1st Semester Security Protocols Lecture 6 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 18th / 46

2 Last Time (I) Symmetric encryption and Protocols ECB, CBC, FBC, OFB Attack on ECB Hybrid Encryption OAEP Remarks, questions, comments? 2 / 46

3 Last Time (II) Exercises done CBC Attacks 3 / 46

4 Outline of Today: Logical Attacks 4 / 46

5 Outline of Today: Logical Attacks Diffie-Hellman 4 / 46

6 Outline of Today: Logical Attacks Diffie-Hellman 4 / 46

7 Outline of Today: Logical Attacks Diffie-Hellman Dolev Yao s Intruder 4 / 46

8 Outline of Today: Logical Attacks Diffie-Hellman Dolev Yao s Intruder Undecidability for unbounded number of sessions 4 / 46

9 Outline of Today: Logical Attacks Diffie-Hellman Dolev Yao s Intruder Undecidability for unbounded number of sessions Conclusion 4 / 46

10 Logical Attacks Outline Logical Attacks Diffie-Hellman Dolev Yao s Intruder Undecidability for unbounded number of sessions Conclusion 5 / 46

11 Logical Attacks Attacks Computational Model Cryptanalysis 6 / 46

12 Logical Attacks Attacks Computational Model Cryptanalysis 6 / 46

13 Logical Attacks Attacks Computational Model Cryptanalysis Perfect Encryption hypothesis Symbolic Model Logical Attack Needham-Schroeder Public Key Protocol (1978) Man in the middle attack [Lowe 96] 6 / 46

14 Logical Attacks Simple Example {12h10} KB 7 / 46

15 Logical Attacks Simple Example {12h10} KB {12h10} KB 7 / 46

16 Logical Attacks Simple Example {12h10} KB {12h10} KB Day After {11h45} KB {12h10} KB 7 / 46

17 Logical Attacks Simple Example {12h10} KB {12h10} KB Day After {11h45} KB {12h10} KB This kind of attack is valid for all encryptions 7 / 46

18 Logical Attacks Another Simple Example using RSA {12345} KA 8 / 46

19 Logical Attacks Another Simple Example using RSA {12345} KA {{12345} KA } KB = {{12345} KB } KA 8 / 46

20 Logical Attacks Another Simple Example using RSA {12345} KA {{12345} KA } KB = {{12345} KB } KA {12345} KB 8 / 46

21 Logical Attacks Another Simple Example using RSA {12345} KA {{12345} KA } KB = {{12345} KB } KA {12345} KB {12345} KA 8 / 46

22 Logical Attacks Another Simple Example using RSA {12345} KA {{12345} KA } KB = {{12345} KB } KA {12345} KB {12345} KA {{12345} KA } KI = {{12345} KI } KA 8 / 46

23 Logical Attacks Another Simple Example using RSA {12345} KA {{12345} KA } KB = {{12345} KB } KA {12345} KB {12345} KA {{12345} KA } KI = {{12345} KI } KA {12345} KI 8 / 46

24 Logical Attacks Another Simple Example using RSA {12345} KA {{12345} KA } KB = {{12345} KB } KA {12345} KB {12345} KA {{12345} KA } KI = {{12345} KI } KA Problem of Authentication {12345} KI 8 / 46

25 Logical Attacks Examples of kinds of attack Man-in-the-middle (or parallel sessions) attack: pass messages through to another session A I B. Replay (or freshness) attack: record and later re-introduce a message or part. Reflection attack: send transmitted information back to originator. Oracle attack: take advantage of normal protocol responses as encryption and decryption services. Type flaw (confusion) attack: substitute a different type of message field (e.g. a key vs. a name). 9 / 46

26 Diffie-Hellman Outline Logical Attacks Diffie-Hellman Dolev Yao s Intruder Undecidability for unbounded number of sessions Conclusion 10 / 46

27 Diffie-Hellman The Diffie-Hellman protocol g, p are public parameters. g x mod p Diffie chooses x and computes g x mod p. Hellman chooses y and computes g y mod p. Basic Diffie-Hellman key-exchange: initiator I and responder R exchange public half-keys to arrive at mutual session key k = g xy mod p. 11 / 46

Hellman chooses y and computes g y mod p.

28 Diffie-Hellman The Diffie-Hellman protocol g, p are public parameters. g x mod p g y mod p Diffie chooses x and computes g x mod p. Hellman chooses y and computes g y mod p. Basic Diffie-Hellman key-exchange: initiator I and responder R exchange public half-keys to arrive at mutual session key k = g xy mod p. 11 / 46

29 Diffie-Hellman Man-in-the-middle attack Choose g, p Generate x Compute X = g xmod p x Compute k I = Z mod p I (1) X [g,p] (2) Z A Generate z z Compute Z = g mod p z Compute k I = X mod p (1 ) Z [g,p] (2 ) Y z Compute k R = Y mod p R Generate y y Compute Y = g mod p y Compute k R = Z mod p 12 / 46

30 Outline Logical Attacks Diffie-Hellman Dolev Yao s Intruder Undecidability for unbounded number of sessions Conclusion 13 / 46

31 Messages Abstraction Names: A, B or Alice, Bob,... Nonces: N A. Fresh data. Keys: K and inverse keys K 1 Asymmetric Encryption: : {M} KA Symmetric Encryption: {M} KAB. Message concatenation: M 1,M 2. Example: { A N B,K AB } KB. 14 / 46

32 Example: Needham-Schroeder Protocol 1978 {N A,A} KB 15 / 46

33 Example: Needham-Schroeder Protocol 1978 {N A,A} KB {N A,N B } KA 15 / 46

34 Example: Needham-Schroeder Protocol 1978 {N A,A} KB {N A,N B } KA {N B } KB 15 / 46

35 Example: Needham-Schroeder Protocol 1978 {N A,A} KB {N A,N B } KA {N B } KB Question Is N B a shared secret between A et B? 15 / 46

36 Example: Needham-Schroeder Protocol 1978 {N A,A} KB {N A,N B } KA {N B } KB Question Is N B a shared secret between A et B? Answer In 1995, G.Lowe find an attack 17 years after its publication! 15 / 46

37 Lowe Attack on the Needham-Schroeder so-called Man in the middle attack Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b } KA A B : {N b } KB 16 / 46

38 Lowe Attack on the Needham-Schroeder so-called Man in the middle attack {A,N a } KI Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b } KA A B : {N b } KB 16 / 46

39 Lowe Attack on the Needham-Schroeder so-called Man in the middle attack {A,N a } KI {A,N a } KB Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b } KA A B : {N b } KB 16 / 46

40 Lowe Attack on the Needham-Schroeder so-called Man in the middle attack {A,N a } KI {A,N a } KB {N a,n b } KA Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b } KA A B : {N b } KB 16 / 46

41 Lowe Attack on the Needham-Schroeder so-called Man in the middle attack {A,N a } KI {N a,n b } KA {A,N a } KB {N a,n b } KA Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b } KA A B : {N b } KB 16 / 46

42 Lowe Attack on the Needham-Schroeder so-called Man in the middle attack {A,N a } KI {N a,n b } KA {A,N a } KB {N a,n b } KA {N b } KI Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b } KA A B : {N b } KB 16 / 46

43 Lowe Attack on the Needham-Schroeder so-called Man in the middle attack {A,N a } KI {N a,n b } KA {A,N a } KB {N a,n b } KA {N b } KI {N b } KB Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b } KA A B : {N b } KB 16 / 46

44 Needham-Schroeder corrected by Lowe 1995 {A,N A } KB 17 / 46

45 Needham-Schroeder corrected by Lowe 1995 {A,N A } KB {N A,N B,B} KA 17 / 46

46 Needham-Schroeder corrected by Lowe 1995 {A,N A } KB {N A,N B,B} KA {N B } KB 17 / 46

47 Needham-Schroeder corrected by Lowe 1995 {A,N A } KB {N A,N B,B} KA {N B } KB Question This time the protocol is secure? 17 / 46

48 Needham-Schroeder corrected by Lowe 1995 {A,N A } KB {N A,N B,B} KA {N B } KB Question This time the protocol is secure? Answer There exists a type flaw attack. 17 / 46

49 Type flaw attacks A message consists of a sequence of sub-messages. Examples: a principal s name, a nonce, a key,... Messages sent as bit strings. No type information Type flaw is when A B : M and B accepts M as valid but parses it differently. I.e., B interprets the bits differently than A. Example: two 16-bit nonces {N A,N B } could be mistaken as a 32-bit shared key. Let s consider several examples from actual protocols. 18 / 46

50 Type Flaw Attack on the Needham-Schroeder-Lowe Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b,b} KA A B : {N b } KB 19 / 46

51 Type Flaw Attack on the Needham-Schroeder-Lowe {A,I } KB Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b,b} KA A B : {N b } KB 19 / 46

52 Type Flaw Attack on the Needham-Schroeder-Lowe {A,I } KB {I,N b,b} KA Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b,b} KA A B : {N b } KB 19 / 46

53 Type Flaw Attack on the Needham-Schroeder-Lowe {I,(N b,b)} KA {A,I } KB {I,N b,b} KA Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b,b} KA A B : {N b } KB 19 / 46

54 Type Flaw Attack on the Needham-Schroeder-Lowe {I,(N b,b)} KA {(N b,b),n a,a} KI {A,I } KB {I,N b,b} KA Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b,b} KA A B : {N b } KB 19 / 46

55 Type Flaw Attack on the Needham-Schroeder-Lowe {I,(N b,b)} KA {(N b,b),n a,a} KI {A,I } KB {I,N b,b} KA {N b } KB Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b,b} KA A B : {N b } KB 19 / 46

56 Type Flaw Attack on the Needham-Schroeder-Lowe {I,(N b,b)} KA {(N b,b),n a,a} KI {N a } KA {A,I } KB {I,N b,b} KA {N b } KB Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b,b} KA A B : {N b } KB 19 / 46

57 Another Type Flaw Attack: Otway-Rees Protocol Otway-Rees 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B S : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 S B : (M,(N A,Kab) Kas,(N B,Kab) Kbs ) 4 B A : (M,(N A,Kab) Kas ) where M is the session-identifier. 20 / 46

58 Another Type Flaw Attack: Otway-Rees Protocol Otway-Rees 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B S : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 S B : (M,(N A,Kab) Kas,(N B,Kab) Kbs ) 4 B A : (M,(N A,Kab) Kas ) where M is the session-identifier. Attack 20 / 46

59 Another Type Flaw Attack: Otway-Rees Protocol Otway-Rees 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B S : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 S B : (M,(N A,Kab) Kas,(N B,Kab) Kbs ) 4 B A : (M,(N A,Kab) Kas ) where M is the session-identifier. Attack 1 A B : (M,A,B,(N A,M,A,B) Kas ) 20 / 46

60 Another Type Flaw Attack: Otway-Rees Protocol Otway-Rees 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B S : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 S B : (M,(N A,Kab) Kas,(N B,Kab) Kbs ) 4 B A : (M,(N A,Kab) Kas ) where M is the session-identifier. Attack 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B I(S) : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 20 / 46

61 Another Type Flaw Attack: Otway-Rees Protocol Otway-Rees 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B S : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 S B : (M,(N A,Kab) Kas,(N B,Kab) Kbs ) 4 B A : (M,(N A,Kab) Kas ) where M is the session-identifier. Attack 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B I(S) : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 I(S) B : (M,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) Kab = (M,A,B) 20 / 46

62 Another Type Flaw Attack: Otway-Rees Protocol Otway-Rees 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B S : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 S B : (M,(N A,Kab) Kas,(N B,Kab) Kbs ) 4 B A : (M,(N A,Kab) Kas ) where M is the session-identifier. Attack 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B I(S) : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 I(S) B : (M,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) Kab = (M,A,B)4 B A : (M,(N A,M,A,B) Kas ) 20 / 46

63 Another Type Flaw Attack: Otway-Rees Protocol Otway-Rees 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B S : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 S B : (M,(N A,Kab) Kas,(N B,Kab) Kbs ) 4 B A : (M,(N A,Kab) Kas ) where M is the session-identifier. Attack 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B I(S) : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 I(S) B : (M,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) Kab = (M,A,B)4 B A : (M,(N A,M,A,B) Kas ) 20 / 46

64 Another Type Flaw Attack: Woo Lam Protocol Woo Lam 1 A B : (A) 2 B A : (N B ) 3 A B : (A,B,N B ) Kas 4 B S : (A,B,(A,B,N B ) Kas ) Kbs 5 S B : (A,B,N B ) Kbs 21 / 46

65 Another Type Flaw Attack: Woo Lam Protocol Woo Lam 1 A B : (A) 2 B A : (N B ) 3 A B : (A,B,N B ) Kas 4 B S : (A,B,(A,B,N B ) Kas ) Kbs 5 S B : (A,B,N B ) Kbs Attack 1 I(A) B : (A) 21 / 46

66 Another Type Flaw Attack: Woo Lam Protocol Woo Lam 1 A B : (A) 2 B A : (N B ) 3 A B : (A,B,N B ) Kas 4 B S : (A,B,(A,B,N B ) Kas ) Kbs 5 S B : (A,B,N B ) Kbs Attack 1 I(A) B : (A) 2 B I(A) : (N B ) 21 / 46

67 Another Type Flaw Attack: Woo Lam Protocol Woo Lam 1 A B : (A) 2 B A : (N B ) 3 A B : (A,B,N B ) Kas 4 B S : (A,B,(A,B,N B ) Kas ) Kbs 5 S B : (A,B,N B ) Kbs Attack 1 I(A) B : (A) 2 B I(A) : (N B ) 3 I(A) B : (N B ) instead of (A,B,N B ) Kas 21 / 46

68 Another Type Flaw Attack: Woo Lam Protocol Woo Lam 1 A B : (A) 2 B A : (N B ) 3 A B : (A,B,N B ) Kas 4 B S : (A,B,(A,B,N B ) Kas ) Kbs 5 S B : (A,B,N B ) Kbs Attack 1 I(A) B : (A) 2 B I(A) : (N B ) 3 I(A) B : (N B ) instead of (A,B,N B ) Kas 4 B I(S) : (A,B,N B ) Kbs 21 / 46

69 Another Type Flaw Attack: Woo Lam Protocol Woo Lam 1 A B : (A) 2 B A : (N B ) 3 A B : (A,B,N B ) Kas 4 B S : (A,B,(A,B,N B ) Kas ) Kbs 5 S B : (A,B,N B ) Kbs Attack 1 I(A) B : (A) 2 B I(A) : (N B ) 3 I(A) B : (N B ) instead of (A,B,N B ) Kas 4 B I(S) : (A,B,N B ) Kbs 5 I(S) B : (A,B,N B ) Kbs 21 / 46

70 What about Computational Security for Needham Schroeder? A Computational Analysis of the Needham Schroder Lowe Protocol by Bogdan Warinschi in Journal of Computer Security; 13(3), pp: , If encryption scheme is IND-CCA then Needham Schroder Lowe Protocol is indeed a secure mutual authentication protocol. 22 / 46

71 Link between Computational and Symbolic Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption) 2000, by Martin Abadi, Phillip Rogaway in IFIP International Conference on Theoretical Computer Science. Using an hybrid Argument ;-) 23 / 46

72 Questions? How can we find such attacks? Models for Protocols Models for Properties Theories Dedicated Techniques Tools Automatic Semi-automatic 24 / 46

73 Why is it difficult to verify such protocols? Messages: Size not bounded Nonces: Arbitrary number Channel: Insecure Intruder: Unlimited capabilities Instances: Unbounded numbers of principals Interleaving: Unlimited applications of the protocol. 25 / 46

74 FFGG by J.Millen 1 A B : A 2 B A : B,N,M 3 A B : A, {N,M,S} PkB for B view A, {N,X,S} PkB 4 B A : N,X, {X,S,N} PkB 26 / 46

75 FFGG by J.Millen 1 A B : A 2 B A : B,N,M 3 A B : A, {N,M,S} PkB for B view A, {N,X,S} PkB 4 B A : N,X, {X,S,N} PkB Is S secret? 26 / 46

76 FFGG by J.Millen 1 A B : A 2 B A : B,N,M 3 A B : A, {N,M,S} PkB for B view A, {N,X,S} PkB 4 B A : N,X, {X,S,N} PkB Is S secret? Parallel Attack 1.1 A B : A 2.1 A B : A 1.2 B I(A) : B,N 1,M B I(A) : B,N 2,M I(B) A : B,N 1,N 2 a 1.3 A B : A, {N 1,N 2,S} PkB b 1.4 B A : N 1,N 2, {N 2,S,N 1 } PkB c 2.3 I(A) B : A, {N 2,S,N 1 } PkB d 2.4 B A : N 2,S, {S,N 1,N 2 } PkB 26 / 46

77 TMN Protocol: Distribution of a fresh symmetric key [Tatebayashi, Matsuzuki, Newmann 89]: O S I : O,I, {N O } PubS : S,O : I,O, {N I } PubS : S,I,N O N I Osiris retrieves N I : 27 / 46

78 Attack on TMN Protocol [Simmons 94] With homomorphic encryption {a} k {b} k = {a b} k B S C : B, C, {N I } PubS {N B } PubS }{{} {N I N B } PubS : S, B : C, B, {N C } PubS : S, (N I N B ) N C Buto Learns: 28 / 46

79 Dolev Yao s Intruder Outline Logical Attacks Diffie-Hellman Dolev Yao s Intruder Undecidability for unbounded number of sessions Conclusion 29 / 46

80 Dolev Yao s Intruder The Intruder is the Network (Worst Case) 30 / 46

81 Dolev Yao s Intruder The Intruder is the Network (Worst Case) Listen Passive: Intruder deduction problem 30 / 46

82 Dolev Yao s Intruder The Intruder is the Network (Worst Case) Listen Intercept message Passive: Intruder deduction problem Active: Security problem (Re)play message Delete message 30 / 46

83 Dolev Yao s Intruder The Intruder is the Network (Worst Case) Listen Intercept message Passive: Intruder deduction problem Active: Security problem (Re)play message Delete message Intruder Capabilities (Dolev-Yao Model 80 s) Encryption, Decryption with a key Pairing, Projection. 30 / 46

84 Dolev Yao s Intruder Dolev-Yao 1982 Intruder controls the network and can: intercept messages modify messages block messages generate new messages insert new messages Perfect cryptography: Abstraction with terms algebra Decryption only if inverse key is known Protocol has Arbitrary number of principals Arbitrary number of parallel sessions Messages with arbitrary size 31 / 46

85 Dolev Yao s Intruder Proof System A sequent is an expression of the form T u. Definition A proof of a sequent T u is a tree whose nodes are labeled by either sequents or expressions of the form v T, such that: Each leaf is labeled by an expression of the form v T, and each non-leaf node is labeled by an sequent. Each node labeled by a sequent T v has n children labeled by T s 1,...,T s n such that there is an instance of an inference rule with conclusion T E v and hypotheses T s 1,...,T s n. The root of the tree is labeled by T u. A subproof of a proof P is a subtree of P. 32 / 46

86 Dolev Yao s Intruder Notions for Proof System Definition Size of a proof P of T u is denoted by P, is the number of nodes in the proof. A proof P of T u is minimal if there does not exist a proof P of T u such that P < P. 33 / 46

87 Dolev Yao s Intruder Dolev-Yao Deduction System Deduction System : T 0? s (A) u T 0 T 0 u (UL) T 0 u,v T 0 u (P) T 0 u T 0 v T 0 u,v (UR) T0 u,v T 0 v (C) T 0 u T 0 v T 0 {u} v (D) T 0 {u} v T 0 v T 0 u 34 / 46

88 Dolev Yao s Intruder Example: T 0? s Example T 0 = {k, {b} c, a, {c} k } and s = b 35 / 46

89 Dolev Yao s Intruder Example: T 0? s Example T 0 = {k, {b} c, a, {c} k } and s = b (D) (A) a, {c} k T 0 T 0 a, {c} k (A) {b} (UR) (A) k T 0 c T 0 T 0 {c} k T 0 k (D) T 0 {b} c T 0 c T 0 b 35 / 46

90 Dolev Yao s Intruder Exercise: T 0? s Is it possible from T 0 to deduce s T 0 = {a,k} and s = a, {a} k T 0 = {a,k} and s = b, {k} a T 0 = {{k} a,b} and s = {b} {k}a, {k} a T 0 = { a, {k} a } and s = { a, {k} a } k 36 / 46

91 Undecidability for unbounded number of sessions Outline Logical Attacks Diffie-Hellman Dolev Yao s Intruder Undecidability for unbounded number of sessions Conclusion 37 / 46

92 Undecidability for unbounded number of sessions Main Results In general security problem undecidable [DLMS 99, AC 01] Bounded number of session Decidability [AL 00, RT 01] 38 / 46

93 Undecidability for unbounded number of sessions Undecidability Definition (Post Correspondence Problem (PCP)) Let Σ be a finite alphabet. Input : Sequence of pairs u i,v i 1 i n u i,v i Σ, n N Question : Existence of k,i 1,...,i k N such that u i1...u ik = v i1...v ik? 39 / 46

94 Undecidability for unbounded number of sessions Undecidability Definition (Post Correspondence Problem (PCP)) Let Σ be a finite alphabet. Input : Sequence of pairs u i,v i 1 i n u i,v i Σ, n N Question : Existence of k,i 1,...,i k N such that u i1...u ik = v i1...v ik? Example u 1 u 2 u 3 u 4 v 1 v 2 v 3 v 4 aba bbb aab bb a aaa abab babba Solution: 1431 u 1 u 4 u 3 u 1 = aba bb aab aba = a babba abab a = v 1 v 4 v 3 v 1 But no solution for u 1,v 1, u 2,v 2, u 3,v 3 39 / 46

95 Undecidability for unbounded number of sessions Undecidability Definition (Post Correspondence Problem (PCP)) Let Σ be a finite alphabet. Input : Sequence of pairs u i,v i 1 i n u i,v i Σ, n N Question : Existence of k,i 1,...,i k N such that u i1...u ik = v i1...v ik? Example u 1 u 2 u 3 u 4 v 1 v 2 v 3 v 4 aba bbb aab bb a aaa abab babba Solution: 1431 u 1 u 4 u 3 u 1 = aba bb aab aba = a babba abab a = v 1 v 4 v 3 v 1 But no solution for u 1,v 1, u 2,v 2, u 3,v 3 PCP is undecidable 39 / 46

96 Undecidability for unbounded number of sessions Undecidability for Protocols We construct a protocol such that decidability of secret implies decidability of PCP. A : send({ u i,v i } Kab ) (1 i n) B : receive({ x,y } Kab ) send( { x u i,y v i } Kab, {s} { x ui,x u i } Kab ) (1 i n) We assume that K AB is a shared key between A and B. Intruder can find s iff he can solve PCP. 40 / 46

97 Conclusion Outline Logical Attacks Diffie-Hellman Dolev Yao s Intruder Undecidability for unbounded number of sessions Conclusion 41 / 46

98 Conclusion Summary Today Diffie Hellman Dolev Yao Intruder Undecidability Result 42 / 46

99 Conclusion Next Time Passive Intruder Locality 43 / 46

100 Conclusion Thank you for your attention. Questions? 44 / 46

101 Conclusion Some References A Necessarily Parallel Attack (1999), Jonathan K. Millen In Workshop on Formal Methods and Security Protocols Makoto Tatebayashi, Natsume Matsuzaki, David B. Newman, Jr., Key Distribution Protocol for Digital Mobile Communication Systems, Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology, p , August 20-24, 1989 Needham, Roger; Schroeder, Michael (December 1978). Using encryption for authentication in large networks of computers.. Communications of the ACM 21 (12): Lowe, Gavin (November 1995). An attack on the Needham-Schroeder public key authentication protocol.. Information Processing Letters 56 (3): / 46

102 Conclusion Some References Using CSP to Detect Errors in the TMN Protocol, Gavin Lowe and Bill Roscoe 1997 Undecidability of bounded security protocols. N. Durgin, P. Lincoln, J. Mitchell, and A. Scedrov. In Proc. Workshop on formal methods in security protocols, Trento, Italy, / 46

Verification of Security Protocols in presence of Equational Theories with Homomorphism

Verification of Security Protocols in presence of Equational Theories with Homomorphism Stéphanie Delaune France Télécom, division R&D, LSV CNRS & ENS Cachan February, 13, 2006 Stéphanie Delaune (FT R&D,