Automated Analysis of the Security of XOR-Based Key Management Schemes

Similar documents
Quantum Wireless Sensor Networks

A new security notion for asymmetric encryption Draft #8

Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool

Lecture 3,4: Multiparty Computation

On the Automatic Analysis of Recursive Security Protocols with XOR

A new security notion for asymmetric encryption Draft #10

Cryptography. P. Danziger. Transmit...Bob...

A new security notion for asymmetric encryption Draft #12

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

RSA RSA public key cryptosystem

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

Exercise Sheet Cryptography 1, 2011

Models and analysis of security protocols 1st Semester Security Protocols Lecture 6

Hardness of Mastermind

An undecidability result for AGh

Complexity of Checking Freshness of Cryptographic Protocols

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Gurgen Khachatrian Martun Karapetyan

Intruder Deduction for AC-like Equational Theories with Homomorphisms

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Verification of Security Protocols in presence of Equational Theories with Homomorphism

Symbolic Protocol Analysis with Products and Diffie-Hellman Exponentiation

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

StatVerif: Modelling protocols that involve persistent state

Rapporto di Ricerca CS

An Undecidability Result for AGh

Cryptographic Protocols Notes 2

Winter 2011 Josh Benaloh Brian LaMacchia

Public Key Cryptography

Decidable Analysis of Cryptographic Protocols with Products and Modular Exponentiation

The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability

Complexity of automatic verification of cryptographic protocols

ASYMMETRIC ENCRYPTION

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Introduction to Cybersecurity Cryptography (Part 4)

Algebraic Intruder Deductions

Cryptographical Security in the Quantum Random Oracle Model

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Division Property: a New Attack Against Block Ciphers

Introduction to Cybersecurity Cryptography (Part 4)

Notes on BAN Logic CSG 399. March 7, 2006

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC

18733: Applied Cryptography Anupam Datta (CMU) Course Overview

Recommended Reading. A Brief History of Infinity The Mystery of the Aleph Everything and More

A Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures

The odd couple: MQV and HMQV

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Fast Cryptanalysis of the Matsumoto-Imai Public Key Scheme

CPSC 467: Cryptography and Computer Security

Automata-based analysis of recursive cryptographic protocols

Biomedical Security. Overview 9/15/2017. Erwin M. Bakker

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols

Cryptography and Security Midterm Exam

A Logic of Authentication

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Guessing bank PINs by winning a Mastermind game

Bachet s equation and groups formed from solutions in Z p

Synthesising Secure APIs

A process algebraic analysis of privacy-type properties in cryptographic protocols

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

The Elliptic Curve in https

dit-upm RSA Cybersecurity Cryptography

CPSC 467b: Cryptography and Computer Security

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

Two Posts to Fill On School Board

CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL

Encoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

Universal Blind Quantum Computing

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Other Public-Key Cryptosystems

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

8.1 Principles of Public-Key Cryptosystems

Ma/CS 6a Class 3: The RSA Algorithm

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

8 Elliptic Curve Cryptography

A Small Subgroup Attack on Arazi s Key Agreement Protocol

Background: Lattices and the Learning-with-Errors problem

Number theory (Chapter 4)

Introduction to Modern Cryptography Lecture 4

Short Exponent Diffie-Hellman Problems

10 Concrete candidates for public key crypto

Public Key Cryptography

Carmen s Core Concepts (Math 135)

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Introduction to Cryptography. Lecture 8

Probabilistic Model Checking of Security Protocols without Perfect Cryptography Assumption

Cryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1

CPSC 467b: Cryptography and Computer Security

Advanced Cryptography 1st Semester Public Encryption

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Topics. Probability Theory. Perfect Secrecy. Information Theory

Cryptography and Security Final Exam

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Cryptography 2017 Lecture 2

functions. E.G.BARDIS*, N.G.BARDIS*, A.P.MARKOVSKI*, A.K.SPYROPOULOS**

Transcription:

Automated Analysis of the Security of XOR-Based Key Management Schemes Véronique Cortier, Gavin Keighren, Graham Steel E H U N I V E R S I T Y T O H F R G E D I N B U

1 Automated Teller Machines

2

3 Criticality of Key Management PIN derived by: Write account number (PAN) as 0000AAAAAAAAAAAA

3 Criticality of Key Management PIN derived by: Write account number (PAN) as 0000AAAAAAAAAAAA 3DES encrypt under a PDK (PIN Derivation Key) Decimalise first 4 digits of result

3 Criticality of Key Management PIN derived by: Write account number (PAN) as 0000AAAAAAAAAAAA 3DES encrypt under a PDK (PIN Derivation Key) Decimalise first 4 digits of result PIN = IPIN + Offset (modulo 10 each digit) Offset NOT secure!

4

4 data, pin, imp,...

4 data, pin, imp,... { d1 } km data { pdk1 } km pin

5 CCA API - Examples Encrypt Data: Host HSM : { D1 } km data, Message HSM Host : { Message } D1

5 CCA API - Examples Encrypt Data: Host HSM : { D1 } km data, Message HSM Host : { Message } D1 Verify PIN: Host HSM : { PINBlock } p1, PAN, { pdk1 } km pin, OFFSET, { p1 } km ipinenc HSM Host : yes/no

6 Importing Key Parts Separation of duty Key k = k1 k2 Host HSM : k1, TYPE HSM Host : { k1 } km kp TYPE

6 Importing Key Parts Separation of duty Key k = k1 k2 Host HSM : k1, TYPE HSM Host : { k1 } km kp TYPE Host HSM : { k1 } km kp TYPE, k2, TYPE HSM Host : { k1 k2 } km TYPE Usually used to import a key encrypting key ({ KEK } km imp )

7 Importing Encrypted Keys Exported from another 4758 encrypted under KEK TYPE Key Import: Host HSM : { KEY1 } KEK TYPE, TYPE, { KEK } km imp HSM Host : { KEY1 } km TYPE

8 Attack (Bond, 2001) (part 1) PIN derivation key: { pdk } kek pin Have key part { kek k2 } km imp kp for known k2

8 Attack (Bond, 2001) (part 1) PIN derivation key: { pdk } kek pin Have key part { kek k2 } km imp kp for known k2 Host HSM : { kek k2 } km kp imp, k2 pin data, imp HSM Host : { kek pin data} km imp

9 Attack (Bond, 2001) (part 2) Key Import Host HSM : { pdk } kek pin, data, { kek pin data } km imp HSM Host : { pdk } km data

9 Attack (Bond, 2001) (part 2) Key Import Host HSM : { pdk } kek pin, data, { kek pin data } km imp HSM Host : { pdk } km data Encrypt data Host HSM : { pdk } km data, pan HSM Host : { pan } pdk (= PIN!)

10 IBM Recommendations Published in response to attacks

10 IBM Recommendations Published in response to attacks 1. Use asymmetric key crypto for key import 2 officer protocol to generate key pair at destination, transfer public key to source PKA SYMMETRIC KEY IMPORT command

10 IBM Recommendations Published in response to attacks 1. Use asymmetric key crypto for key import 2 officer protocol to generate key pair at destination, transfer public key to source PKA SYMMETRIC KEY IMPORT command 2. More access control security officers access fewer commands

10 IBM Recommendations Published in response to attacks 1. Use asymmetric key crypto for key import 2 officer protocol to generate key pair at destination, transfer public key to source PKA SYMMETRIC KEY IMPORT command 2. More access control security officers access fewer commands 3. Procedural controls to check entered key parts

10 IBM Recommendations Published in response to attacks 1. Use asymmetric key crypto for key import 2 officer protocol to generate key pair at destination, transfer public key to source PKA SYMMETRIC KEY IMPORT command 2. More access control security officers access fewer commands 3. Procedural controls to check entered key parts Not to be confused with Bond s own recommendations

11 Formal Modelling Following the classical Dolev-Yao style: Bitstrings modelled as terms Cryptography modelled as function on terms

11 Formal Modelling Following the classical Dolev-Yao style: Bitstrings modelled as terms Cryptography modelled as function on terms API rules modelled as Horn clauses

11 Formal Modelling Following the classical Dolev-Yao style: Bitstrings modelled as terms Cryptography modelled as function on terms API rules modelled as Horn clauses Security problem modelled as derivability of a secret term

12 Examples Encrypt data: x,{ xd1} km data { x } xd1

12 Examples Encrypt data: x,{ xd1} km data { x } xd1 Intruder rules: x,y { x } y { x } y,y x x,y x y

12 Examples Encrypt data: x,{ xd1} km data { x } xd1 Intruder rules: x,y { x } y { x } y,y x x,y x y Secrecy problem undecidable in general

13 Characterisation of Class Finite set of atoms (km, imp, data, pin,...) XOR term ::= atom atom XOR term Encryption term ::= { XOR term } XOR term Well Formed Term ::= Encryption term XOR term Well Formed Rule ::= WFT,..., WFT WFT

14 Theorem If: R finite set of well-formed rules S finite set of well-formed ground terms u some ground well-formed term Then: S R u S R u using only well-formed terms.

14 Theorem If: R finite set of well-formed rules S finite set of well-formed ground terms u some ground well-formed term Then: S R u S R u using only well-formed terms. Corollary: The question of whether S R u is decidable

15 Decision Procedure 2 12 possible unencrypted terms 2 24 possible encrypted terms ({. }. )

15 Decision Procedure 2 12 possible unencrypted terms 2 24 possible encrypted terms ({. }. ) Encode terms as integers kek pin data km kp kek imp exp data pin 19 0 0 1 0 0 1 1

15 Decision Procedure 2 12 possible unencrypted terms 2 24 possible encrypted terms ({. }. ) Encode terms as integers kek pin data km kp kek imp exp data pin 19 0 0 1 0 0 1 1 Each rule is a partial function f : N k N for k inputs e.g. f 1 : x1,x2 x1 x2 x1,x2 x1 x2

15 Decision Procedure 2 12 possible unencrypted terms 2 24 possible encrypted terms ({. }. ) Encode terms as integers kek pin data km kp kek imp exp data pin 19 0 0 1 0 0 1 1 Each rule is a partial function f : N k N for k inputs e.g. f 1 : x1,x2 x1 x2 x1,x2 x1 x2 f 2 : [xky x],xtype,[xkek km imp] [xky km xtype] IF x = xkek xtype

16 Decision Procedure 1. Allocate sufficient memory for all possible terms 2. Set to 1 locations corresponding to initial knowledge, rest to 0 3. Exhaustively apply each rule, setting newly discovered terms to 1 4. Repeat 3 until no new terms are discovered

16 Decision Procedure 1. Allocate sufficient memory for all possible terms 2. Set to 1 locations corresponding to initial knowledge, rest to 0 3. Exhaustively apply each rule, setting newly discovered terms to 1 4. Repeat 3 until no new terms are discovered Some optimisations used

16 Decision Procedure 1. Allocate sufficient memory for all possible terms 2. Set to 1 locations corresponding to initial knowledge, rest to 0 3. Exhaustively apply each rule, setting newly discovered terms to 1 4. Repeat 3 until no new terms are discovered Some optimisations used Possible attack on recommendation 1!

16 Decision Procedure 1. Allocate sufficient memory for all possible terms 2. Set to 1 locations corresponding to initial knowledge, rest to 0 3. Exhaustively apply each rule, setting newly discovered terms to 1 4. Repeat 3 until no new terms are discovered Some optimisations used Possible attack on recommendation 1! After fix, verifies all recommendations in a few seconds

17 Evaluation Attack As serious as the original Bond attack API Modelling Methodology Works well for this stateless API, will need further work to broaden scope XOR/integer representation trick Highly efficient, but requires finite vocabulary of terms

18 Related Work Decidable classes for protocols using XOR: Comon and Cortier 03, Verma et al. 05 incomparable Otter work, Youn et. al 05: Rediscovered old attacks, used heuristics without proof Courant & Monin 06: Verified Bond s proposed fixes

19 Summary Found a new attack on the CCA API Proved decidability for a class containing the API Devised new representation and decision procedure Verified a fixed version of the API More to do (key conjuring, parallel key search...)

19 Summary Found a new attack on the CCA API Proved decidability for a class containing the API Devised new representation and decision procedure Verified a fixed version of the API More to do (key conjuring, parallel key search...) EPSRC Project Automated Analysis of Security Critical Systems http://dream.inf.ed.ac.uk/projects/aascs/

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback