On the (im)possibility of perennial message recognition protocols without public-key cryptography Peeter Laud Cybernetica AS & University of Tartu


1 On the (im)possibility of perennial message recognition protocols without public-key cryptography Peeter Laud Cybernetica AS & University of Tartu http://www.cs.ut.ee/~peeter_l (joint work with Madeline González Muñiz)

2 Message recognition protocols ● Alice, Bob: never met before, know nothing about each other ● Authentic channel ● Eve ● Later wants to send messages in an authentic manner ● How can we extend authenticity? ● Bob does not accept a that Eve has not sent ● This setup corresponds to certain trust models in ad hoc networks

3 A simple solution ● During the initialization phase, Alice generates signing key and verification key ● Alice sends verification key to Bob ● During the main phase, Alice signs the messages using the newly generated key ● Bob can verify the signatures

4 Another simple solution ● During the initialization phase, Alice and Bob perform a Diffie-Hellman key exchange ● They agree on a secret ● During the main phase, Alice sends to Bob

5 What if public-key cryptography is too expensive?

6 Using hash chains ● During initialization, Alice generates secret and defines ● Alice sends to Bob ● Main phase: the i-th send by Alice (of some M): ● Bob already knows and can verify ● Hash chains are not cheap, either: they need time, memory, or a combination of both

7 Problems: robustness ● Eve can cause Alice and Bob to go “out of sync” ● In the Jane Doe protocol, Bob sends back acknowledgments ● authenticated in the same way – Bob also creates a hash chain ● Alice and Bob do not move forward as long as they have not received the ACK for the previous message ● If Eve stops interfering, the messages from Alice will be accepted by Bob

8 Perenniality ● What if Eve goes away only after Alice and Bob have consumed their hash chains? ● A message recognition protocol is perennial if the number of rounds Alice and Bob can participate in is not limited during the initialization phase ● Perenniality — if Eve stops interfering then all messages sent by Alice will be accepted by Bob. ● Alice and Bob do not know if/when Eve stops
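
An added example, not taken from the slides, for the hash-chain idea of slide 6 and the exhaustion problem raised on slide 8. The slide's own formulas did not survive in this transcript, so the commit-then-reveal construction, the use of SHA-256 and HMAC, and all names below are assumptions; the acknowledgements of the Jane Doe protocol are left out.

```python
import hashlib, hmac, os

def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()

class Alice:
    def __init__(self, n: int):
        # Build seed, h(seed), ..., h^n(seed), then reverse it so that
        # chain[0] is the public anchor and h(chain[i]) == chain[i-1].
        chain = [os.urandom(32)]
        for _ in range(n):
            chain.append(h(chain[-1]))
        self.chain = chain[::-1]  # stored whole: O(n) memory, no rehashing
        self.i = 0

    def anchor(self) -> bytes:
        return self.chain[0]

    def send(self, payload: bytes):
        if self.i + 1 >= len(self.chain):
            raise RuntimeError("hash chain consumed")
        self.i += 1
        key = self.chain[self.i]
        # On a real channel the commitment is delivered before the key.
        return (payload, tag(key, payload)), key

class Bob:
    def __init__(self, anchor: bytes):
        self.last = anchor  # received over the authentic channel

    def receive(self, commitment, key: bytes) -> bool:
        payload, t = commitment
        if not hmac.compare_digest(h(key), self.last):
            return False  # key is not the next preimage in the chain
        if not hmac.compare_digest(tag(key, payload), t):
            return False  # payload was not committed to under this key
        self.last = key
        return True

def accepted_before_exhaustion(n: int, attempts: int) -> int:
    # Chain length n is fixed at initialization, so at most n sends succeed.
    alice = Alice(n)
    bob = Bob(alice.anchor())
    ok = 0
    for k in range(attempts):
        try:
            ok += bob.receive(*alice.send(b"msg %d" % k))
        except RuntimeError:
            break
    return ok
```
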

9 Authentic and perennial MRP-s ● Are there any authentic and perennial MRP-s that use only symmetric cryptography? ● symmetric encryption, hash functions, MAC-s, random numbers, one-way functions or permutations,... ● not too well defined – not signatures or Diffie-Hellman... ● Some have been proposed, all have been broken. ● We show that the answer is: No

10 Perfect cryptography model ● Messages — elements of a term algebra ● a given set of constructors ● given set of rules for message construction and taking apart – also applies to the adversary ● possibly: a congruence relation over messages – to model primitives like XOR

11 Synchronous communication ● Protocol proceeds in rounds ● In a round: [Diagram: Alice and Bob compute; Eve computes; accept]

12 Communication rounds ● Both initialization and main phase can be modeled like this ● In the initialization phase: ● Alice decides when main phase starts ● Eve decides when to leave ● Payloads that Alice sends to Bob are determined by Eve

13 Message constructors ● Constants, nonces, payloads are messages ● If are messages then is a message ● If and are messages then is a message ● The congruence on messages expresses the properties of XOR ● there is a constant 0 ● Alice and Bob send sequences of messages to each other

14 Symmetric cryptography ● Hash functions and XOR capture symmetric cryptography ● is a random function ● Random permutation can be constructed from a random function using the Luby-Rackoff construction

15 Memories of Alice and Bob ● Alice and Bob have some internal state ● We do not care about its structure ● They also have message stores ● Sequence of messages, containing – nonces generated by him-/herself, – messages (presumably) received from the other party, – for Alice: payloads received from Eve ● Messages received from the network are added to the end of the message stores ● Messages to send to the other party are computed from the message stores

16 Common secrets ● A message s is a common secret for Alice and Bob, if ● it can be computed from Alice's message store ● it can be computed from Bob's message store ● it cannot be computed from Eve's view ● Proposition. Alice and Bob have no common secrets. ● Proof depends on properties of h and

17 Attacking the main phase ● There is a finite set of messages Z, such that ● As long as no message from Z “is sent” between Alice and Bob, Eve can simulate the traffic – Authenticity means: before Bob accepts a payload, a message in Z must be sent from Alice to Bob. ● Eve cannot simulate the step containing messages from Z, but can continue simulation after that – these messages are removed from Z ● Perenniality means: while Eve is not noticeable, Alice and Bob must work towards Bob accepting payloads ● Eventually Z will be empty and Eve can masquerade Alice

18 Simulation: more details ● Z is the set of submessages of messages exchanged during the initialization phase (as long as XORs are not used) ● Eve rewrites messages by replacing elements of Z, and new nonces generated by Alice or Bob, with new nonces of her own ● If Alice [Bob] sends a message to Bob [Alice] such that an element z ∈ Z can be found, then Eve removes z from Z and continues.
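
The bookkeeping of the set Z from slides 17 and 18, as an added example that is not part of the original presentation. It covers only the XOR-free case and only tracks how Z shrinks; Eve's rewriting of messages and the monomorphism argument are not modelled. The term encoding and the sample trace (a three-step hash chain) are constructed for illustration.

```python
# Terms: ("n", name) is an atom (nonce or payload), ("h", t) a hash,
# ("pair", a, b) a tuple. Hypothetical encoding, not from the slides.
def N(name): return ("n", name)
def H(t): return ("h", t)
def P(a, b): return ("pair", a, b)

def submessages(t):
    out = {t}
    for child in (() if t[0] == "n" else t[1:]):
        out |= submessages(child)
    return out

def analyze(messages):
    """Parts Eve can extract: tuples can be split, h cannot be inverted."""
    seen, todo = set(), list(messages)
    while todo:
        t = todo.pop()
        if t not in seen:
            seen.add(t)
            if t[0] == "pair":
                todo.extend(t[1:])
    return seen

def derivable(t, parts):
    """Eve knows t if she holds it or can build it from terms she knows."""
    if t in parts:
        return True
    return t[0] != "n" and all(derivable(c, parts) for c in t[1:])

def z_sizes(init_messages, main_messages):
    """Size of Z after initialization and after each main-phase message."""
    view = list(init_messages)
    Z = set().union(*(submessages(m) for m in init_messages))
    Z = {z for z in Z if not derivable(z, analyze(view))}
    sizes = [len(Z)]
    for m in main_messages:
        view.append(m)
        parts = analyze(view)
        Z = {z for z in Z if not derivable(z, parts)}
        sizes.append(len(Z))
    return sizes

# Constructed trace: Alice commits to h(h(h(s))) and later reveals preimages.
s = N("s")
INIT = [H(H(H(s)))]
MAIN = [P(N("M1"), H(H(s))), P(N("M2"), H(s)), P(N("M3"), s)]
```

On the constructed trace Z goes from three elements to none, which is the point at which slide 17 says Eve can masquerade Alice.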

19 Simulation: considering XOR-s ● The set Z also contains the XOR-s of all submessages of messages sent during the initialization phase ● remove from Z the messages that Eve knows ● Now it is possible to learn an element of Z without this element actually being sent as a message

20 Simulation: about the proof ● A homomorphism of messages is a homomorphism of the underlying algebra ● A party cannot notice a monomorphism applied to its message store ● Eve's translation defines a mapping φ on ● Alice's nonces – φ(r)=r for all nonces r ● messages received from Bob ● We must show φ can be extended to a monomorphism

21 Conclusions ● We have shown that authentication cannot be extended to infinity using just the primitives of symmetric cryptography. ● The proof had two parts ● no common secrets ● possibility of simulation ● Both parts depended on the choice of primitives

22 But in the computational model... ● Signature schemes can be constructed from hash functions ● Some constructions do not a priori bound the number of signatures possible – [Merkle, CRYPTO'87] ● MRP-s can be constructed from signature schemes ● If number of signatures is unbounded, then MRP is perennial

23 No common secrets ● Let be two sets of messages corresponding to how Alice and Bob could compute during the initialization phase ● The set is closed wrt. submessages ● If then or ● same when we swap Alice and Bob ● Let be such, that ● Those conditions keep holding when we apply a single computational step to messages in or and add the result back to this set.

24 Example: Mashatan-Stinson MRP ● Initialization phase: ● Alice generates nonces and sends to Bob ● Bob generates nonces and sends to Alice ● Note that the protocol uses only hash functions. ● Here the set Z is

25 Example: Mashatan-Stinson MRP ● Main phase: Alice must transmit a payload ● [Diagram: generate, check; generate, check] ● Increment the indices

26 Eve's simulation ● [Diagram: generate, remember] ● Bob does not notice a change

27 Eve's simulation ● [Diagram: generate] ● Elements of Z are sent now ● [Diagram: generate, remember] ● Alice does not notice a change

28 Eve's simulation ● [Diagram: generate] ● Bob compares and sees a problem

29 Resynchronization ● [Diagram: generate]

30 Eve's simulation: Alice's resynchronization ● [Diagram: generate] ● At this point, Eve can masquerade Alice

