Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

60 CHAPTER 3. PROTOCOLS WITH VULNERABLE HASH FUNCTIONS Motivations. We give now one motivation for each of the three major properties above. Consider a digital signature scheme wherein the signature is applied to the hash h(x) rather than the message x. Here h should be a second-preimage resistant hash function, otherwise, a intruder I may observe the signature of some agent A on h(x), then find an x ′ such that h(x ′ ) = h(x), and claim that A has signed x ′ . If I is able to actually choose the message which A signs, then I needs only find a pair x, x ′ such that h(x) = h(x ′ ) rather than the harder task of finding a second preimage of x; in this case, collision resistance is also necessary [153]. Less obvious is the requirement of preimage resistance for some public-key signature schemes; consider RSA [174], where agent A has public key (e, n). I may choose a random value y, compute z = y e (mod n), and claim that y is As signature on z. This attack is possible if I can find an input x such that h(x) = z. 3.1.3 Examples of hash functions Let us consider the following function: h(x) = x 2 - 1 (mod p), with p a prime number. This function h is a hash function as per Definition 34, but h is not a one-way hash function because finding x such that h(x) = y for a given y is easy [153]. Let us consider the following function: h(x) = x 2 (mod n) with n = p ∗ q, p, q are two randomly chosen primes. h is a one-way hash function because finding a x such that h(x) = y for a given y is computationally equivalent to factoring and thus intractable, but finding a 2nd-preimage, and, therefore, collisions, is trivial (given x, we have that h(x) = h(−x)), and thus h is neither secondpreimage resistant hash function nor collision resistant hash function [153]. 3.2 Collision vulnerability property A hash function is a function h : D → R with �D� > �R� (Definition 34), that is a hash function is many-to-one. This implies that the existence of pair of inputs x, x ′ with x �= x ′ and h(x) = h(x ′ ) is unavoidable, we call such pair of inputs a collision. However, only a few years ago, it was intractable to compute collisions on hash functions, so they were considered to be collision resistant by cryptographers, and protocols were built upon this assumption. From the nineties on, several authors [98, 103, 199, 201] have proved the tractability of finding pseudo-collision and collision attacks over several hash functions. Taking this into account, we consider in this chapter hash functions having the following properties: preimage resistance, second-preimage resistance, and collision vulnerability. From now on, we call a collision vulnerable hash function a hash function having these properties. The collision vulnerability means that the hash function is not collision resistant, i.e. it is computationally feasible to compute
3.2. COLLISION VULNERABILITY PROPERTY 61 two distinct inputs x and x ′ with h(x) = h(x ′ ) provided that x and x ′ are created at the same time and independently one of the other. To mount a collision attack, the intruder would typically begin by constructing two different messages with the same hash where one message appears legitimate or innocuous while the other serves the intruder’s purposes. 3.2.1 Hash functions having this property MD5 Hash function [173] is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement on MD4 [172], and its security was widely studied since then by several authors. The first result was a pseudo-collision for MD5 [98]. When permitting to change the initialisation vector, another attack (free-start collision) has been found [103]. Recently, a real collision involving two 1024-bits messages was found with the standard value [199]. This first weakness was extended into a differential-like attack [202] and tools were developed [129, 130] for finding the collisions which work for any initialisation value and which are quicker than methods presented in [199]. Finally, other methods have been developed for finding new MD5 collisions [204, 183]. The development of collision-finding algorithms is not restricted to MD5 hash function. Several methods for MD4 [172] research attack have been developed [200, 104]. In [200] a method to search RIPEMD [105] collision attacks was also developed, and in [42], a collision on SHA-0 [7] has been presented. Finally, Wang et al. have developed in [201] another method to search for collisions for the SHA-1 [4] hash function. 3.2.2 Collision vulnerability in practice We consider here the story of Alice and her boss [94]. Alice has been working for some time in the office of Julius Caesar. On her last day of work, Caesar gives her a letter of recommendation on paper. Alice decides to take advantage of this opportunity to gain access to Caesar’s secret documents. Caesar uses MD5 hash function which is collision vulnerable (Section 3.2.1) for his digital signature scheme DSA [3]. When she receives her letter of recommendation on paper, Alice prepars two postscripts files with the same MD5 hash: one is the letter given by Caesar and the other is an order from Caesar to grant Alice some kind of secrecy clearance. She asks Caesar to digitally sign the letter and due to the hash collision, Caesar’s signature for the letter of recommendation is also valid for the order. She then presents the order and the digital signature to the person in charge of Caesar’s files, and finally gains access to Caesar’s secret documents.
Page 1:
Logical Analysis and Verification o
Page 5:
Abstract This thesis is developed i
Page 8 and 9:
viii
Page 10 and 11:
x CONTENTS 2.1.7 Unification . . .
Page 12 and 13:
xii CONTENTS 5.8 Decidability of re
Page 14 and 15:
2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17:
4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19:
6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21:
8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23: 10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25: 12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27: 14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29: 16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31: 18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33: 20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 70 and 71: 58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 112 and 113: 100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 122 and 123:
110 CHAPTER 4. PROTOCOLS WITH VULNE
Page 124 and 125:
112 CHAPTER 5. SATURATED DEDUCTION
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138 and 139:
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
148 CHAPTER 6. ON THE GROUND ENTAIL
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

Create successful ePaper yourself

Delete template?

Save as template?