Khair Eddin Sabri and Ridha Khedri

Transcription

1 Khair Eddin Sabri and Ridha Foundations & Practice of Security Symposium (Oct. 2012) CRYPTO

2 Presentation Outline 1 Introduction Order Semiring 5 keystructure Technique 9 Verification of secrecy properties 10 Conclusion and Future Work CRYPTO

3 Introduction Data Store Data Agent 1 Server Agent 3 Agent 2 Data Store Agent 1 Encrypted Data Agent 3 Agent 2 CRYPTO

4 Introduction Encrypted-data stores require Encryption of information Distribution of keys to users Cipher? Either, a common cipher is used by all agents Or, each agent uses in a quasi-permanent way a set of already agreed-on ciphers CRYPTO

5 Introduction What governs key-assignments? for key assignments are adopted Object-based scheme: focuses on objects and the required conditions to decrypt each one of them Key-based scheme: ÐÝOur focus Objects are partially ordered (i.e., ď is transitive, reflexive, and antisymmetric) c i ď c j : security level c j is more sensitive than the security level c i ùñ User at c j can also have an access to an information classified c i CRYPTO

6 Introduction Key-based scheme: K1 Dean K2 K3 K4 Student Prof. Key k 1 can be used to derive the keys k 2, k 3 and k 4 However, no practical way to derive a key associated to a node n from those associated to its descendants Chair CRYPTO

7 Several s exist in the literature to handle key assignment: rakltaylor1983, AtallahBlantonFazio2009, KuoShenChenLai1999, Sandhu1987s Problem: Lack of formal means to proof their correctness / secrecy Several of them have been found to be flawed or very weak in preserving secrecy Crampton et al. advocate the adoption of a generic model for key assignment schemes For evaluating proposals for key assignment schemes CRYPTO

8 What do we propose? A generic model for the specification and analysis of cryptographic-key assignment schemes An analysis of two representative schemes: key assignment rakltaylor1983r scheme A scheme based on the remainder theorem rchenchung2002s A generalized and extended scheme to assign more than one key to a security class The automation of the analysis of systems that use key assignment schemes (Prover9) CRYPTO

9 The key-structure within a set of structures: Envelope Structure Message Structure Cipher Structure Secret Structure A B Structure B is a building block of structure A Fundamenta Informaticae, 112(4): , CRYPTO

10 Order Let C be a set. A partial order (or order) on C is a binary relation ă on C such that, for all x, y, z P C, 1 x ă x, Reflexive 2 x ă y ^ y ă x ùñ x y, Antisym. 3 x ă y ^ y ă z ùñ x ă z Trans. A set equipped with a partial order is called an ordered set, partially ordered set, or poset A pre-ordered set (or quasi-ordered set): satisfies only (1) and (3), but not (2) For a pre-ordered set pp, ăq, its dual pp, ăq is def defined as for all x, y, we have x ă y ðñ y ă x Order Semiring CRYPTO

11 Semiring Definition (Semiring) Let S H be a set and ` and binary operations on S, named addition and multiplication. Then `S, `, is called a semiring if `S, ` is a commutative semigroup, `S, is a semigroup, and distributes over ` on both the left and right. `S, ` is an idempotent semigroup `S, `, an additively idempotent semiring `S, is a commutative semigroup `S, `, a commutative semiring `S, `, is an additively idempotent semiring there exists a natural ordering relation Order Semiring CRYPTO

12 keystructure A key in its most common form can be perceived as a parameter given to a cipher A key can be a string as in the Vigenère cipher or it can be a pair of numbers as in an RSA cipher Keys can be combined RSA cipher) An inverse is usually defined on keys (generalization of the Our representation of RSA uses one key pe, d, nq Public key pe, nq and private key pd, nq CRYPTO

13 keystructure Definition () Let K def pk, `k, k, 0 k q be an algebraic structure that is an additively idempotent commutative semiring with a multiplicatively absorbing zero 0 k. We call K a key-structure. The operators `k and k are both used to combine keys k operator (two argts are used simultaneously) operator (only one argt is used to enc./decr. one `k plain/cipher unit) CRYPTO

14 keystructure Table: Vigenère Table a b c d e f g h i j k l m n o p q r s t u v w x y z a b c d e f g h i j k l m n o p q r s t u v w x y z a b c d e f g h i j k l m n o p q r s t u v w x y z b c d e f g h i j k l m n o p q r s t u v w x y z a c d e f g h i j k l m n o p q r s t u v w x y z a b d e f g h i j k l m n o p q r s t u v w x y z a b c e f g h i j k l m n o p q r s t u v w x y z a b c d f g h i j k l m n o p q r s t u v w x y z a b c d e g h i j k l m n o p q r s t u v w x y z a b c d e f h i j k l m n o p q r s t u v w x y z a b c d e f g i j k l m n o p q r s t u v w x y z a b c d e f g h j k l m n o p q r s t u v w x y z a b c d e f g h i k l m n o p q r s t u v w x y z a b c d e f g h i j l m n o p q r s t u v w x y z a b c d e f g h i j k m n o p q r s t u v w x y z a b c d e f g h i j k l n o p q r s t u v w x y z a b c d e f g h i j k l m o p q r s t u v w x y z a b c d e f g h i j k l m n p q r s t u v w x y z a b c d e f g h i j k l m n o q r s t u v w x y z a b c d e f g h i j k l m n o p r s t u v w x y z a b c d e f g h i j k l m n o p q s t u v w x y z a b c d e f g h i j k l m n o p q r t u v w x y z a b c d e f g h i j k l m n o p q r s u v w x y z a b c d e f g h i j k l m n o p q r s t v w x y z a b c d e f g h i j k l m n o p q r s t u w x y z a b c d e f g h i j k l m n o p q r s t u v x y z a b c d e f g h i j k l m n o p q r s t u v w y z a b c d e f g h i j k l m n o p q r s t u v w x z a b c d e f g h i j k l m n o p q r s t u v w x y CRYPTO

15 Definition (Key assignment scheme) We call a key-assignment scheme the system pk, C, ă, aq, where: K is a key-structure, pc, ăq is a poset, and a : K Ñ C is a surjective (onto) function. C and a are respectively identified as the set of security classes, and the assignment function. The poset pc, ăq is said to be the poset of the scheme S. CRYPTO

16 Usually, keys are assigned to users (and users are assigned to security classes) For x and y users, x ă u y ô the security class of x is lower than the security class of y The structure pu, ă u q is a poset Findings: There is an order isomorphism between pc, ăq and pu, ă u q It is the map s : U ÝÑ C such that x ă u y ô spxq ă spyq c P C : s pcq H q A class can be assigned several keys CRYPTO

17 On dom(a), we define a relation ă d a : K Ñ C k 1 ă d k 2 : part of the information that can be revealed by using k 1 can be also revealed by using k 2 pdompaq, ă d q is a pre-order (quasi-order) as it not necessarily antisymmetric CRYPTO

18 The structure K is an additively idempotent commutative semiring It has a natural order relation ď inherent to it x ď y ðñ x `k y y k 1 ď k 2 : the key k 1 is a sub-key of the key k 2 We have also Ď defined as: a Ď b def ðñ Dpc c P K : a ď b k c q The relation Ď is a pre-order (ñ can be used as ă) CRYPTO

19 Proposition (HofnerMoller2006) Let K pk, `k, k, 0 k, 1 k q be a key structure with an identity 1 k. Let k 1, k 2 P K be keys. We have: 1 k 1 ď k k 2 ùñ k 1 Ď k 2 2 k 1 k k 2 Ď k 2 3 k 1 Ď k 2 ùñ k 1 `k k 3 Ď k 2 `k k 3 4 k 1 Ď k 2 ùñ k 1 k k 3 Ď k 2 k k 3 5 k Ď 1 k CRYPTO

20 Definition Let S def pk, C, ă, aq be a key-assignment scheme. Given a key-derivation relation ă d defined on dompaq, the scheme S is said to be cluster-secure with regard to ă d i, k j k i, k j P dompaq ^ pk i k j q ^ papk i q ă apk j qq : pk j ă d k i q q. a(k ) i a(k ) j CRYPTO

21 What can we do with this theory? Evaluate proposals for key assignment schemes : It assigns to each user a key k i k i κ t i pmod mq κ is a private number m is a public number that is the product of two large prime numbers t i is a public number formed from a multiplication of prime numbers CRYPTO

22 Key-derivation: Fact: k t j {t i i pκ t i q t j {t ipmod mq κ t jpmod mq kj Consequence: A key k j can be derived from k i iff t j is divisible by t i Example: Let m 11 ˆ and κ 13 User 1: Public number t 1 5 ˆ 7 35 The key becomes pmod 187q 21 User 2: Public number t 2 7 (It divides 35) The key becomes 13 7 pmod 187q 106 The key 106 can be used to derive the key 21 p106 5 pmod 187q 21q CRYPTO

23 Once κ is fixed, the exponent t i determines the key log k i log κ t i t i is the product of a set of distinct prime numbers Generalization: Keys are sets of products of distinct elements from IN p Products of prime number can be considered as subsets of IN p t i 2 ˆ 3 ˆ 7 can be represented as tt2, 3, 7uu CRYPTO

24 P def tp 1 ˆ ˆ p n all p i are prime and differentu A bijective function rep: rep : P Ñ PpPpIN p qq reppp 1 ˆ p 2 ˆ ˆ p n q def ttp 1, p 2,, p n uu. FF def pppppin p qq, `k, k, 0, 1q k `k : PpPpIN k p qq ˆ PpPpIN p qq Ñ PpPpIN p qq A B def ta Y b : a P A, b P Bu. k : PpPpIN `k p qq ˆ PpPpIN p qq Ñ PpPpIN p qq A B def A Y B, `k FF is a key structure with an identity CRYPTO

25 The system pff, C, ă, aq presents a generalization of the A key in our case is not a single key but a set of keys e.g., tκ 2ˆ3, κ 5ˆ7 u In the, pc, ăq has to be a tree In our framework, pc, ăq can be a forest We may need this generalization, if a user is involved in more than one scheme needs to combine several keys to build a useful one Key-derivation is nothing but, the relator Ď We get for free several identities CRYPTO

26 The key in our case is not a single key but a set of keys e.g., {κ 2 3, κ 5 7 }.Inthe ALGEBRAIC MODEL, FOR THE (C, ) ANALYSIS has to be akey tree, while in our framework ASSIGNMENT it can be a forest. Therefore, for dealing with more than a tree structure and for handling more than one key per user, the is a special case of the one we propose. We may need this generalization if a user is involved in more than one scheme. Example: κ κ 2 κ 3 κ 2 3 κ κ 3 11 { } {{2}} c2 c3 {{3}} {{2, 3}} {{2, 3, 7}} {{3, 11}} (a) (b) Fig. 1. An example of the scheme and its equivalent scheme c1 c4 c5 c6 Example 1. Figure 1 shows an example of the scheme and its representation using our mathematical structure. In the system (FF,C,,a), FF is defined as above, C = {c 1,c 2,c 3,c 4,c 5,c 6} such that c 4 c 2, c 5 c 2, c 5 c 3, c 6 c 3, c 2 c 1, c 3 c 1, and the function a is defined as a = {(,c 1), ({{2}},c 2), ({{3}},c 3), ({{2, 3}},c 4), ({{2, 3, 7}},c 5), ({{3, 11}},c 6)}. For instance, the key κ 2 3 is derived from κ 2.Indeed, pff, C, ă, aq C tc 1, c 2, c 3, c 4, c 5, c 6 u such that c 4 ă c 2, c 5 ă c 2, c 5 ă c 3, c 6 ă c 3, c 2 ă c 1, c 3 ă c 1 PLUS the properties of an order κ 2 3 d κ 2 A key is determined by its exponent & k 1 is derived from k 2 log ki iff k 1 k 2, and log κ = ti rep(2 3) rep(2) Definition of the function rep, and Definition of (c c P(IN p) : {{2, 3}} {{2}} k c ) Definition of x y for x and y elements of an idempotent commutative semiring (c c P(IN p) : {{2, 3}} + k {{2}} k c = {{2}} k c ) Definition of + k on the structure FF (c c P(IN Speaker: p) : {{2, Ridha 3}} {{2}} k c = {{2}} k c ) CRYPTO a tph, c 1 q, ptt2uu, c 2 q, ptt3uu, c 3 q, ptt2, 3uu, c 4 q, ptt2, 3, 7uu, c 5 q, ptt3, 11uu, c 6 qu

27 The key κ 2ˆ3 is derived from κ 2. κ 2ˆ3 ă d κ 2 ðñ x A key is determined by its exponent & k1 is derived from k2 iff k1 Ď k2, and log k i log κ t i y repp2 ˆ 3q Ď repp2q ðñ x Definition of the function rep, and Definition of Ď y Dpc c P PpINpq : tt2, 3uu ď tt2uu c q k ðñ x Definition of x ď y for x and y elements of an idempotent commutative semiring y Dpc c P PpINpq : tt2, 3uu tt2uu c tt2uu c q `k k k ðñ x Definition of on the structure FF y `k Dpc c P PpINpq : tt2, 3uu Y tt2uu c tt2uu c q k k ðù x c tt3uu P PpINpq, and the definition of k on the structure FF y Dpc c P PpINpq : tt2, 3uu Y tt2, 3uu tt2, 3uu q ðñ x Idempotence of Y, c P PpINpq, and Dpc : true q true y true The above scheme is cluster-secure: pc i ă c j ùñ papc i q Ď apc j qqq CRYPTO

28 Technique [ChenChung2002] Similar treatment as for ď is Ď a Ď b def ðñ Dpc c P PpPpF qq : a Ď b k c q def k 1 ă d k 2 ðñ k 2 Ď k 1 (It is the dual to that of ) CRYPTO

29 Verification of secrecy properties We can easy verify properties such as the ability of a user to get an information intended for a higher class the ability of using several keys to reveal an information that can be revealed by using another key The proof of the above properties involve the axioms of the key-structure We use Prover9 to verify each property In the paper, you find an example illustrating the above points CRYPTO

30 Conclusion and Future Work We presented a generic model for key assignment schemes (based on the key-structure) This model does not depend on a specific crypto-system The proofs for security properties are performed in an algebraic calculational way (easily automated) Future work: investigate other key assignment schemes to assess their strengths and weaknesses CRYPTO

31 CRYPTO