An Algebra for Symbolic Diffie-Hellman Protocol Analysis
Authors
Abstract
We study the algebra underlying symbolic protocol analysis for protocols using Diffie-Hellman operations. Diffie-Hellman operations act on a cyclic group of prime order, together with an exponentiation operator. The exponents form a finite field: this rich algebraic structure has resisted previous symbolic approaches. We define an algebra that validates precisely the equations that hold almost always as the order of the cyclic group varies. We realize this algebra as the set of normal forms of a particular rewriting theory. The normal forms allow us to define our crucial notion of indicator, a vector of integers that summarizes how many times each secret exponent appears in a message. We prove that the adversary can never construct a message with a new indicator in our adversary model. Using this invariant, we prove the main security goals achieved by UM, a protocol using Diffie-Hellman for implicit authentication.

Despite vigorous research in symbolic analysis of security protocols, many limitations remain. While systems such as NPA-Maude [21], ProVerif [8], AVISPA [3, 5], CPSA [36], and Scyther [16] are extremely useful, great ingenuity is still needed—as for instance in [31]—for the analysis of protocols that use fundamental cryptographic ideas such as Diffie-Hellman key agreement [17], henceforth, DH. Moreover, important protocols, such as the implicitly authenticated key-agreement protocol MQV [7], appear to be out of reach of known symbolic techniques. Indeed, for these protocols, computational techniques have led to arduous proofs after which controversy remains [27,29,30,33]. In this paper, we develop algebraic ideas that allow us to give rigorous proofs of security goals such as authentication and confidentiality in a symbolic model. Moreover, our techniques also help identify the security goals that the protocol does not achieve.

DH protocols work in a cyclic group of prime order q, which we will write multiplicatively, using an agreed-upon generator g. For a particular session, A and B choose random values x, y respectively, raising a base g to these scalar powers:

$$A, x \;\xrightarrow{\;g^{x}\;}\; B, y \qquad\qquad A, x \;\xleftarrow{\;g^{y}\;}\; B, y \qquad (1)$$

They can then each compute the value $(g^{y})^{x} = g^{xy} = (g^{x})^{y}$ as a new shared secret for A, B. The Decisional Diffie-Hellman assumption (DDH) says that, in suitable groups, any observer who has observed neither x nor y cannot distinguish $g^{xy}$ from the $g^{z}$ we would get from a randomly chosen z. This basic protocol—while secure against a passive adversary, who observes messages but can neither create them nor alter (or misdirect) messages of compliant principals—is, however, vulnerable to an active attacker. The adversary chooses his own values $w, g^{w}$, substituting $g^{w}$ for the values each participant should receive. Then the two participants will end up with different keys, $g^{xw}$ and $g^{yw}$, unfortunately each shared with the attacker.

One idea to avoid this man-in-the-middle attack is for each of the principals A and B to maintain a long-term secret value. We will write A's long term secret as a, and B's as b. They publish the long term public values $Y_A = g^{a}$, $Y_B = g^{b}$, having a certificate authority certify the bindings to A and B. Now any pair of participants may each use the long term public value of the other—and their own long term secrets—to compute the same fresh secret, in such a way that no principal other than A or B can. The "Unified Model" UM of Ankney, Johnson, and Matyas [2] is an example. A and B send only the messages shown in Eqn. 1. For clarity, the value B receives, purportedly from A, will be called $R_A$. A receives the value $R_B$, purportedly from B. Without adversary interference, $R_A = g^{x}$ and $R_B = g^{y}$. Letting h(x) be a hash function, A and B compute their keys:

$$A : k = h(Y_B^{\,a} \parallel R_B^{\,x}) \qquad\qquad B : k = h(Y_A^{\,b} \parallel R_A^{\,y}) \qquad (2)$$

obtaining the shared value $h(g^{ab} \parallel g^{xy})$ if $R_A = g^{x}$ and $R_B = g^{y}$.

* We gratefully acknowledge support by the National Science Foundation under grant CNS-0952287.
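The two exchanges described above, as an added example that is not from the paper: a toy-sized implementation of the unauthenticated exchange of Eqn. 1, the active substitution of $g^{w}$ that splits the session into two keys each known to the adversary, and the UM key derivation of Eqn. 2, where the substitution still makes the two principals disagree but the static component $g^{ab}$ requires a long-term secret the adversary never sees. The group parameters (p = 2039, q = 1019, g = 4), the choice of SHA-256 over fixed-width encodings as h, and all exponent values are constructed for illustration and are far too small for real use.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed toy group for illustration only: p = 2q + 1 with q prime, and
# g = 2^2 mod p generates the subgroup of prime order q. Real deployments use
# groups thousands of bits wide; these values only make the algebra visible.
P = 2039
Q = 1019
G = 4


def exp(base: int, e: int) -> int:
    """Group exponentiation; exponents live in the field Z_q."""
    return pow(base, e % Q, P)


def h(*elems: int) -> str:
    """Hash h(u || v || ...) over fixed-width encodings of group elements (Eqn. 2)."""
    data = b"".join(e.to_bytes(2, "big") for e in elems)  # every element < 2^16
    return hashlib.sha256(data).hexdigest()


def plain_dh(x: int, y: int) -> Tuple[int, int]:
    """Eqn. 1 without interference: A sends g^x, B sends g^y.
    Returns (A's key, B's key); both equal g^{xy}."""
    msg_a, msg_b = exp(G, x), exp(G, y)
    return exp(msg_b, x), exp(msg_a, y)  # (g^y)^x and (g^x)^y


def plain_dh_mitm(x: int, y: int, w: int) -> Tuple[int, int, int, int]:
    """Active adversary replaces both messages with g^w.
    Returns (A's key, B's key, adversary's copy of A's key, adversary's copy of B's key)."""
    fake = exp(G, w)
    key_a = exp(fake, x)        # A computes g^{xw}
    key_b = exp(fake, y)        # B computes g^{yw}
    adv_a = exp(exp(G, x), w)   # adversary: (g^x)^w from the observed g^x
    adv_b = exp(exp(G, y), w)   # adversary: (g^y)^w from the observed g^y
    return key_a, key_b, adv_a, adv_b


def um(a: int, b: int, x: int, y: int,
       r_a: Optional[int] = None, r_b: Optional[int] = None) -> Tuple[str, str]:
    """Unified Model (Eqn. 2). a, b are long-term secrets with Y_A = g^a, Y_B = g^b.
    r_a is what B receives purportedly from A; r_b is what A receives purportedly
    from B. Both default to the honest messages g^x and g^y."""
    y_a, y_b = exp(G, a), exp(G, b)
    if r_a is None:
        r_a = exp(G, x)
    if r_b is None:
        r_b = exp(G, y)
    key_a = h(exp(y_b, a), exp(r_b, x))  # A: h(Y_B^a || R_B^x)
    key_b = h(exp(y_a, b), exp(r_a, y))  # B: h(Y_A^b || R_A^y)
    return key_a, key_b


def um_mitm(a: int, b: int, x: int, y: int, w: int) -> Tuple[str, str]:
    """The same substitution of g^w against UM. The static component g^{ab}
    needs a or b, which the adversary never sees, so neither resulting key is
    available to it, and the two principals no longer agree on a key."""
    fake = exp(G, w)
    return um(a, b, x, y, r_a=fake, r_b=fake)


def demo() -> Dict[str, bool]:
    """Fresh random exponents on each run; returns the observations as booleans."""
    a, b, x, y, w = (secrets.randbelow(Q - 1) + 1 for _ in range(5))
    ka, kb = plain_dh(x, y)
    ma, mb, aa, ab = plain_dh_mitm(x, y, w)
    ua, ub = um(a, b, x, y)
    va, vb = um_mitm(a, b, x, y, w)
    return {
        "plain_dh_agrees": ka == kb == exp(G, x * y),
        "mitm_splits_plain_dh": ma != mb and ma == aa and mb == ab,
        "um_agrees": ua == ub == h(exp(G, a * b), exp(G, x * y)),
        "mitm_splits_um": va != vb,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run as a script it prints the four observations; `mitm_splits_*` can only read False in the negligible case that the random x and y coincide modulo q. The point the code makes visible is that exponentiation by a value the adversary knows (w) moves a message within what it can compute, whereas the UM key also depends on $g^{ab}$, which no combination of the published values and w produces.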
We will present a technique for proving authentication and confidentiality results about protocols such as this. The heart of this paper develops a well-behaved rewriting theory for DH values, which yields a powerful tool for symbolic analysis. The challenge for such a theory derives from the fact that, since we are operating in a cyclic group of prime order, the exponents form a field. Although UM uses only the field multiplication, some protocols (including MQV) also use the field addition. This is challenging for rewriting-based approaches to protocol analysis since the theory of fields does not admit an axiomatization using equations, or even conditional equations. The standard axiomatization uses negation to say that 0 has no multiplicative inverse; to see that there can be no conditional-equational axiomatization, note that the category of fields is not closed under products.

This paper makes the following contributions:

1. We define an order-sorted equational theory AGˆ whose models include all fields. We equip AGˆ with a rewrite system modulo associativity and commutativity (AC), and show that this system is terminating and confluent modulo AC: an equation s = t is derivable in AGˆ if and only if s and t rewrite to the same normal form modulo AC. The free algebra over this rewrite system offers a natural DH message algebra. (Section 1.)
2. We show, via a model-theoretic argument using ultraproducts, that AGˆ captures uniform equality in the theory of finite fields. Namely, if s = t is an
Similar sources
Symbolic Protocol Analysis for Diffie-Hellman
We extend symbolic protocol analysis to apply to protocols using Diffie-Hellman operations. Diffie-Hellman operations act on a cyclic group of prime order, together with an exponentiation operator. The exponents form a finite field. This rich algebraic structure has resisted previous symbolic approaches. We work in an algebra defined by the normal forms of a rewriting theory (modulo associativ...
A NEW PROTOCOL MODEL FOR VERIFICATION OF PAYMENT ORDER INFORMATION INTEGRITY IN ONLINE E-PAYMENT SYSTEM USING ELLIPTIC CURVE DIFFIE-HELLMAN KEY AGREEMENT PROTOCOL
Two parties that conduct a business transaction through the internet do not see each other personally nor do they exchange any document neither any money hand-to-hand currency. Electronic payment is a way by which the two parties transfer the money through the internet. Therefore integrity of payment and order information of online purchase is an important concern. With online purchase the cust...
Computationally sound symbolic security reduction analysis of the group key exchange protocols using bilinear pairings
Canetti and Herzog have proposed a universally composable symbolic analysis (UCSA) of mutual authentication and key exchange protocols within universally composable security framework. It is fully automated and computationally sound symbolic analysis. Furthermore, Canetti and Gajek have analyzed Diffie-Hellman based key exchange protocols as an extension of their work. It deals with forward sec...
On the Symbolic Analysis of Low-Level Cryptographic Primitives: Modular Exponentiation and the Diffie-Hellman Protocol
Automatic methods developed so far for analysis of security protocols only model a limited set of cryptographic primitives (often, only encryption and concatenation) and abstract from low-level features of cryptographic algorithms. This paper is an attempt towards closing this gap. We propose a symbolic technique and a decision method for analysis of protocols based on modular exponentiation, s...
Symbolic Protocol Analysis with Products and Diffie-Hellman Exponentiation
We demonstrate that for any well-defined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a particular system of quadratic Diophantine equations. This result enables formal analysis of protocols that employ primitives such as Diffie-Hellman exponentiation, products, and xor, with ...
Publication date: 2012