Dhcp++: Applying an Eecient Implementation Method for Fail-stop Cryptographic Protocols

The DHCP protocol is used by hosts to dynamically allocate an IP address and con gure client hosts. The protocol greatly eases the administration of an IP subnetwork and is thus widely used. The basic approach of the DHCP protocol is for a client to broadcast a request for an address, and for one or more servers to respond with addresses. This creates signi cant opportunities for security risks due to active attackers. We have designed a new, e cient implementation method for the fail-stop cryptographic protocols originated by Gong and Syverson. The implementation method uses cryptographic hashes of the state of the sender and receiver and the exchanged messages to detect if any deviation from expected behavior has taken place. If it has, an attack is assumed and the protocol ceases execution. We present a proof outline of protocol security using our method. We have applied our method to DHCP, resulting in DHCP++. DHCP++ uses our fail-stop implementation technique to prevent any attacks that could otherwise violate DHCP's security assumptions. The resulting protocol operates entirely within the context of DHCP. The paper analyzes the threats eliminated by this enhancement, and measurements against DHCP show that the incremental performance costs are minimal. Copyright c 1997, William A. Arbaugh, Angelos D. Keromytis and Jonathan M. Smith. Permission is granted to redistribute this document in electronic or paper form, provided that this copyright notice is retained. Authors' email addresses are fwaa,angelos,[email protected]. This research was supported by DARPA under contract #N66001-96-C-852. 1 Fail-stop protocols Cryptographic protocols are used in many advanced applications such as electronic banking, networked software distribution, and wireless personal communications systems. Due to the complexity of conditions they may encounter, careful reasoning and formal means such as proofs are used to validate the design of a cryptographic protocol. Such validation is easier if the set of threat conditions is reduced. Techniques resulting in the construction of protocols which by design reduce the complexity of threat conditions are thus extremely attractive. One such technique is a fail-stop cryptographic protocol, introduced by Gong and Syverson [FS]: A protocol is fail-stop if any attack interfering with a message sent in one step will cause all causally-after messages in the next step or later not to be sent. As Gong and Syverson show, fail-stop protocols possess a very useful security property, namely: active attacks cannot cause the release of secrets within the run of a fail-stop protocol The fail-stop property lets a protocol designer restrict security concerns to passive (eavesdropping) attacks, a significant reduction in the class of threats to the protocol's security. The cost is that the protocol must terminate when active attacks occur, rather than attempt to continue. We believe that reliable termination is greatly preferred to unknown and insecure behavior in the face of active attacks on security, and when embedded in a larger system, protocol termination can be handled by higher-level detection and resolution mechanisms. 1.1 Specifying fail-stop behavior Syverson and Gong state the following speci cations for a fail-stop protocol: 2 MESSAGE CHAINING 1 1. The content of each message has a header containing the identity of its sender, the identity of its intended recipient, the protocol identi er and its version number, a message sequence number, and a freshness identi er. 2. Each message is encrypted under the key shared between its sender and intended recipient. 3. An honest process follows the protocol and ignores all unexpected messages. 4. A process halts any protocol run in which an expected message does not arrive within a speci ed timeout period. The above speci cations assume that the two communicating parties share a secret encryption key used with a symmetric key cryptosystem (such as DES [FIPS46]). It should be noted that this is not the only method for generating fail-stop protocols, but rather the simplest one. The freshness identi er can be a nonce issued by the intended recipient or a time stamp (if the clocks are assumed to be securely and reliably synchronized [LG92]). 1.2 Outline of this paper Section 2 presents our method for chaining the messages of a protocol run. This makes the messages sequenced and non-reusable outside the context of this protocol run, thereby making message tampering and replay attacks infeasible [PS]. Section 3 brie y discusses the DHCP protocol. Section 4 presents our extensions to DHCP. Section 5 discusses our implementation of DHCP++ and, section 6 concludes the paper and summarizes its contributions.