On Searching for Known and Chosen Cipher Pairs Using the NRL Protocol Analyzer

Formal methods have been successfully applied to exceedingly abstract system speciications to verify high level security properties such as authentication, key exchange, and fail-safe revocation. Furthermore, considerable research exists on evaluating particular ciphers and secure hash functions used to implement high level security properties. However, verifying that less abstract system speciications satisfy low level security properties has been largely impractical. This is evidenced by innumerable system vulnerabilities where high level properties are not attained due to failed assumptions of low level properties. This paper presents ongoing work on investigating known and chosen ciphertext pairs using the NRL Protocol Analyzer. We give a formal characterization of known and chosen pairs, and map it to the NRL Protocol Analyzer model. We also describe the use of the Analyzer to rediscover attacks on an early version of the ESP protocol, and show how our experience in using it has led us to reene our model. This was the rst use of the Analyzer to model protocols at such a low level of abstraction. 1 Background A chosen text attack is characterized by an adversary causing another principal to encrypt or decrypt chosen text using a secret key unknown to the adversary. A known text attack is characterized by an adversary learning encrypted or decrypted text not necessarily chosen by the adversary. Chosen-and known-text in cryptographically protected systems is an important area of study since its presence can lead to vulnerabilities. Chosen-ciphertext can enable the adversary to read conndential messages. Chosen-plaintext can enable the adversary to create messages that may be accepted as legitimate. It can also be used by the adversary to conduct a dictionary attack in an attempt to learn secrets. The problem is compounded when the same key is used for diierent protocols. Guidance on how to avoid chosen-and known-text attacks has been in the literature for many years 11]. However, attacks based on chosen-and known-text continue to be a problem even in security protocols designed and reviewed by teams of security experts. In spite of this, little work has been done on developing formal theories and techniques for detection and prevention of chosen and known text attacks. This is mainly because the degree of abstraction at which the problem occurs is at a somewhat lower level than that usually handled by most of the existing applications of formal methods of cryptographic protocols. However, as the work of Stubblebine and Gligor …