Key substitution vulnerable signature schemes are signature schemes that permit an intruder, given a public verification key and a signed message, to compute a pair of signature and verification keys such that the message appears to be signed with the new signature key. A digital signature scheme is said to be vulnerable to destructive exclusive ownership property (DEO) If it is computationaly feasible for an intruder, given a public verification key and a pair of message and its valid signature relatively to the given public key, to compute a pair of signature and verification keys and a new message such that the given signature appears to be valid for the new message relatively to the new verification key. In this paper, we prove decidability of the insecurity problem of cryptographic protocols where the signature schemes employed in the concrete realisation have this two properties.
According to West's Encyclopedia of American Law, a signature is "A mark or sign made by an individual on an instrument or document to signify knowledge, approval, acceptance, or obligation. . . [Its purpose] is to authenticate a writing, or provide notice of its source 1 . . . "
We will not deal any further with legal considerations, but it is interesting to note that while digital signatures are primarily employed to authenticate a document, i.e. ensure that the signer endorses the content of the document, they can also be employed to prove the origin of a document, i.e. ensure that only one person could have signed it. Indeed, most of the cryptographic work on digital signatures has aimed at certifying that no-one could sign a document in the place of someone else.
The analysis of digital signature primitives has however focused on the former authentication property. Formally speaking, the yardstick security notion for assessing the robustness of a digital signature scheme is the existential enforceability against adaptative chosen-message attacks (UNF-CCA) [10]. This notion states that, given a signing key/verification key pair, it is infeasible for someone ignorant of the signing key to forge a message that can pass the verification with the public verification key, and this even when messages devised by the attacker are signed beforehand. The security goal provided by this property is the impossibility (within given computing bounds) to impersonate a legitimate user (i.e. one that does not reveal its signature key) when signing a message.
We note that this robustness does not address the issue of the identification of a source of a message. However, this latter concept is also pertaining to digital signatures when they are employed in a non-repudiation protocol. While one would not differentiate the two properties at first glance, they are different since the authentication property requires the existence of the participation of the signer in the creation of the message, while the latter mandates the unicity of a possible creator of a message.
The two notions of message authentication and source authentication collapse in the single-user setting when there exists only one pair of signature/verification keys. They may however be different in a multi-user setting. We believe that the first work in this direction was the discovery of a flaw on the Station-to-Station protocol by Blake-Wilson and Menezes [12], where the authors show how it is possible to confuse a participant into thinking it shares a key with another person than the actual one. The attack consisted in the creation, by the attacker, of a signature/verification key pair dependent upon messages sent in the protocol. Defining a signature scheme to have the Duplicate Signature Key Selection (DSKS) property if it permits such a construction with non-negligible probability, they showed that several standard signature schemes (including RSA, DSA, ECDSA and ElGamal) had this property, but also that a simple countermeasure (signing the public key along with the message) existed in all cases, but was rarely implemented. This DSKS property was formally defined as Key substitution in [2], where it is also discussed, after a review of what could be called an attack on a signature scheme in the multi-user setting. It was also later presented independently in [8] as Conservative Exclusive Ownership. The companion property of Destructive Exclusive Ownership by which an intruder may also change arbitrarily the signed message is also introduced and they showed that the usual signature algorithms (such as RSA and DSS) have this property. While the same attacks as in [2] are exhibited, the authors also demonstrate how this can be used in practice to poison a badly implemented PKI with fake CRLs (T. Pornin, personal communication).
Automated validation of security protocols. Cryptographic protocols have been applied to securing communications over an insecure network for many years. While these protocols rely on the robustness of the employed security primitives, their design is error-prone. This difficulty is reflected by the repeated discovery of logical flaws in proposed protocols, even under the assumption that cryptographic primitives were perfect. As an attempt to solve the problem, there has been a sustained effort to devise formal methods for specifying and verifying the security goals of protocols. Various symbolic approaches have been proposed to represent protocols and reason about them, and to attempt to verify security properties such as confidentiality and authenticity, or to discover bugs. Such approaches include process algebra, model-checking, equational reasoning, constraint solving and resolution theorem-proving (e.g., [14,9,16,1]).
Our goal is to adapt the symbolic model of concrete cryptographic primitives in order to reflect inasmuch as possible their imperfections that could be used by an attacker to find a flaw on a protocol. The
This content is AI-processed based on open access ArXiv data.
