a formal security analysis of the signal messaging
play

A Formal Security Analysis of the Signal Messaging Protocol Luke - PowerPoint PPT Presentation

Oct 13, 2022 •328 likes •591 views

A Formal Security Analysis of the Signal Messaging Protocol Luke Garratt Computer Science University of Oxford 1 Why what is doing is . Luke Garratt Computer Science University of Oxford 2 Professors minions* Katriel Cohn-Gordon

  1. A Formal Security Analysis of the Signal Messaging Protocol Luke Garratt Computer Science University of Oxford 1

  2. Why what is doing is . Luke Garratt Computer Science University of Oxford 2

  3. Professors minions* Katriel Cohn-Gordon Cas Cremers Luke Garratt *PhD students Douglas Stebila 3 Ben Dowling

  4. What should Signal achieve? Does it? 4

  5. Forward secrecy: 5

  6. Forward secrecy: Post-compromise security: 6

  7. Why is this useful? 7

  8. Why is this useful? Older protocols have no forward secrecy. (E.g. TLS-RSA) Adversary can store ciphertext traffic of target session, obtain long-term keys ● later and then decrypt. 8

  9. Why is this useful? Older protocols have no forward secrecy. (E.g. TLS-RSA) Adversary can store ciphertext traffic of target session, obtain long-term keys ● later and then decrypt. Newer protocols have forward secrecy. (E.g. TLS-DHE) ● Adversary must now obtain long-term keys first, wait for interesting target session and then launch a man-in-the-middle attack. 9

  10. Why is this useful? Older protocols have no forward secrecy. (E.g. TLS-RSA) Adversary can store ciphertext traffic of target session, obtain long-term keys ● later and then decrypt. Newer protocols have forward secrecy. (E.g. TLS-DHE) ● Adversary must now obtain long-term keys first, wait for interesting target session and then launch a man-in-the-middle attack. Fancy protocols have post-compromise security. (Signal?) ● Adversary must now obtain long-term keys and immediately attack and keep on attacking if it wants to compromise future targeted sessions. 10

  11. [PCS, CSF ‘16]: “Security guarantees even after your peer’s key is compromised.” 11

  12. Our Signal security model Adapted Bellare-Rogaway-style, multi-stage key exchange model. [1] Bellare and Rogaway, “Entity Authentication and Key Distribution”. [2] Fischlin and Günther, “Multi-Stage Key Exchange…”. 12

  13. Our Signal security model Our model captures: ● Adversary has full network control. 13

  14. Our Signal security model Our model captures: ● Adversary has full network control. ● Perfect forward secrecy. 14

  15. Our Signal security model Our model captures: ● Adversary has full network control. ● Perfect forward secrecy. ● Key compromise impersonation attacks. 15

  16. Our Signal security model Our model captures: ● Adversary has full network control. ● Perfect forward secrecy. ● Key compromise impersonation attacks. ● Some (but not all) random numbers can be compromised. 16

  17. Our Signal security model Our model captures: ● Adversary has full network control. ● Perfect forward secrecy. ● Key compromise impersonation attacks. ● Some (but not all) random numbers can be compromised. ● Post-compromise security. 17

  18. Main result Theorem. The Signal protocol is a secure multi-stage key exchange protocol in our model, under the GDH assumption and assuming all KDFs are random oracles. 18

  19. 19

  20. Limitations 20

  21. Limitations ● Theoretical analysis (not considering implementations). 21

  22. Limitations ● Theoretical analysis (not considering implementations). ● Long-term identity key is used in initial handshake and to sign medium-term key. We just assume for simplicity that the medium term key is authentic. 22

  23. Limitations ● Theoretical analysis (not considering implementations). ● Long-term identity key is used in initial handshake and to sign medium-term key. We just assume for simplicity that the medium term key is authentic. ● We assume honest key distribution. 23

  24. Limitations ● Theoretical analysis (not considering implementations). ● Long-term identity key is used in initial handshake and to sign medium-term key. We just assume for simplicity that the medium term key is authentic. ● We assume honest key distribution. ● Multiple devices not considered yet. 24

  25. [Signal, EuroS&P ‘17]: “Looks pretty good! (some caveats)” 25

  26. Thanks for listening 1. There’s this cool new security property called “post-compromise security”. 2. Signal Protocol achieves it in addition to other security properties. 3. But there is more to investigate. [PCS] On Post-Compromise Security . Cohn-Gordon, Cremers and Garratt. CSF ‘16. ePrint link: ia.cr/2016/221. [Signal] A Formal Security Analysis of the Signal Messaging Protocol . Cohn-Gordon, Cremers, Dowling, Garratt, and Stebila. Euro S&P ‘17. ePrint link: ia.cr/2016/1013. 26

Recommend

Formal analysis of security models for critical systems: Virtualization platforms and mobile

Formal analysis of security models for critical systems: Virtualization platforms and mobile

Formal analysis of security models for critical systems: Virtualization platforms and mobile devices Carlos Luna Grupo de Seguridad Inform atica, InCo Facultad de Ingenier a, Universidad de la Rep ublica, Uruguay Formal analysis

751 views • 56 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA IIT Delhi, Fall 2010 Lecture 1: WriCng Secure Web ApplicaCons

472 views • 25 slides
Formal Security Analysis and Improvement of a hash-based

Formal Security Analysis and Improvement of a hash-based

Formal Security Analysis and Improvement of a hash-based NFC M-coupon Protocol Ali Alshehri and Steve Schneider Agenda Introduc?on. Approach

498 views • 25 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols Data handled by computers: Banking details Emails Messaging Adult websites Private files Mobile devices 2 Goal of dissertation Is the

758 views • 51 slides
Formal security analysis of authentication in an asynchronous communication model Bsc thesis

Formal security analysis of authentication in an asynchronous communication model Bsc thesis

Formal security analysis of authentication in an asynchronous communication model Bsc thesis presentation Jacob Wahlgren & Sam Hedin June 18 KTH 1 Outline Introduction Background Secure Data Sharing Methods Results Owner event

1.71k views • 124 slides
Security APIs ARSPA-WITS10 () Formal Analysis of Key Integrity in PKCS#11s 2 / 17 Security

Security APIs ARSPA-WITS10 () Formal Analysis of Key Integrity in PKCS#11s 2 / 17 Security

Formal Analysis of Key Integrity in PKCS#11 Andrea Falcone 1 Riccardo Focardi 1 1 Universit` a Ca Foscari di Venezia, Italy focardi@dsi.unive.it ARSPA-WITS10 Paphos, Cyprus March 27-28, 2010 Work partially supported by: Miur07

729 views • 17 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA Karthikeyan.Bhargavan@inria.fr IIT Delhi, Fall 2010 Lecture 4: Security

348 views • 34 slides
GR-INSPECTOR A SIGNAL ANALYSIS TOOLBOX FOR GNU RADIO MOTIVATION OF AUTOMATED SIGNAL ANALYSIS

GR-INSPECTOR A SIGNAL ANALYSIS TOOLBOX FOR GNU RADIO MOTIVATION OF AUTOMATED SIGNAL ANALYSIS

GR-INSPECTOR A SIGNAL ANALYSIS TOOLBOX FOR GNU RADIO MOTIVATION OF AUTOMATED SIGNAL ANALYSIS Spectrum Monitoring Explore real-world signals Easy access for beginners Live demodulation Batch processing of signals TASKS OF RECEIVING UNKNOWN

626 views • 16 slides
Methods and tools for design time and runtime formal analysis of security protocols and web

Methods and tools for design time and runtime formal analysis of security protocols and web

Methods and tools for design time and runtime formal analysis of security protocols and web applications Marco Rocchetto REsearch Group in I nformation S ecurity Department of Computer Science University of Verona, Italy Verona, May 8, 2015

731 views • 62 slides
Topics in Security: Forensic Signal Analysis Markus Kuhn, Andrew Lewis Computer Laboratory

Topics in Security: Forensic Signal Analysis Markus Kuhn, Andrew Lewis Computer Laboratory

Fact or fiction? Topics in Security: Forensic Signal Analysis Markus Kuhn, Andrew Lewis Computer Laboratory http://www.cl.cam.ac.uk/teaching/0910/R08/ Michaelmas 2009 MPhil ACS Hans D. Baumann, DOCMA 3 Real Introductory examples:

491 views • 7 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA Karthikeyan.Bhargavan@inria.fr IIT Delhi, Fall 2010 Lecture 3: Coding

527 views • 36 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA Karthikeyan.Bhargavan@inria.fr IIT Delhi, Fall 2010 Lecture 7: Using

393 views • 38 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA Karthikeyan.Bhargavan@inria.fr IIT Delhi, Fall 2010 Lecture 2: A

530 views • 41 slides
ELG3 1 2 5 Signal and System Analysis Lab2: Signal Manipulation and Graphics TA: Jungang Liu

ELG3 1 2 5 Signal and System Analysis Lab2: Signal Manipulation and Graphics TA: Jungang Liu

ELG3 1 2 5 Signal and System Analysis Lab2: Signal Manipulation and Graphics TA: Jungang Liu School of Information Technology and Engineering (SITE) Outline 1. Periodic Signals 2. Signal Combination 3. Matlab Graphing

376 views • 20 slides
Video eavesdropping- RF Y.K. Roland Tai 1. Introduction 2. History of TEMPEST 3. Type of RF

Video eavesdropping- RF Y.K. Roland Tai 1. Introduction 2. History of TEMPEST 3. Type of RF

11/8/2009 Security : Forensic Signal Analysis: MPHIL ACS 2009 Security : Forensic Signal Analysis Video eavesdropping- RF Y.K. Roland Tai 1. Introduction 2. History of TEMPEST 3. Type of RF leakages 4. Counter-measures. 5. Experiment &

828 views • 23 slides
Context Generation from Formal Specifications for C Analysis Tools Michele Alberti 1 Julien

Context Generation from Formal Specifications for C Analysis Tools Michele Alberti 1 Julien

Context Generation from Formal Specifications for C Analysis Tools Michele Alberti 1 Julien Signoles 2 1 TrustInSoft 2 CEA LIST, Software Reliability and Security Laboratory LOPSTR 2017, Namur, Belgium 1 Code Analysis Tools Effective enough

575 views • 35 slides
Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal

Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal

Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal verification uses algorithms to rigorously prove properties of hardware or software design. 20 years ago, we had the FDIV bug: 42.0 / 7.0 = 8.0 Formal

576 views • 6 slides
Secure Messaging Lecture 23 Messaging Alice Bob Secure Messaging Corruption model

Secure Messaging Lecture 23 Messaging Alice Bob Secure Messaging Corruption model

Secure Messaging Lecture 23 Messaging Alice Bob Secure Messaging Corruption model Server/network is adversarial (but trusted identity registration needed) Windows of compromise when a party is under adversarial control (or readable

933 views • 14 slides
Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Formal Methods Assurance for TTP John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Formal Methods Assurance for TTP: 1 Formal Methods for Analysis and Assurance: The Idea Testing/Simulation Formal

200 views • 6 slides
Formal Security Analysis of Smart Embedded Systems Farid Molazem, Farid Molazem,

Formal Security Analysis of Smart Embedded Systems Farid Molazem, Farid Molazem,

Formal Security Analysis of Smart Embedded Systems Farid Molazem, Farid Molazem, Karthik Karthik Pattabiraman Pattabiraman Dependable Systems Lab University of British Columbia Internet of Things Real attacks against

344 views • 22 slides
Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking, Theorem Proving SMT Solving, Abstraction, and Static Analysis With SAL, PVS, and Yices, and more John Rushby Computer Science Laboratory SRI

1.89k views • 161 slides
Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal

Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal

Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal and Automated Theorem Proving and Applications. Belgrade, February 3-4, 2012. Marko Malikovi Mirko ubrilo Predrag Janii Faculty of Humanities

406 views • 27 slides
Modeling and Analysis of Security for Human Centric Systems Florian Kammller Middlesex

Modeling and Analysis of Security for Human Centric Systems Florian Kammller Middlesex

Modeling and Analysis of Security for Human Centric Systems Florian Kammller Middlesex University London & TU Berlin Assessment of ICT Security Risks in Socio-Technical Systems16, 16. November 2016 Formal Models for Insider Threat

97 views • 9 slides

More recommend