Keys to the Cloud Application-level encryption Bansal, Bhargavan, Delignat-Lavaud, Maffeis The pros ◮ Data stored encrypted server-side ◮ Decryption and data handling all in the Application-level browser (good publicity) Crypto on the Web Motivations ◮ Server may not know user’s key/password Formal analysis of cryptographic web applications ◮ ... almost no server-side computation Protocols of cryptographic web applications Generic encrypted storage The cons protocol Web encrypted cloud storage Web attacker model ◮ Web client is even more critical (long term key Formal verification storage/caching) WebSpi model ConfiChair ◮ ...but still as easy to attack SpiderOak 1Password ◮ Chicken-egg problem of decryption and Web attacks on encrypted cloud application scripts storage ∨ 3 / 46
Keys to the Cloud Application-level encryption Bansal, Bhargavan, Delignat-Lavaud, Maffeis The pros ◮ Data stored encrypted server-side ◮ Decryption and data handling all in the Application-level browser (good publicity) Crypto on the Web Motivations ◮ Server may not know user’s key/password Formal analysis of cryptographic web applications ◮ ... almost no server-side computation Protocols of cryptographic web applications Generic encrypted storage The cons protocol Web encrypted cloud storage Web attacker model ◮ Web client is even more critical (long term key Formal verification storage/caching) WebSpi model ConfiChair ◮ ...but still as easy to attack SpiderOak 1Password ◮ Chicken-egg problem of decryption and Web attacks on encrypted cloud application scripts storage ∨ 3 / 46
Keys to the Cloud Application-level encryption Bansal, Bhargavan, Delignat-Lavaud, Maffeis The pros ◮ Data stored encrypted server-side ◮ Decryption and data handling all in the Application-level browser (good publicity) Crypto on the Web Motivations ◮ Server may not know user’s key/password Formal analysis of cryptographic web applications ◮ ... almost no server-side computation Protocols of cryptographic web applications Generic encrypted storage The cons protocol Web encrypted cloud storage Web attacker model ◮ Web client is even more critical (long term key Formal verification storage/caching) WebSpi model ConfiChair ◮ ...but still as easy to attack SpiderOak 1Password ◮ Chicken-egg problem of decryption and Web attacks on encrypted cloud application scripts storage ∨ 3 / 46
Keys to the Cloud Application-level encryption Bansal, Bhargavan, Delignat-Lavaud, Maffeis The pros ◮ Data stored encrypted server-side ◮ Decryption and data handling all in the Application-level browser (good publicity) Crypto on the Web Motivations ◮ Server may not know user’s key/password Formal analysis of cryptographic web applications ◮ ... almost no server-side computation Protocols of cryptographic web applications Generic encrypted storage The cons protocol Web encrypted cloud storage Web attacker model ◮ Web client is even more critical (long term key Formal verification storage/caching) WebSpi model ConfiChair ◮ ...but still as easy to attack SpiderOak 1Password ◮ Chicken-egg problem of decryption and Web attacks on encrypted cloud application scripts storage ∨ 3 / 46
Keys to the Cloud Application-level encryption Bansal, Bhargavan, Delignat-Lavaud, Maffeis The pros ◮ Data stored encrypted server-side ◮ Decryption and data handling all in the Application-level browser (good publicity) Crypto on the Web Motivations ◮ Server may not know user’s key/password Formal analysis of cryptographic web applications ◮ ... almost no server-side computation Protocols of cryptographic web applications Generic encrypted storage The cons protocol Web encrypted cloud storage Web attacker model ◮ Web client is even more critical (long term key Formal verification storage/caching) WebSpi model ConfiChair ◮ ...but still as easy to attack SpiderOak 1Password ◮ Chicken-egg problem of decryption and Web attacks on encrypted cloud application scripts storage ∨ 3 / 46
Keys to the Cloud Application-level encryption Bansal, Bhargavan, Delignat-Lavaud, Maffeis Name Key Derivation Encryption Integrity Metadata Integrity Sharing ✦ ✦ (PKI) Application-level Wuala PBKDF2 AES, RSA HMAC Crypto on the Web ✦ ✦ SpiderOak PBKDF2 AES, RSA HMAC ★ ★ Motivations BoxCryptor PBKDF2 AES None Formal analysis of cryptographic ★ ✦ (PKI) CloudFogger PBKDF2 AES, RSA None web applications ★ ✦ 1Password PBKDF2-SHA1 AES None Protocols of ★ ✦ LastPass PBKDF2-SHA256 AES, RSA None cryptographic web ✦ ✦ PassPack SHA256 AES None applications ★ ✦ RoboForm PBKDF2 AES, DES None ✦ ★ Generic encrypted storage Clipperz SHA256 AES SHA256 protocol ✦ ✦ (PKI) ConfiChair PBKDF2 RSA, AES SHA1 Web encrypted cloud storage Helios N/A El Gamal SHA256 Zero-Knowledge Proof N/A Web attacker model Formal verification Table : Example encrypted web storage applications WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 4 / 46
Formal analysis of cryptographic web Keys to the Cloud Bansal, Bhargavan, applications Delignat-Lavaud, Maffeis Research questions Application-level Crypto on the Web ◮ Can a web attack be used to break a Motivations Formal analysis of cryptographic web applications provably secure protocol? Protocols of cryptographic web ◮ Can cryptography be used to prevent or applications mitigate web attacks? Generic encrypted storage protocol Web encrypted cloud storage ◮ Can we build a formal model that covers Web attacker model Formal verification both the cryptographic and web protocols of WebSpi model an application? ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 5 / 46
Formal analysis of cryptographic web Keys to the Cloud Bansal, Bhargavan, applications Delignat-Lavaud, Maffeis Research questions Application-level Crypto on the Web ◮ Can a web attack be used to break a Motivations Formal analysis of cryptographic web applications provably secure protocol? Protocols of cryptographic web ◮ Can cryptography be used to prevent or applications mitigate web attacks? Generic encrypted storage protocol Web encrypted cloud storage ◮ Can we build a formal model that covers Web attacker model Formal verification both the cryptographic and web protocols of WebSpi model an application? ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 5 / 46
Formal analysis of cryptographic web Keys to the Cloud Bansal, Bhargavan, applications Delignat-Lavaud, Maffeis Research questions Application-level Crypto on the Web ◮ Can a web attack be used to break a Motivations Formal analysis of cryptographic web applications provably secure protocol? Protocols of cryptographic web ◮ Can cryptography be used to prevent or applications mitigate web attacks? Generic encrypted storage protocol Web encrypted cloud storage ◮ Can we build a formal model that covers Web attacker model Formal verification both the cryptographic and web protocols of WebSpi model an application? ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 5 / 46
Keys to the Cloud Previous works Bansal, Bhargavan, Delignat-Lavaud, Maffeis Chetan Bansal, Karthikeyan Bhargavan and Sergio Maffeis Application-level Crypto on the Web Discovering Concrete Attacks on Website Motivations Formal analysis of cryptographic Authrorization by Formal Analysis web applications CSF 2012 Protocols of cryptographic web applications Antoine Delignat-Lavaud and Karthikeyan Generic encrypted storage protocol Bhargavan Web encrypted cloud storage Web attacker model Web-based attacks on host-proof encrypted Formal verification storage WebSpi model ConfiChair WOOT, Usenix 2012 SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 6 / 46
Keys to the Cloud This work Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web Motivations Combine extended website model (WebSpi) with Formal analysis of cryptographic web applications protocol model to find attacks on cryptographic Protocols of cryptographic web web applications. applications Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 7 / 46
Keys to the Cloud Generic encrypted storage protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis Components Application-level Crypto on the Web ◮ u uses app a synchronized with server b Motivations Formal analysis of cryptographic ◮ u has passphrase p , encryption/mac keys K web applications and K ′ and shared secret s u , b derived from p Protocols of cryptographic web applications ◮ a uses a set of db = ( m , Enc K ( x ) , Mac K ′ ( x )) Generic encrypted storage protocol ◮ a and b keep db synchronized with Sync and Web encrypted cloud storage Web attacker model Update Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 8 / 46
Keys to the Cloud Generic encrypted storage protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis Components Application-level Crypto on the Web ◮ u uses app a synchronized with server b Motivations Formal analysis of cryptographic ◮ u has passphrase p , encryption/mac keys K web applications and K ′ and shared secret s u , b derived from p Protocols of cryptographic web applications ◮ a uses a set of db = ( m , Enc K ( x ) , Mac K ′ ( x )) Generic encrypted storage protocol ◮ a and b keep db synchronized with Sync and Web encrypted cloud storage Web attacker model Update Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 8 / 46
Keys to the Cloud Generic encrypted storage protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis Components Application-level Crypto on the Web ◮ u uses app a synchronized with server b Motivations Formal analysis of cryptographic ◮ u has passphrase p , encryption/mac keys K web applications and K ′ and shared secret s u , b derived from p Protocols of cryptographic web applications ◮ a uses a set of db = ( m , Enc K ( x ) , Mac K ′ ( x )) Generic encrypted storage protocol ◮ a and b keep db synchronized with Sync and Web encrypted cloud storage Web attacker model Update Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 8 / 46
Keys to the Cloud Generic encrypted storage protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis Components Application-level Crypto on the Web ◮ u uses app a synchronized with server b Motivations Formal analysis of cryptographic ◮ u has passphrase p , encryption/mac keys K web applications and K ′ and shared secret s u , b derived from p Protocols of cryptographic web applications ◮ a uses a set of db = ( m , Enc K ( x ) , Mac K ′ ( x )) Generic encrypted storage protocol ◮ a and b keep db synchronized with Sync and Web encrypted cloud storage Web attacker model Update Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 8 / 46
Keys to the Cloud Synchronize protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic web applications Login ( u , s u , b ); Get ( m ) Protocols of cryptographic web Data ( m , e , h ) applications Generic encrypted storage protocol Web encrypted cloud storage Web attacker model ( m , e , h ) Formal verification Mac K ′ ( m , e ) = h WebSpi model ConfiChair SpiderOak store[u] 1Password local db = ( m , e , h ) Web attacks on encrypted cloud storage ∨ 9 / 46
Keys to the Cloud Synchronize protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic web applications Login ( u , s u , b ); Get ( m ) Protocols of cryptographic web Data ( m , e , h ) applications Generic encrypted storage protocol Web encrypted cloud storage Web attacker model ( m , e , h ) Formal verification Mac K ′ ( m , e ) = h WebSpi model ConfiChair SpiderOak store[u] 1Password local db = ( m , e , h ) Web attacks on encrypted cloud storage ∨ 9 / 46
Keys to the Cloud Synchronize protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic web applications Login ( u , s u , b ); Get ( m ) Protocols of cryptographic web Data ( m , e , h ) applications Generic encrypted storage protocol Web encrypted cloud storage Web attacker model ( m , e , h ) Formal verification Mac K ′ ( m , e ) = h WebSpi model ConfiChair SpiderOak store[u] 1Password local db = ( m , e , h ) Web attacks on encrypted cloud storage ∨ 9 / 46
Keys to the Cloud Synchronize protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic Login ( u , s u , b ); Get ( m ) web applications Protocols of cryptographic web Data ( m , e , h ) applications Generic encrypted storage protocol Web encrypted cloud storage ( m , e , h ) Web attacker model Mac K ′ ( m , e ) = h Formal verification store[u] WebSpi model ConfiChair SpiderOak local db = ( m , e , h ) 1Password Web attacks on encrypted cloud storage ∨ 9 / 46
Keys to the Cloud Synchronize protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic Login ( u , s u , b ); Get ( m ) web applications Protocols of cryptographic web Data ( m , e , h ) applications Generic encrypted storage protocol Web encrypted cloud storage ( m , e , h ) Web attacker model Mac K ′ ( m , e ) = h Formal verification store[u] WebSpi model ConfiChair SpiderOak local db = ( m , e , h ) 1Password Web attacks on encrypted cloud storage ∨ 9 / 46
Keys to the Cloud Synchronize protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic Login ( u , s u , b ); Get ( m ) web applications Protocols of cryptographic web Data ( m , e , h ) applications Generic encrypted storage protocol Web encrypted cloud storage ( m , e , h ) Web attacker model Mac K ′ ( m , e ) = h Formal verification store[u] WebSpi model ConfiChair SpiderOak local db = ( m , e , h ) 1Password Web attacks on encrypted cloud storage ∨ 9 / 46
Keys to the Cloud Update protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic Login ( u , s u , b ); web applications Protocols of cryptographic web applications Up ( m , Enc K ( x ) , Mac K ′ ( x )) Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak store[u] 1Password Updated ( m , x ) Web attacks on encrypted cloud storage ∨ 10 / 46
Keys to the Cloud Update protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic Login ( u , s u , b ); web applications Protocols of cryptographic web applications Up ( m , Enc K ( x ) , Mac K ′ ( x )) Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak store[u] 1Password Updated ( m , x ) Web attacks on encrypted cloud storage ∨ 10 / 46
Keys to the Cloud Update protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic Login ( u , s u , b ); web applications Protocols of cryptographic web applications Up ( m , Enc K ( x ) , Mac K ′ ( x )) Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak store[u] 1Password Updated ( m , x ) Web attacks on encrypted cloud storage ∨ 10 / 46
Keys to the Cloud Update protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic Login ( u , s u , b ); web applications Protocols of cryptographic web applications Up ( m , Enc K ( x ) , Mac K ′ ( x )) Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak store[u] 1Password Updated ( m , x ) Web attacks on encrypted cloud storage ∨ 10 / 46
Keys to the Cloud Update protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Login ( u , s u , b ); Formal analysis of cryptographic web applications Protocols of cryptographic web Up ( m , Enc K ( x ) , Mac K ′ ( x )) applications Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification store[u] WebSpi model ConfiChair SpiderOak Updated ( m , x ) 1Password Web attacks on encrypted cloud storage ∨ 10 / 46
Keys to the Cloud Attacker model Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web Attacker model Motivations Formal analysis of cryptographic ◮ comprimised server web applications Protocols of ◮ network attacker cryptographic web applications ◮ stolen/hijacked device Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 11 / 46
Keys to the Cloud Web login protocol Bansal, Bhargavan, Delignat-Lavaud, Web Login and Key Derivation: Login ( u , p , b ) Maffeis user on browser a navigates to ❤tt♣s✿✴✴❜✴❧♦❣✐♥ a and b establish TLS connection c : TLS → b ( − ) , TLS ← b ( − ) c c TLS → b ( Request ( ✴❧♦❣✐♥ )) 1. a → b c TLS ← b ( Response ( LoginForm )) 2. b → a c Application-level user enters username u and passphrase p Crypto on the Web a derives and stores K = kdf p A u iter , K ′ = kdf p B u iter Motivations Formal analysis of cryptographic a derives secret u , b = kdf p C u iter web applications TLS → b ( Request ( ✴❧♦❣✐♥ , ✉s❡r = ✉ & s❡❝r❡t = secret u , b )) 3. a → b Protocols of c cryptographic web b verifies that s❡❝r❡t = secret u , b applications b generates a cookie sid u , b Generic encrypted storage b stores ( sid u , b , u ) protocol Web encrypted cloud storage TLS ← b ( Response [ sid u , b ]( LoginSuccess ())) 4. b → a Web attacker model c a stores ( b , sid u , b ) Formal verification WebSpi model ConfiChair SpiderOak 1Password In the browser Web attacks on ◮ Need to store K and K ′ encrypted cloud storage ◮ Cookie-based session [ sid u , b ] ∨ 12 / 46
Keys to the Cloud Cryptography in the browser Bansal, Bhargavan, Delignat-Lavaud, Maffeis Browser crypto and key storage Application-level Crypto on the Web ◮ JS crypto considered harmful Motivations Formal analysis of cryptographic web applications ◮ Some services (SpiderOak) just cache the Protocols of cryptographic web passphrase on the server applications Generic encrypted storage ◮ sessionStorage exposes keys to full origin protocol Web encrypted cloud storage ◮ DJS and WebCryptoAPI can help Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 13 / 46
Keys to the Cloud Cryptography in the browser Bansal, Bhargavan, Delignat-Lavaud, Maffeis Browser crypto and key storage Application-level Crypto on the Web ◮ JS crypto considered harmful Motivations Formal analysis of cryptographic web applications ◮ Some services (SpiderOak) just cache the Protocols of cryptographic web passphrase on the server applications Generic encrypted storage ◮ sessionStorage exposes keys to full origin protocol Web encrypted cloud storage ◮ DJS and WebCryptoAPI can help Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 13 / 46
Keys to the Cloud Cryptography in the browser Bansal, Bhargavan, Delignat-Lavaud, Maffeis Browser crypto and key storage Application-level Crypto on the Web ◮ JS crypto considered harmful Motivations Formal analysis of cryptographic web applications ◮ Some services (SpiderOak) just cache the Protocols of cryptographic web passphrase on the server applications Generic encrypted storage ◮ sessionStorage exposes keys to full origin protocol Web encrypted cloud storage ◮ DJS and WebCryptoAPI can help Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 13 / 46
Keys to the Cloud Cryptography in the browser Bansal, Bhargavan, Delignat-Lavaud, Maffeis Browser crypto and key storage Application-level Crypto on the Web ◮ JS crypto considered harmful Motivations Formal analysis of cryptographic web applications ◮ Some services (SpiderOak) just cache the Protocols of cryptographic web passphrase on the server applications Generic encrypted storage ◮ sessionStorage exposes keys to full origin protocol Web encrypted cloud storage ◮ DJS and WebCryptoAPI can help Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 13 / 46
Keys to the Cloud Cloud file storage Bansal, Bhargavan, Delignat-Lavaud, Maffeis User Application-level Crypto on the Web Motivations App Website Server authentication Formal analysis of cryptographic web applications Protocols of encrypted data cryptographic web applications decryption script Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification 3rd party release WebSpi model ConfiChair SpiderOak Decrypted Data 1Password Web attacks on encrypted cloud storage ∨ 14 / 46
Keys to the Cloud Cloud file storage Bansal, Bhargavan, Delignat-Lavaud, Maffeis User Application-level Crypto on the Web Motivations Formal analysis of cryptographic CSRF App Website web applications Server authentication Protocols of cryptographic web encrypted data applications Hacker Generic encrypted storage decryption script protocol Web encrypted cloud storage Web attacker model XSS Formal verification WebSpi model 3rd party release ConfiChair SpiderOak 1Password Decrypted Data Web attacks on encrypted cloud storage ∨ 14 / 46
Keys to the Cloud Cloud file storage Bansal, Bhargavan, Delignat-Lavaud, Maffeis User Application-level Crypto on the Web Motivations App Website Server authentication Formal analysis of cryptographic web applications Protocols of encrypted data cryptographic web applications malicious script Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification 3rd party release WebSpi model ConfiChair SpiderOak Decrypted Data Hacker 1Password Web attacks on encrypted cloud storage ∨ 14 / 46
Keys to the Cloud Cloud file storage Bansal, Bhargavan, Delignat-Lavaud, Maffeis User Application-level Crypto on the Web Motivations App Website Server authentication Formal analysis of cryptographic web applications Protocols of encrypted data cryptographic web applications malicious script Generic encrypted storage protocol Web encrypted cloud storage Web attacker model key Formal verification 3rd party release WebSpi model ConfiChair SpiderOak Decrypted Data Hacker 1Password Web attacks on encrypted cloud storage ∨ 14 / 46
Keys to the Cloud Cloud file storage Bansal, Bhargavan, Delignat-Lavaud, Maffeis Friends? User sharing Application-level Crypto on the Web Motivations App Website Server authentication Formal analysis of cryptographic web applications Protocols of encrypted data cryptographic web applications decryption script Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification 3rd party release WebSpi model ConfiChair SpiderOak Decrypted Data 1Password Web attacks on encrypted cloud storage ∨ 14 / 46
Keys to the Cloud Cloud file storage Bansal, Bhargavan, Delignat-Lavaud, Maffeis User Application-level Crypto on the Web Motivations App Website Server authentication Formal analysis of cryptographic web applications Protocols of encrypted data cryptographic web applications script Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification 3rd party release WebSpi model ConfiChair SpiderOak Decrypted Data 1Password Web attacks on encrypted cloud storage ∨ 14 / 46
Keys to the Cloud Release of plaintext Bansal, Bhargavan, Delignat-Lavaud, Maffeis Automatic Form Filling for Web Login: Fill ( b ) user on browser a navigates to ❤tt♣s✿✴✴❜✴❧♦❣✐♥ Application-level a and b establish TLS connection c : TLS → b ( − ) , TLS ← b Crypto on the Web ( − ) c c Motivations TLS → b ( Request ( ✴❧♦❣✐♥ )) 1. a → b Formal analysis of cryptographic c web applications TLS ← b ( Response ( LoginForm )) 2. b → a c Protocols of a triggers browser extension x with the current page hostname cryptographic web Lookup ( b ) 3. a → x applications x looks up encdb for ( b , e , h ) Generic encrypted storage protocol x checks that mac K ′ ( b , e ) = h Web encrypted cloud storage x computes ( u , p ) = decrypt K e Web attacker model Result ( b , u , p ) 4. x → a Formal verification a fills LoginForm with ( u , p ) WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 15 / 46
Keys to the Cloud Sharing by web link Bansal, Bhargavan, Delignat-Lavaud, Maffeis URL-based File Sharing: Share ( u , m ) Application-level Crypto on the Web user u sends to v the link Motivations U = ❤tt♣s✿✴✴❜✴❄✉s❡r❂ u ✫❢✐❧❡❂ m ✫❦❡②❂ K Formal analysis of cryptographic web applications user v on browser a navigates to U Protocols of TLS → b ( Request []( U )) 1. a → b cryptographic web c applications b retrieves storage [ u ] = ( m , e , h ) Generic encrypted storage b decrypts f = decrypt K e protocol TLS ← b Web encrypted cloud storage 2. b → a ( Response []( Download ( f ))) c Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 16 / 46
Keys to the Cloud Browser security model Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web Motivations Formal analysis of cryptographic web applications Protocols of cryptographic web applications Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 17 / 46
Keys to the Cloud Browser security model Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Same-Origin Policy Crypto on the Web Motivations Formal analysis of cryptographic Access control all based on same-origin policy web applications Protocols of (SOP) to isolate frames, cookies, ❧♦❝❛❧❙t♦r❛❣❡ ... cryptographic web applications Generic encrypted storage Origin = protocol + domain + port protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 18 / 46
Keys to the Cloud Web attacker model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ◮ Code delivery ◮ XSS: data interpreted as code in JavaScript or Application-level Crypto on the Web HTML ( ❡✈❛❧✱ ✐♥♥❡r❍❚▼▲ ) Motivations Formal analysis of cryptographic web applications ◮ Session hijacking Protocols of cryptographic web ◮ CSRF: URL-triggered action initiated on user’s applications behalf by 3rd party website (XO ✐❢r❛♠❡✱ ✐♠❣✱ Generic encrypted storage protocol Web encrypted cloud storage s❝r✐♣t ...) Web attacker model ◮ Open redirectors, phishing, framing and Formal verification WebSpi model clickjacking... ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 19 / 46
Keys to the Cloud Web attacker model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ◮ Code delivery ◮ XSS: data interpreted as code in JavaScript or Application-level Crypto on the Web HTML ( ❡✈❛❧✱ ✐♥♥❡r❍❚▼▲ ) Motivations Formal analysis of cryptographic web applications ◮ Session hijacking Protocols of cryptographic web ◮ CSRF: URL-triggered action initiated on user’s applications behalf by 3rd party website (XO ✐❢r❛♠❡✱ ✐♠❣✱ Generic encrypted storage protocol Web encrypted cloud storage s❝r✐♣t ...) Web attacker model ◮ Open redirectors, phishing, framing and Formal verification WebSpi model clickjacking... ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 19 / 46
Keys to the Cloud Web attacker model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ◮ Code delivery ◮ XSS: data interpreted as code in JavaScript or Application-level Crypto on the Web HTML ( ❡✈❛❧✱ ✐♥♥❡r❍❚▼▲ ) Motivations Formal analysis of cryptographic web applications ◮ Session hijacking Protocols of cryptographic web ◮ CSRF: URL-triggered action initiated on user’s applications behalf by 3rd party website (XO ✐❢r❛♠❡✱ ✐♠❣✱ Generic encrypted storage protocol Web encrypted cloud storage s❝r✐♣t ...) Web attacker model ◮ Open redirectors, phishing, framing and Formal verification WebSpi model clickjacking... ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 19 / 46
Keys to the Cloud Web attacker model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ◮ Code delivery ◮ XSS: data interpreted as code in JavaScript or Application-level Crypto on the Web HTML ( ❡✈❛❧✱ ✐♥♥❡r❍❚▼▲ ) Motivations Formal analysis of cryptographic web applications ◮ Session hijacking Protocols of cryptographic web ◮ CSRF: URL-triggered action initiated on user’s applications behalf by 3rd party website (XO ✐❢r❛♠❡✱ ✐♠❣✱ Generic encrypted storage protocol Web encrypted cloud storage s❝r✐♣t ...) Web attacker model ◮ Open redirectors, phishing, framing and Formal verification WebSpi model clickjacking... ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 19 / 46
Keys to the Cloud Web attacker model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ◮ Code delivery ◮ XSS: data interpreted as code in JavaScript or Application-level Crypto on the Web HTML ( ❡✈❛❧✱ ✐♥♥❡r❍❚▼▲ ) Motivations Formal analysis of cryptographic web applications ◮ Session hijacking Protocols of cryptographic web ◮ CSRF: URL-triggered action initiated on user’s applications behalf by 3rd party website (XO ✐❢r❛♠❡✱ ✐♠❣✱ Generic encrypted storage protocol Web encrypted cloud storage s❝r✐♣t ...) Web attacker model ◮ Open redirectors, phishing, framing and Formal verification WebSpi model clickjacking... ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 19 / 46
Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ProVerif ◮ Applied pi-calculus Application-level Crypto on the Web ◮ Computations = message-passing processes Motivations Formal analysis of cryptographic communicating over asynchronous named web applications channels Protocols of cryptographic web applications ◮ Public channels available to all processes Generic encrypted storage protocol ◮ Private channels only available to processes Web encrypted cloud storage Web attacker model that know the name Formal verification WebSpi model ◮ Processes can store and retrieve messages ConfiChair SpiderOak from local database 1Password Web attacks on encrypted cloud storage ∨ 20 / 46
Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ProVerif ◮ Applied pi-calculus Application-level Crypto on the Web ◮ Computations = message-passing processes Motivations Formal analysis of cryptographic communicating over asynchronous named web applications channels Protocols of cryptographic web applications ◮ Public channels available to all processes Generic encrypted storage protocol ◮ Private channels only available to processes Web encrypted cloud storage Web attacker model that know the name Formal verification WebSpi model ◮ Processes can store and retrieve messages ConfiChair SpiderOak from local database 1Password Web attacks on encrypted cloud storage ∨ 20 / 46
Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ProVerif ◮ Applied pi-calculus Application-level Crypto on the Web ◮ Computations = message-passing processes Motivations Formal analysis of cryptographic communicating over asynchronous named web applications channels Protocols of cryptographic web applications ◮ Public channels available to all processes Generic encrypted storage protocol ◮ Private channels only available to processes Web encrypted cloud storage Web attacker model that know the name Formal verification WebSpi model ◮ Processes can store and retrieve messages ConfiChair SpiderOak from local database 1Password Web attacks on encrypted cloud storage ∨ 20 / 46
Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ProVerif ◮ Applied pi-calculus Application-level Crypto on the Web ◮ Computations = message-passing processes Motivations Formal analysis of cryptographic communicating over asynchronous named web applications channels Protocols of cryptographic web applications ◮ Public channels available to all processes Generic encrypted storage protocol ◮ Private channels only available to processes Web encrypted cloud storage Web attacker model that know the name Formal verification WebSpi model ◮ Processes can store and retrieve messages ConfiChair SpiderOak from local database 1Password Web attacks on encrypted cloud storage ∨ 20 / 46
Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ProVerif ◮ Applied pi-calculus Application-level Crypto on the Web ◮ Computations = message-passing processes Motivations Formal analysis of cryptographic communicating over asynchronous named web applications channels Protocols of cryptographic web applications ◮ Public channels available to all processes Generic encrypted storage protocol ◮ Private channels only available to processes Web encrypted cloud storage Web attacker model that know the name Formal verification WebSpi model ◮ Processes can store and retrieve messages ConfiChair SpiderOak from local database 1Password Web attacks on encrypted cloud storage ∨ 20 / 46
Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis P , Q ::= process send M on channel a out(a,M);P receive message in X in(a,X);P Application-level Crypto on the Web insert M into table t insert(t,M);P Motivations retrieve table entry in X Formal analysis of cryptographic get(t,X) in P web applications fresh name with scope P new a;P Protocols of cryptographic web insert event in trace event e(M1,...,Mn);P applications Generic encrypted storage pattern matching let X=M in P protocol Web encrypted cloud storage conditional statement if p(M) then P else Q Web attacker model Formal verification run P and Q in parallel P|Q WebSpi model run unbounded number of ConfiChair !P SpiderOak copies of P in parallel 1Password Web attacks on encrypted cloud storage ∨ 21 / 46
Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis M , N , X ::= message Application-level Crypto on the Web channel,key,data,... a Motivations variable Formal analysis of cryptographic x web applications pair (M,N) Protocols of cryptographic web constructor or destructor f(M1,...,Mn) applications Generic encrypted storage f applied to M 1 , ..., Mn protocol Web encrypted cloud storage matching operator =M Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 22 / 46
Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis Symbolic cryptography Cryptographic algorithms = perfect black-boxes Application-level Crypto on the Web represented by constructors and destructors. Motivations Formal analysis of cryptographic web applications fun aenc(bitstring,symkey): bitstring. Protocols of cryptographic web reduc forall b:bitstring,k:symkey; adec(aenc(b,k),k) = b. applications Generic encrypted storage protocol Web encrypted cloud storage fun hash(bitstring) : bitstring. Web attacker model fun pk(privkey):pubkey. Formal verification WebSpi model fun sign(bitstring,privkey): bitstring. ConfiChair reduc forall b:bitstring,sk:privkey; verify(sign(b,sk),pk(sk)) = b. SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 23 / 46
Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis HTTP server ◮ implemented by HttpServer process ◮ possess private and public keys for TLS sessions in serverIdentities Application-level Crypto on the Web ◮ table also has server name flag xdr for XORS Motivations Formal analysis of cryptographic web applications Protocols of cryptographic web let HttpServer() = applications !in(net,(b:Browser,o:Origin,m:bitstring)); Generic encrypted storage protocol get serverIdentities(=o,pk_P,sk_P,xdrp) in Web encrypted cloud storage Web attacker model let (k:symkey,httpReq(u,hs,req)) = reqdec(o,m,sk_P) in Formal verification if origin(u) = o then WebSpi model let corr = mkCorrelator(k) in ConfiChair out(httpServerRequest,(u,hs,req,corr)); SpiderOak 1Password in(httpServerResponse, Web attacks on (=u,resp:HttpResponse,cookieOut:Cookie,=corr)); encrypted cloud storage out(net,(o,b,respenc(o,httpResp(resp,cookieOut,xdrp),k))). ∨ 24 / 46
Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis Browser ◮ implemented by HttpClient process identified by b and associated with a user Application-level Crypto on the Web ◮ handles user- and page-triggered requests Motivations Formal analysis of cryptographic and responses (including redirections) and web applications Protocols of their encryption/decryption cryptographic web applications ◮ browserRequest channel for URL bar, pageClick for Generic encrypted storage protocol links and included contents, ajaxRequest for Web encrypted cloud storage Web attacker model AJAX Formal verification WebSpi model ◮ cookies, local storage maintained in global ConfiChair SpiderOak table indexed by browser, origin and for 1Password cookies, path Web attacks on encrypted cloud storage ∨ 25 / 46
Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis HttpClient code for sending a request req to URI u from page p , with referrer ref and AJAX flag aj : Application-level let o = origin(u) in let p = path(u) in Crypto on the Web Motivations get cookies(=b,=o,=slash(),cs) in Formal analysis of cryptographic get cookies(=b,=o,=p,cp) in web applications Protocols of let header = headers(ref, cookiePair(cs,cp), aj) in cryptographic web get publicKey(=o,pk_host) in applications let m = httpReq(u,header,req) in Generic encrypted storage protocol let (k:symkey,e:bitstring) = reqenc(o,m,pk_host) in Web encrypted cloud storage Web attacker model out(net,(b, o, e)); Formal verification WebSpi model Headers include cookies cs for path “ ✴ " and cp for ConfiChair SpiderOak path p and the AJAX flag aj 1Password Web attacks on encrypted cloud storage ∨ 26 / 46
Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis Cookies ◮ can be accessed from the JS on a page from the private getCookieStorage and setCookieStorage channels Application-level Crypto on the Web ◮ can have the secure or HTTP-only flags Motivations Formal analysis of cryptographic web applications Protocols of JavaScript of page p on browser b wants to set cryptographic web applications cookies dc and store ns in local storage is: Generic encrypted storage protocol in (setCookieStorage(b),(p:Page,dc:Cookie,ns:Data)); Web encrypted cloud storage Web attacker model get pageOrigin(=p,o,h,ref) in get cookies(=b,=o,=h,ck) in Formal verification insert cookies(b,o,h, WebSpi model ConfiChair updatedomcookie(ck,securejs(dc),insecurejs(dc))); SpiderOak insert storage(b,o,ns) 1Password Web attacks on encrypted cloud updatedomcookie prevents JavaScript from storage updating HTTP-only cookies from ck . ∨ 27 / 46
Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Web client model Maffeis The client side of a web application is modeled by a process that accesses the browser channels pageClick , ajaxRequest , getCookieStorage and Application-level Crypto on the Web setCookieStorage Motivations Formal analysis of cryptographic web applications Attacker model Protocols of cryptographic web ◮ public network channel net enables the applications Generic encrypted storage standard Dolev-Yao network attacker protocol Web encrypted cloud storage Web attacker model ◮ a compromised server has its private key Formal verification released WebSpi model ConfiChair ◮ XSS and code injection attacks are modeled SpiderOak 1Password by a process AttackerProxy forwarding Web attacks on encrypted cloud messages from a public channel to the storage (normally secret) browser interface channels ∨ 28 / 46
Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis Verification Application-level Security goals written as correspondence Crypto on the Web assertions between user-defined events: Motivations Formal analysis of cryptographic web applications Protocols of ∀ M 1 , ... M k . e ( M 1 , ... M k ) ⇒ ϕ cryptographic web applications Generic encrypted storage protocol Incompleteness Web encrypted cloud storage Web attacker model WebSpi not an exhaustive browser model: it can Formal verification WebSpi model find attacks but not prove that no attack exists! ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 29 / 46
Keys to the Cloud Analysis of cloud storage services Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web Real-world applications Motivations Formal analysis of cryptographic ◮ ConfiChair: conference management service web applications Protocols of ◮ SpiderOak: encrypted cloud file storage cryptographic web applications ◮ 1password: password manager Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 30 / 46
Keys to the Cloud Analysis of cloud storage services Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web Real-world applications Motivations Formal analysis of cryptographic ◮ ConfiChair: conference management service web applications Protocols of ◮ SpiderOak: encrypted cloud file storage cryptographic web applications ◮ 1password: password manager Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 30 / 46
Keys to the Cloud Analysis of cloud storage services Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web Real-world applications Motivations Formal analysis of cryptographic ◮ ConfiChair: conference management service web applications Protocols of ◮ SpiderOak: encrypted cloud file storage cryptographic web applications ◮ 1password: password manager Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 30 / 46
Keys to the Cloud ConfiChair Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web Motivations Formal analysis of cryptographic web applications Protocols of cryptographic web applications Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 31 / 46
Keys to the Cloud ConfiChair login page Bansal, Bhargavan, Delignat-Lavaud, Login page Maffeis ◮ LoginApp : server listening for requests on ✴❧♦❣✐♥ ◮ LoginUserAgent : JS and HTML of login page. ◮ waits for user to type username and password Application-level Crypto on the Web ◮ derives credential and sends it with username Motivations Formal analysis of cryptographic to LoginApp over HTTPS web applications Protocols of cryptographic web applications let loginURI = uri(https(), confichair, loginPath(), noParams()) in Generic encrypted storage protocol out(browserRequest(b),(loginURI, httpGet())); Web encrypted cloud storage in (newPage(b),(p:Page,=loginURI,d:bitstring)); Web attacker model get userData(=confichair, uid, pwd, paper) in Formal verification WebSpi model let cred = kdf1(pwd) in ConfiChair in (getCookieStorage(b),(=p,cookiePair(cs,ch),od:Data)); SpiderOak 1Password out (setCookieStorage(b),(p,ch,storePassword(pwd))); Web attacks on event LoginInit(confichair, b, uid); encrypted cloud storage out(pageClick(b),(p,loginURI, httpPost(loginFormReply(uid,cred)))) ∨ 32 / 46
Keys to the Cloud ConfiChair conference pages Bansal, Bhargavan, Delignat-Lavaud, Conference pages Maffeis ◮ server-side ConferenceApp and client-side ConferenceUserAgent processes ◮ ConferencesUserAgent first retrieves user’s Application-level Crypto on the Web keypurse using AJAX Motivations Formal analysis of cryptographic ◮ keypurse decrypted with stored key and web applications Protocols of stored in local storage cryptographic web applications Generic encrypted storage protocol let keypurseURI = uri(https(), confichair, Web encrypted cloud storage Web attacker model keyPursePath(), nullParams()) in Formal verification out (ajaxRequest(b),(p,keypurseURI,httpGet())); WebSpi model in (ajaxResponse(b),(=p,=keypurseURI,JSON(x))); ConfiChair SpiderOak in (getCookieStorage(b), 1Password (=p,cookiePair(cs,ch),storePassword(pwd))); Web attacks on encrypted cloud let keypurse(k) = adec(x, kdf2(pwd)) in storage out (setCookieStorage(b),(p,ch,storeKeypurse(k)))) ∨ 33 / 46
Keys to the Cloud ConfiChair conference pages Bansal, Bhargavan, Delignat-Lavaud, Maffeis Conference pages Application-level At any point, user may request a paper to be Crypto on the Web downloaded and decrypted using key in keypurse Motivations Formal analysis of cryptographic web applications Protocols of let paperURI = uri(https(), h, paperPath(), nullParams()) in cryptographic web applications out (ajaxRequest(b),(p,paperURI,httpGet())); Generic encrypted storage protocol in (ajaxResponse(b),(=p,=paperURI,JSON(y))); Web encrypted cloud storage in (getCookieStorage(b), Web attacker model (=p,cookiePair(cs,ch),storeKeypurse(k))); Formal verification WebSpi model let paper = adec(y,k) in event PaperReceived(paper)) ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 34 / 46
Keys to the Cloud ConfiChair security goals Bansal, Bhargavan, Delignat-Lavaud, Maffeis Security goals ◮ Login authentication: Application-level Crypto on the Web event(LoginAuthorized(confichair,id,u,c)) Motivations Formal analysis of cryptographic ⇒ event(LoginInit(confichair,b,id)) web applications = Protocols of cryptographic web ◮ Secrecy of papers: applications Generic encrypted storage protocol in(paperChannel, paper:bitstring); Web encrypted cloud storage Web attacker model get userData(h, uId, k, =paper) in Formal verification event PaperLeak(uId,paper). WebSpi model query u:Id,p:bitstring; event(PaperLeak(id,p)) ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 35 / 46
Keys to the Cloud ConfiChair attacker Bansal, Bhargavan, Delignat-Lavaud, Maffeis XSS vulnerability in Role Page ❤tt♣✿✴✴❝♦♥❢✐❝❤❛✐r✳♦r❣✴❄s❡t✲r♦❧❡❂❁s❝r✐♣t❃❙❁✴s❝r✐♣t❃ Application-level Crypto on the Web If requested role is invalid, returned error page Motivations Formal analysis of cryptographic contains the unsanitized requested role name. web applications Protocols of In RoleUserAgent , the page identifier is released cryptographic web applications Generic encrypted storage protocol let roleURI = uri(https(), h, changeRolePath(), roleParams(x)) in Web encrypted cloud storage Web attacker model out(browserRequest(b),(roleURI, httpGet())); Formal verification in (newPage(b),(p:Page,=roleURI,y:bitstring)); WebSpi model out(pub, p) ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 36 / 46
Keys to the Cloud Result of verification Bansal, Bhargavan, Delignat-Lavaud, Maffeis Authentication goal is broken Attacker can read the user’s password from local Application-level Crypto on the Web storage and leak it to a malicious website Motivations Formal analysis of cryptographic web applications Protocols of Paper privacy is broken cryptographic web applications Attacker can read the paper decryption key from Generic encrypted storage protocol Web encrypted cloud storage local storage and leak it to a malicious website Web attacker model Formal verification ... in previous ProVerif analysis, same goals were WebSpi model ConfiChair valid against cloud attacker model. SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 37 / 46
Keys to the Cloud Fixing ConfiChair Bansal, Bhargavan, Delignat-Lavaud, Maffeis Attack mitigation ◮ Can fix XSS, but there could be others Application-level Crypto on the Web ◮ Stored derived key rather than password Motivations Formal analysis of cryptographic ◮ Re-encrypt keypurse in local storage using web applications Protocols of fresh key set by server in secure cookie only cryptographic web applications on paths that require the keypurse Generic encrypted storage protocol ◮ Solution requires tricks not covered by WebSpi Web encrypted cloud storage Web attacker model to actually work (block same-origin framing Formal verification and AJAX). WebSpi model ConfiChair SpiderOak ◮ Proper solution is to use DJS 1Password Web attacks on encrypted cloud storage ∨ 38 / 46
Keys to the Cloud Fixing ConfiChair Bansal, Bhargavan, Delignat-Lavaud, Maffeis Attack mitigation ◮ Can fix XSS, but there could be others Application-level Crypto on the Web ◮ Stored derived key rather than password Motivations Formal analysis of cryptographic ◮ Re-encrypt keypurse in local storage using web applications Protocols of fresh key set by server in secure cookie only cryptographic web applications on paths that require the keypurse Generic encrypted storage protocol ◮ Solution requires tricks not covered by WebSpi Web encrypted cloud storage Web attacker model to actually work (block same-origin framing Formal verification and AJAX). WebSpi model ConfiChair SpiderOak ◮ Proper solution is to use DJS 1Password Web attacks on encrypted cloud storage ∨ 38 / 46
Keys to the Cloud Fixing ConfiChair Bansal, Bhargavan, Delignat-Lavaud, Maffeis Attack mitigation ◮ Can fix XSS, but there could be others Application-level Crypto on the Web ◮ Stored derived key rather than password Motivations Formal analysis of cryptographic ◮ Re-encrypt keypurse in local storage using web applications Protocols of fresh key set by server in secure cookie only cryptographic web applications on paths that require the keypurse Generic encrypted storage protocol ◮ Solution requires tricks not covered by WebSpi Web encrypted cloud storage Web attacker model to actually work (block same-origin framing Formal verification and AJAX). WebSpi model ConfiChair SpiderOak ◮ Proper solution is to use DJS 1Password Web attacks on encrypted cloud storage ∨ 38 / 46
Keys to the Cloud Fixing ConfiChair Bansal, Bhargavan, Delignat-Lavaud, Maffeis Attack mitigation ◮ Can fix XSS, but there could be others Application-level Crypto on the Web ◮ Stored derived key rather than password Motivations Formal analysis of cryptographic ◮ Re-encrypt keypurse in local storage using web applications Protocols of fresh key set by server in secure cookie only cryptographic web applications on paths that require the keypurse Generic encrypted storage protocol ◮ Solution requires tricks not covered by WebSpi Web encrypted cloud storage Web attacker model to actually work (block same-origin framing Formal verification and AJAX). WebSpi model ConfiChair SpiderOak ◮ Proper solution is to use DJS 1Password Web attacks on encrypted cloud storage ∨ 38 / 46
Keys to the Cloud Fixing ConfiChair Bansal, Bhargavan, Delignat-Lavaud, Maffeis Attack mitigation ◮ Can fix XSS, but there could be others Application-level Crypto on the Web ◮ Stored derived key rather than password Motivations Formal analysis of cryptographic ◮ Re-encrypt keypurse in local storage using web applications Protocols of fresh key set by server in secure cookie only cryptographic web applications on paths that require the keypurse Generic encrypted storage protocol ◮ Solution requires tricks not covered by WebSpi Web encrypted cloud storage Web attacker model to actually work (block same-origin framing Formal verification and AJAX). WebSpi model ConfiChair SpiderOak ◮ Proper solution is to use DJS 1Password Web attacks on encrypted cloud storage ∨ 38 / 46
Keys to the Cloud SpiderOak Bansal, Bhargavan, Delignat-Lavaud, Maffeis User Application-level Crypto on the Web Motivations Formal analysis of cryptographic web applications Protocols of SpiderOak Attacker Server cryptographic web applications JSONP query session Generic encrypted storage protocol Web encrypted cloud storage JSON listing JSON listing Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 39 / 46
Keys to the Cloud SpiderOak Bansal, Bhargavan, Delignat-Lavaud, Maffeis User Application-level Crypto on the Web Motivations Formal analysis of cryptographic web applications Protocols of SpiderOak Attacker Server cryptographic web applications JSONP query session Generic encrypted storage protocol Web encrypted cloud storage JSON listing JSON listing Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 39 / 46
Keys to the Cloud SpiderOak Bansal, Bhargavan, Delignat-Lavaud, Maffeis User Application-level Crypto on the Web Motivations Formal analysis of cryptographic web applications Protocols of SpiderOak Attacker Server cryptographic web applications JSONP query session Generic encrypted storage protocol Web encrypted cloud storage JSON listing JSON listing Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 39 / 46
Keys to the Cloud SpiderOak Bansal, Bhargavan, Delignat-Lavaud, Maffeis Query ❤tt♣s✿✴✴s♣✐❞❡r♦❛❦✳❝♦♠✴st♦r❛❣❡✴❁✉✸✷❃✴❄❝❛❧❧❜❛❝❦❂❢ Application-level Result Crypto on the Web Motivations ❢✭④ Formal analysis of cryptographic web applications ✧st❛ts✧✿ ④ Protocols of cryptographic web ✧❢✐rst♥❛♠❡✧✿ ✧✳✳✳✧✱ applications Generic encrypted storage ✧❧❛st♥❛♠❡✧✿ ✧✳✳✳✧✱ protocol Web encrypted cloud storage ✧❞❡✈✐❝❡s✧✿ ✳✳✳✱ Web attacker model ⑥✱ Formal verification WebSpi model ✧❞❡✈✐❝❡s✧✿ ❬ ConfiChair SpiderOak ❬✧♣❝✶✧✱ ✧♣❝✶✴✧❪✱❬✧❧❛♣t♦♣✧✱ ✧❧❛♣t♦♣✴✧❪✱✳✳✳ 1Password ❪ Web attacks on encrypted cloud ⑥✮ storage ∨ 40 / 46
Keys to the Cloud SpiderOak Bansal, Bhargavan, Delignat-Lavaud, Maffeis Query ❤tt♣s✿✴✴s♣✐❞❡r♦❛❦✳❝♦♠✴st♦r❛❣❡✴❁✉✸✷❃✴s❤❛r❡s Application-level Result Crypto on the Web Motivations ④ Formal analysis of cryptographic web applications ✧s❤❛r❡❴r♦♦♠s✧ ✿ ❬ Protocols of cryptographic web ✧✉r❧✧ ✿ ✧✴❜r♦✇s❡✴s❤❛r❡✴❁✐❞❃✴❁❦❡②❃✧✱ applications Generic encrypted storage ✧r♦♦♠❴❦❡②✧ ✿ ✧❁❦❡②❃✧✱ protocol Web encrypted cloud storage ✧r♦♦♠❴❞❡s❝r✐♣t✐♦♥✧ ✿ ✧✧ ✱ Web attacker model ✧r♦♦♠❴♥❛♠❡✧✿ ✧❁r♦♦♠❃✧ Formal verification WebSpi model ❪✱ ConfiChair SpiderOak ✧s❤❛r❡❴✐❞✧ ✿ ✧❁✐❞❃✧✱ 1Password ✧s❤❛r❡❴✐❞❴❜✸✷✧ ✿ ✧❁✉✸✷❃✧ Web attacks on encrypted cloud ⑥ storage ∨ 41 / 46
Keys to the Cloud WebSpi model: SpiderOak Bansal, Bhargavan, Delignat-Lavaud, SpiderOak model Maffeis ◮ Share rooms (implementing the link sharing protocol) use AJAX to retrieve share keys stored on server Application-level ◮ ❙❤❛r❡❞❘♦♦♠❆♣♣ process models JSONP by Crypto on the Web Motivations leaking its own content Formal analysis of cryptographic web applications ◮ CSRF is modeled by the application and Protocols of cryptographic web login/session design applications Generic encrypted storage protocol ◮ File secrecy fails due to decryption keys of Web encrypted cloud storage Web attacker model shared files being leaked Formal verification WebSpi model ConfiChair Mitigation SpiderOak 1Password Besides the CSRF/JSONP problem, the attack is Web attacks on encrypted cloud made possible by bad management of the storage sharing keys. ∨ 42 / 46
Keys to the Cloud WebSpi model: SpiderOak Bansal, Bhargavan, Delignat-Lavaud, SpiderOak model Maffeis ◮ Share rooms (implementing the link sharing protocol) use AJAX to retrieve share keys stored on server Application-level ◮ ❙❤❛r❡❞❘♦♦♠❆♣♣ process models JSONP by Crypto on the Web Motivations leaking its own content Formal analysis of cryptographic web applications ◮ CSRF is modeled by the application and Protocols of cryptographic web login/session design applications Generic encrypted storage protocol ◮ File secrecy fails due to decryption keys of Web encrypted cloud storage Web attacker model shared files being leaked Formal verification WebSpi model ConfiChair Mitigation SpiderOak 1Password Besides the CSRF/JSONP problem, the attack is Web attacks on encrypted cloud made possible by bad management of the storage sharing keys. ∨ 42 / 46
Keys to the Cloud WebSpi model: SpiderOak Bansal, Bhargavan, Delignat-Lavaud, SpiderOak model Maffeis ◮ Share rooms (implementing the link sharing protocol) use AJAX to retrieve share keys stored on server Application-level ◮ ❙❤❛r❡❞❘♦♦♠❆♣♣ process models JSONP by Crypto on the Web Motivations leaking its own content Formal analysis of cryptographic web applications ◮ CSRF is modeled by the application and Protocols of cryptographic web login/session design applications Generic encrypted storage protocol ◮ File secrecy fails due to decryption keys of Web encrypted cloud storage Web attacker model shared files being leaked Formal verification WebSpi model ConfiChair Mitigation SpiderOak 1Password Besides the CSRF/JSONP problem, the attack is Web attacks on encrypted cloud made possible by bad management of the storage sharing keys. ∨ 42 / 46
Keys to the Cloud WebSpi model: SpiderOak Bansal, Bhargavan, Delignat-Lavaud, SpiderOak model Maffeis ◮ Share rooms (implementing the link sharing protocol) use AJAX to retrieve share keys stored on server Application-level ◮ ❙❤❛r❡❞❘♦♦♠❆♣♣ process models JSONP by Crypto on the Web Motivations leaking its own content Formal analysis of cryptographic web applications ◮ CSRF is modeled by the application and Protocols of cryptographic web login/session design applications Generic encrypted storage protocol ◮ File secrecy fails due to decryption keys of Web encrypted cloud storage Web attacker model shared files being leaked Formal verification WebSpi model ConfiChair Mitigation SpiderOak 1Password Besides the CSRF/JSONP problem, the attack is Web attacks on encrypted cloud made possible by bad management of the storage sharing keys. ∨ 42 / 46
Keys to the Cloud WebSpi model: SpiderOak Bansal, Bhargavan, Delignat-Lavaud, SpiderOak model Maffeis ◮ Share rooms (implementing the link sharing protocol) use AJAX to retrieve share keys stored on server Application-level ◮ ❙❤❛r❡❞❘♦♦♠❆♣♣ process models JSONP by Crypto on the Web Motivations leaking its own content Formal analysis of cryptographic web applications ◮ CSRF is modeled by the application and Protocols of cryptographic web login/session design applications Generic encrypted storage protocol ◮ File secrecy fails due to decryption keys of Web encrypted cloud storage Web attacker model shared files being leaked Formal verification WebSpi model ConfiChair Mitigation SpiderOak 1Password Besides the CSRF/JSONP problem, the attack is Web attacks on encrypted cloud made possible by bad management of the storage sharing keys. ∨ 42 / 46
Keys to the Cloud 1Password Bansal, Bhargavan, Delignat-Lavaud, Maffeis Friend google → bad User ❣♦♦❣❧❡✳❝♦♠ ❊◆❈✭✉✱ ♣✮ Application-level Crypto on the Web Motivations Formal analysis of cryptographic web applications 1Password Protocols of Content Server cryptographic web applications ❣♦♦❣❧❡✳❝♦♠ Generic encrypted storage protocol ❊◆❈✭✉✱ ♣✮ Web encrypted cloud storage Web attacker model Formal verification WebSpi model p ConfiChair SpiderOak p 1Password google.com Hacker Web attacks on encrypted cloud storage ∨ 43 / 46
Keys to the Cloud 1Password Bansal, Bhargavan, Delignat-Lavaud, Maffeis Friend google → bad User ❣♦♦❣❧❡✳❝♦♠ ❊◆❈✭✉✱ ♣✮ Application-level Crypto on the Web Motivations Formal analysis of cryptographic web applications 1Password Protocols of Content Server cryptographic web applications ❜❛❞✳❝♦♠ Generic encrypted storage protocol ❊◆❈✭✉✱ ♣✮ Web encrypted cloud storage Web attacker model Formal verification WebSpi model p ConfiChair SpiderOak p 1Password google.com Hacker Web attacks on encrypted cloud storage ∨ 43 / 46
Keys to the Cloud 1Password Bansal, Bhargavan, Delignat-Lavaud, Maffeis Friend google → bad User ❣♦♦❣❧❡✳❝♦♠ ❊◆❈✭✉✱ ♣✮ Application-level Crypto on the Web Motivations Formal analysis of cryptographic web applications 1Password Protocols of Content Server cryptographic web applications ❜❛❞✳❝♦♠ Generic encrypted storage protocol ❊◆❈✭✉✱ ♣✮ Web encrypted cloud storage Web attacker model Formal verification WebSpi model p ConfiChair SpiderOak p 1Password bad.com Hacker Web attacks on encrypted cloud storage ∨ 43 / 46
Recommend
More recommend