Secure RPC Protocol: Encrypt-Then-Sign

Encrypt messages with the recipient's public key; sign the ciphertexts with the sender's private key.

    A → B : {request}_pk(B),  sig{ {request}_pk(B) }_sk(A)
    B → A : {response}_pk(A), sig{ {response}_pk(A) }_sk(B)

Does this ensure message integrity? Sender authentication?

Karthikeyan Bhargavan (INRIA), Finding Attacks with Symbolic Analysis, February 2018 (slide 9 / 66)
Secure RPC Protocol: Replay Attacks

    A → B : {request}_pk(B),  sig{ {request}_pk(B) }_sk(A)
    B → A : {response}_pk(A), sig{ {response}_pk(A) }_sk(B)

What if request = "Transfer 1000 EUR to O"? The attacker O, impersonating A (written O(A)), replays the recorded message:

    O(A) → B : {request}_pk(B), sig{ {request}_pk(B) }_sk(A)
    O(A) → B : {request}_pk(B), sig{ {request}_pk(B) }_sk(A)
    O(A) → B : {request}_pk(B), sig{ {request}_pk(B) }_sk(A)

We can prevent such replays by incorporating a challenge-response nonce, or a timestamp, or both.
Secure RPC Protocol: Response Confidentiality

Suppose request contains the login/password for A's account, and response is A's current bank statement.

Does protocol 2 keep response confidential?

    A → B : {request}_pk(B),  sig{ {request}_pk(B) }_sk(A)
    B → A : {response}_pk(A), sig{ {response}_pk(A) }_sk(B)

No! We show a man-in-the-middle attack.
Protocol 2: Man-in-the-Middle Attack

Does protocol 2 keep response confidential?

    A → B : {request}_pk(B),  sig{ {request}_pk(B) }_sk(A)
    B → A : {response}_pk(A), sig{ {response}_pk(A) }_sk(B)

Suppose O intercepts A's request to B:

    A → O(B) : {request}_pk(B), sig{ {request}_pk(B) }_sk(A)

Then O replaces the signature with its own and forwards it:

    O → B : {request}_pk(B), sig{ {request}_pk(B) }_sk(O)

B thinks that this request came from O and responds with:

    B → O : {response}_pk(O), sig{ {response}_pk(O) }_sk(B)

Hence O obtains the secret response (the bank statement of A).

Exercise: Fix the protocol to protect response confidentiality.
Finding Attacks Systematically

Both attacks above are symbolic attacks that exploit logical flaws. How can we be confident that there are no other logical flaws? Can we formally prove that the protocol satisfies its security goals against all symbolic attackers?

To precisely state and prove such security theorems about cryptographic protocols, we need to move to a more formal setting.

- What does A → B : m mean? It specifies the message, but not what A and B must do.
- How do we specify security goals?
- How do we encode the threat model?
Formal Syntax and Semantics of ProVerif
ProVerif Syntax: a process calculus

Simplified version of the applied pi calculus [Abadi, Fournet, 2000].

Names: a, b, c, ... (used for keys, nonces, channels)

Messages: M, N, ...

    M, N, O ::=                              messages
        x, y, z                              variables
        a, b, c                              names
        f(M1, ..., Mn)                       constructor application

Processes: P, Q, R, ...

    P, Q, R ::=                              processes
        0                                    null process
        new a. P                             fresh name generation
        in(c, x). P                          message input (continue as P)
        out(c, M). P                         message output (continue as P)
        let x = g(M1, ..., Mn) in P else Q   destructor application
        if M = N then P else Q               conditional
        P | Q                                parallel composition
        !P                                   replication
Constructors and destructors

Two kinds of operations:
- Constructors f are used to build terms f(M1, ..., Mn).
- Destructors g manipulate terms: let x = g(M1, ..., Mn) in P else Q.

Destructors are defined by rewrite rules g(N1, ..., Nn) → N.
Examples of constructors and destructors

Shared-key encryption: {M}_K; one decrypts with the key K.
- Constructor: shared-key encryption enc(M, K).
- Destructor: decryption dec(M', K), defined by the rewrite rule dec(enc(x, y), y) → x.

Perfect encryption assumption: one can decrypt only if one has the key.
Examples of constructors and destructors (continued)

One-way hash function:
- Constructor: one-way hash function H(M).

This is a very idealized model of a hash function (it essentially corresponds to the random oracle model).
Examples of constructors and destructors (continued)

Tuples:
- Constructor: tuple (M1, ..., Mn).
- Destructors: projections i-th(M), defined by i-th((x1, ..., xn)) → xi.

Tuples are used to represent all kinds of data structures in protocols.
Example: The Denning-Sacco protocol

    Message 1.  A → B : {{k}_skA}_pkB      k fresh
    Message 2.  B → A : {s}_k

ProVerif model:

    new skA; new skB;
    let pkA = pk(skA) in
    let pkB = pk(skB) in
    out(c, pkA); out(c, pkB);
    (
      (A)  !in(c, x_pkB). new k; out(c, penc(sign(k, skA), x_pkB)); in(c, x). let s = dec(x, k) in 0
    |
      (B)  !in(c, y). let y' = pdec(y, skB) in let k = checksign(y', pkA) in out(c, enc(s, k))
    )
Exercise: The Needham-Schroeder public-key protocol

Exercise. Model the following protocol:

    Message 1.  A → B : {Na, A}_pkB        Na fresh
    Message 2.  B → A : {Na, Nb}_pkA       Nb fresh
    Message 3.  A → B : {Nb}_pkB
Formal Semantics

Semantic configurations are E, 𝒫 where
- E is a set of names,
- 𝒫 is a multiset of processes.

Intuitively, E, 𝒫 where E = {a1, ..., an} and 𝒫 = {P1, ..., Pm} corresponds to

    new a1; ... new an; (P1 | ... | Pm)

Initial configuration for P: fn(P), {P}.

The semantics is defined by reduction E, 𝒫 → E', 𝒫': the execution of the configuration is modeled by transforming it into another configuration.
Formal Semantics: reduction relation

    E, 𝒫 ∪ {0}  →  E, 𝒫                                                  (Red Nil)
    E, 𝒫 ∪ {!P}  →  E, 𝒫 ∪ {P, !P}                                       (Red Repl)
    E, 𝒫 ∪ {P | Q}  →  E, 𝒫 ∪ {P, Q}                                     (Red Par)
    E, 𝒫 ∪ {new a; P}  →  E ∪ {a'}, 𝒫 ∪ {P{a'/a}}       where a' ∉ E     (Red Res)
    E, 𝒫 ∪ {out(N, M); Q, in(N, x). P}  →  E, 𝒫 ∪ {Q, P{M/x}}            (Red I/O)
    E, 𝒫 ∪ {let x = g(M1, ..., Mn) in P else Q}  →  E, 𝒫 ∪ {P{M'/x}}
        if g(M1, ..., Mn) → M'                                            (Red Destr 1)
    E, 𝒫 ∪ {let x = g(M1, ..., Mn) in P else Q}  →  E, 𝒫 ∪ {Q}
        if there exists no M' such that g(M1, ..., Mn) → M'               (Red Destr 2)
Example: Denning-Sacco Execution with Adversary

    {c}, { in(c, x_pkA). in(c, x_pkB). out(c, x_pkB)
         | new skA; new skB; let pkA = pk(skA) in let pkB = pk(skB) in out(c, pkA); out(c, pkB);
           ( !in(c, x_pkB). new k; out(c, penc(sign(k, skA), x_pkB)); in(c, x). let s = dec(x, k) in 0
           | !in(c, y). let y' = pdec(y, skB) in let k = checksign(y', pkA) in out(c, enc(s, k)) ) }

A benign adversary (the first process) reads the public keys of A and B and sends a message on c to initiate a new session from A to B.
Example (2): generate keys

  →  (Red Par)
    {c}, { in(c, x_pkA). in(c, x_pkB). out(c, x_pkB),
           new skA; new skB; let pkA = pk(skA) in let pkB = pk(skB) in out(c, pkA); out(c, pkB);
           ( !in(c, x_pkB). new k; out(c, penc(sign(k, skA), x_pkB)); in(c, x). let s = dec(x, k) in 0
           | !in(c, y). let y' = pdec(y, skB) in let k = checksign(y', pkA) in out(c, enc(s, k)) ) }
Example (3): generate keys

  →* (Red Res, twice)
    {c, skA, skB}, { in(c, x_pkA). in(c, x_pkB). out(c, x_pkB),
                     let pkA = pk(skA) in let pkB = pk(skB) in out(c, pkA); out(c, pkB);
                     ( !in(c, x_pkB). new k; out(c, penc(sign(k, skA), x_pkB)); in(c, x). let s = dec(x, k) in 0
                     | !in(c, y). let y' = pdec(y, skB) in let k = checksign(y', pkA) in out(c, enc(s, k)) ) }
Example (4)

  →* (Red Destr 1, twice)
    {c, skA, skB}, { in(c, x_pkA). in(c, x_pkB). out(c, x_pkB),
                     out(c, pk(skA)); out(c, pk(skB));
                     ( !in(c, x_pkB). new k; out(c, penc(sign(k, skA), x_pkB)); in(c, x). let s = dec(x, k) in 0
                     | !in(c, y). let y' = pdec(y, skB) in let k = checksign(y', pk(skA)) in out(c, enc(s, k)) ) }
Example (5)

  →* (Red I/O, twice)
    {c, skA, skB}, { out(c, pk(skB)),
                     ( !in(c, x_pkB). new k; out(c, penc(sign(k, skA), x_pkB)); in(c, x). let s = dec(x, k) in 0
                     | !in(c, y). let y' = pdec(y, skB) in let k = checksign(y', pk(skA)) in out(c, enc(s, k)) ) }
Example (6)

  →  (Red Par)
    {c, skA, skB}, { out(c, pk(skB)),
                     !in(c, x_pkB). new k; out(c, penc(sign(k, skA), x_pkB)); in(c, x). let s = dec(x, k) in 0,
                     !in(c, y). let y' = pdec(y, skB) in let k = checksign(y', pk(skA)) in out(c, enc(s, k)) }
Example (7)

  →  (Red Repl)
    {c, skA, skB}, { out(c, pk(skB)),
                     in(c, x_pkB). new k; out(c, penc(sign(k, skA), x_pkB)); in(c, x). let s = dec(x, k) in 0,
                     !in(c, x_pkB). ...,
                     !in(c, y). let y' = pdec(y, skB) in let k = checksign(y', pk(skA)) in out(c, enc(s, k)) }
Example (8)

  →  (Red I/O)
    {c, skA, skB}, { new k; out(c, penc(sign(k, skA), pk(skB))); in(c, x). let s = dec(x, k) in 0,
                     !in(c, x_pkB). ...,
                     !in(c, y). let y' = pdec(y, skB) in let k = checksign(y', pk(skA)) in out(c, enc(s, k)) }
Example (9)

  →  (Red Res)
    {c, skA, skB, k'}, { out(c, penc(sign(k', skA), pk(skB))); in(c, x). let s = dec(x, k') in 0,
                         !in(c, x_pkB). ...,
                         !in(c, y). let y' = pdec(y, skB) in let k = checksign(y', pk(skA)) in out(c, enc(s, k)) }
Example (10)

  →* (Red Repl, then Red I/O)
    {c, skA, skB, k'}, { in(c, x). let s = dec(x, k') in 0,
                         !in(c, x_pkB). ...,
                         let y' = pdec(penc(sign(k', skA), pk(skB)), skB) in let k = checksign(y', pk(skA)) in out(c, enc(s, k)),
                         !in(c, y). ... }
Example (11)

  →* (Red Destr 1, twice)
    {c, skA, skB, k'}, { in(c, x). let s = dec(x, k') in 0,
                         !in(c, x_pkB). ...,
                         out(c, enc(s, k')),
                         !in(c, y). ... }
Example (12)

  →  (Red I/O)
    {c, skA, skB, k'}, { let s = dec(enc(s, k'), k') in 0,
                         !in(c, x_pkB). ...,
                         !in(c, y). ... }
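The following Python is an added example, not part of the slides and not ProVerif's code: it implements the reduction rules of the Formal Semantics slide and replays the Denning-Sacco execution above with the benign adversary. The tuple encoding of terms and processes, the convention that a fresh name for a is written a', and the bound of unfolding each replication once are assumptions made here to keep the run finite.

```python
"""Added example (not from the slides and not ProVerif's code): an interpreter for
the reduction relation E, P -> E', P' of the slides, run on the Denning-Sacco
process together with the benign adversary of the execution slides."""
# Terms: a str is a name or a variable; a tuple is (symbol, arg1, ..., argn).
# Processes: ("nil",), ("new", a, P), ("in", c, x, P), ("out", c, M, P),
#            ("let", x, g, (M1, ..., Mn), P, Q), ("par", P, Q), ("repl", P).

def subst(t, x, M):
    """t{M/x} on terms."""
    if isinstance(t, str):
        return M if t == x else t
    return (t[0], *(subst(a, x, M) for a in t[1:]))

def psubst(P, x, M):
    """P{M/x} on processes.  Assumption: no binder in P shadows x (true below)."""
    tag = P[0]
    if tag == "nil":
        return P
    if tag == "new":
        return ("new", P[1], psubst(P[2], x, M))
    if tag == "in":
        return ("in", subst(P[1], x, M), P[2], psubst(P[3], x, M))
    if tag == "out":
        return ("out", subst(P[1], x, M), subst(P[2], x, M), psubst(P[3], x, M))
    if tag == "let":
        args = tuple(subst(a, x, M) for a in P[3])
        return ("let", P[1], P[2], args, psubst(P[4], x, M), psubst(P[5], x, M))
    if tag == "par":
        return ("par", psubst(P[1], x, M), psubst(P[2], x, M))
    return ("repl", psubst(P[1], x, M))

# Destructors as the slides' rewrite rules; None means "no M' with g(...) -> M'".
def pdec(c, sk):           # pdec(penc(m, pk(sk)), sk) -> m
    return c[1] if c[0] == "penc" and c[2] == ("pk", sk) else None
def checksign(sg, pub):    # checksign(sign(m, sk), pk(sk)) -> m
    return sg[1] if sg[0] == "sign" and pub == ("pk", sg[2]) else None
def dec(c, k):             # dec(enc(m, k), k) -> m
    return c[1] if c[0] == "enc" and c[2] == k else None
DESTRUCTORS = {"pdec": pdec, "checksign": checksign, "dec": dec}

def step(E, procs, unfolded):
    """One reduction: (rule, info, E', procs'), or None when the configuration
    is stuck.  Red Nil/Par/Res/Destr are tried first, then Red I/O, then
    Red Repl; each replication is unfolded once so that the run is finite."""
    for i, P in enumerate(procs):
        rest = procs[:i] + procs[i + 1:]
        if P[0] == "nil":
            return "Red Nil", None, E, rest
        if P[0] == "par":
            return "Red Par", None, E, rest + [P[1], P[2]]
        if P[0] == "new":
            fresh = P[1] + "'"                    # a' with a' not in E
            while fresh in E:
                fresh += "'"
            return "Red Res", fresh, E | {fresh}, rest + [psubst(P[2], P[1], fresh)]
        if P[0] == "let":
            x, g, args, Q, R = P[1:]
            # a constructor (pk here) always succeeds; a destructor may fail
            M = DESTRUCTORS[g](*args) if g in DESTRUCTORS else (g, *args)
            if M is None:
                return "Red Destr 2", None, E, rest + [R]
            return "Red Destr 1", M, E, rest + [psubst(Q, x, M)]
    for i, P in enumerate(procs):
        for j, Q in enumerate(procs):
            if P[0] == "out" and Q[0] == "in" and P[1] == Q[1]:   # same channel N
                rest = [R for k, R in enumerate(procs) if k not in (i, j)]
                return "Red I/O", P[2], E, rest + [P[3], psubst(Q[3], Q[2], P[2])]
    for P in procs:
        if P[0] == "repl" and P not in unfolded:
            unfolded.add(P)
            return "Red Repl", None, E, procs + [P[1]]
    return None

def run(E, procs, limit=100):
    """Reduce until stuck (or until limit steps); return E, processes, trace."""
    unfolded, trace = set(), []
    while len(trace) < limit:
        r = step(E, procs, unfolded)
        if r is None:
            break
        rule, info, E, procs = r
        trace.append((rule, info))
    return E, procs, trace

# The Denning-Sacco model of the slides; free names are c (channel) and s (secret).
c, s = "c", "s"
A = ("repl", ("in", c, "x_pkB", ("new", "k",
     ("out", c, ("penc", ("sign", "k", "skA"), "x_pkB"),
      ("in", c, "x", ("let", "s", "dec", ("x", "k"), ("nil",), ("nil",)))))))
B = ("repl", ("in", c, "y", ("let", "y'", "pdec", ("y", "skB"),
     ("let", "k", "checksign", ("y'", "pkA"),
      ("out", c, ("enc", s, "k"), ("nil",)), ("nil",)), ("nil",))))
PROTOCOL = ("new", "skA", ("new", "skB", ("let", "pkA", "pk", ("skA",),
            ("let", "pkB", "pk", ("skB",),
             ("out", c, "pkA", ("out", c, "pkB", ("par", A, B))), ("nil",)), ("nil",))))
ADVERSARY = ("in", c, "x_pkA", ("in", c, "x_pkB", ("out", c, "x_pkB", ("nil",))))

def denning_sacco():
    """Run the initial configuration fn(P), {adversary, protocol} of the slides."""
    return run({c, s}, [ADVERSARY, PROTOCOL])
```

The trace returned by denning_sacco() lists the rule applied at each step together with the fresh name, the message exchanged or the destructor result, ending with the two replications as the only processes left.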
Symbolic Adversary

The protocol is executed in parallel with an adversary. The adversary can be any process.

S = finite set of names (the initial knowledge of the adversary).

Definition. The closed process Q is an S-adversary if and only if fn(Q) ⊆ S.
Symbolic Secrecy

Intuitive definition: the secret M cannot be output on a public channel.

Definition. A trace T = E0, 𝒫0 →* E', 𝒫' outputs M if and only if T contains a reduction

    E, 𝒫 ∪ {out(c, M); Q, in(c, x). P}  →  E, 𝒫 ∪ {Q, P{M/x}}

for some E, 𝒫, x, P, Q, and c ∈ S.

Definition. The closed process P preserves the secrecy of M from S if and only if, for every S-adversary Q and every trace T = fn(P) ∪ S, {P, Q} →* E', 𝒫', T does not output M.
Verification with ProVerif
Verifying protocols in the symbolic model

Compute the set of all terms that the attacker can obtain. This set is infinite:
- The attacker can generate messages of unbounded size.
- The number of sessions of the protocol is unbounded.
Verification Complexity

- Bounded messages and number of sessions ⇒ finite state
  Model checking: FDR [Lowe, TACAS'96]
- Bounded number of sessions but unbounded messages ⇒ insecurity is typically NP-complete
  Constraint solving: Cl-AtSe, integrated in AVISPA
  Extensions of model checking: OFMC, integrated in AVISPA
- Unbounded messages and number of sessions ⇒ the problem is undecidable
Solutions to undecidability

- Rely on user interaction: interactive theorem proving, Isabelle [Paulson, JCS'98]
- Use approximations: abstract interpretation [Monniaux, SCP'03], TA4SP integrated in AVISPA; typing [Abadi, JACM'99], [Gordon, Jeffrey, CSFW'02] (sometimes also relies on type annotations by the user)
- Allow non-termination

ProVerif uses approximations and allows non-termination.
ProVerif

ProVerif is a verifier for cryptographic protocols:
- Fully automatic
- For an unbounded number of sessions and an unbounded message size
- Undecidable problem ⇒ need for abstractions
- Handles a wide range of cryptographic primitives, defined by rewrite rules or equations
- Proves various security properties: secrecy, correspondences, some equivalences
- Does not always terminate and is not complete

In practice:
- Efficient: small examples verified in less than 0.1 s; complex ones in a few minutes.
- Very precise: no false attack in our tests for secrecy and authentication.
How ProVerif Works

Two ideas (extending [Weidenbach, CADE'99]):
- a simple abstract representation of protocols, by a set of Horn clauses;
- an efficient resolution algorithm to find which facts can be derived from these clauses.

Using these ideas, we can prove secrecy properties of protocols, or exhibit attacks showing why a message is not secret.
Protocol representation as Horn clauses

    Messages             terms          M ::= x | f(M1, ..., Mn) | k[M1, ..., Mn]
                                        e.g. penc(c0, pk(skA))
    Properties           facts          F ::= attacker(M)
    Protocol, attacker   Horn clauses   F1 ∧ ... ∧ Fn ⇒ F
                                        e.g. attacker(m) ∧ attacker(pk) ⇒ attacker(penc(m, pk))
Example - Cryptographic primitives

Public-key encryption:
- Encryption penc(m, pk):
      attacker(m) ∧ attacker(pk) ⇒ attacker(penc(m, pk))
- Public key generation pk(sk) (builds a public key from a secret key):
      attacker(sk) ⇒ attacker(pk(sk))
- Decryption pdec(penc(m, pk(sk)), sk) → m:
      attacker(penc(m, pk(sk))) ∧ attacker(sk) ⇒ attacker(m)
Initial knowledge

Clauses that represent the initial knowledge of the adversary: attacker(M) if the adversary knows M.

Example. For the Denning-Sacco protocol:

    attacker(pk(skA))
    attacker(pk(skB))
Names

Normally, fresh names are created each time the protocol is run. Here, we only distinguish two names when they are created after receiving different messages.

Each name k becomes a function of the messages previously received: k[M1, ..., Mn] (Skolemisation).

These functions can only be applied by the principal that creates the name, not by the attacker.

The attacker can create his own fresh names: attacker(b[]).
Denning-Sacco protocol

    A → B : {{k}_skA}_pkB      k fresh

A talks to any principal represented by its public key pk(x), and sends to it the message {{k}_skA}_pk(x):

    attacker(pk(x)) ⇒ attacker(penc(sign(k[pk(x)], skA[]), pk(x)))

    B → A : {s}_k

B has received a message {{y}_skA}_pkB and sends {s}_y:

    attacker(penc(sign(y, skA[]), pk(skB[]))) ⇒ attacker(enc(s, y))
General coding of a protocol

If a principal A has received the messages M1, ..., Mn and sends the message M:

    attacker(M1) ∧ ... ∧ attacker(Mn) ⇒ attacker(M)

Exercise. Give Horn clauses for the Needham-Schroeder public-key protocol:

    Message 1.  A → B : {Na, A}_pkB        Na fresh
    Message 2.  B → A : {Na, Nb}_pkA       Nb fresh
    Message 3.  A → B : {Nb}_pkB
Approximations

- The freshness of nonces is partially modeled.
- The number of times a message appears is ignored; only the fact that it has appeared is taken into account.
- The state of the principals is not fully modeled.

These approximations are key to efficient verification:
- They solve the state space explosion problem.
- There is no limit on the number of runs of the protocol ⇒ essential for the certification of protocols.
Secrecy

Secrecy criterion: if attacker(M) cannot be derived from the clauses, then M is secret (the term M cannot be built by an attacker).

The resolution algorithm will determine whether a given fact can be derived from the clauses.
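As an added example (not ProVerif's code), the following Python saturates a set of Horn clauses in the style of the preceding slides and applies the secrecy criterion to the Denning-Sacco clauses. It replaces ProVerif's resolution on clauses with free variables by a cruder bound that I chose for the demonstration (terms above a fixed size are dropped and the attacker's composition rules are applied one level deep on demand); the Python term encoding, the attacker name b[], and the sign/enc decomposition clauses written in the same style as the pdec clause of the slides are assumptions of this example.

```python
"""Added example (not ProVerif's own code): bounded forward chaining over the
Horn-clause model of the slides, applied to the Denning-Sacco clauses."""
from itertools import product

# Terms: a str is a variable; a tuple (symbol, arg1, ..., argn) is a constructor
# application or a name.  Names without arguments, such as skA[], are 1-tuples.
# Every fact is attacker(M), so a fact is represented by the term M alone.

def match(pat, term, subst):
    """Match a pattern against a ground term, extending subst; None on failure."""
    if isinstance(pat, str):
        if pat in subst:
            return subst if subst[pat] == term else None
        return {**subst, pat: term}
    if not isinstance(term, tuple) or pat[0] != term[0] or len(pat) != len(term):
        return None
    for p, t in zip(pat[1:], term[1:]):
        subst = match(p, t, subst)
        if subst is None:
            return None
    return subst

def apply(term, subst):
    """Instantiate a conclusion (all its variables occur in the hypotheses)."""
    if isinstance(term, str):
        return subst[term]
    return (term[0], *(apply(a, subst) for a in term[1:]))

def instances(hyps, cands, subst=None):
    """Every substitution under which all hypotheses are elements of cands."""
    subst = {} if subst is None else subst
    if not hyps:
        yield subst
        return
    h, rest = hyps[0], hyps[1:]
    if isinstance(h, str) and h in subst:      # variable already bound: look it up
        if subst[h] in cands:
            yield from instances(rest, cands, subst)
        return
    for cand in cands:
        s = match(h, cand, subst)
        if s is not None:
            yield from instances(rest, cands, s)

def size(t):
    return 1 if isinstance(t, str) else 1 + sum(size(a) for a in t[1:])

# Constructors the attacker may apply: penc and pk from the slides, plus sign and
# enc, the other constructors of the Denning-Sacco model.  Their composition
# clauses attacker(M1) ∧ ... ⇒ attacker(f(M1, ...)) are not forward-chained;
# instead a hypothesis may match a term built by one constructor application
# over known terms, and derivable() composes on demand.
CONSTRUCTORS = {"penc": 2, "pk": 1, "sign": 2, "enc": 2}

# Decomposition clauses, one per destructor rewrite rule, as (hypotheses, conclusion).
ATTACKER_CLAUSES = [
    ([("penc", "m", ("pk", "sk")), "sk"], "m"),   # pdec(penc(m, pk(sk)), sk) -> m
    ([("sign", "m", "sk"), ("pk", "sk")], "m"),   # checksign(sign(m, sk), pk(sk)) -> m
    ([("enc", "m", "k"), "k"], "m"),              # dec(enc(m, k), k) -> m
]

def saturate(clauses, initial, max_size=8, rounds=12):
    """Forward chaining to a fixpoint.  Dropping terms larger than max_size is the
    crude bound that keeps this finite; ProVerif's resolution on clauses with
    variables needs no such bound."""
    known = set(initial)
    for _ in range(rounds):
        composed = {(f, *args) for f, n in CONSTRUCTORS.items()
                    for args in product(known, repeat=n)}
        cands = known | composed
        new = {apply(concl, s) for hyps, concl in clauses for s in instances(hyps, cands)}
        new = {t for t in new if size(t) <= max_size} - known
        if not new:
            break
        known |= new
    return known

def derivable(term, known):
    """attacker(term) holds if term is known or can be composed from known terms."""
    return term in known or (isinstance(term, tuple) and term[0] in CONSTRUCTORS
                             and all(derivable(a, known) for a in term[1:]))

# The Denning-Sacco clauses of the slides; b[] is a name the attacker creates itself.
skA, skB, s, b = ("skA",), ("skB",), ("s",), ("b",)
DENNING_SACCO = ATTACKER_CLAUSES + [
    # attacker(pk(x)) ⇒ attacker(penc(sign(k[pk(x)], skA[]), pk(x)))
    ([("pk", "x")], ("penc", ("sign", ("k", ("pk", "x")), skA), ("pk", "x"))),
    # attacker(penc(sign(y, skA[]), pk(skB[]))) ⇒ attacker(enc(s, y))
    ([("penc", ("sign", "y", skA), ("pk", skB))], ("enc", s, "y")),
]
INITIAL = {("pk", skA), ("pk", skB), b}   # attacker(pk(skA[])), attacker(pk(skB[])), attacker(b[])

def secrecy_holds(secret, clauses=DENNING_SACCO, initial=INITIAL):
    """Secrecy criterion of the slides: M is secret iff attacker(M) is not derivable."""
    return not derivable(secret, saturate(clauses, initial))
```

Inspecting the saturated set shows which derived facts lead to attacker(s): the key A signed for the attacker's own public key pk(b[]) is recovered and accepted by B's clause, while the key of A's session with B stays underivable.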
Authenticity

Authenticity means: if A thinks he talks to B, then he really talks to B.

Authenticity can be defined by correspondence assertions [Woo and Lam, Oakland'93]: if A executes e_A(B) (A thinks he talks to B), then B must have executed e_B(A) (B has started a run with A).
Correspondences: events

Events record that some program point has been reached, with certain values of the variables.

Syntax:

    P, Q ::=            processes
        ...
        event(M). P     event

Semantics:

    E, {event(M). P} ∪ 𝒫  →  E, {P} ∪ 𝒫                (Red Event)

An S-adversary does not contain events.

Definition. A trace T = E0, 𝒫0 →* E', 𝒫' executes event(M) if and only if T contains a reduction

    E, 𝒫 ∪ {event(M). P}  →  E, 𝒫 ∪ {P}

for some E, 𝒫, P.
Correspondences

Intuitive definition: if event(M) has been executed, then event(M1), ..., event(Mn) have been executed.

Definition. The closed process P0 satisfies the correspondence

    event(M) ⇝ ⋀_{k=1}^{l} event(Mk)

with respect to S-adversaries if and only if, for any S-adversary Q, for any E0 containing fn(P0) ∪ S ∪ fn(M) ∪ ⋃_k fn(Mk), for any substitution σ, for any trace T = E0, {P0, Q} →* E', 𝒫', if T executes event(σM), then there exists σ' such that σ'M = σM and, for all k ∈ {1, ..., l}, T executes event(σ'Mk) as well.
Analyzing TLS 1.3 with ProVerif
Transport Layer Security (TLS) 1.3
Next version of the most popular secure channel protocol.
  Completely redesigned from TLS 1.2
  After 20 drafts, on the verge of standardization
Why did we need a new protocol?
  Security: remove broken legacy crypto constructions
  Efficiency: reduce handshake roundtrip latency
    0-RTT when the client and server have a pre-shared key
    0.5-RTT
These are potentially contradictory goals
  Needs extensive security analysis before deployment!
  The IETF called for academics to formally analyze the protocol drafts.
Symbolic analysis to find downgrade (and other) attacks
Recent attacks on legacy crypto in TLS:
  RC4       Keystream biases                 [Mar'13]
  Lucky13   MAC-Encode-Encrypt CBC           [Mar'13]
  POODLE    SSLv3 MAC-Encode-Encrypt         [Dec'14]
  FREAK     Export-grade 512-bit RSA         [Mar'15]
  LOGJAM    Export-grade 512-bit DH          [May'15]
  SLOTH     RSA-MD5 signatures               [Jan'16]
  DROWN     SSLv2 RSA-PKCS#1v1.5 Enc         [Mar'16]
Legacy crypto remains in TLS libraries for backwards compatibility.
Is TLS 1.3 secure, if it is deployed alongside older versions of TLS?
Can a man-in-the-middle downgrade TLS 1.3 peers to use legacy crypto?
Modeling weak crypto in ProVerif
Classic symbolic (Dolev-Yao) protocol models idealize crypto
  Perfect black-boxes that cannot be opened without the relevant key
We model agile crypto primitives parameterized by algorithm
  Given a strong algorithm, the primitive behaves ideally
  Given a weak algorithm, the primitive completely breaks
  e.g. a weak Diffie-Hellman group behaves like a trivial 1-element group

    fun dh_ideal(element, bitstring): element.
    equation forall x: bitstring, y: bitstring;
      dh_ideal(dh_ideal(G, x), y) = dh_ideal(dh_ideal(G, y), x).

    fun dh_exp(group, element, bitstring): element
    reduc     forall g: group, e: element, x: bitstring;
                dh_exp(WeakDH, e, x) = BadElement
    otherwise forall g: group, e: element, x: bitstring;
                dh_exp(StrongDH, BadElement, x) = BadElement
    otherwise forall g: group, e: element, x: bitstring;
                dh_exp(StrongDH, e, x) = dh_ideal(e, x).

Similarly, we model strong and weak authenticated encryption, hash functions, MACs, RSA encryption and signatures.
Our model is overly conservative: it may not indicate real exploits.
Our goal is to verify TLS 1.3 against future attacks on legacy crypto.
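The agile Diffie-Hellman rules above combined with the secrecy criterion of the Secrecy slide (a key is secret iff attacker(key) is not derivable), run as a small bounded attacker-knowledge closure. This is an added Python illustration, not the slides' or the ProVerif model's code: the group names WeakDH/StrongDH and BadElement follow the slide, while the exponent names x, y, z and the two-round derivation bound are constructed.

```python
# Added example (not from the slides): a bounded Dolev-Yao knowledge closure
# over the slide's agile DH rules. An ideal element is ("exp", sorted tuple of
# exponents), so g^(xy) == g^(yx) exactly as the dh_ideal equation demands.
# Exponents are opaque strings; x, y, z are constructed sample names.
from itertools import product

BAD = ("BadElement",)          # the single element every weak group collapses to
G = ("exp", ())                # the generator g, no exponents applied yet

def dh_ideal(e, x):
    """Ideal exponentiation e^x satisfying the slide's commutation equation."""
    return ("exp", tuple(sorted(e[1] + (x,))))

def dh_exp(group, e, x):
    """Agile exponentiation: the three 'reduc ... otherwise' clauses, in order."""
    if group == "WeakDH":      # weak group: the result is always BadElement
        return BAD
    if e == BAD:               # strong group but a bad element stays bad
        return BAD
    return dh_ideal(e, x)      # strong group and honest element: ideal behaviour

def attacker_closure(group, known, rounds=2):
    """Saturate what the attacker can compute by exponentiation, `rounds` deep."""
    known = set(known)
    for _ in range(rounds):
        elems = [t for t in known if isinstance(t, tuple)]   # group elements
        exps = [t for t in known if isinstance(t, str)]      # exponents it holds
        known |= {dh_exp(group, e, a) for e, a in product(elems, exps)}
    return known

def shared_key_is_secret(group):
    """Secrecy criterion: the peers' key is secret iff attacker(key) is not
    derivable. The honest exponents x and y never enter the attacker's set;
    it only sees g^x and g^y and chooses its own exponent z."""
    gx, gy = dh_exp(group, G, "x"), dh_exp(group, G, "y")
    key = dh_exp(group, gx, "y")                 # what both honest peers compute
    known = attacker_closure(group, {G, gx, gy, "z"})
    return key not in known
```

With StrongDH the closure only ever contains elements carrying the attacker's exponent z, so the key stays secret; with WeakDH every element is BadElement, so attacker(key) is derivable immediately.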
Modeling TLS 1.3 in ProVerif
[Figure: the TLS 1.3 1-RTT handshake between client C, with long-term keys (sk_C, pk_C), and server S, with long-term keys (sk_S, pk_S), annotated with the key schedule. 12 messages in 3 flights, 16 derived keys, then data exchange; the model also covers PSK-based 0-RTT and TLS 1.2. Agile crypto: ~400 lines; TLS models: ~500 lines. Modeling is easy, verification takes effort.]
Message flow (log_i marks the transcript up to and including that message):
  C -> S: ClientHello(n_C, offer_C[(G, g^x), G'])
  S -> C: RetryRequest(G')
  C -> S: ClientHello(n_C, offer'_C[G', g^x'])
          C generates x', S generates y; both compute es = kdf_0
  S -> C: ServerHello(n_S, mode_S[G', g^y]), where S chooses mode_S = (TLS1.3, DHE(G'), H(), enc())      log_1
          both compute hs = kdf_hs(es, g^x'y) and ms, k_h^c, k_h^s, k_m^c, k_m^s = kdf_ms(hs, log_1)
  S -> C: enc_k_h^s(Extensions(...)), enc_k_h^s(CertRequest(...)), enc_k_h^s(Certificate(pk_S))      log_2
  S -> C: enc_k_h^s(CertVerify(sign_sk_S(H(log_2))))      log_3
  S -> C: enc_k_h^s(Finished(mac_k_m^s(H(log_3))))        log_4
          both compute k_c, k_s, ems = kdf_k(ms, log_4)
  C -> S: enc_k_h^c(Certificate(pk_C))                    log_5
  C -> S: enc_k_h^c(CertVerify(sign_sk_C(H(log_5))))      log_6
  C -> S: enc_k_h^c(Finished(mac_k_m^c(H(log_6))))        log_7
          both compute psk' = kdf_psk(ms, log_7) and cid = ems or psk' or H(log_7)
          new client session: C = C ⊎ {cid ↦ (offer_C, mode_S, pk_C, pk_S, k_c, k_s, ems, psk')}
          new server session: S = S ⊎ {cid ↦ (offer_C, mode_S, pk_C, pk_S, k_c, k_s, ems, psk')}
  C -> S: enc_k_c(Data(m_1));  S -> C: enc_k_s(Data(m_2))
  Application data stream: cid: C -> S: m_1, m_2, ...
Key Derivation Functions:
  HKDF-Extract(k, s) = HMAC-H_k(s)
  hkdf-expand-label_1(s, l, h) = HMAC-H_s(len_H() || "TLS 1.3, " || l || h || 0x01)
  Derive-Secret(s, l, m) = hkdf-expand-label_1(s, l, H(m))
1-RTT Key Schedule:
  kdf_0 = HKDF-Extract(0^len_H(), 0^len_H())
  kdf_hs(es, e) = HKDF-Extract(es, e)
  kdf_ms(hs, log_1) = ms, k_h^c, k_h^s, k_m^c, k_m^s where
    ms = HKDF-Extract(hs, 0^len_H())
    hts_c = Derive-Secret(hs, "hts_c", log_1);  hts_s = Derive-Secret(hs, "hts_s", log_1)
    k_h^c = hkdf-expand-label(hts_c, "key", "");  k_m^c = hkdf-expand-label(hts_c, "finished", "")
    k_h^s = hkdf-expand-label(hts_s, "key", "");  k_m^s = hkdf-expand-label(hts_s, "finished", "")
  kdf_k(ms, log_4) = k_c, k_s, ems where
    ats_c = Derive-Secret(ms, "ats_c", log_4);  ats_s = Derive-Secret(ms, "ats_s", log_4)
    ems = Derive-Secret(ms, "ems", log_4)
    k_c = hkdf-expand-label(ats_c, "key", "");  k_s = hkdf-expand-label(ats_s, "key", "")
  kdf_psk(ms, log_7) = psk' where psk' = Derive-Secret(ms, "rms", log_7)
PSK-based Key Schedule:
  kdf_es(psk) = es, k_b where
    es = HKDF-Extract(0^len_H(), psk);  k_b = Derive-Secret(es, "pbk", "")
  kdf_0RTT(es, log_1) = k_c where
    ets_c = Derive-Secret(es, "ets_c", log_1);  k_c = hkdf-expand-label(ets_c, "key", "")
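The key-derivation functions and the 1-RTT schedule of the figure, instantiated with H = SHA-256, as an added Python example that is not the slides' or the authors' code. Assumptions: len_H() is encoded as a 2-byte big-endian integer, fields are concatenated without per-field length prefixes (the HkdfLabel encoding of RFC 8446 differs, so these are model-level values), and the label bytes b"hts_c", b"ats_c", b"ems", b"rms" are placeholders for the abstract label names on the slide.

```python
import hashlib, hmac   # added example (not slide code): the slide's KDFs with SHA-256

H = hashlib.sha256
LEN_H = H().digest_size            # len_H() = 32 for SHA-256
ZERO = bytes(LEN_H)                # 0^len_H()

def hkdf_extract(k, s):
    """HKDF-Extract(k, s) = HMAC-H_k(s)"""
    return hmac.new(k, s, H).digest()

def hkdf_expand_label1(s, label, h):
    """hkdf-expand-label_1(s, l, h) = HMAC-H_s(len_H() || "TLS 1.3, " || l || h || 0x01).
    Assumption: 2-byte length, no per-field length prefixes (RFC 8446 differs)."""
    info = LEN_H.to_bytes(2, "big") + b"TLS 1.3, " + label + h + b"\x01"
    return hmac.new(s, info, H).digest()

def derive_secret(s, label, m):
    """Derive-Secret(s, l, m) = hkdf-expand-label_1(s, l, H(m))"""
    return hkdf_expand_label1(s, label, H(m).digest())

def kdf_0():
    return hkdf_extract(ZERO, ZERO)        # es when there is no PSK

def kdf_hs(es, e):
    return hkdf_extract(es, e)             # e = g^(x'y), the DH shared value

def kdf_ms(hs, log1):
    """kdf_ms(hs, log_1) = ms, k_h^c, k_h^s, k_m^c, k_m^s (label bytes are placeholders)"""
    ms = hkdf_extract(hs, ZERO)
    hts_c = derive_secret(hs, b"hts_c", log1)
    hts_s = derive_secret(hs, b"hts_s", log1)
    return (ms, hkdf_expand_label1(hts_c, b"key", b""),
            hkdf_expand_label1(hts_s, b"key", b""),
            hkdf_expand_label1(hts_c, b"finished", b""),
            hkdf_expand_label1(hts_s, b"finished", b""))

def kdf_k(ms, log4):
    """kdf_k(ms, log_4) = k_c, k_s, ems"""
    ats_c = derive_secret(ms, b"ats_c", log4)
    ats_s = derive_secret(ms, b"ats_s", log4)
    return (hkdf_expand_label1(ats_c, b"key", b""),
            hkdf_expand_label1(ats_s, b"key", b""),
            derive_secret(ms, b"ems", log4))

def one_rtt_schedule(dh_shared, log1, log4, log7):
    """The full 1-RTT schedule: three extracts, then the keys of both flights."""
    ms, khc, khs, kmc, kms = kdf_ms(kdf_hs(kdf_0(), dh_shared), log1)
    kc, ks, ems = kdf_k(ms, log4)
    return {"k_h^c": khc, "k_h^s": khs, "k_m^c": kmc, "k_m^s": kms,
            "k_c": kc, "k_s": ks, "ems": ems, "psk'": derive_secret(ms, b"rms", log7)}
```

Because every key is bound to a transcript prefix, two runs that differ only in log_1 already get different handshake keys k_h^c, which is what makes the downgrade queries in the next slides meaningful.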
Writing and verifying security goals
We state security queries for data sent between honest users
  Secrecy: messages between honest peers are unknown to an adversary
  Authenticity: messages between honest peers cannot be tampered with
  Replay prevention: messages between honest peers cannot be replayed
  Forward secrecy: secrecy holds even if the peers' long-term keys are leaked after the session is complete
Secrecy query for msg(conn, S) sent from anonymous C to server S:
  query attacker(msg(conn, S)) ==> false
Refining security queries
QUERY: is msg(conn, S) secret?
  query attacker(msg(conn, S)) ==> false
FALSE: ProVerif finds a counterexample if S's private key is compromised.