mpri 2-30: automated veriﬁcation of …...reading lecture notes on the course website: • rcf: a...

MPRI 2-30: !Automated Verification of !

Cryptographic Protocol Implementations

K Bhargavan (Slides from A.D. Gordon and C. Fournet)

Spring, 2014

Outline of Lectures •  Lectures 1 and 2 (Jan 22, 29)

–  Intro to Verified Protocol Implementations –  RCF type system –  Symbolic protocol verification with F7

•  (Skip Feb 5)

•  Lecture 3 (Feb 12) –  Using RCF for computational protocol verification –  Case Study: TLS 1.2

•  Lecture 4 (Feb 19) –  Advanced verification techniques

Reading Lecture notes on the course website: •  RCF: a compact definition of the type system, plus

exercises •  Principles and Applications of Refinement Types, a tutorial

on the RCF type system. •  Cryptographic Verification by Typing for a Sample Protocol

Implementation, a tutorial on F7

Research papers: http://research.microsoft.com/f7 More exercise: Next two weeks

RCF (REVIEW)

a concurrent call-by-value lambda-calculus!with refinement types

Syntax for values and expressions •  A concurrent !

call-by-value!lambda-calculus

•  A formal core for F#!

•  Specifications !expressed by !assume and assert !over logic formulas

Basis for Verification: Refinement types

Safety by typing

Example Protocol in F#

Modelling Opponents as F# Programs

Symbolic Security Theorem

Symbolic proof: Typechecking

Security Assumptions: MACs

Symbolic Interfaces: MAC

module'MAC$$

type'text'='bytes ''type'key$ $$type'mac''='bytes'

predicate'Msg'of'key'*'text''

val'GEN''':'unit'9>'key''val'MAC''':'k:key'9>'t:text{Msg(k,t)}'9>'mac$val'VERIFY:'k:key'9>'t:text'9>'mac'''''''' ''9>'b:bool{'b=true'=>'Msg(k,t)}''

Only%models%integrity,%not%key%or%data%confiden4ality%

Symbolic Interfaces: MAC module'MAC$$

type'text'='mac'='bytes ''type'key$ $$predicate'Msg'of'key'*'text'predicate'Bad'of'key''

val'GEN''':'unit'9>'key''val'LEAK'':'k:key{Bad(k)}'9>'b:bytes{Pub(b)}$val'COERCE:'b:bytes{Pub(b)}$9>'k:key{Bad(k)}'''val'MAC''':'k:key''' ' ' ''9>'t:text{Bad(k)$\/$Msg(k,t)}''' ' '''''9>'m:mac{Pub(t)$=>$Pub(m)}$

val'VERIFY:'k:key'9>'t:text'9>'mac'''''''' ''9>'b:bool{'b=true'=>'Msg(k,t)}''

Symbolic Interfaces: ENC module'ENC$type$key$$'

val'GEN''':'unit'9>'key''Val'ENC''':'k:key'9>'t:bytes'' ' ' ''9>'c:bytes{Pub(c)$/\$Cipher(k,t,c)}$

val'DEC$$$:'k:key'9>'c:bytes$N>'''''''' ''9>'t:bytes{forall$t’.$$$ $ $ $ $ $ $$$$$$Cipher(k,t’,c)$=>$t=t’}$

Symbolic Interfaces: ENC module'ENC$type$key$predicate'Bad'of'key$$'

val'GEN''':'unit'9>'key''val'LEAK'':'k:key{Bad(k)}'9>'b:bytes{Pub(b)}$val'COERCE:'b:bytes{Pub(b)}$9>'k:key{Bad(k)}'''val'ENC''':'k:key'9>'t:bytes{Bad(k)$=>$Pub(t)}''' ' ' ''9>'c:bytes{Pub(c)$/\$Cipher(k,t,c)}$

val'DEC$$$:'k:key'9>'c:bytes$N>'''''''' ''9>'t:bytes{Bad(k)$=>$Pub(t)$/\$$ $ $ $ $ $ $ $$forall$t’.$$$ $ $ $ $ $ $$$$$$Cipher(k,t’,c)$=>$t=t’}$

Symbolic Interfaces: PK-ENC module'ENC$type$pkey$=$b:bytes{Pub(b)}$type$skey$predicate'Bad'of'pkey$function'PK:'skey'9>'pkey$$'

val'GEN''':'unit'9>'s:skey$*$p:pkey{p$=$PK(s)}$$val'LEAK'':'s:skey{Bad(PK(s))}'9>'b:bytes{Pub(b)}$val'COERCE:'b:bytes{Pub(b)}$9>'s:skey{Bad(PK(s))}'$val'ENC''':'p:pkey'9>'t:bytes{Bad(p)$=>$Pub(t)}''' ' ' ''9>'c:bytes{Pub(c)$/\$Wrap(k,t,c)}$

val'DEC$$$:'s:key'9>'c:bytes$N>'''''''' ''9>'t:bytes{Bad(PK(s))$=>$Pub(t)$/\$$ $ $ $ $ $ $ $$forall$t’.$$$ $ $ $ $ $ $$$$$$Wrap(PK(s),t’,c)$=>$t=t’}$

Models of Crypto •  Many possible symbolic models –  Various levels of imprecision/abstraction

•  How do they relate to computational models? –  Can we use the same interfaces to model

computational assumptions for MAC, ENC, PK-ENC? –  Are our symbolic models computationally sound? –  Can we do computational proofs by typing?

Computational Soundness:!Typed Ideal Interfaces for

Cryptographic Functionalities

Cryptographic primitives are partially specified

•  Symbolic models reason about fully-specified crypto primitives –  Same rewrite rules apply for the attacker as for the protocol –  Each crypto primitive yields distinct symbolic terms

•  Computational models reason about partially-specified primitives (the less specific, the better) –  Positive assumptions: what the protocol needs to run as intended!

e.g. successful decryption when using matching keys –  Negative assumptions: what the adversary cannot do!

e.g. cannot distinguish between encryptions of two different plaintexts

•  Security proofs apply parametrically,!for any concrete primitives that meet these assumptions

•  Typed interfaces naturally capture partial specifications

Computational Security with F7 •  We adapt our F7 typechecker

–  We remove non-determinism –  We add probabilistic sampling and mutable references –  We formally prove type safety & parametricity!

for this new extended subset of F7 using Coq/SSReflect •  We type protocols and applications against!

refined typed interfaces that idealize crypto libraries

•  Next: two sample ideal functionalities –  For MACs (trace properties) –  For encryption (equivalence properties)

Probabilistic RCF •  We equip RCF with a probabilistic!

semantics (Markov chains)

–  We add a new “fair coin-tossing” primitive –  The rest of the semantics is unchanged!

(reductions, structural rules, robust safety)

Probabilistic RCF

•  We equip RCF with a probabilistic!semantics (Markov chains)

–  We add a typing rule for sampling

–  All typing theorems!apply unchanged (one possible trace at a time)

Probabilistic RCF

MACs & CMA

Sample ideal functionalities!for keyed hash functions

Sample ideal functionality:!

Keyed cryptographic hashes module'MAC$$

type'text'='bytes''val'macsize'type'key$$='bytes$type'mac''='bytes'''

''

val'GEN''':'unit'9>'key''val'MAC''':'key'9>'text'9>'mac$val'VERIFY:'key'9>'text'9>'mac'9>'bool''

plain%F#%interface%This%interface%says%nothing%

on%the%security%of%MACs.%



type'text'='bytes''val'macsize'type'key $ $$type'mac''='bytes''

'''


MAC%keys%are%abstract%



type'text'='bytes''val'macsize'type'key $ $$type'mac''='b:bytes{Length(b)=macsize}''

'''


MACs%are%fixed%sized%






val'GEN''':'unit'9>'key''val'MAC''':'k:key'9>'t:text{Msg(k,t)}'9>'mac$val'VERIFY:'k:key'9>'t:text'9>'mac'

''''''9>'b:bool{'b=true'=>'Msg(k,t)}''

ideal&F7&interface&

“All%verified%messages%have%been%MACed”%



Msg%is%specified%%by%protocols%using%MACs%

module'RPC$$

definition'!k,q.'Msg(k,Utf8(q))'<=>'Request(q)''

let'client'q'=' '''''''let'server'q'=''''//'precondition:' '''''…'if'VERIFY'k'(utf8'q)'m'''//'Request(q) '''''''then'//'we'have'Request(q)''…'send'MAC'k'(utf8'q)''''''''process'q''''''

%sample%protocol%using%MACs%%






''''''9>'b:bool{'b=true'=>'Msg(k,t)}''

ideal&F7&interface&



Msg%is%specified%%by%protocols%using%MACs%

concrete%F#%implementa4on%(using%.NET)%

module'MAC$open$System.Security.Cryptography'$

let'macsize'='20'let'GEN()'''='randomBytes'16'let'MAC$k't'='(new'HMACSHA1()).ComputeHash''t'let'VERIFY$k't'm'='(MAC'k't'='m)'

“All%verified%messages%have%been%MACed”%

This%can’t%be%true!%(collisions)%

Sample computational assumption:!

Resistance to Chosen-Message !Existential Forgery Attacks (CMA)

module'CMA$open$Mac$$

let'k'='GEN()''let'log'='ref'[]'let'mac't'='''log':='t::!log'''MAC'k't''let'verify't'm'=''''let'v'='VERIFY'k't'm'in'''assert'(not'v'||'mem't'!log)'''v'

CMA&game&(coded%in%F#)%

Asympto4c%security%a%probabilis4c%poly4me%program%calling%mac%and%verify%forges%a%MAC%only%with%negligible%probability%

refined%F7%interface%

for%func4onal%correctness%

Concrete MAC Interface

module'MAC$$…''



''''''9>'b:bool{'b=true'=>'Msg(k,t)}'`'

Ideal%MAC%Interface%

MACs: interfaces and implementations

CMA.fs7&

Mac&

RPC&Mac&

CMA&

LINK%

a%plain%F#%%interface%%

some%sample%protocol%

some%concrete%implementa4on%

CMA&

a%plain%F#%%interface%%

%%…%and%its%refinements%%


RPC&

CMA.fs7&

Ideal&Mac&

Mac&

RPC&Mac&

CMA&

LINK%


cannot&typecheck&in&F7!&

some%concrete%implementa4on%

CMA&

a%plain%F#%%interface%%%%%%%%%%%%%%%…%and%its%refinements%


RPC&

CMA.fs7&

Concrete&Mac&

Mac&

RPC&Mac&

CMA&

LINK%


some concrete!implementation

Ideal&Mac&

cannot&typecheck&in&F7!&

CMA&

a%plain%F#%%interface%%%%%%%%%%%%%%%…%and%its%refinements%


some concrete!implementation

RPC&Concrete&Mac&

Ideal&Mac&

Mac&

RPC&Mac&


LINK%Ideal&Mac&

LINK%

some%error%correc4ng%wrapper%

CMA&


is safe too, with!overwhelming!probability

RPC&Concrete&Mac&

is%always%safe%(by%typing)%

Ideal&Mac&

is%indis4nguishable%from%

RPC&Concrete&Mac&

Adversary&

Adversary&

Indistinguishability!& Encryption

Secrecy by typing Modules for secret plaintexts

Ideal functionalities for CPA and CCA2 encryption

Perfect Secrecy by Typing •  Secrecy is expressed using observational

equivalences !between systems that differ on their secrets

•  We can prove secrecy by typing,!relying on parametricity over some abstract type

Plaintext Modules •  Encryption is parameterized by a module!

that abstractly define plaintexts, with interface

module'Plain$$

val'plainsize:'int$type'plain''type'repr$='b:bytes{Length(b)=plainsize}$''

val'plain'':'repr$9'>'plain$//$turning$bytes$to$secrets'val'repr''':'plain$9>'repr$$//$breaking$secrecy!$$

'''''val'respond:'plain'9>'plain$//$sample$protocol$code'

If%we%remove%the%repr%func4on,%%we%get%perfect%secrecy%by%typing%%

The%size%of%plaintext%is%fixed%%(as%we%cannot%hide%it)%

Plain%may%also%include%%any%code%that%operates%on%secrets%

An Ideal Interface for CCA2 Encryption

•  Its ideal implementation encrypts zeros instead

of plaintexts!so it never accesses plaintext representations, !and can be typed parametrically

module'PKENC$open'Plain$$

val'pksize:'int$type'skey'type'pkey$='b:bytes{'PKey(k)'Æ'Length(b)=pksize'}$''

val'ciphersize:'int' ''type'cipher$='b:bytes{Length(b)=ciphersize}$''

val'GEN:$unit'9>$pkey$*$skey'val'ENC:'pkey$9>$plain$9>'cipher'val'DEC:'skey$9>'cipher$N>$plain'

Sample computational assumption:!

Indistinguishability against !Chosen Plaintexts & Ciphertexts Attacks

module'CCA2$open$RSA_OAEP$$

let'k'='GEN()''let'log'='ref'[]'let'b'='sample'{true,false}'let'encrypt'p0'p1'='''let'p'='if'b'then'p0'else'p1''''let'e'='ENC(k,p)'''log':='e::!log'''e''let'decrypt'e'=''''if'e'in'!log''''then'None'''else'Some(DEC(k,e))'

CCA&game&(coded%in%F#)%

Asympto4c%security%a%probabilis4c%poly4me%program%calling%encrypt%and%decrypt%guesses%which%plaintexts%are%encrypted%only%with%a%negligible%advantage%

Typed Secrecy from CCA2-Secure Encryption

Variants: CPA & Authentication •  With CPA-secure encryption, we have a weaker ideal interface!

that demands ciphertext integrity before decryption

•  With authenticated encryption, we have a stronger ideal interface that ensure plaintext integrity (much as MACs)

predicate'Encrypted'of'key'*'cipher''

val'ENC:'k:key$9>$plain$9>'c:cipher{Encrypted(k,c)}'val'DEC:'k:key$9>'c:cipher{Encrypted(k,c)}$9>$plain'

predicate'Msg'of'key'*'plain'//'defined'by'protocol''

val'ENC:'k:key$9>$p:plain{Msg(k,p)}$9>'cipher'val'DEC:'k:key$9>'cipher$9>$p:plain{Msg(k,p)}'option'

Applications: Cryptographic Constructions

•  We program and verify sample crypto constructions!such as hybrid encryption and encrypt-then-MAC

•  We prove these constructions secure by

typechecking!against interfaces of Plain, SymEnc, and PKEnc

symmetric&encryp?on&&&&&&&&&&&

.&

publicBkey&encryp?on&

&&&&

hybrid&encryp?on&

&

INDBCPA&

INDBCPA&

INDBCPA&

symmetric&encryp?on&&&&&&&&&&&

.&

MAC&&

EncryptBthenBMAC&

&

INDBCPA&

Auth&Encrypt&

INTBCMA&

module'HybridEnc''let'pksize'''''='PKEnc.pksize'''''+'SymEnc.ciphersize'let'ciphersize'='PKEnc.ciphersize'+'SymEnc.ciphersize''

let'GEN()'=$PKEnc.GEN()''

let'ENC$pk'plain'=''$$let'k'='SymEnc.GEN()$$$concat'(PKEnc.ENC'pk'k)'(SymEnc.ENC'k'plain)'$$

let'DEC$sk'cipher'=''''let'c0,c1'='split'SymEnc.ciphersize'cipher'''SymEnc.DEC'(PKEnc.DEC'sk'c0)'c1'

&some&cryptographic&&implementa?on&

%

Sample modular verification (protocol)!RPC protocol using !Authenticated Encryption

FormaGng%

ac4ve%adversaries%

security%protocols%

any$typed$F#$program$

Secure&RPC&%

Bytes%

system%libraries%

Adversary%Model%

applica4on%code%

any$typed$F7$program$

authen?cated&encryp?on& message&format&

RPC&API&

Networking%

Sample modular verification (crypto)!RPC using Encrypt-then-MAC

cryptographic%schemes%

FormaGng%

ac4ve%adversaries%

security%protocols%

MAC&authen?ca?on&

%

any$typed$F#$program$

Secure&RPC&%

Bytes%

system%libraries%

Adversary%Model%

applica4on%code%

any$typed$F7$program$

cryptographic%construc4ons%&

probabilis?c&computa?onal%indis4nguishability%%

EncryptBthenBMAC&%

AESBCBC&encryp?on&

%

authen?cated&encryp?on& message&format&

RPC&API&

≈"IDEAL%INDBCPA&

≈"IDEAL%INTBCMA&

Networking%

Applications: Security Protocols •  We program and verify sample protocols !

(authenticated RPC, encrypted RPC) •  We typecheck larger protocols previously

verified using F7 symbolic libraries (secure multiparty sessions)

•  Case studies requiring custom crypto – DKM with cryptographic agility –  TLS 1.2 with ad hoc constructions – Private authentication with key-hiding & decoys – Private data processing with zero-knowledge proofs

Modular Type-Based!Cryptographic Verification for!

TLS 1.2!!!!

TLS on the Web Server%

Authen+ca+on%

Secure%Channel%

Transport Layer Security (1994—) The most widely deployed !cryptographic protocol?

HTTPS, 802.1x (EAP), !FTPS VPN, mail, VoIP, …

18 years of attacks, !fixes, and extensions

1994 – Netscape’s Secure Sockets Layer 1994 – SSL2 1995 – SSL3 1999 – TLS1.0 (RFC2246, ≈SSL3) 2006 – TLS1.1 (RFC4346) 2008 – TLS1.2 (RFC5246)

Many implementations •  SChannel, OpenSSL, NSS, !

GnuTLS, JSSE, PolarSSL, … •  Several security patches every year Many papers •  Well-understood, detailed specs •  Security theorems… mostly for small simple models of TLS

Protocol&Logic%e.g.%ambiguous%messages%•  cause%clients%and%%

server%to%nego4ate%older,%weaker%TLS%

Cryptography%e.g.%no%fresh%IV%•  write%applet%to%%

realize%adap4ve%aTack%(BEAST)%%

Weak&Algorithms&MD5,%PKCS1,%RC4,%…%%

Implementa?on&Errors&many%cri4cal%bugs&

TLS&DESIGN&

What can still possibly go wrong?

encryption!using RC4 is !

broken!(but fast)


What can still possibly go wrong?







TLS&DESIGN&

Infrastructure&cer4ficate%management%

Applica?on%protocol%configura4on%



What%if%you%“proceed%anyway”?%

This%happens%automa4cally%with%buggy%cert%

valida4on%









TLS&DESIGN&

Combining&all&of&the&above&Recent%cryptographic%aTacks%exploit%side%channels%in%protocol%logic%(errors)%and%implementa4on%(4ming)%

Combining&all&of&the&above&Recent%cryptographic%aTacks%exploit%side%channels%in%protocol%logic%(errors)%and%implementa4on%(4ming)%

On the (provable) security of TLS “A handful of works have attempted to analyse the entirety of SSL or TLS using machine-assisted proof techniques. This is incredibly ambitious, and moreover it's probably the only real way to tackle the problem. Unfortunately, the proofs hugely simplify the underlying cryptography, and thus don't cover the full range of attacks. Moreover, only computers can read them.”

•  Matthew Green:!http://blog.cryptographyengineering.com/

59%

TLS in F# & F7 We develop and verify a reference implementation for SSL 3.0—TLS 1.2

1.  Standard compliance: we closely follow the RFCs –  concrete message formats –  support for multiple ciphersuites, sessions and connections, !

re-handshakes and resumptions, alerts, message fragmentation,… –  interop with other implementations such as web browsers and servers

2.  Verified security: we structure our code to enable its !modular verification, from its main API down to !concrete assumptions on its base cryptography (e.g. RSA) –  formal computational security theorems!

for a 5000-line functionality (automation required)

3.  Experimental platform: for testing corner cases,!trying out attacks, analysing new extensions and patches, …

TLS in F# & F7 (Backup)

Try%it%out!%%

hTps://mitls.org%

Verifying our TLS!implementation !

DHGroup%

DH%

CRE%

PRF%

RSA%

Cert%

Sig%

SessionDB%

StAE%

LHAE%

Enc%

MAC%

Record%

Dispatch%

TCP%

Untyped%Adversary%

Encode%

LHAEPlain%

StPlain%

TLSFragment%

Alert%Datastream%

Handshake%(and%CCS)%

TLSInfo%TLSConstants%

Handshake/CCS%

TLS%Record%

AppData%

Base% Bytes%

Untyped%API%Adversary%

RPC%

RPCPlain%Applica4on%

TLS%API%

Alert%Protocol%

AppData%Protocol%

Nonce%

TLS%

CoreCrypto%

RSAKey%

Auth%

AuthPlain%

Extensions%

1%

2%

3% 4%

5%

6%7%

Range%

8%

9%Error%

Modular%Architecture%for%miTLS%%

Transport Layer Security (Review)

•  Interleaving of four protocols !on top of the record layer

Record%Layer%

Handshake%protocol%

%

Change%ciphersuite%

%

Alert%protocol%

%

Applica4on%data%%

authen4cated%encryp4on%with%addi4onal%data%

stateful%authen4cated%encryp4on%

fragment%;%compress%

dispatch%

CS$Ka$Ke$

CS’$Ka’$Ke’$

TCP/IP%

plain%fragments%

encrypted%fragments%

I/O%bytestreams%

Applica4on%

web%pages%

''''''ClientHello''''''''' ''''''''''''99999999>'''''''''''''''''''''''''''''''''''''''''''''''''''''''ServerHello''''''''''''''''''''''''''''''''''''''''''''''''''''''Certificate*''''''''''''''''''''''''''''''''''''''''''''''''ServerKeyExchange*'''''''''''''''''''''''''''''''''''''''''''''''CertificateRequest*'''''''''''''''''''''''''''<99999999'''''''''''''''ServerHelloDone'''''''Certificate*'''''''ClientKeyExchange'''''''CertificateVerify*'''''''ChangeCipherSpec'''''''Finished''''''''''''99999999>''''''''''''''''''''''''''''''''''''''''''''''''''ChangeCipherSpec'''''''''''''''''''''''''''<99999999''''''''''''''''''''''Finished'''''''''''''''''''''''''''<9999999>''''''''''''''Application'Data'''''''Application'Data'''

Full%hand

shake%

Ciphersuites !& crypto agility

•  Not all !

algorithms !are equal!

•  Cautionary tale [Brumley et al, CT-RSA 2012] –  ECDH part of the latest, strongest ciphersuites using elliptic curves –  OpenSSL vulnerable to a software “bug attack”!

on its multiplication algorithm (635 handshakes) !widely deployed & left open for 2 years

•  Intuitively, clients and servers should get the security for !the ciphersuites they accept, not for the weakest supported ones –  Non trivial: there is a circular dependency,!

as TLS relies on the ciphersuites being negotiated

•  We verify TLS generically, for multiple ciphersuites:!formally, the adversary provides the weaker algorithms.

'TLS_NULL_WITH_NULL_NULL''''''''''='{'0x00,0x00'}'TLS_RSA_WITH_NULL_SHA256'''''''''='{'0x00,0x3B'}'TLS_RSA_WITH_RC4_128_MD5'''''''''='{'0x00,0x04'}'TLS_DH_anon_WITH_AES_256_CBC_SHA'='{'0x00,0x3A'}'(…)$38$ciphersuites$in$TLS$1.2$(…)$many$others$in$recent$TLS$extensions$TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA''

data%data%

data%

Sessions and Connections •  Sessions (S, S’) are for key establishment: DH, RSA, KDF •  Connections are for transporting records (AE), !

within a series of “epochs” !possibly with different principals, ciphersuites, and keys

new%S% finished% rehandshake%S’% close%

resume%S’% data% rekey% data% alert%(fatal)%

TCP% TCP%

TCP’%

first%epoch%(same%ciphersuite%&%keys)%

CCS% CCS%

next%handshake%interleaved%with%data%(different%peer%cert)%first%handshake%(unprotected)%

abbreviated%handshake%%

next%handshake%just%for%rekeying%

data%data%

Fragmentation Issues (1/2) •  A recent attack

–  Application messages can be fragmented across several epochs!(possibly with different principals & security)

–  Man-in-the-middle attack 1.  Intercept a target client’s handshake to a secure server 2.  Connect to the server; inject a message fragment; !

then forward all messages between the victim and the server 3.  The server interprets the victim’s first handshake !

as a (correct) rehandshake, then accepts the attacker’s !message as a valid request from the victim

–  Existing TLS APIs do not notify the application of rehandshakes.!(Our API does.)

–  Fix: a new “safe negotiation” extension hashing all HS conversations!(not just the last one) in Finished messages

Fragmentation Issues (2/2) •  A new authentication attack: alert fragmentation

–  Alert messages can be sent at any time !(for signalling, closing connections, reporting cert errors…)

–  Alert messages are 2-byte long…hence can be fragmented! –  Our attack:

1.  Inject a one-byte A0 alert fragment during the first handshake!this byte is silently cached (not recorded in HS conversation)

2.  Later, as a genuine 2-byte X0X1 alert is received!and authenticated on the secure connection, !A0X0 is passed instead to the application

–  Simple fix: discard fragmented alerts

Agile Length-Hiding Stateful !

Authenticated Encryption!with Additional Data

MAC&

Fragment; MAC; Encode; then Encrypt plaintext%message%sent%by%the%applica4on%

fragment% to%be%sent%later%

fragment%

pad&MAC&fragment%

sent%earlier%

fragmen4ng%&%padding%%are%underlspecified%

IV%%%%%%%%encrypted%%record%%%%%%%%%%.%header&

sent/received&on&TCP&connec?on&

•  TLS%decodes%the%decrypted%text%before%authen4ca4on;%poten4ally%leaking%secret%informa4on%(via%“padding%oracles”)%%

•  Security%relies%on%joint%ciphertext%integrity%(INTlCTXT)%%The%proof%is%ad%hoc%(for%CBC)%and%depends%on%|MAC|%>%|Block|%(recent%aTack%&%proof%by%Paterson%et%al.%at%ASIACRYPT’11)%

&content&type&&&&sequence&number&

&content&type&&&sequence&number&

&

Fragment-then-Compress? (new attack) •  Large messages are sliced !

into many fragments •  When encoded, each fragment is "

independently compressed •  An eavesdropper can record!

the sequence of fragment!ciphertext lengths, and obtain!precise message fingerprints –  leaking much more than!

the total message length

max%fragment%length%(16KB)%%

lengths%observed%on%the%network%

(16KB)%%

Fragment-then-Compress? (new attack) •  Experimental data: downloading songs over HTTPS:

Another recent !attack exploiting !

compression !with chosen!

plaintexts

Our approach: disable compression, then!

Hide secret lengths within public ranges •  The application chooses its own plaintext range,!

e.g. any secret URL of size 0..200 bytes!!!

•  !0 !

•  Fragmentation and padding depends!only on the range & ciphersuite,!not on the secret message length & content

Formally,%we%index%our%type%of%plaintext%fragments%by%their%range%&%sequence%number%in%the%stream%too.%By%typing,%we%check%that%

Hiding lengths within public ranges •  (;range) plain:!

an abstract plain fragment whose length is within range –  0

The application chooses its own bucket sizes: –  any secret URL of size 0..200 bytes –  any 3MB image +/- 10%.

•  Fragmentation and encoding depends only on the range,!not on the actual length and content (enforced by parametricity)

Abstract Plaintext Fragments

•  Abstract%plaintext%fragments%are%indexed%by%%–  key&info%including%nego4ated%algorithms%and%connec4on%info%–  range%for%the%(secret)%plaintext%length %%–  addi?onal&data,%encoding%e.g.%TLS%version%&%fragment%number%

•  Type%abstrac4on%yields%condi+onal%security%for%plaintexts%with%safe%key%info%

'


module'PlainAEAD$type'(;ki:KeyInfo)$data$='b:bytes{…}'type'(;ki:KeyInfo,rg:range,ad:data)$fragment$'

val'leak:'''ki:KeyInfo{not(Safe(ki))}'9>'rg:range'9>'ad:data'9>''''(;ki,rg,ad)'fragment'9>'b:bytes{Length(b)'in'rg}''

val'coerce:$$$ki:KeyInfo{not(Safe(ki))}'9>'rg:range'9>'ad:data'9>''''b:bytes{Length(b)'in'rg}'9>(;ki,rg,ad)'fragment''

module'PlainAEAD$type'(;ki:KeyInfo)$data$='b:bytes{…}'type'(;ki:KeyInfo,rg:range,ad:data)$fragment$'

val'LEAK:'''ki:KeyInfo{not(Safe(ki))}'9>'rg:range'9>'ad:data'9>''''(;ki,rg,ad)'fragment'9>'b:bytes{Length(b)'in'rg}''

val'COERCE:$$$ki:KeyInfo{not(Safe(ki))}'9>'rg:range'9>'ad:data'9>''''b:bytes{Length(b)'in'rg}'9>(;ki,rg,ad)'fragment''

Authenticated Encryption in TLS

•  encryption & decryption with a safe index!do not access the plaintext bytes (IND-CPA)

•  decryption with a safe index!succeeds on correctly-encrypted ciphertexts,!returns an error otherwise (INT-CTXT)

'


module'AEAD'$

val$encrypt:$$$ki:KeyInfo'9>'(;ki)key'9>'ad:(;ki)data'9>'''rg:range'9>'p:(;ki,rg,ad)'fragment'9>'c:(;ki)'cipher'{'CTXT(ki,ad,p,c)'}'$

val$decrypt:$$$ki:KeyInfo'9>'(;ki)key'9>'ad:(;ki)data'9>''''c:cipher{CipherLength(ki,c)}'9>'rg:range'*'r:(;ki,rg,ad)'fragment'option'''{'Safe(ki)'=>'!p.'r'='Some(p)'<=>'CTXT(ki,ad,p,c)'}'

mpri 2-30: automated veriﬁcation of …...reading lecture notes on the course website: • rcf: a...

Documents