mpri 2-30: automated verification of …...reading lecture notes on the course website: • rcf: a...
TRANSCRIPT
MPRI 2-30: !Automated Verification of !
Cryptographic Protocol Implementations
K Bhargavan (Slides from A.D. Gordon and C. Fournet)
Spring, 2014
Outline of Lectures • Lectures 1 and 2 (Jan 22, 29)
– Intro to Verified Protocol Implementations – RCF type system – Symbolic protocol verification with F7
• (Skip Feb 5)
• Lecture 3 (Feb 12) – Using RCF for computational protocol verification – Case Study: TLS 1.2
• Lecture 4 (Feb 19) – Advanced verification techniques
Reading Lecture notes on the course website: • RCF: a compact definition of the type system, plus
exercises • Principles and Applications of Refinement Types, a tutorial
on the RCF type system. • Cryptographic Verification by Typing for a Sample Protocol
Implementation, a tutorial on F7
Research papers: http://research.microsoft.com/f7 More exercise: Next two weeks
RCF (REVIEW)
a concurrent call-by-value lambda-calculus!with refinement types
Syntax for values and expressions • A concurrent !
call-by-value!lambda-calculus
• A formal core for F#!
• Specifications !expressed by !assume and assert !over logic formulas
Basis for Verification: Refinement types
Safety by typing
Example Protocol in F#
Modelling Opponents as F# Programs
Symbolic Security Theorem
Symbolic proof: Typechecking
Security Assumptions: MACs
Symbolic Interfaces: MAC
module'MAC$$
type'text'='bytes ''type'key$ $$type'mac''='bytes'
predicate'Msg'of'key'*'text''
val'GEN''':'unit'9>'key''val'MAC''':'k:key'9>'t:text{Msg(k,t)}'9>'mac$val'VERIFY:'k:key'9>'t:text'9>'mac'''''''' ''9>'b:bool{'b=true'=>'Msg(k,t)}''
Only%models%integrity,%not%key%or%data%confiden4ality%
Symbolic Interfaces: MAC module'MAC$$
type'text'='mac'='bytes ''type'key$ $$predicate'Msg'of'key'*'text'predicate'Bad'of'key''
val'GEN''':'unit'9>'key''val'LEAK'':'k:key{Bad(k)}'9>'b:bytes{Pub(b)}$val'COERCE:'b:bytes{Pub(b)}$9>'k:key{Bad(k)}'''val'MAC''':'k:key''' ' ' ''9>'t:text{Bad(k)$\/$Msg(k,t)}''' ' '''''9>'m:mac{Pub(t)$=>$Pub(m)}$
val'VERIFY:'k:key'9>'t:text'9>'mac'''''''' ''9>'b:bool{'b=true'=>'Msg(k,t)}''
Symbolic Interfaces: ENC module'ENC$type$key$$'
val'GEN''':'unit'9>'key''Val'ENC''':'k:key'9>'t:bytes'' ' ' ''9>'c:bytes{Pub(c)$/\$Cipher(k,t,c)}$
val'DEC$$$:'k:key'9>'c:bytes$N>'''''''' ''9>'t:bytes{forall$t’.$$$ $ $ $ $ $ $$$$$$Cipher(k,t’,c)$=>$t=t’}$
Symbolic Interfaces: ENC module'ENC$type$key$predicate'Bad'of'key$$'
val'GEN''':'unit'9>'key''val'LEAK'':'k:key{Bad(k)}'9>'b:bytes{Pub(b)}$val'COERCE:'b:bytes{Pub(b)}$9>'k:key{Bad(k)}'''val'ENC''':'k:key'9>'t:bytes{Bad(k)$=>$Pub(t)}''' ' ' ''9>'c:bytes{Pub(c)$/\$Cipher(k,t,c)}$
val'DEC$$$:'k:key'9>'c:bytes$N>'''''''' ''9>'t:bytes{Bad(k)$=>$Pub(t)$/\$$ $ $ $ $ $ $ $$forall$t’.$$$ $ $ $ $ $ $$$$$$Cipher(k,t’,c)$=>$t=t’}$
Symbolic Interfaces: PK-ENC module'ENC$type$pkey$=$b:bytes{Pub(b)}$type$skey$predicate'Bad'of'pkey$function'PK:'skey'9>'pkey$$'
val'GEN''':'unit'9>'s:skey$*$p:pkey{p$=$PK(s)}$$val'LEAK'':'s:skey{Bad(PK(s))}'9>'b:bytes{Pub(b)}$val'COERCE:'b:bytes{Pub(b)}$9>'s:skey{Bad(PK(s))}'$val'ENC''':'p:pkey'9>'t:bytes{Bad(p)$=>$Pub(t)}''' ' ' ''9>'c:bytes{Pub(c)$/\$Wrap(k,t,c)}$
val'DEC$$$:'s:key'9>'c:bytes$N>'''''''' ''9>'t:bytes{Bad(PK(s))$=>$Pub(t)$/\$$ $ $ $ $ $ $ $$forall$t’.$$$ $ $ $ $ $ $$$$$$Wrap(PK(s),t’,c)$=>$t=t’}$
Models of Crypto • Many possible symbolic models – Various levels of imprecision/abstraction
• How do they relate to computational models? – Can we use the same interfaces to model
computational assumptions for MAC, ENC, PK-ENC? – Are our symbolic models computationally sound? – Can we do computational proofs by typing?
Computational Soundness:!Typed Ideal Interfaces for
Cryptographic Functionalities
Cryptographic primitives are partially specified
• Symbolic models reason about fully-specified crypto primitives – Same rewrite rules apply for the attacker as for the protocol – Each crypto primitive yields distinct symbolic terms
• Computational models reason about partially-specified primitives (the less specific, the better) – Positive assumptions: what the protocol needs to run as intended!
e.g. successful decryption when using matching keys – Negative assumptions: what the adversary cannot do!
e.g. cannot distinguish between encryptions of two different plaintexts
• Security proofs apply parametrically,!for any concrete primitives that meet these assumptions
• Typed interfaces naturally capture partial specifications
Computational Security with F7 • We adapt our F7 typechecker
– We remove non-determinism – We add probabilistic sampling and mutable references – We formally prove type safety & parametricity!
for this new extended subset of F7 using Coq/SSReflect • We type protocols and applications against!
refined typed interfaces that idealize crypto libraries
• Next: two sample ideal functionalities – For MACs (trace properties) – For encryption (equivalence properties)
Probabilistic RCF • We equip RCF with a probabilistic!
semantics (Markov chains)
– We add a new “fair coin-tossing” primitive – The rest of the semantics is unchanged!
(reductions, structural rules, robust safety)
Probabilistic RCF
• We equip RCF with a probabilistic!semantics (Markov chains)
– We add a typing rule for sampling
– All typing theorems!apply unchanged (one possible trace at a time)
Probabilistic RCF
MACs & CMA
Sample ideal functionalities!for keyed hash functions
Sample ideal functionality:!
Keyed cryptographic hashes module'MAC$$
type'text'='bytes''val'macsize'type'key$$='bytes$type'mac''='bytes'''
''
val'GEN''':'unit'9>'key''val'MAC''':'key'9>'text'9>'mac$val'VERIFY:'key'9>'text'9>'mac'9>'bool''
plain%F#%interface%This%interface%says%nothing%
on%the%security%of%MACs.%
Sample ideal functionality:!
Keyed cryptographic hashes module'MAC$$
type'text'='bytes''val'macsize'type'key $ $$type'mac''='bytes''
'''
val'GEN''':'unit'9>'key''val'MAC''':'key'9>'text'9>'mac$val'VERIFY:'key'9>'text'9>'mac'9>'bool''
MAC%keys%are%abstract%
Sample ideal functionality:!
Keyed cryptographic hashes module'MAC$$
type'text'='bytes''val'macsize'type'key $ $$type'mac''='b:bytes{Length(b)=macsize}''
'''
val'GEN''':'unit'9>'key''val'MAC''':'key'9>'text'9>'mac$val'VERIFY:'key'9>'text'9>'mac'9>'bool''
MACs%are%fixed%sized%
MAC%keys%are%abstract%
Sample ideal functionality:!
Keyed cryptographic hashes module'MAC$$
type'text'='bytes''val'macsize'type'key $ $$type'mac''='b:bytes{Length(b)=macsize}''
predicate'Msg'of'key'*'text''
val'GEN''':'unit'9>'key''val'MAC''':'k:key'9>'t:text{Msg(k,t)}'9>'mac$val'VERIFY:'k:key'9>'t:text'9>'mac'
''''''9>'b:bool{'b=true'=>'Msg(k,t)}''
ideal&F7&interface&
“All%verified%messages%have%been%MACed”%
MAC%keys%are%abstract%
MACs%are%fixed%sized%
Msg%is%specified%%by%protocols%using%MACs%
module'RPC$$
definition'!k,q.'Msg(k,Utf8(q))'<=>'Request(q)''
let'client'q'=' '''''''let'server'q'=''''//'precondition:' '''''…'if'VERIFY'k'(utf8'q)'m'''//'Request(q) '''''''then'//'we'have'Request(q)''…'send'MAC'k'(utf8'q)''''''''process'q''''''
%sample%protocol%using%MACs%%
Sample ideal functionality:!
Keyed cryptographic hashes module'MAC$$
type'text'='bytes''val'macsize'type'key $ $$type'mac''='b:bytes{Length(b)=macsize}''
predicate'Msg'of'key'*'text''
val'GEN''':'unit'9>'key''val'MAC''':'k:key'9>'t:text{Msg(k,t)}'9>'mac$val'VERIFY:'k:key'9>'t:text'9>'mac'
''''''9>'b:bool{'b=true'=>'Msg(k,t)}''
ideal&F7&interface&
MAC%keys%are%abstract%
MACs%are%fixed%sized%
Msg%is%specified%%by%protocols%using%MACs%
concrete%F#%implementa4on%(using%.NET)%
module'MAC$open$System.Security.Cryptography'$
let'macsize'='20'let'GEN()'''='randomBytes'16'let'MAC$k't'='(new'HMACSHA1()).ComputeHash''t'let'VERIFY$k't'm'='(MAC'k't'='m)'
“All%verified%messages%have%been%MACed”%
This%can’t%be%true!%(collisions)%
Sample computational assumption:!
Resistance to Chosen-Message !Existential Forgery Attacks (CMA)
module'CMA$open$Mac$$
let'k'='GEN()''let'log'='ref'[]'let'mac't'='''log':='t::!log'''MAC'k't''let'verify't'm'=''''let'v'='VERIFY'k't'm'in'''assert'(not'v'||'mem't'!log)'''v'
CMA&game&(coded%in%F#)%
Asympto4c%security%a%probabilis4c%poly4me%program%calling%mac%and%verify%forges%a%MAC%only%with%negligible%probability%
refined%F7%interface%
for%func4onal%correctness%
Concrete MAC Interface
module'MAC$$…''
predicate'Msg'of'key'*'text''
val'GEN''':'unit'9>'key''val'MAC''':'k:key'9>'t:text{Msg(k,t)}'9>'mac$val'VERIFY:'k:key'9>'t:text'9>'mac'
''''''9>'b:bool{'b=true'=>'Msg(k,t)}'`'
Ideal%MAC%Interface%
MACs: interfaces and implementations
CMA.fs7&
Mac&
RPC&Mac&
CMA&
LINK%
a%plain%F#%%interface%%
some%sample%protocol%
some%concrete%implementa4on%
CMA&
a%plain%F#%%interface%%
%%…%and%its%refinements%%
MACs: interfaces and implementations
RPC&
CMA.fs7&
Ideal&Mac&
Mac&
RPC&Mac&
CMA&
LINK%
some%sample%protocol%
cannot&typecheck&in&F7!&
some%concrete%implementa4on%
CMA&
a%plain%F#%%interface%%%%%%%%%%%%%%%…%and%its%refinements%
MACs: interfaces and implementations
RPC&
CMA.fs7&
Concrete&Mac&
Mac&
RPC&Mac&
CMA&
LINK%
some%sample%protocol%
some concrete!implementation
Ideal&Mac&
cannot&typecheck&in&F7!&
CMA&
a%plain%F#%%interface%%%%%%%%%%%%%%%…%and%its%refinements%
MACs: interfaces and implementations
some concrete!implementation
RPC&Concrete&Mac&
Ideal&Mac&
Mac&
RPC&Mac&
some%sample%protocol%
LINK%Ideal&Mac&
LINK%
some%error%correc4ng%wrapper%
CMA&
MACs: interfaces and implementations
is safe too, with!overwhelming!probability
RPC&Concrete&Mac&
is%always%safe%(by%typing)%
Ideal&Mac&
is%indis4nguishable%from%
RPC&Concrete&Mac&
Adversary&
Adversary&
Indistinguishability!& Encryption
Secrecy by typing Modules for secret plaintexts
Ideal functionalities for CPA and CCA2 encryption
Perfect Secrecy by Typing • Secrecy is expressed using observational
equivalences !between systems that differ on their secrets
• We can prove secrecy by typing,!relying on parametricity over some abstract type
Plaintext Modules • Encryption is parameterized by a module!
that abstractly define plaintexts, with interface
module'Plain$$
val'plainsize:'int$type'plain''type'repr$='b:bytes{Length(b)=plainsize}$''
val'plain'':'repr$9'>'plain$//$turning$bytes$to$secrets'val'repr''':'plain$9>'repr$$//$breaking$secrecy!$$
'''''val'respond:'plain'9>'plain$//$sample$protocol$code'
If%we%remove%the%repr%func4on,%%we%get%perfect%secrecy%by%typing%%
The%size%of%plaintext%is%fixed%%(as%we%cannot%hide%it)%
Plain%may%also%include%%any%code%that%operates%on%secrets%
An Ideal Interface for CCA2 Encryption
• Its ideal implementation encrypts zeros instead
of plaintexts!so it never accesses plaintext representations, !and can be typed parametrically
module'PKENC$open'Plain$$
val'pksize:'int$type'skey'type'pkey$='b:bytes{'PKey(k)'Æ'Length(b)=pksize'}$''
val'ciphersize:'int' ''type'cipher$='b:bytes{Length(b)=ciphersize}$''
val'GEN:$unit'9>$pkey$*$skey'val'ENC:'pkey$9>$plain$9>'cipher'val'DEC:'skey$9>'cipher$N>$plain'
Sample computational assumption:!
Indistinguishability against !Chosen Plaintexts & Ciphertexts Attacks
module'CCA2$open$RSA_OAEP$$
let'k'='GEN()''let'log'='ref'[]'let'b'='sample'{true,false}'let'encrypt'p0'p1'='''let'p'='if'b'then'p0'else'p1''''let'e'='ENC(k,p)'''log':='e::!log'''e''let'decrypt'e'=''''if'e'in'!log''''then'None'''else'Some(DEC(k,e))'
CCA&game&(coded%in%F#)%
Asympto4c%security%a%probabilis4c%poly4me%program%calling%encrypt%and%decrypt%guesses%which%plaintexts%are%encrypted%only%with%a%negligible%advantage%
Typed Secrecy from CCA2-Secure Encryption
Variants: CPA & Authentication • With CPA-secure encryption, we have a weaker ideal interface!
that demands ciphertext integrity before decryption
• With authenticated encryption, we have a stronger ideal interface that ensure plaintext integrity (much as MACs)
predicate'Encrypted'of'key'*'cipher''
val'ENC:'k:key$9>$plain$9>'c:cipher{Encrypted(k,c)}'val'DEC:'k:key$9>'c:cipher{Encrypted(k,c)}$9>$plain'
predicate'Msg'of'key'*'plain'//'defined'by'protocol''
val'ENC:'k:key$9>$p:plain{Msg(k,p)}$9>'cipher'val'DEC:'k:key$9>'cipher$9>$p:plain{Msg(k,p)}'option'
Applications: Cryptographic Constructions
• We program and verify sample crypto constructions!such as hybrid encryption and encrypt-then-MAC
• We prove these constructions secure by
typechecking!against interfaces of Plain, SymEnc, and PKEnc
symmetric&encryp?on&&&&&&&&&&&
.&
publicBkey&encryp?on&
&&&&
hybrid&encryp?on&
&
INDBCPA&
INDBCPA&
INDBCPA&
symmetric&encryp?on&&&&&&&&&&&
.&
MAC&&
EncryptBthenBMAC&
&
INDBCPA&
Auth&Encrypt&
INTBCMA&
module'HybridEnc''let'pksize'''''='PKEnc.pksize'''''+'SymEnc.ciphersize'let'ciphersize'='PKEnc.ciphersize'+'SymEnc.ciphersize''
let'GEN()'=$PKEnc.GEN()''
let'ENC$pk'plain'=''$$let'k'='SymEnc.GEN()$$$concat'(PKEnc.ENC'pk'k)'(SymEnc.ENC'k'plain)'$$
let'DEC$sk'cipher'=''''let'c0,c1'='split'SymEnc.ciphersize'cipher'''SymEnc.DEC'(PKEnc.DEC'sk'c0)'c1'
&some&cryptographic&&implementa?on&
%
Sample modular verification (protocol)!RPC protocol using !Authenticated Encryption
FormaGng%
ac4ve%adversaries%
security%protocols%
any$typed$F#$program$
Secure&RPC&%
Bytes%
system%libraries%
Adversary%Model%
applica4on%code%
any$typed$F7$program$
authen?cated&encryp?on& message&format&
RPC&API&
Networking%
Sample modular verification (crypto)!RPC using Encrypt-then-MAC
cryptographic%schemes%
FormaGng%
ac4ve%adversaries%
security%protocols%
MAC&authen?ca?on&
%
any$typed$F#$program$
Secure&RPC&%
Bytes%
system%libraries%
Adversary%Model%
applica4on%code%
any$typed$F7$program$
cryptographic%construc4ons%&
probabilis?c&computa?onal%indis4nguishability%%
EncryptBthenBMAC&%
AESBCBC&encryp?on&
%
authen?cated&encryp?on& message&format&
RPC&API&
≈"IDEAL%INDBCPA&
≈"IDEAL%INTBCMA&
Networking%
Applications: Security Protocols • We program and verify sample protocols !
(authenticated RPC, encrypted RPC) • We typecheck larger protocols previously
verified using F7 symbolic libraries (secure multiparty sessions)
• Case studies requiring custom crypto – DKM with cryptographic agility – TLS 1.2 with ad hoc constructions – Private authentication with key-hiding & decoys – Private data processing with zero-knowledge proofs
Modular Type-Based!Cryptographic Verification for!
TLS 1.2!!!!
TLS on the Web Server%
Authen+ca+on%
Secure%Channel%
Transport Layer Security (1994—) The most widely deployed !cryptographic protocol?
HTTPS, 802.1x (EAP), !FTPS VPN, mail, VoIP, …
18 years of attacks, !fixes, and extensions
1994 – Netscape’s Secure Sockets Layer 1994 – SSL2 1995 – SSL3 1999 – TLS1.0 (RFC2246, ≈SSL3) 2006 – TLS1.1 (RFC4346) 2008 – TLS1.2 (RFC5246)
Many implementations • SChannel, OpenSSL, NSS, !
GnuTLS, JSSE, PolarSSL, … • Several security patches every year Many papers • Well-understood, detailed specs • Security theorems… mostly for small simple models of TLS
Protocol&Logic%e.g.%ambiguous%messages%• cause%clients%and%%
server%to%nego4ate%older,%weaker%TLS%
Cryptography%e.g.%no%fresh%IV%• write%applet%to%%
realize%adap4ve%aTack%(BEAST)%%
Weak&Algorithms&MD5,%PKCS1,%RC4,%…%%
Implementa?on&Errors&many%cri4cal%bugs&
TLS&DESIGN&
What can still possibly go wrong?
encryption!using RC4 is !
broken!(but fast)
Weak&Algorithms&MD5,%PKCS1,%RC4,%…%%
What can still possibly go wrong?
Protocol&Logic%e.g.%ambiguous%messages%• cause%clients%and%%
server%to%nego4ate%older,%weaker%TLS%
Cryptography%e.g.%no%fresh%IV%• write%applet%to%%
realize%adap4ve%aTack%(BEAST)%%
Weak&Algorithms&MD5,%PKCS1,%RC4,%…%%
Implementa?on&Errors&many%cri4cal%bugs&
TLS&DESIGN&
Infrastructure&cer4ficate%management%
Applica?on%protocol%configura4on%
Infrastructure&cer4ficate%management%
Applica?on%protocol%configura4on%
What%if%you%“proceed%anyway”?%
This%happens%automa4cally%with%buggy%cert%
valida4on%
Infrastructure&cer4ficate%management%
Applica?on%protocol%configura4on%
Protocol&Logic%e.g.%ambiguous%messages%• cause%clients%and%%
server%to%nego4ate%older,%weaker%TLS%
Cryptography%e.g.%no%fresh%IV%• write%applet%to%%
realize%adap4ve%aTack%(BEAST)%%
Weak&Algorithms&MD5,%PKCS1,%RC4,%…%%
Implementa?on&Errors&many%cri4cal%bugs&
TLS&DESIGN&
Combining&all&of&the&above&Recent%cryptographic%aTacks%exploit%side%channels%in%protocol%logic%(errors)%and%implementa4on%(4ming)%
Combining&all&of&the&above&Recent%cryptographic%aTacks%exploit%side%channels%in%protocol%logic%(errors)%and%implementa4on%(4ming)%
On the (provable) security of TLS “A handful of works have attempted to analyse the entirety of SSL or TLS using machine-assisted proof techniques. This is incredibly ambitious, and moreover it's probably the only real way to tackle the problem. Unfortunately, the proofs hugely simplify the underlying cryptography, and thus don't cover the full range of attacks. Moreover, only computers can read them.”
• Matthew Green:!http://blog.cryptographyengineering.com/
59%
TLS in F# & F7 We develop and verify a reference implementation for SSL 3.0—TLS 1.2
1. Standard compliance: we closely follow the RFCs – concrete message formats – support for multiple ciphersuites, sessions and connections, !
re-handshakes and resumptions, alerts, message fragmentation,… – interop with other implementations such as web browsers and servers
2. Verified security: we structure our code to enable its !modular verification, from its main API down to !concrete assumptions on its base cryptography (e.g. RSA) – formal computational security theorems!
for a 5000-line functionality (automation required)
3. Experimental platform: for testing corner cases,!trying out attacks, analysing new extensions and patches, …
TLS in F# & F7 (Backup)
Try%it%out!%%
hTps://mitls.org%
Verifying our TLS!implementation !
DHGroup%
DH%
CRE%
PRF%
RSA%
Cert%
Sig%
SessionDB%
StAE%
LHAE%
Enc%
MAC%
Record%
Dispatch%
TCP%
Untyped%Adversary%
Encode%
LHAEPlain%
StPlain%
TLSFragment%
Alert%Datastream%
Handshake%(and%CCS)%
TLSInfo%TLSConstants%
Handshake/CCS%
TLS%Record%
AppData%
Base% Bytes%
Untyped%API%Adversary%
RPC%
RPCPlain%Applica4on%
TLS%API%
Alert%Protocol%
AppData%Protocol%
Nonce%
TLS%
CoreCrypto%
RSAKey%
Auth%
AuthPlain%
Extensions%
1%
2%
3% 4%
5%
6%7%
Range%
8%
9%Error%
Modular%Architecture%for%miTLS%%
DHGroup%
DH%
CRE%
PRF%
RSA%
Cert%
Sig%
SessionDB%
StAE%
LHAE%
Enc%
MAC%
Record%
Dispatch%
TCP%
Untyped%Adversary%
Encode%
LHAEPlain%
StPlain%
TLSFragment%
Alert%Datastream%
Handshake%(and%CCS)%
TLSInfo%TLSConstants%
Handshake/CCS%
TLS%Record%
AppData%
Base% Bytes%
Untyped%API%Adversary%
RPC%
RPCPlain%Applica4on%
TLS%API%
Alert%Protocol%
AppData%Protocol%
Nonce%
TLS%
CoreCrypto%
RSAKey%
Auth%
AuthPlain%
Extensions%
1%
2%
3% 4%
5%
6%7%
Range%
8%
9%Error%
Modular%Architecture%for%miTLS%%
Transport Layer Security (Review)
• Interleaving of four protocols !on top of the record layer
Record%Layer%
Handshake%protocol%
%
Change%ciphersuite%
%
Alert%protocol%
%
Applica4on%data%%
authen4cated%encryp4on%with%addi4onal%data%
stateful%authen4cated%encryp4on%
fragment%;%compress%
dispatch%
CS$Ka$Ke$
CS’$Ka’$Ke’$
TCP/IP%
plain%fragments%
encrypted%fragments%
I/O%bytestreams%
Applica4on%
web%pages%
''''''ClientHello''''''''' ''''''''''''99999999>'''''''''''''''''''''''''''''''''''''''''''''''''''''''ServerHello''''''''''''''''''''''''''''''''''''''''''''''''''''''Certificate*''''''''''''''''''''''''''''''''''''''''''''''''ServerKeyExchange*'''''''''''''''''''''''''''''''''''''''''''''''CertificateRequest*'''''''''''''''''''''''''''<99999999'''''''''''''''ServerHelloDone'''''''Certificate*'''''''ClientKeyExchange'''''''CertificateVerify*'''''''ChangeCipherSpec'''''''Finished''''''''''''99999999>''''''''''''''''''''''''''''''''''''''''''''''''''ChangeCipherSpec'''''''''''''''''''''''''''<99999999''''''''''''''''''''''Finished'''''''''''''''''''''''''''<9999999>''''''''''''''Application'Data'''''''Application'Data'''
Full%hand
shake%
Ciphersuites !& crypto agility
• Not all !
algorithms !are equal!
• Cautionary tale [Brumley et al, CT-RSA 2012] – ECDH part of the latest, strongest ciphersuites using elliptic curves – OpenSSL vulnerable to a software “bug attack”!
on its multiplication algorithm (635 handshakes) !widely deployed & left open for 2 years
• Intuitively, clients and servers should get the security for !the ciphersuites they accept, not for the weakest supported ones – Non trivial: there is a circular dependency,!
as TLS relies on the ciphersuites being negotiated
• We verify TLS generically, for multiple ciphersuites:!formally, the adversary provides the weaker algorithms.
'TLS_NULL_WITH_NULL_NULL''''''''''='{'0x00,0x00'}'TLS_RSA_WITH_NULL_SHA256'''''''''='{'0x00,0x3B'}'TLS_RSA_WITH_RC4_128_MD5'''''''''='{'0x00,0x04'}'TLS_DH_anon_WITH_AES_256_CBC_SHA'='{'0x00,0x3A'}'(…)$38$ciphersuites$in$TLS$1.2$(…)$many$others$in$recent$TLS$extensions$TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA''
data%data%
data%
Sessions and Connections • Sessions (S, S’) are for key establishment: DH, RSA, KDF • Connections are for transporting records (AE), !
within a series of “epochs” !possibly with different principals, ciphersuites, and keys
new%S% finished% rehandshake%S’% close%
resume%S’% data% rekey% data% alert%(fatal)%
TCP% TCP%
TCP’%
first%epoch%(same%ciphersuite%&%keys)%
CCS% CCS%
next%handshake%interleaved%with%data%(different%peer%cert)%first%handshake%(unprotected)%
abbreviated%handshake%%
next%handshake%just%for%rekeying%
data%data%
Fragmentation Issues (1/2) • A recent attack
– Application messages can be fragmented across several epochs!(possibly with different principals & security)
– Man-in-the-middle attack 1. Intercept a target client’s handshake to a secure server 2. Connect to the server; inject a message fragment; !
then forward all messages between the victim and the server 3. The server interprets the victim’s first handshake !
as a (correct) rehandshake, then accepts the attacker’s !message as a valid request from the victim
– Existing TLS APIs do not notify the application of rehandshakes.!(Our API does.)
– Fix: a new “safe negotiation” extension hashing all HS conversations!(not just the last one) in Finished messages
Fragmentation Issues (2/2) • A new authentication attack: alert fragmentation
– Alert messages can be sent at any time !(for signalling, closing connections, reporting cert errors…)
– Alert messages are 2-byte long…hence can be fragmented! – Our attack:
1. Inject a one-byte A0 alert fragment during the first handshake!this byte is silently cached (not recorded in HS conversation)
2. Later, as a genuine 2-byte X0X1 alert is received!and authenticated on the secure connection, !A0X0 is passed instead to the application
– Simple fix: discard fragmented alerts
Agile Length-Hiding Stateful !
Authenticated Encryption!with Additional Data
MAC&
Fragment; MAC; Encode; then Encrypt plaintext%message%sent%by%the%applica4on%
fragment% to%be%sent%later%
fragment%
pad&MAC&fragment%
sent%earlier%
fragmen4ng%&%padding%%are%underlspecified%
IV%%%%%%%%encrypted%%record%%%%%%%%%%.%header&
sent/received&on&TCP&connec?on&
• TLS%decodes%the%decrypted%text%before%authen4ca4on;%poten4ally%leaking%secret%informa4on%(via%“padding%oracles”)%%
• Security%relies%on%joint%ciphertext%integrity%(INTlCTXT)%%The%proof%is%ad%hoc%(for%CBC)%and%depends%on%|MAC|%>%|Block|%(recent%aTack%&%proof%by%Paterson%et%al.%at%ASIACRYPT’11)%
&content&type&&&&sequence&number&
&content&type&&&sequence&number&
&
Fragment-then-Compress? (new attack) • Large messages are sliced !
into many fragments • When encoded, each fragment is "
independently compressed • An eavesdropper can record!
the sequence of fragment!ciphertext lengths, and obtain!precise message fingerprints – leaking much more than!
the total message length
max%fragment%length%(16KB)%%
lengths%observed%on%the%network%
(16KB)%%
Fragment-then-Compress? (new attack) • Experimental data: downloading songs over HTTPS:
Another recent !attack exploiting !
compression !with chosen!
plaintexts
Our approach: disable compression, then!
Hide secret lengths within public ranges • The application chooses its own plaintext range,!
e.g. any secret URL of size 0..200 bytes!!!
• !0 !
• Fragmentation and padding depends!only on the range & ciphersuite,!not on the secret message length & content
Formally,%we%index%our%type%of%plaintext%fragments%by%their%range%&%sequence%number%in%the%stream%too.%By%typing,%we%check%that%
Hiding lengths within public ranges • (;range) plain:!
an abstract plain fragment whose length is within range – 0
The application chooses its own bucket sizes: – any secret URL of size 0..200 bytes – any 3MB image +/- 10%.
• Fragmentation and encoding depends only on the range,!not on the actual length and content (enforced by parametricity)
Abstract Plaintext Fragments
• Abstract%plaintext%fragments%are%indexed%by%%– key&info%including%nego4ated%algorithms%and%connec4on%info%– range%for%the%(secret)%plaintext%length %%– addi?onal&data,%encoding%e.g.%TLS%version%&%fragment%number%
• Type%abstrac4on%yields%condi+onal%security%for%plaintexts%with%safe%key%info%
'
val'ENC:'k:key$9>$p:plain{Msg(k,p)}$9>'cipher'val'DEC:'k:key$9>'cipher$9>$p:plain{Msg(k,p)}'option'
module'PlainAEAD$type'(;ki:KeyInfo)$data$='b:bytes{…}'type'(;ki:KeyInfo,rg:range,ad:data)$fragment$'
val'leak:'''ki:KeyInfo{not(Safe(ki))}'9>'rg:range'9>'ad:data'9>''''(;ki,rg,ad)'fragment'9>'b:bytes{Length(b)'in'rg}''
val'coerce:$$$ki:KeyInfo{not(Safe(ki))}'9>'rg:range'9>'ad:data'9>''''b:bytes{Length(b)'in'rg}'9>(;ki,rg,ad)'fragment''
module'PlainAEAD$type'(;ki:KeyInfo)$data$='b:bytes{…}'type'(;ki:KeyInfo,rg:range,ad:data)$fragment$'
val'LEAK:'''ki:KeyInfo{not(Safe(ki))}'9>'rg:range'9>'ad:data'9>''''(;ki,rg,ad)'fragment'9>'b:bytes{Length(b)'in'rg}''
val'COERCE:$$$ki:KeyInfo{not(Safe(ki))}'9>'rg:range'9>'ad:data'9>''''b:bytes{Length(b)'in'rg}'9>(;ki,rg,ad)'fragment''
Authenticated Encryption in TLS
• encryption & decryption with a safe index!do not access the plaintext bytes (IND-CPA)
• decryption with a safe index!succeeds on correctly-encrypted ciphertexts,!returns an error otherwise (INT-CTXT)
'
val'ENC:'k:key$9>$p:plain{Msg(k,p)}$9>'cipher'val'DEC:'k:key$9>'cipher$9>$p:plain{Msg(k,p)}'option'
module'AEAD'$
val$encrypt:$$$ki:KeyInfo'9>'(;ki)key'9>'ad:(;ki)data'9>'''rg:range'9>'p:(;ki,rg,ad)'fragment'9>'c:(;ki)'cipher'{'CTXT(ki,ad,p,c)'}'$
val$decrypt:$$$ki:KeyInfo'9>'(;ki)key'9>'ad:(;ki)data'9>''''c:cipher{CipherLength(ki,c)}'9>'rg:range'*'r:(;ki,rg,ad)'fragment'option'''{'Safe(ki)'=>'!p.'r'='Some(p)'<=>'CTXT(ki,ad,p,c)'}'