Verified protocol implementations in F* - meetupfiles.meetup.com/10193032/fstar-crypto.pdf
TRANSCRIPT
Verified protocol implementations in F*
Alessandro Bruni

$ whoami # Alessandro Bruni - Computer Scientist
Now:
• Postdoc researcher @ ITU (computer security, SW verification, theorem provers, ...)
Before:
• Fall 2015: [email protected]
• 2012-2015: PhD @ DTU (computer sec., SW ver., ...)
  – Contributed crypto examples to the FStar repo
• 2012: Research Eng. @ Siav SpA (process mining)
Find me at: alessandrobruni.name / @hoheinzollern
Recap: F* & Refinement types
• F* = F# + Types on Steroids:
• Can express powerful properties on data, e.g.:

  val cons: n:nat -> l:'a list{n = List.length l}
         -> x:'a -> l':'a list{n+1 = List.length l'}
“Can we use refinement types for proving security of protocols?”

[Figure: XKCD comic. Source: XKCD]
Could /that/ be prevented?
1. Yes
2. Yes! Like tons of similar vulnerabilities, using a strong typing discipline

Option 2:
  val reply: len:nat -> msg:text{length msg = len}
          -> resp:text{resp = msg}
Hint: not a complete solution...
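The refinement on `reply` above rules out a reply that copies more bytes than the message holds. As an added example (not code from the slides), here is the run-time analogue in Python: one handler trusts the length field from the wire, the other enforces the equality the refinement `{length msg = len}` states. The wire format (2-byte length prefix) and the bytes that happen to follow the request in memory are constructed for this example; F* would reject the unchecked version at compile time rather than at the moment a bad request arrives.

```python
import struct
from typing import Optional, Tuple

# Constructed: whatever happens to sit right after the request buffer.
NEIGHBOUR = b"<other-connection-data>"


def parse_request(packet: bytes) -> Tuple[int, bytes]:
    """Wire format assumed here: 2-byte big-endian length field, then payload."""
    (claimed_len,) = struct.unpack(">H", packet[:2])
    return claimed_len, packet[2:]


def make_request(claimed_len: int, payload: bytes) -> bytes:
    return struct.pack(">H", claimed_len) + payload


def reply_unchecked(packet: bytes) -> bytes:
    """Trusts the length field: copies claimed_len bytes starting at the
    payload, so a field larger than the payload runs into NEIGHBOUR."""
    claimed_len, payload = parse_request(packet)
    memory = payload + NEIGHBOUR          # model of the process heap
    return memory[:claimed_len]


def reply_checked(packet: bytes) -> Optional[bytes]:
    """Enforces {length msg = len}; with it, the only possible reply is the
    message itself, which is what {resp = msg} promises. Mismatching
    requests get no answer at all."""
    claimed_len, payload = parse_request(packet)
    if claimed_len != len(payload):
        return None
    return payload
```

The checked handler is what the type of `reply` forces every caller to respect; the slide's hint that this is "not a complete solution" still stands, since a length check says nothing about what the reply is used for afterwards.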
miTLS: A Verified Reference Implementation of TLS
• Uses F* dependent types to reason about the security of TLS
• Attacks discovered while verifying TLS:
  – Alert, 3SHAKE, VHC, SMACK, Logjam, SLOTH
• Quick moral:
  – Automatic reasoning about program correctness helps to discover problems that would otherwise go unnoticed
  – The more automatic checking, the better
Introducing: Security Games
“the only winning move is not to play”
• Artificial setup:
  – Attacker given access to an Oracle, who gives him lots of information (e.g. encrypts/decrypts messages for him) minus some important bits (e.g. encryption keys)
  – Game follows a script: the attacker and the oracle both follow the rules of the game
• Security proof:
  – If the attacker has no better strategy than purely random guesses, then the protocol is secure
Eavesdropping security (EAV)

  Eavesdropper                          Oracle (knows k)
      |  ------- m[0], m[1] ------->        |
      |                                b = sample {0,1}
      |  <----- encrypt(k, m[b]) -----      |
   guess b

Eavesdropper wins the game if P(guess b) > ½ + ε
Uppin' the Game: Chosen Plaintext Attacks (IND-CPA)
• We give the attacker access to encrypt(k, -) before and after the interaction with the user
• Still, we should have P(guess b) < ½ + ε
• Encryption should never return the same value twice ;)

  Attacker                              Oracle (knows k)
      |  <----- encrypt(k, -) ----->        |   (queries, before and after)
      |  ------- m[0], m[1] ------->        |
      |                                b = sample {0,1}
      |  <----- encrypt(k, m[b]) -----      |
   guess b
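The EAV and IND-CPA games above are scripts, and a script can be run. As an added example (not code from the slides), the Python below plays the IND-CPA game against two constructed toy ciphers: both derive a keystream as HMAC-SHA256(k, nonce) and XOR it into the message, but one reuses a fixed nonce while the other draws a fresh one per call. The attacker uses exactly the extra power IND-CPA grants, a query to encrypt(k, -) after the challenge, and the empirical P(guess b) shows why "encryption should never return the same value twice". The `rng` argument is a seeded `random.Random` so that a run is reproducible; the oracle, attacker and cipher names are this example's own.

```python
import hashlib
import hmac
import random
from typing import Callable

Encrypt = Callable[[bytes, bytes, random.Random], bytes]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(k: bytes, nonce: bytes) -> bytes:
    # Constructed toy cipher: 32 bytes of keystream from HMAC-SHA256(k, nonce).
    return hmac.new(k, nonce, hashlib.sha256).digest()


def encrypt_deterministic(k: bytes, m: bytes, rng: random.Random) -> bytes:
    # Fixed nonce: the same plaintext always gives the same ciphertext.
    nonce = bytes(16)
    return nonce + xor(m, keystream(k, nonce))


def encrypt_randomized(k: bytes, m: bytes, rng: random.Random) -> bytes:
    # Fresh nonce per call: encrypting twice never returns the same value.
    nonce = bytes(rng.getrandbits(8) for _ in range(16))
    return nonce + xor(m, keystream(k, nonce))


class Oracle:
    """Knows k; answers encrypt(k, -) queries and one challenge on (m[0], m[1])."""

    def __init__(self, enc: Encrypt, rng: random.Random) -> None:
        self.enc, self.rng = enc, rng
        self.k = bytes(rng.getrandbits(8) for _ in range(32))
        self.b = None

    def encrypt(self, m: bytes) -> bytes:
        return self.enc(self.k, m, self.rng)

    def challenge(self, m0: bytes, m1: bytes) -> bytes:
        self.b = self.rng.randrange(2)              # b = sample {0,1}
        return self.encrypt((m0, m1)[self.b])


def cpa_attacker(oracle: Oracle) -> int:
    """After the challenge, ask for encrypt(k, m[0]) and compare with it."""
    m0, m1 = b"attack at dawn!!", b"attack at dusk!!"   # constructed messages
    c = oracle.challenge(m0, m1)
    return 0 if oracle.encrypt(m0) == c else 1          # guess b


def win_probability(enc: Encrypt, trials: int, seed: int = 0) -> float:
    """Empirical P(guess b) of cpa_attacker against the scheme `enc`."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        oracle = Oracle(enc, rng)
        if cpa_attacker(oracle) == oracle.b:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("deterministic P(guess b):", win_probability(encrypt_deterministic, 1000))
    print("randomized    P(guess b):", win_probability(encrypt_randomized, 1000))
```

Against the fixed-nonce scheme the comparison succeeds whenever b = 0 and fails whenever b = 1, so the attacker is right every time; against the randomized scheme the query never matches the challenge and the attacker is reduced to the ½ + ε the game allows. The same attacker with the `encrypt` query removed is the EAV eavesdropper, and then neither scheme lets it do better than guessing.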
Integrity of Chosen Message Attacks (INT-CMA)

  Attacker                              Oracle (knows k)
      |  ----------- m ------------>        |
      |                                t = sign(k, m)
      |  <---------- t -------------        |
      |  -------- (m', t') --------->        |
      |                                check t' = sign(k, m')

• Attacker can query the oracle for signatures, but each requested message m is logged along with its signature tag t
• The attacker wins the game if he can produce a new pair (m', t'), where t' = sign(k, m'), with probability > ε
Reasoning in F*
• Security games are recipes (programs?)
• Involve interaction between parties

  val send: string -> IO unit
  val recv: unit -> IO string

• Express verification conditions
  – IND-CPA Encryption:

    val enc: k:key -> plain -> c:cipher{Encrypted k c}
    val dec: k:key -> c:cipher{Encrypted k c} -> plain

  – INT-CMA Signatures:

    val mac: k:key -> t:text{Oracle k t} -> tag
    val verify: k:key -> t:text -> tag -> b:bool{b ==> Oracle k t}

• Are we missing something?
Introducing: Probabilistic F*
• New construct:

  let n = sample {0,1} in ...

  n = 1 with probability 50%
  n = 0 with probability 50%
Negligible differences

With log (ideal):

  let mac k t =
    let m = hmac_sha1 k t in
    log := Entry k t m :: !log;
    m

  let verify k text tag =
    let m = hmac_sha1 k text in
    let verified = (m = tag) in
    let found =
      is_Some (List.find
        (fun (Entry k' text' tag') -> k = k' && text = text')
        !log) in
    verified && found

Without log (concrete):

  let mac k t =
    let m = hmac_sha1 k t in
    m

  let verify k text tag =
    let m = hmac_sha1 k text in
    let verified = (m = tag) in
    verified

≈  (the two behave the same up to a difference < ε)

Remember:
  val mac: k:key -> t:text{Oracle k t} -> tag
  val verify: k:key -> t:text -> tag -> b:bool{b ==> Oracle k t}
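To make the "negligible difference" concrete, and to run the INT-CMA game of the earlier slide against both versions, here is an added example (not code from the slides) that transcribes the two MAC implementations into Python, with HMAC-SHA256 in place of `hmac_sha1` and the global `log` as an instance attribute. The attacker strategies and the game harness are this example's own. The logged version returns `verified && found`, so for it `verify k text tag = true` literally implies that `(k, text)` went through `mac`, which is the `b ==> Oracle k t` refinement; the unlogged version can only be told apart from it on the event that an attacker presents a correct tag for a text it never queried, and that event is exactly what INT-CMA bounds by ε.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple


def hmac_tag(k: bytes, text: bytes) -> bytes:
    return hmac.new(k, text, hashlib.sha256).digest()


class RealMac:
    """mac / verify without the log."""

    def mac(self, k: bytes, t: bytes) -> bytes:
        return hmac_tag(k, t)

    def verify(self, k: bytes, text: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(hmac_tag(k, text), tag)


class IdealMac:
    """mac / verify with the log: verify also demands that (k, text) was once
    passed to mac, i.e. that Oracle k text holds."""

    def __init__(self) -> None:
        self.log: List[Tuple[bytes, bytes, bytes]] = []   # Entry k t m

    def mac(self, k: bytes, t: bytes) -> bytes:
        m = hmac_tag(k, t)
        self.log.append((k, t, m))
        return m

    def verify(self, k: bytes, text: bytes, tag: bytes) -> bool:
        verified = hmac.compare_digest(hmac_tag(k, text), tag)
        found = any(k == k2 and text == t2 for k2, t2, _ in self.log)
        return verified and found


Query = Callable[[bytes], bytes]
Forger = Callable[[Query], Tuple[bytes, bytes]]


def int_cma_game(scheme, forge: Forger, k: bytes) -> bool:
    """The attacker asks for tags through `query`; it wins if it returns a
    pair (m', t') on a message it never queried that verify accepts."""
    asked: List[bytes] = []

    def query(m: bytes) -> bytes:
        asked.append(m)
        return scheme.mac(k, m)

    m2, t2 = forge(query)
    return m2 not in asked and scheme.verify(k, m2, t2)


def splice_attacker(query: Query) -> Tuple[bytes, bytes]:
    """Reuses a legitimately obtained tag on a changed message (constructed texts)."""
    t = query(b"transfer 10")
    return b"transfer 90", t


def make_key_leak_attacker(k: bytes) -> Forger:
    """Stands in for the probability-epsilon event of producing a correct tag
    without asking (here simply by being handed k). This is the only event on
    which the two schemes answer differently."""
    def forge(query: Query) -> Tuple[bytes, bytes]:
        return b"transfer 90", hmac_tag(k, b"transfer 90")
    return forge


def compare(k: bytes) -> Dict[str, Tuple[bool, bool]]:
    """(real wins?, ideal wins?) for each attacker."""
    leak = make_key_leak_attacker(k)
    return {
        "splice": (int_cma_game(RealMac(), splice_attacker, k),
                   int_cma_game(IdealMac(), splice_attacker, k)),
        "key_leak": (int_cma_game(RealMac(), leak, k),
                     int_cma_game(IdealMac(), leak, k)),
    }
```

Honest use is identical in both versions: a tag returned by `mac` verifies. The splice attempt loses against both. The key-leak attacker wins against the unlogged version and still loses against the logged one, which is the whole point of the idealisation: the logged code is what the refinement type describes, and the concrete code is accepted as a stand-in for it because the two differ only with probability below ε.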
Example: RPC protocol

  A -> B: utf8 s, mac kAB s
  B -> A: utf8 t, mac kAB (s, t)

  let client q =
    assume Request(q) ...
    send (mac k (utf8 q))

  let server q =
    ...
    if verify k (utf8 q) m
    then
      assert Request(q)
      process q

  assume forall k t . Oracle k (utf8 t) <==> Request t
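The RPC exchange above, as an added example (not code from the slides) in Python with HMAC-SHA256 standing in for `mac`: the server only processes a request whose tag verifies, which by `verify k s m ==> Oracle k s` and the `Oracle k (utf8 t) <==> Request t` assumption is what licenses the `assert Request(q)`, and the client only accepts a response whose tag covers the pair `(s, t)`, so an answer to one request cannot be passed off as the answer to another. How `(s, t)` is serialised before MACing is this example's choice (a length prefix on each part), not something the slide fixes; plain concatenation would let two different pairs with the same concatenation share one tag. The handler and the message texts are constructed.

```python
import hashlib
import hmac
import struct
from typing import Callable, Optional, Tuple

Msg = Tuple[bytes, bytes]   # (text, tag)
Handler = Callable[[str], str]


def mac(k: bytes, text: bytes) -> bytes:
    return hmac.new(k, text, hashlib.sha256).digest()


def verify(k: bytes, text: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(k, text), tag)


def encode_pair(s: bytes, t: bytes) -> bytes:
    """Unambiguous encoding of (s, t): 4-byte length prefix on each part."""
    return struct.pack(">I", len(s)) + s + struct.pack(">I", len(t)) + t


def client_request(k: bytes, q: str) -> Msg:
    """A -> B: utf8 s, mac kAB s. This is where the F* client assumes Request(q)."""
    s = q.encode("utf-8")
    return s, mac(k, s)


def server(k: bytes, request: Msg, process: Handler) -> Optional[Msg]:
    """B: process only what verifies; anything else gets no answer."""
    s, m = request
    if not verify(k, s, m):
        return None
    t = process(s.decode("utf-8")).encode("utf-8")
    return t, mac(k, encode_pair(s, t))          # B -> A: utf8 t, mac kAB (s, t)


def client_accept(k: bytes, s: bytes, response: Msg) -> Optional[str]:
    """A: accept t only as B's answer to this particular s."""
    t, m = response
    if not verify(k, encode_pair(s, t), m):
        return None
    return t.decode("utf-8")


def echo_handler(q: str) -> str:
    return "ok:" + q


def run(k: bytes, q: str, process: Handler = echo_handler) -> Optional[str]:
    """Honest run of the whole protocol."""
    s, m = client_request(k, q)
    resp = server(k, (s, m), process)
    return None if resp is None else client_accept(k, s, resp)


def run_tampered(k: bytes, process: Handler = echo_handler) -> Optional[Msg]:
    """The request text is rewritten in transit; the tag no longer covers it."""
    s, m = client_request(k, "balance alice")
    return server(k, (b"balance bob", m), process)


def run_swapped(k: bytes, process: Handler = echo_handler) -> Optional[str]:
    """B's answer to one request is delivered as the answer to another."""
    s1, m1 = client_request(k, "balance alice")
    s2, m2 = client_request(k, "balance bob")
    resp_for_bob = server(k, (s2, m2), process)
    return client_accept(k, s1, resp_for_bob)
```

Both misdeliveries are rejected by the same `verify` calls that an honest run passes; what the slide proves with types is that the server's `process q` is reached only in the first case.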
Demo
Conclusions
• We can build cryptographic proofs of correctness using dependent types
• Precisely reasoning about the correctness of programs (using types) helps discover problems (miTLS attacks)
• Interested in more crypto protocols? Explore /FStar/examples/crypto