a formal tls handshake
play

A Formal TLS Handshake Model in LNT Josip Bozic, Franz Wotawa Lina - PowerPoint PPT Presentation

Jan 05, 2024 •286 likes •603 views

0 0 A Formal TLS Handshake Model in LNT Josip Bozic, Franz Wotawa Lina Marsso, Radu Mateescu Graz University of Technology Univ. Grenoble Alpes, Inria, Institute of Software Technology CNRS, Grenoble INP, LIG 38000 Grenoble, France 8010

  1. 0 0 A Formal TLS Handshake Model in LNT Josip Bozic, Franz Wotawa Lina Marsso, Radu Mateescu Graz University of Technology Univ. Grenoble Alpes, Inria, Institute of Software Technology CNRS, Grenoble INP, LIG 38000 Grenoble, France 8010 Graz, Austria {lina.marsso,radu.mateescu}@inria.fr {jbozic,wotawa}@ist.tugraz.at MARS/VPT, April 20 𝑢ℎ , 2018 u tugraz.at, inria.fr

  2. Outline 1 1. Introduction 2. Formal model 3. Validation 4. Conclusion A Formal TLS Handshake Model in LNT

  3. Introduction 2 • Security services in e-government, online banking, online shops, social media, … • New vulnerabilities are detected on a regular basis. • Many faults have their roots in the software development cycle or intrinsic leaks in the system specification. • Testing of network services represents one of the biggest challenges in cyber security. • Conformance testing checks whether a system behaves according to its specification. • Formal specification of a system behavior. A Formal TLS Handshake Model in LNT

  4. Contributions 3 • Formalization of the Handshake protocol of the Transport Layer Security (TLS) in the LNT language. • Conformance testing of TLS implementations. • Connection to framework for automated testing of TLS implementations [1]. A Formal TLS Handshake Model in LNT

  5. Transport Layer Security (TLS) 4 • Security/cryptographic protocols assure reliable and secure communication between peers. • Predecessor of TLS: the Secure Sockets Layer (SSL). • Currently used version: TLS 1.2 [3]; Working draft: TLS 1.3. • Reasons for vulnerability: Complexity of the protocol and its high number of interactions. A Formal TLS Handshake Model in LNT

  6. Known TLS Vulnerabilities 5 • BEAST (CVE-2011-3389) • CRIME (CVE-2012-4929) • BREACH (CVE-2013-3587) • Heartbleed (CVE-2014-0160) • POODLE (CVE-2014-3566 ) • DROWN (CVE-2016-0800): 33% of all HTTPS sites were affected [4]. Vulnerabilities of implementations (not the protocol). A Formal TLS Handshake Model in LNT

  7. TLS Handshake Protocol 6 • One of the most complex and vulnerable parts of TLS. • Consists of TLS messages. • Every of these messages encompasses a specific set of parameters and values.  Our task: Implement the interaction and execute it for testing purposes. A Formal TLS Handshake Model in LNT

  8. 7 Formal Model of TLS 1.3 Handshake • LNT – Formal specification language for concurrent systems. – Process calculus with imperative syntax. – Imperative language. • Starting point – Description of state machines [draft-tls-1.3]. – TLS 1.3 handshake informal requirements (not self-contained: refers to further documents). A Formal TLS Handshake Model in LNT

  9. Model Overview 8 43 types 3 constants data types 5 functions 5 processes + client 1 main process (105 lines) 7 processes + server 1 main process (101 lines) communication 1 process (25 lines) A Formal TLS Handshake Model in LNT

  10. 9 Data Type Example: ClientHello (1/2) Protocol Version : TLS10, TLS11, TLS12, DTLS10, DTLS12 Client Random : 28-byteRand Session ID : NULL, 32-byteID Supported Cipher Suites : TLS_FALLBACK_SCSV, TLS_NULL_WITH_NULL_NULL, TLS_RSA_WITH_NULL_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA Supported Compression Methods : NULL, DEFLATE, LZS Extensions : extension_type, extension_data type ClientHello is ClientHello (legacy_version: ProtocolVersion, random: Random32, legacy_session_id: SessionId, cipher_suite: Ciphers, legacy_compression_methods: CompressionMethods, extensions: Extensions) end type A Formal TLS Handshake Model in LNT

  11. Data Type Example: ClientHello (2/2) 10 var e: Extensions in e := {Extension (supported_version, SupportedVersion ({TLS12})) } end var type ExtensionType is type Extensions is signature_algorithms, list of Extension supported_versions, with “member”, “remove” … end type end type type SupportedVersions is type ExtensionData is list of ProtocolVersion type Extension is Cookie (c: Cookie), end type Extension ( SupportedVersions ( type: ExtensionType, sv: supportedVersion), data: ExtensionData) … end type end type A Formal TLS Handshake Model in LNT

  12. 11 Client, Server and their Interactions • Interactions described by sequence diagrams. • Incomplete state machines for client and server – Human readable. – Compact. + Added management of Alerts – Handling handshake errors. – Requirements not respected. A Formal TLS Handshake Model in LNT

  13. 12 (incomplete) Client-side State Machine -- Start lo loopL in in -- client key exchange [K_send = early data] ClientHello [clientHello_c] (is_helloRequest, !?CH_p, HRR_P, ?alert); if alert != undefined then if -- abort the handshake with an alert alert_c (alert) els lse -- WAIT_ServerHello select helloRetryRequest_c (?HRR_P); is_helloRequest := true [] serverHello_c (?any ServerHello); [] break L [] [] -- protocol messages sent in the wrong order se select encryptedExtensions_c (?any EncryptedExtensions) [] [] certificateRequest_c (?any CertificateRequest) … select ; end se alert := unexpected_message; -- abort the handshake with an "unexpected_message" alert alert_c (alert) end se select end if if end lo end loop; A Formal TLS Handshake Model in LNT

  14. TLS Interruptions 13 Informal requirements • “The TLS 1.3 handshake refuses renegotiation without a hello retry request message.” disrupt … content by - - TLS 1.3 refuses renegotiation without a Hello Retry Request clientHello_c (?CH_p); alert := unexpected_message; end disrupt • “The client hello message can only arrive at the beginning of the handshake, or right after a hello retry request message.” A Formal TLS Handshake Model in LNT

  15. Conformance Testing 14 • Model-based testing approach to compare the formal model of the TLS handshake with implementations. • Extract test cases from the formal model. • Run test cases on an implementation (SUT – System Under Test ) and check whether the SUT conforms to the model. • We used TESTOR [5], a recent tool for on-the-fly conformance test case generation guided by test purposes, developed on top of the CADP toolbox [6]. • The SUT in this validation process is an implementation of TLS 1.2. A Formal TLS Handshake Model in LNT

  16. Conformance Testing Overview 15 A Formal TLS Handshake Model in LNT

  17. Test Purposes 16 • A test purpose aims to select a functionality to be tested by guiding the selection of test cases. • Three test purposes corresponding to three requirements from the draft TLS 1.3 handshake specification: TP1. The protocol messages must be sent in the standard order (without the HelloRetryRequest message). TP2. The handshake must be aborted with an “unexpected message” alert, if there is a client renegotiation attempt. TP3. The protocol messages are sent in the right order with an unexpected CertificateRequest (with a HelloRetryRequest message). A Formal TLS Handshake Model in LNT

  18. Test Cases 17 A test case (TC) is a sequence of interactions with the SUT. TCi corresponds to one generated TC for a test purpose i. TC2. TLS handshake TC3. TLS handshake with TC1. Standard TLS aborted by an Alert renegotiation handshake A Formal TLS Handshake Model in LNT

  19. Test Execution 18 • Follow track of executed attack. • Three possible verdicts: – Pass: Test purpose is reached. – Fail : The SUT is not conform to M . – Inconclusive: No indicative error encountered but the test purpose is not reached. A Formal TLS Handshake Model in LNT

  20. Test Execution Framework 19 • Emulate the interaction between client and server in a controlled and iterative way. • Establish a connection to a TLS implementation with the execution framework and automatically test the SUT by following a formal specification from LNT. • An adapted TLS-Attacker [7], an implementation for analyzing TLS libraries. • Comprehends all TLS functionality according to v1.2 standard. A Formal TLS Handshake Model in LNT

  21. Test Execution Example (1/3) 20 • The framework creates TLS messages on the fly according to the table, submits them against a SUT and reads its responses. • Since no concrete values for the parameters of the messages are assigned, the tool generates default values automatically. A Formal TLS Handshake Model in LNT

  22. Test Execution Example (2/3) 21 process Client [clientHello_c: CH, process ClientHello_TP [ clienth: CH] serverHello_c: SH, ( is_hello_retry_request : bool , certificate_c_c, in out CH_p : ClientHello , certificate_s_c: C, HRR_p : HelloRetryRequest , certificateVerify_s_c: CV, out alert : AlertType ) is finished_c_c, finished_s_c: F, ... alert_c: A] is ... digraph BCG { size = "7, 10.5"; TESTOR center = TRUE; node [shape = circle]; 0 [peripheries = 2]; 0 -> 11 [label = "CLIENTHELLO_C !CLIENTHELLO (TLS12, 28BYTERAND, T_NULL, BCG {}, T_NULL, {EXTENSION (SIGNATURE_ALGORITHMS, SIGNATURESCHEMELIST ({RSA_PKCS1_SHA256, RSA_PKCS1_SHA384, RSA_PKCS1_SHA512, ECDSA_SECP256R1_SHA256})), DOT EXTENSION (SUPPORTED_VERSIONS, SUPPORTEDVERSIONS ({TLS13}))})"]; A Formal TLS Handshake Model in LNT

  23. Test Execution Example (3/3) 22 Execution Framework SUT Results Action #1: CLIENT_HELLO Action #2: SERVER_HELLO compare Action #3: CERTIFICATE ALERT message: Action #4: SERVER_HELLO_DONE trace Level: FATAL Action #5: CERTIFICATE_REQUEST Description: Action #6: ALERT UNEXPECTED_MESSAGE verdict A Formal TLS Handshake Model in LNT

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

T riple Handshake: can cryptography, formal methods, and applied security be friends?

T riple Handshake: can cryptography, formal methods, and applied security be friends?

T riple Handshake: can cryptography, formal methods, and applied security be friends? http://miTLS.org Karthik Bhargavan Markulf Kohlweiss with Antoine Delignat-Lavaud, Cdric Fournet, Alfredo Pironti, Pierre-Yves Strub, Santiago Zanella

639 views • 46 slides
Clockless IC Design using Handshake Technology Ad Peeters Handshake Solutions Philips

Clockless IC Design using Handshake Technology Ad Peeters Handshake Solutions Philips

Clockless IC Design using Handshake Technology Ad Peeters Handshake Solutions Philips Electronics Philips Semiconductors Philips Corporate Technologies Philips Medical Systems Lighting, ... Philips Research Philips IP & Standards,

474 views • 26 slides
Create a Handshake Account 1. Log into go.ucr.edu/ucrhandshake with your UCR username and

Create a Handshake Account 1. Log into go.ucr.edu/ucrhandshake with your UCR username and

Create a Handshake Account 1. Log into go.ucr.edu/ucrhandshake with your UCR username and password. 2. Complete your UCR Handshake profile by adding your resume, photos, skills and more. Make your profile public to employers. 3. Click Jobs

551 views • 24 slides
Security Handshake Pitfalls Slide 1 Login with Shared Secret: Variant 1 B: R , A: K f R g ,

Security Handshake Pitfalls Slide 1 Login with Shared Secret: Variant 1 B: R , A: K f R g ,

handshake 1 Security Handshake Pitfalls Slide 1 Login with Shared Secret: Variant 1 B: R , A: K f R g , where K fg can be hash AB authentication not mutual connection hijacking off-line password attack compromise of database

424 views • 16 slides
Student Login Path: My Baker My Services Career Services Handshake

Student Login Path: My Baker My Services Career Services Handshake

Student Login Path: My Baker My Services Career Services Handshake Handshake (Single Sign-on) My Profile How do I edit my education information? Uploading Resume Click on your name towards the top right

551 views • 22 slides
Asynchronous circuit technology is on the market Overview Introduction Handshake

Asynchronous circuit technology is on the market Overview Introduction Handshake

Asynchronous circuit technology is on the market Overview Introduction Handshake Solutions Handshake Technology Counting asynchronous millionaires More metrics # trained people # competition # asynchronous

528 views • 36 slides
1 Description Mur Modeling Prior to 4-way handshake, we assume:

1 Description Mur Modeling Prior to 4-way handshake, we assume:

Scenario: 802.11 Analysis of 4-way handshake protocol in IEEE 802.11i Wired Network Changhua He Stanford University Security ! Mar. 04, 2004 An example of a 802.11 wireless local area network History of Security Concerns Terms

285 views • 3 slides
Annex-4 Formal vs. Non-formal Debate ICT in Non-Formal Education ad hoc, not

Annex-4 Formal vs. Non-formal Debate ICT in Non-Formal Education ad hoc, not

Annex-4 Formal vs. Non-formal Debate ICT in Non-Formal Education ad hoc, not hierarchically structured, standardized chronologically graded, for the standardized Anir Chowdhury for the mainstream dropouts Policy Advisor

395 views • 5 slides
Modernizing Legacy Equipment Permitting no longer just a handshake with landowner

Modernizing Legacy Equipment Permitting no longer just a handshake with landowner

Modernizing Legacy Equipment Permitting no longer just a handshake with landowner Typically digital stations require larger footprint Telemetry Long distance radio links and phone lines Limited success so far with digital VHF

166 views • 4 slides
Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing Mathy

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing Mathy

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing Mathy Vanhoef, Domien Schepers, Frank Piessens imec-DistriNet, KU Leuven Asia CCS 2017 Introduction More and more Wi-Fi network use encryption: 2010 Most

531 views • 19 slides
WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake Mathy

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake Mathy

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake Mathy Vanhoef - @vanhoefm Black Hat, 27 July 2017 In collaboration with Domien Schepers and Frank Piessens Introduction More and more Wi-Fi network use

414 views • 26 slides
Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC

Dragonblood: A Security Analysis of WPA3s SAE Handshake Mathy Vanhoef and Eyal Ronen WAC Workshop @ CRYPTO, Santa Barbara, 17 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate

1.04k views • 69 slides
Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonblood : Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security 1999: Wired Equivalent Privacy (WEP) RC4 with 40 (!) or 104 bits key Broken in 2001 [FMS01] Deprecated 2004 2

1.58k views • 105 slides
Release the Kraken: New KRACKs in the 802.11 Standard Mathy Vanhoef @vanhoefm Toronto,

Release the Kraken: New KRACKs in the 802.11 Standard Mathy Vanhoef @vanhoefm Toronto,

Release the Kraken: New KRACKs in the 802.11 Standard Mathy Vanhoef @vanhoefm Toronto, Canada, 16 October 2018 Key reinstallations in the 4-way handshake 2 WPA2: 4-way handshake Used to connect to any protected Wi-Fi network Mutual

814 views • 43 slides
Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New

Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New

Dragonblood : Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Real World Crypto, New York, 10 January 2020. Background: Wi-Fi Security 1999: Wired Equivalent Privacy (WEP) Broken in 2001 [FMS01] 2003:

818 views • 62 slides
Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen ANRW. Montreal, Canada, 22 July 2019. Background: Dragonfly in WPA3 = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session

1.04k views • 45 slides
Lecture for February 10, 2016 ECS 235A UC Davis Matt Bishop February 10, 2016 ECS 235A, Matt

Lecture for February 10, 2016 ECS 235A UC Davis Matt Bishop February 10, 2016 ECS 235A, Matt

Lecture for February 10, 2016 ECS 235A UC Davis Matt Bishop February 10, 2016 ECS 235A, Matt Bishop Slide #1 Supporting Crypto All parts of SSL use them Initial phase: public key system exchanges keys Messages enciphered using

856 views • 63 slides
Advances in Suricata Eric Leblond @Regiteric http://home.regit.org/ Victor Julien

Advances in Suricata Eric Leblond @Regiteric http://home.regit.org/ Victor Julien

Advances in Suricata Eric Leblond @Regiteric http://home.regit.org/ Victor Julien @inliniac http://www.inliniac.net/ Content of this talk Introduction to Suricata, OISF Eric Leblond will speak about recent

580 views • 47 slides
Resources for Controlled Languages for Alert Messages and Protocols in the European Perspective

Resources for Controlled Languages for Alert Messages and Protocols in the European Perspective

Resources for Controlled Languages for Alert Messages and Protocols in the European Perspective Sylviane Cardey 1 , Krzysztof Bogacki 2 , Xavier Blanco 3 , Ruslan Mitkov 4 1 Centre Tesnire, Universit de Franche-Comt (FR) 2 Uniwersytet

491 views • 22 slides
Communication Systems SSL University of Freiburg Computer Science Computer Networks and

Communication Systems SSL University of Freiburg Computer Science Computer Networks and

Communication Systems SSL University of Freiburg Computer Science Computer Networks and Telematics Prof. Christian Schindelhauer Organization I. Data and voice communication in IP networks II. Security issues in networking

557 views • 24 slides
Shared Situation Awareness: The Tactical Situation Object Initially defined in the frame of the EU

Shared Situation Awareness: The Tactical Situation Object Initially defined in the frame of the EU

Shared Situation Awareness: The Tactical Situation Object Initially defined in the frame of the EU project Now published as a CEN workshop agreement Martine Couturier, EADS Defence & Security

634 views • 14 slides
BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski

BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski

Bro Befriends Suricata 23/09/16 20 : 23 BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski @michalpurzynski / Scripts are here - https://github.com/michalpurzynski

894 views • 47 slides
Wireless Access Protocol Wireless Access Protocol (WAP) (WAP) NiePin & Zhou & Zhou Hu

Wireless Access Protocol Wireless Access Protocol (WAP) (WAP) NiePin & Zhou & Zhou Hu

Wireless Access Protocol Wireless Access Protocol (WAP) (WAP) NiePin & Zhou & Zhou Hu Hu NiePin HUT HUT TML Latoratory Latoratory TML T- -110.456 110.456 T Agenda Agenda WAP Introduction WAP Introduction

475 views • 22 slides
Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International

Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International

CSS441 Internet Security Web Security TLS/SSL Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015

832 views • 32 slides

More recommend