from crypto to code
play

From Crypto to Code Greg Morrisett Languages over a career - PowerPoint PPT Presentation

Dec 19, 2023 •659 likes •1.04k views

From Crypto to Code Greg Morrisett Languages over a career Pascal/Ada/C/SML/Ocaml/Haskell ACL2/Coq/Agda Latex Powerpoint Someone elses Powerpoint 2 Cryptographic techniques Already ubiquitous: e.g., SSL/TLS

  1. From Crypto to Code Greg Morrisett

  2. Languages over a career • Pascal/Ada/C/SML/Ocaml/Haskell • ACL2/Coq/Agda • Latex • Powerpoint • Someone else’s Powerpoint 2

  3. Cryptographic techniques • Already ubiquitous: e.g., SSL/TLS • Offer great hope: e.g., homomorphic encryption • Perhaps most importantly: • Offer a rigorous way to think about, model, and verify protocols for important security properties. • A true “science” basis for security? 3

  4. Yet … “In theory there is no difference between theory and practice; in practice there is.” - Jan L.A. van de Snepscheut 4

  5. For instance The Heartbleed Bug The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. "Catastrophic" is the right word. On the scale of 1 to 10, this is an 11. - Bruce Schneier 5

  6. Auditing Open source libraries, such as OpenSSL, power the internet. But frankly, we cannot rely upon the open source community to do an adequate job of auditing security-critical code. 6

  7. In addition to coding errors: • Flawed schemes • Needham-Schroeder-(Lowe) • Assumed secure for 17 years before broken. • Dual-EC-DRBG • Flaw suspected for 6 years, ignored due to culture of trust. • Advanced Privacy Protection (APP) scheme • Proved secure, proof independently verified, still flawed. • The situation is getting worse • Bellare & Rogaway (2006): “Our field may be approaching a crisis of rigor.” • Halevi (2005): “…we generate more proofs than we carefully verify.” 7

  8. One Way Forward • Mechanized proofs of security for cryptographic schemes. • Instead of humans, a machine takes care of auditing proofs. • Forces community to standardize definitions. • Coupled with formal verification of code. • Connect the actual (source) code to the cryptographic algorithms. • And fully abstract, verified compilers. • Verified compilation ensures machine code preserves behaviors. • Full abstraction ensures possible attacks at the target level are reflected in the source. 8

  9. Mechanizing Cryptography • Goal: no need to trust the proof of security • Still need to inspect definitions and assumptions. • (Even this is fraught with peril.) • Two basic models: • Symbolic: functions/values are opaque, adversary capability is algebraic, proof by underlying logic. • Computational: considers probabilities, adversary is computationally bounded, proof by reduction. 9

  10. Some very influential computational work: • 2008: CertiCrypt (Barthe et al.) • First fully-general proof framework for crypto • Library in Coq; deep embedding • 2011: EasyCrypt (Barthe et al.) • As expressive as CertiCrypt, but much easier to use • Standalone system using Why3 as backend 10

  11. EasyCrypt case study (circa 2012) • External team attempted to use EasyCrypt • MIT Lincoln Lab, US Naval R. Lab, U. of Maryland • Mix of PL and crypto experts • Goal: security of a private information retrieval protocol • Outcome: partial success • Most lemmas could be proved. • Found minor flaws in scheme. • But unable to prove certain results. 11

  12. The Foundational Cryptography Framework 1. A formal language, embedded in Coq, for specifying cryptographic protocols, games, and other specifications. 2. The language comes equipped with both a simple operational model, as well as a denotational one. Adam Petcher ( POST 2015) 3. From the model, we derive a program logic that allows one to formally prove (probabilistic) correctness and security. 4. Set of libraries for common cryptographic constructions and a set of tactics that help automate some of the proofs. 12

  13. Probabilistic Programs We re-use Coq’s functional language, Gallina and add a (discrete) probability monad: 13

  14. So for example: A one-time-pad encryption for a message of n bits. Definition OTP(n:nat)(msg:Bvector n) := p <-$ {0, 1} ˆ n ; ret (p xor msg). 14

  15. More Generally • Security definitions given as “games” • Adversary should not “win” the game • Alternatively: two games that adversary cannot distinguish • Advantage: the probability that the adversary wins the game • Also used to describe (assumed) hard problems 15

  16. Example: Encryption (IND-CPA) Adversary Game Generate random encryption key Adversary wins i f b=b’ Not shown: adversary can request ciphertext for any plaintext 16

  17. Reasoning via Game Hopping We often need to show that a given program has the same distribution as another program. Or more generally, that the probability of some certain bad events is bounded when moving from one program to another. 17

  18. Denotational Semantics: Probability Mass Fn. 18

  19. Lots of equational properties 19

  20. Program Logic Probabilistic relational post-condition logic (PRPL): 20

  21. Some Properties of the Logic 21

  22. What’s It Like to Use the Logic? • Lots of standard constructions for encryption, authentication, etc. • See Petcher’s 2015 Harvard PhD thesis • Case Study: Searchable Symmetric Encryption • Based on work of Cash et al. (2013) • Petcher & Morrisett, Computer Security Foundations 2015 • Case Study: Security of OpenSSL HMAC code • Beringer et al., USENIX Security 2015 22

  23. Searchable Symmetric Encryption Two parties: client and server Database: list of keyword, value pairs Client • Knows database and list of queries • Creates encrypted database and queries to give to server Server • Executes queries and gives encrypted results to client • Learns very little about database and queries 23

  24. Key Component: Tuple Sets Three procedures • TSetSetup : Database -> (TSet * SecretKey) • TSetGetTag : SecretKey -> Keyword -> Tag • TSetRetrieve: TSet -> Tag -> list Value Security: Adversary cannot distinguish T-Set and tags from those produced by simulator Correctness: Adversary cannot cause incorrect answers 24

  25. SSE from Tuple Sets T-Set is almost an SSE Scheme for single-keyword search • Reveals results of query Solution: Store ciphertexts in T-Set • Encryption key is derived from keyword via PRF • Proof requires secure and correct T-Set Relatively simple proof • ~ 1100 lines of Coq code • 8 intermediate games 25

  26. The Hard Part: Tuple-Sets Cash et al. provide a T-Set scheme Based on a fixed-size 2D table • Row is determined by hash • Location in row chosen at random Complications • A row can become full (setup restarts) • Sampling without replacement • Nested loops, loop manipulations 26

  27. Hybrid Arguments Security/correctness given one implies security/correctness given many Encryption/PRF with many keys/oracles Simplify T-Set proofs • Consider simplified “single - trial” T -Set scheme • Conclude facts about full T-Set scheme 27

  28. Single-Trial T-Set Security Proof 28

  29. Single-Trial T-Set Correctness Proof 29

  30. SSE Proof Size Among largest mechanized crypto proofs to date • 58 intermediate games in 9 reductions • Over 14,000 lines of Coq code • 1,300 lines of definition and intermediate games • Unlike in traditional crypto, these intermediate games (S1-S18, C1-C19) do not have to be inspected. 30

  31. Compilation • It’s possible to automatically extract an OCaml implementation from the Coq definitions. • But we have to trust extraction & OCaml compiler • CertiCoq: a verified compiler for Coq • Joint project between Princeton, Cornell, Inria • Very much a work in progress 31

  32. Reasoning about existing code FCF can be combined with other Coq libraries. Verified Software Toolchain (VST) by Appel: • Allows to prove correctness of C code. • Leroy’s CompCert compiler produces assembly- level refinement. 32

  33. Secure HMAC Code Correct implementation of HMAC in C • Developed by Appel and Beringer • Equivalent to functional specification HMAC is a PRF • Developed by Petcher • Assuming hash function has certain properties Functional spec equivalent to crypto model • Developed by Ye 33

  34. What next? • For FCF, complexity arguments are done by hand. • Need much more proof automation. • The work on HMAC did not consider side channels. • But see recent F* work out of INRIA on ECs. • There’s a serious issue around getting cryptographers to read and understand the definitions to show we are proving the right things. 34 • Freedom to explore!

  35. Much Related Work • CertiCrypt, EasyCrypt (Barthe et al.) • CryptoVerif (Blanchet) • F* (Fournet et al.) • Nowak • Verypto (Berg) • Crypto-agda • Probabilistic Protocol Composition Logic (Datta et al.) • Backes • … 35

  36. To Summarize Mechanizing crypto proofs is a way to support open source development without needing the same (misplaced) trust that we have today. The tools are rapidly coming together to reason about computational security of real code executing on real systems. 36

  37. Thanks! 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE WILLIAMSBURG, VA THURSDAY, OCTOBER 17 TH , 2019 JOHN KELLY, PE IOWA DEPARTMENT OF PUBLIC HEALTH DISCLAIMER THIS PRESENTATION: IS INTENDED FOR

843 views • 40 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example

269 views • 7 slides
- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops Did you know? Our payment system has ZERO FEES for processing payments How it works? It takes only a few minutes to complete Merchant Initiate

269 views • 11 slides
Javascript Crypto &amp; The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto &amp; The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto &amp; The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on Real-World Crypto January 2013 promote openness, innovation &amp; opportunity on the Web. previously easy to deploy easy to use privacy

610 views • 22 slides
to securely compute f ? Mike Rosulek | | CRYPTO 2012 . B : B X is an algorithm for Y Black-box:

to securely compute f ? Mike Rosulek | | CRYPTO 2012 . B : B X is an algorithm for Y Black-box:

Q: Must you know the code of f to securely compute f ? Mike Rosulek | | CRYPTO 2012 . B : B X is an algorithm for Y Black-box: Non-black-box: Algorithm for Y depends on code of algorithm for X . Pervasive question since [ImpagliazzoRudich89] : .

742 views • 63 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Radboud University Nijmegen e-Passport example

1.11k views • 12 slides
Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Crypto intro Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example Encryption: modes of operation Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information

856 views • 73 slides
Outline Public key crypto RSA Essentials Computer Security: Public Key Crypto Public Key Crypto

Outline Public key crypto RSA Essentials Computer Security: Public Key Crypto Public Key Crypto

Public key crypto Public key crypto RSA Essentials RSA Essentials Public Key Crypto in Java Public Key Crypto in Java Radboud University Nijmegen Radboud University Nijmegen Public key protocols Public key protocols Diffie-Hellman and El

448 views • 16 slides
w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals

w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals

Aditus Luxury Access Platform for Crypto A ffl uents Presentation 21 Nov 2017 w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals Crypto-currency values have been the best performing asset class

206 views • 19 slides
Algorithms, cryptography and protocols DONT EVER ROLL YOUR OWN PROTOCOL, CRYPTO ALGO, CRYPTO

Algorithms, cryptography and protocols DONT EVER ROLL YOUR OWN PROTOCOL, CRYPTO ALGO, CRYPTO

Algorithms, cryptography and protocols DONT EVER ROLL YOUR OWN PROTOCOL, CRYPTO ALGO, CRYPTO Use this space to add an image. IMPLEMENTATION, OR CRYPTO RNG Insert an image and change the scale to cover this box. ALSO, KEY MANAGEMENT IS

1.01k views • 81 slides
19 big enough? What marketing says Generate public keys 56-bit crypto: Broken. on a

19 big enough? What marketing says Generate public keys 56-bit crypto: Broken. on a

Is 2 255 19 big enough? What marketing says Generate public keys 56-bit crypto: Broken. on a strong elliptic curve 128-bit crypto: Okay. over the field Z (2 255 19). 256-bit crypto: High security! Is that safe? 512-bit

121 views • 11 slides
80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

Slammer s Bandwidth-Limited Growth 80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up due to released Jan 2004 Nimda endemic dies off released with Oct. onset of Blaster (and 2005; not since

450 views • 34 slides
Ethereum and the crypto landscape Different Crypto Value Propositions Name Payment Platform

Ethereum and the crypto landscape Different Crypto Value Propositions Name Payment Platform

Ethereum and the crypto landscape Different Crypto Value Propositions Name Payment Platform Stable Coin Dapps Sum $ Bitcoin 154.00 $ Ethereum 29.00 $ XRP 18.70 $ BCH 7.70 $ EOS 7.20 $ LiteCoin 7.00 $ BNB 4.70 $ Tether

160 views • 12 slides
Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for 2020 Tim Gneysu Hardware Security Group Horst Grtz Institute for IT-Security, Bochum 1/24/2013 Outline Introduction Alternative Public-Key

735 views • 55 slides
Decoding challenge Assessing the practical hardness of syndrome decoding for code-based

Decoding challenge Assessing the practical hardness of syndrome decoding for code-based

Decoding challenge Assessing the practical hardness of syndrome decoding for code-based cryptography Matthieu Lequesne Sorbonne Universit Inria Paris, team Cosmiq February 27, 2020 All you ever wanted to know about code-based crypto

1.53k views • 132 slides
Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020,

Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020,

Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020, Tenerife, January 2013 Outline 1 1. Past results 2. Future challenges 1. Block ciphers 2 TEA, NOEKEON, AES, SERPENT, ICEBERG, HIGHT,

844 views • 68 slides
Enabling the Aviation CO 2 Allowance Trading Through Secure Market Mechanisms Massimiliano Zanin

Enabling the Aviation CO 2 Allowance Trading Through Secure Market Mechanisms Massimiliano Zanin

Enabling the Aviation CO 2 Allowance Trading Through Secure Market Mechanisms Massimiliano Zanin mz@innaxis.org Secure CO 2 allowance trading :: Introduction Secure CO 2 allowance trading :: Introduction Problem: Computing without trust

598 views • 25 slides
Reusable Non-Interactive Secure Computation Melissa Chase (MSR Redmond) Yevgeniy Dodis (NYU)

Reusable Non-Interactive Secure Computation Melissa Chase (MSR Redmond) Yevgeniy Dodis (NYU)

Reusable Non-Interactive Secure Computation Melissa Chase (MSR Redmond) Yevgeniy Dodis (NYU) Yuval Ishai (Technion) Daniel Kraschewski (TNG Technology Consulting) Tianren Liu (MIT UW) Rafail Ostrovsky (UCLA) Vinod Vaikuntanathan

1.31k views • 109 slides
Course Information CS 838 Applied Cryptography Instructor: Thomas Ristenpart Website:

Course Information CS 838 Applied Cryptography Instructor: Thomas Ristenpart Website:

Course Information CS 838 Applied Cryptography Instructor: Thomas Ristenpart Website: http://pages.cs.wisc.edu/ rist/cs838/ 1 / 55 Cryptography usage Did you use any cryptography today? 2 / 55 Cryptography usage Did you use any

851 views • 83 slides
from Biometrics Benjamin Fuller, Boston University/MIT Lincoln Laboratory Privacy Enhancing

from Biometrics Benjamin Fuller, Boston University/MIT Lincoln Laboratory Privacy Enhancing

Strong Key Derivation from Biometrics Benjamin Fuller, Boston University/MIT Lincoln Laboratory Privacy Enhancing Technologies for Biometrics, Haifa January 15, 2015 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13]

1.44k views • 55 slides
Secure Multi-Party Computation Gunnar Kreitz KTH Royal Institute of Technology

Secure Multi-Party Computation Gunnar Kreitz KTH Royal Institute of Technology

Background Secure Computation Security Model Generic Protocol Applications Secure Multi-Party Computation Gunnar Kreitz KTH Royal Institute of Technology gkreitz@kth.se October 4 2012 Gunnar Kreitz Secure Multi-Party Computation

1.28k views • 59 slides
Secure, Archival Storage With POTSHARDS Mark W. Storer Kevin M. Greenan Ethan L. Miller

Secure, Archival Storage With POTSHARDS Mark W. Storer Kevin M. Greenan Ethan L. Miller

Secure, Archival Storage With POTSHARDS Mark W. Storer Kevin M. Greenan Ethan L. Miller Kaladhar Voruganti FAST WIP Session February 14, 2007 Problem: Long-Term Encryption Keys may be lost Effectively short-term data deletion

311 views • 6 slides
Performance of Secure Multiparty Computation Ludwig Dickmanns Thursday 11 th October, 2018 Chair

Performance of Secure Multiparty Computation Ludwig Dickmanns Thursday 11 th October, 2018 Chair

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Performance of Secure Multiparty Computation Ludwig Dickmanns Thursday 11 th October, 2018 Chair of Network Architectures and Services

676 views • 20 slides
Security Notions 1

Security Notions 1

Security Notions 1 Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically breakable given the time are theoretically breakable given

1.1k views • 37 slides

More recommend