Keys to the Cloud: Formal Analysis and Concrete Application-level - - PowerPoint PPT Presentation

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Keys to the Cloud: Formal Analysis and Concrete Attacks on Encrypted Web Storage

• C. Bansal
• K. Bhargavan
• S. Maffeis
• A. Delignat-Lavaud

PROSECCO, INRIA Paris-Rocquencourt

December 7, 2012

1 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Application-level Crypto on the Web

Sensitive data on the Web

◮ Ever more sensitive data online (bank and

health records, private communication...)

◮ Encryption commonly used only over the wire

(TLS)

◮ Web is great for large-scale attacks

servers are the Fort Knox of data server attacks are very bad publicity ... attacking the client directly can be easier more complex service = more attack vectors

Solution

Application-level encryption.

2 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Application-level Crypto on the Web

Sensitive data on the Web

◮ Ever more sensitive data online (bank and

health records, private communication...)

◮ Encryption commonly used only over the wire

(TLS)

◮ Web is great for large-scale attacks

servers are the Fort Knox of data server attacks are very bad publicity ... attacking the client directly can be easier more complex service = more attack vectors

Solution

Application-level encryption.

2 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Application-level Crypto on the Web

Sensitive data on the Web

◮ Ever more sensitive data online (bank and

health records, private communication...)

◮ Encryption commonly used only over the wire

(TLS)

◮ Web is great for large-scale attacks

servers are the Fort Knox of data server attacks are very bad publicity ... attacking the client directly can be easier more complex service = more attack vectors

Solution

Application-level encryption.

2 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Application-level Crypto on the Web

Sensitive data on the Web

◮ Ever more sensitive data online (bank and

health records, private communication...)

◮ Encryption commonly used only over the wire

(TLS)

◮ Web is great for large-scale attacks

servers are the Fort Knox of data server attacks are very bad publicity ... attacking the client directly can be easier more complex service = more attack vectors

Solution

Application-level encryption.

2 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Application-level Crypto on the Web

Sensitive data on the Web

◮ Ever more sensitive data online (bank and

health records, private communication...)

◮ Encryption commonly used only over the wire

(TLS)

◮ Web is great for large-scale attacks

servers are the Fort Knox of data server attacks are very bad publicity ... attacking the client directly can be easier more complex service = more attack vectors

Solution

Application-level encryption.

2 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Application-level Crypto on the Web

Sensitive data on the Web

◮ Ever more sensitive data online (bank and

health records, private communication...)

◮ Encryption commonly used only over the wire

(TLS)

◮ Web is great for large-scale attacks

servers are the Fort Knox of data server attacks are very bad publicity ... attacking the client directly can be easier more complex service = more attack vectors

Solution

Application-level encryption.

2 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Application-level Crypto on the Web

Sensitive data on the Web

◮ Ever more sensitive data online (bank and

health records, private communication...)

◮ Encryption commonly used only over the wire

(TLS)

◮ Web is great for large-scale attacks

servers are the Fort Knox of data server attacks are very bad publicity ... attacking the client directly can be easier more complex service = more attack vectors

Solution

Application-level encryption.

2 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Application-level Crypto on the Web

Sensitive data on the Web

◮ Ever more sensitive data online (bank and

health records, private communication...)

◮ Encryption commonly used only over the wire

(TLS)

◮ Web is great for large-scale attacks

servers are the Fort Knox of data server attacks are very bad publicity ... attacking the client directly can be easier more complex service = more attack vectors

Solution

Application-level encryption.

2 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Application-level encryption

The pros

◮ Data stored encrypted server-side ◮ Decryption and data handling all in the

browser (good publicity)

◮ Server may not know user’s key/password ◮ ... almost no server-side computation

The cons

◮ Web client is even more critical (long term key

storage/caching)

◮ ...but still as easy to attack ◮ Chicken-egg problem of decryption and

application scripts

3 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Application-level encryption

The pros

◮ Data stored encrypted server-side ◮ Decryption and data handling all in the

browser (good publicity)

◮ Server may not know user’s key/password ◮ ... almost no server-side computation

The cons

◮ Web client is even more critical (long term key

storage/caching)

◮ ...but still as easy to attack ◮ Chicken-egg problem of decryption and

application scripts

3 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Application-level encryption

The pros

◮ Data stored encrypted server-side ◮ Decryption and data handling all in the

browser (good publicity)

◮ Server may not know user’s key/password ◮ ... almost no server-side computation

The cons

◮ Web client is even more critical (long term key

storage/caching)

◮ ...but still as easy to attack ◮ Chicken-egg problem of decryption and

application scripts

3 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Application-level encryption

The pros

◮ Data stored encrypted server-side ◮ Decryption and data handling all in the

browser (good publicity)

◮ Server may not know user’s key/password ◮ ... almost no server-side computation

The cons

◮ Web client is even more critical (long term key

storage/caching)

◮ ...but still as easy to attack ◮ Chicken-egg problem of decryption and

application scripts

3 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Application-level encryption

The pros

◮ Data stored encrypted server-side ◮ Decryption and data handling all in the

browser (good publicity)

◮ Server may not know user’s key/password ◮ ... almost no server-side computation

The cons

◮ Web client is even more critical (long term key

storage/caching)

◮ ...but still as easy to attack ◮ Chicken-egg problem of decryption and

application scripts

3 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Application-level encryption

The pros

◮ Data stored encrypted server-side ◮ Decryption and data handling all in the

browser (good publicity)

◮ Server may not know user’s key/password ◮ ... almost no server-side computation

The cons

◮ Web client is even more critical (long term key

storage/caching)

◮ ...but still as easy to attack ◮ Chicken-egg problem of decryption and

application scripts

3 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Application-level encryption

The pros

◮ Data stored encrypted server-side ◮ Decryption and data handling all in the

browser (good publicity)

◮ Server may not know user’s key/password ◮ ... almost no server-side computation

The cons

◮ Web client is even more critical (long term key

storage/caching)

◮ ...but still as easy to attack ◮ Chicken-egg problem of decryption and

application scripts

3 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Application-level encryption

Name Key Derivation Encryption Integrity Metadata Integrity Sharing Wuala PBKDF2 AES, RSA HMAC ✦ ✦(PKI) SpiderOak PBKDF2 AES, RSA HMAC ✦ ✦ BoxCryptor PBKDF2 AES None ★ ★ CloudFogger PBKDF2 AES, RSA None ★ ✦(PKI) 1Password PBKDF2-SHA1 AES None ★ ✦ LastPass PBKDF2-SHA256 AES, RSA None ★ ✦ PassPack SHA256 AES None ✦ ✦ RoboForm PBKDF2 AES, DES None ★ ✦ Clipperz SHA256 AES SHA256 ✦ ★ ConfiChair PBKDF2 RSA, AES SHA1 ✦ ✦(PKI) Helios N/A El Gamal SHA256 Zero-Knowledge Proof N/A

Table : Example encrypted web storage applications

4 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Formal analysis of cryptographic web applications

Research questions

◮ Can a web attack be used to break a

provably secure protocol?

◮ Can cryptography be used to prevent or

mitigate web attacks?

◮ Can we build a formal model that covers

both the cryptographic and web protocols of an application?

5 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Formal analysis of cryptographic web applications

Research questions

◮ Can a web attack be used to break a

provably secure protocol?

◮ Can cryptography be used to prevent or

mitigate web attacks?

◮ Can we build a formal model that covers

both the cryptographic and web protocols of an application?

5 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Formal analysis of cryptographic web applications

Research questions

◮ Can a web attack be used to break a

provably secure protocol?

◮ Can cryptography be used to prevent or

mitigate web attacks?

◮ Can we build a formal model that covers

both the cryptographic and web protocols of an application?

5 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Previous works

Chetan Bansal, Karthikeyan Bhargavan and Sergio Maffeis Discovering Concrete Attacks on Website Authrorization by Formal Analysis CSF 2012 Antoine Delignat-Lavaud and Karthikeyan Bhargavan Web-based attacks on host-proof encrypted storage WOOT, Usenix 2012

6 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

This work

Combine extended website model (WebSpi) with protocol model to find attacks on cryptographic web applications.

7 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Generic encrypted storage protocol

Components

◮ u uses app a synchronized with server b ◮ u has passphrase p, encryption/mac keys K

and K ′ and shared secret su,b derived from p

◮ a uses a set of db = (m, EncK(x), MacK ′(x)) ◮ a and b keep db synchronized with Sync and

Update

8 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Generic encrypted storage protocol

Components

◮ u uses app a synchronized with server b ◮ u has passphrase p, encryption/mac keys K

and K ′ and shared secret su,b derived from p

◮ a uses a set of db = (m, EncK(x), MacK ′(x)) ◮ a and b keep db synchronized with Sync and

Update

8 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Generic encrypted storage protocol

Components

◮ u uses app a synchronized with server b ◮ u has passphrase p, encryption/mac keys K

and K ′ and shared secret su,b derived from p

◮ a uses a set of db = (m, EncK(x), MacK ′(x)) ◮ a and b keep db synchronized with Sync and

Update

8 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Generic encrypted storage protocol

Components

◮ u uses app a synchronized with server b ◮ u has passphrase p, encryption/mac keys K

and K ′ and shared secret su,b derived from p

◮ a uses a set of db = (m, EncK(x), MacK ′(x)) ◮ a and b keep db synchronized with Sync and

Update

8 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Synchronize protocol

User u

Server b Application a

(K, K ′) TLS

Login(u, su,b); Get(m)

store[u] (m, e, h) Data(m, e, h) local db = (m, e, h) MacK ′(m, e) = h

9 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Synchronize protocol

User u

Server b Application a

(K, K ′) TLS

Login(u, su,b); Get(m)

store[u] (m, e, h) Data(m, e, h) local db = (m, e, h) MacK ′(m, e) = h

9 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Synchronize protocol

User u

Server b Application a

(K, K ′) TLS

Login(u, su,b); Get(m)

store[u] (m, e, h) Data(m, e, h) local db = (m, e, h) MacK ′(m, e) = h

9 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Synchronize protocol

User u

Server b Application a

(K, K ′) TLS

Login(u, su,b); Get(m)

store[u] (m, e, h) Data(m, e, h) local db = (m, e, h) MacK ′(m, e) = h

9 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Synchronize protocol

User u

Server b Application a

(K, K ′) TLS

Login(u, su,b); Get(m)

store[u] (m, e, h) Data(m, e, h) local db = (m, e, h) MacK ′(m, e) = h

9 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Synchronize protocol

User u

Server b Application a

(K, K ′) TLS

Login(u, su,b); Get(m)

store[u] (m, e, h) Data(m, e, h) local db = (m, e, h) MacK ′(m, e) = h

9 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Update protocol

User u

Server b Application a

Updated (m, x) (K, K ′) TLS Login(u, su,b);

Up(m, EncK (x), MacK ′(x))

store[u]

10 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Update protocol

User u

Server b Application a

Updated (m, x) (K, K ′) TLS Login(u, su,b);

Up(m, EncK (x), MacK ′(x))

store[u]

10 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Update protocol

User u

Server b Application a

Updated (m, x) (K, K ′) TLS Login(u, su,b);

Up(m, EncK (x), MacK ′(x))

store[u]

10 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Update protocol

User u

Server b Application a

Updated (m, x) (K, K ′) TLS Login(u, su,b);

Up(m, EncK (x), MacK ′(x))

store[u]

10 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Update protocol

User u

Server b Application a

Updated (m, x) (K, K ′) TLS Login(u, su,b);

Up(m, EncK (x), MacK ′(x))

store[u]

10 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Attacker model

Attacker model

◮ comprimised server ◮ network attacker ◮ stolen/hijacked device

11 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Web login protocol

Web Login and Key Derivation: Login(u,p,b)

user on browser a navigates to ❤tt♣s✿✴✴❜✴❧♦❣✐♥ a and b establish TLS connection c: TLS→b

c

(−), TLS←b

c

(−)

• 1. a → b

TLS→b

c

(Request(✴❧♦❣✐♥))

• 2. b → a

TLS←b

c

(Response(LoginForm)) user enters username u and passphrase p a derives and stores K = kdf p Au iter, K ′ = kdf p Bu iter a derives secretu,b = kdf p Cu iter

• 3. a → b

TLS→b

c

(Request(✴❧♦❣✐♥, ✉s❡r = ✉&s❡❝r❡t =secretu,b)) b verifies that s❡❝r❡t = secretu,b b generates a cookie sidu,b b stores (sidu,b, u)

• 4. b → a

TLS←b

c

(Response[sidu,b](LoginSuccess())) a stores (b, sidu,b)

In the browser

◮ Need to store K and K ′ ◮ Cookie-based session [sidu,b]

12 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Cryptography in the browser

Browser crypto and key storage

◮ JS crypto considered harmful ◮ Some services (SpiderOak) just cache the

passphrase on the server

◮ sessionStorage exposes keys to full origin ◮ DJS and WebCryptoAPI can help

13 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Cryptography in the browser

Browser crypto and key storage

◮ JS crypto considered harmful ◮ Some services (SpiderOak) just cache the

passphrase on the server

◮ sessionStorage exposes keys to full origin ◮ DJS and WebCryptoAPI can help

13 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Cryptography in the browser

Browser crypto and key storage

◮ JS crypto considered harmful ◮ Some services (SpiderOak) just cache the

passphrase on the server

◮ sessionStorage exposes keys to full origin ◮ DJS and WebCryptoAPI can help

13 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Cryptography in the browser

Browser crypto and key storage

◮ JS crypto considered harmful ◮ Some services (SpiderOak) just cache the

passphrase on the server

◮ sessionStorage exposes keys to full origin ◮ DJS and WebCryptoAPI can help

13 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Cloud file storage

User

Server App Website

Decrypted Data

authentication encrypted data decryption script 3rd party release

14 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Cloud file storage

User

Server App Website

Decrypted Data

authentication encrypted data decryption script 3rd party release

Hacker

CSRF XSS

14 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Cloud file storage

User

Server App Website

Decrypted Data

authentication encrypted data malicious script 3rd party release

Hacker

14 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Cloud file storage

User

Server App Website

Decrypted Data

authentication encrypted data malicious script 3rd party release

Hacker

key

14 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Cloud file storage

User

Server App Website

Decrypted Data

authentication encrypted data decryption script 3rd party release

Friends?

sharing

14 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Cloud file storage

User

Server App Website

Decrypted Data

authentication encrypted data script 3rd party release

14 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Release of plaintext

Automatic Form Filling for Web Login: Fill(b)

user on browser a navigates to ❤tt♣s✿✴✴❜✴❧♦❣✐♥ a and b establish TLS connection c: TLS→b

c

(−), TLS←b

c

(−)

• 1. a → b

TLS→b

c

(Request(✴❧♦❣✐♥))

• 2. b → a

TLS←b

c

(Response(LoginForm)) a triggers browser extension x with the current page hostname

• 3. a → x

Lookup(b)

x looks up encdb for (b,e,h) x checks that mac K ′ (b, e) = h x computes (u, p) = decrypt K e

• 4. x → a

Result(b, u, p)

a fills LoginForm with (u, p)

15 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Sharing by web link

URL-based File Sharing: Share(u,m)

user u sends to v the link

U=❤tt♣s✿✴✴❜✴❄✉s❡r❂u✫❢✐❧❡❂m✫❦❡②❂K

user v on browser a navigates to U

• 1. a → b

TLS→b

c

(Request[](U)) b retrieves storage[u] = (m, e, h) b decrypts f = decrypt K e

• 2. b → a

TLS←b

c

(Response[](Download(f)))

16 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Browser security model

17 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Browser security model

Same-Origin Policy

Access control all based on same-origin policy (SOP) to isolate frames, cookies, ❧♦❝❛❧❙t♦r❛❣❡... Origin = protocol + domain + port

18 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Web attacker model

◮ Code delivery ◮ XSS: data interpreted as code in JavaScript or

HTML (❡✈❛❧✱ ✐♥♥❡r❍❚▼▲)

◮ Session hijacking ◮ CSRF: URL-triggered action initiated on user’s

behalf by 3rd party website (XO ✐❢r❛♠❡✱ ✐♠❣✱ s❝r✐♣t...)

◮ Open redirectors, phishing, framing and

clickjacking...

19 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Web attacker model

◮ Code delivery ◮ XSS: data interpreted as code in JavaScript or

HTML (❡✈❛❧✱ ✐♥♥❡r❍❚▼▲)

◮ Session hijacking ◮ CSRF: URL-triggered action initiated on user’s

behalf by 3rd party website (XO ✐❢r❛♠❡✱ ✐♠❣✱ s❝r✐♣t...)

◮ Open redirectors, phishing, framing and

clickjacking...

19 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Web attacker model

◮ Code delivery ◮ XSS: data interpreted as code in JavaScript or

HTML (❡✈❛❧✱ ✐♥♥❡r❍❚▼▲)

◮ Session hijacking ◮ CSRF: URL-triggered action initiated on user’s

behalf by 3rd party website (XO ✐❢r❛♠❡✱ ✐♠❣✱ s❝r✐♣t...)

◮ Open redirectors, phishing, framing and

clickjacking...

19 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Web attacker model

◮ Code delivery ◮ XSS: data interpreted as code in JavaScript or

HTML (❡✈❛❧✱ ✐♥♥❡r❍❚▼▲)

◮ Session hijacking ◮ CSRF: URL-triggered action initiated on user’s

behalf by 3rd party website (XO ✐❢r❛♠❡✱ ✐♠❣✱ s❝r✐♣t...)

◮ Open redirectors, phishing, framing and

clickjacking...

19 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Web attacker model

◮ Code delivery ◮ XSS: data interpreted as code in JavaScript or

HTML (❡✈❛❧✱ ✐♥♥❡r❍❚▼▲)

◮ Session hijacking ◮ CSRF: URL-triggered action initiated on user’s

behalf by 3rd party website (XO ✐❢r❛♠❡✱ ✐♠❣✱ s❝r✐♣t...)

◮ Open redirectors, phishing, framing and

clickjacking...

19 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model

ProVerif

◮ Applied pi-calculus ◮ Computations = message-passing processes

communicating over asynchronous named channels

◮ Public channels available to all processes ◮ Private channels only available to processes

that know the name

◮ Processes can store and retrieve messages

from local database

20 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model

ProVerif

◮ Applied pi-calculus ◮ Computations = message-passing processes

communicating over asynchronous named channels

◮ Public channels available to all processes ◮ Private channels only available to processes

that know the name

◮ Processes can store and retrieve messages

from local database

20 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model

ProVerif

◮ Applied pi-calculus ◮ Computations = message-passing processes

communicating over asynchronous named channels

◮ Public channels available to all processes ◮ Private channels only available to processes

that know the name

◮ Processes can store and retrieve messages

from local database

20 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model

ProVerif

◮ Applied pi-calculus ◮ Computations = message-passing processes

communicating over asynchronous named channels

◮ Public channels available to all processes ◮ Private channels only available to processes

that know the name

◮ Processes can store and retrieve messages

from local database

20 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model

ProVerif

◮ Applied pi-calculus ◮ Computations = message-passing processes

communicating over asynchronous named channels

◮ Public channels available to all processes ◮ Private channels only available to processes

that know the name

◮ Processes can store and retrieve messages

from local database

20 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model

P,Q

::= process

• ut(a,M);P

send M on channel a

in(a,X);P

receive message in X

insert(t,M);P

insert M into table t

get(t,X) in P

retrieve table entry in X

new a;P

fresh name with scope P

event e(M1,...,Mn);P

insert event in trace

let X=M in P

pattern matching

if p(M) then P else Q

conditional statement

P|Q

run P and Q in parallel

!P

run unbounded number of copies of P in parallel

21 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model

M,N,X

::= message

a

channel,key,data,...

x

variable

(M,N)

pair

f(M1,...,Mn)

constructor or destructor f applied to M1, ..., Mn

=M

matching operator

22 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model

Symbolic cryptography

Cryptographic algorithms = perfect black-boxes represented by constructors and destructors.

fun aenc(bitstring,symkey): bitstring. reduc forall b:bitstring,k:symkey; adec(aenc(b,k),k) = b. fun hash(bitstring) : bitstring. fun pk(privkey):pubkey. fun sign(bitstring,privkey): bitstring. reduc forall b:bitstring,sk:privkey; verify(sign(b,sk),pk(sk)) = b.

23 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model

HTTP server

◮ implemented by HttpServer process ◮ possess private and public keys for TLS sessions

in serverIdentities

◮ table also has server name flag xdr for XORS

let HttpServer() = !in(net,(b:Browser,o:Origin,m:bitstring)); get serverIdentities(=o,pk_P,sk_P,xdrp) in let (k:symkey,httpReq(u,hs,req)) = reqdec(o,m,sk_P) in if origin(u) = o then let corr = mkCorrelator(k) in

• ut(httpServerRequest,(u,hs,req,corr));

in(httpServerResponse, (=u,resp:HttpResponse,cookieOut:Cookie,=corr));

• ut(net,(o,b,respenc(o,httpResp(resp,cookieOut,xdrp),k))).

24 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model

Browser

◮ implemented by HttpClient process identified

by b and associated with a user

◮ handles user- and page-triggered requests

and responses (including redirections) and their encryption/decryption

◮ browserRequest channel for URL bar, pageClick for

links and included contents, ajaxRequest for AJAX

◮ cookies, local storage maintained in global

table indexed by browser, origin and for cookies, path

25 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model

HttpClient code for sending a request req to URI u

from page p, with referrer ref and AJAX flag aj:

let o = origin(u) in let p = path(u) in get cookies(=b,=o,=slash(),cs) in get cookies(=b,=o,=p,cp) in let header = headers(ref, cookiePair(cs,cp), aj) in get publicKey(=o,pk_host) in let m = httpReq(u,header,req) in let (k:symkey,e:bitstring) = reqenc(o,m,pk_host) in

• ut(net,(b, o, e));

Headers include cookies cs for path “✴" and cp for path p and the AJAX flag aj

26 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model

Cookies

◮ can be accessed from the JS on a page from

the private getCookieStorage and

setCookieStorage channels

◮ can have the secure or HTTP-only flags

JavaScript of page p on browser b wants to set cookies dc and store ns in local storage is:

in (setCookieStorage(b),(p:Page,dc:Cookie,ns:Data)); get pageOrigin(=p,o,h,ref) in get cookies(=b,=o,=h,ck) in insert cookies(b,o,h, updatedomcookie(ck,securejs(dc),insecurejs(dc))); insert storage(b,o,ns) updatedomcookie prevents JavaScript from

updating HTTP-only cookies from ck.

27 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model

Web client model

The client side of a web application is modeled by a process that accesses the browser channels

pageClick, ajaxRequest, getCookieStorage and setCookieStorage

Attacker model

◮ public network channel net enables the

standard Dolev-Yao network attacker

◮ a compromised server has its private key

released

◮ XSS and code injection attacks are modeled

by a process AttackerProxy forwarding messages from a public channel to the (normally secret) browser interface channels

28 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model

Verification

Security goals written as correspondence assertions between user-defined events: ∀M1, ...Mk. e(M1, ...Mk) ⇒ ϕ

Incompleteness

WebSpi not an exhaustive browser model: it can find attacks but not prove that no attack exists!

29 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Analysis of cloud storage services

Real-world applications

◮ ConfiChair: conference management service ◮ SpiderOak: encrypted cloud file storage ◮ 1password: password manager

30 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Analysis of cloud storage services

Real-world applications

◮ ConfiChair: conference management service ◮ SpiderOak: encrypted cloud file storage ◮ 1password: password manager

30 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Analysis of cloud storage services

Real-world applications

◮ ConfiChair: conference management service ◮ SpiderOak: encrypted cloud file storage ◮ 1password: password manager

30 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

ConfiChair

31 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

ConfiChair login page

Login page

◮ LoginApp: server listening for requests on ✴❧♦❣✐♥ ◮ LoginUserAgent: JS and HTML of login page. ◮ waits for user to type username and password ◮ derives credential and sends it with username

to LoginApp over HTTPS

let loginURI = uri(https(), confichair, loginPath(), noParams()) in

• ut(browserRequest(b),(loginURI, httpGet()));

in (newPage(b),(p:Page,=loginURI,d:bitstring)); get userData(=confichair, uid, pwd, paper) in let cred = kdf1(pwd) in in (getCookieStorage(b),(=p,cookiePair(cs,ch),od:Data));

• ut (setCookieStorage(b),(p,ch,storePassword(pwd)));

event LoginInit(confichair, b, uid);

• ut(pageClick(b),(p,loginURI,

httpPost(loginFormReply(uid,cred))))

32 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

ConfiChair conference pages

Conference pages

◮ server-side ConferenceApp and client-side

ConferenceUserAgent processes

◮ ConferencesUserAgent first retrieves user’s

keypurse using AJAX

◮ keypurse decrypted with stored key and

stored in local storage

let keypurseURI = uri(https(), confichair, keyPursePath(), nullParams()) in

• ut (ajaxRequest(b),(p,keypurseURI,httpGet()));

in (ajaxResponse(b),(=p,=keypurseURI,JSON(x))); in (getCookieStorage(b), (=p,cookiePair(cs,ch),storePassword(pwd))); let keypurse(k) = adec(x, kdf2(pwd)) in

• ut (setCookieStorage(b),(p,ch,storeKeypurse(k))))

33 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

ConfiChair conference pages

Conference pages

At any point, user may request a paper to be downloaded and decrypted using key in keypurse

let paperURI = uri(https(), h, paperPath(), nullParams()) in

• ut (ajaxRequest(b),(p,paperURI,httpGet()));

in (ajaxResponse(b),(=p,=paperURI,JSON(y))); in (getCookieStorage(b), (=p,cookiePair(cs,ch),storeKeypurse(k))); let paper = adec(y,k) in event PaperReceived(paper))

34 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

ConfiChair security goals

Security goals

◮ Login authentication:

event(LoginAuthorized(confichair,id,u,c)) = ⇒event(LoginInit(confichair,b,id))

◮ Secrecy of papers:

in(paperChannel, paper:bitstring); get userData(h, uId, k, =paper) in event PaperLeak(uId,paper). query u:Id,p:bitstring; event(PaperLeak(id,p))

35 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

ConfiChair attacker

XSS vulnerability in Role Page

❤tt♣✿✴✴❝♦♥❢✐❝❤❛✐r✳♦r❣✴❄s❡t✲r♦❧❡❂❁s❝r✐♣t❃❙❁✴s❝r✐♣t❃

If requested role is invalid, returned error page contains the unsanitized requested role name. In RoleUserAgent, the page identifier is released

let roleURI = uri(https(), h, changeRolePath(), roleParams(x)) in

• ut(browserRequest(b),(roleURI, httpGet()));

in (newPage(b),(p:Page,=roleURI,y:bitstring));

• ut(pub, p)

36 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Result of verification

Authentication goal is broken

Attacker can read the user’s password from local storage and leak it to a malicious website

Paper privacy is broken

Attacker can read the paper decryption key from local storage and leak it to a malicious website ... in previous ProVerif analysis, same goals were valid against cloud attacker model.

37 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Fixing ConfiChair

Attack mitigation

◮ Can fix XSS, but there could be others ◮ Stored derived key rather than password ◮ Re-encrypt keypurse in local storage using

fresh key set by server in secure cookie only

• n paths that require the keypurse

◮ Solution requires tricks not covered by WebSpi

to actually work (block same-origin framing and AJAX).

◮ Proper solution is to use DJS

38 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Fixing ConfiChair

Attack mitigation

◮ Can fix XSS, but there could be others ◮ Stored derived key rather than password ◮ Re-encrypt keypurse in local storage using

fresh key set by server in secure cookie only

• n paths that require the keypurse

◮ Solution requires tricks not covered by WebSpi

to actually work (block same-origin framing and AJAX).

◮ Proper solution is to use DJS

38 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Fixing ConfiChair

Attack mitigation

◮ Can fix XSS, but there could be others ◮ Stored derived key rather than password ◮ Re-encrypt keypurse in local storage using

fresh key set by server in secure cookie only

• n paths that require the keypurse

◮ Solution requires tricks not covered by WebSpi

to actually work (block same-origin framing and AJAX).

◮ Proper solution is to use DJS

38 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Fixing ConfiChair

Attack mitigation

◮ Can fix XSS, but there could be others ◮ Stored derived key rather than password ◮ Re-encrypt keypurse in local storage using

fresh key set by server in secure cookie only

• n paths that require the keypurse

◮ Solution requires tricks not covered by WebSpi

to actually work (block same-origin framing and AJAX).

◮ Proper solution is to use DJS

38 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Fixing ConfiChair

Attack mitigation

◮ Can fix XSS, but there could be others ◮ Stored derived key rather than password ◮ Re-encrypt keypurse in local storage using

fresh key set by server in secure cookie only

• n paths that require the keypurse

◮ Solution requires tricks not covered by WebSpi

to actually work (block same-origin framing and AJAX).

◮ Proper solution is to use DJS

38 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

SpiderOak

User

Server SpiderOak

session JSON listing

Attacker

JSONP query JSON listing

39 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

SpiderOak

User

Server SpiderOak

session JSON listing

Attacker

JSONP query JSON listing

39 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

SpiderOak

User

Server SpiderOak

session JSON listing

Attacker

JSONP query JSON listing

39 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

SpiderOak

Query

❤tt♣s✿✴✴s♣✐❞❡r♦❛❦✳❝♦♠✴st♦r❛❣❡✴❁✉✸✷❃✴❄❝❛❧❧❜❛❝❦❂❢

Result

❢✭④ ✧st❛ts✧✿ ④ ✧❢✐rst♥❛♠❡✧✿ ✧✳✳✳✧✱ ✧❧❛st♥❛♠❡✧✿ ✧✳✳✳✧✱ ✧❞❡✈✐❝❡s✧✿ ✳✳✳✱ ⑥✱ ✧❞❡✈✐❝❡s✧✿ ❬ ❬✧♣❝✶✧✱ ✧♣❝✶✴✧❪✱❬✧❧❛♣t♦♣✧✱ ✧❧❛♣t♦♣✴✧❪✱✳✳✳ ❪ ⑥✮

40 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

SpiderOak

Query

❤tt♣s✿✴✴s♣✐❞❡r♦❛❦✳❝♦♠✴st♦r❛❣❡✴❁✉✸✷❃✴s❤❛r❡s

Result

④ ✧s❤❛r❡❴r♦♦♠s✧ ✿ ❬ ✧✉r❧✧ ✿ ✧✴❜r♦✇s❡✴s❤❛r❡✴❁✐❞❃✴❁❦❡②❃✧✱ ✧r♦♦♠❴❦❡②✧ ✿ ✧❁❦❡②❃✧✱ ✧r♦♦♠❴❞❡s❝r✐♣t✐♦♥✧ ✿ ✧✧ ✱ ✧r♦♦♠❴♥❛♠❡✧✿ ✧❁r♦♦♠❃✧ ❪✱ ✧s❤❛r❡❴✐❞✧ ✿ ✧❁✐❞❃✧✱ ✧s❤❛r❡❴✐❞❴❜✸✷✧ ✿ ✧❁✉✸✷❃✧ ⑥

41 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model: SpiderOak

SpiderOak model

◮ Share rooms (implementing the link sharing

protocol) use AJAX to retrieve share keys stored on server

◮ ❙❤❛r❡❞❘♦♦♠❆♣♣ process models JSONP by

leaking its own content

◮ CSRF is modeled by the application and

login/session design

◮ File secrecy fails due to decryption keys of

shared files being leaked

Mitigation

Besides the CSRF/JSONP problem, the attack is made possible by bad management of the sharing keys.

42 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model: SpiderOak

SpiderOak model

◮ Share rooms (implementing the link sharing

protocol) use AJAX to retrieve share keys stored on server

◮ ❙❤❛r❡❞❘♦♦♠❆♣♣ process models JSONP by

leaking its own content

◮ CSRF is modeled by the application and

login/session design

◮ File secrecy fails due to decryption keys of

shared files being leaked

Mitigation

Besides the CSRF/JSONP problem, the attack is made possible by bad management of the sharing keys.

42 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model: SpiderOak

SpiderOak model

◮ Share rooms (implementing the link sharing

protocol) use AJAX to retrieve share keys stored on server

◮ ❙❤❛r❡❞❘♦♦♠❆♣♣ process models JSONP by

leaking its own content

◮ CSRF is modeled by the application and

login/session design

◮ File secrecy fails due to decryption keys of

shared files being leaked

Mitigation

Besides the CSRF/JSONP problem, the attack is made possible by bad management of the sharing keys.

42 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model: SpiderOak

SpiderOak model

◮ Share rooms (implementing the link sharing

protocol) use AJAX to retrieve share keys stored on server

◮ ❙❤❛r❡❞❘♦♦♠❆♣♣ process models JSONP by

leaking its own content

◮ CSRF is modeled by the application and

login/session design

◮ File secrecy fails due to decryption keys of

shared files being leaked

Mitigation

Besides the CSRF/JSONP problem, the attack is made possible by bad management of the sharing keys.

42 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model: SpiderOak

SpiderOak model

◮ Share rooms (implementing the link sharing

protocol) use AJAX to retrieve share keys stored on server

◮ ❙❤❛r❡❞❘♦♦♠❆♣♣ process models JSONP by

leaking its own content

◮ CSRF is modeled by the application and

login/session design

◮ File secrecy fails due to decryption keys of

shared files being leaked

Mitigation

Besides the CSRF/JSONP problem, the attack is made possible by bad management of the sharing keys.

42 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

1Password

User

Content Server ❣♦♦❣❧❡✳❝♦♠ ❊◆❈✭✉✱ ♣✮ 1Password

google.com p Hacker p

Friend ❣♦♦❣❧❡✳❝♦♠ ❊◆❈✭✉✱ ♣✮

google → bad

43 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

1Password

User

Content Server ❜❛❞✳❝♦♠ ❊◆❈✭✉✱ ♣✮ 1Password

google.com p Hacker p

Friend ❣♦♦❣❧❡✳❝♦♠ ❊◆❈✭✉✱ ♣✮

google → bad

43 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

1Password

User

Content Server ❜❛❞✳❝♦♠ ❊◆❈✭✉✱ ♣✮ 1Password

bad.com p Hacker p

Friend ❣♦♦❣❧❡✳❝♦♠ ❊◆❈✭✉✱ ♣✮

google → bad

43 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

1Password

User

Content Server ❣♦♦❣❧❡✳❝♦♠ ❊◆❈✭✉✱ ♣✮ 1Password

google.com p Hacker p

Friend ❣♦♦❣❧❡✳❝♦♠ ❊◆❈✭✉✱ ♣✮

google → bad

43 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

WebSpi model: 1Password

1Password model

"Plaintext release" protocol without metadata

• integrity. Even in the cloud attacker model,

authentication fails.

in (extensionChannel(b),pg:Page); get pageOrigin(=pg,o,h,u) in get keychainStore(=pr,uuid,location,=o,cipher) in get userInteraction(=pr,mp) in let k = pbkdf2(mp,uuid) in let (id:Id,pass:Secret) = adec(cipher,k) in

• ut (extensionChannel(b), (pg,id,pass))

44 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

1Password phishing attack

Server Attacker 1Password

User

session Phishing URL Google password

45 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

1Password phishing attack

Server Attacker 1Password

User

session Phishing URL Google password

45 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

1Password phishing attack

❤tt♣✿✴✴❣♦♦❣❧❡✳❝♦♠✿①①①❅❜❛❞✳❝♦♠

Server Attacker 1Password

User

session Phishing URL Google password

45 / 46 ∨

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web

Motivations Formal analysis of cryptographic web applications

Protocols of cryptographic web applications

Generic encrypted storage protocol Web encrypted cloud storage Web attacker model

Formal verification

WebSpi model ConfiChair SpiderOak 1Password

Web attacks on encrypted cloud storage

Web attacks on encrypted cloud storage

Name Alternate Login IC1 XSS CSRF Red.2 Frm.3 Dropbox OAuth ★ ✦ ✦ ★ ★ SpiderOak HTTP Auth ★ ★ ✦ ★ ★ LastPass YubiKey ★ ✦ ✦ ★ ★ PassPack YubiKey ★ ★ ✦ ★ ✦ ConfiChair None ✦ ✦ ✦ ✦ ✦ Helios OAuth, OpenID ✦ ✦ ✦ ✦ ✦

1Insecure Cookie 2Open redirector 3Can be framed 46 / 46 ∨