keys to the cloud formal analysis and concrete
play

Keys to the Cloud: Formal Analysis and Concrete Application-level - PowerPoint PPT Presentation

Nov 18, 2023 •115 likes •1.19k views

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Keys to the Cloud: Formal Analysis and Concrete Application-level Attacks on Encrypted Web Storage Crypto on the Web Motivations Formal analysis of cryptographic web

  1. Keys to the Cloud Application-level encryption Bansal, Bhargavan, Delignat-Lavaud, Maffeis The pros ◮ Data stored encrypted server-side ◮ Decryption and data handling all in the Application-level browser (good publicity) Crypto on the Web Motivations ◮ Server may not know user’s key/password Formal analysis of cryptographic web applications ◮ ... almost no server-side computation Protocols of cryptographic web applications Generic encrypted storage The cons protocol Web encrypted cloud storage Web attacker model ◮ Web client is even more critical (long term key Formal verification storage/caching) WebSpi model ConfiChair ◮ ...but still as easy to attack SpiderOak 1Password ◮ Chicken-egg problem of decryption and Web attacks on encrypted cloud application scripts storage ∨ 3 / 46

  2. Keys to the Cloud Application-level encryption Bansal, Bhargavan, Delignat-Lavaud, Maffeis The pros ◮ Data stored encrypted server-side ◮ Decryption and data handling all in the Application-level browser (good publicity) Crypto on the Web Motivations ◮ Server may not know user’s key/password Formal analysis of cryptographic web applications ◮ ... almost no server-side computation Protocols of cryptographic web applications Generic encrypted storage The cons protocol Web encrypted cloud storage Web attacker model ◮ Web client is even more critical (long term key Formal verification storage/caching) WebSpi model ConfiChair ◮ ...but still as easy to attack SpiderOak 1Password ◮ Chicken-egg problem of decryption and Web attacks on encrypted cloud application scripts storage ∨ 3 / 46

  3. Keys to the Cloud Application-level encryption Bansal, Bhargavan, Delignat-Lavaud, Maffeis The pros ◮ Data stored encrypted server-side ◮ Decryption and data handling all in the Application-level browser (good publicity) Crypto on the Web Motivations ◮ Server may not know user’s key/password Formal analysis of cryptographic web applications ◮ ... almost no server-side computation Protocols of cryptographic web applications Generic encrypted storage The cons protocol Web encrypted cloud storage Web attacker model ◮ Web client is even more critical (long term key Formal verification storage/caching) WebSpi model ConfiChair ◮ ...but still as easy to attack SpiderOak 1Password ◮ Chicken-egg problem of decryption and Web attacks on encrypted cloud application scripts storage ∨ 3 / 46

  4. Keys to the Cloud Application-level encryption Bansal, Bhargavan, Delignat-Lavaud, Maffeis The pros ◮ Data stored encrypted server-side ◮ Decryption and data handling all in the Application-level browser (good publicity) Crypto on the Web Motivations ◮ Server may not know user’s key/password Formal analysis of cryptographic web applications ◮ ... almost no server-side computation Protocols of cryptographic web applications Generic encrypted storage The cons protocol Web encrypted cloud storage Web attacker model ◮ Web client is even more critical (long term key Formal verification storage/caching) WebSpi model ConfiChair ◮ ...but still as easy to attack SpiderOak 1Password ◮ Chicken-egg problem of decryption and Web attacks on encrypted cloud application scripts storage ∨ 3 / 46

  5. Keys to the Cloud Application-level encryption Bansal, Bhargavan, Delignat-Lavaud, Maffeis The pros ◮ Data stored encrypted server-side ◮ Decryption and data handling all in the Application-level browser (good publicity) Crypto on the Web Motivations ◮ Server may not know user’s key/password Formal analysis of cryptographic web applications ◮ ... almost no server-side computation Protocols of cryptographic web applications Generic encrypted storage The cons protocol Web encrypted cloud storage Web attacker model ◮ Web client is even more critical (long term key Formal verification storage/caching) WebSpi model ConfiChair ◮ ...but still as easy to attack SpiderOak 1Password ◮ Chicken-egg problem of decryption and Web attacks on encrypted cloud application scripts storage ∨ 3 / 46

  6. Keys to the Cloud Application-level encryption Bansal, Bhargavan, Delignat-Lavaud, Maffeis Name Key Derivation Encryption Integrity Metadata Integrity Sharing ✦ ✦ (PKI) Application-level Wuala PBKDF2 AES, RSA HMAC Crypto on the Web ✦ ✦ SpiderOak PBKDF2 AES, RSA HMAC ★ ★ Motivations BoxCryptor PBKDF2 AES None Formal analysis of cryptographic ★ ✦ (PKI) CloudFogger PBKDF2 AES, RSA None web applications ★ ✦ 1Password PBKDF2-SHA1 AES None Protocols of ★ ✦ LastPass PBKDF2-SHA256 AES, RSA None cryptographic web ✦ ✦ PassPack SHA256 AES None applications ★ ✦ RoboForm PBKDF2 AES, DES None ✦ ★ Generic encrypted storage Clipperz SHA256 AES SHA256 protocol ✦ ✦ (PKI) ConfiChair PBKDF2 RSA, AES SHA1 Web encrypted cloud storage Helios N/A El Gamal SHA256 Zero-Knowledge Proof N/A Web attacker model Formal verification Table : Example encrypted web storage applications WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 4 / 46

  7. Formal analysis of cryptographic web Keys to the Cloud Bansal, Bhargavan, applications Delignat-Lavaud, Maffeis Research questions Application-level Crypto on the Web ◮ Can a web attack be used to break a Motivations Formal analysis of cryptographic web applications provably secure protocol? Protocols of cryptographic web ◮ Can cryptography be used to prevent or applications mitigate web attacks? Generic encrypted storage protocol Web encrypted cloud storage ◮ Can we build a formal model that covers Web attacker model Formal verification both the cryptographic and web protocols of WebSpi model an application? ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 5 / 46

  8. Formal analysis of cryptographic web Keys to the Cloud Bansal, Bhargavan, applications Delignat-Lavaud, Maffeis Research questions Application-level Crypto on the Web ◮ Can a web attack be used to break a Motivations Formal analysis of cryptographic web applications provably secure protocol? Protocols of cryptographic web ◮ Can cryptography be used to prevent or applications mitigate web attacks? Generic encrypted storage protocol Web encrypted cloud storage ◮ Can we build a formal model that covers Web attacker model Formal verification both the cryptographic and web protocols of WebSpi model an application? ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 5 / 46

  9. Formal analysis of cryptographic web Keys to the Cloud Bansal, Bhargavan, applications Delignat-Lavaud, Maffeis Research questions Application-level Crypto on the Web ◮ Can a web attack be used to break a Motivations Formal analysis of cryptographic web applications provably secure protocol? Protocols of cryptographic web ◮ Can cryptography be used to prevent or applications mitigate web attacks? Generic encrypted storage protocol Web encrypted cloud storage ◮ Can we build a formal model that covers Web attacker model Formal verification both the cryptographic and web protocols of WebSpi model an application? ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 5 / 46

  10. Keys to the Cloud Previous works Bansal, Bhargavan, Delignat-Lavaud, Maffeis Chetan Bansal, Karthikeyan Bhargavan and Sergio Maffeis Application-level Crypto on the Web Discovering Concrete Attacks on Website Motivations Formal analysis of cryptographic Authrorization by Formal Analysis web applications CSF 2012 Protocols of cryptographic web applications Antoine Delignat-Lavaud and Karthikeyan Generic encrypted storage protocol Bhargavan Web encrypted cloud storage Web attacker model Web-based attacks on host-proof encrypted Formal verification storage WebSpi model ConfiChair WOOT, Usenix 2012 SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 6 / 46

  11. Keys to the Cloud This work Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web Motivations Combine extended website model (WebSpi) with Formal analysis of cryptographic web applications protocol model to find attacks on cryptographic Protocols of cryptographic web web applications. applications Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 7 / 46

  12. Keys to the Cloud Generic encrypted storage protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis Components Application-level Crypto on the Web ◮ u uses app a synchronized with server b Motivations Formal analysis of cryptographic ◮ u has passphrase p , encryption/mac keys K web applications and K ′ and shared secret s u , b derived from p Protocols of cryptographic web applications ◮ a uses a set of db = ( m , Enc K ( x ) , Mac K ′ ( x )) Generic encrypted storage protocol ◮ a and b keep db synchronized with Sync and Web encrypted cloud storage Web attacker model Update Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 8 / 46

  13. Keys to the Cloud Generic encrypted storage protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis Components Application-level Crypto on the Web ◮ u uses app a synchronized with server b Motivations Formal analysis of cryptographic ◮ u has passphrase p , encryption/mac keys K web applications and K ′ and shared secret s u , b derived from p Protocols of cryptographic web applications ◮ a uses a set of db = ( m , Enc K ( x ) , Mac K ′ ( x )) Generic encrypted storage protocol ◮ a and b keep db synchronized with Sync and Web encrypted cloud storage Web attacker model Update Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 8 / 46

  14. Keys to the Cloud Generic encrypted storage protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis Components Application-level Crypto on the Web ◮ u uses app a synchronized with server b Motivations Formal analysis of cryptographic ◮ u has passphrase p , encryption/mac keys K web applications and K ′ and shared secret s u , b derived from p Protocols of cryptographic web applications ◮ a uses a set of db = ( m , Enc K ( x ) , Mac K ′ ( x )) Generic encrypted storage protocol ◮ a and b keep db synchronized with Sync and Web encrypted cloud storage Web attacker model Update Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 8 / 46

  15. Keys to the Cloud Generic encrypted storage protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis Components Application-level Crypto on the Web ◮ u uses app a synchronized with server b Motivations Formal analysis of cryptographic ◮ u has passphrase p , encryption/mac keys K web applications and K ′ and shared secret s u , b derived from p Protocols of cryptographic web applications ◮ a uses a set of db = ( m , Enc K ( x ) , Mac K ′ ( x )) Generic encrypted storage protocol ◮ a and b keep db synchronized with Sync and Web encrypted cloud storage Web attacker model Update Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 8 / 46

  16. Keys to the Cloud Synchronize protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic web applications Login ( u , s u , b ); Get ( m ) Protocols of cryptographic web Data ( m , e , h ) applications Generic encrypted storage protocol Web encrypted cloud storage Web attacker model ( m , e , h ) Formal verification Mac K ′ ( m , e ) = h WebSpi model ConfiChair SpiderOak store[u] 1Password local db = ( m , e , h ) Web attacks on encrypted cloud storage ∨ 9 / 46

  17. Keys to the Cloud Synchronize protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic web applications Login ( u , s u , b ); Get ( m ) Protocols of cryptographic web Data ( m , e , h ) applications Generic encrypted storage protocol Web encrypted cloud storage Web attacker model ( m , e , h ) Formal verification Mac K ′ ( m , e ) = h WebSpi model ConfiChair SpiderOak store[u] 1Password local db = ( m , e , h ) Web attacks on encrypted cloud storage ∨ 9 / 46

  18. Keys to the Cloud Synchronize protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic web applications Login ( u , s u , b ); Get ( m ) Protocols of cryptographic web Data ( m , e , h ) applications Generic encrypted storage protocol Web encrypted cloud storage Web attacker model ( m , e , h ) Formal verification Mac K ′ ( m , e ) = h WebSpi model ConfiChair SpiderOak store[u] 1Password local db = ( m , e , h ) Web attacks on encrypted cloud storage ∨ 9 / 46

  19. Keys to the Cloud Synchronize protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic Login ( u , s u , b ); Get ( m ) web applications Protocols of cryptographic web Data ( m , e , h ) applications Generic encrypted storage protocol Web encrypted cloud storage ( m , e , h ) Web attacker model Mac K ′ ( m , e ) = h Formal verification store[u] WebSpi model ConfiChair SpiderOak local db = ( m , e , h ) 1Password Web attacks on encrypted cloud storage ∨ 9 / 46

  20. Keys to the Cloud Synchronize protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic Login ( u , s u , b ); Get ( m ) web applications Protocols of cryptographic web Data ( m , e , h ) applications Generic encrypted storage protocol Web encrypted cloud storage ( m , e , h ) Web attacker model Mac K ′ ( m , e ) = h Formal verification store[u] WebSpi model ConfiChair SpiderOak local db = ( m , e , h ) 1Password Web attacks on encrypted cloud storage ∨ 9 / 46

  21. Keys to the Cloud Synchronize protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic Login ( u , s u , b ); Get ( m ) web applications Protocols of cryptographic web Data ( m , e , h ) applications Generic encrypted storage protocol Web encrypted cloud storage ( m , e , h ) Web attacker model Mac K ′ ( m , e ) = h Formal verification store[u] WebSpi model ConfiChair SpiderOak local db = ( m , e , h ) 1Password Web attacks on encrypted cloud storage ∨ 9 / 46

  22. Keys to the Cloud Update protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic Login ( u , s u , b ); web applications Protocols of cryptographic web applications Up ( m , Enc K ( x ) , Mac K ′ ( x )) Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak store[u] 1Password Updated ( m , x ) Web attacks on encrypted cloud storage ∨ 10 / 46

  23. Keys to the Cloud Update protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic Login ( u , s u , b ); web applications Protocols of cryptographic web applications Up ( m , Enc K ( x ) , Mac K ′ ( x )) Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak store[u] 1Password Updated ( m , x ) Web attacks on encrypted cloud storage ∨ 10 / 46

  24. Keys to the Cloud Update protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic Login ( u , s u , b ); web applications Protocols of cryptographic web applications Up ( m , Enc K ( x ) , Mac K ′ ( x )) Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak store[u] 1Password Updated ( m , x ) Web attacks on encrypted cloud storage ∨ 10 / 46

  25. Keys to the Cloud Update protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Formal analysis of cryptographic Login ( u , s u , b ); web applications Protocols of cryptographic web applications Up ( m , Enc K ( x ) , Mac K ′ ( x )) Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak store[u] 1Password Updated ( m , x ) Web attacks on encrypted cloud storage ∨ 10 / 46

  26. Keys to the Cloud Update protocol Bansal, Bhargavan, Delignat-Lavaud, Maffeis User u ( K , K ′ ) Application-level TLS Crypto on the Web Application a Server b Motivations Login ( u , s u , b ); Formal analysis of cryptographic web applications Protocols of cryptographic web Up ( m , Enc K ( x ) , Mac K ′ ( x )) applications Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification store[u] WebSpi model ConfiChair SpiderOak Updated ( m , x ) 1Password Web attacks on encrypted cloud storage ∨ 10 / 46

  27. Keys to the Cloud Attacker model Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web Attacker model Motivations Formal analysis of cryptographic ◮ comprimised server web applications Protocols of ◮ network attacker cryptographic web applications ◮ stolen/hijacked device Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 11 / 46

  28. Keys to the Cloud Web login protocol Bansal, Bhargavan, Delignat-Lavaud, Web Login and Key Derivation: Login ( u , p , b ) Maffeis user on browser a navigates to ❤tt♣s✿✴✴❜✴❧♦❣✐♥ a and b establish TLS connection c : TLS → b ( − ) , TLS ← b ( − ) c c TLS → b ( Request ( ✴❧♦❣✐♥ )) 1. a → b c TLS ← b ( Response ( LoginForm )) 2. b → a c Application-level user enters username u and passphrase p Crypto on the Web a derives and stores K = kdf p A u iter , K ′ = kdf p B u iter Motivations Formal analysis of cryptographic a derives secret u , b = kdf p C u iter web applications TLS → b ( Request ( ✴❧♦❣✐♥ , ✉s❡r = ✉ & s❡❝r❡t = secret u , b )) 3. a → b Protocols of c cryptographic web b verifies that s❡❝r❡t = secret u , b applications b generates a cookie sid u , b Generic encrypted storage b stores ( sid u , b , u ) protocol Web encrypted cloud storage TLS ← b ( Response [ sid u , b ]( LoginSuccess ())) 4. b → a Web attacker model c a stores ( b , sid u , b ) Formal verification WebSpi model ConfiChair SpiderOak 1Password In the browser Web attacks on ◮ Need to store K and K ′ encrypted cloud storage ◮ Cookie-based session [ sid u , b ] ∨ 12 / 46

  29. Keys to the Cloud Cryptography in the browser Bansal, Bhargavan, Delignat-Lavaud, Maffeis Browser crypto and key storage Application-level Crypto on the Web ◮ JS crypto considered harmful Motivations Formal analysis of cryptographic web applications ◮ Some services (SpiderOak) just cache the Protocols of cryptographic web passphrase on the server applications Generic encrypted storage ◮ sessionStorage exposes keys to full origin protocol Web encrypted cloud storage ◮ DJS and WebCryptoAPI can help Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 13 / 46

  30. Keys to the Cloud Cryptography in the browser Bansal, Bhargavan, Delignat-Lavaud, Maffeis Browser crypto and key storage Application-level Crypto on the Web ◮ JS crypto considered harmful Motivations Formal analysis of cryptographic web applications ◮ Some services (SpiderOak) just cache the Protocols of cryptographic web passphrase on the server applications Generic encrypted storage ◮ sessionStorage exposes keys to full origin protocol Web encrypted cloud storage ◮ DJS and WebCryptoAPI can help Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 13 / 46

  31. Keys to the Cloud Cryptography in the browser Bansal, Bhargavan, Delignat-Lavaud, Maffeis Browser crypto and key storage Application-level Crypto on the Web ◮ JS crypto considered harmful Motivations Formal analysis of cryptographic web applications ◮ Some services (SpiderOak) just cache the Protocols of cryptographic web passphrase on the server applications Generic encrypted storage ◮ sessionStorage exposes keys to full origin protocol Web encrypted cloud storage ◮ DJS and WebCryptoAPI can help Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 13 / 46

  32. Keys to the Cloud Cryptography in the browser Bansal, Bhargavan, Delignat-Lavaud, Maffeis Browser crypto and key storage Application-level Crypto on the Web ◮ JS crypto considered harmful Motivations Formal analysis of cryptographic web applications ◮ Some services (SpiderOak) just cache the Protocols of cryptographic web passphrase on the server applications Generic encrypted storage ◮ sessionStorage exposes keys to full origin protocol Web encrypted cloud storage ◮ DJS and WebCryptoAPI can help Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 13 / 46

  33. Keys to the Cloud Cloud file storage Bansal, Bhargavan, Delignat-Lavaud, Maffeis User Application-level Crypto on the Web Motivations App Website Server authentication Formal analysis of cryptographic web applications Protocols of encrypted data cryptographic web applications decryption script Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification 3rd party release WebSpi model ConfiChair SpiderOak Decrypted Data 1Password Web attacks on encrypted cloud storage ∨ 14 / 46

  34. Keys to the Cloud Cloud file storage Bansal, Bhargavan, Delignat-Lavaud, Maffeis User Application-level Crypto on the Web Motivations Formal analysis of cryptographic CSRF App Website web applications Server authentication Protocols of cryptographic web encrypted data applications Hacker Generic encrypted storage decryption script protocol Web encrypted cloud storage Web attacker model XSS Formal verification WebSpi model 3rd party release ConfiChair SpiderOak 1Password Decrypted Data Web attacks on encrypted cloud storage ∨ 14 / 46

  35. Keys to the Cloud Cloud file storage Bansal, Bhargavan, Delignat-Lavaud, Maffeis User Application-level Crypto on the Web Motivations App Website Server authentication Formal analysis of cryptographic web applications Protocols of encrypted data cryptographic web applications malicious script Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification 3rd party release WebSpi model ConfiChair SpiderOak Decrypted Data Hacker 1Password Web attacks on encrypted cloud storage ∨ 14 / 46

  36. Keys to the Cloud Cloud file storage Bansal, Bhargavan, Delignat-Lavaud, Maffeis User Application-level Crypto on the Web Motivations App Website Server authentication Formal analysis of cryptographic web applications Protocols of encrypted data cryptographic web applications malicious script Generic encrypted storage protocol Web encrypted cloud storage Web attacker model key Formal verification 3rd party release WebSpi model ConfiChair SpiderOak Decrypted Data Hacker 1Password Web attacks on encrypted cloud storage ∨ 14 / 46

  37. Keys to the Cloud Cloud file storage Bansal, Bhargavan, Delignat-Lavaud, Maffeis Friends? User sharing Application-level Crypto on the Web Motivations App Website Server authentication Formal analysis of cryptographic web applications Protocols of encrypted data cryptographic web applications decryption script Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification 3rd party release WebSpi model ConfiChair SpiderOak Decrypted Data 1Password Web attacks on encrypted cloud storage ∨ 14 / 46

  38. Keys to the Cloud Cloud file storage Bansal, Bhargavan, Delignat-Lavaud, Maffeis User Application-level Crypto on the Web Motivations App Website Server authentication Formal analysis of cryptographic web applications Protocols of encrypted data cryptographic web applications script Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification 3rd party release WebSpi model ConfiChair SpiderOak Decrypted Data 1Password Web attacks on encrypted cloud storage ∨ 14 / 46

  39. Keys to the Cloud Release of plaintext Bansal, Bhargavan, Delignat-Lavaud, Maffeis Automatic Form Filling for Web Login: Fill ( b ) user on browser a navigates to ❤tt♣s✿✴✴❜✴❧♦❣✐♥ Application-level a and b establish TLS connection c : TLS → b ( − ) , TLS ← b Crypto on the Web ( − ) c c Motivations TLS → b ( Request ( ✴❧♦❣✐♥ )) 1. a → b Formal analysis of cryptographic c web applications TLS ← b ( Response ( LoginForm )) 2. b → a c Protocols of a triggers browser extension x with the current page hostname cryptographic web Lookup ( b ) 3. a → x applications x looks up encdb for ( b , e , h ) Generic encrypted storage protocol x checks that mac K ′ ( b , e ) = h Web encrypted cloud storage x computes ( u , p ) = decrypt K e Web attacker model Result ( b , u , p ) 4. x → a Formal verification a fills LoginForm with ( u , p ) WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 15 / 46

  40. Keys to the Cloud Sharing by web link Bansal, Bhargavan, Delignat-Lavaud, Maffeis URL-based File Sharing: Share ( u , m ) Application-level Crypto on the Web user u sends to v the link Motivations U = ❤tt♣s✿✴✴❜✴❄✉s❡r❂ u ✫❢✐❧❡❂ m ✫❦❡②❂ K Formal analysis of cryptographic web applications user v on browser a navigates to U Protocols of TLS → b ( Request []( U )) 1. a → b cryptographic web c applications b retrieves storage [ u ] = ( m , e , h ) Generic encrypted storage b decrypts f = decrypt K e protocol TLS ← b Web encrypted cloud storage 2. b → a ( Response []( Download ( f ))) c Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 16 / 46

  41. Keys to the Cloud Browser security model Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web Motivations Formal analysis of cryptographic web applications Protocols of cryptographic web applications Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 17 / 46

  42. Keys to the Cloud Browser security model Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Same-Origin Policy Crypto on the Web Motivations Formal analysis of cryptographic Access control all based on same-origin policy web applications Protocols of (SOP) to isolate frames, cookies, ❧♦❝❛❧❙t♦r❛❣❡ ... cryptographic web applications Generic encrypted storage Origin = protocol + domain + port protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 18 / 46

  43. Keys to the Cloud Web attacker model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ◮ Code delivery ◮ XSS: data interpreted as code in JavaScript or Application-level Crypto on the Web HTML ( ❡✈❛❧✱ ✐♥♥❡r❍❚▼▲ ) Motivations Formal analysis of cryptographic web applications ◮ Session hijacking Protocols of cryptographic web ◮ CSRF: URL-triggered action initiated on user’s applications behalf by 3rd party website (XO ✐❢r❛♠❡✱ ✐♠❣✱ Generic encrypted storage protocol Web encrypted cloud storage s❝r✐♣t ...) Web attacker model ◮ Open redirectors, phishing, framing and Formal verification WebSpi model clickjacking... ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 19 / 46

  44. Keys to the Cloud Web attacker model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ◮ Code delivery ◮ XSS: data interpreted as code in JavaScript or Application-level Crypto on the Web HTML ( ❡✈❛❧✱ ✐♥♥❡r❍❚▼▲ ) Motivations Formal analysis of cryptographic web applications ◮ Session hijacking Protocols of cryptographic web ◮ CSRF: URL-triggered action initiated on user’s applications behalf by 3rd party website (XO ✐❢r❛♠❡✱ ✐♠❣✱ Generic encrypted storage protocol Web encrypted cloud storage s❝r✐♣t ...) Web attacker model ◮ Open redirectors, phishing, framing and Formal verification WebSpi model clickjacking... ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 19 / 46

  45. Keys to the Cloud Web attacker model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ◮ Code delivery ◮ XSS: data interpreted as code in JavaScript or Application-level Crypto on the Web HTML ( ❡✈❛❧✱ ✐♥♥❡r❍❚▼▲ ) Motivations Formal analysis of cryptographic web applications ◮ Session hijacking Protocols of cryptographic web ◮ CSRF: URL-triggered action initiated on user’s applications behalf by 3rd party website (XO ✐❢r❛♠❡✱ ✐♠❣✱ Generic encrypted storage protocol Web encrypted cloud storage s❝r✐♣t ...) Web attacker model ◮ Open redirectors, phishing, framing and Formal verification WebSpi model clickjacking... ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 19 / 46

  46. Keys to the Cloud Web attacker model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ◮ Code delivery ◮ XSS: data interpreted as code in JavaScript or Application-level Crypto on the Web HTML ( ❡✈❛❧✱ ✐♥♥❡r❍❚▼▲ ) Motivations Formal analysis of cryptographic web applications ◮ Session hijacking Protocols of cryptographic web ◮ CSRF: URL-triggered action initiated on user’s applications behalf by 3rd party website (XO ✐❢r❛♠❡✱ ✐♠❣✱ Generic encrypted storage protocol Web encrypted cloud storage s❝r✐♣t ...) Web attacker model ◮ Open redirectors, phishing, framing and Formal verification WebSpi model clickjacking... ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 19 / 46

  47. Keys to the Cloud Web attacker model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ◮ Code delivery ◮ XSS: data interpreted as code in JavaScript or Application-level Crypto on the Web HTML ( ❡✈❛❧✱ ✐♥♥❡r❍❚▼▲ ) Motivations Formal analysis of cryptographic web applications ◮ Session hijacking Protocols of cryptographic web ◮ CSRF: URL-triggered action initiated on user’s applications behalf by 3rd party website (XO ✐❢r❛♠❡✱ ✐♠❣✱ Generic encrypted storage protocol Web encrypted cloud storage s❝r✐♣t ...) Web attacker model ◮ Open redirectors, phishing, framing and Formal verification WebSpi model clickjacking... ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 19 / 46

  48. Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ProVerif ◮ Applied pi-calculus Application-level Crypto on the Web ◮ Computations = message-passing processes Motivations Formal analysis of cryptographic communicating over asynchronous named web applications channels Protocols of cryptographic web applications ◮ Public channels available to all processes Generic encrypted storage protocol ◮ Private channels only available to processes Web encrypted cloud storage Web attacker model that know the name Formal verification WebSpi model ◮ Processes can store and retrieve messages ConfiChair SpiderOak from local database 1Password Web attacks on encrypted cloud storage ∨ 20 / 46

  49. Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ProVerif ◮ Applied pi-calculus Application-level Crypto on the Web ◮ Computations = message-passing processes Motivations Formal analysis of cryptographic communicating over asynchronous named web applications channels Protocols of cryptographic web applications ◮ Public channels available to all processes Generic encrypted storage protocol ◮ Private channels only available to processes Web encrypted cloud storage Web attacker model that know the name Formal verification WebSpi model ◮ Processes can store and retrieve messages ConfiChair SpiderOak from local database 1Password Web attacks on encrypted cloud storage ∨ 20 / 46

  50. Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ProVerif ◮ Applied pi-calculus Application-level Crypto on the Web ◮ Computations = message-passing processes Motivations Formal analysis of cryptographic communicating over asynchronous named web applications channels Protocols of cryptographic web applications ◮ Public channels available to all processes Generic encrypted storage protocol ◮ Private channels only available to processes Web encrypted cloud storage Web attacker model that know the name Formal verification WebSpi model ◮ Processes can store and retrieve messages ConfiChair SpiderOak from local database 1Password Web attacks on encrypted cloud storage ∨ 20 / 46

  51. Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ProVerif ◮ Applied pi-calculus Application-level Crypto on the Web ◮ Computations = message-passing processes Motivations Formal analysis of cryptographic communicating over asynchronous named web applications channels Protocols of cryptographic web applications ◮ Public channels available to all processes Generic encrypted storage protocol ◮ Private channels only available to processes Web encrypted cloud storage Web attacker model that know the name Formal verification WebSpi model ◮ Processes can store and retrieve messages ConfiChair SpiderOak from local database 1Password Web attacks on encrypted cloud storage ∨ 20 / 46

  52. Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis ProVerif ◮ Applied pi-calculus Application-level Crypto on the Web ◮ Computations = message-passing processes Motivations Formal analysis of cryptographic communicating over asynchronous named web applications channels Protocols of cryptographic web applications ◮ Public channels available to all processes Generic encrypted storage protocol ◮ Private channels only available to processes Web encrypted cloud storage Web attacker model that know the name Formal verification WebSpi model ◮ Processes can store and retrieve messages ConfiChair SpiderOak from local database 1Password Web attacks on encrypted cloud storage ∨ 20 / 46

  53. Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis P , Q ::= process send M on channel a out(a,M);P receive message in X in(a,X);P Application-level Crypto on the Web insert M into table t insert(t,M);P Motivations retrieve table entry in X Formal analysis of cryptographic get(t,X) in P web applications fresh name with scope P new a;P Protocols of cryptographic web insert event in trace event e(M1,...,Mn);P applications Generic encrypted storage pattern matching let X=M in P protocol Web encrypted cloud storage conditional statement if p(M) then P else Q Web attacker model Formal verification run P and Q in parallel P|Q WebSpi model run unbounded number of ConfiChair !P SpiderOak copies of P in parallel 1Password Web attacks on encrypted cloud storage ∨ 21 / 46

  54. Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis M , N , X ::= message Application-level Crypto on the Web channel,key,data,... a Motivations variable Formal analysis of cryptographic x web applications pair (M,N) Protocols of cryptographic web constructor or destructor f(M1,...,Mn) applications Generic encrypted storage f applied to M 1 , ..., Mn protocol Web encrypted cloud storage matching operator =M Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 22 / 46

  55. Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis Symbolic cryptography Cryptographic algorithms = perfect black-boxes Application-level Crypto on the Web represented by constructors and destructors. Motivations Formal analysis of cryptographic web applications fun aenc(bitstring,symkey): bitstring. Protocols of cryptographic web reduc forall b:bitstring,k:symkey; adec(aenc(b,k),k) = b. applications Generic encrypted storage protocol Web encrypted cloud storage fun hash(bitstring) : bitstring. Web attacker model fun pk(privkey):pubkey. Formal verification WebSpi model fun sign(bitstring,privkey): bitstring. ConfiChair reduc forall b:bitstring,sk:privkey; verify(sign(b,sk),pk(sk)) = b. SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 23 / 46

  56. Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis HTTP server ◮ implemented by HttpServer process ◮ possess private and public keys for TLS sessions in serverIdentities Application-level Crypto on the Web ◮ table also has server name flag xdr for XORS Motivations Formal analysis of cryptographic web applications Protocols of cryptographic web let HttpServer() = applications !in(net,(b:Browser,o:Origin,m:bitstring)); Generic encrypted storage protocol get serverIdentities(=o,pk_P,sk_P,xdrp) in Web encrypted cloud storage Web attacker model let (k:symkey,httpReq(u,hs,req)) = reqdec(o,m,sk_P) in Formal verification if origin(u) = o then WebSpi model let corr = mkCorrelator(k) in ConfiChair out(httpServerRequest,(u,hs,req,corr)); SpiderOak 1Password in(httpServerResponse, Web attacks on (=u,resp:HttpResponse,cookieOut:Cookie,=corr)); encrypted cloud storage out(net,(o,b,respenc(o,httpResp(resp,cookieOut,xdrp),k))). ∨ 24 / 46

  57. Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis Browser ◮ implemented by HttpClient process identified by b and associated with a user Application-level Crypto on the Web ◮ handles user- and page-triggered requests Motivations Formal analysis of cryptographic and responses (including redirections) and web applications Protocols of their encryption/decryption cryptographic web applications ◮ browserRequest channel for URL bar, pageClick for Generic encrypted storage protocol links and included contents, ajaxRequest for Web encrypted cloud storage Web attacker model AJAX Formal verification WebSpi model ◮ cookies, local storage maintained in global ConfiChair SpiderOak table indexed by browser, origin and for 1Password cookies, path Web attacks on encrypted cloud storage ∨ 25 / 46

  58. Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis HttpClient code for sending a request req to URI u from page p , with referrer ref and AJAX flag aj : Application-level let o = origin(u) in let p = path(u) in Crypto on the Web Motivations get cookies(=b,=o,=slash(),cs) in Formal analysis of cryptographic get cookies(=b,=o,=p,cp) in web applications Protocols of let header = headers(ref, cookiePair(cs,cp), aj) in cryptographic web get publicKey(=o,pk_host) in applications let m = httpReq(u,header,req) in Generic encrypted storage protocol let (k:symkey,e:bitstring) = reqenc(o,m,pk_host) in Web encrypted cloud storage Web attacker model out(net,(b, o, e)); Formal verification WebSpi model Headers include cookies cs for path “ ✴ " and cp for ConfiChair SpiderOak path p and the AJAX flag aj 1Password Web attacks on encrypted cloud storage ∨ 26 / 46

  59. Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis Cookies ◮ can be accessed from the JS on a page from the private getCookieStorage and setCookieStorage channels Application-level Crypto on the Web ◮ can have the secure or HTTP-only flags Motivations Formal analysis of cryptographic web applications Protocols of JavaScript of page p on browser b wants to set cryptographic web applications cookies dc and store ns in local storage is: Generic encrypted storage protocol in (setCookieStorage(b),(p:Page,dc:Cookie,ns:Data)); Web encrypted cloud storage Web attacker model get pageOrigin(=p,o,h,ref) in get cookies(=b,=o,=h,ck) in Formal verification insert cookies(b,o,h, WebSpi model ConfiChair updatedomcookie(ck,securejs(dc),insecurejs(dc))); SpiderOak insert storage(b,o,ns) 1Password Web attacks on encrypted cloud updatedomcookie prevents JavaScript from storage updating HTTP-only cookies from ck . ∨ 27 / 46

  60. Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Web client model Maffeis The client side of a web application is modeled by a process that accesses the browser channels pageClick , ajaxRequest , getCookieStorage and Application-level Crypto on the Web setCookieStorage Motivations Formal analysis of cryptographic web applications Attacker model Protocols of cryptographic web ◮ public network channel net enables the applications Generic encrypted storage standard Dolev-Yao network attacker protocol Web encrypted cloud storage Web attacker model ◮ a compromised server has its private key Formal verification released WebSpi model ConfiChair ◮ XSS and code injection attacks are modeled SpiderOak 1Password by a process AttackerProxy forwarding Web attacks on encrypted cloud messages from a public channel to the storage (normally secret) browser interface channels ∨ 28 / 46

  61. Keys to the Cloud WebSpi model Bansal, Bhargavan, Delignat-Lavaud, Maffeis Verification Application-level Security goals written as correspondence Crypto on the Web assertions between user-defined events: Motivations Formal analysis of cryptographic web applications Protocols of ∀ M 1 , ... M k . e ( M 1 , ... M k ) ⇒ ϕ cryptographic web applications Generic encrypted storage protocol Incompleteness Web encrypted cloud storage Web attacker model WebSpi not an exhaustive browser model: it can Formal verification WebSpi model find attacks but not prove that no attack exists! ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 29 / 46

  62. Keys to the Cloud Analysis of cloud storage services Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web Real-world applications Motivations Formal analysis of cryptographic ◮ ConfiChair: conference management service web applications Protocols of ◮ SpiderOak: encrypted cloud file storage cryptographic web applications ◮ 1password: password manager Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 30 / 46

  63. Keys to the Cloud Analysis of cloud storage services Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web Real-world applications Motivations Formal analysis of cryptographic ◮ ConfiChair: conference management service web applications Protocols of ◮ SpiderOak: encrypted cloud file storage cryptographic web applications ◮ 1password: password manager Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 30 / 46

  64. Keys to the Cloud Analysis of cloud storage services Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web Real-world applications Motivations Formal analysis of cryptographic ◮ ConfiChair: conference management service web applications Protocols of ◮ SpiderOak: encrypted cloud file storage cryptographic web applications ◮ 1password: password manager Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 30 / 46

  65. Keys to the Cloud ConfiChair Bansal, Bhargavan, Delignat-Lavaud, Maffeis Application-level Crypto on the Web Motivations Formal analysis of cryptographic web applications Protocols of cryptographic web applications Generic encrypted storage protocol Web encrypted cloud storage Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 31 / 46

  66. Keys to the Cloud ConfiChair login page Bansal, Bhargavan, Delignat-Lavaud, Login page Maffeis ◮ LoginApp : server listening for requests on ✴❧♦❣✐♥ ◮ LoginUserAgent : JS and HTML of login page. ◮ waits for user to type username and password Application-level Crypto on the Web ◮ derives credential and sends it with username Motivations Formal analysis of cryptographic to LoginApp over HTTPS web applications Protocols of cryptographic web applications let loginURI = uri(https(), confichair, loginPath(), noParams()) in Generic encrypted storage protocol out(browserRequest(b),(loginURI, httpGet())); Web encrypted cloud storage in (newPage(b),(p:Page,=loginURI,d:bitstring)); Web attacker model get userData(=confichair, uid, pwd, paper) in Formal verification WebSpi model let cred = kdf1(pwd) in ConfiChair in (getCookieStorage(b),(=p,cookiePair(cs,ch),od:Data)); SpiderOak 1Password out (setCookieStorage(b),(p,ch,storePassword(pwd))); Web attacks on event LoginInit(confichair, b, uid); encrypted cloud storage out(pageClick(b),(p,loginURI, httpPost(loginFormReply(uid,cred)))) ∨ 32 / 46

  67. Keys to the Cloud ConfiChair conference pages Bansal, Bhargavan, Delignat-Lavaud, Conference pages Maffeis ◮ server-side ConferenceApp and client-side ConferenceUserAgent processes ◮ ConferencesUserAgent first retrieves user’s Application-level Crypto on the Web keypurse using AJAX Motivations Formal analysis of cryptographic ◮ keypurse decrypted with stored key and web applications Protocols of stored in local storage cryptographic web applications Generic encrypted storage protocol let keypurseURI = uri(https(), confichair, Web encrypted cloud storage Web attacker model keyPursePath(), nullParams()) in Formal verification out (ajaxRequest(b),(p,keypurseURI,httpGet())); WebSpi model in (ajaxResponse(b),(=p,=keypurseURI,JSON(x))); ConfiChair SpiderOak in (getCookieStorage(b), 1Password (=p,cookiePair(cs,ch),storePassword(pwd))); Web attacks on encrypted cloud let keypurse(k) = adec(x, kdf2(pwd)) in storage out (setCookieStorage(b),(p,ch,storeKeypurse(k)))) ∨ 33 / 46

  68. Keys to the Cloud ConfiChair conference pages Bansal, Bhargavan, Delignat-Lavaud, Maffeis Conference pages Application-level At any point, user may request a paper to be Crypto on the Web downloaded and decrypted using key in keypurse Motivations Formal analysis of cryptographic web applications Protocols of let paperURI = uri(https(), h, paperPath(), nullParams()) in cryptographic web applications out (ajaxRequest(b),(p,paperURI,httpGet())); Generic encrypted storage protocol in (ajaxResponse(b),(=p,=paperURI,JSON(y))); Web encrypted cloud storage in (getCookieStorage(b), Web attacker model (=p,cookiePair(cs,ch),storeKeypurse(k))); Formal verification WebSpi model let paper = adec(y,k) in event PaperReceived(paper)) ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 34 / 46

  69. Keys to the Cloud ConfiChair security goals Bansal, Bhargavan, Delignat-Lavaud, Maffeis Security goals ◮ Login authentication: Application-level Crypto on the Web event(LoginAuthorized(confichair,id,u,c)) Motivations Formal analysis of cryptographic ⇒ event(LoginInit(confichair,b,id)) web applications = Protocols of cryptographic web ◮ Secrecy of papers: applications Generic encrypted storage protocol in(paperChannel, paper:bitstring); Web encrypted cloud storage Web attacker model get userData(h, uId, k, =paper) in Formal verification event PaperLeak(uId,paper). WebSpi model query u:Id,p:bitstring; event(PaperLeak(id,p)) ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 35 / 46

  70. Keys to the Cloud ConfiChair attacker Bansal, Bhargavan, Delignat-Lavaud, Maffeis XSS vulnerability in Role Page ❤tt♣✿✴✴❝♦♥❢✐❝❤❛✐r✳♦r❣✴❄s❡t✲r♦❧❡❂❁s❝r✐♣t❃❙❁✴s❝r✐♣t❃ Application-level Crypto on the Web If requested role is invalid, returned error page Motivations Formal analysis of cryptographic contains the unsanitized requested role name. web applications Protocols of In RoleUserAgent , the page identifier is released cryptographic web applications Generic encrypted storage protocol let roleURI = uri(https(), h, changeRolePath(), roleParams(x)) in Web encrypted cloud storage Web attacker model out(browserRequest(b),(roleURI, httpGet())); Formal verification in (newPage(b),(p:Page,=roleURI,y:bitstring)); WebSpi model out(pub, p) ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 36 / 46

  71. Keys to the Cloud Result of verification Bansal, Bhargavan, Delignat-Lavaud, Maffeis Authentication goal is broken Attacker can read the user’s password from local Application-level Crypto on the Web storage and leak it to a malicious website Motivations Formal analysis of cryptographic web applications Protocols of Paper privacy is broken cryptographic web applications Attacker can read the paper decryption key from Generic encrypted storage protocol Web encrypted cloud storage local storage and leak it to a malicious website Web attacker model Formal verification ... in previous ProVerif analysis, same goals were WebSpi model ConfiChair valid against cloud attacker model. SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 37 / 46

  72. Keys to the Cloud Fixing ConfiChair Bansal, Bhargavan, Delignat-Lavaud, Maffeis Attack mitigation ◮ Can fix XSS, but there could be others Application-level Crypto on the Web ◮ Stored derived key rather than password Motivations Formal analysis of cryptographic ◮ Re-encrypt keypurse in local storage using web applications Protocols of fresh key set by server in secure cookie only cryptographic web applications on paths that require the keypurse Generic encrypted storage protocol ◮ Solution requires tricks not covered by WebSpi Web encrypted cloud storage Web attacker model to actually work (block same-origin framing Formal verification and AJAX). WebSpi model ConfiChair SpiderOak ◮ Proper solution is to use DJS 1Password Web attacks on encrypted cloud storage ∨ 38 / 46

  73. Keys to the Cloud Fixing ConfiChair Bansal, Bhargavan, Delignat-Lavaud, Maffeis Attack mitigation ◮ Can fix XSS, but there could be others Application-level Crypto on the Web ◮ Stored derived key rather than password Motivations Formal analysis of cryptographic ◮ Re-encrypt keypurse in local storage using web applications Protocols of fresh key set by server in secure cookie only cryptographic web applications on paths that require the keypurse Generic encrypted storage protocol ◮ Solution requires tricks not covered by WebSpi Web encrypted cloud storage Web attacker model to actually work (block same-origin framing Formal verification and AJAX). WebSpi model ConfiChair SpiderOak ◮ Proper solution is to use DJS 1Password Web attacks on encrypted cloud storage ∨ 38 / 46

  74. Keys to the Cloud Fixing ConfiChair Bansal, Bhargavan, Delignat-Lavaud, Maffeis Attack mitigation ◮ Can fix XSS, but there could be others Application-level Crypto on the Web ◮ Stored derived key rather than password Motivations Formal analysis of cryptographic ◮ Re-encrypt keypurse in local storage using web applications Protocols of fresh key set by server in secure cookie only cryptographic web applications on paths that require the keypurse Generic encrypted storage protocol ◮ Solution requires tricks not covered by WebSpi Web encrypted cloud storage Web attacker model to actually work (block same-origin framing Formal verification and AJAX). WebSpi model ConfiChair SpiderOak ◮ Proper solution is to use DJS 1Password Web attacks on encrypted cloud storage ∨ 38 / 46

  75. Keys to the Cloud Fixing ConfiChair Bansal, Bhargavan, Delignat-Lavaud, Maffeis Attack mitigation ◮ Can fix XSS, but there could be others Application-level Crypto on the Web ◮ Stored derived key rather than password Motivations Formal analysis of cryptographic ◮ Re-encrypt keypurse in local storage using web applications Protocols of fresh key set by server in secure cookie only cryptographic web applications on paths that require the keypurse Generic encrypted storage protocol ◮ Solution requires tricks not covered by WebSpi Web encrypted cloud storage Web attacker model to actually work (block same-origin framing Formal verification and AJAX). WebSpi model ConfiChair SpiderOak ◮ Proper solution is to use DJS 1Password Web attacks on encrypted cloud storage ∨ 38 / 46

  76. Keys to the Cloud Fixing ConfiChair Bansal, Bhargavan, Delignat-Lavaud, Maffeis Attack mitigation ◮ Can fix XSS, but there could be others Application-level Crypto on the Web ◮ Stored derived key rather than password Motivations Formal analysis of cryptographic ◮ Re-encrypt keypurse in local storage using web applications Protocols of fresh key set by server in secure cookie only cryptographic web applications on paths that require the keypurse Generic encrypted storage protocol ◮ Solution requires tricks not covered by WebSpi Web encrypted cloud storage Web attacker model to actually work (block same-origin framing Formal verification and AJAX). WebSpi model ConfiChair SpiderOak ◮ Proper solution is to use DJS 1Password Web attacks on encrypted cloud storage ∨ 38 / 46

  77. Keys to the Cloud SpiderOak Bansal, Bhargavan, Delignat-Lavaud, Maffeis User Application-level Crypto on the Web Motivations Formal analysis of cryptographic web applications Protocols of SpiderOak Attacker Server cryptographic web applications JSONP query session Generic encrypted storage protocol Web encrypted cloud storage JSON listing JSON listing Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 39 / 46

  78. Keys to the Cloud SpiderOak Bansal, Bhargavan, Delignat-Lavaud, Maffeis User Application-level Crypto on the Web Motivations Formal analysis of cryptographic web applications Protocols of SpiderOak Attacker Server cryptographic web applications JSONP query session Generic encrypted storage protocol Web encrypted cloud storage JSON listing JSON listing Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 39 / 46

  79. Keys to the Cloud SpiderOak Bansal, Bhargavan, Delignat-Lavaud, Maffeis User Application-level Crypto on the Web Motivations Formal analysis of cryptographic web applications Protocols of SpiderOak Attacker Server cryptographic web applications JSONP query session Generic encrypted storage protocol Web encrypted cloud storage JSON listing JSON listing Web attacker model Formal verification WebSpi model ConfiChair SpiderOak 1Password Web attacks on encrypted cloud storage ∨ 39 / 46

  80. Keys to the Cloud SpiderOak Bansal, Bhargavan, Delignat-Lavaud, Maffeis Query ❤tt♣s✿✴✴s♣✐❞❡r♦❛❦✳❝♦♠✴st♦r❛❣❡✴❁✉✸✷❃✴❄❝❛❧❧❜❛❝❦❂❢ Application-level Result Crypto on the Web Motivations ❢✭④ Formal analysis of cryptographic web applications ✧st❛ts✧✿ ④ Protocols of cryptographic web ✧❢✐rst♥❛♠❡✧✿ ✧✳✳✳✧✱ applications Generic encrypted storage ✧❧❛st♥❛♠❡✧✿ ✧✳✳✳✧✱ protocol Web encrypted cloud storage ✧❞❡✈✐❝❡s✧✿ ✳✳✳✱ Web attacker model ⑥✱ Formal verification WebSpi model ✧❞❡✈✐❝❡s✧✿ ❬ ConfiChair SpiderOak ❬✧♣❝✶✧✱ ✧♣❝✶✴✧❪✱❬✧❧❛♣t♦♣✧✱ ✧❧❛♣t♦♣✴✧❪✱✳✳✳ 1Password ❪ Web attacks on encrypted cloud ⑥✮ storage ∨ 40 / 46

  81. Keys to the Cloud SpiderOak Bansal, Bhargavan, Delignat-Lavaud, Maffeis Query ❤tt♣s✿✴✴s♣✐❞❡r♦❛❦✳❝♦♠✴st♦r❛❣❡✴❁✉✸✷❃✴s❤❛r❡s Application-level Result Crypto on the Web Motivations ④ Formal analysis of cryptographic web applications ✧s❤❛r❡❴r♦♦♠s✧ ✿ ❬ Protocols of cryptographic web ✧✉r❧✧ ✿ ✧✴❜r♦✇s❡✴s❤❛r❡✴❁✐❞❃✴❁❦❡②❃✧✱ applications Generic encrypted storage ✧r♦♦♠❴❦❡②✧ ✿ ✧❁❦❡②❃✧✱ protocol Web encrypted cloud storage ✧r♦♦♠❴❞❡s❝r✐♣t✐♦♥✧ ✿ ✧✧ ✱ Web attacker model ✧r♦♦♠❴♥❛♠❡✧✿ ✧❁r♦♦♠❃✧ Formal verification WebSpi model ❪✱ ConfiChair SpiderOak ✧s❤❛r❡❴✐❞✧ ✿ ✧❁✐❞❃✧✱ 1Password ✧s❤❛r❡❴✐❞❴❜✸✷✧ ✿ ✧❁✉✸✷❃✧ Web attacks on encrypted cloud ⑥ storage ∨ 41 / 46

  82. Keys to the Cloud WebSpi model: SpiderOak Bansal, Bhargavan, Delignat-Lavaud, SpiderOak model Maffeis ◮ Share rooms (implementing the link sharing protocol) use AJAX to retrieve share keys stored on server Application-level ◮ ❙❤❛r❡❞❘♦♦♠❆♣♣ process models JSONP by Crypto on the Web Motivations leaking its own content Formal analysis of cryptographic web applications ◮ CSRF is modeled by the application and Protocols of cryptographic web login/session design applications Generic encrypted storage protocol ◮ File secrecy fails due to decryption keys of Web encrypted cloud storage Web attacker model shared files being leaked Formal verification WebSpi model ConfiChair Mitigation SpiderOak 1Password Besides the CSRF/JSONP problem, the attack is Web attacks on encrypted cloud made possible by bad management of the storage sharing keys. ∨ 42 / 46

  83. Keys to the Cloud WebSpi model: SpiderOak Bansal, Bhargavan, Delignat-Lavaud, SpiderOak model Maffeis ◮ Share rooms (implementing the link sharing protocol) use AJAX to retrieve share keys stored on server Application-level ◮ ❙❤❛r❡❞❘♦♦♠❆♣♣ process models JSONP by Crypto on the Web Motivations leaking its own content Formal analysis of cryptographic web applications ◮ CSRF is modeled by the application and Protocols of cryptographic web login/session design applications Generic encrypted storage protocol ◮ File secrecy fails due to decryption keys of Web encrypted cloud storage Web attacker model shared files being leaked Formal verification WebSpi model ConfiChair Mitigation SpiderOak 1Password Besides the CSRF/JSONP problem, the attack is Web attacks on encrypted cloud made possible by bad management of the storage sharing keys. ∨ 42 / 46

  84. Keys to the Cloud WebSpi model: SpiderOak Bansal, Bhargavan, Delignat-Lavaud, SpiderOak model Maffeis ◮ Share rooms (implementing the link sharing protocol) use AJAX to retrieve share keys stored on server Application-level ◮ ❙❤❛r❡❞❘♦♦♠❆♣♣ process models JSONP by Crypto on the Web Motivations leaking its own content Formal analysis of cryptographic web applications ◮ CSRF is modeled by the application and Protocols of cryptographic web login/session design applications Generic encrypted storage protocol ◮ File secrecy fails due to decryption keys of Web encrypted cloud storage Web attacker model shared files being leaked Formal verification WebSpi model ConfiChair Mitigation SpiderOak 1Password Besides the CSRF/JSONP problem, the attack is Web attacks on encrypted cloud made possible by bad management of the storage sharing keys. ∨ 42 / 46

  85. Keys to the Cloud WebSpi model: SpiderOak Bansal, Bhargavan, Delignat-Lavaud, SpiderOak model Maffeis ◮ Share rooms (implementing the link sharing protocol) use AJAX to retrieve share keys stored on server Application-level ◮ ❙❤❛r❡❞❘♦♦♠❆♣♣ process models JSONP by Crypto on the Web Motivations leaking its own content Formal analysis of cryptographic web applications ◮ CSRF is modeled by the application and Protocols of cryptographic web login/session design applications Generic encrypted storage protocol ◮ File secrecy fails due to decryption keys of Web encrypted cloud storage Web attacker model shared files being leaked Formal verification WebSpi model ConfiChair Mitigation SpiderOak 1Password Besides the CSRF/JSONP problem, the attack is Web attacks on encrypted cloud made possible by bad management of the storage sharing keys. ∨ 42 / 46

  86. Keys to the Cloud WebSpi model: SpiderOak Bansal, Bhargavan, Delignat-Lavaud, SpiderOak model Maffeis ◮ Share rooms (implementing the link sharing protocol) use AJAX to retrieve share keys stored on server Application-level ◮ ❙❤❛r❡❞❘♦♦♠❆♣♣ process models JSONP by Crypto on the Web Motivations leaking its own content Formal analysis of cryptographic web applications ◮ CSRF is modeled by the application and Protocols of cryptographic web login/session design applications Generic encrypted storage protocol ◮ File secrecy fails due to decryption keys of Web encrypted cloud storage Web attacker model shared files being leaked Formal verification WebSpi model ConfiChair Mitigation SpiderOak 1Password Besides the CSRF/JSONP problem, the attack is Web attacks on encrypted cloud made possible by bad management of the storage sharing keys. ∨ 42 / 46

  87. Keys to the Cloud 1Password Bansal, Bhargavan, Delignat-Lavaud, Maffeis Friend google → bad User ❣♦♦❣❧❡✳❝♦♠ ❊◆❈✭✉✱ ♣✮ Application-level Crypto on the Web Motivations Formal analysis of cryptographic web applications 1Password Protocols of Content Server cryptographic web applications ❣♦♦❣❧❡✳❝♦♠ Generic encrypted storage protocol ❊◆❈✭✉✱ ♣✮ Web encrypted cloud storage Web attacker model Formal verification WebSpi model p ConfiChair SpiderOak p 1Password google.com Hacker Web attacks on encrypted cloud storage ∨ 43 / 46

  88. Keys to the Cloud 1Password Bansal, Bhargavan, Delignat-Lavaud, Maffeis Friend google → bad User ❣♦♦❣❧❡✳❝♦♠ ❊◆❈✭✉✱ ♣✮ Application-level Crypto on the Web Motivations Formal analysis of cryptographic web applications 1Password Protocols of Content Server cryptographic web applications ❜❛❞✳❝♦♠ Generic encrypted storage protocol ❊◆❈✭✉✱ ♣✮ Web encrypted cloud storage Web attacker model Formal verification WebSpi model p ConfiChair SpiderOak p 1Password google.com Hacker Web attacks on encrypted cloud storage ∨ 43 / 46

  89. Keys to the Cloud 1Password Bansal, Bhargavan, Delignat-Lavaud, Maffeis Friend google → bad User ❣♦♦❣❧❡✳❝♦♠ ❊◆❈✭✉✱ ♣✮ Application-level Crypto on the Web Motivations Formal analysis of cryptographic web applications 1Password Protocols of Content Server cryptographic web applications ❜❛❞✳❝♦♠ Generic encrypted storage protocol ❊◆❈✭✉✱ ♣✮ Web encrypted cloud storage Web attacker model Formal verification WebSpi model p ConfiChair SpiderOak p 1Password bad.com Hacker Web attacks on encrypted cloud storage ∨ 43 / 46

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Comments on Formal Methods Application: concrete example, many of these principles come into

Comments on Formal Methods Application: concrete example, many of these principles come into

IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 29, NO. 6, JUNE 2003 567 Comments on Formal Methods Application: concrete example, many of these principles come into sharp focus. Never have we read Christensen with more interest than in

514 views • 5 slides
Solving Problems Using Problem Solving Concrete operational: Formal operational: classification

Solving Problems Using Problem Solving Concrete operational: Formal operational: classification

Piagetian Development: Solving Problems Using Problem Solving Concrete operational: Formal operational: classification control of variables Dr. David C. Stone conservation combinatorial reasoning Department of Chemistry decentering

480 views • 4 slides
Applications of formal verification for secure Cloud environments at CEA LIST Nikolai Kosmatov

Applications of formal verification for secure Cloud environments at CEA LIST Nikolai Kosmatov

Applications of formal verification for secure Cloud environments at CEA LIST Nikolai Kosmatov joint work with A.Blanchard, F.Bobot, M.Lemerre,. . . SEC2, Lille, June 30 th , 2015 N. Kosmatov (CEA LIST) Formal Verification for secure Cloud

597 views • 37 slides
Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal

Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal

Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal verification uses algorithms to rigorously prove properties of hardware or software design. 20 years ago, we had the FDIV bug: 42.0 / 7.0 = 8.0 Formal

576 views • 6 slides
Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Formal Methods Assurance for TTP John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Formal Methods Assurance for TTP: 1 Formal Methods for Analysis and Assurance: The Idea Testing/Simulation Formal

200 views • 6 slides
Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking, Theorem Proving SMT Solving, Abstraction, and Static Analysis With SAL, PVS, and Yices, and more John Rushby Computer Science Laboratory SRI

1.89k views • 161 slides
Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal

Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal

Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal and Automated Theorem Proving and Applications. Belgrade, February 3-4, 2012. Marko Malikovi Mirko ubrilo Predrag Janii Faculty of Humanities

406 views • 27 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 149 Outline Introduction 1 Formal

861 views • 68 slides
2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys >

2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys >

2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys > 100 uses 4450 keys > 1000 uses An excursion in to the world of OSM tagging presets Simon Poole, SOtM 2018 In the beginning Bus

686 views • 50 slides
Black Hats can also benefit from Formal Methods jean-louis.lanet@inria.fr PROOF 2015 Saint

Black Hats can also benefit from Formal Methods jean-louis.lanet@inria.fr PROOF 2015 Saint

Black Hats can also benefit from Formal Methods jean-louis.lanet@inria.fr PROOF 2015 Saint Malo, September the 28th 1 Agenda Retro-futurism, Retrieving keys, Vulnerability analysis Fault enabled malware Conclusion 2 ZB

633 views • 37 slides
Formal analysis of security models for critical systems: Virtualization platforms and mobile

Formal analysis of security models for critical systems: Virtualization platforms and mobile

Formal analysis of security models for critical systems: Virtualization platforms and mobile devices Carlos Luna Grupo de Seguridad Inform atica, InCo Facultad de Ingenier a, Universidad de la Rep ublica, Uruguay Formal analysis

751 views • 56 slides
Formal Models and Analysis for Self-Adaptive Cyber- Physical Systems International Conference on

Formal Models and Analysis for Self-Adaptive Cyber- Physical Systems International Conference on

Formal Models and Analysis for Self-Adaptive Cyber- Physical Systems International Conference on Formal Aspects of Component Software, Besanon, France, 19 th October 2016. Prof. Dr. Holger Giese Head of the System Analysis & Modeling

704 views • 47 slides
A Formal Analysis of Some Properties of Kerberos 5 Using MSR Frederick Butler, Iliano Cervesato,

A Formal Analysis of Some Properties of Kerberos 5 Using MSR Frederick Butler, Iliano Cervesato,

A Formal Analysis of Some Properties of Kerberos 5 Using MSR Frederick Butler, Iliano Cervesato, Aaron D. Jaggard, and Andre Scedrov Project Goals Give precise statement and formal analysis of a real world protocol Find a real world

474 views • 25 slides
nineteen service loads x load factors concrete holds no tension failure criteria is

nineteen service loads x load factors concrete holds no tension failure criteria is

A RCHITECTURAL S TRUCTURES : Concrete Beam Design F ORM, B EHAVIOR, AND D ESIGN composite of concrete and steel A RCH 331 D R. A NNE N ICHOLS American Concrete Institute (ACI) S UMMER 2018 design for maximum stresses lecture limit

641 views • 9 slides
twenty one service loads x load factors concrete holds no tension failure criteria is

twenty one service loads x load factors concrete holds no tension failure criteria is

E LEMENTS OF A RCHITECTURAL S TRUCTURES : Concrete Beam Design F ORM, B EHAVIOR, AND D ESIGN composite of concrete and steel ARCH 614 D R. A NNE N ICHOLS American Concrete Institute (ACI) S PRING 2019 design for maximum stresses

253 views • 6 slides
twenty two service loads x load factors concrete holds no tension failure criteria is

twenty two service loads x load factors concrete holds no tension failure criteria is

A RCHITECTURAL S TRUCTURES : Concrete Beam Design F ORM, B EHAVIOR, AND D ESIGN composite of concrete and steel ARCH 331 D R. A NNE N ICHOLS American Concrete Institute (ACI) S PRING 2018 design for maximum stresses lecture limit

346 views • 9 slides
Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London

Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London

Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020 Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on

869 views • 76 slides
The DNS security mess D. J. Bernstein University of Illinois at Chicago; Technische Universiteit

The DNS security mess D. J. Bernstein University of Illinois at Chicago; Technische Universiteit

1 The DNS security mess D. J. Bernstein University of Illinois at Chicago; Technische Universiteit Eindhoven 2 The Domain Name System solaris.hr wants to see http://www.ru.nl . Browser at solaris.hr

1.4k views • 123 slides
Appreciation for: Software Development Process By Lakeworks - Own work, GFDL,

Appreciation for: Software Development Process By Lakeworks - Own work, GFDL,

Appreciation for: Software Development Process By Lakeworks - Own work, GFDL, https://commons.wikimedia.org/w/index.php?curid=3526338 SWEN-261 Introduction to Software Engineering Department of Software Engineering Rochester Institute of

467 views • 9 slides
Phototourism Challenge Eduard Trulls (Google) Kwang Moo Yi (U. Victoria) Sri Raghu Malireddi

Phototourism Challenge Eduard Trulls (Google) Kwang Moo Yi (U. Victoria) Sri Raghu Malireddi

Phototourism Challenge Eduard Trulls (Google) Kwang Moo Yi (U. Victoria) Sri Raghu Malireddi (U. Victoria) Yuhe Jin (U. Victoria) How good is <insert-your-favorite-method-here> in practice? Current benchmarks are saturated

657 views • 45 slides
What Decision to Make In a How Interval . . . Conflict Situation under Need for a More . . .

What Decision to Make In a How Interval . . . Conflict Situation under Need for a More . . .

How Conflict . . . An Algorithm for . . . Need for Parallelization Need to Take . . . What Decision to Make In a How Interval . . . Conflict Situation under Need for a More . . . Analysis of the Problem Interval Uncertainty: What Is Known:

300 views • 19 slides
Overview of Tor issues Roger Dingledine The Tor Project https://torproject.org/ 1 Today's plan

Overview of Tor issues Roger Dingledine The Tor Project https://torproject.org/ 1 Today's plan

Overview of Tor issues Roger Dingledine The Tor Project https://torproject.org/ 1 Today's plan 0) Crash course on Tor 1) History of Tor censorship attempts 2) Attacks on low-latency anonymity 3) Tor performance issues 4)

854 views • 70 slides
Breaking e-Banking CAPTCHAs Shujun Li 1 , Syed Amier Haider Shah 2 , Muhammad Asad Usman Khan 2 ,

Breaking e-Banking CAPTCHAs Shujun Li 1 , Syed Amier Haider Shah 2 , Muhammad Asad Usman Khan 2 ,

ACSAC 26 Breaking e-Banking CAPTCHAs Shujun Li 1 , Syed Amier Haider Shah 2 , Muhammad Asad Usman Khan 2 , Syed Ali Khayam 2 , Ahmad-Reza Sadeghi 3 , Roland Schmitz 4 1 Zukunftskolleg, University of Konstanz, Germany 2 National University of

941 views • 39 slides
Smartcards and RFID Security in Organisations Erik Poll Digital Security University of Nijmegen

Smartcards and RFID Security in Organisations Erik Poll Digital Security University of Nijmegen

Smartcards and RFID Security in Organisations Erik Poll Digital Security University of Nijmegen 1 Goals of today What are smartcards and RFID tags? what can they do? what security can they provide? and what are the limits here?

1.17k views • 80 slides

More recommend