noise explorer
play

Noise Explorer Fully automated modeling, analysis and verification - PowerPoint PPT Presentation

Dec 31, 2023 •338 likes •586 views

Noise Explorer Fully automated modeling, analysis and verification for arbitrary Noise protocols IACR Real World Crypto Nadim Kobeissi Symposium 2019 Karthikeyan Bhargavan San Jose, California Noise Protocol Framework: What is it? A

  1. Noise Explorer Fully automated modeling, analysis and verification for arbitrary Noise protocols IACR Real World Crypto Nadim Kobeissi Symposium 2019 Karthikeyan Bhargavan San Jose, California

  2. Noise Protocol Framework: What is it? A Framework for Secure Channel Example Noise Handshake Pattern Protocols NK: • Based on Diffie-Hellman key <- s agreement. ... • Simple language for describing -> e, es messages. <- e, ee • From message description, complex state transformations are derived. • Author: Trevor Perrin. 2

  3. Trevor Perrin’s Talk at RWC2018 https://youtu.be/3gipxdJ22iM 3

  4. Understanding the Notation Handshake Pattern Notation Example Noise Handshake Pattern • s, e : local static and ephemeral key IK: pairs. Automatically generated when <- s they appear in a message. ... • ss, se, es, ee : Diffie-Hellman operations. Automatically mixed into -> e, es, s, ss state. <- e, ee, se • Once we have shared secret agreement, encryption on certain payload elements kicks in automatically. 4

  5. Handshake State Machine State Transformation Functions Example Noise Handshake Pattern • Defined cryptographic operations: XX: EncryptAndHash, HKDF , etc. -> e • Defined local state objects: <- e, ee, s, es CipherState, SymmetricState, HandshakeState . -> s, se • Defined state transformations when processing tokens in messages: MixHash, MixKey , etc. 5

  6. Popular Adaptations of Noise WhatsApp WireGuard XX: IKpsk2: -> e <- s <- e, ee, s, es ... -> s, se -> e, es, s, ss IK: <- e, ee, se, psk <- s ... -> e, es, s, ss <- e, ee, se 6

  7. Security Goals in the Noise Specification Grade Based System Example Noise Handshake Pattern • Authentication: three grades: KN: • 0, 1, 2 -> s • Confidentiality: six grades: ... • 0, 1, 2, 3, 4, 5 -> e 0 0 • Identity hiding: <- e, ee, se 0 3 • Not currently evaluated by Noise Explorer. -> 2 1 <- 0 5 7

  8. Security Goals in the Noise Specification Authentication Grades Example Noise Handshake Pattern • Authentication 0 : No authentication. KN: • “This payload may have been sent by any -> s party, including an active attacker.” • Authentication 1 : Sender ... authentication vulnerable to KCI. -> e 0 0 • “If the recipient's long -term private key has been compromised, this authentication can be <- e, ee, se 0 3 forged.” -> 2 1 • Authentication 2 : Sender authentication resistant to KCI. <- 0 5 • “Assuming the corresponding private keys are secure, this authentication cannot be forged.” 8

  9. Security Goals in the Noise Specification Confidentiality Grades Example Noise Handshake Pattern • Confidentiality 0 : No confidentiality. KN: “This payload is sent in cleartext.” • -> s • Confidentiality 1 : Encryption to ephemeral recipient. ... “This payload has forward secrecy, since encryption • involves an ephemeral-ephemeral DH ("ee"). However, -> e 0 0 the sender has not authenticated the recipient, so this payload might be sent to any party, including an active <- e, ee, se 0 3 attacker.” • Confidentiality 2 : Forward secrecy for sender -> 2 1 compromise only, vulnerable to replay. “If the recipient's static private key is compromised, <- 0 5 • even at a later date, this payload can be decrypted. This message can also be replayed, since there's no ephemeral contribution from the recipient.” 9

  10. Security Goals in the Noise Specification Confidentiality Grades Example Noise Handshake Pattern • Confidentiality 3 : Weak forward secrecy. KN: “The recipient's alleged ephemeral public key may have • been forged by an active attacker. In this case, the attacker could later compromise the recipient's static -> s private key to decrypt the payload.” • Confidentiality 4 : Weak forward secrecy if ... sender’s private key was compromised. -> e 0 0 “If the sender's static private key was previously • compromised, the recipient's alleged ephemeral public key may have been forged by an active attacker. In this <- e, ee, se 0 3 case, the attacker could later compromise the intended recipient's static private key to decrypt the payload.” -> 2 1 • Confidentiality 5 : Strong forward secrecy. “Assuming the ephemeral private keys are secure, and • <- 0 5 the recipient is not being actively impersonated by an attacker that has stolen its static private key, this payload cannot be decrypted.” 10

  11. So Many Security Goals! 50+ Handshake Patterns in the Noise Allows for Use-Case Specific Spec Alone Protocols • How do we verify all of these protocols • TLS isn’t (and shouldn’t be) the answer against (50+ · 10) = 500+ security to everything. queries? • How can we ascertain which security promises any Noise Handshake Pattern can give? 11

  12. 12

  13. Noise Explorer: Design and Formally Verify Noise Handshake Pattern any • Desig ign n Nois ise Protoc ocol ols: Immediate to- • Nois ise Explorer Compendium dium: Formal spec validity checks, helpful verification results for 50+ Noise visualizations. Handshake Patterns. • Gen ener erat ate e Model els for Forma mal • NEW: Gen ener erat ate e Imp mplem emen entations tations: Verif ific icatio ion: Symbolic models for Generates full implementations of your ProVerif. Noise Handshake Pattern in JS and Go. • Top-level processes. • Sophisticated queries for all security goals. • Compromised principal (Charlie). 13

  14. What is Formal Verification with ProVerif? Automated formal verification… …with ProVerif. • Beating the “code first, specify later” (if • Developed at INRIA Paris by Bruno ever) methodology. Blanchet and team. • Two main in models: Symbolic model • Check it out: and computational model. http://prosecco.gforge.inria.fr/personal /bblanche/proverif/ • We use the symbolic model, where we can model protocol flows and try to • I defended my Ph.D. thesis last month, find contradictions to security queries. which has many, many, many uses of ProVerif: https://hal.inria.fr/tel- 01950884 14

  15. Generating Applied Pi Models for ProVerif Components to Model Diffie-Hellman in ProVerif • In ProVerif, all cryptographic primitives fun dhexp(key, key):key. are perfect symbolic black-boxes with equation forall a:key, b:key; no algebraic properties. dhexp(b, dhexp(a, g)) = dhexp(a, dhexp(b, g)). 15

  16. Generating Applied Pi Models for ProVerif Components to Model AEAD in ProVerif • In ProVerif, all cryptographic primitives fun encrypt(key, nonce, bitstring, are perfect symbolic black-boxes with bitstring):bitstring. no algebraic properties. • Encryption is a PRP, hashing is a PRF, fun decrypt(key, nonce, bitstring, etc. bitstring):aead reduc forall k:key, n:nonce, ad:bitstring, plaintext:bitstring; decrypt(k, n, ad, encrypt(k, n, ad, plaintext)) = aeadpack(true, ad, plaintext). 16

  17. Generating Applied Pi Models for ProVerif State Management in ProVerif Components to Model letfun mixKeyAndHash(ss:symmetricstate, • In ProVerif, all cryptographic primitives input_key_material:key) = are perfect symbolic black-boxes with let (cs:cipherstate, ck:key, no algebraic properties. h:bitstring) = symmetricstateunpack(ss) in • Encryption is a PRP, hashing is a PRF, let (ck:key, temp_h:key, etc. temp_k:key) = hkdf(ck, input_key_material) in • Common state management library for let (cs:cipherstate, temp_ck:key, all generated models. h:bitstring) = symmetricstateunpack(mixHash(symmetricstat epack(cs, ck, h), key2bit(temp_h))) in symmetricstatepack(initializeKey(t emp_k), ck, h). 17

  18. Our Findings • Analysis of 50+ Noise Handshake Patterns. • We contribute a formally verified set of groundings for all security goals. • We show that if pattern validity rules are not followed, subtle attacks can be found. 18

  19. Contributions to Noise Specification Improvements to Revision 34: • More well-defined pattern validity rules and security grades. • Higher assurance for fundamental pattern security grades. • New security grades for all 23 deferred patterns. 19

  20. Noise Versus TLS: Lines of Code Lines of Code 300000 250000 200000 150000 100000 50000 0 BORINGSSL BEARSSL NOISEEXP: IK 20

  21. Time for a Demonstration! Aspects that will be demonstrated: 1. Pattern designer and validator: https://noiseexplorer.com/ 2. Automatically generated formal verification results: https://noiseexplorer.com/patterns/IK/ (as an example) 3. Detailed analysis results: https://noiseexplorer.com/patterns/IK/A.html (as an example) 21

  22. The Future of Noise Small, Use-Case Specific Protocols Upcoming Work in Noise • Entire library is ~1,000 LoC, specific • Signatures. Handshake Patterns can be smaller. • Stateful hashing and symmetric (Great post by David Wong: crypto overhaul. https://cryptologie.net/article/446/qui • NoiseSocket, NLS. c-crypto-and-simple-state-machines/) • Implementations that generate • Much smaller and more use-case implementations? specific state machine than TLS or similar. 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

EXPLORER+300 Compact for individual usage EXPLORER+ 300 The smallest EXPLORER terminal:

EXPLORER+300 Compact for individual usage EXPLORER+ 300 The smallest EXPLORER terminal:

EXPLORER+300 Compact for individual usage EXPLORER+ 300 The smallest EXPLORER terminal: Weighs only 1.4 kg A single-user terminal: Ideal if your primarily need voice, or moderate speed internet access Compact:

203 views • 6 slides
EXPLORER+325 COMPACT VOICE AND BROADBAND SOLUTION FOR VEHICLES EXPLORER+ 325 Instant

EXPLORER+325 COMPACT VOICE AND BROADBAND SOLUTION FOR VEHICLES EXPLORER+ 325 Instant

EXPLORER+325 COMPACT VOICE AND BROADBAND SOLUTION FOR VEHICLES EXPLORER+ 325 Instant communication: Simply place the antenna on the roof, connect the antenna and your PC to the EXPLORER terminal, switch on the IP Handset and the vehicle

270 views • 10 slides
Introducing EXPLORER 710 Slide 2 - the bar is raised Cobham plc 2 Introducing the EXPLORER 710

Introducing EXPLORER 710 Slide 2 - the bar is raised Cobham plc 2 Introducing the EXPLORER 710

Introducing EXPLORER 710 Slide 2 - the bar is raised Cobham plc 2 Introducing the EXPLORER 710 A state of the art BGAN setting new standards in terms of speed, size and features. Radical improvement in video quality - the first and

110 views • 8 slides
EXPLORER+700 When versatility &amp; high-speed matters EXPLORER+ 700 Versatility:

EXPLORER+700 When versatility &amp; high-speed matters EXPLORER+ 700 Versatility:

EXPLORER+700 When versatility &amp; high-speed matters EXPLORER+ 700 Versatility: Provides multiple interfaces to support a wide range of applications. Ideal for video streaming applications and large file transfer. Smaller

286 views • 10 slides
Sylvia Earle An American marine biologist, explorer, explorer, author, and lecturer Who is she?

Sylvia Earle An American marine biologist, explorer, explorer, author, and lecturer Who is she?

Sylvia Earle An American marine biologist, explorer, explorer, author, and lecturer Who is she? Since 1988 Dr. Sylvia Alice Earle has been a National Geographic explorer-in-residence. Earle was the first female chief scientist of the U.S

203 views • 8 slides
Visioning Committee Air Quality and Noise January 23, 2020 Noise Data Noise is evaluated on

Visioning Committee Air Quality and Noise January 23, 2020 Noise Data Noise is evaluated on

Visioning Committee Air Quality and Noise January 23, 2020 Noise Data Noise is evaluated on intensity, duration, and area impacted S ource: FAA Noise Contour Map 2 ICAO Aircraft Certification - Noise Reference Points (1476 ft.) (6562

670 views • 24 slides
EXPLORER+500 Performance and portability combined EXPLORER+ 500 The most used BGAN terminal

EXPLORER+500 Performance and portability combined EXPLORER+ 500 The most used BGAN terminal

EXPLORER+500 Performance and portability combined EXPLORER+ 500 The most used BGAN terminal in the Inmarsat world: Unmatched in deployed quantities. Powerful: Ideal combination of performance and portability. Simultaneous

505 views • 14 slides
&amp; Grid5000 Grid eXplorer eXplorer Grid Plates-formes de Grilles exprimentales

&amp; Grid5000 Grid eXplorer eXplorer Grid Plates-formes de Grilles exprimentales

Grid'5000 and Grid eXplorer 1 GdX GdX Grid5000 &amp; Grid5000 Grid eXplorer eXplorer Grid Plates-formes de Grilles exprimentales mutualises lchelle nationale ACI GRID &amp; ACI MD Franck Cappello INRIA fci@lri.fr

415 views • 26 slides
The effect of AM noise on correlation PM noise measurements 1/f noise in RF and microwave

The effect of AM noise on correlation PM noise measurements 1/f noise in RF and microwave

The effect of AM noise on correlation PM noise measurements 1/f noise in RF and microwave amplifiers Enrico Rubiola, Rodolphe Boudot, Yannick Gruson FEMTO-ST Institute, Besanon, France CNRS and Universit de Franche Comt TimeNav 07

731 views • 27 slides
EXPLORER+727 Comprehensive communication hub for vehicles EXPLORER+ 727 High-speed

EXPLORER+727 Comprehensive communication hub for vehicles EXPLORER+ 727 High-speed

EXPLORER+727 Comprehensive communication hub for vehicles EXPLORER+ 727 High-speed broadband-on-the-move: Automatically tracks satellite positions enabling high-speed connectivity while on-the-move. Simultaneous 432 kbps data and phone

412 views • 11 slides
NOISE AT WORK AWARENESS SESSION FOR WORKERS WHAT IS NOISE Noise is all around us at home,

NOISE AT WORK AWARENESS SESSION FOR WORKERS WHAT IS NOISE Noise is all around us at home,

LIFE NEEDS SOUND NOISE AT WORK AWARENESS SESSION FOR WORKERS WHAT IS NOISE Noise is all around us at home, at leisure and at work If noise is too loud and we are exposed for too long it can damage our hearing and afgect our safety at

249 views • 14 slides
= x ... What is a Statistic ? What are Statistic s ? A quantity that is computed

= x ... What is a Statistic ? What are Statistic s ? A quantity that is computed

Why do we need statistics? CS533 Modeling and Performance 1. Noise, noise, noise, noise, noise! Evaluation of Network and Computer Systems Statistics for Performance Evaluation OK not really this type of noise (Chapters 12-15) Why Do

774 views • 20 slides
3D and environment Noise visualization Noise visualization Philippe Royer Noise, air and non

3D and environment Noise visualization Noise visualization Philippe Royer Noise, air and non

3D and environment Noise visualization Noise visualization Philippe Royer Noise, air and non - ionising radiation division REPUBLIQUE Service de l'air, du bruit et des rayonnements non ionisants ET CANTON DE GENEVE Rsum de la

611 views • 22 slides
1 Noise related activities of State Health Office (LGA) Noise related activities of State Health

1 Noise related activities of State Health Office (LGA) Noise related activities of State Health

WG 42: NOISE Noise typology Environmental noise Environment and Health road, rail and air traffic industries, constriction and public work Aspects of Noise neighborhood ventilation systems, office machines, home appliances Leisure

568 views • 3 slides
Noises Jaanus Jaggo Noise Noise is a function: noise(coordinate) -&gt; value Pseudo-random:

Noises Jaanus Jaggo Noise Noise is a function: noise(coordinate) -&gt; value Pseudo-random:

Noises Jaanus Jaggo Noise Noise is a function: noise(coordinate) -&gt; value Pseudo-random: gives the appearance of randomness Determinism: same input gives the same result every time White noise ? Dimensions ? Dimensions Better noise

555 views • 18 slides
Noises Jaanus Jaggo Noise Noise is a function: noise(coordinate) -&gt; value Pseudo-random:

Noises Jaanus Jaggo Noise Noise is a function: noise(coordinate) -&gt; value Pseudo-random:

Noises Jaanus Jaggo Noise Noise is a function: noise(coordinate) -&gt; value Pseudo-random: gives the appearance of randomness Determinism: same input gives the same result every time White noise ? Dimensions ? Dimensions Better noise

837 views • 20 slides
Alternating Permutations Richard P. Stanley M.I.T. Alternating Permutations p. 1

Alternating Permutations Richard P. Stanley M.I.T. Alternating Permutations p. 1

Alternating Permutations Richard P. Stanley M.I.T. Alternating Permutations p. 1 Definitions A sequence a 1 , a 2 , . . . , a k of distinct integers is alternating if a 1 &gt; a 2 &lt; a 3 &gt; a 4 &lt; , and reverse alternating if

1.14k views • 98 slides
Cross-validation and the Bootstrap In the section we discuss two resampling methods:

Cross-validation and the Bootstrap In the section we discuss two resampling methods:

Cross-validation and the Bootstrap In the section we discuss two resampling methods: cross-validation and the bootstrap. These methods refit a model of interest to samples formed from the training set, in order to obtain additional

688 views • 44 slides
Today Simplest.. Load balance: m balls in n bins. n k n k n ne k For

Today Simplest.. Load balance: m balls in n bins. n k n k n ne k For

Today Simplest.. Load balance: m balls in n bins. n k n k n ne k For simplicity: n balls in n bins. k ! k k k Round robin: load 1 ! Load balancing. Centralized! Not so good. = n ( n 1 ) ( n

421 views • 3 slides
StatisticalNLP Ingeneral,wewanttoplaceadistributionoversentences

StatisticalNLP Ingeneral,wewanttoplaceadistributionoversentences

LanguageModels StatisticalNLP Ingeneral,wewanttoplaceadistributionoversentences Spring2010 Basic/classicsolution:n*grammodels

409 views • 4 slides
Results on potential algebras: contraction algebras and Sklyanin algebras N.K.Iyudu Malta, March

Results on potential algebras: contraction algebras and Sklyanin algebras N.K.Iyudu Malta, March

Results on potential algebras: contraction algebras and Sklyanin algebras N.K.Iyudu Malta, March 2018 1 We consider finiteness conditions and ques- tions of growth of noncommutative algebras, known as A con s. They appear in M.Wemyss work on

214 views • 17 slides
The Probabilistic Method Week 4: The Basic Method Joshua Brody CS49/Math59 Fall 2015 images

The Probabilistic Method Week 4: The Basic Method Joshua Brody CS49/Math59 Fall 2015 images

The Probabilistic Method Week 4: The Basic Method Joshua Brody CS49/Math59 Fall 2015 images source: wikipedia, google Clicker Question What does it mean for a tournament to have property S k ? (A) There is a set of k players that beat all

679 views • 19 slides
New Online Algorithms for Story Scheduling in Web Advertising Susanne Albers Achim Paen TU

New Online Algorithms for Story Scheduling in Web Advertising Susanne Albers Achim Paen TU

New Online Algorithms for Story Scheduling in Web Advertising Susanne Albers Achim Paen TU Munich HU Berlin Online advertising Worldwide online ad spending 2012/13: $ 100 billion Expected to surpass print ad spending soon Display

744 views • 27 slides
Lecture 13 Jan-Willem van de Meent Four Types of Clustering 1. Centroid-based (K-means,

Lecture 13 Jan-Willem van de Meent Four Types of Clustering 1. Centroid-based (K-means,

Unsupervised Machine Learning and Data Mining DS 5230 / DS 4420 - Fall 2018 Lecture 13 Jan-Willem van de Meent Four Types of Clustering 1. Centroid-based (K-means, K-medoids) Notion of Clusters: Voronoi tesselation Four Types of

611 views • 42 slides

More recommend