verified models and reference implementations for the tls
play

Verified Models and Reference Implementations for the TLS 1.3 - PowerPoint PPT Presentation

Dec 18, 2022 •155 likes •640 views

TLS 1.3 ProVerif CryptoVerif Implementation Conclusion Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate Bruno Blanchet INRIA Paris Bruno.Blanchet@inria.fr Joint work with Karthikeyan Bhargavan and Nadim

  1. TLS 1.3 ProVerif CryptoVerif Implementation Conclusion Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate Bruno Blanchet INRIA Paris Bruno.Blanchet@inria.fr Joint work with Karthikeyan Bhargavan and Nadim Kobeissi June 2017 Bruno Blanchet (INRIA) TLS 1.3 Verification June 2017 1 / 45

  2. TLS 1.3 ProVerif CryptoVerif Implementation Conclusion Transport Layer Security (TLS) 1.3 Next version of the most popular secure channel protocol. Completely redesigned from TLS 1.2 After 20 drafts, on the verge of standardization Bruno Blanchet (INRIA) TLS 1.3 Verification June 2017 2 / 45

  3. TLS 1.3 ProVerif CryptoVerif Implementation Conclusion Transport Layer Security (TLS) 1.3 Next version of the most popular secure channel protocol. Completely redesigned from TLS 1.2 After 20 drafts, on the verge of standardization Why did we need a new protocol? Security: remove broken legacy crypto constructions Bruno Blanchet (INRIA) TLS 1.3 Verification June 2017 2 / 45

  4. TLS 1.3 ProVerif CryptoVerif Implementation Conclusion Attacks against TLS 1.2 RC4 Keystream biases [Mar’13] Lucky13 MAC-Encode-Encrypt CBC [Mar’13] POODLE SSLv3 MAC-Encode-Encrypt [Dec’14] FREAK Export-grade 512-bit RSA [Mar’15] LOGJAM Export-grade 512-bit DH [May’15] SLOTH RSA-MD5 signatures [Jan’16] DROWN SSLv2 PSA-PKCS#1v1.5 Enc [Mar’16] SWEET32 3DES Encryption [Oct’16] Bruno Blanchet (INRIA) TLS 1.3 Verification June 2017 3 / 45

  5. TLS 1.3 ProVerif CryptoVerif Implementation Conclusion Transport Layer Security (TLS) 1.3 Next version of the most popular secure channel protocol. Completely redesigned from TLS 1.2 After 20 drafts, on the verge of standardization Why did we need a new protocol? Security: remove broken legacy crypto constructions Efficiency: reduce handshake roundtrip latency 0-RTT when the client and server have a pre-shared key 0.5-RTT Bruno Blanchet (INRIA) TLS 1.3 Verification June 2017 4 / 45

  6. TLS 1.3 ProVerif CryptoVerif Implementation Conclusion Transport Layer Security (TLS) 1.3 Next version of the most popular secure channel protocol. Completely redesigned from TLS 1.2 After 20 drafts, on the verge of standardization Why did we need a new protocol? Security: remove broken legacy crypto constructions Efficiency: reduce handshake roundtrip latency 0-RTT when the client and server have a pre-shared key 0.5-RTT These are potentially contradictory goals Needs extensive security analysis before deployment! The IETF called for academics to formally analyze the protocol drafts. Bruno Blanchet (INRIA) TLS 1.3 Verification June 2017 4 / 45

  7. TLS 1.3 ProVerif CryptoVerif Implementation Conclusion Analyzing TLS 1.3 Many published analyses for intermediate TLS 1.3 drafts Cryptography proofs (of drafts 5,9,10) [Dowling et al. CCS’15, Krawczyk et al. EuroS&P’16, Li et al. S&P’16] Symbolic protocol analysis (of draft 10) [Cremers et al. S&P’16] Verified implementation (of draft 18 record protocol) [Bhargavan et al. S&P’17] Symbolic and computational proofs (of draft 18) [Bhargavan et al. S&P’17; this talk] Are we done? Is it secure? If we deploy TLS 1.3, will it expose new attacks? Bruno Blanchet (INRIA) TLS 1.3 Verification June 2017 5 / 45

  8. TLS 1.3 ProVerif CryptoVerif Implementation Conclusion TLS 1.2 and its proofs: a checkered history Historically, published proofs of TLS missed many attacks Large gaps between simplified models and the deployed protocol 1 Proofs ignored “ugly” implementation details e.g. AES-CBC padding, RSA-PKCS#1v1.5 padding 2 Proofs relied on strong crypto assumptions on primitives e.g. collision resistant hash functions, strong Diffie-Hellman groups 3 Proofs ignored composition with obsolete/unpopular modes e.g. SSLv2, EXPORT ciphers, renegotiation How do we ensure that TLS 1.3 proofs do not fall into these traps? Bruno Blanchet (INRIA) TLS 1.3 Verification June 2017 6 / 45

  9. TLS 1.3 ProVerif CryptoVerif Implementation Conclusion Our approach Use automated verification tools to handle protocol complexity Easy to extend as protocol evolves, or as we model new features Symbolically analyze protocol against known attack vectors Find or prove the absence of downgrade attacks to TLS 1.2 (using ProVerif) Build a mechanically-checked cryptographic proof of TLS 1.3 Explore the crypto assumptions needed by TLS 1.3 (using CryptoVerif) Synchronize verified models with RFC and its implementations Extract ProVerif model from an interoperable implementation (RefTLS) Bruno Blanchet (INRIA) TLS 1.3 Verification June 2017 7 / 45

  10. TLS 1.3 ProVerif CryptoVerif Implementation Conclusion Our vision: one model, three tasks Protocol fix TLS 1.3 Model Potential CryptoVerif ProVerif attack Reference im- Other TLS plementation libraries Symbolic Cryptographic proof proof Interop testing (Inspired by: Verified interoperable implementations of security protocols, TOPLAS 2008.) Bruno Blanchet (INRIA) TLS 1.3 Verification June 2017 8 / 45

  11. TLS 1.3 ProVerif CryptoVerif Implementation Conclusion Our current toolchain Protocol fix TLS 1.3 Core protocol code Model extraction manual edits TLS 1.3 TLS 1.3 Symbolic model Crypto model Potential Reference im- Other TLS CryptoVerif ProVerif plementation attack libraries Symbolic Cryptographic proof proof Interop testing Bruno Blanchet (INRIA) TLS 1.3 Verification June 2017 9 / 45

  12. TLS 1.3 ProVerif CryptoVerif Implementation Conclusion Symbolic analysis to find downgrade (and other) attacks Recent attacks on legacy crypto in TLS: RC4 Keystream biases [Mar’13] Lucky13 MAC-Encode-Encrypt CBC [Mar’13] POODLE SSLv3 MAC-Encode-Encrypt [Dec’14] FREAK Export-grade 512-bit RSA [Mar’15] LOGJAM Export-grade 512-bit DH [May’15] SLOTH RSA-MD5 signatures [Jan’16] DROWN SSLv2 PSA-PKCS#1v1.5 Enc [Mar’16] Legacy crypto remains in TLS libraries for backwards compatibility. Is TLS 1.3 secure, if it is deployed alongside older versions of TLS? Can a man-in-the-middle downgrade TLS 1.3 peers to use legacy crypto? Bruno Blanchet (INRIA) TLS 1.3 Verification June 2017 10 / 45

  13. TLS 1.3 ProVerif CryptoVerif Implementation Conclusion Modeling weak crypto in ProVerif Classic symbolic (Dolev-Yao) protocol models idealize crypto Perfect black-boxes that cannot be opened without relevant key We model agile crypto primitives parameterized by algorithm Given a strong algorithm, the primitive behaves ideally Given a weak algorithm, the primitive completely breaks Bruno Blanchet (INRIA) TLS 1.3 Verification June 2017 11 / 45

  14. TLS 1.3 ProVerif CryptoVerif Implementation Conclusion Modeling weak crypto in ProVerif Classic symbolic (Dolev-Yao) protocol models idealize crypto Perfect black-boxes that cannot be opened without relevant key We model agile crypto primitives parameterized by algorithm Given a strong algorithm, the primitive behaves ideally Given a weak algorithm, the primitive completely breaks e.g. a weak Diffie-Hellman group behaves like a trivial 1-element group d h i d e a l ( element , b i t s t r i n g ) : element . fun equation f o r a l l x : b i t s t r i n g , y : b i t s t r i n g ; d h i d e a l ( d h i d e a l (G, x ) , y ) = d h i d e a l ( d h i d e a l (G, y ) , x ) . fun dh exp ( group , element , b i t s t r i n g ) : element reduc f o r a l l g : group , e : element , x : b i t s t r i n g ; dh exp (WeakDH, e , x ) = BadElement otherwise f o r a l l g : group , e : element , x : b i t s t r i n g ; dh exp ( StrongDH , BadElement , x ) = BadElement g : group , e : element , x : b i t s t r i n g ; otherwise f o r a l l dh exp ( StrongDH , e , x ) = d h i d e a l ( e , x ) . Bruno Blanchet (INRIA) TLS 1.3 Verification June 2017 11 / 45

  15. TLS 1.3 ProVerif CryptoVerif Implementation Conclusion Modeling weak crypto in ProVerif Classic symbolic (Dolev-Yao) protocol models idealize crypto Perfect black-boxes that cannot be opened without relevant key We model agile crypto primitives parameterized by algorithm Given a strong algorithm, the primitive behaves ideally Given a weak algorithm, the primitive completely breaks e.g. a weak Diffie-Hellman group behaves like a trivial 1-element group Similarly, we model strong and weak authenticated encryption, hash functions, MACs, RSA encryption and signatures. Our model is overly conservative, it may not indicate real exploits Our goal is to verify TLS 1.3 against future attacks on legacy crypto Bruno Blanchet (INRIA) TLS 1.3 Verification June 2017 12 / 45

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verified cryptographic implementations: how far can we go? Gilles Barthe IMDEA Software

Verified cryptographic implementations: how far can we go? Gilles Barthe IMDEA Software

Verified cryptographic implementations: how far can we go? Gilles Barthe IMDEA Software Institute, Madrid, Spain September 30, 2014 Motivation Loss of trust in Internet Implementation bugs (HeartBleed) Logical bugs (Triple

670 views • 38 slides
First Building Blocks For Implementations of Security Protocols Verified in Coq Reynald Affeldt

First Building Blocks For Implementations of Security Protocols Verified in Coq Reynald Affeldt

First Building Blocks For Implementations of Security Protocols Verified in Coq Reynald Affeldt 1) Kazuhiko Sakaguchi 1)2) 1) National Institute of Advanced Industrial Science and Technology, Japan 2) University of Tsukuba Motivation

352 views • 21 slides
ModelPlex: Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch

ModelPlex: Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch

ModelPlex: Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch Andr e Platzer Computer Science Department, Carnegie Mellon University RV14, Sept. 24, 2014 Simplex for Hybrid System Models Stefan Mitsch ,

844 views • 50 slides
Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch Andr e

Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch Andr e

Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch Andr e Platzer Computer Science Department, Carnegie Mellon University CPS V&V I&F Workshop, Dec. 12, 2014 For Details, see ModelPlex paper at

504 views • 27 slides
VeriPhy: Verified Controller Executables from Verified Cyber-Physical System Models Brandon Bohrer

VeriPhy: Verified Controller Executables from Verified Cyber-Physical System Models Brandon Bohrer

VeriPhy: Verified Controller Executables from Verified Cyber-Physical System Models Brandon Bohrer 1 , Yong Kiam Tan 1 , Stefan Mitsch 1 , Magnus O. Myreen 2 , and Andr e Platzer 1 Carnegie Mellon University 1 Chalmers University of Technology 2

672 views • 44 slides
MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan (Slides from A.D. Gordon and C. Fournet) Spring, 2014 Outline of Lectures Lecture 1 (Jan 22, Today) Intro to Verified Protocol Implementations

1.32k views • 112 slides
Fully Verified J AVA C ARD API Reference Implementation Wojciech Mostowski woj@cs.ru.nl Radboud

Fully Verified J AVA C ARD API Reference Implementation Wojciech Mostowski woj@cs.ru.nl Radboud

Fully Verified J AVA C ARD API Reference Implementation Wojciech Mostowski woj@cs.ru.nl Radboud University Nijmegen Background & Motivation Full specification and implementation for the verification of J AVA C ARD applets reasoning

736 views • 28 slides
Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C t lin Hri cu References Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan,

922 views • 70 slides
The OAIS Reference Model: current implementations Michael Day, UKOLN, University of Bath

The OAIS Reference Model: current implementations Michael Day, UKOLN, University of Bath

The OAIS Reference Model: current implementations Michael Day, UKOLN, University of Bath m.day@ukoln.ac.uk Chinese-European Workshop on Digital Preservation, Beijing, China, 14-16 July 2004 http://www.ukoln.ac.uk/ Presentation outline

508 views • 28 slides
Towards Correct Transformation: From High-Level Models to Time- Triggered Implementations H.

Towards Correct Transformation: From High-Level Models to Time- Triggered Implementations H.

Towards Correct Transformation: From High-Level Models to Time- Triggered Implementations H. GUESMI (3) , B. BEN HEDIA (1) , S. BLIUDZE (2) , M. JAN (1) and S. BENSALEM (3) (1) CEA, LIST, Embedded Real Time Systems Laboratory, 91191

169 views • 15 slides
Operating Systems in Haskell: Implementations, Models, Proofs Andrew Tolmach Invited Professor,

Operating Systems in Haskell: Implementations, Models, Proofs Andrew Tolmach Invited Professor,

Operating Systems in Haskell: Implementations, Models, Proofs Andrew Tolmach Invited Professor, INRIA Rocquencourt The Programatica Project Portland State University Iavor Diatchki, Thomas Hallgren, Bill Harrison, Jim Hook, Tom Harke, Brian

826 views • 55 slides
Compiling Distributed System Models into Implementations with PGo Finn Hackett, Ivan Beschastnikh

Compiling Distributed System Models into Implementations with PGo Finn Hackett, Ivan Beschastnikh

Compiling Distributed System Models into Implementations with PGo Finn Hackett, Ivan Beschastnikh Renato Costa, Matthew Do PGo Go Modular PlusCal GoLang Execution PGo PGo TLC PCal Model PlusCal TLA+ Checking Translator 1 Motivation

721 views • 68 slides
Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
Generation of Flow-Preserving Orocos Implementations of Simulink/Scicos Models Matteo Morelli and

Generation of Flow-Preserving Orocos Implementations of Simulink/Scicos Models Matteo Morelli and

Generation of Flow-Preserving Orocos Implementations of Simulink/Scicos Models Matteo Morelli and Marco Di Natale IEEE-ICRA 2013, Workshop On Software Development and Integration in Robotics May 6th, 2013 TeCIP Institute, Scuola Superiore

733 views • 23 slides
Examples and Implementations [Bayesian approach to Latent Class Models: Definition, Simulation,

Examples and Implementations [Bayesian approach to Latent Class Models: Definition, Simulation,

BIOSTAT 830 GRAPHICAL MODELS Problem Set 4 Case Study: Latent Class Models Note: 1. Due 11:59PM, December 21, 2016. 2. Electronic submission to your instructors email. 3. You are VERY MUCH encouraged to form teams to discuss proofs and

545 views • 3 slides
Models for Models for Retrieval and Browsing Retrieval and Browsing - Structural Models and

Models for Models for Retrieval and Browsing Retrieval and Browsing - Structural Models and

Models for Models for Retrieval and Browsing Retrieval and Browsing - Structural Models and Browsing Berlin Chen 2004 Reference : 1. Modern Information Retrieval , chapter 2 Taxonomy of Classic IR Models Set Theoretic Fuzzy Extended Boolean

837 views • 29 slides
A Component-based Environment for Android Apps Alexander Senier FOSDEM, Brussels, 2020-02-02

A Component-based Environment for Android Apps Alexander Senier FOSDEM, Brussels, 2020-02-02

A Component-based Environment for Android Apps Alexander Senier FOSDEM, Brussels, 2020-02-02 Smartphone Trust Challenges Privilege Escalation 2020-02-02 2 Media Frameworks are not getting simpler. How do we avoid such fatal errors?

742 views • 28 slides
Binder: A System to Aggregate Mul5ple Internet Gateways in

Binder: A System to Aggregate Mul5ple Internet Gateways in

Binder: A System to Aggregate Mul5ple Internet Gateways in Community Networks Marwan Fayed Luca Boccassi (Cisco) and Mahesh Marina How to solve

445 views • 13 slides
Bottle Binder Nikki Akraboff Chris Becker Chris Desrochers Batya Fellman Katie

Bottle Binder Nikki Akraboff Chris Becker Chris Desrochers Batya Fellman Katie

R e d Bottle Binder Nikki Akraboff Chris Becker Chris Desrochers Batya Fellman Katie Matlack Keith Molina Ilan Moyer Matt Robertson Alex St. Claire Problem and Customer n villages in Ecuador Need for

403 views • 7 slides
SSReflect in Coq 8.10 New intro patterns and support for rewriting under binders rik

SSReflect in Coq 8.10 New intro patterns and support for rewriting under binders rik

SSReflect in Coq 8.10 New intro patterns and support for rewriting under binders rik Martin-Dorel 1 Enrico Tassi 2 1 IRIT, Universit Toulouse 3, France 2 Inria, Universit Cte dAzur, France September 8th, 2019 The 10th Coq Workshop

1.1k views • 32 slides
https://www.github.com/betatim/openrefineder https://www.github.com/betatim/openrefineder

https://www.github.com/betatim/openrefineder https://www.github.com/betatim/openrefineder

https://www.github.com/betatim/openrefineder https://www.github.com/betatim/openrefineder https://mybinder.org/v2/gh/betatim/openrefineder/master code from git repo will https://mybinder.org/v2/gh/betatim/openrefineder/master code from git repo

807 views • 8 slides
Importing External PSKs for TLS draft-ietf-tls-external-psk-importer David Benjamin, Christopher

Importing External PSKs for TLS draft-ietf-tls-external-psk-importer David Benjamin, Christopher

Importing External PSKs for TLS draft-ietf-tls-external-psk-importer David Benjamin, Christopher A. Wood IETF 106 - TLS WG - Singapore Changes since -00 1. Replace ImportedIdentity (label, hash) tuple with (target protocol, target KDF) tuple.

163 views • 5 slides
Simulation of Powder Spreading Process for Binder Jetting Additive Manufacturing Guanxiong Miao,

Simulation of Powder Spreading Process for Binder Jetting Additive Manufacturing Guanxiong Miao,

Simulation of Powder Spreading Process for Binder Jetting Additive Manufacturing Guanxiong Miao, Wenchao Du, Zhijian (ZJ) Pei, Chao Ma Texas A&M University, College Station, TX 77843 Simulation of Powder Spreading Process for Additive

374 views • 8 slides
OCF Binding Prototype Dsseldorf Face to Face, July 2017 Michael McCool

OCF Binding Prototype Dsseldorf Face to Face, July 2017 Michael McCool

OCF Binding Prototype Dsseldorf Face to Face, July 2017 Michael McCool <michael.mccool@intel.com> Outline Prototype: What was done Architecture Issues Suggestions Next steps 2 Goals Consume OCF metadata

471 views • 13 slides

More recommend