verifpal
play

Verifpal Cryptographic protocol analysis for students and engineers - PowerPoint PPT Presentation

Oct 18, 2023 •105 likes •319 views

Verifpal Cryptographic protocol analysis for students and engineers Nadim Kobeissi FOSDEM Brussels, February 2020 What is Formal Verification? Using software tools in order to obtain guarantees on the security of cryptographic components.

  1. Verifpal Cryptographic protocol analysis for students and engineers Nadim Kobeissi FOSDEM Brussels, February 2020

  2. What is Formal Verification? • Using software tools in order to obtain guarantees on the security of cryptographic components. • Protocols have unintended behaviors when confronted with an active attacker: formal verification can prove security under certain active attacker scenarios! • Primitives can act in unexpected ways given certain inputs: formal verification: formal verification can prove functional correctness of implementations! Verifpal: Cryptographic protocol analysis for 1 students and engineers – Nadim Kobeissi

  3. Formal Verification Today Code and Implementations: F* Protocols: ProVerif, Tamarin • Exports type checks to the Z3 theorem • Take models of protocols (Signal, prover. TLS) and find contradictions to queries. • Can produce provably functionally • “Can the attacker decrypt Alice’s first correct software implementations of primitives (e.g. Curve25519 in message to Bob?” HACL*). • Are limited to the “symbolic model”, • Can produce provably functionally CryptoVerif works in the correct protocol implementations “computational model”. (Signal*). Verifpal: Cryptographic protocol analysis for 2 students and engineers – Nadim Kobeissi

  4. Symbolic Verification Overview • Main tools: ProVerif, Tamarin. • User writes a model of a protocol in action: • Signal AKE, bunch of messages between Alice and Bob, • TLS 1.3 session between a server and a bunch of clients, • ACME for Let’s Encrypt (with domain name ownership confirmation…) • User writes queries: • “Can someone impersonate the server to the clients?” • “Can a client hijack another client’s simultaneous connection to the server?” • ProVerif and Tamarin try to find contradictions. Verifpal: Cryptographic protocol analysis for 3 students and engineers – Nadim Kobeissi

  5. Symbolic Verification is Wonderful • Many papers published in the past 4 years: symbolic verification proving (and finding attacks) in Signal, TLS 1.3, Noise, Scuttlebutt, Bluetooth, 5G and much more! • This is a great way to work, allowing practitioners to reason better about their protocols before/as they are implemented. Why isn’t it used more? Verifpal: Cryptographic protocol analysis for 4 students and engineers – Nadim Kobeissi

  6. Tamarin and ProVerif: Examples rule Get_pk: letfun writeMessage_a(me:principal, them:principal, [ !Pk(A, pk) ] hs:handshakestate, payload:bitstring, sid:sessionid) = --> let (ss:symmetricstate, s:keypair, e:keypair, rs:key, re:key, [ Out(pk) ] psk:key, initiator:bool) = handshakestateunpack(hs) in Tamarin let (ne:bitstring, ns:bitstring, ciphertext:bitstring) = (empty, // Protocol empty, empty) in rule Init_1: (also not fully let e = generate_keypair(key_e(me, them, sid)) in [ Fr(~ekI), !Ltk($I, ltkI) ] automated) let ne = key2bit(getpublickey(e)) in --> let ss = mixHash(ss, ne) in [ Init_1( $I, $R, ~ekI ) let ss = mixKey(ss, getpublickey(e)) in , Out( <$I, $R, 'g' ^ ~ekI, sign{'1', $I, $R,'g' ^ ~ekI }ltkI> ) ] let ss = mixKey(ss, dh(e, rs)) in rule Init_2: let s = generate_keypair(key_s(me)) in let Y = 'g' ^ z // think of this as a group element check ProVerif in […] [ Init_1( $I, $R, ~ekI ) , !Pk($R, pk(ltkR)) event(RecvMsg(bob, alice, stagepack_c(sid_b), m)) ==> , In( <$R, $I, Y, sign{'2', $R, $I, Y }ltkR> ) (event(SendMsg(alice, c, stagepack_c(sid_a), m))) || ] ((event(LeakS(phase0, alice))) && (event(LeakPsk(phase0, alice, --[ SessionKey($I,$R, Y ^ ~ekI) bob)))) || ((event(LeakS(phase0, bob))) && , ExpR(z) (event(LeakPsk(phase0, alice, bob)))); ]-> [ InitiatorKey($I,$R, Y ^ ~ekI) ] Verifpal: Cryptographic protocol analysis for 5 students and engineers – Nadim Kobeissi

  7. Verifpal: A New Symbolic Verifier 1. An intuitive language for modeling protocols. 2. Modeling that avoids user error. 3. Analysis output that’s easy to understand. 4. Integration with developer workflow. Verifpal: Cryptographic protocol analysis for 6 students and engineers – Nadim Kobeissi

  8. A New Approach to Symbolic Verification User-focused approach… …without losing strength • An intuitive language for modeling • Can reason about advanced protocols protocols. (eg. Signal, Noise) out of the box. • Modeling that avoids user error. • Can analyze for forward secrecy, key compromise impersonation and other • Analysis output that’s easy to advanced queries. understand. • Unbounded sessions, fresh values, and • Integration with developer workflow. other cool symbolic model features. Verifpal: Cryptographic protocol analysis for 7 students and engineers – Nadim Kobeissi

  9. Verifpal Language: Simple and Intuitive Verifpal: Cryptographic protocol analysis for 8 students and engineers – Nadim Kobeissi

  10. Verifpal Language: Primitives • Unlike ProVerif, primitives are built-in . • Users cannot define their own primitives. • Bug, not a feature: eliminate user error on the primitive level. • Verifpal not targeting users interested in their own primitives (use ProVerif, it’s great!) Verifpal: Cryptographic protocol analysis for 9 students and engineers – Nadim Kobeissi

  11. Verifpal Language: Primitives • Unlike ProVerif, primitives are built-in . • Users cannot define their own primitives. • Bug, not a feature: eliminate user error on the primitive level. • Verifpal not targeting users interested in their own primitives (use ProVerif, it’s great!) Verifpal: Cryptographic protocol analysis for 10 students and engineers – Nadim Kobeissi

  12. Verifpal Language: Primitives • Unlike ProVerif, primitives are built-in . • Users cannot define their own primitives. • Bug, not a feature: eliminate user error on the primitive level. • Verifpal not targeting users interested in their own primitives (use ProVerif, it’s great!) Verifpal: Cryptographic protocol analysis for 11 students and engineers – Nadim Kobeissi

  13. Signal in Verifpal: State Initialization • Alice wants to initiate a chat with Bob. • Bob’s signed pre-key and one-time pre- key are modeled. Verifpal: Cryptographic protocol analysis for 12 students and engineers – Nadim Kobeissi

  14. Signal in Verifpal: Key Exchange • Alice receives Bob’s key information and derives the master secret. Verifpal: Cryptographic protocol analysis for 13 students and engineers – Nadim Kobeissi

  15. Signal in Verifpal: Messaging Verifpal: Cryptographic protocol analysis for 14 students and engineers – Nadim Kobeissi

  16. Signal in Verifpal: Queries and Results • Typical confidential and authentication queries for messages sent between Alice and Bob. • All queries pass! No contradictions! • Not surprising: Signal is correctly modeled, long-term public keys are guarded; signature verification is checked. Verifpal: Cryptographic protocol analysis for 15 students and engineers – Nadim Kobeissi

  17. Protocols Analyzed with Verifpal • Signal secure messaging protocol. • Scuttlebutt decentralized protocol. • ProtonMail encrypted email service. • Telegram secure messaging protocol. Verifpal: Cryptographic protocol analysis for 16 students and engineers – Nadim Kobeissi

  18. Verifpal in the Classroom • Verifpal User Manual: easiest way to learn how to model and analyze protocols on the planet. • NYU test run: huge success. 20-year-old American undergraduates with no background whatsoever in security were modeling protocols in the first two weeks of class and understanding security goals/analysis results. Verifpal: Cryptographic protocol analysis for 17 students and engineers – Nadim Kobeissi

  19. Verifpal in the Classroom • Upcoming Eurocrypt 2020 affiliated event : https://verifpal.com/eurocrypt2020/ – Verifpal tutorial! • Verifpal has a place in your undergraduate classroom and will do a better job teaching students about protocols and models than anything else in the world. Verifpal: Cryptographic protocol analysis for 18 students and engineers – Nadim Kobeissi

  20. Verifpal Extensions • Visual Studio Code: currently syntax highlighting, but much more planned in the future. • Vim: syntax highlighting. Verifpal: Cryptographic protocol analysis for 19 students and engineers – Nadim Kobeissi

  21. Try Verifpal Today Verifpal is released as free and open source software, under version 3 of the GPL. Check out Verifpal today: verifpal.com Support Verifpal development: verifpal.com/donate Verifpal: Cryptographic protocol analysis for students and engineers – Nadim Kobeissi 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dependability in the Web Service Architecture Ferda Tartanoglu INRIA ARLES Research Project In

Dependability in the Web Service Architecture Ferda Tartanoglu INRIA ARLES Research Project In

Dependability in the Web Service Architecture Ferda Tartanoglu INRIA ARLES Research Project In Collaboration with : Valrie I ssarny - INRIA Alexander Romanovsky - University of Newcastle Upon Tyne Nicole Levy - Universit De Versailles

358 views • 17 slides
Principles of Software Construction: Objects, Design, and Concurrency Concurrency: Motivation

Principles of Software Construction: Objects, Design, and Concurrency Concurrency: Motivation

Principles of Software Construction: Objects, Design, and Concurrency Concurrency: Motivation and Primitives Christian Kstner Bogdan Vasilescu School of Computer Science 15-214 1 Administrivia (1) Signup procedure and deadline for

1.12k views • 67 slides
Stanisaw Ambroszkiew icz the leader of the enTish team IPI PAN, Polish Academy of Sciences

Stanisaw Ambroszkiew icz the leader of the enTish team IPI PAN, Polish Academy of Sciences

Stanisaw Ambroszkiew icz the leader of the enTish team IPI PAN, Polish Academy of Sciences and Institute of Informatics, University of Podlasie, Poland 1 According to SOA paradigm the clients requests y (tasks) are to be realized

350 views • 12 slides
Stefano Chessa Zigbee Standard for wireless sensor networks Developed and promoted by the

Stefano Chessa Zigbee Standard for wireless sensor networks Developed and promoted by the

Stefano Chessa Zigbee Standard for wireless sensor networks Developed and promoted by the ZigBee alliance Applications: Home automation (domotics, ambient assisted living,...) Health care Consumer electronics

1.57k views • 117 slides
Massively Parallel Ray Tracing Masahiro Fujita , LTE Inc. Kenji Ono, The University of Tokyo, and

Massively Parallel Ray Tracing Masahiro Fujita , LTE Inc. Kenji Ono, The University of Tokyo, and

Massively Parallel Ray Tracing Masahiro Fujita , LTE Inc. Kenji Ono, The University of Tokyo, and Riken Sunday, November 13, 2011 Agenda Motivation and Challenges Architecture Result Conclusion Future work Sunday, November

865 views • 40 slides
Parham Solaimani, Ph.D. BeDataDriven BV The Hague, The Netherlands What is Renjin R interpreter

Parham Solaimani, Ph.D. BeDataDriven BV The Hague, The Netherlands What is Renjin R interpreter

Parham Solaimani, Ph.D. BeDataDriven BV The Hague, The Netherlands What is Renjin R interpreter in Java running in JVM Run and scale with could Platform-as-a-Service Use Enterprise Integrate into existing Development Environment Java

288 views • 25 slides
RSP Optimisation Techniques M.I. Ali http://intizarali.org @intizarali ali.intizar@insight-

RSP Optimisation Techniques M.I. Ali http://intizarali.org @intizarali ali.intizar@insight-

Tutorial on RDF Stream Processing 2016 M.I. Ali, J-P Calbimonte, D. Dell'Aglio, E. Della Valle, and A. Mauri http://streamreasoning.org/events/rsp2016 RSP Optimisation Techniques M.I. Ali http://intizarali.org @intizarali

986 views • 60 slides
Top-k Web Service Composition in the Context of User Preferences Karim Benouaret 1 , Djamal

Top-k Web Service Composition in the Context of User Preferences Karim Benouaret 1 , Djamal

Top-k Web Service Composition in the Context of User Preferences Karim Benouaret 1 , Djamal Benslimane 1 , Allel Hadjali 2 1 LIRIS, University of Lyon {karim.benouaret, djamal.benslimane}@liris.cnrs.fr 2 IRISA, Rennes1 University

752 views • 21 slides
CS184c: Computer Architecture [Parallel and Multithreaded] Day 10: May 8, 2001 Synchronization

CS184c: Computer Architecture [Parallel and Multithreaded] Day 10: May 8, 2001 Synchronization

CS184c: Computer Architecture [Parallel and Multithreaded] Day 10: May 8, 2001 Synchronization CALTECH cs184c Spring2001 -- DeHon Today Synchronization Primitives Algorithms Performance coarse vs. fine grained

558 views • 23 slides
Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines Tal Lavian -

Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines Tal Lavian -

Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines Tal Lavian - tlavian@ieee.org Phil Wang, Ramesh Durairaj, Jennifer Rasimas, Doan Hoang, Franco Travostino. Nortel Networks, Advanced Technology Labs Open Source -

956 views • 34 slides
Available for Public Use Available for Public Use Available for Public Use

Available for Public Use Available for Public Use Available for Public Use

Available for Public Use Available for Public Use Available for Public Use Acronym Meaning FCC Federal Communications Commission HCF Healthcare Connect Fund FY Funding Year HCP Health Care Provider (the site receiving

917 views • 65 slides
Governing Provider Relationships: Tips for Protecting Your Deal After the Ink Is Dry Bob Kriss

Governing Provider Relationships: Tips for Protecting Your Deal After the Ink Is Dry Bob Kriss

Governing Provider Relationships: Tips for Protecting Your Deal After the Ink Is Dry Bob Kriss Partner 312.701.7165 rkriss@mayerbrown.com Brad Peterson Partner 312.701.8586 bpeterson @mayerbrown.com February 28, 2017 Technology

680 views • 27 slides
NCAR Strategic Plan 2020-2024 Overarching Theme: Delivering Science with Impact

NCAR Strategic Plan 2020-2024 Overarching Theme: Delivering Science with Impact

The Next NCAR Strategic Plan 2020-2024 Working in Partnership with the Research Community Scott W. McIntosh Interim NCAR Director Members of the NCAR Executive Committee 8 January 2019 Discussion with AMS Community NCAR Strategic Plan 2020-2024

371 views • 15 slides
E NGAGING P RACTICE IN STEM VIA U NIVERSITY -C OMMUNITY C OLLABORATIONS Presented by California

E NGAGING P RACTICE IN STEM VIA U NIVERSITY -C OMMUNITY C OLLABORATIONS Presented by California

D EVELOPING E FFECTIVE AND E NGAGING P RACTICE IN STEM VIA U NIVERSITY -C OMMUNITY C OLLABORATIONS Presented by California State University Long Beach, Department of Science Education Project supported by the California State University

536 views • 16 slides
SLCS and VASH Service Interoperability of Shibboleth and gLite Christoph Witzig, SWITCH

SLCS and VASH Service Interoperability of Shibboleth and gLite Christoph Witzig, SWITCH

Enabling Grids for E-sciencE SLCS and VASH Service Interoperability of Shibboleth and gLite Christoph Witzig, SWITCH (witzig@switch.ch) NREN Grid Workshop Nov 30th, 2007 - Malaga www.eu-egee.org EGEE-II INFSO-RI-031688 EGEE and gLite are

272 views • 25 slides
Debian Med A service for scientists in medicine and biomedical research Andreas Tille Debian

Debian Med A service for scientists in medicine and biomedical research Andreas Tille Debian

Debian Med A service for scientists in medicine and biomedical research Andreas Tille Debian Brussels, 02. February 2013 Andreas Tille (Debian) Debian Med Brussels, 02. February 2013 1 / 12 What is Debian Med? practice management system

610 views • 39 slides
A Virtual Deadline Scheduler for Window-Constrained Service Guarantees Yuting Zhang, Richard

A Virtual Deadline Scheduler for Window-Constrained Service Guarantees Yuting Zhang, Richard

Computer Science A Virtual Deadline Scheduler for Window-Constrained Service Guarantees Yuting Zhang, Richard West, Xin Qi Boston University RTSS 2004 RTSS 2004 Motivating Applications Computer Science Multimedia &amp; weakly-hard

406 views • 25 slides
Imagining the Future and the Role of Human- Centered Design

Imagining the Future and the Role of Human- Centered Design

Imagining the Future and the Role of Human- Centered Design in Smart Service Systems Paul Maglio, University of California, Merced John Carroll, Penn

479 views • 15 slides
Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Security-Enhanced Linux Trent

474 views • 26 slides
Java Technologies Servlets The Context We are in the context of developing a distributed

Java Technologies Servlets The Context We are in the context of developing a distributed

Java Technologies Servlets The Context We are in the context of developing a distributed application - a software system in which components communicate over the network and coordinate their actions in order to achieve a common goal.

1.01k views • 33 slides
Installing a Web Server 1. Install a sample web server, which supports Servlets/JSPs. A light

Installing a Web Server 1. Install a sample web server, which supports Servlets/JSPs. A light

Installing a Web Server 1. Install a sample web server, which supports Servlets/JSPs. A light weight web server is Apache Tomcat server. You can get the server from http://tomcat.apache.org/ 2. Follow the installation directions and install the

199 views • 5 slides
Session 9 Introduction to Servlets Lecture Objectives Understand the foundations for

Session 9 Introduction to Servlets Lecture Objectives Understand the foundations for

Internet Programming Session 9 Servlet Intro Session 9 Introduction to Servlets Lecture Objectives Understand the foundations for client/server Web interactions Understand the servlet life cycle 2 Robert Kelly, 2018 1

494 views • 18 slides
Objectives Review: HTML Forms Intro to Java Server-side Web Technology April 26, 2019

Objectives Review: HTML Forms Intro to Java Server-side Web Technology April 26, 2019

Objectives Review: HTML Forms Intro to Java Server-side Web Technology April 26, 2019 Sprenkle - CS335 1 Review: HTML Forms What attribute is required in a form form tag? What attribute is optional? What attribute do we use to

730 views • 13 slides
Adv. Web Technologies 1) Servlets (introduction) Emmanuel Benoist Fall Term 2016-17 Berner

Adv. Web Technologies 1) Servlets (introduction) Emmanuel Benoist Fall Term 2016-17 Berner

Adv. Web Technologies 1) Servlets (introduction) Emmanuel Benoist Fall Term 2016-17 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Java Servlets Introduction HttpServlets Class

590 views • 33 slides

More recommend