AttackingReal-WorldSecurityProtocolsusing LegacyCrypto[partI]

Karthikeyan Bhargavan

+many,manyothers.(INRIA,MicrosoftResearch,LORIA,IMDEA,Univ ofPennsylvania,Univ ofMichigan,JHU)

VerifyingCryptoProtocolImplementationsinF*[partII]

Method:Type-BasedCryptographic Verification

ModularType-BasedCryptographicVerificationsymmetricencryption(AES-CBC)

cryptographicalgorithms

symmetricencryption

(RC4)

SecureRPC

anotherattack

TLS1.2

activeadversaries

securityprotocols

cryptographicconstructions

encryptthen-MAC

fragment-MAC-encode-then-encrypt

typedinterfaces:cryptographicassumptions

typedinterfaces:attackermodels

someattack

someattack

someattack

MAC(SHA1)

typedinterfaces:securityguarantees

INT-CMA IND-CPA

authenticatedencryption

securechannel

BasisforVerification:Refinementtypes

BasisforVerification:Refinementtypes// Sample type and value declarations in F7type nat = n:int{ 0 <= n }val read: n:nat -> b:bytes{ Length(b) <= n }

// Sample cryptographic library interface in F7module AEStype keytype block = b:bytes{ Length(b)=16 }val encrypt: k:key -> p:block -> c:block {c=AES(k,p)} val decrypt: k:key -> c:block -> p:block {c=AES(k,p)}

ModularTyping&RuntimeSafety

Safetymeansthatalllogicalrefinementsholdatruntime.

F*:refinementtypechecking forF#• WeprogramandspecifyinF*• Weverifymodules

againstinterfaces:F*typechecks &callsZ3,anSMTsolver,oneachlogicalproofobligation

RPC.fsti

RPC.fst

RPC.fsi

Type(F*)

Prove(Z3)

Compile(F#)

Erasetypes

AE.fst

Lib.fst

somecryptographicimplementation

Samplemodularverification(protocol)

RPCprotocolusingAuthenticatedEncryption

Formatting

activeadversaries

securityprotocols

anytypedF#program

SecureRPC

Bytes

systemlibraries

AdversaryModel

applicationcode

anytypedF7program

authenticatedencryption messageformat

RPCAPI

Networking

Samplemodularverification(crypto)

RPCusingEncrypt-then-MAC

cryptographicschemes

Formatting

activeadversaries

securityprotocols

MACauthentication

anytypedF#program

SecureRPC

Bytes

systemlibraries

AdversaryModel

applicationcode

anytypedF7program

cryptographicconstructions

probabilisticcomputationalindistinguishability

Encrypt-then-MAC

AES-CBCencryption

authenticatedencryption messageformat

RPCAPI

≈IDEALIND-CPA

≈IDEALINT-CMA

Networking

Sample Typed Interface for Cryptography

MAC : integrity

Samplefunctionality:

MessageAuthenticationCodesmodule MACtype text = bytes val macsizetype key = bytestype mac = bytes

val GEN : unit -> keyval MAC : key -> text -> macval VERIFY: key -> text -> mac -> bool

basicF#interface

ThisinterfacesaysnothingonthesecurityofMACs.

module MACtype text = bytes val macsizetype keytype mac = bytes

val GEN : unit -> keyval MAC : key -> text -> macval VERIFY: key -> text -> mac -> bool

MACkeysareabstract

Samplefunctionality:

MessageAuthenticationCodes

module MACtype text = bytes val macsizetype keytype mac = b:bytes{Length(b)=macsize}

val GEN : unit -> keyval MAC : key -> text -> macval VERIFY: key -> text -> mac -> bool

MACsarefixedsized

MACkeysareabstract

Samplefunctionality:

MessageAuthenticationCodes

module MACtype text = bytes val macsizetype keytype mac = b:bytes{Length(b)=macsize}predicate Msg of key * textval GEN : unit -> keyval MAC : k:key -> t:text{Msg(k,t)} -> macval VERIFY: k:key -> t:text -> mac

-> b:bool{ b=true ) Msg(k,t)}

idealF7interface

“AllverifiedmessageshavebeenMACed”

MACkeysareabstract

MACsarefixedsized

Msg isspecifiedbyprotocolsusingMACs

Samplefunctionality:

MessageAuthenticationCodes

module MACopen System.Security.Cryptographylet macsize = 20let GEN() = randomBytes 16let MAC k t = (new HASHMACSHA1(k)).ComputeHash tlet VERIFY k t m = (MAC k t = m)

module MACtype text = bytes val macsizetype keytype mac = b:bytes{Length(b)=macsize}predicate Msg of key * textval GEN : unit -> keyval MAC : k:key -> t:text{Msg(k,t)} -> macval VERIFY: k:key -> t:text -> mac

-> b:bool{ b=true ) Msg(k,t)}

idealF7interface

MACkeysareabstract

MACsarefixedsized

Msg isspecifiedbyprotocolsusingMACs

concreteF#implementation(using.NET)

“AllverifiedmessageshavebeenMACed”

Thiscan’tbetrue!(collisions)

Samplefunctionality:

MessageAuthenticationCodes

Samplecomputationalassumption:

ResistancetoChosen-MessageExistentialForgeryAttacks(INT-CMA)

module INT_CMA_Gameopen MacLet private k = GEN()let private log = ref []let mac t =

log := t::!logMAC k t

let verify t m =let v = VERIFY k t m inif v && not (mem t !log) then FORGERYv

CMAgame(codedinF#)

ComputationalSafetyaprobabilisticpolytime programcallingmac andverify forgesaMAConlywithnegligibleprobability²

protocoladversarytypedagainstRPCinterface

ComputationalSafetyforMACsconcretesystem

RPCprotocol

Mac

sampleprotocoltypedagainstidealMACinterface

Idealfilter

errorcorrectionmakingVERIFYreturnsfalseonforgeriesIdealMAC

Mac

Anyp.p.t.adversary

RPCprotocol

Anyp.p.t.adversary

F#interfaceF#interface

idealsystem

secureRPC

concretealgorithmassumed INT-CMAcomputationally

safetoo,withprobability1– 1/𝛆

perfectlysafebytyping

≈

INT-CM

Aadversary

Sampleidealfunctionality:

SupportingKeyCompromisemodule MACtype text = bytes val macsizetype keytype mac = b:bytes{Length(b)=macsize}predicate Msg of key * textval GEN : unit -> keyval MAC : k:key -> t:text{Msg(k,t)} -> macval VERIFY: k:key -> t:text -> mac

-> b:bool{ b=true ) Msg(k,t)}

val keysizetype keybytes = b:bytes{Length(b)=keysize}val LEAK: k:key{!t. Msg(k,t)} -> b:keybytesval COERCE: b:keybytes{…} -> k:key{…}

idealF7interface

“AllverifiedmessageshavebeenMACed”

MACkeysareabstract

MACsarefixedsized

Msg isspecifiedbyprotocolsusingMACs

MACkeyshaveconcreterepresentations

Itissafetoturnkeysintobyteswhenallmessagesareverifiable

Sample Typed Interface for Cryptography

encryption : secrecy

PerfectSecrecybyTyping

• Secrecyisexpressedusingobservationalequivalencesbetweensystemsthatdifferontheirsecrets

• Weprove(probabilistic,informationtheoretic)secrecy bytyping,relyingontypeabstraction

PlaintextModules

• Encryptionisparameterizedbyamodulethatabstractlydefineplaintexts,withinterfacemodule Plaintextval size: inttype plaintype repr = b:bytes{Length(b)=size}val coerce : repr -> plain // turning bytes into secretsval leak : plain -> repr // breaking secrecy!

val respond: plain -> plain // sample protocol code

Ifweremovetheleakfunction,wegetsecrecybytyping

Thesizeofplaintextisfixed(aswecannothideit)

Plainmayalsoimplementanyprotocolfunctionsthatoperatesonsecrets

Ifweremovethecoercefunction,wegetintegritybytyping

IdealInterfaceforAuthenticatedEncryption

• Relyingonbasiccryptographicassumptions(IND-CPA,INT-CTXT)itsidealimplementationneveraccessesplaintexts!Formally,idealAEistypedusinganabstractplain typeENC k p encryptsinsteadzerostoc&andlogs(k,c,p)DEC k c returnsSome(p) when(k,c,p) isinthelog,orNone

module AEopen Plaintexttype keytype cipher = b:bytes{Length(b)= size + 16}

val GEN: unit-> keyval ENC: key -> plain -> cipherval DEC: key -> cipher -> plain option

TowardsTLS:addingTypeIndexes

• WithinTLS,wekeeptrackofmanykeys,fordifferentalgorithms&sessions

• Weusefineridealfunctionalitiesthatprovideconditionalsecurity onlyfor“good”keys– generatedbyalgorithmsassumedcomputationallystrong;and– forsessionsbetweenhonest participants

(notthosewiththeadversary)

module AEopen Plaintype (algorithm, sessionID) key(…)val GEN: a:algorithm -> s:sessionID -> (a,s) keyval LEAK: a:algorithm -> s:sessionID

{Weak(a) or Corrupt(s)} -> (a,s) key -> bytesval COERCE: a:algorithm -> s:sessionID

{Weak(a) or Corrupt(s)} -> bytes -> (a,s) key

Thetypeofthekeygeneratedforthisalgorithmusedonlyforthissession

AnIdealInterfaceforCCA2-SecureEncryption

• Itsidealimplementationencryptszerosinsteadofplaintextssoitneveraccessesplaintextrepresentations,andcanbetypedparametrically

module PKENCopen Plainval pksize: inttype skeytype pkey = b:bytes{ PKey(b) Æ}

val ciphersize: inttype cipher = b:bytes{Length(b)=ciphersize}

val GEN: unit -> pkey * skeyval ENC: pkey -> plain -> cipherval DEC: skey -> cipher -> plain

TypedSecrecyfromCCA2-SecureEncryption

Variants:CPA&Authentication• WithCPA-secureencryption,wehaveaweaker idealinterface

thatdemandsciphertext integritybeforedecryption

• Withauthenticatedencryption,wehaveastronger idealinterfacethatensureplaintextintegrity(muchasMACs)

predicate Encrypted of key * cipher

val ENC: k:key -> plain -> c:cipher{Encrypted(k,c)}val DEC: k:key -> c:cipher{Encrypted(k,c)} -> plain

predicate Msg of key * plain // defined by protocol

val ENC: k:key -> p:plain{Msg(k,p)} -> cipherval DEC: k:key -> cipher -> p:plain{Msg(k,p)} option

Verifying a TLSimplementation

28

TLS protocol overviewClient Server

29

Common TLS configurationsClient Server

30

TLS negotiationClient Server

TransportLayerSecurity(Review)

• Interleavingoffourprotocolsontopoftherecordlayer

RecordLayer

Handshakeprotocol

Changeciphersuite

Alertprotocol

App.dataprotocol

authenticatedencryptionwithadditionaldata

stateful authenticatedencryption

fragment;compress

dispatch

CSKa Ke

CS’Ka’Ke’

TCP/IP

plainfragments

encryptedfragments

I/Obytestreams

Application

webpages

freshkeysforeachnewepoch

data

data

SessionsandConnections

• Sessions(S)areforkeyestablishment• Connectionsarefortransportingrecords(AE),

withinaseriesof“epochs”,possiblywithdifferentciphersuites andcertificates

newS finished rehandshake S’ close

resumeS data alert(fatal)

TCP TCP

TCP’

firstepoch(sameciphersuite &keys)

CCS CCS

nexthandshakeinterleavedwithdata

firsthandshake(unprotected)

abbreviatedhandshake

datadata

DHGroup

DH

CRE

PRF

RSA

Cert

Sig

SessionDB

StAE

LHAE

Enc

MAC

Record

Dispatch

TCP

Untyped Adversary

Encode

LHAEPlain

StPlain

TLSFragment

AlertDatastream

Handshake(andCCS)

TLSInfoTLSConstants

Handshake/CCS

TLSRecord

AppData

Base Bytes

Untyped APIAdversary

RPC

RPCPlainApplication

TLSAPI

AlertProtocol

AppDataProtocol

Nonce

TLS

CoreCrypto

RSAKey

Auth

AuthPlain

Extensions

1

2

3 4

5

67

Range

8

9Error

ModularArchitectureformiTLS

agilelength-hiding stateful

Authenticated Encryptionfor fragment streamswith additional data

DHGroup

DH

CRE

PRF

RSA

Cert

Sig

SessionDB

StAE

LHAE

Enc

MAC

Record

Dispatch

TCP

Untyped Adversary

Encode

LHAEPlain

StPlain

TLSFragment

AlertDatastream

Handshake(andCCS)

TLSInfoTLSConstants

Handshake/CCS

TLSRecord

AppData

Base Bytes

Untyped APIAdversary

RPC

RPCPlainApplication

TLSAPI

AlertProtocol

AppDataProtocol

Nonce

TLS

CoreCrypto

RSAKey

Auth

AuthPlain

Extensions

1

2

3 4

5

67

Range

8

9Error

ModularArchitectureformiTLS

MAC

Fragment;MAC;Encode;thenEncryptplaintextmessagesentbytheapplication

fragment tobesentlater

fragment

padMACfragment

sentearlier

fragmenting&paddingareunder-specified

IVencryptedrecord.header

sent/receivedonTCPconnection

• TLSdecodesthedecryptedtextbefore authentication;potentiallyleakingsecretinformation(via“paddingoracles”)

• Securityreliesonjointciphertext integrity(INT-CTXT)Theproofisadhoc(forCBC)anddependson|MAC|>|Block|(recentattack&proofbyPatersonetal.atASIACRYPT’11)

contenttype&sequencenumber

contenttype&sequencenumber

Fragment-then-Compress?

• Largemessagesareslicedintomanyfragments

• Whenencoded,eachfragmentisindependently compressed

• Aneavesdroppercanrecordthesequenceoffragmentciphertext lengths,andobtainprecisemessagefingerprints– leakingmuchmorethan

thetotalmessagelength

maxfragmentlength(16KB)

lengthsobservedonthenetwork

(16KB)

Fragment-then-Compress?

• Experimentaldata:downloadingsongsoverHTTPS:

Anotherrecentattackexploiting

compressionwithchosenplaintexts

Ourapproach:disablecompression,then

Hidesecretlengthswithinpublicranges• Theapplicationchoosesitsownplaintextrange,

e.g.anysecretURLofsize0..200bytes

•0

• Fragmentationandpaddingdependsonlyontherange&ciphersuite,notonthesecretmessagelength&content

Formally,weindexourtypeofplaintextfragmentsbytheirrange&sequencenumberinthestreamtoo.Bytyping,wecheckthat

AbstractPlaintextFragments

• Abstractplaintextfragmentsareindexedby– keyinfo includingnegotiatedalgorithmsandconnectioninfo– range forthe(secret)plaintextlength– additionaldata,encodinge.g.TLSversion&fragmentnumber

• Typeabstractionyieldsconditional securityforplaintextswithsafekeyinfo

module PlainAEADtype (;ki:KeyInfo) data = b:bytes{…}type (;ki:KeyInfo,rg:range,ad:data) fragment

val leak:ki:KeyInfo{not(Safe(ki))} -> rg:range -> ad:data -> (;ki,rg,ad) fragment -> b:bytes{Length(b) in rg}

val coerce:ki:KeyInfo{not(Safe(ki))} -> rg:range -> ad:data -> b:bytes{Length(b) in rg} ->(;ki,rg,ad) fragment

module PlainAEADtype (;ki:KeyInfo) data = b:bytes{…}type (;ki:KeyInfo,rg:range,ad:data) fragment

val LEAK:ki:KeyInfo{not(Safe(ki))} -> rg:range -> ad:data -> (;ki,rg,ad) fragment -> b:bytes{Length(b) in rg}

val COERCE:ki:KeyInfo{not(Safe(ki))} -> rg:range -> ad:data -> b:bytes{Length(b) in rg} ->(;ki,rg,ad) fragment

AuthenticatedEncryptioninTLS

• encryption&decryptionwithasafeindexdonotaccesstheplaintextbytes(IND-CPA)

• decryptionwithasafeindexsucceedsoncorrectly-encryptedciphertexts,returnsanerrorotherwise (INT-CTXT)

module AEADval encrypt:ki:KeyInfo -> (;ki)key -> ad:(;ki)data ->rg:range -> p:(;ki,rg,ad) fragment -> c:(;ki) cipher { CTXT(ki,ad,p,c) }

val decrypt:ki:KeyInfo -> (;ki)key -> ad:(;ki)data -> c:cipher{CipherLength(ki,c)} -> rg:range * r:(;ki,rg,ad) fragment option{ Safe(ki) => !p. r = Some(p) <=> CTXT(ki,ad,p,c) }

Handshakes

44

TLS_RSA_WITH_AES_128_CBC_SHA

Client Server

45

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

Client Server

46

Cryptographic core of TLS

47

Cryptography of TLS ‘as it is’

48

Cryptographic security goals

completes

Agreement: a cert ms, k tag

Authenticity:

Confidentiality:

49

KEM

DHGroup

DH

KEF

KDF/MAC

RSA

Cert

Sig

SessionDB StAE

LHAE

Enc

MAC

Record

Dispatch

TCP

Untyped Adversary

Encode

LHAEPlain

StPlain

TLSFragmentAlertDatastreamHandshake (and CCS)

TLSInfoTLSConstants

Handshake/CCS

TLSRecord

AppData

Base Bytes

Untyped APIAdversary

RPC

RPCPlainApplication

TLS API

AlertProtocol

AppDataProtocol

Nonce

TLS

CoreCrypto

RSAKey

Auth

AuthPlain

Extensions

1

2

3 4 5

6 7

Range

8

9Error

The concrete implementation

50

Security of master secret KEM

51

Security of master secret KEM

52

Sufficient assumptions on the pms-KEM

53

Sufficient assumptions on the pms-KEM

54

Sufficient assumptions on the pms-KEM

Main TLS API

TheTLSAPI&idealfunctionality

• OurAPIissimilarbutmoreinformativethanmainstreamAPIs– Werunonthecaller’sthread,

lettingtheapplicationdothescheduling&multiplexing– Wegivemorecontrol totheapplicationcode,

andreflectmoreinformationfromtheunderlyingTLSstate(lengths,fragmentation,authorizationqueries)

• Moreprecisesecuritytheorems• Moreflexibilityforexperiments&testing

• Wecanimplementsafe&simpleAPIsontopofit• SampleapplicationsusingourAPI

• SecureRPCs(withoneconnectionpercall)• Password-basedclientauthentication• BasicHTTPSclientsandservers(forinteroperabilitytesting)

ourmainTLSAPI(outline)

type cn // for each local instance of the protocol

// creating new client and server instancesval connect: TcpStream -> params -> (;Client) nullCn Resultval accept: TcpStream -> params -> (;Server) nullCn Result

// triggering new handshakes, and closing connectionsval rehandshake: c:cn{Role(c)=Client} -> cn Resultval request: c:cn{Role(c)=Server} -> cn Resultval shutdown: c:cn -> TcpStream Result

// writing data type (;c:cn,data:(;c) msg_o) ioresult_o =| WriteComplete of c':cn| WritePartial of c':cn * rest:(;c') msg_o| MustRead of c':cnval write: c:cn -> data:(;c) msg_o -> (;c,data) ioresult_o

// reading data type (;c:cn) ioresult_i =| Read of c':cn * data:(;c) msg_i| CertQuery of c':cn| Handshake of c':cn| Close of TcpStream| Warning of c':cn * a:alertDescription| Fatal of a:alertDescription val read : c:cn -> (;c) ioresult_i

Eachapplicationprovidesitsownplaintextmodulefordatastreams:• Typingensures

secrecyandauthenticityatsafeindexes

Eachapplicationcreatesandrunssession&connectionsinparallel• Parametersselect

ciphersuites andcertificates

• Resultsprovidedetailedinformationontheprotocolstate

ourverifiedmodularTLSimplementation

TLS.fs7

Bytes,Networklib.fs

CryptographicProvider

cryptographicassumptions

Mainresult:concreteTLSandidealTLSareindistinguishable

OurtypedidealAPIforTLSthusyieldsapplicationsecuritybytyping

ourverifiedmodularTLSimplementation

TLS.fs7

Bytes,Networklib.fs

anytypedF#program

Mainresult:concreteTLSandidealTLSareindistinguishable

OurtypedidealAPIforTLSthusyieldsapplicationsecuritybytyping

applicationdatastreams

TLSapplicationverifiedbytyping

CryptographicProvider

cryptographicassumptions

“Untyped”idealAPIforTLS

Ideal/Concretestream.fs

indistinguishabilityforallPPTadversaries

plaintypedinterface(attackermodel)

ourverifiedmodularTLSimplementation

TLS.fs7

anytypedF#program

TLSproxywithbytes-onlyAPI

Bytes,Networklib.fs

anytypedF#program

TLS_Adv.fs7

CryptographicProvider

cryptographicassumptions

SecurityforRPC

overTLS

RPCPayloadplain.fs

activeadversaries

ourverifiedmodularTLSimplementation

TLS.fs7

anytypedF#program

RPCrpc.fs

Bytes,Networklib.fs

RpcAdv.fs

applicationcode

anytypedF#program

anytypedF#program

CryptographicProvider

cryptographicassumptions

Interoperability&Performance

WerunclientsagainstanOpenSSL 1.0.1eserverforvariousciphersuites• Howmanyhandshakespersecond?• Howmuchdatatransferredpersecond?

miTLS verifiedcodebaseandpapers

https://github.com/mitls/mitls-fstarhttps://mitls.org/