Presentation is loading. Please wait.

Presentation is loading. Please wait.

Verified protocol implementations in F*

Published by廊 宦 Modified over 6 years ago

Similar presentations

Presentation on theme: "Verified protocol implementations in F*"— Presentation transcript:

1 Verified protocol implementations in F*
Alessandro Bruni

2 $ whoami # Alessandro Bruni – Computer Scientist
Now: Postdoc ITU (computer security, SW verification, theorem provers…) Before: Fall 2015: Garbage Prolog Dev. Center : DTU (computer sec., SW ver, ...) Contributed crypto examples to the FStar repo 2012: Research Siav SpA (process mining) Find me at: alessandrobruni.name

3 Recap: F* & Refinement types
F* = F# + Types on Steroids: Can express powerful properties on data, e.g.: val cons: n: nat -> l: ‘a list {n = List.length l} -> x: ‘a -> l’: ‘a list {n+1 = List.length l’} “Can we use refinement types for proving security of protocols?” = +

4 Heartbleed, openSSL

5 Source: XKCD

6 Source: XKCD

7 Could /that/ be prevented?
Yes Yes! Like tons of similar vulnerabilities, using a strong typing discipline Option 2: val reply: len:nat -> msg:text{length msg = len}  -> resp:text{resp = msg} Hint: not a complete solution…

8 miTLS: A Verified Reference Implementation of TLS
Uses F* dependent types to reason about the security of TLS Attacks discovered while verifying TLS: Alert 3SHAKE VHC SMACK Logjam SLOTH Quick morale: Automatic reasoning about program correctness helps to discover problems, otherwise unnoticed The more automatic checking, the better

9 Introducing: Security Games
“the only winning move is not to play” Artificial setup: Attacker given access to an Oracle, who gives him lots of information (e.g. encrypts/decrypts messages for him) minus some important bits (e.g. encryption keys) Game follows a script: the attacker and the oracle both follow the rules of the game Security proof: If the attacker has no better strategy than purely random guesses then the protocol is secure

10 Eavesdropping security (EAV)
Oracle (knows k) Eavesdropper m[0] m[1] , ( ) b = sample {0,1} encrypt(k, m[b]) guess b Eavesdropper wins the game if P(guess b) > ½ + ε

11 Uppin’ the Game: Chosen Plaintext Attacks (IND-CPA)
, ( ) m[0] m[1] b = sample {0,1} encrypt(k, m[b]) guess b We give the attacker access to encrypt(k, -) before and after the interaction with the user Still, we should have P(guess b) < ½ + ε Encryption should never return the same value twice ;)

12 Integrity of Chosen Message Attacks (INT-CMA)
Oracle (knows k) Attacker m t = sign(k, m) (m’, t’) t’ = sign(m’, k) Attacker can query the oracle for signatures, but each requested message m is logged along with its signature tag t The attacker wins the game if he can produce a new pair (m’, t’), where t’ = sign(k, m’), with probability > ε

13 Reasoning in F* Security games are recipes (programs?)
Involve interaction between parties val send: string -> IO unit val recv: unit -> IO string Express verification conditions IND-CPA Encryption: val enc: k:key -> plain -> c:cipher{Encrypted k c} val dec: k:key -> c:cipher{Encrypted k c} -> plain INT-CMA Signatures: val mac: k:key -> t:text{Oracle k t} -> tag val verify: k:key -> t:text -> tag -> b:bool{b ==> Oracle k t} Are we missing something? where the predicate ENCrypted(k,p,c) in the refinements ensures that a well-typed program never attempts to decrypt a ciphertext not produced by ENC. The interface also includes a logical as- sumption, stating that a ciphertext is the correct encryption of at most one plaintext for a given key. Authenticated

14 Introducing: Probabilistic F*
New construct: let n = sample {0,1} in n = 1 50% n = 0 50%

15 Negligible differences
let mac k t = let m = hmac_sha1 k t in log := Entry k t m :: !log; m let verify k text tag = let m = hmac_sha1 k text in let verified = (m = tag) in let found = is_Some (List.find (fun (Entry k' text' tag’) -> k = k' && text = text') !log) in verified && found let mac k t = let m = hmac_sha1 k t in m let verify k text tag = let m = hmac_sha1 k text in let verified = (m = tag) in verified Remember: val mac: k:key -> t:text{Oracle k t} -> tag val verify: k:key -> t:text -> tag -> b:bool{b ==> Oracle k t}

16 Example: RPC protocol A -> B: utf8 s, mac kAB s B -> A: utf8 t, mac kAB (s, t) assume forall k t . Oracle k (utf8 t) <==> Request t let client q =   assume Request(q)   ...   send mac k (utf8 q) let server q =   ...   if verify k (utf8 q) m     then assert Request(q)       process q

17 Demo

18 Conclusions We can build cryptographic proofs of correctness using dependent types Precisely reasoning about the correctness of programs (using types) helps discover problems (miTLS attacks) Interested in more crypto protocols? Explore /FStar/examples/crypto

Download ppt "Verified protocol implementations in F*"

Similar presentations

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.

SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.

1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
Security Definitions in Computational Cryptography

Security Definitions in Computational Cryptography
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.

S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Overview of Cryptography Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Overview of Cryptography Anupam Datta CMU Fall A: Foundations of Security and Privacy.
Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.

Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Hybrid Signcryption with Outsider Security

Hybrid Signcryption with Outsider Security
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Feb 19, 2002Mårten Trolin1 Previous lecture Practical things about the course. Example of cryptosystem — substitution cipher. Symmetric vs. asymmetric.

Feb 19, 2002Mårten Trolin1 Previous lecture Practical things about the course. Example of cryptosystem — substitution cipher. Symmetric vs. asymmetric.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Dan Boneh Authenticated Encryption Case study: TLS Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Case study: TLS Online Cryptography Course Dan Boneh.
Rennes, 15/10/2014 Cristina Onete Message authenticity: Digital Signatures.

Rennes, 15/10/2014 Cristina Onete Message authenticity: Digital Signatures.

Similar presentations

Ads by Google