Formal Verification for Real-World Cryptographic Protocols and Implementations Nadim Kobeissi
Formal Verification for Real-World Cryptographic Protocols and Implementations
Nadim Kobeissi

To cite this version: Nadim Kobeissi. Formal Verification for Real-World Cryptographic Protocols and Implementations. Computer Science [cs]. INRIA Paris; École Normale Supérieure de Paris - ENS Paris, 2018. English. tel-03245433v1

HAL Id: tel-03245433
https://hal.inria.fr/tel-03245433v1
Submitted on 22 Dec 2018 (v1), last revised 1 Jun 2021 (v4)

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

Institut National de Recherche en Informatique et Automatique, accredited by École Normale Supérieure
Doctoral Thesis

Formal Verification for Real-World Cryptographic Protocols and Implementations

Author: Nadim Kobeissi
Supervisors: Karthikeyan Bhargavan, Bruno Blanchet
Referees: Stéphanie Delaune (IRISA, Rennes); Cas Cremers (CISPA-Helmholtz Center, Saarbruecken); Tamara Rezk (INRIA, Sophia Antipolis)
Examiners: Stéphanie Delaune (IRISA, Rennes); Antoine Delignat-Lavaud (Microsoft Research, Cambridge); Ralf Küsters (University of Stuttgart, Stuttgart); David Pointcheval (École Normale Supérieure, Paris)

A thesis submitted in fulfillment of the requirements for the degree of Doctor of Computer Science from the ED386 école doctorale and defended on December 10th, 2018.

There is always some madness in love. But there is also always some reason in madness. And those who were seen dancing were thought to be insane by those who could not hear the music.
Friedrich Nietzsche

Thanks to God that he gave me stubbornness when I know I am right.
John Adams

To my father, Hassan.

Abstract

Individuals and organizations are increasingly relying on the Web and on user-facing applications for use cases such as online banking, secure messaging, document sharing and electronic voting. To protect the confidentiality and integrity of these communications, these systems depend on authentication and authorization protocols, on application-level cryptographic constructions and on transport-layer cryptographic protocols. However, combining these varied mechanisms to achieve high-level security goals is error-prone and has led to many attacks even on sophisticated and well-studied applications.

This thesis aims to develop methods and techniques for reasoning about, designing and implementing cryptographic protocols and secure application components relevant to some of the most frequently used cryptographic protocols and applications. We investigate and formalize various notions of expected guarantees and evaluate whether some of the most popular secure channel protocols, such as secure messaging protocols and transport protocols often operating at the billion-user scale, are capable of meeting these goals.

In this thesis, we ask: can existing major paradigms for formal protocol verification serve as guidelines for the assessment of existing protocols, the prototyping of protocols being designed, and the conception of entirely new protocols, in a way that is meaningful and reflective of their expected real-world properties? And can we develop novel frameworks for formal verification and more secure implementation based on these foundations?

We propose new formal models in both symbolic and computational formal verification frameworks for these protocols and applications. In some of the presented work, we obtain a verification methodology that starts from the protocol and ends at the implementation code.
In other parts of our work, we develop a dynamic framework for generating formal verification models for any secure channel protocol described in a lightweight syntax. Ultimately, this thesis presents formal verification approaches for existing protocols reaching towards their implementation as well as methods for prototyping and formally verifying new protocols as they are being drafted and designed.

Acknowledgments

Being able to work on this research at INRIA has been the most essential opportunity that I have been given in my life. Furthermore, no more essential opportunity will ever arise in my life, since my future will undeniably be rooted in what I've been allowed to work on at INRIA, in the researchers of INRIA taking me in and teaching me the posture and adroitness necessary for good research.

Being at INRIA has taught me much more than the proper formal analysis of cryptographic protocols. It taught me just how difficult and uncompromising true scientific rigor can be and the importance of a diligent and forward-looking work ethic. It also taught me patience, helped me expand my perspective with regards to the viewpoints of others and my sense of good faith during teamwork. It helped me mature into someone less sure of his intuition while nevertheless radically strengthening that intuition in the same process.

The researchers at INRIA are part of an institution that morally and intellectually is larger than life, where the bottom line, the net product ends up being uncompromising research pushed forward with equal amounts of passion and prudence. I hope that I can carry with me what I've been given at INRIA by imparting the insights of what I've been able to work on and the values that determine how the work is to be done.
Most of the contributions herein that can be considered my own are largely due to my acting as a sort of highly opinionated melting pot for Karthik's decades-long vision for Web security, Antoine's first explaining to me that, in F*, "types are proofs", Bruno's unnerving, laser-like focus and rigor; I could go on to cover every member of the PROSECCO research group in words that seem inflated but aren't really. Being at INRIA taught me how to think. Working with these people taught me more than I could have ever learned on my own and made me into more than I could have hoped to become.

I am also deeply grateful for Cedric and Antoine's hosting me at Microsoft Research for the duration of my internship and most of all for actually letting me call my internship project "QuackyDucky", even keeping that name after integrating it into the Project Everest stack well after my departure. I would have never received this opportunity were it not for the trust and good faith that Graham, Harry and Philippe put in me during my first year. Their confidence was pivotal in my being given a chance to learn how to do actual science.

Regarding the thesis committee, who likely already groaned at the prospect of yet another big thesis to read and are even more apprehensive about it after reading this warm, fuzzy essay, I can promise you cookies at the defense. As for Karthik, what I owe him is beyond evaluation.

Contents

Abstract .......... 5
Acknowledgments .......... 7
Contents .......... 12
Introduction .......... 13
1 Formal Verification for Secure Messaging .......... 31
1.1 A Security Model for Encrypted Messaging .......... 32
1.1.1 Threat Model .......... 33
1.1.2 Security Goals .......... 33
1.2 Symbolic Verification with ProVerif .......... 34
1.2.1 Secret Chats in Telegram .......... 35
1.2.2 Towards Automated Verification .......... 36
1.3 Formally Verifying SP .......... 36
1.3.1 Protocol Overview .......... 36
1.3.2 Protocol Verification .......... 38
1.3.3 Other Protocols: OTR .......... 41
1.4 Cryptographic Proofs with CryptoVerif .......... 42
1.4.1 Assumptions .......... 42
1.4.2 Indifferentiability of HKDF .......... 43
1.4.3 Protocol Model .......... 50
1.4.4 Security Goals .......... 50
1.4.5 Results .......... 51
1.5 Conclusion and Related Work .......... 51
2 Formal Verification for Transport Layer Security .......... 53
2.0.1 Our Contributions .......... 54
2.1 A Security Model for TLS .......... 54
2.2 TLS 1.3 1-RTT: Simpler, Faster Handshakes .......... 55
2.2.1 Security Goals for TLS .......... 55
2.2.2 A Realistic Threat Model for TLS .......... 57
2.2.3 Modeling the Threat Model in ProVerif .......... 59
2.2.4 Modeling and Verifying TLS 1.2 in ProVerif .......... 60
2.2.5 Verification Effort .......... 62
2.2.6 1-RTT Protocol Flow .......... 62
2.2.7 Modeling 1-RTT in ProVerif .......... 64
2.2.8 1-RTT Security Goals .......... 65
2.2.9 Verifying 1-RTT in Isolation .......... 66
2.2.10 Verifying TLS 1.3 1-RTT composed with TLS 1.2 .......... 66
2.3 0-RTT with Semi-Static Diffie-Hellman .......... 67
2.3.1 Protocol Flow .......... 67
2.3.2 Verification with ProVerif .......... 68
2.3.3 Unknown Key Share Attack on DH-based 0-RTT in QUIC, OPTLS, and TLS 1.3 .......... 69
2.4 Pre-Shared Keys for Resumption and 0-RTT .......... 69
2.4.1 Protocol Flow .......... 70
2.4.2 Verifying PSK-based Resumption .......... 71
2.4.3 An Attack on 0-RTT Client Authentication .......... 71
2.4.4 The Impact of Replay on 0-RTT and 0.5-RTT .......... 72
2.5 Computational Analysis of TLS 1.3