DOCSLIB.ORG

This Document Includes Text Contributed by Nikos Mavrogiannopoulos, Simon Josefsson, Daiki Ueno, Carolin Latze, Alfredo Pironti, Ted Zlatanov and Andrew Mcdonald

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
This Document Includes Text Contributed by Nikos Mavrogiannopoulos, Simon Josefsson, Daiki Ueno, Carolin Latze, Alfredo Pironti, Ted Zlatanov and Andrew Mcdonald This document includes text contributed by Nikos Mavrogiannopoulos, Simon Josefsson, Daiki Ueno, Carolin Latze, Alfredo Pironti, Ted Zlatanov and Andrew McDonald. Several corrections are due to Patrick Pelletier and Andreas Metzler. ISBN 978-1-326-00266-4 Copyright © 2001-2015 Free Software Foundation, Inc. Copyright © 2001-2019 Nikos Mavrogiannopoulos Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled \GNU Free Documentation License". Contents Preface xiii 1. Introduction to GnuTLS1 1.1. Downloading and installing.............................1 1.2. Installing for a software distribution........................2 1.3. Overview.......................................3 2. Introduction to TLS and DTLS5 2.1. TLS Layers......................................5 2.2. The Transport Layer.................................5 2.3. The TLS record protocol...............................6 2.3.1. Encryption algorithms used in the record layer..............6 2.3.2. Compression algorithms and the record layer...............8 2.3.3. On record padding..............................8 2.4. The TLS alert protocol...............................9 2.5. The TLS handshake protocol............................ 10 2.5.1. TLS ciphersuites............................... 11 2.5.2. Authentication................................ 11 2.5.3. Client authentication............................. 11 2.5.4. Resuming sessions.............................. 12 2.6. TLS extensions.................................... 12 2.6.1. Maximum fragment length negotiation................... 12 2.6.2. Server name indication............................ 12 2.6.3. Session tickets................................ 13 2.6.4. HeartBeat................................... 13 2.6.5. Safe renegotiation.............................. 14 2.6.6. OCSP status request............................. 15 2.6.7. SRTP..................................... 16 2.6.8. False Start.................................. 17 2.6.9. Application Layer Protocol Negotiation (ALPN)............. 17 2.6.10. Extensions and Supplemental Data..................... 18 2.7. How to use TLS in application protocols...................... 18 2.7.1. Separate ports................................ 18 2.7.2. Upward negotiation............................. 19 2.8. On SSL 2 and older protocols............................ 20 3. Authentication methods 21 3.1. Certificate authentication.............................. 21 3.1.1. X.509 certificates............................... 21 3.1.2. OpenPGP certificates............................ 36 3.1.3. Raw public-keys............................... 36 3.1.4. Advanced certificate verification...................... 37 iii Contents 3.1.5. Digital signatures............................... 38 3.2. More on certificate authentication......................... 39 3.2.1. PKCS #10 certificate requests....................... 39 3.2.2. PKIX certificate revocation lists...................... 42 3.2.3. OCSP certificate status checking...................... 45 3.2.4. OCSP stapling................................ 49 3.2.5. Managing encrypted keys.......................... 51 3.2.6. Invoking certtool............................... 55 3.2.7. Invoking ocsptool............................... 76 3.2.8. Invoking danetool.............................. 81 3.3. Shared-key and anonymous authentication..................... 87 3.3.1. PSK authentication............................. 87 3.3.2. SRP authentication............................. 89 3.3.3. Anonymous authentication......................... 92 3.4. Selecting an appropriate authentication method.................. 93 3.4.1. Two peers with an out-of-band channel.................. 93 3.4.2. Two peers without an out-of-band channel................ 93 3.4.3. Two peers and a trusted third party.................... 93 4. Abstract key types and Hardware security modules 101 4.1. Abstract key types.................................. 101 4.1.1. Public keys.................................. 102 4.1.2. Private keys.................................. 104 4.1.3. Operations.................................. 107 4.2. System and application-specific keys........................ 110 4.2.1. System-specific keys............................. 110 4.2.2. Application-specific keys........................... 111 4.3. Smart cards and HSMs................................ 112 4.3.1. Initialization................................. 112 4.3.2. Manual initialization of user-specific modules............... 113 4.3.3. Accessing objects that require a PIN.................... 114 4.3.4. Reading objects................................ 116 4.3.5. Writing objects................................ 119 4.3.6. Low Level Access............................... 120 4.3.7. Using a PKCS #11 token with TLS.................... 120 4.3.8. Verifying certificates over PKCS #11.................... 121 4.3.9. Invoking p11tool............................... 121 4.4. Trusted Platform Module (TPM).......................... 133 4.4.1. Keys in TPM................................. 134 4.4.2. Key generation................................ 134 4.4.3. Using keys.................................. 135 4.4.4. Invoking tpmtool............................... 136 5. How to use GnuTLS in applications 141 5.1. Introduction...................................... 141 5.1.1. General idea................................. 141 iv Contents 5.1.2. Error handling................................ 142 5.1.3. Common types................................ 143 5.1.4. Debugging and auditing........................... 143 5.1.5. Thread safety................................. 145 5.1.6. Running in a sandbox............................ 145 5.1.7. Sessions and fork............................... 146 5.1.8. Callback functions.............................. 146 5.2. Preparation...................................... 147 5.2.1. Headers.................................... 147 5.2.2. Initialization................................. 147 5.2.3. Version check................................. 147 5.2.4. Building the source.............................. 148 5.3. Session initialization................................. 149 5.4. Associating the credentials.............................. 149 5.4.1. Certificates.................................. 149 5.4.2. Raw public-keys............................... 156 5.4.3. SRP...................................... 156 5.4.4. PSK...................................... 158 5.4.5. Anonymous.................................. 160 5.5. Setting up the transport layer............................ 160 5.5.1. Asynchronous operation........................... 164 5.5.2. Reducing round-trips............................. 165 5.5.3. Zero-roundtrip mode............................. 166 5.5.4. Anti-replay protection............................ 167 5.5.5. DTLS sessions................................ 168 5.5.6. DTLS and SCTP............................... 169 5.6. TLS handshake.................................... 170 5.7. Data transfer and termination............................ 171 5.8. Buffered data transfer................................ 173 5.9. Handling alerts.................................... 174 5.10. Priority strings.................................... 176 5.11. Selecting cryptographic key sizes.......................... 179 5.12. Advanced topics................................... 180 5.12.1. Virtual hosts and credentials........................ 180 5.12.2. Session resumption.............................. 181 5.12.3. Certificate verification............................ 185 5.12.4. TLS 1.2 re-authentication.......................... 188 5.12.5. TLS 1.3 re-authentication and re-key.................... 189 5.12.6. Parameter generation............................ 190 5.12.7. Deriving keys for other applications/protocols............... 192 5.12.8. Channel bindings............................... 193 5.12.9. Interoperability................................ 193 5.12.10.Compatibility with the OpenSSL library.................. 194 v Contents 6. GnuTLS application examples 203 6.1. Client examples.................................... 203 6.1.1. Client example with X.509 certificate support............... 203 6.1.2. Datagram TLS client example....................... 206 6.1.3. Using a smart card with TLS........................ 208 6.1.4. Client with resume capability example................... 211 6.1.5. Client example with SSH-style certificate verification........... 214 6.2. Server examples.................................... 216 6.2.1. Echo server with X.509 authentication................... 216 6.2.2. DTLS echo server with X.509 authentication............... 220 6.3. More advanced client and servers.......................... 227 6.3.1. Client example with anonymous authentication.............. 227 6.3.2. Using a callback to select the certificate to use.............. 229 6.3.3. Obtaining session information........................ 233 6.3.4. Advanced certificate verification...................... 235 6.3.5. Client example with PSK authentication.................. 238 6.3.6. Client example with SRP authentication.................. 241 6.3.7. Legacy client example with X.509 certificate support........... 243 6.3.8. Client example using the C++ API.................... 246 6.3.9. Echo server with PSK authentication...................
Load more

Recommended publications
  • Treasury X.509 Certificate Policy [TREASURYCP].” It Only Addresses Where an OLT PKI’S Requirements Differ from the Requirements for Basic Assurance in [TREASURYCP]
    UNCLASSIFIED UNITED STATES DEPARTMENT OF THE TREASURY DEPARTMENT OF THE TREASURY PUBLIC KEY INFRASTRUCTURE (PKI) X.509 CERTIFICATE POLICY VERSION 3.4 April 27, 2021 PKI Policy Management Authority (PMA) DATE DANIEL W. WOOD 1 UNCLASSIFIED DOCUMENT VERSION CONTROL Version Date Author(s) Description Reason For Change Bring the Treasury PKI Policy into Department of the compliance with FPKIPA change Treasury PKI Policy in 2.0 January 2008 James Schminky proposal requiring all cross certified RFC PKI Policies to be in RFC 3647 3647 format. format. As a result of mapping the Treasury Errata changes to sections PKI Policy to Federal Policy, a 2.2.1, 2.1 March 17, 2009 James Schminky number of minor changes and 4.8, 4.912, 5.5, and omissions where identified and 7.1.3. corrected. As a result of the PMA annual Errata changes to sections review a number of minor 5.6, and 6.3.2. Change corrections, Federal Bridge proposal changes to 2.4, 2.2 March 11, 2010 James Schminky Certification Authority (FBCA) 4.2.2, 5.1, 5.1.1 5.1.2.1, Policy Change Proposal Number: 5.4.4, 5.4.5, 6.1.6, 6.5.1, 2009-02 and 2010-01, and Treasury and 6.7. Change Proposal Change proposal changes As a result of FBCA Policy Change 2.3 April 15, 2010 James Schminky to 8.1 and 8.4. Proposal Number: 2010-02. Changes Proposal As a result of FBCA Policy Change Changes to 1.3.1.8, Proposal Numbers; 2010-3 thru 8 2.4 March 22, 2011 James Schminky 3.1.1&.2, 3.1.5, 3.2.3.1, and CPCA policy Change Proposal 4.7, 6.1.5, 8.1, and 9.4.3.
    [Show full text]
  • Effective Cryptography What’S Wrong with All These Crypto Apis?
    Effective Cryptography What’s Wrong With All These Crypto APIs? Thorsten Groetker, CTO Utimaco, Inc. Utimaco IS Business Unit· Aachen, Germany · ©2015 Page 1 Outline § What I mean by Effective Cryptography § Crypto APIs § Security § Ease of Use § Runtime Performance § Predictions § CryptoScript in a Nutshell § Outlook Utimaco IS Business Unit· Aachen, Germany · ©2015 Page 2 Effective Cryptography Definition in a Nutshell Cryptography is effective if it is Li lingues es membres del sam familie. Lor separat existentie es 1. Secure unJCE/JCA myth. Por scientie, musica , sport etc, litot li sam vocabular. Li lingues differe solmen in li grammaticaOpenSSL, li pronunciation e li pluEVP commun vocabules. Omnicos directe al desirabilite de un nov lingua franca: On refusa continuar payar custosi traductores. At solmen va esser necessi 2. Efficient far uniform grammaticaPKCS#11, pronunciation e plu sommun paroles. Ma quande lingues coalesce, li grammatica del resultant lingue es plu CAPIsimplic e regulari quam ti del coalescent lingues. Li nov lingua CNG a. Time to Result franca va esser plu simplic e regulari quam li existent Bouncy linguesCastle. I b. Performance What’s wrong with all these crypto APIs? (Focused on Hardware Security Modules) Utimaco IS Business Unit· Aachen, Germany · ©2015 Page 3 Problem #1: Security PKCS#11 § Numerous key extraction attacks known § Jolyon Clulow “On the Security of PKCS#11” § Tookan project (e.g., “Attacking and Fixing PKCS#11 Security Tokens”) § CVE entries (not necessarily sporting “PKCS#11” in the text)
    [Show full text]
  • Using Frankencerts for Automated Adversarial Testing of Certificate
    Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations Chad Brubaker ∗ y Suman Janay Baishakhi Rayz Sarfraz Khurshidy Vitaly Shmatikovy ∗Google yThe University of Texas at Austin zUniversity of California, Davis Abstract—Modern network security rests on the Secure Sock- many open-source implementations of SSL/TLS are available ets Layer (SSL) and Transport Layer Security (TLS) protocols. for developers who need to incorporate SSL/TLS into their Distributed systems, mobile and desktop applications, embedded software: OpenSSL, NSS, GnuTLS, CyaSSL, PolarSSL, Ma- devices, and all of secure Web rely on SSL/TLS for protection trixSSL, cryptlib, and several others. Several Web browsers against network attacks. This protection critically depends on include their own, proprietary implementations. whether SSL/TLS clients correctly validate X.509 certificates presented by servers during the SSL/TLS handshake protocol. In this paper, we focus on server authentication, which We design, implement, and apply the first methodology for is the only protection against man-in-the-middle and other large-scale testing of certificate validation logic in SSL/TLS server impersonation attacks, and thus essential for HTTPS implementations. Our first ingredient is “frankencerts,” synthetic and virtually any other application of SSL/TLS. Server authen- certificates that are randomly mutated from parts of real cer- tication in SSL/TLS depends entirely on a single step in the tificates and thus include unusual combinations of extensions handshake protocol. As part of its “Server Hello” message, and constraints. Our second ingredient is differential testing: if the server presents an X.509 certificate with its public key.
    [Show full text]
  • Libressl Presentatie2
    Birth of LibreSSL and its current status Frank Timmers Consutant, Snow B.V. Background What is LibreSSL • A fork of OpenSSL 1.0.1g • Being worked on extensively by a number of OpenBSD developers What is OpenSSL • OpenSSL is an open source SSL/TLS crypto library • Currently the de facto standard for many servers and clients • Used for securing http, smtp, imap and many others Alternatives • Netscape Security Services (NSS) • BoringSSL • GnuTLS What is Heartbleed • Heartbleed was a bug leaking of private data (keys) from both client and server • At this moment known as “the worst bug ever” • Heartbeat code for DTLS over UDP • So why was this also included in the TCP code? • Not the reason to create a fork Why did this happen • Nobody looked • Or at least didn’t admit they looked Why did nobody look • The code is horrible • Those who did look, quickly looked away and hoped upstream could deal with it Why was the code so horrible • Buggy re-implementations of standard libc functions like random() and malloc() • Forces all platforms to use these buggy implementations • Nested #ifdef, #ifndefs (up to 17 layers deep) through out the code • Written in “OpenSSL C”, basically their own dialect • Everything on by default Why was it so horrible? crypto_malloc • Never frees memory (Tools like Valgrind, Coverity can’t spot bugs) • Used LIFO recycling (Use after free?) • Included debug malloc by default, logging private data • Included the ability to replace malloc/free at runtime #ifdef trees • #ifdef, #elif, #else trees up to 17 layers deep • Throughout the complete source • Some of which could never be reached • Hard to see what is or not compiled in 1.
    [Show full text]
  • Lattice-Based Cryptography - a Comparative Description and Analysis of Proposed Schemes
    Lattice-based cryptography - A comparative description and analysis of proposed schemes Einar Løvhøiden Antonsen Thesis submitted for the degree of Master in Informatics: programming and networks 60 credits Department of Informatics Faculty of mathematics and natural sciences UNIVERSITY OF OSLO Autumn 2017 Lattice-based cryptography - A comparative description and analysis of proposed schemes Einar Løvhøiden Antonsen c 2017 Einar Løvhøiden Antonsen Lattice-based cryptography - A comparative description and analysis of proposed schemes http://www.duo.uio.no/ Printed: Reprosentralen, University of Oslo Acknowledgement I would like to thank my supervisor, Leif Nilsen, for all the help and guidance during my work with this thesis. I would also like to thank all my friends and family for the support. And a shoutout to Bliss and the guys there (you know who you are) for providing a place to relax during stressful times. 1 Abstract The standard public-key cryptosystems used today relies mathematical problems that require a lot of computing force to solve, so much that, with the right parameters, they are computationally unsolvable. But there are quantum algorithms that are able to solve these problems in much shorter time. These quantum algorithms have been known for many years, but have only been a problem in theory because of the lack of quantum computers. But with recent development in the building of quantum computers, the cryptographic world is looking for quantum-resistant replacements for today’s standard public-key cryptosystems. Public-key cryptosystems based on lattices are possible replacements. This thesis presents several possible candidates for new standard public-key cryptosystems, mainly NTRU and ring-LWE-based systems.
    [Show full text]
  • Encryption Procedure
    Encrypting Software for Transmission to NIST 1. Scope NIST requires that all software submitted by the participants be signed and encrypted. Signing is done with the participant’s private key, and encrypting is done with the NIST project public key, which is published at http://www.nist.gov/itl/iad/ig/encrypt.cfm. NIST will validate all submitted materials using the participant’s public key, and the authenticity of that key will be verified using the key fingerprint. This fingerprint must be submitted to NIST as part of the signed participant agreement. By encrypting the submissions, we ensure privacy; by signing the submission, we ensure authenticity (the software actually belongs to the submitter). NIST will not take ownership of any submissions that are not signed and encrypted. All cryptographic operations (signing and encrypting) shall be performed with software that implements the OpenPGP standard, as described in Internet RFC 4880. The freely available Gnu Privacy Guard (GPG) software, available at www.gnupg.org, is one such implementation. 2. Submission of software to NIST NIST requires that all software submitted by the participants be signed and encrypted. Two keys pairs are needed: • Signing is done with the software provider's private key, and • Encryption is done with the NIST project public key, which is available at http://www.nist.gov/itl/iad/ig/encrypt.cfm 2.1. Project Specific Parameters The values for the project specific parameters (ProjectName, ProjectPublicKey, and ProjectEmail) mentioned in this document are found at http://www.nist.gov/itl/iad/ig/encrypt.cfm 1 2.2. Creating participant cryptographic key pair The steps below show how to create a public/private key pair and fingerprint using the GPG software.
    [Show full text]
  • Rigorous Cache Side Channel Mitigation Via Selective Circuit Compilation
    RiCaSi: Rigorous Cache Side Channel Mitigation via Selective Circuit Compilation B Heiko Mantel, Lukas Scheidel, Thomas Schneider, Alexandra Weber( ), Christian Weinert, and Tim Weißmantel Technical University of Darmstadt, Darmstadt, Germany {mantel,weber,weissmantel}@mais.informatik.tu-darmstadt.de, {scheidel,schneider,weinert}@encrypto.cs.tu-darmstadt.de Abstract. Cache side channels constitute a persistent threat to crypto implementations. In particular, block ciphers are prone to attacks when implemented with a simple lookup-table approach. Implementing crypto as software evaluations of circuits avoids this threat but is very costly. We propose an approach that combines program analysis and circuit compilation to support the selective hardening of regular C implemen- tations against cache side channels. We implement this approach in our toolchain RiCaSi. RiCaSi avoids unnecessary complexity and overhead if it can derive sufficiently strong security guarantees for the original implementation. If necessary, RiCaSi produces a circuit-based, hardened implementation. For this, it leverages established circuit-compilation technology from the area of secure computation. A final program analysis step ensures that the hardening is, indeed, effective. 1 Introduction Cache side channels are unintended communication channels of programs. Cache- side-channel leakage might occur if a program accesses memory addresses that depend on secret information like cryptographic keys. When these secret-depen- dent memory addresses are loaded into a shared cache, an attacker might deduce the secret information based on observing the cache. Such cache side channels are particularly dangerous for implementations of block ciphers, as shown, e.g., by attacks on implementations of DES [58,67], AES [2,11,57], and Camellia [59,67,73].
    [Show full text]
  • Hardware Based Compression in Ceph OSD with BTRFS
    Hardware Based Compression in Ceph OSD with BTRFS Weigang Li ([email protected]) Tushar Gohad ([email protected]) Data Center Group Intel Corporation 2016 Storage Developer Conference. © Intel Corp. All Rights Reserved. Credits This work wouldn’t have been possible without contributions from – Reddy Chagam ([email protected]) Brian Will ([email protected]) Praveen Mosur ([email protected]) Edward Pullin ([email protected]) 2 2016 Storage Developer Conference. © Intel Corp. All Rights Reserved. Agenda Ceph A Quick Primer Storage Efficiency and Security Features Offload Mechanisms – Software and Hardware Compression in Ceph OSD with BTRFS Compression in BTRFS and Ceph Hardware Acceleration with QAT PoC implementation Performance Results Key Takeaways 3 2016 Storage Developer Conference. © Intel Corp. All Rights Reserved. Ceph Open-source, object-based scale-out storage system Software-defined, hardware-agnostic – runs on commodity hardware Object, Block and File support in a unified storage cluster Highly durable, available – replication, erasure coding Replicates and re-balances dynamically 4 Image source: http://ceph.com/ceph-storage 2016 Storage Developer Conference. © Intel Corp. All Rights Reserved. Ceph Scalability – CRUSH data placement, no single POF Enterprise features – snapshots, cloning, mirroring Most popular block storage for Openstack use cases 10 years of hardening, vibrant community 5 Source: http://www.openstack.org/assets/survey/April-2016-User-Survey-Report.pdf 2016 Storage Developer Conference. © Intel Corp. All Rights Reserved. Ceph: Architecture OSD OSD OSD OSD OSD btrfs xfs ext4 POSIX Backend Backend Backend Backend Backend Bluestore KV DISK DISK DISK DISK DISK Commodity Servers M M M 6 2016 Storage Developer Conference.
    [Show full text]
  • GNUPG Open Source Encryption on HP Nonstop
    GNUPG Open Source Encryption on HP NonStop Damian Ward NonStop Solutions Architect / BITUG Vice Chairman Confidential Introduction What am I going to talk about today • About Me • About VocaLink • History of encryption • PGP to GNUPG • PGP encryption walkthrough • Installing GNUPG • Use Case • Questions..? Please feel free to ask as we go through the presentation. Confidential 2 Introduction About your presenter • Damian Ward • 20+ years HP NonStop and Payments experience • Career spanning: − Operations, Application Programming, System Management, Programme Management, Technical Specialist, Solutions Architect, Enterprise Architect, Infrastructure Architect • Specialities: − HP NonStop systems and architecture, Enterprise Architecture, Encryption, Availability Management, ATM Systems, Payments Processing, Capacity Planning, System modelling, Fraud, Mobile and Internet technologies, Programming, Emerging Technologies and Robotics • BITUG Vice Chairman 2011 • BITUG Chairman 2012 Confidential 3 Introduction VocaLink: cards processing landscape Direct connection to in house processing system Indirect ATM acquirer and card issuer connection (via VocaLinkCSB) FIS Connex Advantage Connections to Mobile Switch with resillient Operators Indirect ATM connection (via third telecommunication party processor) connections to each customer Connections to Direct connection overseas to Post Office via TNS CSB schemes and systems ATM and POS international banks acquiring and issuing connections via gateway connections to international schemes Confidential
    [Show full text]
  • Implementing PKI Services on Z/OS
    Front cover Implementing PKI Services on z/OS Installation of PKI and all of its prerequistes on z/OS An example of the PKI Exit PKI’s use of ICSF to store Master Key Chris Rayns Theo Antoff Jack Jones Patrick Kappeler Vicente Ranieri Roland Trauner ibm.com/redbooks International Technical Support Organization Implementing PKI Services on z/OS February 2004 SG24-6968-00 Note: Before using this information and the product it supports, read the information in “Notices” on page vii. First Edition (February 2004) This edition applies to z/OS Version 1, Release 3. © Copyright International Business Machines Corporation 2004. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . vii Trademarks . viii Preface . ix The team that wrote this redbook. ix Become a published author . x Comments welcome. xi Chapter 1. Security Server PKI Services. 1 1.1 Overview of digital certificate. 2 1.2 The PKIX standards . 4 1.2.1 CA hierarchy . 6 1.2.2 The X.509 certificate and Certificate Revocation List . 9 1.2.3 The x.509 v3 certificate extension fields . 14 1.2.4 Certificate and CRL appearance. 17 1.3 The z/OS PKI Services . 21 1.3.1 Security Server PKI Services in z/OS . 21 1.3.2 Prerequisite products . 22 1.3.3 Requests supported by z/OS PKI Services. 23 1.3.4 Browser and server certificates. 24 1.3.5 The z/OS PKI Services architecture . 26 1.4 Security Server PKI Services enhancement in z/OS V1R4.
    [Show full text]
  • Black-Box Security Analysis of State Machine Implementations Joeri De Ruiter
    Black-box security analysis of state machine implementations Joeri de Ruiter 18-03-2019 Agenda 1. Why are state machines interesting? 2. How do we know that the state machine is implemented correctly? 3. What can go wrong if the implementation is incorrect? What are state machines? • Almost every protocol includes some kind of state • State machine is a model of the different states and the transitions between them • When receiving a messages, given the current state: • Decide what action to perform • Which message to respond with • Which state to go the next Why are state machines interesting? • State machines play a very important role in security protocols • For example: • Is the user authenticated? • Did we agree on keys? And if so, which keys? • Are we encrypting our traffic? • Every implementation of a protocol has to include the corresponding state machine • Mistakes can lead to serious security issues! State machine example Confirm transaction Verify PIN 0000 Failed Init Failed Verify PIN 1234 OK Verified Confirm transaction OK State machines in specifications • Often specifications do not explicitly contain a state machine • Mainly explained in lots of prose • Focus usually on happy flow • What to do if protocol flow deviates from this? Client Server ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data
    [Show full text]
  • Scalable Verification for Outsourced Dynamic Databases Hwee Hwa PANG Singapore Management University, [email protected]
    Singapore Management University Institutional Knowledge at Singapore Management University Research Collection School Of Information Systems School of Information Systems 8-2009 Scalable Verification for Outsourced Dynamic Databases Hwee Hwa PANG Singapore Management University, [email protected] Jilian ZHANG Singapore Management University, [email protected] Kyriakos MOURATIDIS Singapore Management University, [email protected] DOI: https://doi.org/10.14778/1687627.1687718 Follow this and additional works at: https://ink.library.smu.edu.sg/sis_research Part of the Databases and Information Systems Commons, and the Numerical Analysis and Scientific omputC ing Commons Citation PANG, Hwee Hwa; ZHANG, Jilian; and MOURATIDIS, Kyriakos. Scalable Verification for Outsourced Dynamic Databases. (2009). Proceedings of the VLDB Endowment: VLDB'09, August 24-28, Lyon, France. 2, (1), 802-813. Research Collection School Of Information Systems. Available at: https://ink.library.smu.edu.sg/sis_research/876 This Conference Proceeding Article is brought to you for free and open access by the School of Information Systems at Institutional Knowledge at Singapore Management University. It has been accepted for inclusion in Research Collection School Of Information Systems by an authorized administrator of Institutional Knowledge at Singapore Management University. For more information, please email [email protected]. Scalable Verification for Outsourced Dynamic Databases HweeHwa Pang Jilian Zhang Kyriakos Mouratidis School of Information Systems Singapore Management University fhhpang, jilian.z.2007, [email protected] ABSTRACT receive updated price quotes early could act ahead of their com- Query answers from servers operated by third parties need to be petitors, so the advantage of data freshness would justify investing verified, as the third parties may not be trusted or their servers may in the computing infrastructure.
    [Show full text]