DOCSLIB.ORG

The Design and Analysis of Real-World Cryptographic Protocols

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The Design and Analysis of Real-World Cryptographic Protocols The Design and Analysis of Real-World Cryptographic Protocols Samuel Scott Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics Royal Holloway, University of London 2017 Declaration These doctoral studies were conducted under the supervision of Prof. Kenneth G. Paterson and Prof. Simon R. Blackburn. The work presented in this thesis is the result of original research carried out by myself, in collaboration with others, whilst enrolled in the Department of Mathe- matics as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Samuel Scott October, 2017 2 Acknowledgements First of all I would like to sincerely thank my supervisor Kenny Paterson. Kenny is the most dedicated researcher I have met, and despite being incredibly busy would always take the time to help me when it mattered most. Thanks to Kenny, I had the great fortune to work with many other incredible peo- ple, including all of my wonderful co-authors. In particular, I want to thank Tom Ristenpart, who has been a pleasure to work with, and for inviting me to work on Pythia, which led to working with the amazing Ari Juels, Rahul Chatterjee, and Adam Everspaugh. Similarly, thanks to Eric Rescorla for taking me on as an intern at Mozilla. Not only was Mozilla a fantastic experience, but it led to the rewarding collaboration with Cas Cremers, Marko Horvat, Thyla van der Merwe, and Jonathan Hoyland, all of whom I have shared many laughs with over the years. I also want to thank Simon Blackburn for supervising me in my first year, who was a fantastic supervisor and a pleasure to work with, and I am incredibly grateful to have had the chance to work with Martin Albrecht and Rachel Player. Thank you to the EPSRC and Royal Holloway for conceiving of and funding this PhD programme. Of course, none of this would have been possible without the support and encour- agement of my wife Yiran. Thank you for pushing me to undertake a PhD when I first had doubts, for keeping me sane when deadlines loomed, and cooking amazing food when I was stressed. I want to thank everyone at Royal Holloway for all the good times we spent together, and many unforgettable memories. Special mention to Thalia and Dan, who I've known since the MSc programme, Thalia for all the tea and cake, and Dan who was responsible for me first enquiring about doing a PhD. Finally I thank all my friends and family, wonderful people to whom I owe a lot, especially thanks to my Dad who has been a role model for me in everything I do. 3 Abstract Designing cryptographic protocols for use in the real world is a challenging task, requiring a fine balance between practicality and security. Ad hoc con- structions are often catastrophically broken, and even well-studied protocols regularly do not stand up to the test of time. We look at some of the ways cryptographic protocols are designed and analysed, applying these techniques to a variety of real-word scenarios. Our first scenario considers password storage, introducing a new primitive called a verifiable, partially oblivious PRF. We analyse the suitability of this primitive to the application in question, provide formal security proofs, and evaluate an example instantiation. The second scenario introduces a new security model to better understand the domain of key rotation for authenticated encryption. This is an area highly relevant to modern practices of storing data encrypted in the cloud. By intro- ducing this new security model, we show that existing solutions fall short of achieving any meaningful security properties, and suggest some simple fixes. Finally, we implement and prove a new construction which meets our strongest definition, and analyse its practicality. Finally, to contrast with the computational approach in previous chapters, we additionally consider symbolic approaches to security analysis, using the formal verification tool Tamarin to prove security properties of the latest draft of the TLS 1.3 specification. Our results show formal method complement other approaches nicely, and provide a new perspective. 4 Contents 1 Introduction 11 1.1 Motivation................................ 11 1.1.1 Password Storage......................... 12 1.1.2 Key Rotation for Authenticated Encryption.......... 13 1.1.3 Transport Layer Security (TLS)................ 14 1.2 Thesis Structure............................. 15 1.3 Associated Publications......................... 16 2 Background 18 2.1 Notation.................................. 18 2.2 Computational Analysis......................... 19 2.2.1 Concrete Security........................ 19 2.2.2 Symmetric Encryption...................... 20 2.2.3 Pseudorandom Functions.................... 27 2.2.4 Random Oracle Model...................... 29 2.2.5 Diffie–Hellman.......................... 30 2.3 Symbolic Analysis............................ 36 2.3.1 Tamarin Prover.......................... 37 2.3.2 Cryptographic primitives.................... 38 2.3.3 Dolev-Yao Attacker....................... 40 2.3.4 Properties and Proofs...................... 40 2.3.5 Authentication Properties.................... 45 2.3.6 Symbolic Diffie–Hellman..................... 46 2.3.7 Strengths and Weaknesses of Symbolic Analysis........ 47 2.4 Summary................................. 49 3 The Pythia PRF Service 51 3.1 Introduction................................ 51 3.2 Overview and Challenges........................ 55 3.3 Partially-oblivious PRFs......................... 59 5 CONTENTS 3.4 The Pythia Service Design....................... 62 3.4.1 Implementation.......................... 64 3.4.2 Performance........................... 65 3.5 Additional Pythia API Details..................... 69 3.6 Formal Security Analyses........................ 71 3.6.1 Unpredictability Security.................... 73 3.6.2 Pseudorandomness Security................... 75 3.6.3 Relationship with Fully Oblivious PRFs............ 80 3.7 Password Onions............................. 83 3.7.1 Facebook Password Onion.................... 84 3.7.2 Pythia Password Onion.................... 85 3.8 Hardened Brainwallets.......................... 88 3.8.1 A Pythia-hardened Brainwallet................ 89 3.8.2 Threshold Security........................ 91 3.9 Related Work............................... 92 3.10 Conclusion................................ 95 4 Key Rotation for Authenticated Encryption 97 4.1 Introduction................................ 97 4.2 Updatable AE.............................. 102 4.3 Motivating Scenarios........................... 105 4.3.1 Untrusted Server......................... 106 4.3.2 Client-Side Security....................... 106 4.3.3 Key Revocation.......................... 107 4.4 Confidentiality and Integrity for Updatable Encryption........ 108 4.4.1 Message Confidentiality..................... 109 4.4.2 Ciphertext Integrity....................... 114 4.5 Practical Updatable AE Schemes.................... 115 4.5.1 Authenticated Encryption.................... 115 4.5.2 (In-)Security of AE-hybrid Construction............ 116 4.5.3 Improving AE-hybrid...................... 121 4.6 XOR-KEM: A Bidirectional Updatable AE Scheme.......... 125 4.7 Indistinguishability of Re-encryptions................. 130 4.8 Revisiting the BLMR Scheme...................... 134 4.8.1 Negative Result about Provable UP-IND Security of BLMR. 136 4.9 An Updatable AE Scheme with Re-encryption Indistinguishability. 139 4.9.1 Security of ReCrypt....................... 142 4.9.2 Implementation and Performance................ 148 6 CONTENTS 4.10 Conclusion and Open Problems..................... 152 5 Tamarin Analysis of TLS 1.3 154 5.1 Introduction................................ 154 5.1.1 Contributions........................... 156 5.1.2 Related Work........................... 157 5.1.3 Chapter Organisation...................... 158 5.2 TLS 1.3.................................. 158 5.2.1 New Mechanisms......................... 158 5.2.2 Stated Goals and Security Properties.............. 164 5.2.3 Changes Since draft-10 ..................... 165 5.3 Modelling the Protocol.......................... 166 5.3.1 A Comprehensive Model..................... 167 5.3.2 Closely Modelling the Specification............... 171 5.3.3 Advanced Features........................ 174 5.4 Encoding the Threat Model and the Security Properties....... 176 5.4.1 Threat Model........................... 176 5.4.2 Security Properties........................ 177 5.5 Enabling Client Authentication in PSK Mode............. 181 5.5.1 The Attack............................ 181 5.5.2 Underlying Cause and Mitigation................ 184 5.5.3 Resulting Fix........................... 185 5.6 Analysis and Results........................... 185 5.6.1 Positive Results.......................... 186 5.6.2 Possible Mismatch Between Client and Server View..... 188 5.7 The Relation Between Our Model and the TLS 1.3 Specification.. 191 5.8 Conclusions................................ 192 6 Concluding Remarks 195 Bibliography 198 7 List of Figures 2.1 Left: The IND-CPA game. Right: The INT-CTXT game....... 23 2.2 The basic station-to-station (STS) protocol............... 33 3.1 Diagram of PRF derivations enabled by Pythia............ 56 3.2 The partially-oblivious PRF protocol used in Pythia......... 60 3.3 The unblinded PRF protocol supported by Pythia.......... 61 3.4 Throughput of PRF-Srv requests and a static page request
Load more

Recommended publications
  • Nist Sp 800-77 Rev. 1 Guide to Ipsec Vpns
    NIST Special Publication 800-77 Revision 1 Guide to IPsec VPNs Elaine Barker Quynh Dang Sheila Frankel Karen Scarfone Paul Wouters This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-77r1 C O M P U T E R S E C U R I T Y NIST Special Publication 800-77 Revision 1 Guide to IPsec VPNs Elaine Barker Quynh Dang Sheila Frankel* Computer Security Division Information Technology Laboratory Karen Scarfone Scarfone Cybersecurity Clifton, VA Paul Wouters Red Hat Toronto, ON, Canada *Former employee; all work for this publication was done while at NIST This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-77r1 June 2020 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology Authority This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority.
    [Show full text]
  • Globalsign Certification Practice Statement That Addresses the Methods and Rules by Which Certificates Are Delivered for the Domain of the Globalsign Top Roots
    GlobalSign Certificate Policy Date: March 31st 2013 Version: v.4.5 GlobalSign Certificate Policy Table of Contents TABLE OF CONTENTS ................................................................................................................................ 2 DOCUMENT HISTORY ............................................................................................................................... 7 ACKNOWLEDGMENTS .............................................................................................................................. 7 1.0 INTRODUCTION.............................................................................................................................. 9 1.1 OVERVIEW ............................................................................................................................................ 9 1.1.1 Additional requirements for TrustedRoot Issuer CAs ................................................................ 11 1.2 DOCUMENT NAME AND IDENTIFICATION ................................................................................................... 11 1.3 PKI PARTICIPANTS ................................................................................................................................ 12 1.3.1 Certification Authorities (“Issuer CAs”) ..................................................................................... 12 1.3.2 Registration Authorities ............................................................................................................ 12 1.3.3
    [Show full text]
  • Public Key Infrastructure (KMI/PKI)
    UNCLASSIFIED Supporting Infrastructure IATF Release 3.1September 2002 Chapter 8 Supporting Infrastructure A principal tenet of the Defense-in-Depth philosophy is to provide defenses against cyber intrusions and attacks, and deal effectively with and recover from attacks that penetrate those defenses. The supporting infrastructures are a set of interrelated activities and infrastructures providing security services to enable and manage the framework’s technology solutions. Currently, the Defense-in-Depth strategy defines two supporting infrastructures: • Key Management Infrastructure/Public Key Infrastructure (KMI/PKI). For the generation, distribution, and management of security credentials, such as keys and certificates. • Detect and Respond. For providing warnings, detecting and characterizing suspected cyber attacks, coordinating effective responses, and performing investigative analyses of attacks. Today’s information infrastructures are not sufficiently secure to provide the full range of services needed to defend against the threats anticipated for the Global Information Grid (GIG). Thus, the Defense-in-Depth strategy provides overlays of information assurance (IA) features to realize an effective defense. Key management (including public key management) is fundamental to many IA protection technologies. Because our ability to provide airtight protection is neither technically nor economically feasible, we must reinforce those protection technologies with capabilities to detect, respond to, and recover from cyber attacks that penetrate those protections. Cryptography-enabled services rely on KMI or PKI to provide a trustworthy foundation. The KMI/PKI supporting infrastructure focuses on the technologies, services, and processes used to manage public key certificates and symmetric cryptography. As shown in Figure 8-1, the KMI/PKI infrastructure touches most portions of the networked environment.
    [Show full text]
  • Application-Specific Key Management Guidance
    Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below). Archived Publication Series/Number: NIST Special Publication 800-57 Part 3 Title: Recommendation for Key Management – Part 3: Application-Specific Key Management Guidance Publication Date(s): December 2009 Withdrawal Date: January 2015 Withdrawal Note: SP 800-57 Part 3 is superseded in its entirety by the publication of SP 800-57 Part 3 Revision 1 (January 2015). Superseding Publication(s) The attached publication has been superseded by the following publication(s): Series/Number: NIST Special Publication 800-57 Part 3 Revision 1 Title: Recommendation for Key Management – Part 3: Application-Specific Key Management Guidance Author(s): Elaine Barker and Quynh Dang Publication Date(s): January 2015 URL/DOI: http://dx.doi.org/10.6028/NIST.SP.800-57pt3r1 Additional Information (if applicable) Contact: Computer Security Division (Information Technology Lab) Latest revision of the SP 800-53 Part 3 Revision 1 (as of July 15, 2015) attached publication: Related information: http://csrc.nist.gov/groups/ST/toolkit/key_management.html Withdrawal N/A announcement (link): Date updated: JuůLJϭϱ, 2015 NIST Special Publication 800-57 RECOMMENDATION FOR KEY MANAGEMENT Part 3: Application-Specific Key Management Guidance Elaine Barker William Burr Alicia Jones Timothy Polk Scott Rose Miles Smid Quynh Dang 1 NIST Special Publication 800-57 RECOMMENDATION FOR KEY MANAGEMENT Part 3: Application-Specific Key Management Guidance Elaine Barker William Burr Alicia Jones Timothy Polk Scott Rose Quynh Dang National Institute of Standards and Technology Miles Smid Orion Security Solutions December 2009 U.S.
    [Show full text]
  • Cybersecurity Solutions
    National Security Agency/ Central Security Service CYBERSECURITY SOLUTIONS KEY MANAGEMENT REQUIREMENTS ANNEX V1.0 Version 1.0 26 June 2018 Key Management Requirements Annex CHANGE HISTORY Title Version Date Change Summary Commercial Solutions for 1.0 June 26, 2018 Initial release of the CSfC Key Classified (CSfC) Key Management Requirements Annex. Management Requirements Annex 1 CYBERSECURITY SOLUTIONS June 2018 Key Management Requirements Annex TABLE OF CONTENTS 1 Key Management Requirements .......................................................................................................... 4 1.1 Distribution of Certificate Revocation Lists .................................................................................. 9 1.2 Wireless Key and Certificate Management................................................................................. 10 1.2.1 MA CP .................................................................................................................................. 10 1.2.2 WLAN CP ............................................................................................................................. 11 1.3 MACsec Connectivity Association Keys ....................................................................................... 11 2 Remote Rekey of End User Device (EUD) Certificates ........................................................................ 11 3 Key Management General Requirements ........................................................................................... 12 3.1 PKI
    [Show full text]
  • Cryptographic Key Infrastructure for Security Services Protecting Tt&C And
    C RYPTOGRAPHIC K EY I NFRASTRUCTURE FOR S E C U R I T Y S E R VI C E S P R O T E C T I N G TT&C A N D P A Y L O A D L I N K S O F S PA C E M ISSIONS ESTEC/CONTRACT NO. 4000103681 May 2011 – April 2014 MARCIO JULIATO, DEPT. OF ECE, UNIV. OF WATERLOO CATHERINE GEBOTYS, DEPT. OF ECE, UNIV. OF WATERLOO IGNACIO AGUILAR SANCHEZ, ESTEC, ESA 1 Table of Contents Table of Contents ............................................................................................................ 2 List of Acronyms ............................................................................................................. 5 List of Figures .................................................................................................................. 7 List of Tables .................................................................................................................... 8 Chapter 1 : Report Summary ................................................................................................. 9 1.1 Introduction ............................................................................................................... 10 1.2 Background ............................................................................................................... 10 1.3 Purpose and Scope ..................................................................................................... 12 1.4 Programme Outline .................................................................................................... 12 1.5 Output ......................................................................................................................
    [Show full text]
  • Recommendation for Key Management, Part 3: Application
    NIST Special Publication 800-57 Part 3 Revision 1 Recommendation for Key Management Part 3: Application-Specific Key Management Guidance Elaine Barker Quynh Dang This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-57pt3r1 C O M P U T E R S E C U R I T Y NIST Special Publication 800-57 Part 3 Revision 1 Recommendation for Key Management Part 3: Application-Specific Key Management Guidance Elaine Barker Quynh Dang Computer Security Division Information Technology Laboratory This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-57pt3r1 January 2015 U.S. Department of Commerce Penny Pritzker, Secretary National Institute of Standards and Technology Willie May, Acting Under Secretary of Commerce for Standards and Technology and Acting Director Authority This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is responsible for developing information security standards and guidelines, including minimum requirements for Federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate Federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority.
    [Show full text]