Formal Verification for Real-World Cryptographic Protocols and Implementations Nadim Kobeissi

Total Page:16

File Type:pdf, Size:1020Kb

Formal Verification for Real-World Cryptographic Protocols and Implementations Nadim Kobeissi Formal verification for real-world cryptographic protocols and implementations Nadim Kobeissi To cite this version: Nadim Kobeissi. Formal verification for real-world cryptographic protocols and implementations. Cryptography and Security [cs.CR]. Université Paris sciences et lettres, 2018. English. NNT : 2018PSLEE065. tel-03245433v4 HAL Id: tel-03245433 https://tel.archives-ouvertes.fr/tel-03245433v4 Submitted on 1 Jun 2021 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Préparée à Inria Paris Dans le cadre d'une cotutelle avec École Normale Supérieure — PSL Vérification formelle des protocoles et des implementations cryptographiques Formal Verification for Real-World Cryptographic Protocols and Implementations Soutenue par Composition du jury : Nadim Kobeissi David Pointcheval Le 10 décembre 2018 Directeur de recherche, ENS Paris Président Stéphanie Delaune Directeur de recherche, IRISA Rennes Rapporteur École doctorale no386 Tamara Rezk Directeur de recherche, Inria Sophia An- Rapporteur École Doctorale de Sci- tipolis ences Mathématiques de Cas Cremers Paris-Centre Directeur de recherche, CISPA- Examinateur Helmholtz Center Saarbrücken Stéphanie Delaune Directeur de recherche, IRISA Rennes Examinateur Spécialité Antoine Delignat-Lavaud Sciences Informatiques Chercheur, Microsoft Research Cam- Examinateur bridge Ralf Küsters Directeur de recherche, Université de Examinateur Stuttgart David Pointcheval Directeur de recherche, ENS Paris Examinateur Karthikeyan Bhargavan Directeur de recherche, Inria Paris Directeur de thèse Bruno Blanchet Directeur de recherche, Inria Paris Directeur de thèse 1 There is always some madness in love. But there is also always some reason in madness. And those who were seen dancing were thought to be insane by those who could not hear the music. Friedrich Nietzsche Thanks to God that he gave me stubbornness when I know I am right. John Adams .نسح،يبأىلإ 2 Abstract Individuals and organizations are increasingly relying on the Web and on user- facing applications for use cases such as online banking, secure messaging, doc- ument sharing and electronic voting. To protect the confidentiality and in- tegrity of these communications, these systems depend on authentication and authorization protocols, on application-level cryptographic constructions and on transport-layer cryptographic protocols. However, combining these varied mech- anisms to achieve high-level security goals is error-prone and has led to many attacks even on sophisticated and well-studied applications. This thesis aims to develop methods and techniques for reasoning about, de- signing and implementing cryptographic protocols and secure application com- ponents relevant to some of the most frequently used cryptographic protocols and applications. We investigate and formalize various notions of expected guaran- tees and evaluate whether some of the most popular secure channel protocols, such as secure messaging protocols and transport protocols often operating at the billion-user scale, are capable of meeting these goals. In this thesis, we ask: can existing major paradigms for formal protocol veri- fication serve as guidelines for the assessment of existing protocols, the prototyp- ing of protocols being designed, and the conception of entirely new protocols, in a way that is meaningful and reflective of their expected real-world properties? And can we develop novel frameworks for formal verification and more secure implementation based on these foundations? We propose new formal models in both symbolic and computational for- mal verification frameworks for these protocols and applications. In some of the presented work, we obtain a verification methodology that starts from the protocol and ends at the implementation code. In other parts of our work, we develop a dynamic framework for generating formal verification models for any secure channel protocol described in a lightweight syntax. Ultimately, this thesis presents formal verification approaches for existing protocols reaching towards their implementation as well as methods for prototyping and formally verifying new protocols as they are being drafted and designed. 3 4 Acknowledgments Being able to work on this research at INRIA has been the most essential op- portunity that I have been given in my life. Furthermore, no more essential opportunity will ever arise in my life, since my future will undeniably be rooted in what I’ve been allowed to work on at INRIA, in the researchers of INRIA taking me in and teaching me the posture and adroitness necessary for good research. Being at INRIA has taught me much more than the proper formal analysis of cryptographic protocols. It taught me just how difficult and uncompromising true scientific rigor can be and the importance of a diligent and forward-looking work ethic. It also taught me patience, helped me expand my perspective with regards to the viewpoints of others and my sense of good faith during teamwork. It helped me mature into someone less sure of his intuition while nevertheless radically strengthening that intuition in the same process. The researchers at INRIA are part of an institution that morally and intellectually is larger than life, where the bottom line, the net product ends up being uncompromising research pushed forward with equal amounts of passion and prudence. I hope that I can carry with me what I’ve been given at INRIA by imparting the insights of what I’ve been able to work on and the values that determine how the work is to be done. Most of the contributions herein that can be considered my own are largely due to my acting as a sort of highly opinionated melting pot for Karthik’s decades-long vision for Web security, Antoine’s first explaining to me that, in F?, “types are proofs”, Bruno’s unnerving, laser-like focus and rigor — I could go on to cover every member of the PROSECCO research group in words that seem inflated but aren’t really. Being at INRIA taught me how to think. Working with these people taught me more than I could have ever learned on my own and made me into more than I could have hoped to become. I am also deeply grateful for Cedric and Antoine’s hosting me at Microsoft Research for the duration of my internship and most of all for actually letting me call my internship project “QuackyDucky”, even keeping that name after integrating it into the Project Everest stack well after my departure. I would have never received this opportunity were it not for the trust and good faith that Graham, Harry and Philippe put in me during my first year. Their confidence was pivotal in my being given a chance to learn how to do actual science. Regarding the thesis committee, who likely already groaned at the prospect 5 6 of yet another big thesis to read and are even more apprehensive about it after reading this warm, fuzzy essay, I can promise you cookies at the defense. As for Karthik, what I owe him is beyond evaluation. Contents Abstract 3 Acknowledgments 5 Contents 10 Introduction 11 1 Formal Verification for Secure Messaging 33 1.1 A Security Model for Encrypted Messaging . 35 1.1.1 Threat Model . 35 1.1.2 Security Goals . 36 1.2 Symbolic Verification with ProVerif . 37 1.2.1 Secret Chats in Telegram . 37 1.2.2 Towards Automated Verification . 39 1.3 Formally Verifying SP . 39 1.3.1 Protocol Overview . 40 1.3.2 Protocol Verification . 42 1.3.3 Other Protocols: OTR . 45 1.4 Cryptographic Proofs with CryptoVerif . 46 1.4.1 Assumptions . 46 1.4.2 Indifferentiability of HKDF . 48 1.4.3 Protocol Model . 55 1.4.4 Security Goals . 56 1.4.5 Results . 57 1.5 Conclusion and Related Work . 57 2 Formal Verification for Transport Layer Security 59 2.0.1 Our Contributions . 60 2.1 A Security Model for TLS . 60 2.2 TLS 1.3 1-RTT: Simpler, Faster Handshakes . 61 2.2.1 Security Goals for TLS . 63 2.2.2 A Realistic Threat Model for TLS . 64 2.2.3 Modeling the Threat Model in ProVerif . 66 2.2.4 Modeling and Verifying TLS 1.2 in ProVerif . 67 7 8 CONTENTS 2.2.5 Verification Effort . 69 2.2.6 1-RTT Protocol Flow . 71 2.2.7 Modeling 1-RTT in ProVerif . 72 2.2.8 1-RTT Security Goals . 73 2.2.9 Verifying 1-RTT in Isolation . 74 2.2.10 Verifying TLS 1.3 1-RTT composed with TLS 1.2 . 75 2.3 0-RTT with Semi-Static Diffie-Hellman . 75 2.3.1 Protocol Flow . 76 2.3.2 Verification with ProVerif . 76 2.3.3 Unknown Key Share Attack on DH-based 0-RTT in QUIC, OPTLS, and TLS 1.3 . 76 2.4 Pre-Shared Keys for Resumption and 0-RTT . 78 2.4.1 Protocol Flow . 79 2.4.2 Verifying PSK-based Resumption . 79 2.4.3 An Attack on 0-RTT Client Authentication . 80 2.4.4 The Impact of Replay on 0-RTT and 0.5-RTT . 81 2.5 Computational Analysis of TLS 1.3 Draft-18 . 82 2.5.1 Cryptographic Assumptions . 82 2.5.2 Lemmas on Primitives and on the Key Schedule . 84 2.5.3 Verifying 1-RTT Handshakes without Pre-Shared Keys . 85 2.5.4 Verifying Handshakes with Pre-Shared Keys . 91 2.5.5 Verifying the Record Protocol . 95 2.5.6 A Composite Proof for TLS 1.3 Draft-18 . 96 2.5.7 Conclusion .
Recommended publications
  • Cryptography
    Pattern Recognition and Applications Lab CRYPTOGRAPHY Giorgio Giacinto [email protected] University of Cagliari, Italy Spring Semester 2019-2020 Department of Electrical and Electronic Engineering Cryptography and Security • Used to hide the content of a message • Goals – Confidentiality – Authenticity – Integrity • The text is modified by an encryption function – An interceptor should not be able to understand all or part of the message content http://pralab.diee.unica.it 2 Encryption/Decryption Process Key Key (Optional) (Optional) Original Plaintext Encryption Ciphertext Decryption Plaintext http://pralab.diee.unica.it 3 Keys and Locks http://pralab.diee.unica.it 4 Keys L F A Y B D E T C A R C S E E T Y H G S O U S U D H R D F C E I D B T E M E P Q X N R C I D S F T U A E T C A U R M F N P E C J N A C R D B E M K C I O P F B E W U X I Y M C R E P F N O G I D C N T M http://pralab.diee.unica.it 5 Keys L F A Y B D E T C A R C S E E T Y H G S O U S U D H R D F C E I D B T E M E P Q X N R C I D S F T U A E T C A U R M F N P E C J N A C R D B E M K C I O P F B E W U X I Y M C R E P F N O G I D C N T M http://pralab.diee.unica.it 6 Steganography - = http://pralab.diee.unica.it https://towardsdatascience.com/steganography-hiding-an-image-inside-another-77ca66b2acb1 7 Definitions • Cryptography algorithm C = E(K,M) A function E with two inputs – a message M – a key K that outputs – the encrypted message C The algorithm is based on a shared secret between the sender and the receiver K The Encryption Key http://pralab.diee.unica.it 8 Symmetric
    [Show full text]
  • Cryptography
    56 Protecting Information With Cryptography Chapter by Peter Reiher (UCLA) 56.1 Introduction In previous chapters, we’ve discussed clarifying your security goals, determining your security policies, using authentication mechanisms to identify principals, and using access control mechanisms to enforce poli- cies concerning which principals can access which computer resources in which ways. While we identified a number of shortcomings and prob- lems inherent in all of these elements of securing your system, if we re- gard those topics as covered, what’s left for the operating system to worry about, from a security perspective? Why isn’t that everything? There are a number of reasons why we need more. Of particular im- portance: not everything is controlled by the operating system. But per- haps you respond, you told me the operating system is all-powerful! Not really. It has substantial control over a limited domain – the hardware on which it runs, using the interfaces of which it is given control. It has no real control over what happens on other machines, nor what happens if one of its pieces of hardware is accessed via some mechanism outside the operating system’s control. But how can we expect the operating system to protect something when the system does not itself control access to that resource? The an- swer is to prepare the resource for trouble in advance. In essence, we assume that we are going to lose the data, or that an opponent will try to alter it improperly. And we take steps to ensure that such actions don’t cause us problems.
    [Show full text]
  • An Advance Visual Model for Animating Behavior of Cryptographic Protocols
    An Advance Visual Model for Animating Behavior of Cryptographic Protocols Mabroka Ali Mayouf Maeref1*, Fatma Alghali2, Khadija Abied2 1 Sebha University, Faculty of Science, Department of Computer Science, P. O. Box 18758 Sebha, Libya, Libyan. 2 Sebha University of Libya, Sebha, Libya. * Corresponding author. Tel.: 00218-925132935; email: [email protected] Manuscript submitted February 13, 2015; accepted July 5, 2015. doi: 10.17706/jcp.10.5.336-346 Abstract: Visual form description benefits from the ability of visualization to provide precise and clear description of object behavior especially if the visual form is extracted from the real world. It provides clear definition of object and the behavior of that object. Although the current descriptions of cryptographic protocol components and operations use a different visual representation, the cryptographic protocols behaviors are not actually reflected. This characteristic is required and included within our proposed visual model. The model uses visual form and scenario-based approach for describing cryptographic protocol behavior and thus increasing the ability to describe more complicated protocol in a simple and easy way. Key words: Animation, cryptographic protocols, interactive tool, visualization. 1. Introduction Cryptographic protocols (CPs) mostly combine both theory and practice [1], [2]. These cause protocol complexity describing and understanding. Therefore, separating the mathematical part from the protocol behavior should provide feeling of how the protocol works, thus increasing the ability to describe and to gain confidence in reflecting more complicated information about CPs, as well as to generate interest to know about other more complex protocol concepts. Several researchers realized the use of visual model and animation techniques to reflect the explanation of the learning objectives and their benefits [3]-[11].
    [Show full text]
  • N2N: a Layer Two Peer-To-Peer VPN
    N2N: A Layer Two Peer-to-Peer VPN Luca Deri1, Richard Andrews2 ntop.org, Pisa, Italy1 Symstream Technologies, Melbourne, Australia2 {deri, andrews}@ntop.org Abstract. The Internet was originally designed as a flat data network delivering a multitude of protocols and services between equal peers. Currently, after an explosive growth fostered by enormous and heterogeneous economic interests, it has become a constrained network severely enforcing client-server communication where addressing plans, packet routing, security policies and users’ reachability are almost entirely managed and limited by access providers. From the user’s perspective, the Internet is not an open transport system, but rather a telephony-like communication medium for content consumption. This paper describes the design and implementation of a new type of peer-to- peer virtual private network that can allow users to overcome some of these limitations. N2N users can create and manage their own secure and geographically distributed overlay network without the need for central administration, typical of most virtual private network systems. Keywords: Virtual private network, peer-to-peer, network overlay. 1. Motivation and Scope of Work Irony pervades many pages of history, and computing history is no exception. Once personal computing had won the market battle against mainframe-based computing, the commercial evolution of the Internet in the nineties stepped the computing world back to a substantially rigid client-server scheme. While it is true that the today’s Internet serves as a good transport system for supplying a plethora of data interchange services, virtually all of them are delivered by a client-server model, whether they are centralised or distributed, pay-per-use or virtually free [1].
    [Show full text]
  • Biting Into Forbidden Fruit
    Biting into the forbidden fruit Lessons from trusting Javascript crypto Krzysztof Kotowicz, OWASP Appsec EU, June 2014 About me • Web security researcher • HTML5 • UI redressing • browser extensions • crypto • I was a Penetration Tester @ Cure53 • Information Security Engineer @ Google Disclaimer: “My opinions are mine. Not Google’s”. Disclaimer: All the vulns are fixed or have been publicly disclosed in the past. Introduction JS crypto history • Javascript Cryptography Considered Harmful http://matasano.com/articles/javascript- cryptography/ • Final post on Javascript crypto http://rdist.root.org/2010/11/29/final-post-on- javascript-crypto/ JS crypto history • Implicit trust in the server to deliver the code • SSL/TLS is needed anyway • Any XSS can circumvent the code • Poor library quality • Poor crypto support • No secure keystore • JS crypto is doomed to fail Doomed to fail? Multiple crypto primitives libraries, symmetric & asymmetric encryption, TLS implementation, a few OpenPGP implementations, and a lot of user applications built upon them. Plus custom crypto protocols. https://crypto.cat/ https://www.mailvelope.com/ http://openpgpjs.org/ JS crypto is a fact • Understand it • Look at the code • Find the vulnerabilities • Analyze them • Understand the limitations and workarounds • Answer the question: can it be safe? JS crypto vulns in the wild • Language issues • Caused by a flaw of the language • Web platform issues • Cased by the web • Other standard bugs • out of scope for this presentation Language issues Language issues matter
    [Show full text]
  • A History of End-To-End Encryption and the Death of PGP
    25/05/2020 A history of end-to-end encryption and the death of PGP Hey! I'm David, a security engineer at the Blockchain team of Facebook (https://facebook.com/), previously a security consultant for the Cryptography Services of NCC Group (https://www.nccgroup.com). I'm also the author of the Real World Cryptography book (https://www.manning.com/books/real-world- cryptography?a_aid=Realworldcrypto&a_bid=ad500e09). This is my blog about cryptography and security and other related topics that I Ûnd interesting. A history of end-to-end encryption and If you don't know where to start, you might want to check these popular the death of PGP articles: posted January 2020 - How did length extension attacks made it 1981 - RFC 788 - Simple Mail Transfer Protocol into SHA-2? (/article/417/how-did-length- extension-attacks-made-it-into-sha-2/) (https://tools.ietf.org/html/rfc788) (SMTP) is published, - Speed and Cryptography the standard for email is born. (/article/468/speed-and-cryptography/) - What is the BLS signature scheme? (/article/472/what-is-the-bls-signature- This is were everything starts, we now have an open peer-to-peer scheme/) protocol that everyone on the internet can use to communicate. - Zero'ing memory, compiler optimizations and memset_s (/article/419/zeroing-memory- compiler-optimizations-and-memset_s/) 1991 - The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations The US government introduces the 1991 Senate Bill 266, (/article/461/the-9-lives-of-bleichenbachers- which attempts to allow "the Government to obtain the cat-new-cache-attacks-on-tls- plain text contents of voice, data, and other implementations/) - How to Backdoor Di¸e-Hellman: quick communications when appropriately authorized by law" explanation (/article/360/how-to-backdoor- from "providers of electronic communications services di¸e-hellman-quick-explanation/) and manufacturers of electronic communications - Tamarin Prover Introduction (/article/404/tamarin-prover-introduction/) service equipment".
    [Show full text]
  • Daniel Nashed "CSI Domino" Diagnostic Collection & NSD Analysis
    "CSI Domino" Diagnostic Collection & NSD Analysis Daniel Nashed AdminCamp 2016 – Sept. 19-21 in Gelsenkirchen About the presenter ● Nash!Com – German IBM® Business Partner/ISV – Member of The Penumbra group -- an international consortium of selected Business Partners pooling their talent and resources ● Focused on Cross-Platform C-API, IBM® Domino® Infrastructure, Administration, Integration, Troubleshooting and IBM® Traveler – Platform Focus: Microsoft® Windows® 32/64, Linux® and IBM AIX® ● Author of the Domino on Linux®/UNIX® Start Script – Note: Working on RHEL7 + SLES 12 “systemd” support Agenda ● Introduction – What is „Serviceability“ ● Automatic Data Collection (ADC), Configuration Collector ● NSD, Memcheck – Server Crashes, Hangs, Annotation of NSDs ● Memory Management ● Advanced Methods – Semaphore Debugging – Memory Dumps ● Performance Troubleshooting ● Q&A – Any time Useful Software & Tools ● Software – Notes Peek – Lotus Notes Diagnostics (LND) – 7Zip – open source ZIP tool – Ultraedit (commerical but great) or Notepad++ (free) – NashCom Tools ● nshcrash ● Nshmem ● C-API Toolkit – Great source of information What is Serviceability? ● RAS = Reliability Availability Serviceability ● RAS is the effort to improve the Domino Product suite so that: – Client/Server doesn’t crash or hang as often (Reliability) – Client/Server performs well, Server is available to clients (Availability) – The ability to quickly pin-point and fix problems (Serviceability) ● Ongoing effort in each incremental release – Some features are even back-ported
    [Show full text]
  • PCI Assessment Evidence of PCI Policy Compliance
    PCI Assessment Evidence of PCI Policy Compliance CONFIDENTIALITY NOTE: The information contained in this report document is for the Prepared for: exclusive use of the client specified above and may contain confidential, privileged and non-disclosable information. If the recipient of this report is not the client or Prospect or Customer addressee, such recipient is strictly prohibited from reading, photocopying, distributing or otherwise using this report or its contents in any way. Prepared by: Your Company Name Evidence of PCI Policy Compliance PCI ASSESSMENT Table of Contents 1 - Overview 1.1 - Security Officer 1.2 - Overall Risk 2 - PCI DSS Evidence of Compliance 2.1 - Install and maintain firewall to protect cardholder data 2.1.1.1 - Requirements for firewall at each Internet connections and between DMZ and internal network zone 2.1.1.2 - Business justification for use of all services, protocols and ports allowed 2.1.2 - Build firewall and router configurations that restrict connections between untrusted networks and the cardholder data environment 2.1.2.1 - Restrict inbound and outbound to that which is necessary for the cardholder data environment 2.1.2.3 - Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet 2.1.2.4 - Implement stateful inspection (also known as dynamic packet filtering) 2.1.2.5 - Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet 2.2 - Prohibition of vendor-supplied default password for systems and security parameters 2.2.1
    [Show full text]
  • A Survey on Potential Privacy Leaks of GPS Information in Android Applications
    UNLV Theses, Dissertations, Professional Papers, and Capstones May 2015 A Survey on Potential Privacy Leaks of GPS Information in Android Applications Srinivas Kalyan Yellanki University of Nevada, Las Vegas Follow this and additional works at: https://digitalscholarship.unlv.edu/thesesdissertations Part of the Library and Information Science Commons Repository Citation Yellanki, Srinivas Kalyan, "A Survey on Potential Privacy Leaks of GPS Information in Android Applications" (2015). UNLV Theses, Dissertations, Professional Papers, and Capstones. 2449. http://dx.doi.org/10.34917/7646102 This Thesis is protected by copyright and/or related rights. It has been brought to you by Digital Scholarship@UNLV with permission from the rights-holder(s). You are free to use this Thesis in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you need to obtain permission from the rights-holder(s) directly, unless additional rights are indicated by a Creative Commons license in the record and/ or on the work itself. This Thesis has been accepted for inclusion in UNLV Theses, Dissertations, Professional Papers, and Capstones by an authorized administrator of Digital Scholarship@UNLV. For more information, please contact [email protected]. A SURVEY ON POTENTIAL PRIVACY LEAKS OF GPS INFORMATION IN ANDROID APPLICATIONS By Srinivas Kalyan Yellanki Bachelor of Technology, Information Technology Jawaharlal Nehru Technological University, India 2013 A thesis submitted in partial fulfillment
    [Show full text]
  • The First Collision for Full SHA-1
    The first collision for full SHA-1 Marc Stevens1, Elie Bursztein2, Pierre Karpman1, Ange Albertini2, Yarik Markov2 1 CWI Amsterdam 2 Google Research [email protected] https://shattered.io Abstract. SHA-1 is a widely used 1995 NIST cryptographic hash function standard that was officially deprecated by NIST in 2011 due to fundamental security weaknesses demonstrated in various analyses and theoretical attacks. Despite its deprecation, SHA-1 remains widely used in 2017 for document and TLS certificate signatures, and also in many software such as the GIT versioning system for integrity and backup purposes. A key reason behind the reluctance of many industry players to replace SHA-1 with a safer alternative is the fact that finding an actual collision has seemed to be impractical for the past eleven years due to the high complexity and computational cost of the attack. In this paper, we demonstrate that SHA-1 collision attacks have finally become practical by providing the first known instance of a collision. Furthermore, the prefix of the colliding messages was carefully chosen so that they allow an attacker to forge two PDF documents with the same SHA-1 hash yet that display arbitrarily-chosen distinct visual contents. We were able to find this collision by combining many special cryptanalytic techniques in complex ways and improving upon previous work. In total the computational effort spent is equivalent to 263:1 SHA-1 compressions and took approximately 6 500 CPU years and 100 GPU years. As a result while the computational power spent on this collision is larger than other public cryptanalytic computations, it is still more than 100 000 times faster than a brute force search.
    [Show full text]
  • FPGA Parallel-Pipelined AES-GCM Core for 100G Ethernet Applications
    FPGA Parallel-Pipelined AES-GCM Core for 100G Ethernet Applications Luca Henzen and Wolfgang Fichtner Integrated Systems Laboratory, ETH Zurich, Switzerland E-mail: {henzen, fw}@iis.ee.ethz.ch Abstract—The forthcoming IEEE 802.3ba Ethernet standard Exploiting the parallelization of four cores plus the extensive will provide data transmission at a bandwidth of 100 Gbit/s. Cur- utilization of pipelining, we were able to design three different rently, the fastest cryptographic primitive approved by the U.S. National Institute for Standard and Technology, that combines 100G AES-GCM implementations for Xilinx Virtex-5 FPGAs. data encryption and authentication, is the Galois/Counter Mode (GCM) of operation. If the feasibility to increase the speed of the II. GCM AUTHENTICATED ENCRYPTION GCM up to 100 Gbit/s on ASIC technologies has already been The GCM is a block cipher mode of operation that is demonstrated, the FPGA implementation of the GCM in secure able to encrypt or decrypt data, providing at the same time 100G Ethernet network systems arises some important structural issues. In this paper, we report on an efficient FPGA architecture authentication and data integrity . In practice, it combines a of the GCM combined with the AES block cipher. With the block cipher in the counter mode with universal hashing over parallelization of four pipelined AES-GCM cores we were able the binary field GF(2128). In this work, we used the Advanced to reach the speed required by the new Ethernet standard. Encryption Standard (AES) [4] for encryption and decryption, Furthermore, the time-critical binary field multiplication of the authentication process relies on four pipelined 2-step Karatsuba- supporting key sizes of 128, 192 and 256bits.
    [Show full text]
  • Wsemail: a Retrospective on a System for Secure Internet Messaging Based on Web Services
    WSEmail: A Retrospective on a System for Secure Internet Messaging Based on Web Services Michael J. May Kevin D. Lux Kinneret Academic College University of Pennsylvania, Rowan University [email protected] [email protected] Carl A. Gunter University of Illinois Urbana-Champaign [email protected] Abstract 1 Introduction Web services are a mature technology nearing their Web services offer an opportunity to redesign a va- twentieth birthday. They have created the founda- riety of older systems to exploit the advantages of a tion for highly interoperable distributed systems to flexible, extensible, secure set of standards. In this communicate over the Internet using standardized work we revisit WSEmail, a system proposed over protocols (e.g. SOAP, JSON) and security mech- ten years ago to improve email by redesigning it as anisms (e.g. OAuth (IETF RFC 6749), XMLD- a family of web services. WSEmail offers an alterna- SIG [5]). Legacy systems and protocols must be tive vision of how instant messaging and email ser- reevaluated to see how they can benefit from mod- vices could have evolved, offering security, extensi- ern architectures, standards, and tools. As a case bility, and openness in a distributed environment in- study of such an analysis and redesign, we present stead of the hardened walled gardens that today's an expanded study of WSEmail [20], electronic mail rich messaging systems have become. WSEmail's ar- redesigned as a family of web services we first imple- chitecture, especially its automatic plug-in download mented and presented in 2005. feature allows for rich extensions without changing the base protocol or libraries.
    [Show full text]