The Design and Analysis of Real-World Cryptographic Protocols


Samuel Scott

Thesis submitted to the University of London for the degree of Doctor of Philosophy

Information Security Group
Department of Mathematics
Royal Holloway, University of London

2017

Declaration

These doctoral studies were conducted under the supervision of Prof. Kenneth G. Paterson and Prof. Simon R. Blackburn.

The work presented in this thesis is the result of original research carried out by myself, in collaboration with others, whilst enrolled in the Department of Mathematics as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment.

Samuel Scott
October, 2017

Acknowledgements

First of all I would like to sincerely thank my supervisor Kenny Paterson. Kenny is the most dedicated researcher I have met, and despite being incredibly busy would always take the time to help me when it mattered most.

Thanks to Kenny, I had the great fortune to work with many other incredible people, including all of my wonderful co-authors. In particular, I want to thank Tom Ristenpart, who has been a pleasure to work with, and for inviting me to work on Pythia, which led to working with the amazing Ari Juels, Rahul Chatterjee, and Adam Everspaugh. Similarly, thanks to Eric Rescorla for taking me on as an intern at Mozilla. Not only was Mozilla a fantastic experience, but it led to the rewarding collaboration with Cas Cremers, Marko Horvat, Thyla van der Merwe, and Jonathan Hoyland, all of whom I have shared many laughs with over the years.

I also want to thank Simon Blackburn for supervising me in my first year, who was a fantastic supervisor and a pleasure to work with, and I am incredibly grateful to have had the chance to work with Martin Albrecht and Rachel Player. Thank you to the EPSRC and Royal Holloway for conceiving of and funding this PhD programme.
Of course, none of this would have been possible without the support and encouragement of my wife Yiran. Thank you for pushing me to undertake a PhD when I first had doubts, for keeping me sane when deadlines loomed, and cooking amazing food when I was stressed.

I want to thank everyone at Royal Holloway for all the good times we spent together, and many unforgettable memories. Special mention to Thalia and Dan, who I've known since the MSc programme, Thalia for all the tea and cake, and Dan who was responsible for me first enquiring about doing a PhD.

Finally, I thank all my friends and family, wonderful people to whom I owe a lot, especially thanks to my Dad who has been a role model for me in everything I do.

Abstract

Designing cryptographic protocols for use in the real world is a challenging task, requiring a fine balance between practicality and security. Ad hoc constructions are often catastrophically broken, and even well-studied protocols regularly do not stand up to the test of time. We look at some of the ways cryptographic protocols are designed and analysed, applying these techniques to a variety of real-world scenarios.

Our first scenario considers password storage, introducing a new primitive called a verifiable, partially oblivious PRF. We analyse the suitability of this primitive to the application in question, provide formal security proofs, and evaluate an example instantiation.

The second scenario introduces a new security model to better understand the domain of key rotation for authenticated encryption. This is an area highly relevant to modern practices of storing data encrypted in the cloud. By introducing this new security model, we show that existing solutions fall short of achieving any meaningful security properties, and suggest some simple fixes. Finally, we implement and prove a new construction which meets our strongest definition, and analyse its practicality.
Finally, to contrast with the computational approach in previous chapters, we additionally consider symbolic approaches to security analysis, using the formal verification tool Tamarin to prove security properties of the latest draft of the TLS 1.3 specification. Our results show that formal methods complement other approaches nicely, and provide a new perspective.

Contents

1 Introduction
  1.1 Motivation
    1.1.1 Password Storage
    1.1.2 Key Rotation for Authenticated Encryption
    1.1.3 Transport Layer Security (TLS)
  1.2 Thesis Structure
  1.3 Associated Publications
2 Background
  2.1 Notation
  2.2 Computational Analysis
    2.2.1 Concrete Security
    2.2.2 Symmetric Encryption
    2.2.3 Pseudorandom Functions
    2.2.4 Random Oracle Model
    2.2.5 Diffie–Hellman
  2.3 Symbolic Analysis
    2.3.1 Tamarin Prover
    2.3.2 Cryptographic primitives
    2.3.3 Dolev-Yao Attacker
    2.3.4 Properties and Proofs
    2.3.5 Authentication Properties
    2.3.6 Symbolic Diffie–Hellman
    2.3.7 Strengths and Weaknesses of Symbolic Analysis
  2.4 Summary
3 The Pythia PRF Service
  3.1 Introduction
  3.2 Overview and Challenges
  3.3 Partially-oblivious PRFs
  3.4 The Pythia Service Design
    3.4.1 Implementation
    3.4.2 Performance
  3.5 Additional Pythia API Details
  3.6 Formal Security Analyses
    3.6.1 Unpredictability Security
    3.6.2 Pseudorandomness Security
    3.6.3 Relationship with Fully Oblivious PRFs
  3.7 Password Onions
    3.7.1 Facebook Password Onion
    3.7.2 Pythia Password Onion
  3.8 Hardened Brainwallets
    3.8.1 A Pythia-hardened Brainwallet
    3.8.2 Threshold Security
  3.9 Related Work
  3.10 Conclusion
4 Key Rotation for Authenticated Encryption
  4.1 Introduction
  4.2 Updatable AE
  4.3 Motivating Scenarios
    4.3.1 Untrusted Server
    4.3.2 Client-Side Security
    4.3.3 Key Revocation
  4.4 Confidentiality and Integrity for Updatable Encryption
    4.4.1 Message Confidentiality
    4.4.2 Ciphertext Integrity
  4.5 Practical Updatable AE Schemes
    4.5.1 Authenticated Encryption
    4.5.2 (In-)Security of AE-hybrid Construction
    4.5.3 Improving AE-hybrid
  4.6 XOR-KEM: A Bidirectional Updatable AE Scheme
  4.7 Indistinguishability of Re-encryptions
  4.8 Revisiting the BLMR Scheme
    4.8.1 Negative Result about Provable UP-IND Security of BLMR
  4.9 An Updatable AE Scheme with Re-encryption Indistinguishability
    4.9.1 Security of ReCrypt
    4.9.2 Implementation and Performance
  4.10 Conclusion and Open Problems
5 Tamarin Analysis of TLS 1.3
  5.1 Introduction
    5.1.1 Contributions
    5.1.2 Related Work
    5.1.3 Chapter Organisation
  5.2 TLS 1.3
    5.2.1 New Mechanisms
    5.2.2 Stated Goals and Security Properties
    5.2.3 Changes Since draft-10
  5.3 Modelling the Protocol
    5.3.1 A Comprehensive Model
    5.3.2 Closely Modelling the Specification
    5.3.3 Advanced Features
  5.4 Encoding the Threat Model and the Security Properties
    5.4.1 Threat Model
    5.4.2 Security Properties
  5.5 Enabling Client Authentication in PSK Mode
    5.5.1 The Attack
    5.5.2 Underlying Cause and Mitigation
    5.5.3 Resulting Fix
  5.6 Analysis and Results
    5.6.1 Positive Results
    5.6.2 Possible Mismatch Between Client and Server View
  5.7 The Relation Between Our Model and the TLS 1.3 Specification
  5.8 Conclusions
6 Concluding Remarks
Bibliography

List of Figures

2.1 Left: The IND-CPA game. Right: The INT-CTXT game.
2.2 The basic station-to-station (STS) protocol.
3.1 Diagram of PRF derivations enabled by Pythia.
3.2 The partially-oblivious PRF protocol used in Pythia.
3.3 The unblinded PRF protocol supported by Pythia.
3.4 Throughput of PRF-Srv requests and a static page request
