ABSTRACT
The standard definition of security for digital signatures - existential unforgeability - does not ensure certain properties that protocol designers might expect. For example, in many modern signature schemes, one signature may verify against multiple distinct public keys. It is left to protocol designers to ensure that the absence of these properties does not lead to attacks.
Modern automated protocol analysis tools are able to provably exclude large classes of attacks on complex real-world protocols such as TLS 1.3 and 5G. However, their abstraction of signatures (implicitly) assumes much more than existential unforgeability, thereby missing several classes of practical attacks.
We give a hierarchy of new formal models for signature schemes that captures these subtleties, and thereby allows us to analyse (often unexpected) behaviours of real-world protocols that were previously out of reach of symbolic analysis. We implement our models in the Tamarin Prover, yielding the first way to perform these analyses automatically, and validate them on several case studies. In the process, we find new attacks on DRKey and SOAP's WS-Security, both protocols which were previously proven secure in traditional symbolic models.
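The gap the abstract describes, as an added illustration that is not the paper's Tamarin models: a tiny symbolic sketch in which the textbook verification rule never finds a wrong-signer case, a weaker rule that lets an observed signature also verify under an adversary-chosen key does, and binding the signer's public key into the signed message (a hypothetical mitigation assumed here, not taken from the paper) closes it again. All key names and the scenario are constructed.

```python
from dataclasses import dataclass
from typing import Any, Dict, Set


@dataclass(frozen=True)
class Sig:
    """Symbolic signature term sign(msg, sk_signer); 'signer' names the honest key."""
    msg: Any
    signer: str


def verify_standard(sig: Sig, msg: Any, pk: str) -> bool:
    """Textbook symbolic rule: verify(sign(m, sk), m, pk(sk)) = true, and nothing else."""
    return sig.msg == msg and pk == sig.signer


class Attacker:
    """Records adversary-chosen keys under which an observed signature also verifies."""

    def __init__(self) -> None:
        self.substituted: Dict[Sig, Set[str]] = {}

    def substitute_key(self, sig: Sig, new_pk: str) -> None:
        self.substituted.setdefault(sig, set()).add(new_pk)


def verify_extended(att: Attacker, sig: Sig, msg: Any, pk: str) -> bool:
    """Weaker abstraction: a signature may also verify under a substituted key."""
    return verify_standard(sig, msg, pk) or (
        sig.msg == msg and pk in att.substituted.get(sig, set()))


# Two protocol designs for "signer sends payload to a verifier" (constructed).
def sign_unbound(signer: str, payload: str) -> Sig:
    return Sig(payload, signer)                # signs only the payload


def sign_bound(signer: str, payload: str) -> Sig:
    return Sig((signer, payload), signer)      # signs (own public key, payload)


def expected_msg(bound: bool, pk: str, payload: str) -> Any:
    """What a verifier reconstructs before checking a signature attributed to pk."""
    return (pk, payload) if bound else payload


def misattribution_possible(bound: bool, extended_model: bool) -> bool:
    """Does the verifier accept Alice's signature as if Mallory produced it?"""
    payload = "transfer 10 to Bob"
    sig = sign_bound("pk_alice", payload) if bound else sign_unbound("pk_alice", payload)
    att = Attacker()
    att.substitute_key(sig, "pk_mallory")      # adversary claims the signature as its own
    msg = expected_msg(bound, "pk_mallory", payload)
    if extended_model:
        return verify_extended(att, sig, msg, "pk_mallory")
    return verify_standard(sig, msg, "pk_mallory")


if __name__ == "__main__":
    for bound in (False, True):
        for ext in (False, True):
            print(f"bound={bound} extended={ext}: {misattribution_possible(bound, ext)}")
```

Only the unbound protocol under the extended rule reports the misattribution; the standard rule misses it in both designs, which is the blind spot the abstract points at.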
Seems Legit: Automated Analysis of Subtle Attacks on Protocols that Use Signatures