10 research outputs found
Automated analysis of security protocols with global state
Security APIs, key servers and protocols that need to keep the status of transactions need to maintain a global, non-monotonic state, e.g., in the form of a database or register. However, most existing automated verification tools do not support the analysis of such stateful security protocols, sometimes for fundamental reasons, such as the encoding of the protocol as Horn clauses, which are inherently monotonic. A notable exception is the recent tamarin prover, which allows specifying protocols as multiset rewrite (msr) rules, a formalism expressive enough to encode state. As multiset rewriting is a "low-level" specification language with no direct support for concurrent message passing, encoding protocols correctly is a difficult and error-prone process. We propose a process calculus which is a variant of the applied pi calculus with constructs for manipulation of a global state by processes running in parallel. We show that this language can be translated to msr rules whilst preserving all security properties expressible in a dedicated first-order logic for security properties. The translation has been implemented in a prototype tool which uses the tamarin prover as a backend. We apply the tool to several case studies, among which a simplified fragment of PKCS#11, the Yubikey security token, and an optimistic contract signing protocol.
Analysis of Key Wrapping APIs: Generic Policies, Computational Security
We present an analysis of key wrapping APIs with generic policies. We prove that certain minimal conditions on policies are sufficient for keys to be indistinguishable from random in any execution of an API. Our result captures a large class of API policies, including both the hierarchies on keys that are common in the scientific literature and the non-linear dependencies on keys used in PKCS#11. Indeed, we use our result to propose a secure refinement of PKCS#11, assuming that the attributes of keys are transmitted as authenticated associated data when wrapping and that there is an enforced separation between keys used for wrapping and keys used for other cryptographic purposes. We use the Computationally Complete Symbolic Attacker developed by Bana and Comon. This model enables us to obtain computational guarantees using a simple proof with a high degree of modularity.
How to wrap it up - A formally verified proposal for the use of authenticated wrapping in PKCS#11
Being the most widely used and comprehensive standard for hardware security modules, cryptographic tokens and smart cards, PKCS#11 has been the subject of academic study for years. PKCS#11 provides a key store that is separate from the application, so that, ideally, an application never sees a key in the clear. Again and again, researchers have pointed out the need for an import/export mechanism that ensures the integrity of the permissions associated with a key. With version 2.40, for the first time, the standard included authenticated deterministic encryption schemes. The interface to this operation is insecure, however, so that an application can get the key in the clear, subverting the purpose of using a hardware security module. This work proposes a formal model for the secure use of authenticated deterministic encryption in PKCS#11, including concrete API changes to allow for secure policies to be implemented. Owing to the authenticated encryption mechanism, the policy we propose provides more functionality than any policy proposed so far and can be implemented without access to a random number generator. Our results cover modes of operation that rely on unique initialisation vectors (IVs), like GCM or CCM, but also modes that generate synthetic IVs. We furthermore provide a proof for the deduction soundness of our modelling of deterministic encryption in Böhl et al.'s composable deduction soundness framework.
Analysis of low-level implementations of cryptographic protocols
This thesis examines the vulnerabilities due to low-level implementation deficiencies of otherwise secure communication protocols in smart-cards. Smart-cards are considered to be one of the most secure, tamper-resistant, and trusted devices for implementing confidential operations, such as authentication, key management, encryption and decryption for financial, communication, security and data management purposes. The self-containment of smart-cards makes them resistant to attacks as they do not depend on potentially vulnerable external resources. As such, smart-cards are often incorporated in formally-verified protocols that require strong security of the cryptographic computations. Such a setting consists of a smart-card which is responsible for the execution of sensitive operations, and an Application Programming Interface (API) which implements a particular protocol. For the smart-card to execute any kind of operation there exists a confidential low-level communication with the API, responsible for carrying out the protocol specifications and requests. This communication is kept secret on purpose by some vendors, under the assumption that hiding implementation details enhances the system's security. The work presented in this thesis analyses such low-level protocol implementations in smart-cards, especially those whose implementation details are deliberately kept secret. In particular, the thesis consists of a thorough analysis of the implementation of PKCS#11 and Bitcoin smart-cards with respect to the low-level communication layer. Our hypothesis is that by focusing on reverse-engineering the low-level implementation of the communication protocols in a disciplined and generic way, one can discover new vulnerabilities and open new attack vectors that are not possible when looking at the highest levels of implementation, thereby compromising the security guarantees of the smart-cards.
We present REPROVE, a system that automatically reverse-engineers the low-level communication of PKCS#11 smart-cards, deduces the card's functionalities and translates PKCS#11 cryptographic functions into communication steps. REPROVE deals with both standard-conforming and proprietary implementations, and does not require access to the card. We use REPROVE to reverse-engineer seven commercially available smart-cards. Moreover, we conduct a security analysis of the obtained models and expose a set of vulnerabilities which would have otherwise been unknown.
To the best of our knowledge, REPROVE is the first system to address proprietary implementations and the only system that maps cryptographic functions to communication steps and on-card operations. To that end, we showcase REPROVE's usefulness to a security ecosystem by integrating it with an existing tool to extract meaningful state-machines of the card's implementations. To conduct a security analysis of the results we obtained, we define a threat model that addresses low-level PKCS#11 implementations. Our analysis indicates a series of implementation errors that leave the cards vulnerable to attacks. To that end, we showcase how the discovered vulnerabilities can be exploited by presenting practical attacks.
The results we obtained from the PKCS#11 smart-card analysis showed that proprietary implementations commonly hide erroneous behaviours. To test the assumption that the same practice is also adopted by other protocols, we further examine the low-level implementation of the only available smart-card based Bitcoin wallets, LEDGER. We extract the different protocols that the LEDGER wallets implement and conduct a thorough analysis. Our results indicate a set of vulnerabilities that expose the wallets as well as the processed transactions to multiple threats. To that end, we present how we successfully mounted attacks on the LEDGER wallets that lead to the loss of the wallet's ownership and consequently loss of the funds. We address the lack of well-defined security properties that Bitcoin wallets should conform to by introducing a general threat model. We further use that threat model to propose a lightweight fix that can be adopted by other, not necessarily smart-card-based, wallets.
A little more conversation, a little less action, a lot more satisfaction: Global states in ProVerif
ProVerif is a popular tool for the fully automatic analysis of security protocols, offering very good support to detect flaws or prove security. One exception is the case of protocols with global states such as counters, tables, or more generally, memory cells. ProVerif fails to analyse such protocols, due to its internal abstraction. Our key idea is to devise a generic transformation of the security properties queried to ProVerif. We prove the soundness of our transformation and implement it into a front-end GSVerif. Our experiments show that our front-end (combined with ProVerif) outperforms the few existing tools, both in terms of efficiency and protocol coverage. We successfully apply our tool to a dozen protocols of the literature, yielding the first fully automatic proof of a security API and a payment protocol of the literature.
Investigating the role of micro RNAs in retinal development and as agents of degeneration
Micro RNAs (miRNAs) are potent post-transcriptional regulators of gene expression, which play a myriad of roles throughout human development and are key regulators of retinal development, as well as being implicated in retinal disease. The exact roles played by miRNAs in these processes are imperfectly understood. The miR-182, 96, 183 Sensory Cluster is a sensory organ-specific miRNA family and the most highly expressed miRNA family in the murine retina, yet the developmental roles it plays remain unclear. Whilst miRNA dysregulation is associated with certain retinopathies, whether dysregulation is a disease marker or plays a causative role in photoreceptor death is unknown. This thesis investigated miRNA expression and function in human retinal development and the genetic retinopathy Type I Usher syndrome. Human pluripotent stem cell-derived retinal organoids provided a human tissue model for this study. A CRISPR-Cas9 gene editing platform was applied to modify the genome in hPSCs and investigate the effect on organoid development; Sensory Cluster knockout hESC lines and both patient and isogenic control Type I Usher patient-derived iPSC lines were generated and analysed. Sensory Cluster function was interrogated using a gain- and loss-of-function approach; overexpression by miRNA mimic treatment was shown to lead to an increase in expression of certain photoreceptor maturation markers; Sensory Cluster knockout organoids were analysed using morphological and transcriptomic analyses. The molecular phenotype of Type I Usher in vitro was also interrogated using RNAseq. Type I Usher patient organoids displayed reduced expression of photoreceptor-associated genes, including the Sensory Cluster, but these findings were not recapitulated in organoids generated from a wider panel of Type I hPSC lines. These studies provide insight into the role of the Sensory Cluster in the human retina and the value of gene-edited hPSCs to analyse human gene function. It also highlighted the heterogeneity between organoid differentiations and hPSC lines.