7 research outputs found

    An extensive formal analysis of multi-factor authentication protocols

    Passwords are still the most widespread means for authenticating users, even though they have been shown to create huge security problems. This motivated the use of additional authentication mechanisms used in so-called multi-factor authentication protocols. In this paper we define a detailed threat model for this kind of protocol: while in classical protocol analysis attackers control the communication network, we take into account that many communications are performed over TLS channels, that computers may be infected by different kinds of malware, that attackers could perform phishing, and that humans may omit some actions. We formalize this model in the applied pi calculus and perform an extensive analysis and comparison of several widely used protocols: variants of Google 2-step and FIDO's U2F. The analysis is completely automated, generating systematically all combinations of threat scenarios for each of the protocols and using the PROVERIF tool for automated protocol analysis. Our analysis highlights weaknesses and strengths of the different protocols, and allows us to suggest several small modifications of the existing protocols which are easy to implement, yet improve their security in several threat scenarios.

    Verifpal: Cryptographic Protocol Analysis for the Real World

    Verifpal is a new automated modeling framework and verifier for cryptographic protocols, optimized with heuristics for common-case protocol specifications, that aims to work better for real-world practitioners, students and engineers without sacrificing comprehensive formal verification features. In order to achieve this, Verifpal introduces a new, intuitive language for modeling protocols that is easier to write and understand than the languages employed by existing tools. Its formal verification paradigm is also designed explicitly to provide protocol modeling that avoids user error. Verifpal is able to model protocols under an active attacker with unbounded sessions and fresh values, and supports queries for advanced security properties such as forward secrecy or key compromise impersonation. Furthermore, Verifpal's semantics have been formalized within the Coq theorem prover, and Verifpal models can be automatically translated into Coq as well as into ProVerif models for further verification. Verifpal has already been used to verify security properties for Signal, Scuttlebutt, TLS 1.3 as well as the first formal model for the DP-3T pandemic-tracing protocol, which we present in this work. Through Verifpal, we show that advanced verification with formalized semantics and sound logic can exist without any expense towards the convenience of real-world practitioners.

    An Extensive Formal Analysis of Multi-factor Authentication Protocols

    Passwords are still the most widespread means for authenticating users, even though they have been shown to create huge security problems. This motivated the use of additional authentication mechanisms in so-called multi-factor authentication protocols. In this article, we define a detailed threat model for this kind of protocol: While in classical protocol analysis attackers control the communication network, we take into account that many communications are performed over TLS channels, that computers may be infected by different kinds of malware, that attackers could perform phishing, and that humans may omit some actions. We formalize this model in the applied pi calculus and perform an extensive analysis and comparison of several widely used protocols—variants of Google 2-step and FIDO’s U2F (Yubico’s Security Key token). The analysis is completely automated, generating systematically all combinations of threat scenarios for each of the protocols and using the PROVERIF tool for automated protocol analysis. To validate our model and attacks, we demonstrate their feasibility in practice, even though our experiments are run in a laboratory environment. Our analysis highlights weaknesses and strengths of the different protocols. It allows us to suggest several small modifications of the existing protocols that are easy to implement, as well as an extension of Google 2-step that improves security in several threat scenarios.

    Provable Security Analysis of FIDO2

    We carry out the first provable security analysis of the new FIDO2 protocols, the promising FIDO Alliance's proposal for a standard for passwordless user authentication. Our analysis covers the core components of FIDO2: the W3C’s Web Authentication (WebAuthn) specification and the new Client-to-Authenticator Protocol (CTAP2). Our analysis is modular. For WebAuthn and CTAP2, in turn, we propose appropriate security models that aim to capture their intended security goals and use the models to analyze their security. First, our proof confirms the authentication security of WebAuthn. Then, we show CTAP2 can only be proved secure in a weak sense; meanwhile we identify a series of its design flaws and provide suggestions for improvement. To withstand stronger yet realistic adversaries, we propose a generic protocol called sPACA and prove its strong security; with proper instantiations sPACA is also more efficient than CTAP2. Finally, we analyze the overall security guarantees provided by FIDO2 and WebAuthn+sPACA based on the security of its components. We expect that our models and provable security results will help clarify the security guarantees of the FIDO2 protocols. In addition, we advocate the adoption of our sPACA protocol as a substitute of CTAP2 for both stronger security and better performance.

    Exploration of the Security and Usability of the FIDO2 Authentication Protocol

    Gemstone Team PASS. Fast IDentity Online (FIDO) is a passwordless authentication protocol for the web that leverages public key cryptography and trusted devices to avoid shared secrets on servers. The current version of FIDO, FIDO2, has become widespread and is directly integrated into popular systems such as Windows Hello and Android OS. This thesis details two contributions to the advancement of FIDO2. The first is a modification to the protocol which uses Trusted Execution Environments to resolve security vulnerabilities in the Client To Authenticator Protocol Version 2 (CTAP2), which is a component of FIDO2. It is formally demonstrated that this modification provides a stronger security assumption than CTAP2. The second contribution is an outline of procedures and resources for future researchers to carry out a study of the usability of FIDO2 authenticators via a within-subjects experiment. In the study, subjects register an account on a custom web app using both passwords and FIDO2 credentials. The web app collects metrics about user behavior such as timing information for authentication sessions. Over the course of a week, subjects log in to the same web app every day using both authentication methods. Subjects complete entrance and exit surveys based on the System Usability Scale (SUS) according to their experiences. The surveys and user metrics would then be analyzed to determine whether users perceive FIDO2 as more usable than passwords.

    Towards secure communication and authentication: Provable security analysis and new constructions

    Secure communication and authentication are some of the most important and practical topics studied in modern cryptography. Plenty of cryptographic protocols have been proposed to accommodate all sorts of requirements in different settings and some of those have been widely deployed and utilized in our daily lives. It is a crucial goal to provide formal security guarantees for such protocols. In this thesis, we apply the provable security approach, a standard method used in cryptography to formally analyze the security of cryptographic protocols, to three problems related to secure communication and authentication. First, we focus on the case where a user and a server share a secret and try to authenticate each other and establish a session key for secure communication, for which we propose the first user authentication and key exchange protocols that can tolerate strong corruptions on the client-side. Next, we consider the setting where a public-key infrastructure (PKI) is available and propose models to thoroughly compare the security and availability properties of the most important low-latency secure channel establishment protocols. Finally, we perform the first provable security analysis of the new FIDO2 protocols, the promising proposed standard for passwordless user authentication from the Fast IDentity Online (FIDO) Alliance to replace the world's over-reliance on passwords to authenticate users, and design new constructions to achieve stronger security. Ph.D.