8 research outputs found

    Evaluation of out-of-band authentication channels

    One of the challenges in entirely wireless communication systems is authentication. In pervasive computing and peer-to-peer networks, it is often not possible to rely on the existence of a trusted third party or other infrastructure. Therefore, ad hoc verification of keys via an out-of-band (OOB) channel is often the only way to achieve authentication. Nimble out-of-band for EAP (EAP-NOOB) protocol is intended for bootstrapping security between IoT devices with no provisioned authentication credentials and minimal user interface. The protocol supports a user-assisted OOB channel to mutually authenticate the key-exchange performed over an insecure wireless network between the peer and the server. The protocol allows peers to scan for available networks and, based on the results, generate multiple dynamic OOB messages. The user then delivers one of these messages to the server to register the device and authenticate the key-exchange. We implemented the OOB channels using NFC, QR codes and sound with EAP-NOOB as the bootstrapping protocol. The implementation requires an auxiliary device such as the user's smartphone. We evaluated the usability and security as well as the benefits and limitations of the OOB channels. Our results show that NFC and QR codes are capable of displaying multiple OOB messages while the sound-based channel is suitable for one or two messages due to its lower bandwidth. When the peer device generates multiple OOB messages, the process becomes more complex for the user who needs to browse through them and identify the correct server. However, we showed that this cumbersome step can be removed with the help of a mobile application. Furthermore, we identified vulnerabilities in each technology when used as an OOB channel. While some of these vulnerabilities can be mitigated with the mobile application, some require more refined solutions.

    One of the challenges of entirely wireless systems is authentication. In pervasive computing and peer-to-peer networks, it is often not possible to rely on the existence of a globally trusted third party. Therefore, ad hoc verification of cryptographic keys over a separate communication channel (OOB) is often the only solution for bootstrapping secure communication. It builds resilience against various attacks by introducing a second, independent communication channel into the system. The EAP-NOOB protocol is intended for IoT devices that have a minimal user interface and no pre-installed keys. EAP-NOOB supports a user-assisted OOB channel, which is used to authenticate the mutual key exchange between the device and the server performed over an unprotected network. The protocol allows devices to scan the available networks and, based on that, to produce dynamic authentication messages, which the user delivers to the server to register the device. This work studied the OOB channel of the EAP-NOOB protocol using NFC, QR codes and sound. Reading the authentication message from the device requires the user to have a smartphone. The work evaluated the usability, security and benefits of the implemented authentication channels as well as the factors limiting them. The results show that NFC and QR codes are suitable for displaying multiple OOB messages. The sound-based channel, in contrast, is suitable for only one or two messages because of its slower data transfer. When the IoT device produces multiple OOB messages, the user experience becomes more complex because the user has to identify the correct message and server. The work shows that this step, cumbersome for the user, can be avoided with a separate mobile application. In addition, the work identified vulnerabilities in the implemented transfer methods when they were used as an OOB channel. Although some of these vulnerabilities can be eliminated with the help of the mobile application, some of them require more effective solutions.

    Security Analysis of the Consumer Remote SIM Provisioning Protocol

    Remote SIM provisioning (RSP) for consumer devices is the protocol specified by the GSM Association for downloading SIM profiles into a secure element in a mobile device. The process is commonly known as eSIM, and it is expected to replace removable SIM cards. The security of the protocol is critical because the profile includes the credentials with which the mobile device will authenticate to the mobile network. In this paper, we present a formal security analysis of the consumer RSP protocol. We model the multi-party protocol in applied pi calculus, define formal security goals, and verify them in ProVerif. The analysis shows that the consumer RSP protocol protects against a network adversary when all the intended participants are honest. However, we also model the protocol in realistic partial compromise scenarios where the adversary controls a legitimate participant or communication channel. The security failures in the partial compromise scenarios reveal weaknesses in the protocol design. The most important observation is that the security of RSP depends unnecessarily on it being encapsulated in a TLS tunnel. Also, the lack of pre-established identifiers means that a compromised download server anywhere in the world or a compromised secure element can be used for attacks against RSP between honest participants. Additionally, the lack of reliable methods for verifying user intent can lead to serious security failures. Based on the findings, we recommend practical improvements to RSP implementations, to future versions of the specification, and to mobile operator processes to increase the robustness of eSIM security.
    Comment: 33 pages, 8 figures, Associated ProVerif model files located at https://github.com/peltona/rsp_mode

    Requirements for a Lightweight AKE for OSCORE: IETF Internet Draft

    draft-ietf-lake-reqs-04
    This document compiles the requirements for a lightweight authenticated key exchange protocol for OSCORE. This draft has completed a working group last call (WGLC) in the LAKE working group. Post-WGLC, the requirements are considered sufficiently stable for the working group to proceed with its work. It is not currently planned to publish this draft as an RFC.

    A multifaceted formal analysis of end-to-end encrypted email protocols and cryptographic authentication enhancements

    Largely owing to cryptography, modern messaging tools (e.g., Signal) have reached a considerable degree of sophistication, balancing advanced security features with high usability. This has not been the case for email, which, however, remains the most pervasive and interoperable form of digital communication. As sensitive information (e.g., identification documents, bank statements, or the message in the email itself) is frequently exchanged by this means, protecting the privacy of email communications is a justified concern which has been emphasized in the last years. A great deal of effort has gone into the development of tools and techniques for providing email communications with privacy and security, requirements that were not originally considered. Yet, drawbacks across several dimensions hinder the development of a global solution that would strengthen security while maintaining the standard features that we expect from email clients. In this thesis, we present improvements to security in email communications. Relying on formal methods and cryptography, we design and assess security protocols and analysis techniques, and propose enhancements to implemented approaches for end-to-end secure email communication. In the first part, we propose a methodical process relying on code reverse engineering, which we use to abstract the specifications of two end-to-end security protocols from a secure email solution (called pEp); then, we apply symbolic verification techniques to analyze such protocols with respect to privacy and authentication properties. We also introduce a novel formal framework that enables a system's security analysis aimed at detecting flaws caused by possible discrepancies between the user's and the system's assessment of security. Security protocols, along with user perceptions and interaction traces, are modeled as transition systems; socio-technical security properties are defined as formulas in computation tree logic (CTL), which can then be verified by model checking. Finally, we propose a protocol that aims at securing a password-based authentication system designed to detect the leakage of a password database, from a code-corruption attack. In the second part, the insights gained by the analysis in Part I allow us to propose both theoretical and practical solutions for improving security and usability aspects, primarily of email communication, but from which secure messaging solutions can benefit too. The first enhancement concerns the use of password-authenticated key exchange (PAKE) protocols for entity authentication in peer-to-peer decentralized settings, as a replacement for out-of-band channels; this brings provable security to the so far empirical process, and enables the implementation of further security and usability properties (e.g., forward secrecy, secure secret retrieval). A second idea refers to the protection of weak passwords at rest and in transit, for which we propose a scheme based on the use of a one-time password; furthermore, we consider potential approaches for improving this scheme. The hereby presented research was conducted as part of an industrial partnership between SnT/University of Luxembourg and pEp Security S.A.

    Authentication and Key Exchange in Mobile Ad Hoc Networks

    Over the past decade or so, there has been rapid growth in wireless and mobile applications technologies. More recently, an increasing emphasis has been on the potential of infrastructureless wireless mobile networks that are easy, fast and inexpensive to set up, with the view that such technologies will enable numerous new applications in a wide range of areas. Such networks are commonly referred to as mobile ad hoc networks (MANETs). Exchanging sensitive information over unprotected wireless links with unidentified and untrusted endpoints demands the deployment of security in MANETs. However, lack of infrastructure, mobility and resource constraints of devices, wireless communication links and other unique features of MANETs induce new challenges that make implementing security a very difficult task and require the design of specialized solutions. This thesis is concerned with the design and analysis of security solutions for MANETs. We identify the initial exchange of authentication and key credentials, referred to as pre-authentication, as well as authentication and key exchange as primary security goals. In particular, the problem of pre-authentication has been widely neglected in existing security solutions, even though it is a necessary prerequisite for other security goals. We are the first to classify and analyze different methods of achieving pairwise pre-authentication in MANETs. Out of this investigation, we identify identity-based cryptographic (IBC) schemes as well-suited to secure MANET applications that have no sufficient security solutions at this time. We use pairing-based IBC schemes to design an authentication and key exchange framework that meets the special requirements of MANETs. Our solutions are comprised of algorithms that allow for efficient and secure system setup, pre-authentication, mutual authentication, key establishment, key renewal, key revocation and key escrow prevention. In particular, we present the first fully self-organized key revocation scheme for MANETs that does not require any trusted third party in the network. Our revocation scheme can be used to amend existing IBC solutions, be seamlessly integrated in our security framework and even be adapted to conventional public key solutions for MANETs. Our scheme is based on propagated accusations and once the number of received accusations against a node reaches a defined threshold, the keys of the accused nodes are revoked. All communications are cryptographically protected, but unlike other proposed schemes, do not require computationally demanding digital signatures. Our scheme is the first that efficiently and securely enables nodes to revoke their own keys. Additionally, newly joining nodes can obtain previous accusations without performing computationally demanding operations such as verifying digital signatures. Several security and performance parameters make our scheme adjustable to the hostility of the MANET environment and the degree of resource constraints of network and devices. In our security analysis we show how security parameters can be selected to prevent attacks by colluding nodes and roaming adversaries. In our proposed security framework, we utilize special properties of pairing-based keys to design an efficient and secure method for pairwise pre-authentication and a set of ID-based authenticated key exchange protocols. In addition, we present a format for ID-based public keys that, unlike other proposed formats, allows key renewal before the start of a new expiry interval. Finally, we are the first to discuss the inherent key escrow property of IBC schemes in the context of MANETs. Our analysis shows that some special features of MANETs significantly limit the escrow capabilities of key generation centers (KGCs). We propose a novel concept of spy nodes that can be utilized by KGCs to increase their escrow capabilities and analyze the probabilities of successful escrow attacks with and without spy nodes. In summary, we present a complete authentication and key exchange framework that is tailored for MANET applications that have previously lacked such security solutions. Our solutions can be implemented using any pairing-based IBC scheme. The component design allows for the implementation of single schemes to amend existing solutions that do not provide certain functionalities. The introduction of several security and performance parameters makes our solutions adjustable to different levels of resource constraints and security needs. In addition, we present extensions that make our solutions suitable for applications with sporadic infrastructure access as envisioned in the near future.

    Misbinding attacks on secure device pairing and bootstrapping

    In identity misbinding attacks against authenticated key-exchange protocols, a legitimate but compromised participant manipulates the honest parties so that the victim becomes unknowingly associated with a third party. These attacks are well known, and resistance to misbinding is considered a critical requirement for security protocols on the Internet. In the context of device pairing, on the other hand, the attack has received little attention outside the trusted-computing community. This paper points out that most device pairing protocols are vulnerable to misbinding. Device pairing protocols are characterized by lack of a priori information, such as identifiers and cryptographic roots of trust, about the other endpoint. Therefore, the devices in pairing protocols need to be identified by the user's physical access to them. As case studies for demonstrating the misbinding vulnerability, we use Bluetooth and a protocol that registers new IoT devices to authentication servers on wireless networks. We have implemented the attacks. We also show how the attacks can be found in formal models of the protocols with carefully formulated correspondence assertions. The formal analysis yields a new type of double misbinding attack. While pairing protocols have been extensively modelled and analyzed, misbinding seems to be an aspect that has not previously received sufficient attention. Finally, we discuss potential ways to mitigate the threat and its significance to security of pairing protocols.
    Peer reviewed

    Formal verification of misbinding attacks on secure device pairing and bootstrapping

    In identity misbinding attacks against authenticated key-exchange protocols, a legitimate but compromised participant manipulates the honest parties so that the victim becomes unknowingly associated with a third party. These attacks are well known, and resistance to misbinding is considered a critical requirement for security protocols on the Internet. In the context of device pairing, on the other hand, the attack has received little attention outside the trusted-computing community. This paper points out that most device pairing protocols are vulnerable to misbinding. Device pairing protocols are characterized by lack of a priori information, such as identifiers and cryptographic roots of trust, about the other endpoint. Therefore, the devices in pairing protocols need to be identified by the user's physical access to them. As case studies for demonstrating the misbinding vulnerability, we use Bluetooth and protocols that register new Internet of Things (IoT) devices to authentication servers on wireless networks. We have implemented the attacks. We also show how the attacks can be found in formal models of the protocols with carefully formulated correspondence assertions. The formal analysis yields a new type of double misbinding attack. While pairing protocols have been extensively modelled and analyzed, misbinding seems to be an aspect that has not previously received sufficient attention. Finally, we discuss potential ways to mitigate the threat and its significance to security of pairing protocols.
    Peer reviewed

    Formal verification and standardization of cryptographic protocols

    Secure communication over open networks is fundamental to many modern information systems. Previously centralized architectures now depend on distributed computing and inter-system communication over the Internet. Consequently, the need for secure, reliable, and efficient cryptographic protocols has grown significantly. The demand is further amplified by the emergence of new technologies, such as the Internet of Things, that require previously autonomous devices to interact or connect to remote servers. Numerous security breaches have shown that design flaws in these increasingly complex systems can be challenging to detect and sometimes go unnoticed for years. This thesis demonstrates how formal verification can be used during the development and standardization process of cryptographic protocols to avoid critical security flaws and to detect issues. Formal verification methods provide a way of analyzing the security of a protocol even before it has been implemented or deployed. These methods can be used to ensure that, at the very least, common vulnerabilities and design flaws are avoided. This is particularly important for standards organizations since revising an already standardized protocol is slow and complicated. This thesis evaluates the security of widely deployed protocols and work-in-progress drafts presented to organizations such as the Internet Engineering Task Force (IETF) and the 3rd Generation Partnership Project (3GPP). Specifically, we use two state-of-the-art verification tools, ProVerif and Tamarin prover, to model cryptographic protocols and verify their intended security goals. We identify an identity misbinding attack in device pairing and bootstrapping protocols. Our case study discovers multiple variations of the attack in Bluetooth, Device Provisioning Protocol (DPP), Wi-Fi Direct, and Nimble Out-of-Band Authentication for EAP (EAP-NOOB). Furthermore, we argue that the same attacks are possible for all protocols in this category since they do not require pre-distributed credentials and instead rely on physical access for authentication. We also comprehensively analyze the security of two protocols designed for mobile networks: the consumer Remote SIM Provisioning (RSP) protocol and 5G handover. Finally, we present a case study of a recently standardized device bootstrapping protocol, EAP-NOOB, and explain how formal verification was used throughout the standardization process to understand the security goals and identify potential weaknesses in the design.

    Secure communication over open networks is essential to many modern information systems. Previously centralized architectures are increasingly dependent on distributed systems and on communication between them over the Internet. As a result, the need for secure, reliable and efficient cryptographic protocols has grown significantly. The demand is further increased by the emergence of new technologies, such as the Internet of Things. Previously autonomous devices are now required to interact with each other or to connect to remote servers. Numerous security attacks have shown that detecting security risks in increasingly complex systems is difficult and that they can go unnoticed for years. This dissertation shows how formal verification can be used during the development and standardization process of cryptographic protocols to avoid critical vulnerabilities and to detect problems. Formal verification methods make it possible to analyze the security of protocols even before they are deployed. With these methods it can be ensured that at least common vulnerabilities and design errors are avoided. This is particularly important for standardization organizations, such as the Internet Engineering Task Force (IETF) and the 3rd Generation Partnership Project (3GPP), because updating an already standardized protocol is slow and complicated. This dissertation evaluates the security of both widely used protocols and work-in-progress drafts. We use two state-of-the-art verification tools, ProVerif and Tamarin prover, to model cryptographic protocols and analyze their security. We identify an identity misbinding attack in the protocols used for pairing devices. Our case study presents several variants of the attack in protocols such as Bluetooth, Device Provisioning Protocol (DPP), Wi-Fi Direct and Nimble Out-of-Band Authentication for EAP (EAP-NOOB). In addition, we show that the same attacks are possible in all comparable protocols that use physical control for authenticating identities. We also comprehensively analyze the security of two protocols used in mobile networks (Remote SIM Provisioning and 5G handover). Finally, we present the recently standardized EAP-NOOB protocol and describe how formal verification was used throughout its standardization process to understand the security goals and identify potential vulnerabilities.