Truncating TLS Connections to Violate Beliefs in Web Applications

We identify logical web application flaws which can be exploited by TLS truncation attacks to desynchronize the user- and server-perspective of an application’s state. It follows immediately that servers may make false assumptions about users, hence, the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the following practical attacks: we exploit the Helios electronic voting system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain temporary access to Google accounts

Truncating TLS Connections to Violate Beliefs in Web Applications

This document extends https://hal.inria.fr/hal-00863371v1We identify logical web application flaws which can be exploited by TLS truncation attacks to desynchronize the user- and server-perspective of an application's state. It follows immediately that servers may make false assumptions about users, hence, the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the following practical attacks: we exploit the Helios electronic voting system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain temporary access to Google accounts. Update (October 18, 2014). This technical report revisits our earlier work (2013) and shows that Google remain vulnerable to the attacks that we disclosed

Analysis and mitigation of new network attack types

Network security is an area that needs to be constantly monitored. New forms of network attacks are being discovered and can be divided into several categories. New forms of computer vulnerability can be monitored in various ways. It is important to rapidly discover ways to eliminate vulnerabilities and prevent their abuse. In the thesis, we have set ourselves the aim to conduct a review of recent network attacks and seek measures to prevent them. For this purpose, we have produced a short overview of network attacks. More specifically, we analyzed denial of service attacks and security vulnerabilities which have been discovered in recent years in the SSL / TLS protocol. To demonstrate how easy it is to implement a network attack with modern tools, we carried out an attack using the Heartbleed vulnerability and prepared instructions for eliminating the vulnerability

Implementation-level Analysis of the JavaScript Helios Voting Client

We perform the first automated security analysis of the actual JavaScript implementation of the Helios voting client, a state-of-the-art, web-based, open-audit voting system that is continuously being deployed for real-life elections. While its concept has been exhaustively analyzed by the security community, we actively analyze its actual JavaScript implementation. Automatically ascertaining the security of a large-scale JavaScript implementation comes with major technical challenges. By creating a sequence of program transformations, we overcome these challenges, thereby making the Helios JavaScript client accessible to existing static analysis techniques. We then automatically analyze the transformed client using graph slicing, reducing an approximately 7 million node graph representing the information flow of the client’s implementation to a handful of potentially harmful flows, each individually consisting of less than 40 nodes. Our interpretation of this analysis results in the exposure of two thus far undiscovered vulnerabilities affecting the live version of Helios: a serious cross-site scripting attack leading to arbitrary script execution and a browser-dependent execution path that results in ballots being sent in plaintext. These attacks can be mitigated with minor adaptations to Helios. Moreover, our program transformations result in a version of Helios with fewer external dependencies and, accordingly, a reduced attack surface

Secure Channels and Termination: The Last Word on TLS

Secure channels are one of the most pivotal building blocks of cryptography today. Internet connections, secure messaging, protected IoT data, etc., all rely upon the security of the underlying channel. In this work we define channel protocols, as well as security for channels constructed from stateful length-hiding authenticated encryption (stLHAE) schemes. Furthermore, we initiate the concept of secure termination where, upon receipt of a signifying message, a receiver is guaranteed to have received every message that has been sent, and will ever be sent, on the channel. We apply our results to real-world protocols, linking the channel environment to previous analyses of TLS 1.2, and demonstrating that TLS 1.2 achieves secure termination via fatal alerts and close_notify messages, per the specification of the Alert Protocol

Authentication with Weaker Trust Assumptions for Voting Systems

Some voting systems are reliant on external authentication services. Others use cryptography to implement their own. We combine digital signatures and non-interactive proofs to derive a generic construction for voting systems with their own authentication mechanisms, from systems that rely on external authentication services. We prove that our construction produces systems satisfying ballot secrecy and election verifiability, assuming the underlying voting system does. Moreover, we observe that works based on similar ideas provide neither ballot secrecy nor election verifiability. Finally, we demonstrate applicability of our results by applying our construction to the Helios voting system

Implementing and Proving the TLS 1.3 Record Layer

International audienceThe record layer is the main bridge between TLS applications and internal sub-protocols. Its corefunctionality is an elaborate form of authenticated encryption: streams of messages for each sub-protocol(handshake, alert, and application data) are fragmented, multiplexed, and encrypted with optionalpadding to hide their lengths. Conversely, the sub-protocols may provide fresh keys or signal streamtermination to the record layer.Compared to prior versions, TLS 1.3 discards obsolete schemes in favor of a common construction forAuthenticated Encryption with Associated Data (AEAD), instantiated with algorithms such as AESGCMand ChaCha20-Poly1305. It differs from TLS 1.2 in its use of padding, associated data and nonces.It also encrypts the content-type used to multiplex between sub-protocols. New protocol features suchas early application data (0-RTT and 0.5-RTT) and late handshake messages require additional keysand a more general model of stateful encryption.We build and verify a reference implementation of the TLS record layer and its cryptographic algorithmsin F?, a dependently typed language where security and functional guarantees can be specifiedas pre- and post-conditions. We reduce the high-level security of the record layer to cryptographic assumptionson its ciphers. Each step in the reduction is verified by typing an F? module; for each stepthat involves a cryptographic assumption, this module precisely captures the corresponding game.We first verify the functional correctness and injectivity properties of our implementations of onetimeMAC algorithms (Poly1305 and GHASH) and provide a generic proof of their security given thesetwo properties. We show the security of a generic AEAD construction built from any secure onetimeMAC and PRF. We extend AEAD, first to stream encryption, then to length-hiding, multiplexedencryption. Finally, we build a security model of the record layer against an adversary that controls theTLS sub-protocols. We compute concrete security bounds for the AES_128_GCM, AES_256_GCM,and CHACHA20_POLY1305 ciphersuites, and derive recommended limits on sent data before re-keying.We plug our implementation of the record layer into the miTLS library, confirm that they interoperatewith Chrome and Firefox, and report initial performance results. Combining our functional correctness,security, and experimental results, we conclude that the new TLS record layer (as described in RFCsand cryptographic standards) is provably secure, and we provide its first verified implementation

A foundation for secret, verifiable elections

Many voting systems rely on art, rather than science, to ensure that votes are freely made, with equal influence. Such systems build upon creativity and skill, rather than scientific foundations. These systems are routinely broken in ways that compromise free-choice or permit undue influence. Breaks can be avoided by proving that voting systems satisfy formal notions of voters voting freely and of detecting undue influence. This manuscript provides a detailed technical introduction to a definition of ballot secrecy by Smyth that formalises the former notion and a definition of verifiability by Smyth, Frink & Clarkson that formalises the latter. The definitions are presented in the computational model of cryptography: Ballot secrecy is expressed as the inability to distinguish between an instance of the voting system in which voters cast some votes, from another instance in which the voters cast a permutation of those votes. Verifiability decomposes into individual verifiability, which is expressed as the inability to cause a collision between ballots, and universal verifiability, which is expressed as the inability to cause an incorrect election outcome to be accepted. The definitions are complimented with simple examples that demonstrate the essence of these properties and detailed proofs are constructed to show how secrecy and verifiability can be formally proved. Finally, the Helios and Helios Mixnet voting systems are presented as case studies to provide an understanding of state-of-the-art systems that are being used for binding elections