17 research outputs found
Contraction Hierarchies for continuous graph simplification
Contraction hierarchies allow shortest paths in a graph to be found efficiently. Before the actual shortest-path search, a preprocessing phase takes place whose central operation is the contraction of nodes. The node in question is first removed from the graph; if this increases the shortest-path distance between its neighbouring nodes, new edges, so-called shortcuts, are added to the graph.
The iterative removal of nodes can, however, also be used to simplify the original graph. To this end, this thesis examines various contraction orders. The criteria considered for ordering the nodes are the edge difference, the spatial density of the nodes, the average length of the edges incident to the node, and (for nodes of degree two) the angle between the edges incident to the node. A method is described for combining the different criteria with one another.
Furthermore, a method is presented for producing a simplified graph from the output of the preprocessing. Nodes are removed from the graph depending on the time of their contraction. Among the remaining edges, shortcuts that are too long are recursively unpacked, i.e. replaced by the original edges.
Formal security analysis of the OpenID FAPI 2.0 Security Profile with FAPI 2.0 Message Signing, FAPI-CIBA, Dynamic Client Registration and Management : technical report
Building on our recent formal security analysis of the FAPI 2.0 Security Profile, we here extend the analysis effort to FAPI 2.0 Message Signing, combined with Dynamic Client Registration, Dynamic Client Management, and FAPI-CIBA. Overall, we model an ecosystem which uses all these profiles and extensions in parallel.
Like the previous work on the FAPI 2.0 Security Profile, this analysis is based on the Web Infrastructure Model, a Dolev-Yao style model of the web infrastructure; in fact, it is the most comprehensive and detailed model of the web infrastructure to date. We identify several attacks, propose fixes and prove the fixed protocols secure with respect to authorization, authentication, session integrity for both authorization and authentication, and non-repudiation for the messages covered by FAPI 2.0 Message Signing. The attacks and proposed fixes have been reported to the responsible FAPI Working Group at the OpenID Foundation, and fixes have since been incorporated into the specifications.
Formal Security Analysis of the OpenID FAPI 2.0: Accompanying a Standardization Process
In recent years, the number of third-party services that can access highly-sensitive data has increased steadily, e.g., in the financial sector, in eGovernment applications, or in high-assurance identity services. Protocols that enable this access must provide strong security guarantees.
A prominent and widely employed protocol for this purpose is the OpenID Foundation's FAPI protocol. The FAPI protocol is already in widespread use, e.g., as part of the UK's Open Banking standards and Brazil's Open Banking Initiative as well as outside of the financial sector, for instance, as part of the Australian government's Consumer Data Rights standards.
Based on lessons learned from FAPI 1.0, the OpenID Foundation has developed a completely new protocol, called FAPI 2.0. The specifications of FAPI 2.0 include a concrete set of security goals and attacker models under which the protocol aims to be secure.
Following an invitation from the OpenID Foundation's FAPI Working Group (FAPI WG), we have accompanied the standardization process of the FAPI 2.0 protocol by an in-depth formal security analysis. In this paper, we report on our analysis and findings.
Our analysis incorporates the first formal model of the FAPI 2.0 protocol and is based on a detailed model of the web infrastructure, the Web Infrastructure Model, originally proposed by Fett, Küsters, and Schmitz. Our analysis has uncovered several types of attacks on the protocol, violating the aforementioned security goals set by the FAPI WG. We subsequently have worked with the FAPI WG to fix the protocol, resulting in several changes to the specifications. After adapting our model to the changed specifications, we have proved the security properties to hold under the strong attacker model defined by the FAPI WG.
The Grant Negotiation and Authorization Protocol: Attacking, Fixing, and Verifying an Emerging Standard
The Grant Negotiation and Authorization Protocol (GNAP) is an emerging authorization and authentication protocol which aims to consolidate and unify several use-cases of OAuth 2.0 and many of its common extensions while providing a higher degree of security. OAuth 2.0 is an essential cornerstone of the security of authorization and authentication for the Web, IoT, and beyond, and is used, among others, by many global players, like Google, Facebook, and Microsoft. Because of historically grown limitations and issues of OAuth 2.0 and its various extensions, prominent members of the OAuth community decided to create GNAP, a new and completely redesigned authorization and authentication protocol. Given GNAP's advantages over OAuth 2.0 and its support within the OAuth community, GNAP is expected to become at least as important as OAuth 2.0.
In this paper, we present the first formal security analysis of GNAP. We build a detailed formal model of GNAP, based on the Web Infrastructure Model (WIM) of Fett, Küsters, and Schmitz. Based on this model, we provide formal statements of the key security properties of GNAP, namely, authorization, authentication, and session integrity for both authorization and authentication. In the process of trying to prove these properties, we have discovered several attacks on GNAP. We present these attacks as well as modifications to the protocol that prevent them. These modifications have been incorporated into the GNAP specification after discussion with the GNAP working group. We give the first formal security guarantees for GNAP, by proving that GNAP, with our modifications applied, satisfies the mentioned security properties.
GNAP was still an early draft when we started our analysis, but is now on track to be adopted as an IETF standard. Hence, our analysis is just in time to help ensure the security of this important emerging standard.
A Formal Security Analysis of the W3C Web Payment APIs: Attacks and Verification
Payment is an essential part of e-commerce. Merchants usually rely on third-parties, so-called payment processors, who take care of transferring the payment from the customer to the merchant. How a payment processor interacts with the customer and the merchant varies a lot. Each payment processor typically invents its own protocol that has to be integrated into the merchant’s application and provides the user with a new, potentially unknown and confusing user experience.
Pushed by major companies, including Apple, Google, Mastercard, and Visa, the W3C is currently developing a new set of standards to unify the online checkout process and “streamline the user’s payment experience”. The main idea is to integrate payment as a native functionality into web browsers, referred to as the Web Payment APIs. While this new checkout process will indeed be simple and convenient from an end-user perspective, the technical realization requires rather significant changes to browsers.
Many major browsers, such as Chrome, Firefox, Edge, Safari, and Opera, already implement these new standards, and many payment processors, such as Google Pay, Apple Pay, or Stripe, support the use of Web Payment APIs for payments. The ecosystem is constantly growing, meaning that the Web Payment APIs will likely be used by millions of people worldwide.
So far, there has been no in-depth security analysis of these new standards. In this paper, we present the first such analysis of the Web Payment APIs standards, a rigorous formal analysis. It is based on the Web Infrastructure Model (WIM), the most comprehensive model of the web infrastructure to date, which, among others, we extend to integrate the new payment functionality into the generic browser model.
Our analysis reveals two new critical vulnerabilities that allow a malicious merchant to over-charge an unsuspecting customer. We have verified our attacks using the Chrome implementation and reported these problems to the W3C as well as the Chrome developers, who have acknowledged these problems. Moreover, we propose fixes to the standard, which by now have been adopted by the W3C and Chrome, and prove that the fixed Web Payment APIs indeed satisfy strong security properties.
The Grant Negotiation and Authorization Protocol : attacking, fixing, and verifying an emerging standard
The Grant Negotiation and Authorization Protocol (GNAP) is an emerging authorization and authentication protocol which aims to consolidate and unify several use-cases of OAuth 2.0 and many of its common extensions while providing a higher degree of security. OAuth 2.0 is an essential cornerstone of the security of authorization and authentication for the Web, IoT, and beyond, and is used, among others, by many global players, like Google, Facebook, and Microsoft. Historical limitations of OAuth 2.0 and its extensions have led prominent members of the OAuth community to create GNAP, a newly designed protocol for authorization and authentication. Given GNAP's advantages over OAuth 2.0 and its support within the OAuth community, GNAP is expected to become at least as important as OAuth 2.0.
In this work, we present the first formal security analysis of GNAP. We build a detailed formal model of GNAP, based on the Web Infrastructure Model (WIM) of Fett, Küsters, and Schmitz, and provide formal statements of the key security properties of GNAP, namely authorization, authentication, and session integrity. We discovered several attacks on GNAP in the process of trying to prove these properties. We present these attacks, as well as changes to the protocol that prevent them. These modifications have been incorporated into the GNAP specification after discussion with the GNAP working group. We give the first formal security guarantees for GNAP, by proving that GNAP, with our modifications applied, satisfies the mentioned security properties.
GNAP was still an early draft when we began our analysis, but is now on track to be adopted as an IETF standard. Hence, our analysis is just in time to help ensure the security of this important emerging standard.
DY* : A Modular Symbolic Verification Framework for Executable Cryptographic Protocol Code
We present DY*, a new formal verification framework for the symbolic security analysis of cryptographic protocol code written in the F* programming language. Unlike automated symbolic provers, our framework accounts for advanced protocol features like unbounded loops and mutable recursive data structures, as well as low-level implementation details like protocol state machines and message formats, which are often at the root of real-world attacks. Our work extends a long line of research on using dependent type systems for this task, but takes a fundamentally new approach by explicitly modeling the global trace-based semantics within the framework, hence bridging the gap between trace-based and type-based protocol analyses. This approach enables us to uniformly, precisely, and soundly model, for the first time using dependent types, long-lived mutable protocol state, equational theories, fine-grained dynamic corruption, and trace-based security properties like forward secrecy and post-compromise security. DY* is built as a library of F* modules that includes a model of low-level protocol execution, a Dolev-Yao symbolic attacker, and generic security abstractions and lemmas, all verified using F*. The library exposes a high-level API that facilitates succinct security proofs for protocol code. We demonstrate the effectiveness of this approach through a detailed symbolic security analysis of the Signal protocol that is based on an interoperable implementation of the protocol from prior work, and is the first mechanized proof of Signal to account for forward and post-compromise security over an unbounded number of protocol rounds.
Layered symbolic security analysis in DY*
While cryptographic protocols are often analyzed in isolation, they are typically deployed within a stack of protocols, where each layer relies on the security guarantees provided by the protocol layer below it, and in turn provides its own security functionality to the layer above. Formally analyzing the whole stack in one go is infeasible even for semi-automated verification tools, and impossible for pen-and-paper proofs. The DY* protocol verification framework offers a modular and scalable technique that can reason about large protocols, specified as a set of F* modules. However, it does not support the compositional verification of layered protocols since it treats the global security invariants monolithically. In this paper, we extend DY* with a new methodology that allows analysts to modularly analyze each layer in a way that composes to provide security for a protocol stack. Importantly, our technique allows a layer to be replaced by another implementation, without affecting the proofs of other layers. We demonstrate this methodology on two case studies. We also present a verified library of generic authenticated and confidential communication patterns that can be used in future protocol analyses and is of independent interest.
Layered Symbolic Security Analysis in DY*
While cryptographic protocols are often analyzed in isolation, they are typically deployed within a stack of protocols, where each layer relies on the security guarantees provided by the protocol layer below it, and in turn provides its own security functionality to the layer above. Formally analyzing the whole stack in one go is infeasible even for semi-automated verification tools, and impossible for pen-and-paper proofs. The DY* protocol verification framework offers a modular and scalable technique that can reason about large protocols, specified as a set of F* modules. However, it does not support the compositional verification of layered protocols since it treats the global security invariants monolithically. In this paper, we extend DY* with a new methodology that allows analysts to modularly analyze each layer in a way that composes to provide security for a protocol stack. Importantly, our technique allows a layer to be replaced by another implementation, without affecting the proofs of other layers. We demonstrate this methodology on two case studies. We also present a verified library of generic authenticated and confidential communication patterns that can be used in future protocol analyses and is of independent interest.
Security analysis of the OpenID financial-grade API
The OpenID Financial-grade API provides a mechanism for accessing data and resources that need a high degree of protection, such as in the context of financial applications.
As a profile of the OAuth 2.0 Authorization Framework designed for high-risk scenarios, the Financial-grade API aims at being secure even if the procedure is attacked at several points leading to wrongly configured endpoints, the leakage of tokens and even whole requests and responses. To achieve this degree of security, several additional mechanisms are used, which protect against the usage of leaked tokens and protect messages against modification.
We modeled both the Read-Only Profile and the Read-Write Profile of the Financial-grade API in the FKS Web Model, including all underlying assumptions that might affect the security of the flows. Through formal analysis, we discovered several attacks not only on mechanisms specific to the Financial-grade API but also on more general concepts of OAuth, namely, Token Binding and the Proof Key for Code Exchange extension.
We provide mitigations against these attack scenarios and show that the modified flows are secure as specified by our security definitions. More precisely, these modified flows prevent an attacker from logging in under the identity of an honest user and accessing protected resources belonging to the honest user.
The OpenID Financial-grade API provides a mechanism for accessing data and resources that require a high degree of protection, for example in the context of financial applications.
As a profile of the OAuth 2.0 Authorization Framework, the Financial-grade API was designed for high-risk scenarios and aims to remain secure despite attacks at various points that can lead to misconfigured endpoints, to the disclosure of tokens, and even of whole requests and responses. To achieve this degree of security, additional mechanisms are used that protect against the use of stolen tokens and against modification of messages.
We modeled both the Read-Only and the Read-Write Profile of the Financial-grade API in the FKS web model, including all assumptions that might affect the security of the flows. Through formal analysis, we discovered several attacks that affect not only the Financial-grade API but also more general concepts of OAuth, namely Token Binding and the Proof Key for Code Exchange extension.
We describe measures by which these attacks can be prevented and show that the modified flows are secure in the sense of our security definitions. More precisely, an attacker is prevented from logging in under the identity of an honest user and from using resources belonging to an honest user.