33 research outputs found
An Epistemic Approach to Coercion-Resistance for Electronic Voting Protocols
Coercion resistance is an important and one of the most intricate security
requirements of electronic voting protocols. Several definitions of coercion
resistance have been proposed in the literature, including definitions based on
symbolic models. However, existing definitions in such models are rather
restricted in their scope and quite complex.
In this paper, we therefore propose a new definition of coercion resistance
in a symbolic setting, based on an epistemic approach. Our definition is
relatively simple and intuitive. It allows for a fine-grained formulation of
coercion resistance and can be stated independently of a specific, symbolic
protocol and adversary model. As a proof of concept, we apply our definition to
three voting protocols. In particular, we carry out the first rigorous analysis
of the recently proposed Civitas system. We precisely identify those conditions
under which this system guarantees coercion resistance or fails to be coercion
resistant. We also analyze protocols proposed by Lee et al. and Okamoto.Comment: An extended version of a paper from IEEE Symposium on Security and
Privacy (S&P) 200
Analyzing the BrowserID SSO System with Primary Identity Providers Using an Expressive Model of the Web
BrowserID is a complex, real-world Single Sign-On (SSO) System for web
applications recently developed by Mozilla. It employs new HTML5 features (such
as web messaging and web storage) and cryptographic assertions to provide
decentralized login, with the intent to respect users' privacy. It can operate
in a primary and a secondary identity provider mode. While in the primary mode
BrowserID runs with arbitrary identity providers (IdPs), in the secondary mode
there is one IdP only, namely Mozilla's default IdP.
We recently proposed an expressive general model for the web infrastructure
and, based on this web model, analyzed the security of the secondary IdP mode
of BrowserID. The analysis revealed several severe vulnerabilities.
In this paper, we complement our prior work by analyzing the even more
complex primary IdP mode of BrowserID. We do not only study authentication
properties as before, but also privacy properties. During our analysis we
discovered new and practical attacks that do not apply to the secondary mode:
an identity injection attack, which violates a central authentication property
of SSO systems, and attacks that break an important privacy promise of
BrowserID and which do not seem to be fixable without a major redesign of the
system. Some of our attacks on privacy make use of a browser side channel that
has not gained a lot of attention so far.
For the authentication bug, we propose a fix and formally prove in a slight
extension of our general web model that the fixed system satisfies all the
requirements we consider. This constitutes the most complex formal analysis of
a web application based on an expressive model of the web infrastructure so
far.
As another contribution, we identify and prove important security properties
of generic web features in the extended web model to facilitate future analysis
efforts of web standards and web applications.Comment: arXiv admin note: substantial text overlap with arXiv:1403.186
The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines
Web-based single sign-on (SSO) services such as Google Sign-In and Log In
with Paypal are based on the OpenID Connect protocol. This protocol enables
so-called relying parties to delegate user authentication to so-called identity
providers. OpenID Connect is one of the newest and most widely deployed single
sign-on protocols on the web. Despite its importance, it has not received much
attention from security researchers so far, and in particular, has not
undergone any rigorous security analysis.
In this paper, we carry out the first in-depth security analysis of OpenID
Connect. To this end, we use a comprehensive generic model of the web to
develop a detailed formal model of OpenID Connect. Based on this model, we then
precisely formalize and prove central security properties for OpenID Connect,
including authentication, authorization, and session integrity properties.
In our modeling of OpenID Connect, we employ security measures in order to
avoid attacks on OpenID Connect that have been discovered previously and new
attack variants that we document for the first time in this paper. Based on
these security measures, we propose security guidelines for implementors of
OpenID Connect. Our formal analysis demonstrates that these guidelines are in
fact effective and sufficient.Comment: An abridged version appears in CSF 2017. Parts of this work extend
the web model presented in arXiv:1411.7210, arXiv:1403.1866,
arXiv:1508.01719, and arXiv:1601.0122
An Expressive Model for the Web Infrastructure: Definition and Application to the BrowserID SSO System
The web constitutes a complex infrastructure and as demonstrated by numerous
attacks, rigorous analysis of standards and web applications is indispensable.
Inspired by successful prior work, in particular the work by Akhawe et al. as
well as Bansal et al., in this work we propose a formal model for the web
infrastructure. While unlike prior works, which aim at automatic analysis, our
model so far is not directly amenable to automation, it is much more
comprehensive and accurate with respect to the standards and specifications. As
such, it can serve as a solid basis for the analysis of a broad range of
standards and applications.
As a case study and another important contribution of our work, we use our
model to carry out the first rigorous analysis of the BrowserID system (a.k.a.
Mozilla Persona), a recently developed complex real-world single sign-on system
that employs technologies such as AJAX, cross-document messaging, and HTML5 web
storage. Our analysis revealed a number of very critical flaws that could not
have been captured in prior models. We propose fixes for the flaws, formally
state relevant security properties, and prove that the fixed system in a
setting with a so-called secondary identity provider satisfies these security
properties in our model. The fixes for the most critical flaws have already
been adopted by Mozilla and our findings have been rewarded by the Mozilla
Security Bug Bounty Program.Comment: An abridged version appears in S&P 201
Implementing a Unification Algorithm for Protocol Analysis with XOR
In this paper, we propose a unification algorithm for the theory which
combines unification algorithms for E\_{\std} and E\_{\ACUN} (ACUN
properties, like XOR) but compared to the more general combination methods uses
specific properties of the equational theories for further optimizations. Our
optimizations drastically reduce the number of non-deterministic choices, in
particular those for variable identification and linear orderings. This is
important for reducing both the runtime of the unification algorithm and the
number of unifiers in the complete set of unifiers. We emphasize that obtaining
a ``small'' set of unifiers is essential for the efficiency of the constraint
solving procedure within which the unification algorithm is used. The method is
implemented in the CL-Atse tool for security protocol analysis
A Constraint-Based Algorithm for Contract-Signing Protocols
Research on the automatic analysis of cryptographic protocols has so far mainly concentrated on reachability properties, such as secrecy and authentication. Only recently it was shown that certain game-theoretic security properties, such as balance for contract-signing protocols, are decidable in a Dolev-Yao style model with a bounded number of sessions but unbounded message size. However, this result does not provide a practical algorithm as it merely bounds the size of attacks. In this paper, we prove that game-theoretic security properties can be decided based on standard constraint solving procedures. This paves the way for extending existing implementations and tools for reachability properties to deal with game-theoretic security properties
Automata-based Analysis of Recursive Cryptographic Protocols
Cryptographic protocols can be divided into (1) protocols where the protocol steps are simple from a computational point of view and can thus be modeled by simple means, for instance, single rewrite rules---we call these protocols non-looping---and (2) protocols, such as group protocols, where the protocol steps are complex and typically involve an iterative or recursive computation---we call them recursive. While many results on the decidability of security are known for non-looping protocols, only little is known for recursive protocols. In this paper, we prove decidability of security (w.r.t.~the standard Dolev-Yao intruder) for a core class of recursive protocols and undecidability for several extensions. The key ingredient of our protocol model are specifically designed tree transducers which work over infinite signatures and have the ability to generate new constants (which allow us to mimic key generation). The decidability result is based on an automata-theoretic construction which involves a new notion of regularity, designed to work well with the infinite signatures we use
Infinite State AMC-Model Checking for Cryptographic Protocols
Only very little is known about the automatic analysis of cryptographic protocols for game-theoretic security properties. In this paper, we therefore study decidability and complexity of the model checking problem for AMC-formulas over infinite state concurrent game structures induced by cryptographic protocols and the Dolev-Yao intruder. We show that the problem is NEXPTIME-complete when making reasonable assumptions about protocols and for an expressive fragment of AMC, which contains, for example, all properties formulated by Kremer and Raskin in fair ATL for contract-signing and non-repudiation protocols. We also prove that our assumptions on protocols are necessary to obtain decidability
Universally Composable Symmetric Encryption
For most basic cryptographic tasks, such as public key
encryption, digital signatures, authentication, key
exchange, and many other more sophisticated tasks, ideal
functionalities have been formulated in the
simulation-based security approach, along with their
realizations. Surprisingly, however, no such functionality
exists for symmetric encryption, except for a more abstract
Dolev-Yao style functionality. In this paper, we fill this
gap. We propose two functionalities for symmetric
encryption, an unauthenticated and an authenticated
version, and show that they can be implemented based on
standard cryptographic assumptions for symmetric encryption
schemes, namely IND-CCA security and authenticated
encryption, respectively. We also illustrate the usefulness
of our functionalities in applications, both in
simulation-based and game-based security settings
The IITM Model: a Simple and Expressive Model for Universal Composability
The universal composability paradigm allows for the modular design and analysis of cryptographic protocols. It has been widely and successfully used in cryptography. However, devising a coherent yet simple and expressive model for universal composability is, as the history of such models shows, highly non-trivial. For example, several partly severe problems have been pointed out in the literature for the UC model.
In this work, we propose a coherent model for universal composability, called the IITM model (``Inexhaustible Interactive Turing Machine\u27\u27). A main feature of the model is that it is stated without a priori fixing irrelevant details, such as a specific way of addressing of machines by session and party identifiers, a specific modeling of corruption, or a specific protocol hierarchy. In addition, we employ a very general notion of runtime. All reasonable protocols and ideal functionalities should be expressible based on this notion in a direct and natural way, and without tweaks, such as (artificial) padding of messages or (artificially) adding extra messages.
Not least because of these features, the model is simple and expressive. Also the general results that we prove, such as composition theorems, hold independently of how such details are fixed for concrete applications.
Being inspired by other models for universal composability, in particular the UC model and because of the flexibility and expressivity of the IITM model, conceptually, results formulated in these models directly carry over to the IITM model