Conference Paper

Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach


... Formal security proofs of cryptographic protocols and cryptosystems are generally classified into two categories: (1) computational proofs, which make precise computational assumptions and show the complexity of breaking the cryptosystem reduces to the complexity of breaking the assumptions; (2) symbolic or Dolev-Yao proofs, which rely on algebraic abstractions of primitives and directly reason about the actions of a channel-controlling attacker. In general, both methods can be used to provide complementary benefits as some attacks may arise from one approach but not the other [64]. A full breakdown of the differences between the two approaches is discussed in greater detail in [32]. ...
... Signal. The Signal protocol has seen ample formal analysis since its inception in 2013, including both symbolic [65] [64] [27] [31] and computational [13] [39] analysis. These analyses demonstrated the post-compromise and forward secrecy guarantees of the double ratchet scheme and the authentication and security guarantees of the X3DH handshake in the manual, computational setting [39] and the symbolic, mechanized setting [64] [12]. ...
... Tamarin has been used to analyze Apple iMessage [15], TLS 1.3 [42], the EMV standard [22], and the Noise protocol suite [57]. Similarly, ProVerif has been used to analyze Signal [64] and TLS 1.3 [28]. Other symbolic cryptanalysis tools such as Scyther [44] and AVISPA [97] have also been historically used for this purpose. ...
Preprint
Full-text available
Secure instant group messaging applications such as WhatsApp, Facebook Messenger, Matrix, and the Signal Application have become ubiquitous in today's internet, cumulatively serving billions of users. Unlike WhatsApp, for example, Matrix can be deployed in a federated manner, allowing users to choose which server manages their chats. To account for this difference in architecture, Matrix employs two novel cryptographic protocols: Olm, which secures pairwise communications, and Megolm, which relies on Olm and secures group communications. Olm and Megolm are similar to and share security goals with Signal and Sender Keys, which are widely deployed in practice to secure group communications. While Olm, Megolm, and Sender Keys have been manually analyzed in the computational model, no symbolic analysis nor mechanized proofs of correctness exist. Using mechanized proofs and computer-aided analysis is important for cryptographic protocols, as hand-written proofs and analysis are error-prone and often carry subtle mistakes. Using Verifpal, we construct formal models of Olm and Megolm, as well as their composition. We prove various properties of interest about Olm and Megolm, including authentication, confidentiality, forward secrecy, and post-compromise security. We also mechanize known limitations, previously discovered attacks, and trivial attacker wins from the specifications and previous literature. Finally, we model Sender Keys and the composition of Signal with Sender Keys in order to draw a comparison with Olm, Megolm, and their composition. From our analysis we conclude the composition of Olm and Megolm has comparable security to the composition of Signal and Sender Keys if Olm pre-keys are signed, and provably worse post-compromise security if Olm pre-keys are not signed.
... However, we have seen these messaging systems are vulnerable to malicious attacks due to the improper implementations and imbalance between "usability first" or "privacy first". These attacks include server-based attacks, such as vulnerability of Apple's iMessage [11] and Signal Protocol [12]. Moreover, researchers have been able to decipher the message database at end-users' devices of major messaging apps like WhatsApp, WeChat and Viber [13], [14], [15], [16]. ...
... [Table IV and Algorithm 1 (lines 8-14)] M5. A member (A_Q1) of the channel sends a request to the node (Q1) for federating with a new node (Q2) for the channel. ...
Preprint
Full-text available
In the last two decades, messaging systems have gained widespread popularity both in the enterprise and consumer sectors. Many of these systems used secure protocols like end-to-end encryption to ensure strong security in one-to-one communication. However, the majority of them rely on centralized servers, which allows them to use their users' personal data. Also, it allows the government to track and regulate their citizens' activities, which poses significant threats to "digital freedom". Also, these systems have failed to achieve security attributes like confidentiality, integrity, and privacy for group communications. In this paper, we present a novel blockchain-based secure messaging system named Quarks that overcomes the security pitfalls of the existing systems and eliminates centralized control. We have analyzed our architecture with security models to demonstrate the system's reliability and usability. We have developed a Proof of Concept (PoC) of the Quarks system leveraging Distributed Ledger Technology (DLT) and conducted load testing on that. We noticed that our PoC system achieves all the desired attributes that are prevalent in a traditional centralized messaging scheme despite the limited capacity of the development and testing environment. Therefore, this assures us of the applicability of such systems in the near future if scaled up properly.
... Other works focus on Signal for group communication [CPZ20] and multi-device [CDDF20,WBPE21]. The work of [KBB17] uses ProVerif and CryptoVerif to analyze a modified version of the Signal protocol, while their main goal is to provide a methodology for automated verification toward secure messaging protocols in general. Their work is compatible with a potential security analysis of our protocol; however, in this manuscript we take the complementary approach of providing a computational security analysis of Signal, as the one provided by [CGCD+17]. ...
... Our choice of design for quantifying the PCS is the computational model. Yet, automated verification could also be possible (as long as global parameters can be managed) and we consider this line of research for future works. Also, the work of [KBB17] provides a methodology for automated verification of messaging protocols. It is inspirational since their approach could be used for SAMURAI. Extending the model for deep attestation. ...
Thesis
Post-Compromise Security (PCS) is a property of secure-channel establishment schemes which limits the security breach of an adversary that has compromised one of the endpoints to a certain number of messages, after which the channel heals. An attractive property, especially in view of Snowden's revelation of mass-surveillance, PCS features in prominent messaging protocols such as Signal. In this thesis, we first present two variants of Signal which improve the PCS property. Moreover, by viewing PCS as a spectrum, rather than a binary property which schemes might or might not have, in the second part of the thesis we introduce a framework for quantifying and comparing PCS security, with respect to a broad taxonomy of adversaries. The generality and flexibility of our approach allows us to model the healing speed of a broad class of protocols, including Signal and our variant SAMURAI, but also an identity-based messaging protocol named SAID, and even a composition of 5G handover protocols. We also apply the results obtained for this last example in order to provide a quick fix, which massively improves its post-compromise security. The last part of this thesis is dedicated to the question of deep attestation in virtualized infrastructures. Deep attestation is a particular case of remote attestation, i.e., verifying the integrity of a platform in the presence of a remote server. We focus on the remote attestation of hypervisors and their hosted virtual machines (VM), for which two solutions are currently supported by ETSI (European Telecommunications Standards Institute). The first is single-channel attestation, requiring for each VM an attestation of that VM and the underlying hypervisor through the physical TPM.
The second, multi-channel attestation, allows to attest VMs via virtual TPMs and separately from the hypervisor -- this is faster and requires less overall attestations, but the server cannot verify the link between VM and hypervisor attestations, which is naturally available for single-channel attestation. We design a new approach which provides linked remote attestation which achieves the best of both worlds: we benefit from the efficiency of multi-channel attestation while simultaneously allowing attestations to be linked. Moreover, we formalize a security model for deep attestation and prove the security of our approach. Our contribution is agnostic of the precise underlying secure component (which could be instantiated as a TPM or something equivalent) and can be of independent interest.
... Still, EasyCrypt requires users to indicate all intermediate games and write proofs of indistinguishability manually; the tool only checks them. This makes EasyCrypt struggle for large protocols like TLS and Signal, that can be treated in CryptoVerif [BBK17; KBB17]. However, [BBK17] ... implementation in EasyCrypt [DKO21]. ...
... [Bla12]). CryptoVerif itself has been used to analyse modern protocols like Signal [KBB17] and TLS 1.3 [BBK17]. We conclude this chapter by comparing our results with closely related work; Table 3.1 provides a condensed, high-level overview. ...
Thesis
Cryptographic protocols are one of the foundations for the trust people put in computer systems nowadays, be it online banking, any web or cloud services, or secure messaging. One of the best theoretical assurances for cryptographic protocol security is reached through proofs in the computational model. Writing such proofs is prone to subtle errors that can lead to invalidation of the security guarantees and, thus, to undesired security breaches. Proof assistants strive to improve this situation, have got traction, and have increasingly been used to analyse important real-world protocols and to inform their development. Writing proofs using such assistants requires a substantial amount of work. It is an ongoing endeavour to extend their scope through, for example, more automation and detailed modelling of cryptographic building blocks. This thesis shows on the example of the CryptoVerif proof assistant and two case studies, that mechanized cryptographic proofs are practicable and useful in analysing and designing complex real-world protocols. The first case study is on the free and open source Virtual Private Network (VPN) protocol WireGuard that has recently found its way into the Linux kernel. We contribute proofs for several properties that are typical for secure channel protocols. Furthermore, we extend CryptoVerif with a model of unprecedented detail of the popular Diffie-Hellman group Curve25519 used in WireGuard. The second case study is on the new Internet standard Hybrid Public Key Encryption (HPKE), that has already been picked up for use in a privacy-enhancing extension of the TLS protocol (ECH), and in the Messaging Layer Security secure group messaging protocol. We accompanied the development of this standard from its early stages with comprehensive formal cryptographic analysis. We provided constructive feedback that led to significant improvements in its cryptographic design. Eventually, we became an official co-author.
We conduct a detailed cryptographic analysis of one of HPKE's modes, published at Eurocrypt 2021, an encouraging step forward to make mechanized cryptographic proofs more accessible to the broader cryptographic community. The third contribution of this thesis is of methodological nature. For practical purposes, security of implementations of cryptographic protocols is crucial. However, there is frequently a gap between a cryptographic security analysis and an implementation that have both been based on a protocol specification: no formal guarantee exists that the two interpretations of the specification match, and thus, it is unclear if the executable implementation has the guarantees proved by the cryptographic analysis. In this thesis, we close this gap for proofs written in CryptoVerif and implementations written in F*. We develop cv2fstar, a compiler from CryptoVerif models to executable F* specifications using the HACL* verified cryptographic library as backend. cv2fstar translates non-cryptographic assumptions about, e.g., message formats, from the CryptoVerif model to F* lemmas. This allows to prove these assumptions for the specific implementation, further deepening the formal link between the two analysis frameworks. We showcase cv2fstar on the example of the Needham-Schroeder-Lowe protocol. cv2fstar connects CryptoVerif to the large F* ecosystem, eventually allowing to formally guarantee cryptographic properties on verified, efficient low-level code.
... Given the significance and difficulty of this task, many researchers have endeavored to establish robust foundations for the automated, computer-aided design and implementation of cryptographic protocols. Over the years, two approaches have been developed: symbolic and computational approaches [51]-[53]. Symbolic and computational models differ significantly in their approach to analyzing cryptographic protocols. ...
Article
Full-text available
Many companies providing mobile and web-based internet services deploy various middleboxes, including network and security appliances, to enhance network functionality and security. In particular, security appliances such as web application firewalls and intrusion detection/prevention systems are frequently used to inspect transmitted data for security threats. However, the common practice of installing server certificates on middleboxes for encrypted traffic inspection introduces the risk of exposing secret keys. To address this, this paper proposes the middlebox-delegated TLS (mdTLS) protocol, a novel approach leveraging proxy signatures. mdTLS eliminates the need for direct server certificate installation on middleboxes, instead enabling each middlebox to perform network traffic auditing with its own unique certificate. This delegation of certificate authority, facilitated by proxy signature techniques, prevents certificate duplication and streamlines the certificate issuance process, thereby enhancing performance. Implementation results based on OpenSSL demonstrate that mdTLS reduces latency by approximately 25% in key and certificate generation within a general communication environment. Furthermore, similar performance gains are observed when mdTLS is applied to a Snort security appliance. The protocol’s security is formally verified using the Tamarin Prover, confirming its adherence to established TLS security properties and the additional security properties derived from the proxy signature scheme.
... While protocol verification traditionally focuses on the specification layer, monitoring is only one of many approaches to ensure that an implementation adheres to a specification satisfying the demanded security properties. Other techniques include code verification (e.g., via separation logic [38]), verified compilers and code generation (cv2ocaml [12], cv2fstar [26], [4]), type checking (F* [39]), model extraction [1,25,31], (automated) theorem-proving [24], as well as refinement from specification [9,33,7]. All of these are static, which (at least in theory) can ensure security once and for all and thus avoid runtime overhead. ...
Preprint
Full-text available
There exists a verification gap between formal protocol specifications and their actual implementations, which this work aims to bridge via monitoring for compliance to the formal specification. We instrument the networking and cryptographic library the application uses to obtain a stream of events. This is possible even without source code access. We then use an efficient algorithm to match these observations to traces that are valid in the specification model. In contrast to prior work, our algorithm can handle non-determinism and thus, multiple sessions. It also achieves a low overhead, which we demonstrate on the WireGuard reference implementation and a case study from prior work. We find that the reference Tamarin model for WireGuard can be used with little change: We only need to specify wire formats and correct some small inaccuracies that we discovered while conducting the case study. We also provide a soundness result for our algorithm that ensures it accepts only event streams that are valid according to the specification model.
... For a more formal analysis of WhatsApp's security, see [1,3,8]. ...
Conference Paper
In 2016, WhatsApp implemented the Signal Protocol end-to-end encryption system to protect all transmitted data, so as to prevent unauthorized third parties from obtaining information. However, although the encryption system is open source, its implementation was little publicized by the company. The purpose of this work is to study the implementation of this system in order to verify that WhatsApp uses it correctly and cannot obtain access to the content of its users' messages. To this end, code injection was used on an Android device to capture messages and keys and forward them to a third-party system based on the Signal Protocol. The results show that the company uses the system appropriately, without access to users' private keys or to the content of messages.
... ProVerif [44] is a π-algorithm based automated cryptographic protocol verification tool developed by Bruno Blanchet using the Prolog language. ProVerif has been widely used for the formal verification of cryptographic protocols [45]-[50]. ...
Article
Full-text available
Authentication in low-latency Internet of Things (IoT) networks must satisfy three requirements, namely, high security and privacy preservation, high scalability, and low authentication time. These requirements arise because devices in IoT networks must operate in a secure and scalable manner despite being limited in computational resources. Existing authentication mechanisms focus on the security and privacy of IoT networks but neglect the importance of scalability and authentication time. Therefore, existing authentication mechanisms are unscalable and unsuited to low-latency IoT networks. With a focus on increasing scalability and reducing the authentication time while providing high security and privacy preservation in low-latency IoT networks, we propose a mutual authentication mechanism called Zero-Knowledge Proof-based Privacy-Preserving Mutual Authentication (Z-PMA) for IoT networks. The Z-PMA mechanism utilizes a combination of a zero-knowledge proof, an incentive mechanism, and a permissioned blockchain to provide secure, privacy-preserving, scalable, low-latency authentication for IoT networks. We develop a new approach to address the trade-off between the three requirements for authentication mechanisms for low-latency IoT networks that has the potential to improve the overall performance of these networks. A permissioned blockchain is incorporated in the approach to provide secure and immutable data storage using its distributed and unforgeable ledger. Our experimental results show that the Z-PMA mechanism reduces authentication time compared with existing state-of-the-art authentication mechanisms, while providing high security and privacy preservation as well as high scalability.
... Basin et al. [27] proposed a formal and comprehensive 5G AKA protocol analysis using Tamarin. Kobeissi et al. [28] implemented and analyzed a variant of the popular Signal Protocol with automated verification tools. Zhang et al. [29] presented a security analysis of the QUIC handshake protocol based on ProVerif. ...
... Signal [43] is a cryptographic protocol that can be used to provide end-to- ... SSH [45], also known as Secure Shell, is a cryptographic network protocol often used for remote command-line, login, and remote command execution, but any network service can be secured with SSH. SSH provides a secure channel over an unsecured network by using a client-server architecture, connecting an SSH client application with an SSH server. ...
... Moreover, this tool supports advanced security properties such as forward secrecy or key compromise impersonation. We note that Verifpal has been used to verify security properties of widely deployed tools, such as Signal [18] and TLS 1.3 [4]. ...
Chapter
Full-text available
The Sleeve construction proposed by Chaum et al. (ACNS'21) introduces an extra security layer for digital wallets by allowing users to generate a "back up key" securely nested inside the secret key of a signature scheme, i.e., ECDSA. The "back up key", which is secret, can be used to issue a "proof of ownership", i.e., only the real owner of this secret key can generate a single proof, which is based on the WOTS+ signature scheme. The authors of Sleeve proposed the formal technique for a single proof of ownership, and only informally outlined a construction to generalize it to multiple proofs. This work identifies that their proposed construction presents drawbacks, i.e., varying of signature size and signing/verifying computation complexity, limitation of linear construction, etc. Therefore we introduce WOTSwana, a generalization of Sleeve, which is, more concretely, a more general scheme, i.e. an extra security layer that generates multiple proofs of ownership, and put forth a thorough formalization of two constructions: (1) one given by a linear concatenation of numerous WOTS+ private/public keys, and (2) a construction based on tree-like structure, i.e., an underneath Merkle tree whose leaves are WOTS+ private/public key pairs. Furthermore, we present the security analysis for multiple proofs of ownership, showcasing that this work addresses the early mentioned drawbacks of the original construction. In particular, we extend the original security definition for Sleeve. Finally, we illustrate an alternative application of our construction, by discussing the creation of an encrypted group chat messaging application. Keywords: Hash-based Signatures; Post-Quantum Cryptography; ECDSA
... Formal verification (FV) is a promising technique for verifying the security of protocols (e.g., TLS 1.3 [19], [22], [10], the Noise framework [26], [29], Signal [18], [16], [28], 5G authentication key exchange [9], and WPA2 [21]). Recognizing its potential, various prior attempts (e.g., [20], [14], [37], [7], [35]) have been made to prove and discover attacks in Bluetooth secure authentication pairing protocols (which allows two or multiple devices to negotiate keys). ...
... Security of Messengers: A systematization of knowledge by Unger et al. [52] provides an extensive overview of security features in many instant messaging applications. Similarly, also other studies have analyzed security features of specific subsets of messengers and their cryptographic foundations [1], [20], [21], protocols [9], [17], [24], [42], or exploited specific features such as contact discovery to crawl millions of American phone numbers [19]. ...
... It was first released in 2002, and has been continuously developed for the last 20 years. It has been used to analyze hundreds of protocols, including major deployed protocols such as TLS [28], Signal [29], Noise [30], avionic protocols [31], and the Neuchâtel voting protocol [32]. ...
Preprint
We introduce new features in ProVerif, an automatic tool for verifying security protocols, and a methodology for using them. This methodology and these features are aimed at protocols which involve sophisticated data types that have strong properties, such as Merkle trees, which allow compact proofs of data presence and tree extension. Such data types are widely used in protocols in systems that use distributed ledgers and/or blockchains. With our methodology, it is possible to describe the data type quite abstractly, using ProVerif axioms, and prove the correctness of the protocol using those axioms as assumptions. Then, in separate steps, one can define one or more concrete implementations of the data type, and again use ProVerif to show that the implementations satisfy the assumptions that were coded as axioms. This helps make compositional proofs, splitting the proof burden into several manageable pieces. To enable this methodology, we introduce new capabilities in ProVerif, by extending the class of lemmas and axioms that it can reason with. Specifically, we allow user-defined predicates, attacker predicates and message predicates to appear in lemmas and axioms. We show the soundness of the implementation of this idea with respect to the semantics. We illustrate the methodology and features by providing the first formal verification of two transparency protocols which precisely models the Merkle tree data structure. The two protocols are transparent decryption and certificate transparency. Transparent decryption is a way of ensuring that decryption operations are visible by people who are affected by them. This can be used to support privacy: it can mean that a subject is alerted to the fact that information about them has been decrypted. Certificate transparency is an Internet security standard for monitoring and auditing the issuance of digital certificates.
... Moreover, this tool supports advanced security properties such as forward secrecy or key compromise impersonation. We note that Verifpal has been used to verify security properties of widely deployed tools, such as Signal [18] and TLS 1.3 [4]. ...
Conference Paper
Full-text available
The Sleeve construction proposed by Chaum et al. (ACNS'21) introduces an extra security layer for digital wallets by allowing users to generate a "back up key" securely nested inside the secret key of a signature scheme, i.e., ECDSA. The "back up key", which is secret, can be used to issue a "proof of ownership", i.e., only the real owner of this secret key can generate a single proof, which is based on the WOTS+ signature scheme. The authors of Sleeve proposed the formal technique for a single proof of ownership, and only informally outlined a construction to generalize it to multiple proofs. This work identifies that their proposed construction presents drawbacks, i.e., varying of signature size and signing/verifying computation complexity, limitation of linear construction, etc. Therefore we introduce WOTSwana, a generalization of Sleeve, which is, more concretely, a more general scheme, i.e. an extra security layer that generates multiple proofs of ownership, and put forth a thorough formalization of two constructions: (1) one given by a linear concatenation of numerous WOTS+ private/public keys, and (2) a construction based on tree-like structure, i.e., an underneath Merkle tree whose leaves are WOTS+ private/public key pairs. Furthermore, we present the security analysis for multiple proofs of ownership, showcasing that this work addresses the early mentioned drawbacks of the original construction. In particular, we extend the original security definition for Sleeve. Finally, we illustrate an alternative application of our construction, by discussing the creation of an encrypted group chat messaging application.
... [52] provides an extensive overview of security features in many instant messaging applications. Similarly, also other studies have analyzed security features of specific subsets of messengers and their cryptographic foundations [1], [20], [21], protocols [9], [17], [24], [42], or exploited specific features such as contact discovery to crawl millions of American phone numbers [19]. ...
Preprint
Full-text available
Mobile instant messengers such as WhatsApp use delivery status notifications in order to inform users if a sent message has successfully reached its destination. This is useful and important information for the sender due to the often asynchronous use of the messenger service. However, as we demonstrate in this paper, this standard feature opens up a timing side channel with unexpected consequences for user location privacy. We investigate this threat conceptually and experimentally for three widely spread instant messengers. We validate that this information leak even exists in privacy-friendly messengers such as Signal and Threema. Our results show that, after a training phase, a messenger user can distinguish different locations of the message receiver. Our analyses involving multiple rounds of measurements and evaluations show that the timing side channel persists independent of distances between receiver locations -- the attack works both for receivers in different countries as well as at small scale in one city. For instance, out of three locations within the same city, the sender can determine the correct one with more than 80% accuracy. Thus, messenger users can secretly spy on each others' whereabouts when sending instant messages. As our countermeasure evaluation shows, messenger providers could effectively disable the timing side channel by randomly delaying delivery confirmations within the range of a few seconds. For users themselves, the threat is harder to prevent since there is no option to turn off delivery confirmations.
... Cohn-Gordon et al. [1] analyzed the security of multistage key agreement protocols based on the Double Ratchet algorithm for the first time. In addition, Kobeissi et al. [23] verified the security of end-to-end cryptographic protocols like the Signal Protocol with automated tools. The Signal Protocol cannot resist MITM attacks when the key registration is insecure. ...
Article
Full-text available
The Signal Protocol is one of the most popular privacy protocols today for protecting Internet chats and supports end-to-end encryption. Nevertheless, despite its many advantages, the Signal Protocol is not resistant to Man-In-The-Middle (MITM) attacks because a malicious server can distribute the forged identity-based public keys during the user registration phase. To address this problem, we proposed the IBE-Signal scheme that replaced the Extended Triple Diffie–Hellman (X3DH) key agreement protocol with enhanced Identity-Based Encryption (IBE). Specifically, the adoption of verifiable parameter initialization ensures the authenticity of system parameters. At the same time, the Identity-Based Signature (IBS) enables our scheme to support mutual authentication. Moreover, we proposed a distributed key generation mechanism that served as a risk decentralization to mitigate IBE’s key escrow problem. Besides, the proposed revocable IBE scheme is used for the revocation problem. Notably, the IND-ID-CPA security of the IBE-Signal scheme is proven under the random oracle model. Compared with the existing schemes, our scheme provided new security features of mutual authentication, perfect forward secrecy, post-compromise security, and key revocation. Experiments showed that the computational overhead is lower than that of other schemes when the Cloud Privacy Centers (CPCs) number is less than 8.
Article
Full-text available
Automated formal analysis is a fundamental method for ensuring the security of cryptographic protocol design. This approach entails two stages: formal modeling and formal analysis. While significant research has been conducted on formal analysis methodologies, there remains insufficient exploration into formal modeling, which has hindered the broader dissemination and development of automated formal analysis. In this paper, we address this challenge by delving into methodologies for the synthesis of formal languages, which are instrumental in constructing formal models for security protocol analysis. Our main contribution is the development of P2FGPT (Protocol specification to Formal model Generative Pre-trained Transformer), an innovative LLM-based framework designed for generating and refining cryptographic protocol formal declarations. Unlike existing methods, P2FGPT uniquely processes Alice&Bob style specifications as input. By leveraging semantic analysis, it employs an LLM to perform generative synthesis of formal languages. The framework incorporates three core components: Generator, Checker, and Modifier, each serving distinct yet complementary roles in the modeling process. To rigorously evaluate our framework, we constructed a specialized dataset derived from ProVerif's official demonstration documentation, ensuring the authority and reliability of the data. We conducted extensive experiments using three state-of-the-art LLMs (GLM4.0, Llama3-8b, Qwen2.5-7b) to validate the framework's effectiveness across different model architectures. The experimental results show that the framework can generate formal descriptions efficiently and accurately, enabling protocol designers or analyzers to rapidly construct formal models. This work represents a significant advancement in applying LLMs to cryptographic protocol analysis. By automating the construction of formal models, P2FGPT not only addresses the long-standing challenge of formal modeling but also lays a foundation for future research in automated formal analysis. Our framework provides researchers and practitioners a way to improve the efficiency and scalability of security protocol design and verification.
Article
With privacy becoming more important today, this paper presents "ZeroTrace," a messaging app built to keep your chats safe and temporary. The app starts with a login screen where you can choose between using a phone number or Google to sign in. For the phone option, you enter your number, get a code from Firebase, and type it in to prove it's you, then set up your profile. With Google, you pick your account and go straight to profile setup, where you add your name, photo, and a short bio, saved in Firestore. The main screen shows your chats and a button to pick contacts, letting you start secure talks in a chat window. You can send texts, files, pictures, videos, or voice notes, all locked with AES-256-GCM encryption, stored in Firestore and Firebase Storage, and unlocked only by the receiver. Your device keeps a copy for later. Once the receiver sees a message or file, it gets a 12-hour timer before it's deleted by a Firebase tool that checks every hour, keeping things private. You can also manage your profile, delete your account, or log out from a settings page, and if you log in again, Firebase remembers you. By mixing strong encryption and smart storage, ZeroTrace offers a safe, easy way to message, better than most apps, fitting today's security needs.
Article
WhatsApp, a widely used instant messaging application, has become a valuable source of digital evidence in forensic investigations. This review article explores the forensic analysis techniques, challenges, and future directions associated with WhatsApp. It covers the extraction and analysis of data from various sources, including mobile devices, cloud backups, and network traffic. The article discusses the challenges faced by forensic examiners, such as encryption, data volatility, and the need for proper validation of tools. It also highlights the importance of keeping up with the latest updates and changes in WhatsApp’s features and security measures. The future directions for WhatsApp forensics are explored, focusing on the development of more advanced and efficient analysis techniques, the need for standardization, and the importance of international cooperation in addressing cross-border investigations. This review provides insights for forensic examiners, researchers, and legal professionals involved in cases requiring WhatsApp evidence.
Conference Paper
Today, two-party secure messaging is well-understood and widely adopted, e.g., Signal and WhatsApp. Multiparty protocols for secure group messaging are less mature and many protocols with different tradeoffs exist. Generally, such protocols require parties to first agree on a shared secret group key and then periodically update it while preserving forward secrecy (FS) and post-compromise security (PCS). We present a new framework, called a key lattice, for managing keys in concurrent group messaging. Our framework can be seen as a "key management" layer that enables concurrent group messaging when secure pairwise channels are available. Security of group messaging protocols defined using the key lattice incorporates both FS and PCS simply and naturally. Our framework combines both FS and PCS into directional variants of the same abstraction, and additionally avoids dependence on time-based epochs.
Article
Current formal approaches have been successfully used to find design flaws in many security protocols. However, it is still challenging to automatically analyze protocols due to their large or infinite state spaces. In this paper, we propose SmartVerif, a novel and general framework that pushes the limit of automation capability of Tamarin, a state-of-the-art protocol verifier. The primary technical contribution is the dynamic strategy inside SmartVerif, which can be used to smartly search proof trees. Different from the existing static strategies, our dynamic strategy can automatically optimize itself according to the security protocols without any human intervention. We implement the strategy by modifying Tamarin and introducing a reinforcement learning algorithm to avoid non-terminating paths in the proof tree. Besides, to improve SmartVerif, we add multiple extracted information for training the reinforcement learning network and design a submodule of Non-termination Estimation to collect training data precisely and rapidly. Experimental results show that SmartVerif can automatically verify all security protocols studied in this paper. The case study validates the efficiency of our dynamic strategy. The experimental results also demonstrate the effectiveness of our extracted information, and the accuracy of the submodule of Non-termination Estimation.
Chapter
The Signal protocol is used by billions of people for instant messaging in applications such as Facebook Messenger, Google Messages, Signal, Skype, and WhatsApp. However, advances in quantum computing threaten the security of the cornerstone of this protocol: the Diffie-Hellman key exchange. There actually are resistant alternatives, called post-quantum secure, but replacing the Diffie-Hellman key exchange with these new primitives requires a deep revision of the associated security proof. While the security of the current Signal protocol has been extensively studied with hand-written proofs and computer-verified symbolic analyses, its quantum-resistant variants lack symbolic security analyses. In this work, we present the first symbolic security model for post-quantum variants of the Signal protocol. Our model focuses on the core state machines of the two main sub-protocols of Signal: the X3DH handshake, and the so-called double ratchet protocol. Then we show, with an automated proof using the Tamarin prover, that instantiated with the Hashimoto-Katsumata-Kwiatkowski-Prest post-quantum Signal’s handshake from PKC’21, and the Alwen-Coretti-Dodis KEM-based double ratchet from EUROCRYPT’19, the resulting post-quantum Signal protocol has equivalent security properties to its current classical counterpart.
Article
Internet users rely on the protocols they use to protect their private information including their identity and the websites they visit. Formal verification of these protocols can detect subtle bugs that compromise these protections at design time, but is a challenging task as it involves probabilistic reasoning about random sampling, cryptographic primitives, and concurrent execution. Existing approaches either reason about symbolic models of the protocols that sacrifice precision for automation, or reason about more precise computational models that are harder to automate and require cryptographic expertise. In this paper we propose a novel approach to verifying privacy-preserving protocols that is more precise than symbolic models yet more accessible than computational models. Our approach permits direct-style proofs of privacy, as opposed to indirect game-based proofs in computational models, by formalizing privacy as indistinguishability of possible network traces induced by a protocol. We ease automation by leveraging insights from the distributed systems verification community to create sound synchronous models of concurrent protocols. Our verification framework is implemented in F* as a library we call Waldo. We describe two large case studies of using Waldo to verify indistinguishability; one on the Encrypted Client Hello (ECH) extension of the TLS protocol and another on a Private Information Retrieval (PIR) protocol. We uncover subtle flaws in the TLS ECH specification that were missed by other models.
Article
Ensuring trust within the healthcare system and addressing privacy and security challenges in the Internet of Medical Things (IoMT) is of paramount importance. Based on our preliminary analysis results of Masud et al.’s authentication protocol, we propose an improved solution building upon their protocol. Our improved protocol incorporates various security measures to enhance its security. To validate the effectiveness of our improved protocol, we employ a comprehensive range of heuristic and formal security analysis methods. Comparative evaluations with other relevant protocols reveal that our proposed solution achieves satisfactory operational performance in resource-constrained IoMT scenarios.
Article
The Transport Layer Security (TLS) 1.0 protocol has been formally verified with CafeInMaude Proof Generator (CiMPG) and Proof Assistant (CiMPA), where CafeInMaude is the second major implementation of CafeOBJ, a direct successor of OBJ3, a canonical algebraic specification language. The properties concerned are the secrecy property of pre-master secrets and the correspondence (or authentication) property from both server and client points of view. We need to use several lemmas to formally verify that TLS 1.0 enjoys the properties. CiMPG takes proof scores written in CafeOBJ and infers proof scripts that can be checked by CiMPA. Proof scores are prone to human errors and CiMPG can be regarded as a proof score checker in that if the proof scripts inferred by CiMPG from proof scores are successfully executed with CiMPA, it is guaranteed that no human error is lurking in the proof scores. We have used the existing proof scores to show that TLS 1.0 enjoys the two properties. We needed to revise the proof scores so that CiMPG can handle them. Through the revision process, we discovered that one additional lemma is required for the revised proof scores. There are about 20 proof scores and each proof score is large. It is not reasonable to handle all proof scores at the same time with CiMPG. Thus, we handled each proof score one by one with CiMPG. There is one proof score that it took a long time to handle with CiMPG. For that proof score, we handled each induction case one by one to reduce the time taken. We describe how to revise the existing proof scores, how to find the new lemma, the lemma, how to handle each proof score one by one, and how to handle each induction case one by one as tips on checking existing large proof scores with CiMPG and CiMPA.
Preprint
Automated verification has become an essential part in the security evaluation of cryptographic protocols. In this context privacy-type properties are often modelled by indistinguishability statements, expressed as behavioural equivalences in a process calculus. In this paper we contribute both to the theory and practice of this verification problem. We establish new complexity results for static equivalence, trace equivalence and labelled bisimilarity and provide a decision procedure for these equivalences in the case of a bounded number of protocol sessions. Our procedure is the first to decide trace equivalence and labelled bisimilarity exactly for a large variety of cryptographic primitives -- those that can be represented by a subterm convergent destructor rewrite system. We also implemented the procedure in a new tool, DeepSec. We showed through extensive experiments that it is significantly more efficient than other similar tools, while at the same time raises the scope of the protocols that can be analysed.
Chapter
Seminal works by Cohn-Gordon, Cremers, Dowling, Garratt, and Stebila [EuroS&P 2017] and Alwen, Coretti and Dodis [EUROCRYPT 2019] provided the first formal frameworks for studying the widely-used Signal Double Ratchet (DR for short) algorithm. In this work, we develop a new Universally Composable (UC) definition FDR that we show is provably achieved by the DR protocol. Our definition captures not only the security and correctness guarantees of the DR already identified in the prior state-of-the-art analyses of Cohn-Gordon et al. and Alwen et al., but also more guarantees that are absent from one or both of these works. In particular, we construct six different modified versions of the DR protocol, all of which are insecure according to our definition FDR, but remain secure according to one (or both) of their definitions. For example, our definition is the first to fully capture CCA-style attacks possible immediately after a compromise, attacks that, as we show, the DR protocol provably resists, but were not fully captured by prior definitions. We additionally show that multiple compromises of a party in a short time interval, which the DR is expected to be able to withstand, as we understand from its whitepaper, nonetheless introduce a new non-trivial (albeit minor) weakness of the DR. Since the definitions in the literature (including our FDR above) do not capture security against this more nuanced scenario, we define a new stronger definition FTR that does. Finally, we provide a minimalistic modification to the DR (that we call the Triple Ratchet, or TR for short) and show that the resulting protocol securely realizes the stronger functionality FTR. Remarkably, the modification incurs no additional communication cost and virtually no additional computational cost. We also show that these techniques can be used to improve communication costs in other scenarios, e.g. practical Updatable Public Key Encryption schemes and the re-randomized TreeKEM protocol of Alwen et al. [CRYPTO 2020] for Secure Group Messaging.
Conference Paper
Due to the mobile and pervasive nature of IoT networks, even more frequently, multiple IoT networks managed by different network administrators share the same spectrum and operate in the same area, leading to packet losses and degradation of the Quality of Service (QoS). Assuming the use of the widespread IEEE 802.15.4 communication technology, the most straightforward solution would be to allow the networks to share the local Radio Scheduling Table (RST) to optimize channel access. However, exchanging the RST can leak several key pieces of information, such as the topology of the network, the number of devices, and the channel access patterns. To address such problems, we present PRM, the first scheme for discovering in advance potential interferences among IEEE 802.15.4 networks, without exposing the whole RST to untrusted parties. Our solution adapts a protocol for Private Set Intersection, while combining it with an innovative iterative set division algorithm, making the whole solution feasible on constrained devices of the IoT domain. Our experimental performance assessment, carried out on heterogeneous devices, shows that PRM can discover colliding channel assignments in less than 1 sec. on more capable embedded devices (e.g., the Raspberry PI), while also being feasible for more constrained platforms (e.g., the ESPCopter), depending on the amount of used radio resources.
Article
The continuous adoption of Near Field Communication (NFC) tags offers many new applications whose security is essential (e.g., contactless payments). In order to prevent flaws and attacks, we develop in this article a framework allowing us to analyse the underlying security protocols, taking into account the location of the agents and the transmission delay when exchanging messages. We propose two reduction results to render automatic verification possible relying on the existing verification tool ProVerif. Our first result allows one to consider a unique topology to catch all possible attacks. The second result simplifies the security analysis when considering Terrorist fraud. Then, based on these results, we perform a comprehensive case study analysis (27 protocols), in which we obtain new proofs of security for some protocols and detect attacks on some others.
Article
The Internet of Things (IoT) provides convenience for our daily lives via a huge number of devices. However, due to low resources and poor computing capability, these devices have a high number of firmware vulnerabilities. Software verification is a powerful solution to ensure the correctness and security of IoT firmware programs. Unfortunately, due to the complex semantics and syntax of program languages (typically C), applying software verification to IoT firmware faces a tradeoff between efficiency and accuracy. One of the fundamental reasons is that verification methods cannot support verifying state transitions on the memory space caused by pointer operations well. To this end, by combining sparse value flow (SVF) analysis into model checking and optimizing computational redundancy among them, we design a novel points-to-sensitive model checker, called PCHECKER, which can provide a highly precise and efficient verification for IoT firmware programs. We first design a spatial flow model to effectively describe state behaviors of a C program both on the symbolic and memory space. We then propose a counterexample-guided model checking algorithm that can dynamically refine abstract precisions and update nondeterministic points-to relations. With a set of C benchmarks containing a variety of pointer operations and other complex C features, our experiments have shown that, compared with the state of the art (SOTA), PCHECKER achieves outstanding results in the verification tasks of C programs: its verification accuracy is 95.9%, and its average verification time per line of code is 1.27 ms, both better than existing model checkers.
Thesis
Program verification consists in analyzing a computer program as a formal artifact in order to prove the absence of certain categories of bugs before execution. But to use a program verification framework, one has to first translate the original source code of the program to verify into the formal language of the framework. Moreover, one might use different verification frameworks to prove increasingly specialized properties about the program. To answer the need for multiple translations of the source program to various program verification frameworks with different proof paradigms, we advocate for the use of proof-oriented domain-specific languages. These domain-specific languages should act as a frontend to proof backends, with a language design that incorporates and distributes the proof obligations between provers. Moreover, the original program has often already been translated from informal domain-specific requirements that act as its specification. To close the top layer of the chain of trust, we claim that proof-oriented domain-specific languages can help domain experts review the program specification at the base of formally verified implementation developments. This dissertation discusses the design and usefulness of proof-oriented domain-specific languages in five case studies. These case studies range from the domain of cryptographic implementations to legal expert systems, and often target real-world high-assurance software. Each of the case studies gives its name to a chapter of this dissertation. LibSignal* is a verified implementation of the Signal cryptographic protocol for the Web. Hacspec is a domain-specific language for cryptographic specifications in Rust. Steel is a separation-logic-powered program verification framework for the F* proof assistant. Mlang is a compiler for a tax computation domain-specific language used by the French tax authority. Finally, Catala is a novel language for encoding legislative specifications into executable and analyzable artifacts.
Conference Paper
TLS was designed as a transparent channel abstraction to allow developers with no cryptographic expertise to protect their application against attackers that may control some clients, some servers, and may have the capability to tamper with network connections. However, the security guarantees of TLS fall short of those of a secure channel, leading to a variety of attacks. We show how some widespread false beliefs about these guarantees can be exploited to attack popular applications and defeat several standard authentication methods that rely too naively on TLS. We present new client impersonation attacks against TLS renegotiations, wireless networks, challenge-response protocols, and channel-bound cookies. Our attacks exploit combinations of RSA and Diffie-Hellman key exchange, session resumption, and renegotiation to bypass many recent countermeasures. We also demonstrate new ways to exploit known weaknesses of HTTP over TLS. We investigate the root causes for these attacks and propose new countermeasures. At the protocol level, we design and implement two new TLS extensions that strengthen the authentication guarantees of the handshake. At the application level, we develop an exemplary HTTPS client library that implements several mitigations, on top of a previously verified TLS implementation, and verify that their composition provides strong, simple application security.
Article
This is a preliminary version of a technical report accompanying a conference submission of the same title. It differs from the submission in the following main regards. (1) Expanded section 4, where we provide more details on our JavaScript semantics and background on Lambda JS. (2) Expanded section 5, where we provide more details on our verified runtime JSVerify, more details on the heap invariant used in our theory, and more description of the light translation as well. We also improved on some of the syntactic conventions, which helped facilitate the mechanized proof of JSVerify in F*. This makes some of the definitions look superficially different, although they remain essentially unchanged. For example, rather than overload stub functions in the Abs heap, we now separate them into their own heap compartment called Stub. This makes the proofs easier, although the main ideas remain unchanged. (3) Expanded section 7, with all the details on our applicative bisimulation machinery; we had alluded to these results in the submission, but lacked the space to present it in detail. (4) Appendix A provides a definition of F* for reference, including exceptions, fatal errors and primitive support for state. (5) Appendix B presents the formal light translation in its entirety. We then prove (1) the monadic type preservation theorem for the light translation and (2) the forward simulation theorem. While all the technical details are available in this version, we expect to continue improving this long version of the paper. The main edits we still anticipate include (primarily in Section 8) providing a detailed step-through of the runs of the defensive wrappers.
Abstract. Many tools allow programmers to develop applications in high-level languages and deploy them in web browsers via compilation to JavaScript. While practical and widely used, these compilers are ad hoc: no guarantee is provided on their correctness for whole programs, nor their security for programs executed within arbitrary JavaScript contexts. This paper presents a compiler with such positive guarantees. We compile an ML-like language with higher-order functions and references to JavaScript, while preserving all source program properties. Relying on type-based invariants and applicative bisimilarity, we show full abstraction: two programs are equivalent in all source contexts if and only if their wrapped translations are equivalent in all JavaScript contexts. We evaluate our compiler on sample programs, including a series of secure libraries.
Conference Paper
We present new attacks and robust countermeasures for security-sensitive components, such as single sign-on APIs and client-side cryptographic libraries, that need to be safely deployed on untrusted web pages. We show how failing to isolate such components leaves them vulnerable to attacks both from the hosting website and other components running on the same page. These attacks are not prevented by browser security mechanisms alone, because they are caused by code interacting within the same origin. To mitigate these attacks, we propose to combine fine-grained component isolation at the JavaScript level with cryptographic mechanisms. We present Defensive JavaScript (DJS), a subset of the language that guarantees the behavior integrity of scripts even when loaded in a hostile environment. We give a sound type system, type inference tool, and build defensive libraries for cryptography and data encodings. We show the effectiveness of our solution by implementing several applications using defensive patterns that fix some of our original attacks. We present a model extraction tool to analyze the security properties of our applications using a cryptographic protocol verifier.
Conference Paper
This paper presents JavaSPI, a "model-driven" development framework that allows the user to reliably develop security protocol implementations in Java, starting from abstract models that can be verified formally. The main novelty of this approach stands in the use of Java as both a modeling language and the implementation language. By using the SSL handshake protocol as a reference example, this paper illustrates the JavaSPI framework.
Conference Paper
The most common way of constructing a hash function (e.g., SHA-1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a block-cipher. In this paper, we introduce a new security notion for hash-functions, stronger than collision-resistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixed-length building block is viewed as a random oracle or an ideal block-cipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixed-length primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA-1 and MD5, the (strengthened) Merkle-Damgård transformation, does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain Merkle-Damgård construction and are easily implementable in practice.
Conference Paper
Quite often on the Internet, cryptography is used to protect private, personal communications. However, most commonly, systems such as PGP are used, which use long-lived encryption keys (subject to compromise) for confidentiality, and digital signatures (which provide strong, and in some jurisdictions, legal, proof of authorship) for authenticity. In this paper, we argue that most social communications online should have just the opposite of the above two properties; namely, they should have perfect forward secrecy and repudiability. We present a protocol for secure online communication, called "off-the-record messaging", which has properties better-suited for casual conversation than do systems like PGP or S/MIME. We also present an implementation of off-the-record messaging as a plugin to the Linux GAIM instant messaging client. Finally, we discuss how to achieve similar privacy for high-latency communications such as email.
Conference Paper
This paper introduces a novel class of computational problems, the gap problems, which can be considered as a dual to the class of the decision problems. We show the relationship among inverting problems, decision problems and gap problems. These problems find a nice and rich practical instantiation with the Diffie-Hellman problems. Then, we see how the gap problems find natural applications in cryptography, namely for proving the security of very efficient schemes, but also for solving a more than 10-year old open security problem: Chaum's undeniable signature.
Article
Many tools allow programmers to develop applications in high-level languages and deploy them in web browsers via compilation to JavaScript. While practical and widely used, these compilers are ad hoc: no guarantee is provided on their correctness for whole programs, nor their security for programs executed within arbitrary JavaScript contexts. This paper presents a compiler with such guarantees. We compile an ML-like language with higher-order functions and references to JavaScript, while preserving all source program properties. Relying on type-based invariants and applicative bisimilarity, we show full abstraction: two programs are equivalent in all source contexts if and only if their wrapped translations are equivalent in all JavaScript contexts. We evaluate our compiler on sample programs, including a series of secure libraries.
Conference Paper
Telegram is a popular messaging app which supports end-to-end encrypted communication. In Spring 2015 we performed an audit of Telegram's Android source code. This short paper summarizes our findings. Our main discovery is that the symmetric encryption scheme used in Telegram -- known as MTProto -- is not IND-CCA secure, since it is possible to turn any ciphertext into a different ciphertext that decrypts to the same message. We stress that this is a theoretical attack on the definition of security and we do not see any way of turning the attack into a full plaintext-recovery attack. At the same time, we see no reason why one should use a less secure encryption scheme when more secure (and at least as efficient) solutions exist. The take-home message (once again) is that well-studied, provably secure encryption schemes that achieve strong definitions of security (e.g., authenticated-encryption) are to be preferred to home-brewed encryption schemes.
Conference Paper
TypeScript is an extension of JavaScript intended to enable easier development of large-scale JavaScript applications. While every JavaScript program is a TypeScript program, TypeScript offers a module system, classes, interfaces, and a rich gradual type system. The intention is that TypeScript provides a smooth transition for JavaScript programmers—well-established JavaScript programming idioms are supported without any major rewriting or annotations. One interesting consequence is that the TypeScript type system is not statically sound by design. The goal of this paper is to capture the essence of TypeScript by giving a precise definition of this type system on a core set of constructs of the language. Our main contribution, beyond the familiar advantages of a robust, mathematical formalization, is a refactoring into a safe inner fragment and an additional layer of unsafe rules.
Article
Motivated by recent revelations of widespread state surveillance of personal communication, many solutions now claim to offer secure and private messaging. This includes both a large number of new projects and many widely adopted tools that have added security features. The intense pressure in the past two years to deliver solutions quickly has resulted in varying threat models, incomplete objectives, dubious security claims, and a lack of broad perspective on the existing cryptographic literature on secure communication. In this paper, we evaluate and systematize current secure messaging solutions and propose an evaluation framework for their security, usability, and ease-of-adoption properties. We consider solutions from academia, but also identify innovative and promising approaches used 'in-the-wild' that are not considered by the academic literature. We identify three key challenges and map the design landscape for each: trust establishment, conversation security, and transport privacy. Trust establishment approaches offering strong security and privacy features perform poorly from a usability and adoption perspective, whereas some hybrid approaches that have not been well studied in the academic literature might provide better trade-offs in practice. In contrast, once trust is established, conversation security can be achieved without any user involvement in most two-party conversations, though conversations between larger groups still lack a good solution. Finally, transport privacy appears to be the most difficult problem to solve without paying significant performance penalties.
Conference Paper
Social sign-on and social sharing are becoming an ever more popular feature of web applications. This success is largely due to the APIs and support offered by prominent social networks, such as Facebook, Twitter, and Google, on the basis of new open standards such as the OAuth 2.0 authorization protocol. A formal analysis of these protocols must account for malicious websites and common web application vulnerabilities, such as cross-site request forgery and open redirectors. We model several configurations of the OAuth 2.0 protocol in the applied pi-calculus and verify them using ProVerif. Our models rely on WebSpi, a new library for modeling web applications and web-based attackers that is designed to help discover concrete website attacks. Our approach is validated by finding dozens of previously unknown vulnerabilities in popular websites such as Yahoo and WordPress, when they connect to social networks such as Twitter and Facebook.
Article
The web constitutes a complex infrastructure and as demonstrated by numerous attacks, rigorous analysis of standards and web applications is indispensable. Inspired by successful prior work, in particular the work by Akhawe et al. as well as Bansal et al., in this work we propose a formal model for the web infrastructure. While unlike prior works, which aim at automatic analysis, our model so far is not directly amenable to automation, it is much more comprehensive and accurate with respect to the standards and specifications. As such, it can serve as a solid basis for the analysis of a broad range of standards and applications. As a case study and another important contribution of our work, we use our model to carry out the first rigorous analysis of the BrowserID system (a.k.a. Mozilla Persona), a recently developed complex real-world single sign-on system that employs technologies such as AJAX, cross-document messaging, and HTML5 web storage. Our analysis revealed a number of very critical flaws that could not have been captured in prior models. We propose fixes for the flaws, formally state relevant security properties, and prove that the fixed system in a setting with a so-called secondary identity provider satisfies these security properties in our model. The fixes for the most critical flaws have already been adopted by Mozilla and our findings have been rewarded by the Mozilla Security Bug Bounty Program.
Article
The most common way of constructing a hash function (e.g., SHA-1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a block-cipher. In this paper, we introduce a new security notion for hash-functions, stronger than collision-resistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixed-length building block is viewed as a random oracle or an ideal block-cipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixed-length primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA-1 and MD5 — the (strengthened) Merkle-Damgård transformation — does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain Merkle-Damgård construction and are easily implementable in practice.
Article
The MQV protocol of Law, Menezes, Qu, Solinas and Vanstone is possibly the most efficient of all known authenticated Diffie-Hellman protocols based on public-key authentication. In addition to great performance, the protocol has been designed to achieve a remarkable list of security properties. As a result MQV has been widely standardized, and has recently been chosen by the NSA as the key exchange mechanism underlying "the next generation cryptography to protect US government information". One question that had not been settled so far is whether the protocol can be proven secure in a rigorous model of key-exchange security. In order to provide an answer to this question we analyze the MQV protocol in the Canetti-Krawczyk formal model of key exchange. Disappointingly, we show (by presenting explicit attacks) that virtually none of the stated security goals of MQV is actually satisfied in this model. On the basis of these findings, we present HMQV, a carefully designed variant of MQV, that provides the same superb performance and functionality of the original protocol but for which all the MQV's security goals can be formally proven to hold in the random oracle model under the computational Diffie-Hellman assumption. We base the design and proof of HMQV on a new form of "challenge-response signatures" that have the property that both the challenger and signer can compute the same signature; the former by having chosen the challenge and the latter by knowing the private signature key. Hence, by simply exchanging challenges (in the form of DH values), two parties can compute the same signature from which a common authenticated key is then derived.
Article
We present a new mechanized prover for secrecy properties of security protocols. In contrast to most previous provers, our tool does not rely on the Dolev-Yao model, but on the computational model. It produces proofs presented as sequences of games; these games are formalized in a probabilistic polynomial-time process calculus. Our tool provides a generic method for specifying security properties of the cryptographic primitives, which can handle shared-key and public-key encryption, signatures, message authentication codes, and hash functions. Our tool produces proofs valid for a number of sessions polynomial in the security parameter, in the presence of an active adversary. We have implemented our tool and tested it on a number of examples of protocols from the literature.
Conference Paper
When a message is transformed into a ciphertext in a way designed to protect both its privacy and authenticity, there may be additional information, such as a packet header, that travels alongside the ciphertext (at least conceptually) and must get authenticated with it. We formalize and investigate this authenticated-encryption with associated-data (AEAD) problem. Though the problem has long been addressed in cryptographic practice, it was never provided a definition or even a name. We do this, and go on to look at efficient solutions for AEAD, both in general and for the authenticated-encryption scheme OCB. For the general setting we study two simple ways to turn an authenticated-encryption scheme that does not support associated-data into one that does: nonce stealing and ciphertext translation. For the case of OCB we construct an AEAD-scheme by combining OCB and the pseudorandom function PMAC, using the same key for both algorithms. We prove that, despite "interaction" between the two schemes when using a common key, the combination is sound. We also consider achieving AEAD by the generic composition of a nonce-based, privacy-only encryption scheme and a pseudorandom function.
Conference Paper
The MQV protocol of Law, Menezes, Qu, Solinas and Vanstone is possibly the most efficient of all known authenticated Diffie-Hellman protocols that use public-key authentication. In addition to great performance, the protocol has been designed to achieve a remarkable list of security properties. As a result MQV has been widely standardized, and has recently been chosen by the NSA as the key exchange mechanism underlying “the next generation cryptography to protect US government information”. One question that has not been settled so far is whether the protocol can be proven secure in a rigorous model of key-exchange security. In order to provide an answer to this question we analyze the MQV protocol in the Canetti-Krawczyk model of key exchange. Unfortunately, we show that MQV fails to a variety of attacks in this model that invalidate its basic security as well as many of its stated security goals. On the basis of these findings, we present HMQV, a carefully designed variant of MQV, that provides the same superb performance and functionality of the original protocol but for which all the MQV’s security goals can be formally proved to hold in the random oracle model under the computational Diffie-Hellman assumption. We base the design and proof of HMQV on a new form of “challenge-response signatures”, derived from the Schnorr identification scheme, that have the property that both the challenger and signer can compute the same signature; the former by having chosen the challenge and the latter by knowing the private signature key.
Conference Paper
In spite of the central role of key derivation functions (KDF) in applied cryptography, there has been little formal work addressing the design and analysis of general multi-purpose KDFs. In practice, most KDFs (including those widely standardized) follow ad-hoc approaches that treat cryptographic hash functions as perfectly random functions. In this paper we close some gaps between theory and practice by contributing to the study and engineering of KDFs in several ways. We provide detailed rationale for the design of KDFs based on the extract-then-expand approach; we present the first general and rigorous definition of KDFs and their security that we base on the notion of computational extractors; we specify a concrete fully practical KDF based on the HMAC construction; and we provide an analysis of this construction based on the extraction and pseudorandom properties of HMAC. The resultant KDF design can support a large variety of KDF applications under suitable assumptions on the underlying hash function; particular attention and effort is devoted to minimizing these assumptions as much as possible for each usage scenario. Beyond the theoretical interest in modeling KDFs, this work is intended to address two important and timely needs of cryptographic applications: (i) providing a single hash-based KDF design that can be standardized for use in multiple and diverse applications, and (ii) providing a conservative, yet efficient, design that exercises much care in the way it utilizes a cryptographic hash function. (The HMAC-based scheme presented here, named HKDF, is being standardized by the IETF.)
Conference Paper
We show that, in the ideal-cipher model, triple encryption (the cascade of three independently-keyed blockciphers) is more secure than single or double encryption, thereby resolving a long-standing open problem. Our result demonstrates that for DES parameters (56-bit keys and 64-bit plaintexts) an adversary's maximal advantage against triple encryption is small until it asks about 2^78 queries. Our proof uses code-based game-playing in an integral way, and is facilitated by a framework for such proofs that we provide.
Conference Paper
We investigate a sufficient condition for constructing authenticated key exchange (AKE) protocols which satisfy security in the extended Canetti-Krawczyk (eCK) model proposed by LaMacchia, Lauter and Mityagin. To the best of our knowledge, this is the first approach for providing secure protocols based on the condition. With this condition, we propose a construction of two-pass AKE protocols, and the resulting two-pass AKE protocols are constructed with a single static key and a single ephemeral key. In addition, the security proof does not require the Forking Lemma, which degrades the security of a protocol relative to the security of the underlying problem where it is used in the security proof. Therefore, these imply that the protocols constructed with the condition have an advantage in efficiency such as sizes of storage and communication data. The security of the resulting protocols is proved under the gap Diffie-Hellman assumption in the random oracle model.
Conference Paper
This paper explains the design and implementation of a high-security elliptic-curve-Diffie-Hellman function achieving record-setting speeds: e.g., 832457 Pentium III cycles (with several side benefits: free key compression, free key validation, and state-of-the-art timing-attack protection), more than twice as fast as other authors' results at the same conjectured security level (with or without the side benefits). Keywords: Diffie-Hellman, elliptic curves, point multiplication, new curve, new software, high conjectured security, high speed, constant time, short keys.
Conference Paper
JavaScript has become the most widely used language for client-side web programming. The dynamic nature of JavaScript makes understanding its code notoriously difficult, leading to buggy programs and a lack of adequate static-analysis tools. We believe that logical reasoning has much to offer JavaScript: a simple description of program behaviour, a clear understanding of module boundaries, and the ability to verify security contracts. We introduce a program logic for reasoning about a broad subset of JavaScript, including challenging features such as prototype inheritance and "with". We adapt ideas from separation logic to provide tractable reasoning about JavaScript code: reasoning about easy programs is easy; reasoning about hard programs is possible. We prove a strong soundness result. All libraries written in our subset and proved correct with respect to their specifications will be well-behaved, even when called by arbitrary JavaScript code.
Article
We present a digital signature scheme based on the computational difficulty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a way that depends on the signatures of previously chosen messages) cannot later forge the signature of even a single additional message. This may be somewhat surprising, since the properties of having forgery being equivalent to factoring and being invulnerable to an adaptive chosen-message attack were considered in the folklore to be contradictory. More generally, we show how to construct a signature scheme with such properties based on the existence of a "claw-free" pair of permutations - a potentially weaker assumption than the intractability of integer factorization. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are compact.
Article
We define the weight of an integer N to be the smallest w such that N can be represented as $\sum_{i=1}^{w} \epsilon_i 2^{c_i}$, with $\epsilon_1, \ldots, \epsilon_w \in \{1, -1\}$. Since arithmetic modulo a prime of low weight is particularly efficient, it is tempting to use such primes in cryptographic protocols. In this paper we consider the difficulty of the discrete logarithm problem modulo a prime N of low weight, as well as the difficulty of factoring an integer N of low weight. We describe a version of the number field sieve which handles both problems. In the case that w = 2, the method is the same as the special number field sieve, which runs conjecturally in time $\exp\left(((32/9)^{1/3} + o(1))(\log N)^{1/3}(\log \log N)^{2/3}\right)$ for $N \to \infty$. For fixed w > 2, we conjecture that there is a constant ξ less than $(32/9)^{1/3}((2w - 3)/(w - 1))^{1/3}$ such that the running time of the algorithm
Article
We present an architecture and tools for verifying implementations of security protocols. Our implementations can run with both concrete and symbolic implementations of cryptographic algorithms. The concrete implementation is for production and interoperability testing. The symbolic implementation is for debugging and formal verification. We develop our approach for protocols written in F#, a dialect of ML, and verify them by compilation to ProVerif, a resolution-based theorem prover for cryptographic protocols. We establish the correctness of this compilation scheme, and we illustrate our approach with protocols for Web Services security.
Article
We present a new mechanized prover for secrecy properties of cryptographic protocols. In contrast to most previous provers, our tool does not rely on the Dolev-Yao model, but on the computational model. It produces proofs presented as sequences of games; these games are formalized in a probabilistic polynomial-time process calculus. Our tool provides a generic method for specifying security properties of the cryptographic primitives, which can handle shared- and public-key encryption, signatures, message authentication codes, and hash functions. Our tool produces proofs valid for a number of sessions polynomial in the security parameter, in the presence of an active adversary. We have implemented our tool and tested it on a number of examples of protocols from the literature.
Conference Paper
HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collision-resistant. However, recent attacks show that assumption (2) is false for MD5 and SHA-1, removing the proof-based support for HMAC in these cases. This paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof-based guarantee since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistance-to-attack that HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised. We also show that an even weaker-than-PRF condition on the compression function, namely that it is a privacy-preserving MAC, suffices to establish HMAC is a secure MAC as long as the hash function meets the very weak requirement of being computationally almost universal, where again the value lies in the fact that known attacks do not invalidate the assumptions made.
Article
This paper is a brief tutorial on a technique for structuring security proofs as sequences of games.
Conference Paper
We study the interaction of the "new" construct with a rich but common form of (first-order) communication. This interaction is crucial in security protocols, which are the main motivating examples for our work; it also appears in other programming-language contexts. Specifically, we introduce a simple, general extension of the pi calculus with value passing, primitive functions, and equations among terms. We develop semantics and proof techniques for this extended language and apply them in reasoning about some security protocols.
Conference Paper
Recently the use of public key encryption to provide secure network communication has received considerable attention. Such public key systems are usually effective against passive eavesdroppers, who merely tap the lines and try to decipher the message. It has been pointed out, however, that an improperly designed protocol could be vulnerable to an active saboteur, one who may impersonate another user or alter the message being transmitted. Several models are formulated in which the security of protocols can be discussed precisely. Algorithms and characterizations that can be used to determine protocol security in these models are given.
Conference Paper
The recently introduced Galois/Counter Mode (GCM) of operation for block ciphers provides both encryption and message authentication, using universal hashing based on multiplication in a binary finite field. We analyze its security and performance, and show that it is the most efficient mode of operation for high speed packet networks, by using a realistic model of a network crypto module and empirical data from studies of Internet traffic in conjunction with software experiments and hardware designs. GCM has several useful features: it can accept IVs of arbitrary length, can act as a stand-alone message authentication code (MAC), and can be used as an incremental MAC. We show that GCM is secure in the standard model of concrete security, even when these features are used. We also consider several of its important system-security aspects.
Defensive JavaScript - building and verifying secure web components
  • K Bhargavan
  • A Delignat-Lavaud
  • S Maffeis
Telegram MTProto protocol
  • N Durov
A 2^64 attack on Telegram, and why a super villain doesn't need it to read your telegram chats
  • A Rad
  • J Rizzo
Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)
  • D Gillmor
AUTHSCAN: automatic extraction of web authentication protocols from implementations
  • G Bai
  • J Lei
  • G Meng
  • S S Venkatraman
  • P Saxena
  • J Sun