Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach

Proceedings - 2nd IEEE European Symposium on Security and Privacy, EuroS and P 2017

Volumn , Issue , 2017, Pages 435-450

  Kobeissi, Nadim ^a   Bhargavan, Karthikeyan ^a   Blanchet, Bruno ^a  

^a INRIA PARIS   (France)

Author keywords

cryptographic protocols; formal verification; secure messaging

Indexed keywords

CALCULATIONS; CODES (SYMBOLS); COMPUTER PROGRAMMING LANGUAGES; CRYPTOGRAPHY; HIGH LEVEL LANGUAGES; PROBLEM ORIENTED LANGUAGES;

AUTOMATED VERIFICATION; COMPUTATIONAL APPROACH; CRYPTOGRAPHIC ASSUMPTIONS; CRYPTOGRAPHIC PROTOCOLS; DOMAIN SPECIFIC LANGUAGES; MESSAGING PROTOCOLS; SECURE MESSAGING; SYSTEMATIC ANALYSIS;

FORMAL VERIFICATION;

EID: 85024477053     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/EuroSP.2017.38     Document Type: Conference Paper

References (44)

1. K. Bhargavan, A. Lavaud, C. Fournet, A. Pironti, and P. Strub, "Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS," in IEEE Symposium on Security & Privacy (Oakland), 2014, pp. 98-113.
2. T. Frosch, C. Mainka, C. Bader, F. Bergsma, J. Schwenk, and T. Holz, "How secure is TextSecure?" in IEEE European Symposium on Security and Privacy (Euro S&P), 2016.
3. B. Blanchet, "Modeling and verifying security protocols with the applied pi calculus and ProVerif," Foundations and Trends in Privacy and Security, vol. 1, no. 1-2, pp. 1-135, Oct. 2016.
4. D. Dolev and A. C. Yao, "On the security of public key protocols," IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198-207, 1983.
5. B. Blanchet, "A computationally sound mechanized prover for security protocols," IEEE Transactions on Dependable and Secure Computing, vol. 5, no. 4, pp. 193-207, 2008.
6. K. Bhargavan, A. Delignat-Lavaud, and S. Maffeis, "Language-based defenses against untrusted browser origins," in USENIX Security Symposium, 2013, pp. 653-670.
7. K. Bhargavan, A. Delignat-Lavaud, and S. Maffeis, "Defensive JavaScript-building and verifying secure web components," in Foundations of Security Analysis and Design (FOSAD VII), 2013, pp. 88-123.
8. M. Abadi and C. Fournet, "Mobile values, new names, and secure communication," in 28th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'01). London, United Kingdom: ACM Press, Jan. 2001, pp. 104-115.
9. H. Krawczyk, "HMQV: A High-performance Secure Diffie-Hellman Protocol," in International Conference on Advances in Cryptology (CRYPTO), ser. Lecture Notes in Computer Science, V. Shoup, Ed., vol. 3621. Springer, 2005, pp. 546-566.
10. N. Unger, S. Dechand, J. Bonneau, S. Fahl, H. Perl, I. Goldberg, and M. Smith, "SoK: Secure Messaging," in IEEE Symposium on Security & Privacy (Oakland), 2015.
11. N. Durov, "Telegram MTProto protocol," 2015, https://core.telegram. org/mtproto.
12. O. Schirokauer, "The number field sieve for integers of low weight," Mathematics of Computation, vol. 79, no. 269, pp. 583-602, 2010.
13. D. Gillmor, "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)," 2016, IETF RFC 7919.
14. K. Bhargavan, A. Delignat-Lavaud, and A. Pironti, "Verified contributive channel bindings for compound authentication," in Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS '15), Feb 2015. [Online]. Available: http: //antoine.delignat-lavaud.fr/doc/ndss15.pdf
15. A. Rad and J. Rizzo, "A 264 attack on Telegram, and why a super villain doesn't need it to read your telegram chats." 2015.
16. J. Jakobsen and C. Orlandi, "On the cca (in)security of mtproto," Cryptology ePrint Archive, Report 2015/1177, 2015, http://eprint.iacr. org/2015/1177.
17. N. Borisov, I. Goldberg, and E. A. Brewer, "Off-the-record communication, or, why not to use PGP," in Proceedings of the 2004 ACM Workshop on Privacy in the Electronic Society, WPES 2004, Washington, DC, USA, October 28, 2004, V. Atluri, P. F. Syverson, and S. D. C. di Vimercati, Eds. ACM, 2004, pp. 77-84. [Online]. Available: http://doi.acm.org/10.1145/1029179.1029200
18. N. Wilcox, Z. Wilcox-O'Hearn, D. Hopwood, and D. Bacon, "Report of Security Audit of Cryptocat," 2014, https://leastauthority.com/blog/ least authority performs security audit for cryptocat.html.
19. P. A. Gardner, S. Maffeis, and G. D. Smith, "Towards a program logic for JavaScript," SIGPLAN Not., vol. 47, no. 1, pp. 31-44, Jan. 2012. [Online]. Available: http://doi.acm.org/10.1145/2103621.2103663
20. K. Bhargavan, C. Fournet, A. D. Gordon, and S. Tse, "Verified interoperable implementations of security protocols," ACM Transactions on Programming Languages and Systems, vol. 31, no. 1, 2008.
21. Joyent Inc. and the Linux Foundation, "Node.js," 2016, https://nodejs. org/en/.
22. H. Krawczyk, "Cryptographic extraction and key derivation: The HKDF scheme," in Advances in Cryptology (CRYPTO), ser. Lecture Notes in Computer Science. Springer, 2010, vol. 6223, pp. 631-648.
23. N. Kobeissi, "SP code repository," https://github.com/inriaprosecco/ proscript-messaging, February 2017.
24. V. Shoup, "Sequences of games: a tool for taming complexity in security proofs," IACR Cryptology ePrint Archive, 2004, http://eprint. iacr.org/2004/332.
25. M. Bellare and P. Rogaway, "The security of triple encryption and a framework for code-based game-playing proofs," in Advances in Cryptology (Eurocrypt), ser. Lecture Notes in Computer Science, S. Vaudenay, Ed., vol. 4004. Springer, May 2006, pp. 409-426.
26. T. Okamoto and D. Pointcheval, "The gap-problems: a new class of problems for the security of cryptographic schemes," in Practice and Theory in Public Key Cryptography (PKC), ser. Lecture Notes in Computer Science, K. Kim, Ed., vol. 1992. Springer, 2001, pp. 104-118.
27. A. Fujioka and K. Suzuki, "Designing efficient authenticated key exchange resilient to leakage of ephemeral secret keys," in Topics in Cryptology (CT-RSA), ser. Lecture Notes in Computer Science, A. Kiayias, Ed., vol. 6558. Springer, 2011, pp. 121-141.
28. D. J. Bernstein, "Curve25519: New Diffie-Hellman speed records," in Public Key Cryptography (PKC), 2006, pp. 207-228.
29. S. Goldwasser, S. Micali, and R. Rivest, "A digital signature scheme secure against adaptive chosen-message attacks," SIAM Journal of Computing, vol. 17, no. 2, pp. 281-308, April 1988.
30. J.-S. Coron, Y. Dodis, C. Malinaud, and P. Puniya, "Merkle-Damgård revisited: How to construct a hash function," in Advances in Cryptology (CRYPTO), ser. Lecture Notes in Computer Science, vol. 3621. Springer, 2005, pp. 430-448.
31. M. Bellare, "New proofs for NMAC and HMAC: Security without collision-resistance," in Advances in Cryptology (CRYPTO), ser. Lecture Notes in Computer Science, C. Dwork, Ed., vol. 4117. Springer, 2006, pp. 602-619.
32. D. A. McGrew and J. Viega, "The security and performance of the Galois/Counter Mode (GCM) of operation," in Progress in Cryptology-INDOCRYPT 2004, ser. Lecture Notes in Computer Science, A. Canteaut and K. Viswanathan, Eds., vol. 3348. Chennai, India: Springer, Dec. 2004, pp. 343-355.
33. P. Rogaway, "Authenticated-encryption with associated-data," in Ninth ACM Conference on Computer and Communications Security (CCS-9). Washington, DC: ACM Press, Nov. 2002, pp. 98-107.
34. Open Whisper Systems, "Signal for the browser," 2015, https://github. com/WhisperSystems/Signal-Browser.
35. GitHub, "Electron framework," 2016, http://electron.atom.io/.
36. M. Avalle, A. Pironti, R. Sisto, and D. Pozza, "The Java SPI framework for security protocol implementation," in Availability, Reliability and Security (ARES), 2011 Sixth International Conference on, Aug 2011, pp. 746-751.
37. G. Bierman, M. Abadi, and M. Torgersen, "Understanding Type-Script," in ECOOP 2014 Object-Oriented Programming, ser. Lecture Notes in Computer Science, R. Jones, Ed., vol. 8586. Springer, 2014, pp. 257-281.
38. Facebook Inc., "Flow, a static type checker for JavaScript," http:// flowtype.org/docs/about-flow.html.
39. C. Fournet, N. Swamy, J. Chen, P.-E. Dagand, P.-Y. Strub, and B. Livshits, "Fully abstract compilation to JavaScript," SIGPLAN Not., vol. 48, no. 1, pp. 371-384, Jan. 2013. [Online]. Available: http://doi.acm.org/10.1145/2480359.2429114
40. C. Bansal, K. Bhargavan, A. Delignat-Lavaud, and S. Maffeis, "Discovering concrete attacks on website authorization by formal analysis," Journal of Computer Security, vol. 22, no. 4, pp. 601-657, 2014.
41. G. Bai, J. Lei, G. Meng, S. S. Venkatraman, P. Saxena, J. Sun, Y. Liu, and J. S. Dong, "AUTHSCAN: automatic extraction of web authentication protocols from implementations," in Network and Distributed System Security Symposium (NDSS), 2013.
42. D. Fett, R. Küsters, and G. Schmitz, "An Expressive Model for the Web Infrastructure: Definition and Application to the BrowserID SSO System," in 35th IEEE Symposium on Security and Privacy (S&P 2014). IEEE Computer Society, 2014, pp. 673-688.
43. K. Cohn-Gordon, C. Cremers, and L. Garratt, "On post-compromise security," in IEEE Computer Security Foundations Symposium (CSF), 2016, pp. 164-178.
44. K. Cohn-Gordon, C. Cremers, B. Dowling, L. Garratt, and D. Stebila, "A formal security analysis of the signal messaging protocol," in IEEE European Symposium on Security and Privacy (Euro S&P), 2017.