Secure APIs and Simulationbased. Exposé thésard

Transcription

1 Secure APIs and Simulationbased Security Exposé thésard 1

2 ME & MY THESIS at LSV since Oct 2010 Batiment IRIS Supervisors: Graham & Steve INRIA 2

3 Outline What are Secure Tokens, and what use do they have? Where are we? Where do we want to go? What am I currently doing? 3

4 Basic Assumptions We assume that an intruder can interpose a computer in all communication paths, and thus can alter or copy parts of messages, replay messages, or emit false material. While this may seem an extreme view, it is the only safe one when designing authentication protocols. [Needham-Schroeder, 1978] 4

5 Basic Assumptions We also assume that each principal has a secure environment in which to compute, such as is provided by a personal computer or would be by a secure shared operating system. [Needham-Schroeder, 1978] 5

6 Hello, Dave. Viruses / Worms / Malfunctions Adi Shamir s Cache-Attack 6

7 Where do we want to go? Participant A Protocol Participant B 7

8 Where do we want to go? Participant A Protocol Participant B 7

9 Where do we want to go? Participant A Protocol Participant B 7

10 Where do we want to go? Participant A Protocol Participant B 7

11 Where do we want to go? Participant A Protocol Participant B consistent state! 7

12 Secure APIs 8

13 Synonymonymalicous Secure APIs / Security APIs Secure Tokens Hardware Security Modules Key Management Interfaces Cryptographic devices / Cryptographic tokens Tamper-Resistant Device 9

14 Solution secure tokens = secure key-memory and trusted cryptographic computations Protocol Command Output A B 10

15 Solution secure tokens = secure key-memory and trusted cryptographic computations Protocol Policy Command Implementation (Keys,Algos) Output A B 10

16 smart cards 11

17 TPM 12

18 A really save computer 13

19 The Cloud 14

20 Attack model ST TRD Honest Agent Attacker control Compromised Agent ST TRD ST TRD Honest Agent Network Compromised Agent ST TRD ST TRD Honest Agent Honest Agent ST TRD [Cortier-Steel, 2009] 2. Threat model. The attacker controls the network, all machines, and has d access to the memory of some compromised agents TRDs 15

21 A simple attack W d 16

22 A simple attack 17

23 A simple attack set_w(k) 17

24 A simple attack set_w(k) W 17

25 A simple attack set_w(k) wrap(k,k) W 17

26 A simple attack set_w(k) wrap(k,k) c=enc(k,k) W 17

27 A simple attack set_w(k) wrap(k,k) c=enc(k,k) W set_d(k) 17

28 A simple attack set_w(k) wrap(k,k) c=enc(k,k) W set_d(k) d 17

29 A simple attack set_w(k) wrap(k,k) c=enc(k,k) W set_d(k) decrypt(k,c) d 17

30 A simple attack set_w(k) wrap(k,k) c=enc(k,k) W set_d(k) decrypt(k,c) d k 17

31 A simple attack set_w(k) wrap(k,k) c=enc(k,k) W set_d(k) decrypt(k,c) d k!! 17

32 A simple attack set_w(k) wrap(k,k) c=enc(k,k) W set_d(k) decrypt(k,c) d k!! Policy 17

33 A simple attack set_w(k) wrap(k,k) c=enc(k,k) W Implementation set_d(k) decrypt(k,c) d k!! Policy 17

34 Where are we? There are several layers: Protocol API - Policy Implementation security strengthen properties assume 18

35 Where are we? Protocol API - Policy Implementation Assume: perfect crypto (symbolic world), and a ST with a strict policy. For all protocols implemented using STs, nonces, long- and shortterm keys stay secret. For some protocols, even under compromise 19 [Cortier-Steel, 2009]

36 Where are we? Protocol API - Policy Implementation 20 Assume perfect crypto: show complete policies secure (secrecy of keys) [Froschle-Steel,2009] identify secure policies for limited number of keys [DKS,2010] Problems: non-monotonic state, need to find good abstractions [Mödersheim,2010; ARR,2011]

37 Where are we? Protocol API - Policy Implementation Make sure that components work together, problems: shared keys, synchronisation of several devices Definition of Security of an API in the computational model, as well as the symbolic model [KSW, 2011;CC,2009] 21 Real-or-random game versus idealised Adversary

38 Where do we want to go? long term: coherent theory for STs: computational/symbolic definition of security, automated analysis short term: a general definition of security of a ST is missing 22

39 Universal Composability [Canneti,2000] security defined by functionality that is secure by construction defines security and correctness at the same time can be used within any environment, therefore: implementation should be indistinguishable from functionality for any environment 23

40 The Functionality F ST (handles) FST (translates handles to corresponding keys) F1 F3 (keys) F2 24

41 What does FST assure? In General: Correctness & Security Keys never leave device preserve properties of used functionalities wrapping preserves the attributes of a key specified corruption behaviour: (Key Hierarchy) 25

42 ST1... STm FST F1 F2 F3 F1 F2 F3 F1 F3 F2 Sim Env 26

43 Benefits direct interaction with the environment: strong guarantees even for corrupted agents reliable implementation of a certain policy building block in protocols composition of different F ST s 27

44 Drawbacks direct interaction with the environment functionality and implementation receive same inputs, therefore compromise expressiveness / security But: can be used to implement more abstract notion 28

45 References [Needham-Schroeder, 1978] R. M. Needham and M. D. Schroeder Using encryption for authentication in large networks of computers [Canneti,2000] R. Canetti Universally Composable Security: A New Paradigm for Cryptographic Protocols [CC,2011] C. Cachin and N. Chandran A Secure Cryptographic Token Interface [Froschle-Steel,2009] S. Fröschle and G. Steel Analysing PKCS#11 Key Management APIs with Unbounded Fresh Data [Cortier-Steel, 2009] V. Cortier and G. Steel A generic security API for symmetric key management on cryptographic devices [Mödersheim,2010] S. Mödersheim Abstraction by set-membership: verifying security protocols and web services with databases [DKS,2010] S. Delaune and S. Kremer and G. Steel Formal Analysis of PKCS#11 and Proprietary Extensions [KSW,2011] S. Kremer and G. Steel and B. Warinschi Security for Key Management Interfaces [ARR,2011] Myrto Arapinis, Eike Ritter and Mark Ryan StatVerif:Verification of Stateful Processes 29