The MAC In The Box Project

Transcription

1 The MAC In The Box Project Michael J. C. Gordon, Robert Künnemann and Graham Steel 1

2 password databases attack bank etc. 2

3 password databases attack bank etc. 2

4 password databases attack bank etc. 2

5 storing passwords 1. pw 2. h(pw) 3. h(pw salt),salt 4. bcrypt(pw salt), salt 5. add high-entropy parameter and hide it: bcrypt(mitb K (pw salt)), salt Password Hashing at Scale Solar Designer (John the Ripper, Openwall) at YaC2012 3

6 idea secure password databases against offline guessing attacks using a local parameter attack 4

7 idea secure password databases against offline guessing attacks using a local parameter attack 4

8 5 (c) Yubico

9 recent incidents 2011 Playstation Network (77M / in the plain!) 2012 LinkedIn (6,5M / 3.5M in 1d) 2012 Last.fm (8M / 1.2M in 2,5h) 2013 LivingSocial (50M / SHA-1, salted) 2013 Evernote (50M / MD5, salted) 2013 Adobe (152M / 2,9 M in 3d, 3DES-ECB ) 2014 various sources, BSI (21M /?) 6

10 storing the local param. HSM (expensive & unaudited) YubiHSM (affordable & unaudited) specification-level analysis revealed severe flaws, but can be configured securely S-CRIB Scrambler (Dan Cvrzek) [..] fine if you can guarantee the key will not be compromised. The problem is you can't guarantee that (Jeremi Gosney) 7

11 goals design of an affordable, open source hardware device for calculating message authentication codes based on SHA-3 API: write key, compute MAC publish design, code, circuits, proof verification at hardware level 8

12 history of the project conceived by Graham and Mike at FMAT 2011 I got involved in summer 2013 recent progress 9

13 API design (simplified) Move Input (key) Ready Input (len<r-1) Absorbing Input (len=r) H(K m), m = m 1... m l 10

14 security not agreed upon: hash? MAC? encryption? but abstractly, we know what we want: faking a password is difficult learn nothing more about input than whether two inputs coincide 11

15 security not agreed upon: hash? MAC? encryption? one-wayness collision-resistance indifferentiability but abstractly, we know what we want: faking a password is difficult learn nothing more about input than whether two inputs coincide 11

16 security not agreed upon: hash? MAC? encryption? one-wayness collision-resistance indifferentiability unforgeability but abstractly, we know what we want: faking a password is difficult learn nothing more about input than whether two inputs coincide 11

17 security not agreed upon: hash? MAC? encryption? one-wayness collision-resistance indifferentiability unforgeability indistinguishability but abstractly, we know what we want: faking a password is difficult learn nothing more about input than whether two inputs coincide 11

18 security not agreed upon: hash? MAC? encryption? one-wayness unforgeability collision-resistance indifferentiability indistinguishability 11

19 security not agreed upon: hash? MAC? encryption? one-wayness unforgeability collision-resistance indifferentiability indistinguishability but abstractly, we know what we want: 11

20 security not agreed upon: hash? MAC? encryption? one-wayness collision-resistance indifferentiability unforgeability indistinguishability but abstractly, we know what we want: faking a password is difficult 11

21 security not agreed upon: hash? MAC? encryption? one-wayness collision-resistance indifferentiability unforgeability indistinguishability but abstractly, we know what we want: faking a password is difficult learn nothing more about input than whether two inputs coincide 11

22 learn nothing more than.. = everything the adv. learns he could have computed himself MITB Simulator m x {0, 1} n RO 12

23 the complete picture SetKey k Mac m Protocol Simulator (skp,mv,inp,len) Ideal MITB RO(K ) 13

24 hardware verification HOL4: interactive proof assistant for higherorder logic: high-level of assurance easily express circuits using relations CakeML: subset of ML formal reasoning in HOL can be compiled into byte-code and x

25 why trace properties do not suffice would like: SEC (S) =8t 2 traces(s).p(t) indistinguishability is not a trace property! key is never output output first n bits all outputs are hashes of something first n bits of key are probably a hash of something all outputs are hashes of previous inputs ready-led leaks key property on distribution of traces 15

26 difficulties reasoning about probabilities and runtime for composition with SHA-3 result frameworks are moving targets : UC (2001, 63pp; 2005, 130pp; 2013, 87pp) IITM (2006, 36pp; 2013,80pp) GNUC (2011, 78pp) CertiCrypt, Easycrypt can argue about polytime programs and adversarial models, currently no support for composition 16

27 Proof use HOL for in-depth verification of input/ output behaviour (trace property), avoiding arguments about: runtime probability distributions environment (can be probabilistic) use pen-and-paper argument only for composition arguments 17

28 1. emulation (HOL) For all inputs, both games produce the same output: SetKey k Mac m Protocol Simulator (skp,mv,inp,len) Ideal MITB H(K ) 18

29 1. emulation (HOL) For all inputs, both games produce the same output: SetKey k Mac m Protocol Simulator (skp,mv,inp,len) Ideal MITB H(K ) 18

30 2. refinement (HOL) For all inputs, both models produce exactly the same output: MITB = = MITB-circuit MITB-CakeML 19

31 3. pen and paper Equal input/output behaviour implies indistinguishability of output distribution Use: Bertolli et al., Berg et al.: SHA-3 (Sponge-construction) is indistinguishable from a random oracle Composition theorem (Maurer et.al) applies: can substitute RO for H in ideal game 20

32 work in progress spec MITB spec SHA-3 sec. definition proof refinement formalisation of UC MITB specified (low-level interface, but functional) SHA-3 specified (spec and implementation) Ideal and simulator specified currently: emulation proof later: refinement of MITB for target platform 21...

33 summary design and verification of small but useful hardware security module intuitive security properties are often not trace properties challenge for formal verification use HOL to refine specification (i/o behaviour must be identical) combine HOL and pen-and-paper proofs to show correctness of specification 22

34 Thank you for your attention Questions? 23