From Computationally-proved Protocol Specifications to Implementations

This paper presents a novel framework for proving specifications of security protocols in the computational model and generating runnable implementations from such proved specifications. We rely on the computationally-sound protocol verifier CryptoVerif for proving the specification, and we have implemented a compiler that translates a CryptoVerif specification into an implementation in OCaml. We have applied this compiler to the SSH Transport Layer protocol: we proved the authentication of the server and the secrecy of the session keys in this protocol and verified that the generated implementation successfully interacts with OpenSSH. The secrecy of messages sent over the SSH tunnel cannot be proved due to known weaknesses in SSH with CBC-mode encryption.
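The SSH Transport Layer key schedule that the abstract refers to (the exchange hash the server signs with its host key, and the session keys whose secrecy is proved) is shown below as an added illustration written for this page; it is not the paper's CryptoVerif-generated OCaml. It implements the RFC 4251 string/mpint encodings, the RFC 4253 exchange hash and key derivation, and both sides of a Diffie-Hellman exchange over a constructed demonstration group (2^127 - 1 is prime but is not an SSH-registered group and is far too small for real use). The identification strings, KEXINIT payloads and host-key blob are likewise constructed sample inputs; signature generation over H with the host key is left to the host-key algorithm and not modelled.

```python
"""Added example, not part of the paper: SSH Transport Layer key schedule
(RFC 4253 sections 7.2 and 8) with RFC 4251 wire encodings.
The DH group and all payloads are constructed for the demo."""
import hashlib
import secrets

HASH = hashlib.sha256   # as in diffie-hellman-group14-sha256 (RFC 8268)


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return len(b).to_bytes(4, "big") + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': minimal two's-complement big-endian, as a string.
    Zero encodes as the empty string; a positive value whose top bit is set
    gets a leading 0x00 byte (the classic off-by-one source in SSH code)."""
    if n == 0:
        return ssh_string(b"")
    mag = n if n > 0 else -n - 1            # bits needed below the sign bit
    nbytes = (mag.bit_length() + 8) // 8    # +1 for the sign bit, round up
    return ssh_string(n.to_bytes(nbytes, "big", signed=True))


def exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k) -> bytes:
    """RFC 4253 section 8: H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K).
    The server signs H with its host key and the client verifies with K_S,
    so H binds the host key, both KEXINIT payloads and both DH shares."""
    return HASH(ssh_string(v_c) + ssh_string(v_s) + ssh_string(i_c)
                + ssh_string(i_s) + ssh_string(k_s)
                + ssh_mpint(e) + ssh_mpint(f) + ssh_mpint(k)).digest()


def derive_key(k: int, h: bytes, letter: bytes, session_id: bytes, length: int) -> bytes:
    """RFC 4253 section 7.2: K1 = HASH(K || H || X || session_id),
    K2 = HASH(K || H || K1), K3 = HASH(K || H || K1 || K2), ... then truncate."""
    kmp = ssh_mpint(k)
    out = HASH(kmp + h + letter + session_id).digest()
    while len(out) < length:
        out += HASH(kmp + h + out).digest()
    return out[:length]


def session_keys(k: int, h: bytes, session_id: bytes,
                 enc_len=32, mac_len=32, iv_len=16) -> dict:
    """Full key set; letters A..F as assigned in RFC 4253 section 7.2."""
    spec = {"iv_c2s": (b"A", iv_len), "iv_s2c": (b"B", iv_len),
            "enc_c2s": (b"C", enc_len), "enc_s2c": (b"D", enc_len),
            "mac_c2s": (b"E", mac_len), "mac_s2c": (b"F", mac_len)}
    return {name: derive_key(k, h, x, session_id, n) for name, (x, n) in spec.items()}


# Demonstration group only (constructed for this example): prime, but tiny
# and not an SSH-registered group. Real clients use e.g. group14-sha256.
DEMO_P = 2**127 - 1
DEMO_G = 3


def run_kex(v_c: bytes, v_s: bytes, i_c: bytes, i_s: bytes, k_s: bytes):
    """Both sides of the DH exchange on the given (constructed) inputs.
    Returns (client_view, server_view), each (H, keys), so a caller can
    check that the two ends agree on H and on every session key."""
    x = secrets.randbelow(DEMO_P - 2) + 1   # client's private exponent
    y = secrets.randbelow(DEMO_P - 2) + 1   # server's private exponent
    e = pow(DEMO_G, x, DEMO_P)              # KEXDH_INIT:  client -> server
    f = pow(DEMO_G, y, DEMO_P)              # KEXDH_REPLY: server -> client (with K_S, sig over H)
    k_server = pow(e, y, DEMO_P)
    k_client = pow(f, x, DEMO_P)
    h_client = exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k_client)
    h_server = exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k_server)
    # session_id is the H of the first key exchange (RFC 4253 section 7.2)
    return ((h_client, session_keys(k_client, h_client, h_client)),
            (h_server, session_keys(k_server, h_server, h_server)))


if __name__ == "__main__":
    client, server = run_kex(b"SSH-2.0-demo_client", b"SSH-2.0-demo_server",
                             b"\x14" + b"\x00" * 16, b"\x14" + b"\x01" * 16,
                             b"constructed host key blob")
    print("both ends agree:", client == server)
```

The property the abstract calls "authentication of the server" rests on the last argument set of `exchange_hash`: a man-in-the-middle who substitutes its own host key blob or DH share changes H, so the genuine server's signature over H no longer verifies against what the client computed. The derived keys are distinct per direction and per purpose (A..F), which is why a proof about "the session keys" has to cover six values, not one.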
