Cryptographically Verified Design and Implementation of a Distributed Key Manager

We present DKM, a distributed key management system with a cryptographically verified code base. DKM implements a new data protection API. It manages keys and policies on behalf of groups of users that share data. To ensure long-term protection, DKM supports cryptographic agility: algorithms, keys, and policies can evolve for protecting fresh data while preserving access to old data. DKM is written in C# and currently used by several large data-center applications.

To verify our design and implementation, we also write a lightweight reference implementation of DKM in F#. This code closes the gap between formal cryptographic models and production code:

• Formally, the F# code is a very precise model of DKM: we automatically verify its security against active adversaries, using a refinement type-checker coupled with an SMT solver and new symbolic libraries for cryptographic agility.

• Concretely, the F# code closely mirrors our production code, and we automatically test that the corresponding C# and F# fragments can be swapped without affecting the runtime behavior of DKM.

To the best of our knowledge, this is the largest cryptographically-verified implementation to date. We also describe several problems we uncovered and fixed as part of this joint design, implementation, and verification process.
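The cryptographic-agility requirement stated above (fresh data protected under the current key and algorithm, old data still readable after keys and algorithms are rotated or retired) can be made concrete with a small worked example. The code below is written for this page and is not DKM's C# or F# code; the blob format (a self-describing header naming format version, key id and algorithm id, authenticated together with the payload), the stdlib-only HMAC-counter cipher standing in for a real AEAD, and every name in it are assumptions.

```python
import hmac
import secrets
import struct

# Algorithm registry: algorithm id -> (hash used by the HMAC-based PRF, tag length).
# The PRF-in-counter-mode cipher below is a stdlib-only stand-in for a real AEAD
# such as AES-GCM; it exists only so the example runs offline.
ALGORITHMS = {1: ("sha256", 32), 2: ("sha512", 64)}

MAGIC = b"AGIL"                    # constructed marker, not DKM's wire format
HEADER = struct.Struct(">4sBIB")   # magic, format version, key id, algorithm id
NONCE_LEN = 16


class KeyStore:
    """Keeps every key ever issued (needed to unprotect old data) plus the policy
    for fresh data: the current key id and the set of retired algorithms."""

    def __init__(self):
        self.keys = {}             # key id -> (algorithm id, secret)
        self.retired_algs = set()  # algorithms no longer allowed for protecting fresh data
        self.current = None        # key id used for fresh data

    def add_key(self, key_id, alg_id, secret=None):
        # Adding a key makes it current; older keys stay available for unprotect only.
        self.keys[key_id] = (alg_id, secret or secrets.token_bytes(32))
        self.current = key_id

    def retire_algorithm(self, alg_id):
        self.retired_algs.add(alg_id)


def _subkeys(secret, hashname):
    # Derive independent encryption and MAC keys from the stored secret.
    return (hmac.new(secret, b"enc", hashname).digest(),
            hmac.new(secret, b"mac", hashname).digest())


def _keystream(enc_key, nonce, hashname, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashname).digest()
        counter += 1
    return bytes(out[:length])


def protect(store, plaintext):
    key_id = store.current
    alg_id, secret = store.keys[key_id]
    if alg_id in store.retired_algs:
        raise ValueError("current key uses a retired algorithm; rotate before protecting")
    hashname, _ = ALGORITHMS[alg_id]
    enc_key, mac_key = _subkeys(secret, hashname)
    header = HEADER.pack(MAGIC, 1, key_id, alg_id)
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, hashname, len(plaintext))))
    # The MAC covers the header so an attacker cannot swap key or algorithm ids.
    tag = hmac.new(mac_key, header + nonce + body, hashname).digest()
    return header + nonce + body + tag


def header_info(blob):
    magic, version, key_id, alg_id = HEADER.unpack_from(blob)
    if magic != MAGIC or version != 1:
        raise ValueError("unknown format")
    return key_id, alg_id


def unprotect(store, blob):
    key_id, alg_id = header_info(blob)
    stored_alg, secret = store.keys[key_id]   # KeyError if the key was never issued
    if stored_alg != alg_id:
        raise ValueError("header algorithm does not match the key's algorithm")
    hashname, taglen = ALGORITHMS[alg_id]     # retired algorithms still decrypt old data
    enc_key, mac_key = _subkeys(secret, hashname)
    header = blob[:HEADER.size]
    nonce = blob[HEADER.size:HEADER.size + NONCE_LEN]
    body, tag = blob[HEADER.size + NONCE_LEN:-taglen], blob[-taglen:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, header + nonce + body, hashname).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, hashname, len(body))))


def rotation_demo():
    """Walk through a policy evolution and report what a practitioner would check."""
    store = KeyStore()
    store.add_key(1, 1)                      # year one: key 1, algorithm 1
    old = protect(store, b"archived record")
    store.add_key(2, 2)                      # rotate: key 2 on algorithm 2 for fresh data
    store.retire_algorithm(1)                # algorithm 1 no longer allowed for fresh data
    new = protect(store, b"fresh record")
    tampered = bytearray(new)
    tampered[HEADER.size - 1] = 1            # try to relabel the algorithm id in the header
    try:
        unprotect(store, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    stale = KeyStore()
    stale.add_key(3, 1)
    stale.retire_algorithm(1)                # operator retired the algorithm but never rotated
    try:
        protect(stale, b"x")
        refused = False
    except ValueError:
        refused = True
    return {"old_recovered": unprotect(store, old) == b"archived record",
            "old_header": header_info(old), "new_header": header_info(new),
            "tamper_detected": tamper_detected, "retired_protect_refused": refused}
```

The two checks worth noting are that `unprotect` accepts a retired algorithm while `protect` refuses it, which is exactly the asymmetry the abstract describes, and that the header naming the key and algorithm is inside the MAC, so the algorithm identifier in a blob cannot be rewritten to steer decryption onto a different primitive.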
