Verified Cryptographic Implementations for TLS

We narrow the gap between concrete implementations of cryptographic protocols and their verified models. We develop and verify a small functional implementation of the Transport Layer Security protocol (TLS 1.0). We use the same executable code for interoperability testing against mainstream implementations, for automated symbolic cryptographic verification, and for automated computational cryptographic verification. We rely on a combination of recent tools and also develop a new tool for extracting computational models from executable code. We obtain strong security guarantees for TLS as used in typical deployments.
