Seems Legit: Automated Analysis of Subtle Attacks on Protocols that Use Signatures

The standard definition of security for digital signatures, existential unforgeability under chosen-message attack, does not guarantee several properties that protocol designers tend to assume. For example, in many modern signature schemes a single signature may verify against multiple distinct public keys. It is left to protocol designers to ensure that the absence of these properties does not lead to attacks. Modern automated protocol analysis tools can provably exclude large classes of attacks on complex real-world protocols such as TLS 1.3 and 5G. However, their abstraction of signatures (implicitly) assumes much more than existential unforgeability, and so misses several classes of practical attacks. We give a hierarchy of new formal models for signature schemes that captures these subtleties, and thereby allows us to analyse (often unexpected) behaviours of real-world protocols that were previously out of reach of symbolic analysis. We implement our models in the Tamarin Prover, yielding the first way to perform these analyses automatically, and validate them on several case studies. In the process, we find new attacks on DRKey and SOAP's WS-Security, both of which were previously proven secure in traditional symbolic models.
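The abstract's claim that one signature may verify under several public keys is concrete for plain ECDSA: from a single (message, signature) pair, anyone can compute the signer's public key and one further key under which the same signature verifies, without learning any private key. The following is an added illustration and not code from the paper or from the Tamarin models it describes. It implements textbook ECDSA over the standard secp256k1 parameters in pure Python, recovers both verifying keys from a signature, and then shows a common countermeasure (hashing the public key together with the message, here called `bind_key`, a name chosen for this example), under which the recovered second key is rejected. The sample message is constructed; the arithmetic is not constant-time and is for demonstration only.

```python
import hashlib
import secrets

# secp256k1 domain parameters (standard constants from SEC 2).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    k %= N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)


def pk_bytes(Q):
    return b"\x04" + Q[0].to_bytes(32, "big") + Q[1].to_bytes(32, "big")


def msg_hash(msg, Q=None):
    """e = H(msg); with Q given, e = H(pk || msg), i.e. the signer's key is bound."""
    data = (pk_bytes(Q) if Q else b"") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)


def sign(d, msg, bind_key=False):
    Q = ec_mul(d, G)
    e = msg_hash(msg, Q if bind_key else None)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = (e + r * d) * pow(k, -1, N) % N
        if r and s:
            return r, s


def verify(Q, msg, sig, bind_key=False):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    e = msg_hash(msg, Q if bind_key else None)
    w = pow(s, -1, N)
    X = ec_add(ec_mul(e * w % N, G), ec_mul(r * w % N, Q))
    return X is not None and X[0] % N == r


def recover_keys(msg, sig):
    """Every public key under which (msg, sig) verifies, computed from the
    signature alone: Q = r^-1 * (s*R - e*G) for each curve point R with R.x = r.
    No private key is learned, yet a second valid key is obtained."""
    r, s = sig
    e = msg_hash(msg)
    r_inv = pow(r, -1, N)
    keys = []
    for x in (r, r + N):               # r + N covers the rare case R.x >= N
        if x >= P:
            continue
        y2 = (pow(x, 3, P) + 7) % P
        y = pow(y2, (P + 1) // 4, P)   # square root, valid since P % 4 == 3
        if y * y % P != y2:
            continue
        for R in ((x, y), (x, P - y)):
            Q = ec_mul(r_inv, ec_add(ec_mul(s, R), ec_neg(ec_mul(e, G))))
            if Q is not None and verify(Q, msg, sig):
                keys.append(Q)
    return keys


def demo():
    msg = b"transfer 100 to alice"      # constructed sample message
    d, Q = keygen()
    sig = sign(d, msg)
    others = [K for K in recover_keys(msg, sig) if K != Q]
    # Plain ECDSA: exactly one further key Q' verifies the very same (msg, sig).
    ambiguous = len(others) == 1 and verify(others[0], msg, sig)
    # Key-bound variant: the verifier hashes H(pk || msg), so a key derived
    # from the signature no longer matches the hash it is checked against.
    bsig = sign(d, msg, bind_key=True)
    bound_ok = verify(Q, msg, bsig, bind_key=True)
    bound_rejects = not any(verify(K, msg, bsig, bind_key=True)
                            for K in recover_keys(msg, bsig) if K != Q)
    return ambiguous, bound_ok, bound_rejects


if __name__ == "__main__":
    print(demo())  # expected: (True, True, True)
```

The second recovered key is exactly the mechanism behind the "one signature, several keys" observation: a protocol that treats "signature verifies under key K" as "the holder of K produced this message" can be misled by anyone who registers a key they derived from someone else's signature. Binding the key into the signed data closes this particular gap, but only for this property; the hierarchy of models in the paper covers others that this example does not touch.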
