VERIFICATION OF CRYPTO PRIMITIVES MIND THE GAPS. Lennart Beringer, Princeton University

Transcription

1 VERIFICATION OF CRYPTO PRIMITIVES MIND THE GAPS Lennart Beringer, Princeton University

2 Crypto primitives: the building blocks of cryptographic libraries Examples: hash functions, message authentications, (a)symmetric schemes (AES/RSA), PRNG, signatures, stream ciphers, elliptic-curve crypto, commitment schemes Verification of the primitive - as defined in standard documents / scientific papers - property to be verified: cryptographic security - according to certain cryptographic model (assumptions) - crypto literature contains mathematical proofs (at various levels of detail and rigor) Techniques: probability theory game-based cryptography relational reasoning Integration: bridges specification and model gaps requires expressive ambient logic (Coq) Techniques: program logics static analysis Verification of an implementation - implementation can be open-source/public domain or purpose-built - properties to be verified: (partial/total) correctness w.r.t. functional spec memory / runtime safety data integrity and confidentiality (no private data/key exfiltration) absence of timing and other side channels

3 OSspec.v ModelA.v APIspecA.v A.h Mind the(se) gap(s) Model-level verification and validation (cryptographic security, functional properties, testing) Aproof.v Bproof.v Floyd proof automation Verifiable C program logic ModelB.v Did the cryptographers get their proof right? Informal specs (NIST, RFC, ) APIspecB.v B.h (FCF, cyber-physical control, physics, fault models, modelspecific assumptions) LibrarySpec.v PThreadSpec.v Proven in Coq A.c (Compositional) B.c x86 PPC ARM Processor Models (eg BlueSpec) and implementations Specification gap

4 OSspec.v ModelA.v APIspecA.v A.h Mind the(se) gap(s) Model-level verification and validation (cryptographic security, functional properties, testing) Aproof.v Informal specs (NIST, RFC, ) Bproof.v Floyd proof automation Verifiable C program logic ModelB.v APIspecB.v (FCF, cyber-physical control, physics, fault models, modelspecific assumptions) Did the authors of the standard understand the cryptography? B.h LibrarySpec.v PThreadSpec.v Proven in Coq A.c (Compositional) B.c x86 PPC ARM Processor Models (eg BlueSpec) and implementations Specification gap

5 APIspecA.v A.c Model-level verification and validation (cryptographic security, functional properties, testing) Does the ModelA.v C program implement the correct ModelB.v function? Informal specs (NIST, RFC, ) OSspec.v Proven in Coq A.h Mind the(se) gap(s) Aproof.v Bproof.v Floyd proof automation Verifiable C program logic (Compositional) APIspecB.v B.h B.c (FCF, cyber-physical control, physics, fault models, modelspecific assumptions) LibrarySpec.v PThreadSpec.v Does the C program access additional memory regions? x86 PPC ARM Processor Models (eg BlueSpec) and implementations Specification gap

6 Mind the(se) gap(s) OSspec.v ModelA.v APIspecA.v A.h Model-level verification and validation (cryptographic security, functional properties, testing) Aproof.v Informal specs (NIST, RFC, ) Bproof.v Floyd proof automation ModelB.v APIspecB.v B.h (FCF, cyber-physical control, physics, fault models, modelspecific assumptions) LibrarySpec.v PThreadSpec.v Did the C programmer Verifiable C program and the logicompiler writer agree on C? Proven in Coq A.c (Compositional) B.c Is the C compiler correct? In which sense? What about the OS and other libraries? x86 PPC ARM Processor Models (eg BlueSpec) and implementations Specification gap

7 Mind the(se) gap(s) OSspec.v ModelA.v APIspecA.v A.h Model-level verification and validation (cryptographic security, functional properties, testing) Aproof.v Informal specs (NIST, RFC, ) Bproof.v Floyd proof automation ModelB.v APIspecB.v B.h (FCF, cyber-physical control, physics, fault models, modelspecific assumptions) LibrarySpec.v PThreadSpec.v Verifiable C program logic A.c Is the C compiler s view of the processor correct? Proven in Coq (Compositional) B.c Is the processor implemented, fabricated & deployed correctly? x86 PPC ARM Processor model and implementation (e.g. BlueSpec) Specification gap

8 Mind the(se) gap(s) OSspec.v ModelA.v APIspecA.v A.h Model-level verification and validation (cryptographic security, functional properties, testing) Aproof.v Informal specs (NIST, RFC, ) Bproof.v Floyd proof automation ModelB.v APIspecB.v B.h (FCF, cyber-physical control, physics, fault models, modelspecific assumptions) LibrarySpec.v PThreadSpec.v Proven in Coq A.c Verifiable C program logic (Compositional) B.c Is the cryptographer s security model (assumptions on power of adversary) realistic? x86 PPC ARM Processor Models (eg BlueSpec) and implementations Specification gap

9 Mind the(se) gap(s): Hmac-Sha256 Model-level verification (HMAC256 is a PRF) Specification gap: theoretical vs applied crypto: padding, exposure of Merkle- Damgard construction, bits vs bytes (closed by proof) Model-level SHA256.v validation (extract&test) NIST specs SHA256spec.v OpenSS L sha.h OpenSS L sha.c shaprf.v Floyd proof automation : hmacprf.v Verifiable C program logic HMAC256.v HMAC256.v HMACspec.v OpenSS L hmac.h OpenSS L hmac.c (FCF, assumption: SHA is a PRF) Model-level validation (extract&test) Specification gaps: abstract data types/invariants vs concrete memory layout one-shot hmac vs incremental API (init, update*, finish) (closed by proof) Resulting properties for the code resulting from compiling sha.c + hmac.c: functional correctness code implements a PRF (modulo sha) memory integrity: safety + footprint

10 CRYPTO-PLANS FOR DEEPSPEC Crypto proof in FCF? Past/present SHA256: hash function HMAC-SHA256: message authentication HMAC-DRBG : (pseudo) random number generation OpenSSL OpenSSL mbedtls Salsa20 (stream cipher) TweetNacl Near future AES AES-DRBG : (pseudo) random number generation mbedtls mbedtls? Opportunities HKDF (HMAC-based key derivation) ChaCha (cipher, evolution of Salsa) Poly1305 (MAC, using Salsa20/ChaCha or AES) Signatures, certificates Connect to protocol specs and verification? Orthogonal issues: timing channels ( constant -time, cf noninterference), other side channels

11 DETERMINISTIC RANDOM BIT GENERATOR (DRBG) expand true randomness obtained from external entropy source to yield a stream of random bit/byte sequences Nonce invoke Cipher (HMAC / AES) Entropy Instantiate invoke n1 Bytes initializ e Internal state invoke reseedctr Internal function: update rd/w r Key, value invoke Generate n1 rd/wr Internal function: reseed?/incrctr invoke n2 n2 Bytes Desirable properties: indistinguishability from random distribution backtracking resistance prediction resistance

12 BREAKOUT AGENDA Talk Alley Stoughton: Borrowing Definitional Methods from Theoretical Crypto". Crypto tools Easycrypt: establish connection to Coq (cf CertiCrypt) FCF: longterm maintenance / evolution Functional specs Verification infrastructure robust implementation of crypto primitives in Gallina connect to Ocaml/Haskell (protocol) implementations (eg nqsb-tls)? testable by Quickcheck / Quickchick improve VST/ s support for multi-file developments specification compatibility with Bedrock/Fiat specs of ECC domain-specific abstractions / tactics / lemmas for C-level crypto Bignum library Primitives selection of hierarchies of primitives selection of API (OpenSSL-style? TweetNacl? Other?) selection of code base (OpenSSL-clone, Custom, Other) THEN JOIN THE APPLICATION BREAKOUT