How Formal Analysis and Verification Add Security to Blockchain-based Systems

Similar documents
Introduction to Bitcoin I

OUROBOROS PRAOS: AN ADAPTIVELY-SECURE, SEMI-SYNCHRONOUS

The security and insecurity of blockchains and smart contracts

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Introduction to Cryptography in Blockchain Technology. December 23, 2018

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

Bitcoin (Part I) Ken Calvert Keeping Current Seminar 22 January Keeping Current 1

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Sharding. Making blockchains scalable, decentralized and secure.

TC307 SG3 - SECURITY & PRIVACY

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

Formal Methods and Cryptography

From Crypto to Code. Greg Morrisett

Secure Multiparty Computation

Introduction to Cryptoeconomics

Formal Methods for Assuring Security of Computer Networks

Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric

Security Protections for Mobile Agents

Implementing Cryptography: Good Theory vs. Bad Practice

Concrete cryptographic security in F*

HACL* in Mozilla Firefox Formal methods and high assurance applications for the web

Computer Security. 14. Blockchain & Bitcoin. Paul Krzyzanowski. Rutgers University. Spring 2019

Whitepaper Rcoin Global

Formally Specifying Blockchain Protocols

Blockchain & Distributed Internet Infrastructure

CS 395T. Analyzing SET with Inductive Method

Cryptographically Sound Security Proofs for Basic and Public-key Kerberos

Kerberos Revisited Quantum-Safe Authentication

UNCLASSIFIED//FOR OFFICIAL USE ONLY INDUSTRIAL CONTROL SYSTEMS CYBER EMERGENCY RESPONSE TEAM

COMMON CRITERIA CERTIFICATION REPORT

Cryptographic Concepts

FeliCa Approval for Security and Trust (FAST) Overview. Copyright 2018 FeliCa Networks, Inc.

Analysis Techniques. Protocol Verification by the Inductive Method. Analysis using theorem proving. Recall: protocol state space.

On cryptographic properties of the CVV and PVV parameters generation procedures in payment systems

CRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION

Secure Programming Techniques

CASE STUDY - Preparing for a PCI-DSS Audit using Cryptosense Analyzer

SKBI Cryptocurrency Technical Seminar Series Seminar 1: Basics: Cryptography and Transactions

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Ergo platform. Dmitry Meshkov

Identification Schemes

IT Security Evaluation : Common Criteria

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

ENEE 457: E-Cash and Bitcoin

Principals of Blockchain technology - Digital Business Ecosystem Kick of meeting Helsinki

Reliability, distributed consensus and blockchain COSC412

Getting to Grips with Public Key Infrastructure (PKI)

Key concepts of blockchain

Biomedical and Healthcare Applications for Blockchain. Tiffany J. Callahan Computational Bioscience Program Hunter/Kahn Labs

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Cryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland

Plaintext Awareness via Key Registration

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Research Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Bitcoin and Blockchain

Refresher: Applied Cryptography

An analysis of the applicability of blockchain to secure IP addresses allocation, delegation and bindings draft-paillisse-sidrops-blockchain-01

Grenzen der Kryptographie

Design and Analysis of Protocols The Spyce Way

Dyadic Enterprise. Unbound Key Control For Azure Marketplace. The Secure-As-Hardware Software With a Mathematical Proof

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Smalltalk 3/30/15. The Mathematics of Bitcoin Brian Heinold

Introduction to Security

I. Introduction. II. Security, Coinage and Attacks

Cryptography V: Digital Signatures

BBc-1 : Beyond Blockchain One - An Architecture for Promise-Fixation Device in the Air -

Realization and Addressing Analysis In Blockchain Bitcoin

Randomness Extractors. Secure Communication in Practice. Lecture 17

BLOCKCHAIN The foundation behind Bitcoin

Cryptography V: Digital Signatures

About & Beyond PKI. Blockchain and PKI. André Clerc Dipl. Inf.-Ing. FH, CISSP, CAS PM TEMET AG, Zürich. February 9, 2017

Secure Multiparty Computation

Security Analysis of Bitcoin. Dibyojyoti Mukherjee Jaswant Katragadda Yashwant Gazula

VERIFICATION OF CRYPTO PRIMITIVES MIND THE GAPS. Lennart Beringer, Princeton University

Secure digital certificates with a blockchain protocol

Direct Anonymous Attestation

VTBPEKE: Verifier-based Tw o-basis Password Exponenti al Key Exchange

The Open Protocol for Access Control Identification and Ticketing with PrivacY

APNIC elearning: Cryptography Basics

Technical Specifications for Platform Development

But where'd that extra "s" come from, and what does it mean?

ROUND COMPLEXITY LOWER BOUND OF ISC PROTOCOL IN THE PARALLELIZABLE MODEL. Huijing Gong CMSC 858F

Lecture 7 - Applied Cryptography

ICS 421 & ICS 690. Bitcoin & Blockchain. Assoc. Prof. Lipyeow Lim Information & Computer Sciences Department University of Hawai`i at Mānoa

Part VI. Public-key cryptography

Security Requirements for Crypto Devices

Blockchain! What consultants should know about it. Daniel

Summary on Crypto Primitives and Protocols

A Policy Framework for a Secure

More crypto and security

CONIKS: Bringing Key Transparency to End Users

MTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu

Problem: Equivocation!

BaFin-Tech 2018 BlockChain & Security (from #developerview)

CardOS Secure Elements for Smart Home Applications

Certification Report

BlockFin A Fork-Tolerant, Leaderless Consensus Protocol April

Transcription:

Verification Add Security to Blockchain-based Systems January 26, 2017 (MIT Media Lab) Pindar Wong (VeriFi Ltd.) 2

Outline of this talk Security Definition of Blockchain-based system Technology and Security Layer Applicability of Formal Analysis and Verification Four layers are suitable: Implementation, Backbone Protocols, Application Protocols and Application Logic Idea toward Domain specific language 3

Background: The case of the DAO Had chance to lose 50M Dollars by this attack. Caused by vulnerability of the code The way of workaround is still not decided. Problems Vulnerability handling Procedure for work around Over-investment to uncertified technology and codes Intersection of technology and financial incentive 4

Security definitions of blockchain Several proposals on back-bone protocol Few consideration for security of entire system https://cyber.stanford.edu/blockchainconf 5

Security Definitions for backbone-protocol [1] Two definitions Common Prefix Property If two players prune a sufficient number of blocks from their chains, they will obtain the same prefix. Chain Quality Any large enough chunk of an honest player s chain will contain some block from honest players. There are results on provable secure protocol but needs assumptions [KKRDO16] 6

Provable Secure Blockchain with Proof of Stake [KKRDO16] Prove Two Requirements of Blockchain Persistence and Liveliness [1]: Robustness of the Blockchain Propose Provable Secure Protocol Use Multi-Party Coin Flipping for leader election to produce randomness Many Assumptions Highly Synchronous Majority of Selected Stakeholder is available The Stakeholders do not remain offline for a long time 7

Example of Blockchain Technology layer [3] Network: broadcasting transactions and View blocks Application Consensus: the agreement-reaching engine Storage: bootstrapping new nodes, storing Storage Sideplane archival data Consensus Application: transaction graph, scripting language semantics Network View: cached summary of the transaction log Side-plane: off-chain contracts 8

Layers for security consideration Security layers of cryptographic application Operation Key Management, Audit, Backup ISO/IEC 27000 Implementation Program Code, Secure Hardware ISO/IEC 15408 Scripting Language for Financial Transaction, Contract Secure coding guides Application Protocol Privacy protection, Secure transaction ISO/IEC 29128 Backbone Protocol P2P, Consensus, Merkle Tree ISO/IEC 29128 Cryptography ECDSA, SHA-2, RIPEMD160 NIST,ISO Application Logic How Can We Convince the Security of Blockchain? 4 9

Cryptography Layer Security goals in Blockchain Realizing authenticity and integrity Digital Signature: ECDSA Hash Function: SHA-2, RIPEMD-160 Underlying Mathematics: Secure parameter of elliptic curve Firm analysis model Provable Security Estimation of security margin Many theoretic results and evaluations Academic proof, Standardization by NIST, ISO/IEC, IETF(IRTF), IEEE 10

Backbone Protocol Layer Security goals in Blockchain Realizing de-centralization and robustness by P2P network Realizing consistency of transaction by consensus algorithm Ensuring order of transaction by Merkle hash tree and chaining Security definition, requirements and evaluation No fixed security definition (researches are ongoing) Evaluation by mathematical proof or formal analysis Standard for evaluation ISO/IEC 29128 for cryptographic protocols 11

Application Protocol Layer Security goals in Blockchain Privacy Protection Secure data transmission Secure transaction Security definition, requirements and evaluation https://cyber.stanford.edu/blockchainconf Need application specific security definition Evaluation by mathematical proof or formal analysis Standard for evaluation ISO/IEC 29128 for cryptographic protocols 12

Application Logic Layer Security goals in Blockchain Soundness and completeness in application logic Security definition, requirements and evaluation https://cyber.stanford.edu/blockchainconf Checking the existence of bug 13

Implementation Layer Security goals in Blockchain Protection of signing key and prevent forgery of digital signature Against black box attacker (main channel), gray box attacker (Side channel) and white box attacker (rooted device) Security definition, requirements and evaluation Capability of the adversary Standard for evaluation ISO/IEC 15408 14

Operation Layer Security goals in Blockchain Key management Audit of operation Security definition, requirements and evaluation https://cyber.stanford.edu/blockchainconf Depends on security policy of each system Standard for evaluation ISO/IEC 27000 Series (Information Security Management System) 15

Formal Analysis and Formal Verification Formal Analysis Evaluating the possibility of attack on the specification of the protocol, products or system by conducting some mathematical formalization of the security requirements, specifications and operational environment (an adversarial model). Formal Verification To verify the correctness of the specification of the protocol, products or system formal methods such as automated axiomatic theorem proving or model checking. 16

Applicability of formal verification Security layers of cryptographic application Operation Key Management, Audit, Backup ISO/IEC 27000 Implementation Program Code, Secure Hardware ISO/IEC 15408 Scripting Language for Financial Transaction, Contract Secure coding guides Application Protocol Privacy protection, Secure transaction ISO/IEC 29128 Backbone Protocol P2P, Consensus, Merkle Tree ISO/IEC 29128 Cryptography ECDSA, SHA-2, RIPEMD160 NIST,ISO Application Logic How Can We Convince the Security of Blockchain? 4 17

Formal analysis methods and tools for cryptographic protocol 18

Formal analysis of Implementation Both software/ hardware implementation Security mechanisms which use cryptographic algorithms, protocols, random number generator and key management mechanisms Target of Evaluation Crypto-token wallet (Hardware/Software) HSM (Hardware Security Module) 19

Standards and Examples for Implementation Layer Industrial Standard Common Criteria (ISO 15408) Define seven EALs (Evaluation Assurance Levels) EAL6 requires semi formal analysis on the design and implementation EAL7 requires fully formal analysis on design and implementation Examples of formal analysis for implementation EAL6 FeliCa IC chip RC-SA00 Crypto Library V1.0 on P60x080/052/040yVC(Y/Z/A)/yVG Microcontrôleurs sécurisés SA23YR48/80B et SB23YR48/80B 20

Analysis of Cryptographic Protocols: Formal Verification vs UC Framework Formal Verification Mathematical Proof Formal method Rigorous proof Find the existence of insecure state Automated verification Estimate probability of attack Same as cryptographic Primitive Tool-aided 21

Formal Analysis of Cryptographic Protocols Check if the insecure state may happen in execution Protocol specification Adversarial model Insecure states to be avoided Insecure states Protocol specification Adversarial Model Formal Analysis tool Output if the insecure states may happen. If yes, output trace by which the insecure state is happen. 22

Formal Analysis of Backbone protocols and application protocols Explore the existence of state against security goals (Security Properties) Dolev-Yao Model Basically Cryptographic algorithm is idealized Only a party who has a decryption key obtains plaintext. The other party obtains nothing. Same treatment for digital signature and others An adversary can control communication channel. 23

UC Framework Define the ideal functionality, then prove that the actual protocol is indistinguishable against the ideal functionality. P1 P2 P1 P2 https://cyber.stanford.edu/blockchainconf F P3 P4 P3 P4 Ideal Functionality Z Actual Protocol 24

Combination of Formal Analysis and Mathematical proof Combine the merit of formal analysis and mathematical rigorous proof. Many researches from 2002 Game-based evaluation Cryptoverif 25

The case of SSL/TLS Many attacks/vulnerabilities are found during this 5 years. Heartbleed, Poodle, FREAK, DROWN, CCS Injection Problems No security proof No procedure for verification of technology. No experts on the verification of cryptographic protocols Insufficient quality assurance of program code 26

The case of TLS 1.3 [6] IETF Academia Formal Verification TLS1.3 Specification TRON Conference Developer/ Open Source Community Add Add trust trust 27

International Standard: ISO/IEC 29128 Accuracy Protocol Assurance Level Protocol Specification Adversarial Model Security Property Self Assessment Evidence PAL1 PAL2 PAL3 PAL4 PPS_SEMIFORMAL PPS_FORMAL PPS_MECHANIZED https://cyber.stanford.edu/blockchainconf PAM_INFORMAL PAM_FORMAL PAM_MECHANIZED PSP_INFORMAL PSP_FORMAL PSP_MECHANIZED PEV_ARGUMENT PEV_HANDPROVEN PEV_BOUNDED PEV_UNBOUNDED 28

Security consideration for Smart contract Need completeness and soundness as an application logic The DAO case was caused by bug Checking program code is well-known application of formal analysis 29

Language for Smart Contract Solidity Flexible and General purpose language Bhargavan et al. proposed a framework to analyze both the runtime safety and functional correctness of a Solidity contract [9] Introducing intermediate functional programming language suitable for verification At this time, not covered all EVM functionalities 30

Designing Domain Specific Language To limit possible execution states, which include insecure state, create new domain specific language Has enough capability to write business logic Suitable for formal verification 31

Letter of Credit (L/C) and Trade Finance over Blockchain Bank C Confirmation Issuing L/C Bank D Customs Confirmation Blockchain Customs Shipping Company Importer A Confirmation Confirmation Request Issuing L/C Exporter B 32

Sequence of process Contract A,B A B L/C A C A Payment C C,D Blockchain Write Issue Request Lock Payment Value Issue L/C Read Read Completion of trade Settlement 33

State Transitions of common process of L/C Four variables for state representation: Contract, L/C, Payment, Shipment Create language and execution environment from state transitions and constraints 2 1 4 5 6 7 8 9 10 11 12 3 Not allowed to reverse 1 2 3 4 5 6 7 8 9 10 11 12 L/C Init Init Init Init Issue Req Issue Req Issued Issued Issued Confirmed Confirmed Confirmed Cash Init Init Init Init Init Cash Lock Cash Lock Cash Lock Cash Lock Cash Lock Settled Settled Goods Init Init Init Init Init Init Init Shipped Received Received Received Received Contract Init A signed B signed Both Both Both Both Both Both Both Both Fin 34

Limitation of Formal Verification Limitation of automated tool Upper bound of memory, Not sufficient for complicated protocols How can we verify the correctness of formalization? Formal verification does not assure the security in most cases Need templates and languages which are suitable for formal verification 35

Conclusion Applicability of Formal Analysis and Formal Verification Current activities can help four layers of Blockchain Security Possibility to define specific language for Application Logic Layer 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback