
ProVerif, a tool for formal security verification of protocols / proverif

Mako
August 09, 2021

Presentation given at the seccamp2020 lightning-talk (LT) session

Transcript

  1. ProVerif: a tool for formal security verification of protocols
     @tex2e

  2. ProVerif overview
     (Sections: Formal security verification of protocols / Protocol α / Protocol β / Closing)
     • What it does:
       Write code that models the protocol
       → run it with the ProVerif tool
       → get a verdict: vulnerability present or absent
     • What you learn:
       The protocol's security properties:
       secrecy, authenticity, offline attacks, forward secrecy
     • Today's talk:
       Verification of two sample protocols
       • Protocol α
       • Protocol β

  3. ProVerif
     • Automatically proves whether a protocol is secure
     • Free, and anyone can use it [1]
     • Its notation is (somewhat) like the spi calculus
     • As a language it is (somewhat) like OCaml

     free c: channel.
     free message: bitstring [private].
     query attacker(message).
     process
       out(c, message);
       0

     [1] http://proverif.inria.fr/

  4. Protocol α
     Client: password p, plaintext m          Server: password p
     Client → Server : encrypt enc(m, p)      Server decrypts
     We verify with ProVerif whether this protocol is secure.

  5. Modelling the protocol: hash function
     Properties:
     • One-way function: f(m) → h
     • In the perfect-cryptography model [2] no inverse function exists
     ProVerif code:
       fun hash(bitstring): bitstring.
     [2] The Dolev-Yao model

  6. Modelling the protocol: symmetric-key encryption
     Properties:
     • Encryption: enc(m, k)
     • Decryption: dec(c, k)
     • Decrypting an encryption returns the original: dec(enc(m, k), k) = m
     ProVerif code:
       fun enc(bitstring, key): bitstring.
       reduc forall m: bitstring, k: key;
         dec(enc(m,k),k) = m.

  7. Modelling protocol α: client–server communication
     (* Client A *)
     let clientA() =
       event beginA(msg);
       out(c, enc(msg, password));
       0.
     (* Server B *)
     let serverB() =
       in(c, x: bitstring);
       let recvmsg = dec(x, password) in
       event endB(recvmsg);
       0.
     process
       ( (!clientA()) | (!serverB()) )

  8. Verification method: secrecy
     Only authorized parties can access the information.
     • query : a verification query
     • attacker(v) : can the attacker obtain the value v?
     (* Checking secrecy *)
     query attacker(msg).
     query attacker(password).

  9. Verification result: secrecy
     $ proverif -color protocol1.pv
     (
         {1}!
         {2}out(c, enc(msg,password))
     ) | (
         {3}!
         {4}in(c, x: bitstring);
         {5}let recvmsg: bitstring = dec(x,password) in
         0
     )
     ...
     --------------------------------------------------------------
     Verification summary:
     Query not attacker(msg[]) is true.
     Query not attacker(password[]) is true.

     Secrecy → holds ✓
     Offline attack → (not yet checked)
     Forward secrecy → (not yet checked)

  10. Verification method: offline attack
     Decoding eavesdropped traffic offline.
     • weaksecret v.
       When the secret value v has low entropy [3],
       can the attacker obtain v?
     (* Checking resistance to offline attacks *)
     weaksecret password.
     [3] i.e. when v is only a string a human can memorize (such as a password)

  11. Verification result: offline attack
     $ proverif -color protocol1a.pv
     ...
     The attacker tests whether dec(~M,@weaksecretcst) is fail knowing
     ~M = enc(msg,password).
     This allows the attacker to know whether @weaksecretcst = password.
     A trace has been found.
     RESULT Weak secret password is false.
     ...
     --------------------------------------------------------------
     Verification summary:
     Weak secret password is false. [4]
     Query not attacker(msg[]) is true.
     Query not attacker(password[]) is true.

     Secrecy → holds ✓
     Offline attack → possible ×
     Forward secrecy → (not yet checked)
     [4] Meaning: the protocol is not secure when a weak secret is used

  13. Verification result: offline attack (attack trace)
     A trace has been found.
     Honest process                          Attacker
     !                                       !
     Beginning of process clientA
     ~M = enc(msg,password)
                                             The attacker tests whether dec(~M,@weaksecretcst)
                                             is fail knowing ~M = enc(msg,password).
                                             This allows the attacker to know whether
                                             @weaksecretcst = password.

  14. Verification method: forward secrecy
     Even if the secret key leaks, past encrypted traffic cannot be decrypted.
     • phase 1; out(c, password)
       Phase 0 : encrypt plaintext m with the password and send it
       Phase 1 : leak the password
       After the password leak, can the attacker obtain plaintext m?
     (* Checking forward secrecy *)
     process
       ( (!clientA()) | (!serverB()) | phase 1; out(c, password) )

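Putting slides 6 to 14 together, here is one complete protocol α model as an added example (constructed for this page, not the author's protocol1*.pv files). It assumes the declarations the slides never show (`c`, the `key` type, the private names `password` and `msg`, and the two events), and adds an authenticity correspondence query for the beginA/endB events that the slides declare but never query.

```proverif
(* Constructed example for this page, not the slides' own file:
   protocol α assembled into one complete model. *)
type key.
free c: channel.
free password: key [private].   (* low-entropy shared secret *)
free msg: bitstring [private].  (* plaintext whose secrecy is checked *)

(* Symmetric encryption as on slide 6 *)
fun enc(bitstring, key): bitstring.
reduc forall m: bitstring, k: key; dec(enc(m, k), k) = m.

(* Events used on slide 7, declared here so the file type-checks *)
event beginA(bitstring).
event endB(bitstring).

(* Secrecy (slide 8): can the attacker obtain msg or password? *)
query attacker(msg).
query attacker(password).

(* Offline guessing (slide 10): is the low-entropy password safe? *)
weaksecret password.

(* Authenticity: the slides list it but never query it. Every endB(x)
   must be preceded by a beginA(x) with the same message. *)
query x: bitstring; event(endB(x)) ==> event(beginA(x)).

let clientA() =
  event beginA(msg);
  out(c, enc(msg, password));
  0.

let serverB() =
  in(c, x: bitstring);
  let recvmsg = dec(x, password) in
  event endB(recvmsg);
  0.

(* Keep the forward-secrecy variant of slide 14 in a separate file: once
   "phase 1; out(c, password)" publishes the password, weaksecret is
   trivially false and tells you nothing about guessing attacks. *)
process
  ( (!clientA()) | (!serverB()) )
```

Run it as `proverif protocol_alpha.pv` (assumed filename); the secrecy and weaksecret verdicts should match slides 9 and 11.
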
  15. Verification result: forward secrecy
     $ proverif -color protocol1b.pv
     ...
     (
         {1}!
         {2}out(c, enc(msg,password))
     ) | (
         {3}!
         {4}in(c, x: bitstring);
         {5}let recvmsg: bitstring = dec(x,password) in
         0
     ) | (
         {6}phase 1;
         {7}out(c, password)
     )
     ...
     --------------------------------------------------------------
     Verification summary:
     Query not attacker_p1(msg[]) is false.
     Query not attacker_p1(password[]) is false.

     Secrecy → holds ✓
     Offline attack → possible ×
     Forward secrecy → does not hold ×

  16. Verification result: forward secrecy (attack trace)
     A trace has been found.
     Honest process                          Attacker
     !                                       !
     Beginning of process clientA
     ~M = enc(msg,password)
     Phase 1
     ~M_1 = password
                                             The attacker has the message
                                             dec(~M,~M_1) = msg in phase 1

  17. Countermeasures / improvements: offline attacks and forward secrecy
     • Offline attack:
       derive a strong key from the weak one
     • Forward secrecy:
       use a different symmetric key for every session

  18. Diffie-Hellman key agreement (DH)
     1. Alice picks a random number a
     2. Alice→Bob : A = g^a (mod p)
     3. Bob picks a random number b
     4. Bob→Alice : B = g^b (mod p)
     5. Alice and Bob both obtain the shared key K:
        K = (g^a)^b = g^ab = (g^b)^a (mod p)
     When the generator g and the prime p are chosen appropriately, an eavesdropper
     cannot feasibly compute the shared key K from the public values A and B
     (the discrete logarithm problem).

  19. Modelling the protocol: Diffie-Hellman key agreement
     • One-way:
       A = g^a (mod p)
       A = exp(g, a)
     • The shared key is obtained from the public values:
       K = (g^a)^b = g^ab = (g^b)^a (mod p)
       K = exp(exp(g, a), b) = exp(exp(g, b), a)
     ProVerif code:
       type G.
       type exponent.
       const g: G [data]. (* generator g *)
       fun exp(G, exponent): G.
       equation forall a: exponent, b: exponent;
         exp(exp(g,a),b) = exp(exp(g,b),a).

  20. Protocol β: DH key agreement + encryption
     Client: password p, plaintext m          Server: password p
     generator g = genG(p)                    generator g = genG(p)
     Client → Server : g^a
     Server → Client : g^b
     g^ab                                     g^ab
     shared key s = KDF(g^ba)                 shared key s = KDF(g^ab)
     Client → Server : encrypt enc(m, s)      Server decrypts

  22. Modelling protocol β: client–server communication
     let clientA() =
       new randomA: exponent;
       let gA = exp(genG(password), randomA) in
       out(c, gA);
       in(c, gB: G);
       let sharedSecret = KDF(exp(gB, randomA)) in
       let ciphertext = enc(msg, sharedSecret) in
       out(c, ciphertext);
       0.
     let serverB() =
       new randomB: exponent;
       let gB = exp(genG(password), randomB) in
       in(c, gA: G);
       out(c, gB);
       let sharedSecret = KDF(exp(gA, randomB)) in
       in(c, ciphertext: bitstring);
       let recvmsg = dec(ciphertext, sharedSecret) in
       0.
     process
       ( (!clientA()) | (!serverB()) )

  23. Verification method: secrecy, offline attack, forward secrecy
     • attacker(v)
       can the attacker obtain the value v?
     • weaksecret v.
       when the secret value v has low entropy,
       can the attacker obtain v?
     • phase 1; out(c, password)
       Phase 0 : encrypt plaintext m with the password and send it
       Phase 1 : leak the password
       After the password leak, can the attacker obtain plaintext m?

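As an added example (constructed here, not the author's protocol2*.pv files), a complete protocol β model set up for the forward-secrecy check of slide 23. It assumes `genG` and `KDF` are one-way functions and, because the equation on slide 19 is stated only for the constant `g` and so never matches `exp(exp(genG(password), a), b)`, it quantifies the DH equation over the base as well (an assumption about how the author's model handles this).

```proverif
(* Constructed example for this page, not the slides' own file:
   protocol β with DH generalized to an arbitrary base. *)
type G.
type exponent.
type key.
free c: channel.
free password: key [private].   (* low-entropy shared secret *)
free msg: bitstring [private].  (* plaintext whose secrecy is checked *)

(* Assumption: the password-derived generator and the KDF are one-way
   functions; the slides use them but never declare them *)
fun genG(key): G.
fun KDF(G): key.

(* Slide 19 states the DH equation only for the constant g, which never
   matches exp(exp(genG(password), a), b); quantify over the base instead *)
fun exp(G, exponent): G.
equation forall x: G, a: exponent, b: exponent;
  exp(exp(x, a), b) = exp(exp(x, b), a).

(* Symmetric encryption as on slide 6 *)
fun enc(bitstring, key): bitstring.
reduc forall m: bitstring, k: key; dec(enc(m, k), k) = m.

let clientA() =
  new randomA: exponent;
  let gA = exp(genG(password), randomA) in
  out(c, gA);
  in(c, gB: G);
  let sharedSecret = KDF(exp(gB, randomA)) in
  out(c, enc(msg, sharedSecret));
  0.

let serverB() =
  new randomB: exponent;
  let gB = exp(genG(password), randomB) in
  in(c, gA: G);
  out(c, gB);
  let sharedSecret = KDF(exp(gA, randomB)) in
  in(c, ciphertext: bitstring);
  let recvmsg = dec(ciphertext, sharedSecret) in
  0.

(* Forward secrecy: the password is published in phase 1, so the second
   query is false by construction; msg must still be unreachable there.
   weaksecret is omitted: with the leak present it would be trivially false. *)
query attacker(msg) phase 1.
query attacker(password) phase 1.
process
  ( (!clientA()) | (!serverB()) | phase 1; out(c, password) )
```

For the secrecy and weaksecret verdicts of slide 24, drop the `phase 1; out(c, password)` branch and the phase annotations and add `weaksecret password.`, as a separate file.
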
  24. Verification result: secrecy, offline attack
     $ proverif -color protocol2a.pv
     ...
     --------------------------------------------------------------
     Verification summary:
     Query not attacker(msg[]) is true.
     Query not attacker(password[]) is true.
     Weak secret password is true.

     Secrecy → holds ✓
     Offline attack → infeasible ✓
     Forward secrecy → (not yet checked)

  25. Verification result: forward secrecy
     $ proverif -color protocol2b.pv
     ...
     --------------------------------------------------------------
     Verification summary:
     Query not attacker_p1(msg[]) is true.
     Query not attacker_p1(password[]) is false.
     ...
     (The password query is false by construction: the password is published in phase 1.)

     Secrecy → holds ✓
     Offline attack → infeasible ✓
     Forward secrecy → holds ✓

  26. Protocol β
     Designed with reference to WPA3, the new Wi-Fi standard
     Client: password p, plaintext m          Server: password p
     generator g = genG(p)                    generator g = genG(p)
     Client → Server : g^a
     Server → Client : g^b
     g^ab                                     g^ab
     shared key s = KDF(g^ba)                 shared key s = KDF(g^ab)
     Client → Server : encrypt enc(m, s)      Server decrypts

  27. Closing
     • ProVerif can automatically verify secrecy and authenticity
     • Trying to verify all kinds of protocols is fun
     Happy ProVerifying!

  28. References I
     Blanchet et al.: ProVerif 2.02pl1: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial. INRIA, September 2020.
     Blanchet: ProVerif Automatic Cryptographic Protocol Verifier, User Manual for Untyped Inputs. INRIA, September 2020.