Automated Analysis of Protocols that use Authenticated Encryption: Analysing the Impact of the Subtle Differences between AEADs on Protocol Security
Autor: | Cremers, Cas, Dax, Alexander, Jacomme, Charlie, Zhao, Mang |
---|---|
Přispěvatelé: | Helmholtz Center for Information Security [Saarbrücken] (CISPA), Programming securely with cryptography (PROSECCO), Inria de Paris, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), USENIX, ANR-22-PECY-0006,SVP,Verification of Security Protocols(2022) |
Jazyk: | angličtina |
Rok vydání: | 2023 |
Předmět: | |
Zdroj: | USENIX Security 2023 USENIX Security 2023, USENIX, Aug 2023, Anaheim, United States |
Popis: | International audience; Many modern security protocols such as TLS, WPA2, WireGuard, and Signal use a cryptographic primitive called Authenticated Encryption (optionally with Authenticated Data), also known as an AEAD scheme. AEAD is a variant of symmetric encryption that additionally provides authentication. While authentication may seem to be a straightforward additional requirement, it has in fact turned out to be complex: many different security notions for AEADs are still being proposed, and several recent protocol-level attacks exploit subtle behaviors that differ among real-world AEAD schemes. We provide the first automated analysis method for protocols that use AEADs that can systematically find attacks that exploit the subtleties of the specific type of AEAD used. This can then be used to analyze specific protocols with a fixed AEAD choice, or to provide guidance on which AEADs might be (in)sufficient to make a protocol design secure. We develop generic symbolic AEAD models, which we instantiate for the Tamarin prover. Our approach can automatically and efficiently discover protocol attacks that could previously only be found using manual inspection, such as the Salamander attack on Facebook's message franking, and attacks on SFrame and YubiHSM. Furthermore, our analysis reveals undesirable behaviors of several other protocols. |
Databáze: | OpenAIRE |
Externí odkaz: |