HIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
FORMAL SECURITY ANALYSIS OF CRITICAL INFRASTRUCTURE
Tom Chothia
University of Birmingham
Research at the University of Birmingham
• I am a Senior Lecturer in Cyber-Security, in Birmingham’s Security and Privacy group.
• UK leading cyber security group,
• GCHQ centre of academic excellence,
• Part of the UK wide RITICS/SCEPTICS (CPNI) project on the security of industrial control systems.
• Birmingham also has a leading rail research group.
• Particular work on Cars, RFID tags, EMV/Contactless bank cards, banking apps, e-passports …
• We are currently looking at the cyber-security of ERTMS systems.
Introduction
• Basic pentesting is not enough.
• It is particularly important to look at the correctness of all protocols and crypto.
• Proprietary crypto is almost always a disaster.
• Formal modelling is a useful analytic tool to help experts explore systems.
• Examples: our work on e-passports and EMV cards.
Thales → Chip maker → Key maker → Volkswagen
NXP London Underground
Mifare classic
Mifare DESFire
Message of this talk:
• Formal methods can help analysts find bugs in systems.
• All non-standard crypto and crypto constructs should be examined in detail.
• Formal methods can “prove” systems correct and “automatically find” errors.
• In my view, their value is more in forcing analysts to think carefully about a system’s design.
The Applied Pi Calculus
ProVerif – a tool for the applied pi-calculus
• An easier syntax for the applied pi calculus: in, out, new, ...
• Function definitions to model complex crypto.
• Can check:
  • if a value is kept secret,
  • reachability,
  • correspondence,
  • equivalence.
• Checks systems against arbitrary attackers.
• Can check an unbounded number of processes.
Traceability Attacks
• A traceability attack lets you link two runs of a protocol.
• It does not break security, authenticity or anonymity.
• It does threaten privacy.
• Particularly important for RFID protocols.
Basic Access Control
Reader → Passport: GET CHALLENGE
Passport: pick random NP
Passport → Reader: NP
Reader: pick random NR, KR
Reader → Passport: {NR,NP,KR}Ke, MACKm({NR,NP,KR}Ke)
Passport: check MAC, decrypt, check NP; pick random KP
Passport → Reader: {NP,NR,KP}Ke, MACKm({NP,NR,KP}Ke)
Reader: check MAC, decrypt, check NR
Error Messages: French Passport
Reader → Passport: GET CHALLENGE
Passport: pick random NP
Passport → Reader: NP
Reader: pick random NR, KR
Reader → Passport: {NR,NP,KR}Ke, MACKm({NR,NP,KR}Ke)
Passport: check MAC, fails
Passport → Reader: 6300 no info
• A MAC failure gives error 6300: “no info”.
Error Messages: French Passport
Reader → Passport: GET CHALLENGE
Passport: pick random NP
Passport → Reader: NP
Reader: pick random NR, KR
Reader → Passport: {NR,NP,KR}Ke, MACKm({NR,NP,KR}Ke)
Passport: check MAC, decrypt, check NP, fails
Passport → Reader: 6A80 Incorrect params
• A nonce failure gives error 6A80: “Incorrect params”.
Formal Model of BAC
Strong Untraceability
A process is untraceable if a run where tags repeat looks the same as a run where tags never repeat:
new cs.(Env | !new names.Init.!A) = new cs.(Env | !new names.Init.A)
(no ! before A on the right-hand side)
Attack Part 1
Attacker eavesdrops on Alice using her passport.
Reader → Passport: GET CHALLENGE
Passport: pick random NP
Passport → Reader: NP
Reader: pick random NR, KR
Reader → Passport: M = {NR,NP,KR}Ke, MACKm({NR,NP,KR}Ke)
Attacker records message M.
Attack Part 2
Attacker → ????: GET CHALLENGE
????: pick random NP
???? → Attacker: NP2
Attacker → ????: M = {NR,NP,KR}Ke, MACKm({NR,NP,KR}Ke)
???? → Attacker: 6300 no info
• MAC check failed: ???? is not Alice.
Attack Part 2
Attacker → ????: GET CHALLENGE
????: pick random NP
???? → Attacker: NP2
Attacker → ????: M = {NR,NP,KR}Ke, MACKm({NR,NP,KR}Ke)
???? → Attacker: 6A80 incorrect params
• MAC check passed: ???? must have used Alice's MAC key, therefore ???? is Alice.
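The error-code behaviour and the two-part replay on the slides above can be reproduced in a small simulation that also shows the hardened form, where every failure returns one status word. This is an added example, not code from the talk: HMAC-SHA256 and a SHA-256 keystream stand in for the passport's real MAC and cipher, the success status 9000 is assumed, and all names are hypothetical.

```python
import hashlib
import hmac
import os

OK, MAC_FAIL, NONCE_FAIL = "9000", "6300", "6A80"  # 6300/6A80 as on the slides

def mac(km, data):
    # HMAC-SHA256 stands in for the passport's real MAC (assumption).
    return hmac.new(km, data, hashlib.sha256).digest()

def toy_cipher(ke, data):
    # Toy SHA-256 keystream XOR for messages up to 32 bytes (assumption, not real BAC).
    stream = hashlib.sha256(ke).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class Passport:
    def __init__(self, distinct_errors):
        self.ke, self.km = os.urandom(16), os.urandom(16)  # per-passport keys
        self.distinct_errors = distinct_errors
        self.np = b""

    def get_challenge(self):
        self.np = os.urandom(8)  # fresh NP for every run
        return self.np

    def authenticate(self, msg):
        ct, tag = msg[:32], msg[32:]
        mac_ok = hmac.compare_digest(tag, mac(self.km, ct))
        nonce_ok = hmac.compare_digest(toy_cipher(self.ke, ct)[8:16], self.np)
        if mac_ok and nonce_ok:
            return OK
        if self.distinct_errors:  # behaviour shown for the French passport
            return NONCE_FAIL if mac_ok else MAC_FAIL
        return MAC_FAIL  # hardened: one status word for every failure

def reader_message(passport):
    # Honest reader run: M = {NR,NP,KR}Ke, MAC_Km({NR,NP,KR}Ke)
    n_p = passport.get_challenge()
    ct = toy_cipher(passport.ke, os.urandom(8) + n_p + os.urandom(16))
    return ct + mac(passport.km, ct)

def replay_response(recorded, passport):
    # Replay a recorded M into a new run; only the status word is observed.
    passport.get_challenge()
    return passport.authenticate(recorded)

def runs_linkable(distinct_errors):
    # True if the status word alone tells Alice's passport from another one.
    alice, other = Passport(distinct_errors), Passport(distinct_errors)
    m = reader_message(alice)
    return replay_response(m, alice) != replay_response(m, other)
```

`runs_linkable(True)` holds because the replayed M draws 6A80 from the passport that produced it and 6300 from any other; with a single failure status word the two responses are identical.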
The failed MAC is rejected sooner, UK passport
Contactless EMV Cards
Sym. Key: Kbc
Sym. Key: Kbc Private Bank Key: Sb
Card Data Signed with Sb
Public Bank Key: Vb
Private Card Key: Sc
Public Card Cert Signed by Bank
amount
Signed data, Cryptogram & Cert Cryptogram
Online only
Visa’s PayWave
Formal Model PayWave
Correspondence Assertions
• Checking this protocol we find that all expected secrecy properties hold.
• A transaction cannot be completed without a real card.
• Correspondence assertions let us check if two parts of the system agree on a value, and if they are in a one-to-one correspondence.
• We find that shops will only accept one payment for each use of the card.
• But shops can accept a transaction for the wrong amount.
  • i.e. with an incorrect cryptogram.
Wedge Attack
Bad card replaces AC with fake data.
EuroRadio: Protocol
EuroRadio generates a shared secret key. The key is used to create message authentication codes (MACs), which ensure the integrity of each message to the train.
EuroRadio Model
Result
• Session keys are set up securely.
• Messages can be replayed
  • (mitigated by counter at the application layer).
• Messages can be deleted without the train knowing.
• Messages can be delayed.
EuroRadio: Message Authentication Code
A More Secure MAC
Balises
Ethernet and CAN Bus Attacks
Back End Systems
Conclusion
• Formal methods provide a useful tool to help analysts discover flaws in systems.
• A key advantage is in forcing analysts to think very carefully about their systems.
• They have been shown to be effective at finding vulnerabilities that other analyses have missed.
• Any crypto which is not widely used must be carefully examined.
• Never accept proprietary crypto.