2. Research at the University of Birmingham
• I am a Senior Lecturer in Cyber-Security, in Birmingham's Security and Privacy group.
• UK leading cyber security group,
• GCHQ centre of academic excellence,
• Part of the UK-wide RITICS/SCEPTICS (CPNI) project on the security of industrial control systems.
• Birmingham also has a leading rail research group.
• Particular work on cars, RFID tags, EMV/contactless bank cards, banking apps, e-passports …
• We are currently looking at the cyber-security of ERTMS systems.
3. Introduction
• Basic pentesting is not enough.
• It is particularly important to look at the correctness of all protocols and crypto.
• Proprietorial crypto is almost always a disaster.
• Formal modelling is a useful analytic tool to help experts explore systems.
• Examples: our work on e-passports and EMV cards.
5. Message of this talk:
• Formal methods can help analysts find bugs in systems.
• All non-standard crypto and crypto constructs should be examined in detail.
• Formal methods can "prove" systems correct and "automatically find" errors.
• In my view, their value is more in forcing analysts to think carefully about a system's design.
7. ProVerif - a tool for the applied pi-calculus
• An easier syntax for the applied pi calculus: in, out, new, …
• Function definitions to model complex crypto.
• Can check:
  • if a value is kept secret,
  • reachability,
  • correspondence,
  • equivalence.
• Checks systems against arbitrary attackers.
• Can check an unbounded number of processes.
9. Traceability Attacks
• A traceability attack lets you link two runs of a protocol.
• It does not break security, authenticity or anonymity.
• It does threaten privacy.
• Particularly important for RFID protocols.
10. Basic Access Control
Reader                                            Passport
  ---- GET CHALLENGE ---------------------------->
                                                  Pick random NP
  <-------------------------------------- NP -----
Pick random NR, KR
  ---- {NR,NP,KR}Ke, MAC_Km({NR,NP,KR}Ke) ------->
                                                  Check MAC, decrypt, check NP
                                                  Pick random KP
  <----- {NP,NR,KP}Ke, MAC_Km({NP,NR,KP}Ke) ------
Check MAC, decrypt, check NR
11. Error Messages: French Passport
Reader                                            Passport
  ---- GET CHALLENGE ---------------------------->
                                                  Pick random NP
  <-------------------------------------- NP -----
Pick random NR, KR
  ---- {NR,NP,KR}Ke, MAC_Km({NR,NP,KR}Ke) ------->
                                                  Check MAC: fails
  <---------------------------- 6300 no info -----
A MAC failure is reported with error 6300: "no info".
14. Strong Untraceability
A process is untraceable if a run where tags repeat looks the same as a run where tags never repeat:
  new cs.(Env | !new names.Init.!A)
= new cs.(Env | !new names.Init.A)      (no ! before A here)
15. Attack Part 1
Attacker eavesdrops on Alice using her passport
Reader                                            Passport (Alice)
  ---- GET CHALLENGE ---------------------------->
                                                  Pick random NP
  <-------------------------------------- NP -----
Pick random NR, KR
  ---- M = {NR,NP,KR}Ke, MAC_Km({NR,NP,KR}Ke) --->
Attacker records message M.
16. Attack Part 2
Attacker                                          ???? (unknown passport)
  ---- GET CHALLENGE ---------------------------->
                                                  Pick random NP2
  <------------------------------------- NP2 -----
  ---- M = {NR,NP,KR}Ke, MAC_Km({NR,NP,KR}Ke) --->
  <---------------------------- 6300 no info -----
MAC check failed.
???? is not Alice.
17. Attack Part 2
Attacker                                          ???? (unknown passport)
  ---- GET CHALLENGE ---------------------------->
                                                  Pick random NP2
  <------------------------------------- NP2 -----
  ---- M = {NR,NP,KR}Ke, MAC_Km({NR,NP,KR}Ke) --->
  <------------------- 6A80 incorrect params -----
MAC check passed (the replayed M carries NP, not NP2, so only the nonce check fails).
???? must have used Alice's MAC key,
therefore ???? is Alice.
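The attack on slides 15 to 17, as an added Python model that is not part of the talk: a BAC responder with the French passport's two error codes beside the fixed responder that answers both failures with the same code, and a replay of the recorded M against a fresh challenge. Key derivation and the cipher are constructed stand-ins (a SHA-256 keystream rather than BAC's 3DES), and derive_keys, Passport, reader_message and replay_response are names chosen here.

```python
import hashlib
import hmac
import os

# Constructed stand-in for BAC's MRZ-derived keys: Ke encrypts, Km authenticates.
def derive_keys(mrz: bytes):
    return (hashlib.sha256(b"enc" + mrz).digest(),
            hashlib.sha256(b"mac" + mrz).digest())
# Toy stream cipher (random IV, SHA-256 keystream) standing in for BAC's 3DES-CBC;
# only the order "verify MAC, then decrypt and compare NP" matters here.
def enc(ke: bytes, pt: bytes) -> bytes:
    iv = os.urandom(16)
    ks = hashlib.sha256(ke + iv).digest()
    return iv + bytes(a ^ b for a, b in zip(pt, ks))
def dec(ke: bytes, ct: bytes) -> bytes:
    iv, body = ct[:16], ct[16:]
    ks = hashlib.sha256(ke + iv).digest()
    return bytes(a ^ b for a, b in zip(body, ks))
def mac(km: bytes, data: bytes) -> bytes:
    return hmac.new(km, data, hashlib.sha256).digest()

class Passport:
    """BAC responder. unified_errors=False reproduces the French passport
    (6300 on MAC failure, 6A80 on nonce mismatch); True is the fixed behaviour."""
    def __init__(self, mrz: bytes, unified_errors: bool):
        self.ke, self.km = derive_keys(mrz)
        self.unified = unified_errors
        self.np = None
    def get_challenge(self) -> bytes:
        self.np = os.urandom(8)
        return self.np
    def mutual_authenticate(self, m: bytes) -> str:
        ct, tag = m[:-32], m[-32:]
        if not hmac.compare_digest(mac(self.km, ct), tag):
            return "6300"                      # MAC failed: "no info"
        pt = dec(self.ke, ct)                  # NR (8) | NP (8) | KR (16)
        if pt[8:16] != self.np:
            return "6300" if self.unified else "6A80"   # distinct code is the leak
        return "9000"

def reader_message(ke: bytes, km: bytes, np: bytes) -> bytes:
    """Reader's message M = {NR,NP,KR}Ke, MAC_Km({NR,NP,KR}Ke) for challenge np."""
    ct = enc(ke, os.urandom(8) + np + os.urandom(16))
    return ct + mac(km, ct)
def replay_response(passport: Passport, m: bytes) -> str:
    """Error code returned when an old M is replayed after a fresh challenge:
    the MAC only verifies under the key of the passport M was built for."""
    passport.get_challenge()
    return passport.mutual_authenticate(m)
```

With unified_errors=True both passports answer 6300, so the replay no longer distinguishes Alice from anyone else; a single code is necessary but the two failure paths must also take the same time to be indistinguishable.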
20. [Figure: EMV keys and transaction data; only the labels survive extraction: Sym. Key Kbc; Private Bank Key Sb; Card Data signed with Sb; Public Bank Key Vb; Private Card Key Sc; Public Card Cert signed by Bank; amount; Signed data, Cryptogram & Cert; Cryptogram: online only.]
23. Correspondence Assertions
• Checking this protocol we find that all expected secrecy properties hold.
• A transaction cannot be completed without a real card.
• Correspondence assertions let us check if two parts of the system agree on a value, and if they are in a one-to-one correspondence.
• We find that shops will only accept one payment for each use of the card.
• But shops can accept a transaction for the wrong amount,
  • i.e. with an incorrect cryptogram.
26. EuroRadio: Protocol
EuroRadio generates a shared secret key.
The key is used to create message authentication codes (MACs) that ensure the integrity of each message to the train.
28. Result
• Session keys are set up securely.
• Messages can be replayed
  • (mitigated by a counter at the application layer).
• Messages can be deleted without the train knowing.
• Messages can be delayed.
35. Conclusion
• Formal methods provide a useful tool to help analysts discover flaws in systems.
• A key advantage is in forcing analysts to think very carefully about their systems.
• They have been shown to be effective at finding vulnerabilities that other analyses have missed.
• Any crypto which is not widely used must be carefully examined.
• Never accept proprietorial crypto.