FORMAL SECURITY ANALYSIS OF CRITICAL INFRASTRUCTURE
Tom Chothia
University of Birmingham
Research at the University of Birmingham
• I am a Senior Lecturer in Cyber-Security, in Birmingham’s Security and Privacy group.
• UK leading cyber security group,
• GCHQ centre of academic excellence,
• Part of the UK wide RITICS/SCEPTICS (CPNI) project on the security of industrial control systems.
• Birmingham also has a leading rail research group.
• Particular work on Cars, RFID tags, EMV/Contactless bank cards, banking apps, e-passports …
• We are currently looking at the cyber-security of ERTMS systems.
Introduction
• Basic pentesting is not enough.
• It is particularly important to look at the correctness of all protocols and crypto.
• Proprietary crypto is almost always a disaster.
• Formal modelling is a useful analytic tool to help experts explore systems.
• Examples: our work on e-passports and EMV cards.
Thales → Chip maker → Key maker → Volkswagen
NXP London Underground
Mifare classic
Mifare DESFire
Message of this talk:
• Formal methods can help analysts find bugs in systems.
• All non-standard crypto and crypto constructs should be examined in detail.
• Formal methods can “prove” systems correct and “automatically find” errors.
• In my view, their value is more in forcing analysts to think carefully about a system’s design.
The Applied Pi Calculus
ProVerif – a tool for the applied pi-calculus
• An easier syntax for the applied pi calculus: in, out, new, ...
• Function definitions to model complex crypto.
• Can check:
  • if a value is kept secret,
  • reachability,
  • correspondence,
  • equivalence.
• Checks systems against arbitrary attackers.
• Can check an unbounded number of processes.
Traceability Attacks
• A traceability attack lets you link two runs of a protocol.
• It does not break security, authenticity or anonymity.
• It does threaten privacy.
• Particularly important for RFID protocols.
Basic Access Control
Reader → Passport: GET CHALLENGE
Passport: Pick random NP
Passport → Reader: NP
Reader: Pick random NR, KR
Reader → Passport: {NR,NP,KR}_Ke, MAC_Km({NR,NP,KR}_Ke)
Passport: Check MAC, Decrypt, Check NP; Pick random KP
Passport → Reader: {NP,NR,KP}_Ke, MAC_Km({NP,NR,KP}_Ke)
Reader: Check MAC, Decrypt, Check NR
Error Messages: French Passport
Reader → Passport: GET CHALLENGE
Passport: Pick random NP
Passport → Reader: NP
Reader: Pick random NR, KR
Reader → Passport: {NR,NP,KR}_Ke, MAC_Km({NR,NP,KR}_Ke)
Passport: Check MAC fails
Passport → Reader: 6300 no info.
• A failed MAC check gives error 6300: “no info”.
Error Messages: French Passport
Reader → Passport: GET CHALLENGE
Passport: Pick random NP
Passport → Reader: NP
Reader: Pick random NR, KR
Reader → Passport: {NR,NP,KR}_Ke, MAC_Km({NR,NP,KR}_Ke)
Passport: Check MAC, Decrypt, Check NP fails
Passport → Reader: 6A80 Incorrect params
• A failed nonce check gives error 6A80: “Incorrect params”.
Formal Model of BAC
Strong Untraceability
A process is untraceable if a run where tags repeat looks the same as a run where tags never repeat:
new cs.(Env | !new names.Init.!A) = new cs.(Env | !new names.Init.A)
(no ! before A on the right-hand side)
Attack Part 1
Attacker eavesdrops on Alice using her passport.
Reader → Passport: GET CHALLENGE
Passport: Pick random NP
Passport → Reader: NP
Reader: Pick random NR, KR
Reader → Passport: M = {NR,NP,KR}_Ke, MAC_Km({NR,NP,KR}_Ke)
Attacker records message M.
Attack Part 2
Attacker → ????: GET CHALLENGE
????: Pick random NP
???? → Attacker: NP2
Attacker → ????: M = {NR,NP,KR}_Ke, MAC_Km({NR,NP,KR}_Ke)
???? → Attacker: 6300 no info.
• MAC check failed: ???? is not Alice.
Attack Part 2
Attacker → ????: GET CHALLENGE
????: Pick random NP
???? → Attacker: NP2
Attacker → ????: M = {NR,NP,KR}_Ke, MAC_Km({NR,NP,KR}_Ke)
???? → Attacker: 6A80 incorrect params.
• MAC check passed: ???? must have used Alice's MAC key, therefore ???? is Alice.
The failed MAC is rejected sooner, UK passport
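The error-code side channel from the Attack Part 1 and Part 2 slides, as an added example (not code from the talk): a toy passport model with the distinct 6300/6A80 responses beside a variant that returns one code for every failure. HMAC-SHA256 and an XOR pad stand in for the real MAC and cipher; the Passport class, the helper names, the 9000 success status and the choice of 6300 as the single code are assumptions of this sketch.

```python
import hashlib, hmac, os

def toy_crypt(ke, data):
    # Deterministic XOR pad standing in for the real cipher (assumption, not secure).
    pad = hashlib.sha256(ke).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def mac(km, data):
    # HMAC-SHA256 standing in for the passport's MAC (assumption).
    return hmac.new(km, data, hashlib.sha256).digest()

class Passport:
    """Toy BAC tag. Keys are constructed at random, not derived from a real document."""
    def __init__(self, uniform_errors):
        self.ke, self.km = os.urandom(16), os.urandom(16)
        self.uniform_errors = uniform_errors
        self.np = None

    def get_challenge(self):
        self.np = os.urandom(8)              # fresh NP for every run
        return self.np

    def authenticate(self, msg):
        ct, tag = msg[:32], msg[32:]
        mac_ok = hmac.compare_digest(tag, mac(self.km, ct))
        nonce_ok = mac_ok and toy_crypt(self.ke, ct)[8:16] == self.np
        if nonce_ok:
            return "9000"                    # ISO 7816 success status word
        if self.uniform_errors:
            return "6300"                    # hardened: one code for any failure
        return "6A80" if mac_ok else "6300"  # behaviour shown on the slides

def reader_message(passport, np):
    # Legitimate reader: {NR, NP, KR}_Ke followed by its MAC under Km.
    ct = toy_crypt(passport.ke, os.urandom(8) + np + os.urandom(16))
    return ct + mac(passport.km, ct)

def replay_response(recorded, passport):
    passport.get_challenge()                 # tag picks a new NP, so the replay never succeeds
    return passport.authenticate(recorded)

def linkable(uniform_errors):
    """True if replaying one recorded message tells Alice's tag apart from Bob's."""
    alice, bob = Passport(uniform_errors), Passport(uniform_errors)
    recorded = reader_message(alice, alice.get_challenge())  # run an observer could record
    return replay_response(recorded, alice) != replay_response(recorded, bob)

if __name__ == "__main__":
    print("distinct codes linkable:", linkable(False))
    print("uniform code linkable:  ", linkable(True))
```

A single error code does not remove the timing difference noted for the UK passport, where the failed MAC is rejected sooner; the tag would also need to do the same work on both failure paths.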
Contactless EMV Cards
Sym. Key: Kbc
Sym. Key: Kbc Private Bank Key: Sb
Card Data Signed with Sb
Public Bank Key: Vb
Private Card Key: Sc
Public Card Cert Signed by Bank
amount
Signed data, Cryptogram & Cert Cryptogram
Online only
Visa’s PayWave
Formal Model PayWave
Correspondence Assertions
• Checking this protocol we find that all expected secrecy properties hold.
• A transaction cannot be completed without a real card.
• Correspondence assertions let us check if two parts of the system agree on a value, and if they are in a one-to-one correspondence.
• We find that shops will only accept one payment for each use of the card.
• But shops can accept a transaction for the wrong amount.
  • i.e. with an incorrect cryptogram.
Wedge Attack
Bad card replaces AC with fake data.
EuroRadio: Protocol
EuroRadio generates a shared secret key.
The key is used to create message authentication codes (MACs), which ensure the integrity of each message to the train.
EuroRadio Model
Result
• Session keys are set up securely.
• Messages can be replayed
  • (mitigated by counter at the application layer)
• Messages can be deleted without the train knowing.
• Messages can be delayed.
EuroRadio: Message Authentication Code
A More Secure MAC
Balises
Ethernet and CAN Bus Attacks
Back End Systems
Conclusion
• Formal methods provide a useful tool to help analysts discover flaws in systems.
  • A key advantage is in forcing analysts to think very carefully about their systems.
• They have been shown to be effective at finding vulnerabilities that other analyses have missed.
• Any crypto which is not widely used must be carefully examined.
  • Never accept proprietary crypto.