2. Research at the University of Birmingham
• I am a Senior Lecturer in Cyber-Security, in Birmingham’s Security
and Privacy group.
• UK leading cyber security group,
• GCHQ centre of academic excellence,
• Part of the UK wide RITICS/SCEPTICS (CPNI) project on the security of
industrial control systems.
• Birmingham also has a leading rail research group.
• Particular work on Cars, RFID tags, EMV/Contactless bank cards,
banking apps, e-passports …
• We are currently looking at the cyber-security of ERTMS systems.
3. Introduction
• Basic pentesting is not enough.
• It is particularly important to look at the correctness of all
protocols and crypto.
• Proprietary crypto is almost always a disaster.
• Formal modelling is a useful analytic tool to help experts
explore systems.
• Examples: our work on e-passports and EMV cards.
5. Message of this talk:
• Formal methods can help analysts find bugs in systems.
• All non-standard crypto and crypto constructs should be
examined in detail.
• Formal methods can “prove” systems correct and
“automatically find” errors.
• In my view, their value is more in forcing analysts to think
carefully about a system’s design.
7. ProVerif – a tool for the applied pi-calculus
• An easier syntax for the applied pi calculus: in, out, new, ...
• Function definitions to model complex crypto.
• Can check:
• if a value is kept secret,
• reachability,
• correspondence,
• equivalence.
• Checks systems against arbitrary attackers.
• Can check an unbounded number of processes.
9. Traceability Attacks
• A traceability attack lets you link two runs of a
protocol.
• It does not break security, authenticity or
anonymity.
• It does threaten privacy.
• Particularly important for RFID protocols.
10. Basic Access Control
Reader → Passport: GET CHALLENGE
Passport: pick random NP
Passport → Reader: NP
Reader: pick random NR, KR
Reader → Passport: {NR,NP,KR}Ke, MACKm({NR,NP,KR}Ke)
Passport: check MAC, decrypt, check NP; pick random KP
Passport → Reader: {NP,NR,KP}Ke, MACKm({NP,NR,KP}Ke)
Reader: check MAC, decrypt, check NR
11. Error Messages: French Passport
Reader → Passport: GET CHALLENGE
Passport: pick random NP
Passport → Reader: NP
Reader: pick random NR, KR
Reader → Passport: {NR,NP,KR}Ke, MACKm({NR,NP,KR}Ke)
Passport: check MAC, which fails
Passport → Reader: 6300 “no info”
A MAC failure is reported with the status word 6300: “no info”.
14. Strong Untraceability
A process is untraceable if a run where tags repeat looks the same as a run where tags never repeat:
new cs.(Env | !new names.Init.!A) = new cs.(Env | !new names.Init.A)
(no ! before the final A on the right-hand side)
15. Attack Part 1
Attacker eavesdrops on Alice using her passport.
Reader → Passport: GET CHALLENGE
Passport: pick random NP
Passport → Reader: NP
Reader: pick random NR, KR
Reader → Passport: M = {NR,NP,KR}Ke, MACKm({NR,NP,KR}Ke)
Attacker records message M.
16. Attack Part 2
Attacker → ????: GET CHALLENGE
????: pick random NP2
???? → Attacker: NP2
Attacker → ????: M = {NR,NP,KR}Ke, MACKm({NR,NP,KR}Ke)
???? → Attacker: 6300 “no info”
MAC check failed, so ???? is not Alice.
17. Attack Part 2
Attacker → ????: GET CHALLENGE
????: pick random NP2
???? → Attacker: NP2
Attacker → ????: M = {NR,NP,KR}Ke, MACKm({NR,NP,KR}Ke)
???? → Attacker: 6A80 “incorrect params”
MAC check passed (only the nonce check failed), so ???? must hold Alice's MAC key;
therefore ???? is Alice.
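The distinguishing attack of slides 11, 15, 16 and 17, as an added Python simulation that is not part of the original talk: a toy passport that answers a replayed reader message with 6300 when the MAC fails but 6A80 when only the nonce check fails, beside a hardened passport that answers 6300 for every failure so the replay learns nothing. The keys, status-word handling and XOR/HMAC stand-ins for the real 3DES and MAC are constructed for illustration.

```python
import hmac, hashlib, os
# Constructed keys (Ke, Km) for two passports; real BAC keys are derived from the MRZ.
ALICE = (b"alice-enc-key-16", b"alice-mac-key-16")
BOB = (b"bob-enc-key-16by", b"bob-mac-key-16by")

def enc(ke, data):
    """Toy stand-in for {data}Ke: XOR with a keystream derived from Ke (not real 3DES)."""
    stream = hashlib.sha256(ke).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def mac(km, data):
    """Stand-in for MACKm(data)."""
    return hmac.new(km, data, hashlib.sha256).digest()

class Passport:
    """Passport side of BAC. leaky=True reproduces slide 11: a MAC failure answers
    6300 but a stale-nonce failure answers 6A80. leaky=False always answers 6300."""
    def __init__(self, ke, km, leaky):
        self.ke, self.km, self.leaky, self.np = ke, km, leaky, None
    def get_challenge(self):
        self.np = os.urandom(8)                      # fresh NP for this run
        return self.np
    def mutual_authenticate(self, m, tag):
        if not hmac.compare_digest(mac(self.km, m), tag):
            return "6300"                            # MAC check fails: "no info"
        if enc(self.ke, m)[8:16] != self.np:         # decrypt, check NP
            return "6A80" if self.leaky else "6300"  # MAC passed, NP is stale
        return "9000"                                # success (reply message omitted)

def honest_run(passport, ke, km):
    """A reader holding the right keys performs one run; returns (M, tag, status)."""
    np = passport.get_challenge()
    m = enc(ke, os.urandom(8) + np + os.urandom(16))  # {NR, NP, KR}Ke
    tag = mac(km, m)
    return m, tag, passport.mutual_authenticate(m, tag)

def replay_links(recorded, passport):
    """Replay a recorded (M, tag) after a fresh GET CHALLENGE: True iff the status
    word shows this passport holds the Km that produced the MAC (slides 16-17)."""
    passport.get_challenge()
    return passport.mutual_authenticate(*recorded) == "6A80"

def demo():
    """Record Alice's run, then replay it to Alice, to Bob and to a fixed Alice."""
    alice, bob = Passport(*ALICE, True), Passport(*BOB, True)
    m, tag, status = honest_run(alice, *ALICE)
    fixed = Passport(*ALICE, False)
    m2, tag2, _ = honest_run(fixed, *ALICE)
    return {"honest": status, "alice": replay_links((m, tag), alice),
            "bob": replay_links((m, tag), bob), "fixed": replay_links((m2, tag2), fixed)}
```

With the uniform error code the replay gets 6300 from Alice and from Bob alike, which is exactly the indistinguishability the untraceability equation on slide 14 asks for.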
20. EMV keys and data (diagram)
Symmetric key Kbc shared between bank and card.
Private bank key Sb; card data signed with Sb.
Public bank key Vb.
Private card key Sc; public card certificate signed by the bank.
Terminal sends the amount; card returns the signed data, the cryptogram and the certificate.
The cryptogram can be checked online only.
23. Correspondence Assertions
• Checking this protocol we find that all expected secrecy
properties hold.
• A transaction cannot be completed without a real card.
• Correspondence assertions let us check if two parts of the
system agree on a value, and if they are in a one-to-one
correspondence.
• We find that shops will only accept one payment for each use
of the card.
• But shops can accept a transaction for the wrong amount,
i.e. with an incorrect cryptogram.
26. Euroradio: Protocol
EuroRadio generates a shared secret key.
The key is used to generate message authentication codes (MACs)
that ensure the integrity of each message to the train.
28. Result
• Session keys are set up securely.
• Messages can be replayed (mitigated by a counter at the application layer).
• Messages can be deleted without the train
knowing.
• Messages can be delayed.
35. Conclusion
• Formal methods provide a useful tool to help analysts
discover flaws in systems.
• A key advantage is in forcing analysts to think very carefully about
their systems.
• They have been shown to be effective at finding
vulnerabilities that other analyses have missed.
• Any crypto which is not widely used must be carefully
examined.
• Never accept proprietary crypto.