RunesAuth
/
FormalProof
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
FormalProof/proverif/Federation.pv

380 lines
13 KiB
Plaintext
Raw Normal View History

Proofs and little description Signed-off-by: Luca Fulchir <luker@fenrirproject.org>
2016-10-14 09:05:37 +00:00
(*
* Formal definition to verify the Fenrir protocol.
* to be used with ProVerif
*
* This is to verify the correctness of the full 3-RTT handshake.
* DNSSEC is NOT verified, as it is assumed to be correct.
*
* The test *WILL* take a while... proverif says it has inserted more than 18k rules, and has a rule base of almost 12k rules.
* just leave it to work...
*)
(*
* ==============
* Type definition
* ==============
*)
type host.
type sKey. (* symmetric key *)
type pubKey. (* public key for asymmetric key encryption *)
type privKey. (* private key for asymmetric key encryption *)
type nonce. (* just a nonce *)
const leak: channel. (* to leak private material *)
const cf_full: channel. (* client-fenrir, full-security handshake *)
const cf_state: channel. (* client-fenrir, stateful handshake *)
const cf_dir: channel. (* client-fenrir, directory-synchronized handshake *)
const cs: channel. (* client-service *)
const sf: channel [private]. (* service-fenrir: since it is managed as the client-fenrir channel, this is not checked *)
(* various stuff that should remain private *)
const Auth: nonce [private].
const prS: privKey [private]. (* service private key *)
const prF: privKey [private].
const prF_dir: privKey [private].
const OTP: sKey [private].
free csKey: sKey [private].
free Rekey: bitstring. (* rekey message *)
type algorithm.
const alg_bad: algorithm. (* broken key exchange algorithm *)
const alg_good: algorithm. (* good key exchange algorithm *)
const alg_both: algorithm. (* both good and bad algorithms support*)
(*
* ==============
* Function definition
* ==============
*)
(* any to bitstring conversion *)
fun fromKey(sKey) : bitstring.
reduc forall a : sKey; toKey(fromKey(a)) = a.
(* symmetric key encription *)
fun sEnc(bitstring, sKey): bitstring. (* encrypt with symmetric key *)
reduc forall c: bitstring, k: sKey; sDec(sEnc(c,k),k) = c. (* decrypt with symmetric key *)
(* public key definition *)
fun genPub(privKey): pubKey. (* public keys are generated from private ones *)
(* public key signing *)
fun sign(bitstring, privKey): bitstring.
reduc forall c: bitstring, k: privKey; ver(c, sign(c, k), genPub(k)) = true. (* verify signature *)
(* some key exchange based on public keys *)
fun exchange(privKey, pubKey) : sKey.
equation forall p1 : privKey, p2 : privKey; exchange(p1, genPub(p2)) = exchange(p2, genPub(p1)).
(* hash used by OTP, sKey based *)
fun hash(sKey) : sKey.
(* xor function *)
fun xor(sKey, sKey) : sKey.
reduc forall a : sKey, b : sKey; unxor(xor(a, b), b) = a.
reduc forall a : sKey, b : sKey; unxor2(xor(a, b), a) = b. (* created for proverif, not used for simplicity *)
(*
* ==============
* Events -- used for correlation
* ==============
*)
event downgrade().
event acceptedFenrir(sKey).
event clientConnect(sKey, sKey).
event serviceConnect(sKey).
(* NOTE: in multiple places we have an if-else branch over a nonce.
* and the else branch start with an "if" that is the opposite of the first "if".
* This "if" after the else seems unnecessary but actually hugely speeds up proverif.
* reason: proverif does not have to check for all the possible nonces, as it seems
* it doesn't notice that the nonce can have only few vales, as it actually is an enum *)
(*
* ==========================================================================
* Client definition, Full-security handshake with good and broken algorithms
* ==========================================================================
*)
let client_full(pubF: pubKey, Auth: nonce, supported: algorithm, OTP: sKey) =
new cn1: nonce; (* Client Nonce 1 *)
new prC: privKey; (* ephemeral public key. *)
(* Note: this nonce is technically useless, but prevents amplification/DoS attack
* also: the nonce should include a timer, but proverif doesn't check for DoS,
* and doesn't play nicely with timers, so we don't really care...
*)
(* start cookie exchange *)
out (cf_full, (cn1, supported));
in (cf_full, (sn1: nonce, selected: algorithm, s1: bitstring, s2: bitstring));
if ver((sn1, cn1, supported, selected), s1, pubF) = true then
if ver((sn1, selected), s2, pubF) = true then
(* RTT 1 completed *)
(* start algorithm agreement *)
new cn2: nonce;
(* out: nonces and signature, supported_algorithms *)
(* bad algorithm somehow exposes authentication data *)
if selected = alg_bad && (supported = alg_both || supported = alg_bad) then
(
event downgrade()
)
else
(
if selected = alg_good then
out (cf_full, (sn1, selected, s2, cn2, genPub(prC)));
(* se1: server encrypt 1: contains supported authentication algorithms
* unused here, it's the same mechanism as the "selected" one
*)
in (cf_full, (ephF: pubKey, se1: bitstring, s3: bitstring));
if ver((ephF, se1), s3, pubF) = true then
let (cfKey) = exchange(prC, ephF) in
(* RTT 2 Completed *)
out (cf_full, (sEnc((Auth, Auth), cfKey)));
in (cf_full, (se2: bitstring));
let (chan: channel, xorKey: bitstring) = sDec(se2, cfKey) in
(* RTT 3 completed, can now connect to service *)
let cs_Key = sDec(xorKey, hash(OTP)) in
event clientConnect(cfKey, toKey(cs_Key));
out (chan, sEnc(fromKey(OTP), toKey(cs_Key)))
).
(*
* ===========================================================================
* Fenrir definition, full security handshake, with good and broken algorithms
* ===========================================================================
*)
let fenrir_full(privF: privKey, Auth: nonce, supported: algorithm) =
(* Nonce exchange *)
in (cf_full, (fin1: nonce, client_alg: algorithm));
new s_nonce: nonce;
(* triggers "event downgrade()" in the client, no need to go further *)
(* bad only if both support bad *)
if client_alg = alg_bad && (supported = alg_bad || supported = alg_both) then
(
out (cf_full, (s_nonce, alg_bad, sign((s_nonce, fin1, client_alg, alg_bad), privF),
sign((s_nonce, alg_bad), privF)))
)
else
(
if client_alg = alg_good || client_alg = alg_both then
out (cf_full, (s_nonce, alg_good, sign((s_nonce, fin1, client_alg, alg_good), privF),
sign((s_nonce, alg_good), privF)));
(* RTT 1 finished *)
in (cf_full, (=s_nonce, =alg_good, signed: bitstring, fin2: nonce, pubC: pubKey));
if ver((s_nonce, alg_good), signed, genPub(privF)) = true then
new prF2: privKey;
let (cfKey) = exchange(prF2, pubC) in
out (cf_full, (genPub(prF2), sEnc((supported, supported), cfKey), sign((genPub(prF2), sEnc((s_nonce, s_nonce), cfKey)), privF)));
(* RTT 2 finished, now we have a state *)
in (cf_full, (ce1: bitstring));
let (data: nonce, data2: nonce) = sDec(ce1, cfKey) in
if data = Auth && data2 = Auth then
new user_info : nonce;
out (sf, user_info);
in (sf, key : sKey);
event acceptedFenrir(cfKey);
out (cf_full, (sEnc((cs, key), cfKey)))
(* RT3 finished *)
).
(*
* ==================================
* Service definition, common for all
* ==================================
*)
let service(OTP : sKey) =
(* sf channel is secret, thus trusted. do not encrypt to reduce
* proverif running time *)
in (sf, rnd : nonce); (* user info. useless in our model *)
(* this should be cskey XOR hash(OTP), but proverif can't handle XOR.
* so we treat it as encryption, as it has the same properties in our case *)
out (sf, sEnc(fromKey(csKey), hash(OTP)));
in (cs, enc2 : bitstring);
let is_OTP : bitstring = sDec(enc2, csKey) in
if OTP = toKey(is_OTP) then
event serviceConnect(csKey).
(*
* ======================================================================
* Client Definition, Stateful handshake, with good and broken algorithms
* ======================================================================
*)
let client_state (pubF: pubKey, Auth: nonce, supported: algorithm, OTP: sKey) =
new cn1: nonce; (* Client Nonce 1 *)
new prC: privKey; (* ephemeral key *)
(* Note: this nonce is technically useless, but prevents amplification/DoS attack
* also: the nonce should include a timer, but proverif doesn't check for DoS,
* and doesn't play nicely with timers, so we don't really care...
*)
(* start cookie exchange *)
out (cf_state, (cn1, supported));
in (cf_state, (alg: algorithm, ephF: pubKey, s1: bitstring));
if ver((cn1, supported, alg, ephF), s1, pubF) = true then
(* RTT 1 completed *)
if alg = alg_bad then
(
if supported = alg_bad || supported = alg_both then
(* bad algorithm exposes authentication data *)
event downgrade()
)
else
(
if alg = alg_good then
if supported = alg_good || supported = alg_both then
let (cfKey) = exchange(prC, ephF) in
out (cf_state, (genPub(prC), sEnc((Auth,Auth), cfKey)));
in (cf_state, enc: bitstring);
(* RTT 2 completed, can now connect to service *)
let (chan: channel, xorKey: bitstring) = sDec(enc, cfKey) in
let cs_Key = sDec(xorKey, hash(OTP)) in
event clientConnect(cfKey, toKey(cs_Key));
out (chan, sEnc(fromKey(OTP), toKey(cs_Key)))
).
(*
* ===========================================================================
* Fenrir definition, stateful handshake, with good and broken algorithms
* ===========================================================================
*)
let fenrir_state (privF: privKey, Auth: nonce, supported: algorithm) =
(* Nonce exchange *)
new prF2 : privKey;
new s_nonce: nonce;
in (cf_state, (fin1: nonce, client_alg: algorithm));
if client_alg = alg_bad && (supported = alg_bad || supported = alg_both) then
(
out(cf_state, (alg_bad, genPub(prF2), sign((fin1, client_alg, alg_bad, genPub(prF2)), privF)))
)
else
(
if (client_alg = alg_good || client_alg = alg_both) && (supported = alg_good || supported = alg_both) then
out(cf_state, (alg_good, genPub(prF2), sign((fin1, client_alg, alg_good, genPub(prF2)), privF)));
(* RTT 1 finished *)
in (cf_state, (pubC: pubKey, enc: bitstring));
let (cfKey) = exchange(prF2, pubC) in
let (data: nonce, data2: nonce) = sDec(enc, cfKey) in
if data = Auth && data2 = Auth then
new user_info : nonce;
out (sf, (user_info));
in (sf, key : sKey);
event acceptedFenrir(cfKey);
out (cf_state, sEnc((cs, key), cfKey))
(* RTT 2 finished *)
).
(*
* ===========================================================================
* Client definition, directory synchronized handshake
* ===========================================================================
*)
let client_dir (pubF: pubKey, Auth: nonce, OTP: sKey) =
new prC : privKey;
new cn : nonce;
let (cfKey) = exchange(prC, pubF) in
out (cf_dir, (genPub(prC), sEnc((Auth,cn), cfKey)));
in (cf_dir, enc: bitstring);
(* RTT 1 finished, now connect to service *)
let (=cn, chan: channel, xorKey: bitstring) = sDec(enc, cfKey) in
let cs_Key = sDec(xorKey, hash(OTP)) in
event clientConnect(cfKey, toKey(cs_Key));
out (chan, sEnc(fromKey(OTP), toKey(cs_Key))).
(*
* ===========================================================================
* Fenrir definition, directory synchronized handshake
* ===========================================================================
*)
let fenrir_dir (privF: privKey, Auth: nonce) =
in (cf_dir, (pubC: pubKey, enc: bitstring));
let (cfKey) = exchange(privF, pubC) in
let (=Auth, cn: nonce) = sDec (enc, cfKey) in
new user_info : nonce;
out (sf, user_info);
in (sf, key : sKey);
event acceptedFenrir(cfKey);
out (cf_dir, sEnc((cn, cs, key), cfKey)).
(*
* ==============
* Event correlation:
* ==============
query k1 : sKey, k2 : sKey; event(serviceConnect(k2)) ==> event(clientConnect(k1, k2)) ==> event(clientConnect(k1, k2)) ==> event(acceptedFenrir(k1)).
*)
(*
* ==============
* What should be secret?
* ==============
*)
query event(downgrade()).
query attacker(Auth). (* client auth data. *)
query attacker(OTP). (* client-service OTP data. *)
(*
* ==============
* Run the verification
* ==============
*)
process
let pbF = genPub(prF) in
let pbF_dir = genPub(prF_dir) in
((!service(OTP))
| (!client_full (pbF, Auth, alg_both, OTP)) | (!client_full (pbF, Auth, alg_good, OTP))
| (!fenrir_full (prF, Auth, alg_both)) | (!fenrir_full (prF, Auth, alg_good))
| (!client_state(pbF, Auth, alg_both, OTP)) | (!client_state(pbF, Auth, alg_good, OTP))
| (!fenrir_state(prF, Auth, alg_both)) | (!fenrir_state(prF, Auth, alg_good))
| (!client_dir (pbF_dir, Auth, OTP)) | (!fenrir_dir (prF, Auth))
| phase 1; out(leak, prF)
(* PFS: leaking of the long-term secret will NOT affect previous communications *)
(* Now do everything again, WITHOUT leaking. Everything must be done again since
* we leaked the previous private key. If we didn't do everything again we could not prove
* that the interaction of the handshakes is secure.
* This is because the 1-RTT handshake does NOT have long-term secret
*)
(*
; (!service(OTP))
| (!client_full (pbF_dir, Auth, alg_both, OTP)) | (!client_full (pbF_dir, Auth, alg_good, OTP))
| (!fenrir_full (prF_dir, Auth, alg_both)) | (!fenrir_full (prF_dir, Auth, alg_good))
| (!client_state(pbF_dir, Auth, alg_both, OTP)) | (!client_state(pbF_dir, Auth, alg_good, OTP))
| (!fenrir_state(prF_dir, Auth, alg_both)) | (!fenrir_state(prF_dir, Auth, alg_good))
| (!client_dir (pbF_dir, Auth, OTP)) | (!fenrir_dir (prF, Auth))
*)
)