Formally Verified Implementations of Elliptic Curve Cryptography Standards

by Natalia Kulatova

Doctoral thesis project in Computer Science

Supervised by Karthikeyan Bhargavan.

Thesis in preparation at Université Paris sciences et lettres, within the École doctorale Sciences mathématiques de Paris centre, in partnership with DIENS - Département d'informatique de l'École normale supérieure (laboratory) and École normale supérieure (Paris; 1985-....) (institution of enrolment), since 01-09-2017.


  • Abstract

    The widespread use of cryptography began in the early 1970s with the development of the first encryption algorithm, DES. Since then cryptography has been on the rise, and it is now used in most domains that require security and confidentiality. Most security applications are based on asymmetric cryptography, which requires the user to hold a set of keys used for identification, signatures and so on. Key management is therefore a central part of securing a system: the leakage of a key can compromise the whole system. For this reason a large infrastructure for creating, storing and managing keys is in daily use; it includes servers, databases, dedicated systems and devices. One part of this infrastructure is hardware modules. Tamper-proof hardware devices play a large role, for example as one factor in two-factor authentication. They consist of several main parts: the hardware itself, the firmware installed on it, and the driver used by external applications. A wide variety of tamper-proof devices for key management exists; well-known manufacturers include RSA, IBM, nCipher, Thales, Utimaco and HP, and prices range from 40 euros to thousands of euros per device. All of these devices require a strong and secure API. The PKCS#11 standard defines the API for such cryptographic tokens. Furthermore, security-level certifications exist for such devices, one of them being FIPS 140. That standard gives a set of requirements for such devices, from the implementation up to the application interfaces, including requirements for cryptographic key management (generation, entry, output, storage and destruction of keys). Nevertheless, many attacks on these devices have been observed. The attacks can come from the hardware implementation (hardware Trojans), from software bugs, from the API between the hardware and the software, or from the API between the software and the application.
    The simplest example is an attack that exploits key attributes: a misconfiguration of the attributes of one key led to the compromise of another key. More realistic attacks have been carried out on YubiKey devices, leading to the leakage of some cryptographic keys to the attacker; the article presents a formal analysis of the YubiKey security APIs. A more recent paper (2016) describes attacks on PKCS#11 devices that were successfully mounted by interacting with the low-level APDU protocol used to communicate with the device; these too led to keys leaking in plaintext. We advocate the use of formal verification to provide high-assurance APIs for such devices. We will build our verified implementation in F*. We begin from the verified cryptographic library HACL* and extend it with a verified PKCS#11 API, so that it can be used by any application that relies on this standardized API. We then extend this library to exploit hardware security mechanisms and, under realistic assumptions about the hardware, verify that our API is secure. In particular, we verify that the combined hardware-software device continues to provide strong protection against hardware side-channel attacks. We will thereby obtain the first verified hybrid hardware-software implementation of PKCS#11.
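
Attribute-based attacks of the kind mentioned above are prevented at the API layer by refusing any key template or update that would let one key export another. The following is an added illustration, not code from the thesis, from HACL* or from any PKCS#11 library: a small Python model of a token whose object-creation, attribute-update and wrapping operations enforce such a policy. The CKA_* names are PKCS#11's own attributes; the in-memory token, its conflict list and the "wrapped" placeholder are constructed for this example.

```python
class PolicyViolation(Exception): pass

# Pairs that must never both be TRUE on one key: a key that can both wrap other
# keys and decrypt could export a sensitive key (wrap it, then decrypt the blob).
CONFLICTS = [("CKA_WRAP", "CKA_DECRYPT"), ("CKA_UNWRAP", "CKA_ENCRYPT")]

def check_conflicts(attrs):
    for a, b in CONFLICTS:
        if attrs.get(a) and attrs.get(b):
            raise PolicyViolation(f"{a} and {b} may not both be set")

class Token:
    def __init__(self):
        self.objects = {}   # handle -> attribute dict (in-memory model only)
    def create_key(self, template):
        # PKCS#11 defaults (not sensitive, extractable), overridden by the template
        attrs = {"CKA_SENSITIVE": False, "CKA_EXTRACTABLE": True,
                 **{k: bool(v) for k, v in template.items()}}
        check_conflicts(attrs)
        # A sensitive key that may leave the token does so only wrapped under a
        # key the token marks CKA_TRUSTED, never under an arbitrary wrapping key.
        if attrs["CKA_SENSITIVE"] and attrs["CKA_EXTRACTABLE"]:
            attrs["CKA_WRAP_WITH_TRUSTED"] = True
        self.objects[len(self.objects) + 1] = attrs
        return len(self.objects)
    def set_attribute(self, handle, name, value):
        attrs = dict(self.objects[handle])
        # PKCS#11 allows CKA_SENSITIVE only FALSE->TRUE and CKA_EXTRACTABLE only
        # TRUE->FALSE; going the other way would silently downgrade the key.
        if (name, bool(value)) in [("CKA_SENSITIVE", False), ("CKA_EXTRACTABLE", True)] \
                and attrs[name] != bool(value):
            raise PolicyViolation(f"{name} may not be changed to {bool(value)}")
        attrs[name] = bool(value)
        check_conflicts(attrs)   # an update must not create a conflict either
        self.objects[handle] = attrs
    def wrap_key(self, wrapping, target):
        w, t = self.objects[wrapping], self.objects[target]
        if not w.get("CKA_WRAP") or not t["CKA_EXTRACTABLE"]:
            raise PolicyViolation("key cannot wrap, or target is not extractable")
        if t.get("CKA_WRAP_WITH_TRUSTED") and not w.get("CKA_TRUSTED"):
            raise PolicyViolation("sensitive key needs a CKA_TRUSTED wrapping key")
        return ("wrapped", target)   # stands in for the actual ciphertext

def rejected(call):   # True if the token's policy refuses the operation
    try:
        call()
    except PolicyViolation:
        return True
    return False
```

A verified PKCS#11 API in the sense of the abstract would carry these rules as preconditions proved for every operation rather than as runtime checks.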

  • Translated title

    Formally Verified Implementations of Elliptic Curve Cryptography Standards
