On Post-compromise Security

Cohn-Gordon, Katriel; Cremers, Cas; Garratt, Luke

doi:10.1109/csf.2016.19

Cited by 102 publications

(72 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Updating the chaining key for every message provides a fine-grained form of forward secrecy: even if a device is compromised by a powerful adversary, the keys used to encrypt previous messages cannot be recovered. Updating the root key for every flight of message provides a form of post-compromise security [36]: if an adversary gains temporary control over a device and obtains all its keys, he can read and tamper with the next few messages in the current flight, but loses this ability as soon as a new flight of messages is sent or received by the device.…”

Section: A An F * Specification For the Signal Protocolmentioning

confidence: 99%

Formally Verified Cryptographic Web Applications in WebAssembly

Protzenko

Beurdouche

Merigoux

et al. 2019

2019 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

After suffering decades of high-profile attacks, the need for formal verification of security-critical software has never been clearer. Verification-oriented programming languages like F * are now being used to build high-assurance cryptographic libraries and implementations of standard protocols like TLS. In this paper, we seek to apply these verification techniques to modern Web applications, like WhatsApp, that embed sophisticated custom cryptographic components. The problem is that these components are often implemented in JavaScript, a language that is both hostile to cryptographic code and hard to reason about. So we instead target WebAssembly, a new instruction set that is supported by all major JavaScript runtimes.We present a new toolchain that compiles Low * , a low-level subset of the F * programming language, into WebAssembly. Unlike other WebAssembly compilers like Emscripten, our compilation pipeline is focused on compactness and auditability: we formalize the full translation rules in the paper and implement it in a few thousand lines of OCaml. Using this toolchain, we present two case studies. First, we build WHACL * , a WebAssembly version of the existing, verified HACL * cryptographic library. Then, we present LibSignal*, a brand new, verified implementation of the Signal protocol in WebAssembly, that can be readily used by messaging applications like WhatsApp, Skype, and Signal.

show abstract

Section: A An F * Specification For the Signal Protocolmentioning

confidence: 99%

Formally Verified Cryptographic Web Applications in WebAssembly

Protzenko

Beurdouche

Merigoux

et al. 2019

2019 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

“…instead aims for (non-forward) secrecy and just derives a single group key. Of necessity [14], ART must therefore support stateful and iterated key derivations. Using SafeSlinger's unbalanced DH key tree with ART's key updates, while reducing the computational load on the initiator, would take linear (versus logarithmic) time.…”

Section: Deployed Implementationsmentioning

confidence: 99%

“…The Signal Protocol and its variants offer a security property called Post-Compromise Security (PCS) [14], sometimes referred to as "future secrecy" or "self-healing". For PCS, even if Alice's device is entirely compromised by an adversary, she will automatically re-establish secure communications with others after a single unintercepted exchange, even if she was not aware of the compromise.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

On Ends-to-Ends Encryption

Cohn-Gordon

Cremers

Garratt

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

In the past few years secure messaging has become mainstream, with over a billion active users of end-to-end encryption protocols such as Signal. The Signal Protocol provides a strong property called post-compromise security to its users. However, it turns out that many of its implementations provide, without notification, a weaker property for group messaging: an adversary who compromises a single group member can read and inject messages indefinitely. We show for the first time that post-compromise security can be achieved in realistic, asynchronous group messaging systems. We present a design called Asynchronous Ratcheting Trees (ART), which uses tree-based Diffie-Hellman key exchange to allow a group of users to derive a shared symmetric key even if no two are ever online at the same time. ART scales to groups containing thousands of members, while still providing provable security guarantees. It has seen significant interest from industry, and forms the basis for two draft IETF RFCs and a chartered working group. Our results show that strong security guarantees for group messaging are practically achievable in a modern setting. CCS CONCEPTS • Security and privacy → Security protocols; Cryptography; Formal methods and theory of security; Formal security models; Mobile and wireless security;

show abstract

“…In [11], Cohn-Gordon et al introduce post-compromise security: security guarantees for communication after a party's long-term keys are compromised. This is accomplished using dynamic secrets, similarly to the commitment protocol above (though the secrets in the commitment protocol are used only for authentication).…”

Section: Analysing Other System Designsmentioning

confidence: 99%

Automatically Detecting the Misuse of Secrets: Foundations, Design Principles, and Applications

Milner

Cremers

et al. 2017

2017 IEEE 30th Computer Security Foundations Symposium (CSF)

Self Cite

View full text Add to dashboard Cite

We develop foundations and several constructions for security protocols that can automatically detect, without false positives, if a secret (such as a key or password) has been misused. Such constructions can be used, e.g., to automatically shut down compromised services, or to automatically revoke misused secrets to minimize the effects of compromise. Our threat model includes malicious agents, (temporarily or permanently) compromised agents, and clones. Previous works have studied domain-specific partial solutions to this problem. For example, Google's Certificate Transparency aims to provide infrastructure to detect the misuse of a certificate authority's signing key, logs have been used for detecting endpoint compromise, and protocols have been proposed to detect cloned RFID/smart cards. Contrary to these existing approaches, for which the designs are interwoven with domain-specific considerations and which usually do not enable fully automatic response (i.e., they need human assessment), our approach shows where automatic action is possible. Our results unify, provide design rationales, and suggest improvements for the existing domain-specific solutions. Based on our analysis, we construct several mechanisms for the detection of misuse. Our mechanisms enable automatic response, such as revoking keys or shutting down services, thereby substantially limiting the impact of a compromise. In several case studies, we show how our mechanisms can be used to substantially increase the security guarantees of a wide range of systems, such as web logins, payment systems, or electronic door locks. For example, we propose and formally verify an improved version of Cloudflare's Keyless SSL protocol that enables key misuse detection.

show abstract

On Post-compromise Security

Cited by 102 publications

References 20 publications

Formally Verified Cryptographic Web Applications in WebAssembly

Formally Verified Cryptographic Web Applications in WebAssembly

On Ends-to-Ends Encryption

Automatically Detecting the Misuse of Secrets: Foundations, Design Principles, and Applications

Contact Info

Product

Resources

About