HIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
  1. FORMAL SECURITY ANALYSIS OF CRITICAL INFRASTRUCTURE
     Tom Chothia, University of Birmingham
  2. Research at the University of Birmingham
     •  I am a Senior Lecturer in Cyber-Security, in Birmingham’s Security and Privacy group.
     •  A leading UK cyber security group,
     •  GCHQ centre of academic excellence,
     •  Part of the UK-wide RITICS/SCEPTICS (CPNI) project on the security of industrial control systems.
     •  Birmingham also has a leading rail research group.
     •  Particular work on cars, RFID tags, EMV/contactless bank cards, banking apps, e-passports …
     •  We are currently looking at the cyber-security of ERTMS systems.
  3. Introduction
     •  Basic pentesting is not enough.
     •  It is particularly important to look at the correctness of all protocols and crypto.
     •  Proprietorial crypto is almost always a disaster.
     •  Formal modelling is a useful analytic tool to help experts explore systems.
     •  Examples: our work on e-passports and EMV cards.
  4. Thales → Chip maker → Key maker → Volkswagen NXP London Underground Mifare classic Mifare DESFire
  5. Message of this talk:
     •  Formal methods can help analysts find bugs in systems.
     •  All non-standard crypto and crypto constructs should be examined in detail.
     •  Formal methods can “prove” systems correct and “automatically find” errors.
     •  In my view, their value is more in forcing analysts to think carefully about a system’s design.
  6. The Applied Pi Calculus
  7. ProVerif – a tool for the applied pi-calculus
     •  An easier syntax for the applied pi calculus: in, out, new, ...
     •  Function definitions to model complex crypto.
     •  Can check:
        •  if a value is kept secret,
        •  reachability,
        •  correspondence,
        •  equivalence.
     •  Checks systems against arbitrary attackers.
     •  Can check an unbounded number of processes.
  8. Traceability Attacks
     •  A traceability attack lets you link two runs of a protocol.
     •  It does not break security, authenticity or anonymity.
     •  It does threaten privacy.
     •  Particularly important for RFID protocols.
  9. Basic Access Control
     Reader                                        Passport
     — GET CHALLENGE →
                                                   Pick random NP
     ← NP —
     Pick random NR, KR
     — {NR,NP,KR}Ke, MACKm({NR,NP,KR}Ke) →
                                                   Check MAC, Decrypt, Check NP
                                                   Pick random KP
     ← {NP,NR,KP}Ke, MACKm({NP,NR,KP}Ke) —
     Check MAC, Decrypt, Check NR
  10. Error Messages: French Passport
     Reader                                        Passport
     — GET CHALLENGE →
                                                   Pick random NP
     ← NP —
     Pick random NR, KR
     — {NR,NP,KR}Ke, MACKm({NR,NP,KR}Ke) →
                                                   Check MAC: fails
     ← 6300 no info. —
     A MAC failure gives error 6300: “no info”.
  11. Error Messages: French Passport
     Reader                                        Passport
     — GET CHALLENGE →
                                                   Pick random NP
     ← NP —
     Pick random NR, KR
     — {NR,NP,KR}Ke, MACKm({NR,NP,KR}Ke) →
                                                   Check MAC, Decrypt
                                                   Check NP: fails
     ← 6A80 Incorrect params —
     A nonce failure gives error 6A80: “Incorrect params”.
  12. Formal Model of BAC
  13. Strong Untraceability
     A process is untraceable if a run where tags repeat looks the same as a run where tags never repeat:
        new cs.(Env | !new names.Init.!A) = new cs.(Env | !new names.Init.A)
     (slide annotation on the right-hand side, before A: “no ! here”)
  14. Attack Part 1
     Attacker eavesdrops on Alice using her passport.
     Reader                                        Passport
     — GET CHALLENGE →
                                                   Pick random NP
     ← NP —
     Pick random NR, KR
     — M = {NR,NP,KR}Ke, MACKm({NR,NP,KR}Ke) →
     Attacker records message M.
  15. Attack Part 2
     Attacker                                      ????
     — GET CHALLENGE →
                                                   Pick random NP
     ← NP2 —
     — M = {NR,NP,KR}Ke, MACKm({NR,NP,KR}Ke) →
     ← 6300 no info. —
     MAC check failed: ???? is not Alice.
  16. Attack Part 2
     Attacker                                      ????
     — GET CHALLENGE →
                                                   Pick random NP
     ← NP2 —
     — M = {NR,NP,KR}Ke, MACKm({NR,NP,KR}Ke) →
     ← 6A80 incorrect params. —
     MAC check passed: ???? must have used Alice's MAC key, therefore ???? is Alice.
  17. The failed MAC is rejected sooner, UK passport
  18. Contactless EMV Cards
  19. (diagram labels) Sym. Key: Kbc; Sym. Key: Kbc; Private Bank Key: Sb; Card Data Signed with Sb; Public Bank Key: Vb; Private Card Key: Sc; Public Card Cert Signed by Bank; amount; Signed data, Cryptogram & Cert; Cryptogram; Online only
  20. Visa’s PayWave
  21. Formal Model PayWave
  22. Correspondence Assertions
     •  Checking this protocol we find that all expected secrecy properties hold.
     •  A transaction cannot be completed without a real card.
     •  Correspondence assertions let us check if two parts of the system agree on a value, and if they are in a one-to-one correspondence.
     •  We find that shops will only accept one payment for each use of the card.
     •  But shops can accept a transaction for the wrong amount,
        •  i.e. with an incorrect cryptogram.
  23. Wedge Attack
     Bad card replaces AC with fake data.
  24. EuroRadio: Protocol
     EuroRadio generates a shared secret key. The key is used to create message authentication codes (MACs), which are used to ensure the integrity of each message to the train.
  25. EuroRadio Model
  26. Result
     •  Session keys are set up securely.
     •  Messages can be replayed
        •  (mitigated by counter at the application layer).
     •  Messages can be deleted without the train knowing.
     •  Messages can be delayed.
  27. EuroRadio: Message Authentication Code
  28. A More Secure MAC
  29. Balises
  30. Ethernet and CAN Bus Attacks
  31. Back End Systems
  32. Conclusion
     •  Formal methods provide a useful tool to help analysts discover flaws in systems.
     •  A key advantage is in forcing analysts to think very carefully about their systems.
     •  They have been shown to be effective at finding vulnerabilities that other analyses have missed.
     •  Any crypto which is not widely used must be carefully examined.
     •  Never accept proprietorial crypto.
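
The error-message leak from slides 10 to 17, as an added simulation that is not part of the talk: a recorded reader message is replayed to two passports, first with the distinct 6300/6A80 errors and then with a single uniform error. The XOR "cipher", HMAC-SHA256 tag, key sizes and all function names are assumptions made for this sketch, not the passport's real algorithms.

```python
import hashlib, hmac, os

def enc(key, data):
    # Toy XOR stream standing in for BAC's block cipher (assumption; not real crypto).
    stream = hashlib.sha256(b"enc" + key).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

dec = enc  # XOR is its own inverse

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def reader_message(ke, km, n_p):
    """Reader's reply {NR,NP,KR}Ke, MACKm(...) for passport nonce NP."""
    ct = enc(ke, os.urandom(8) + n_p + os.urandom(16))  # NR | NP | KR
    return ct + mac(km, ct)

class Passport:
    def __init__(self, uniform_errors):
        self.ke, self.km = os.urandom(16), os.urandom(16)  # constructed keys
        self.uniform_errors = uniform_errors

    def get_challenge(self):
        self.n_p = os.urandom(8)
        return self.n_p

    def authenticate(self, msg):
        ct, tag = msg[:-8], msg[-8:]
        # Always run both checks, so the work done does not depend on which one fails
        # (the timing difference noted for the UK passport on slide 17).
        mac_ok = hmac.compare_digest(mac(self.km, ct), tag)
        nonce_ok = hmac.compare_digest(dec(self.ke, ct)[8:16], self.n_p)
        if mac_ok and nonce_ok:
            return "9000"                      # ISO 7816 success status
        if self.uniform_errors:
            return "6300"                      # hardened: one error for every failure
        return "6A80" if mac_ok else "6300"    # behaviour shown on slides 10 and 11

def replay_responses(uniform_errors):
    """Replay a message recorded from Alice's session to Alice and to Bob."""
    alice, bob = Passport(uniform_errors), Passport(uniform_errors)
    recorded = reader_message(alice.ke, alice.km, alice.get_challenge())
    answers = []
    for passport in (alice, bob):
        passport.get_challenge()               # fresh NP2, so the old NP never matches
        answers.append(passport.authenticate(recorded))
    return answers
```

With distinct errors the two answers differ, which is exactly the link between runs that the untraceability definition on slide 13 forbids; with the uniform error both passports answer identically.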
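
An added sketch, not from the talk, of what the correspondence assertions on slide 22 check, evaluated over event traces instead of inside ProVerif. The event names `card_pay` and `shop_accept`, the fields `txn` and `amount`, and the three traces are constructed for illustration.

```python
from collections import Counter

def correspondence_violations(trace, fields):
    """Injective correspondence: every shop_accept must be matched by its own,
    earlier card_pay event that agrees on `fields`.
    Returns the trace indices of the accepts that have no such match."""
    unmatched_pays = Counter()
    violations = []
    for index, (kind, event) in enumerate(trace):
        key = tuple(event[f] for f in fields)
        if kind == "card_pay":
            unmatched_pays[key] += 1
        elif kind == "shop_accept":
            if unmatched_pays[key] > 0:
                unmatched_pays[key] -= 1      # consume it: one accept per card use
            else:
                violations.append(index)
    return violations

# Constructed traces (amounts in pence).
HONEST = [("card_pay",    {"txn": 1, "amount": 500}),
          ("shop_accept", {"txn": 1, "amount": 500})]

# One card use, one accept, but the two sides disagree on the amount.
WRONG_AMOUNT = [("card_pay",    {"txn": 2, "amount": 500}),
                ("shop_accept", {"txn": 2, "amount": 5000})]

# One card use accepted twice: breaks the one-to-one part of the property.
DOUBLE_ACCEPT = [("card_pay",    {"txn": 3, "amount": 500}),
                 ("shop_accept", {"txn": 3, "amount": 500}),
                 ("shop_accept", {"txn": 3, "amount": 500})]
```

`WRONG_AMOUNT` passes the check on `("txn",)` alone and fails it on `("txn", "amount")`, which is the shape of the result reported on slide 22: one payment per card use, but no agreement on the amount.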
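
The results on slide 26, as an added example that is not EuroRadio's own message format: a receiver that only verifies the MAC, next to one that also tracks a message counter. The message layout, key, payloads and class names are assumptions for this sketch.

```python
import hashlib, hmac

def tag(key, counter, payload):
    return hmac.new(key, counter.to_bytes(4, "big") + payload, hashlib.sha256).digest()

def send(key, counter, payload):
    return (counter, payload, tag(key, counter, payload))

class Receiver:
    def __init__(self, key, use_counter):
        self.key, self.use_counter, self.expected = key, use_counter, 0

    def receive(self, message):
        counter, payload, t = message
        if not hmac.compare_digest(t, tag(self.key, counter, payload)):
            return "bad-mac"
        if not self.use_counter:
            return "accepted"          # integrity only: replays and gaps go unnoticed
        if counter < self.expected:
            return "replay"
        gap = counter - self.expected  # messages missing before this one
        self.expected = counter + 1
        return "accepted" if gap == 0 else f"accepted-gap-{gap}"

def run(use_counter):
    key = b"k" * 32                    # constructed session key
    sent = [send(key, i, p) for i, p in enumerate([b"msg A", b"msg B", b"msg C"])]
    receiver = Receiver(key, use_counter)
    # Constructed network behaviour: deliver A, replay A, drop B, deliver C.
    return [receiver.receive(m) for m in (sent[0], sent[0], sent[2])]
```

The counter turns the replay into a rejection and makes the deleted message visible as a gap, but only once a later message arrives; a dropped final message or a delayed one looks the same to this receiver as silence.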
