Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SaltyRTC and Verifpal #160

Open
ovalseven8 opened this issue Oct 20, 2019 · 2 comments
Open

SaltyRTC and Verifpal #160

ovalseven8 opened this issue Oct 20, 2019 · 2 comments

Comments

@ovalseven8
Copy link
Contributor

@ovalseven8 ovalseven8 commented Oct 20, 2019

Today, I had a look at Verifpal, an experimental software to do some analysis on cryptographic protocols. Because it's designed for non-experts (unlike proven formal verification tools), I thought I could try to model some parts of SaltyRTC.

Honestly, I am not sure if I've done it right and if it even makes sense. But perhaps there is some interest and, if useful, we can create a more detailed/better model.

The analysis on my model didn't bring up any issues. In case you're interested, here is my current model:

attacker[active]

// Setup phase

principal Initiator[
    knows private privatePermanentKeyInitiator
    knows private authenticationToken
    publicPermanentKeyInitiator = G^privatePermanentKeyInitiator
]

principal Server[
    knows private privatePermanentKeyServer
    publicPermanentKeyServer = G^privatePermanentKeyServer
]

principal Responder[
    knows private privatePermanentKeyResponder
    knows private authenticationToken
    publicPermanentKeyResponder = G^privatePermanentKeyResponder
]

// Let's assume the public key is exchanged securely to responder.
Initiator -> Responder: [publicPermanentKeyInitiator]

// 1) Initiator connects to server

Initiator -> Server: publicPermanentKeyInitiator

principal Server[
    generates privateSessionKeyForInitiator
    publicSessionKeyServerForInitiator = G^privateSessionKeyForInitiator
    sessionSharedKeyServerInitiator = publicSessionKeyServerForInitiator^publicPermanentKeyInitiator
]

// 2) 'server-hello' message from server to initiator

Server -> Initiator: publicSessionKeyServerForInitiator

// 3) 'client-auth' message from initiator to server

principal Initiator[
    knows private clientAuthMessage1
    sessionSharedKeyInitiatorServer = publicSessionKeyServerForInitiator^publicPermanentKeyInitiator
    secretBoxClientAuthInitiator = AEAD_ENC(sessionSharedKeyInitiatorServer, clientAuthMessage1, nil)
]

Initiator -> Server: secretBoxClientAuthInitiator

principal Server[
    clientAuthMessageFromInitiator = AEAD_DEC(sessionSharedKeyServerInitiator, secretBoxClientAuthInitiator, nil)?
]

// 4) 'server-auth' message from server to initiator

principal Server[
    knows private serverAuthMessage1
    secretBoxServerAuthToInitiator = AEAD_ENC(sessionSharedKeyServerInitiator, serverAuthMessage1, nil)
]

Server -> Initiator: secretBoxServerAuthToInitiator

principal Initiator[
    serverAuthMessageToInitiator = AEAD_DEC(sessionSharedKeyInitiatorServer, secretBoxServerAuthToInitiator, nil)?
]

// 5) Responder connects to server

// 6) 'server-hello' message from server to responder

principal Server[
    generates privateSessionKeyServerForResponder
    publicSessionKeyServerForResponder = G^privateSessionKeyServerForResponder
]

Server -> Responder: publicSessionKeyServerForResponder

// 7) 'client-hello' message from responder to server

Responder -> Server: publicPermanentKeyResponder

principal Server[
    sessionSharedKeyServerResponder = publicSessionKeyServerForResponder^publicPermanentKeyResponder
]

// 8) 'client-auth' message from responder to server

principal Responder[
    knows private clientAuthMessage2
    sessionSharedKeyResponderServer = publicSessionKeyServerForResponder^publicPermanentKeyResponder
    secretBoxClientAuthResponder = AEAD_ENC(sessionSharedKeyResponderServer, clientAuthMessage2, nil)
]

Responder -> Server: secretBoxClientAuthResponder

principal Server[
    clientAuthMessageFromResponder = AEAD_DEC(sessionSharedKeyServerResponder, secretBoxClientAuthResponder, nil)?
]

// 9) 'server-auth' message from server to responder

principal Server[
    knows private serverAuthMessage2
    secretBoxServerAuthToResponder = AEAD_ENC(sessionSharedKeyServerResponder, serverAuthMessage2, nil)
]

Server -> Responder: secretBoxServerAuthToResponder

principal Responder[
    serverAuthMessageToResponder = AEAD_DEC(sessionSharedKeyResponderServer, secretBoxServerAuthToResponder, nil)?
]

// 10) 'new-responder' message from server to initiator

principal Server[
    knows private newResponderMessage1
    secretBoxNewResponderToInitiator = AEAD_ENC(sessionSharedKeyServerInitiator, newResponderMessage1, nil)
]

Server -> Initiator: secretBoxNewResponderToInitiator

principal Initiator[
    newResponderMessageToInitiator = AEAD_DEC(sessionSharedKeyInitiatorServer, secretBoxNewResponderToInitiator, nil)?
]

// 11) 'token' message from responder to server to initiator

principal Responder[
    knows private tokenMessage1
    secretBoxTokenResponderToInitiator = AEAD_ENC(authenticationToken, tokenMessage1, nil)
]

Responder -> Initiator: secretBoxTokenResponderToInitiator

principal Initiator[
    tokenMessageToInitiator1 = AEAD_DEC(authenticationToken, secretBoxTokenResponderToInitiator, nil)?
]

// TODO: In case Initiator could decrypt, he knows the publicPermanentKey of responder
Responder -> Initiator: [publicPermanentKeyResponder]

// 12) 'key' message from responder to server to initiator

principal Responder[
    generates privateSessionKeyResponderForInitiator
    publicSessionKeyResponderForInitiator = G^privateSessionKeyResponderForInitiator
    knows private keyMessage1
    secretBoxKeyResponderToInitiator = AEAD_ENC(publicPermanentKeyResponder^publicPermanentKeyInitiator, keyMessage1, nil)
]

Responder -> Initiator: secretBoxKeyResponderToInitiator

principal Initiator[
    keyMessageToInitiator1 = AEAD_DEC(publicPermanentKeyInitiator^publicPermanentKeyResponder, secretBoxKeyResponderToInitiator, nil)?
]

// TODO: In case Initiator could decrypt, he knows the publicSessionKeyResponderForInitiator
Responder -> Initiator: [publicSessionKeyResponderForInitiator]

// 13) 'key' message from initiator to server to responder

principal Initiator[
    generates privateSessionKeyInitiatorForResponder
    publicSessionKeyInitiatorForResponder = G^privateSessionKeyInitiatorForResponder
    sessionSharedKeyInitiatorResponder = publicSessionKeyInitiatorForResponder^publicSessionKeyresponderForInitiator
    knows private keyMessage2
    secretBoxKeyInitiatorToResponder = AEAD_ENC(publicPermanentKeyInitiator^publicPermanentKeyResponder, keyMessage2, nil)
]

Initiator -> Responder: secretBoxKeyInitiatorToResponder

principal Responder[
    keyMessageToResponder1 = AEAD_DEC(publicPermanentKeyResponder^publicPermanentKeyInitiator, secretBoxKeyInitiatorToResponder, nil)?
]

// TODO: In case Responder could decrypt, he knows the publicSessionKeyInitiatorForResponder
Initiator -> Responder: [publicSessionKeyInitiatorForResponder]

principal Responder[
    sessionSharedKeyResponderInitiator = publicSessionKeyResponderForInitiator^publicSessionKeyInitiatorForResponder
]

// 14) 'auth' message from responder to server to initiator

principal Responder[
    knows private authMessage1
    secretBoxAuthResponderToInitiator = AEAD_ENC(sessionSharedKeyResponderInitiator, authMessage1, nil)
]

Responder -> Initiator: secretBoxAuthResponderToInitiator

principal Initiator[
    authMessageToInitiator1 = AEAD_DEC(sessionSharedKeyInitiatorResponder, secretBoxAuthResponderToInitiator, nil)?
]

// 15) 'auth' message from initiator to server to responder

principal Initiator[
    knows private authMessage2
    secretBoxAuthInitiatorToResponder = AEAD_ENC(sessionSharedKeyInitiatorResponder, authMessage2, nil)
]

Initiator -> Responder: secretBoxAuthInitiatorToResponder

principal Responder[
    authMessageToResponder1 = AEAD_DEC(sessionSharedKeyResponderInitiator, secretBoxAuthInitiatorToResponder, nil)?
]

queries[
    confidentiality? sessionSharedKeyInitiatorResponder
    confidentiality? sessionSharedKeyResponderInitiator
    confidentiality? tokenMessage1
    confidentiality? keyMessage1
    confidentiality? keyMessage2
    confidentiality? authMessage1
    confidentiality? authMessage2

    authentication? Responder -> Initiator: secretBoxTokenResponderToInitiator
    authentication? Responder -> Initiator: secretBoxKeyResponderToInitiator
    authentication? Initiator -> Responder: secretBoxKeyInitiatorToResponder
    authentication? Responder -> Initiator: secretBoxAuthResponderToInitiator
    authentication? Initiator -> Responder: secretBoxKeyInitiatorToResponder
]
@dbrgn

This comment has been minimized.

Copy link
Member

@dbrgn dbrgn commented Oct 20, 2019

Interesting, thanks for sharing! I didn't know verifpal yet.

@lgrahl do we want to do anything with that right now, or should we close and remember the tool for the future?

@lgrahl

This comment has been minimized.

Copy link
Member

@lgrahl lgrahl commented Oct 21, 2019

Definitely looks promising and it'd make a fine addition in the repo. However, it would require someone digging into it for reviewing. 🙂

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
You can’t perform that action at this time.