Verified Correctness and Security of mbedTLS HMAC-DRBG

Published: 30 October 2017

Abstract

We have formalized the functional specification of HMAC-DRBG (NIST 800-90A), and we have proved its cryptographic security (that its output is pseudorandom) using a hybrid game-based proof. We have also proved that the mbedTLS implementation (a C program) correctly implements this functional specification. That proof composes with an existing C compiler correctness proof to guarantee, end-to-end, that the machine language program gives strong pseudorandomness. All proofs (hybrid games, C program verification, compiler, and their composition) are machine-checked in the Coq proof assistant. Our proofs are modular: the hybrid game proof holds on any implementation of HMAC-DRBG that satisfies our functional specification. Therefore, our functional specification can serve as a high-assurance reference.

Published In

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
October 2017
2682 pages
ISBN:9781450349468
DOI:10.1145/3133956
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. formal verification
  2. functional specification
  3. hmac-drbg
  4. pseudo-random generator

Qualifiers

  • Research-article

Conference

CCS '17

Acceptance Rates

CCS '17 Paper Acceptance Rate: 151 of 836 submissions, 18%
Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%

Article Metrics

  • Downloads (Last 12 months)166
  • Downloads (Last 6 weeks)17
Reflects downloads up to 25 Feb 2025

Cited By

  • A Formal Verification Library Design for Behavioral Refinement of CompCert Clight. IEEE Access 13 (2025), 26927-26944. DOI: 10.1109/ACCESS.2025.3539584.
  • Foundational Integration Verification of a Cryptographic Server. Proceedings of the ACM on Programming Languages 8, PLDI (2024), 1704-1729. DOI: 10.1145/3656446. Online publication date: 20 June 2024.
  • The Last Yard: Foundational End-to-End Verification of High-Speed Cryptography. Proceedings of the 13th ACM SIGPLAN International Conference on Certified Programs and Proofs (2024), 30-44. DOI: 10.1145/3636501.3636961. Online publication date: 9 January 2024.
  • MetaLeak: Uncovering Side Channels in Secure Processor Architectures Exploiting Metadata. 2024 ACM/IEEE 51st Annual International Symposium on Computer Architecture (ISCA), 693-707. DOI: 10.1109/ISCA59077.2024.00056. Online publication date: 29 June 2024.
  • Security analysis of the ISO standard OFB-DRBG. Designs, Codes and Cryptography 92, 11 (2024), 3515-3532. DOI: 10.1007/s10623-024-01449-z. Online publication date: 27 June 2024.
  • Provable Security of Linux-DRBG in the Seedless Robustness Model. Advances in Cryptology – ASIACRYPT 2024, 461-490. DOI: 10.1007/978-981-96-0938-3_15. Online publication date: 12 December 2024.
  • Formally Verifying Kyber. Advances in Cryptology – CRYPTO 2024, 384-421. DOI: 10.1007/978-3-031-68379-4_12. Online publication date: 18 August 2024.
  • SSProve: A Foundational Framework for Modular Cryptographic Proofs in Coq. ACM Transactions on Programming Languages and Systems 45, 3 (2023), 1-61. DOI: 10.1145/3594735. Online publication date: 20 July 2023.
  • CryptoBap: A Binary Analysis Platform for Cryptographic Protocols. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 1362-1376. DOI: 10.1145/3576915.3623090. Online publication date: 15 November 2023.
  • Specifying and Verifying a Real-World Packet Error-Correction System. Verified Software. Theories, Tools and Experiments (2023), 44-63. DOI: 10.1007/978-3-031-66064-1_4. Online publication date: 23 October 2023.