DOI: 10.5555/2831143.2831157
Article

Verified correctness and security of OpenSSL HMAC

Published: 12 August 2015

Abstract

We have proved, with machine-checked proofs in Coq, that an OpenSSL implementation of HMAC with SHA-256 correctly implements its FIPS functional specification and that its functional specification guarantees the expected cryptographic properties. This is the first machine-checked cryptographic proof that combines a source-program implementation proof, a compiler-correctness proof, and a cryptographic-security proof, with no gaps at the specification interfaces.
The verification was done using three systems within the Coq proof assistant: the Foundational Cryptography Framework, to verify crypto properties of functional specs; the Verified Software Toolchain, to verify C programs w.r.t. functional specs; and CompCert, for verified compilation of C to assembly language.
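The functional specification the abstract refers to is the FIPS 198-1 HMAC construction. The following added example (not the paper's Coq specification and not OpenSSL's code) transcribes that construction into Python over hashlib's SHA-256 and checks it differentially against Python's own hmac module and against two RFC 4231 test vectors; the long-key and empty-message inputs are constructed here to exercise the key-hashing branch and the zero-padding step.

```python
import hashlib
import hmac

BLOCK_SIZE = 64   # B: SHA-256 input block size in bytes (FIPS 180-4)
IPAD = 0x36       # inner pad byte, FIPS 198-1
OPAD = 0x5c       # outer pad byte, FIPS 198-1


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hmac_sha256_spec(key: bytes, text: bytes) -> bytes:
    """HMAC-SHA256 written as the FIPS 198-1 functional specification:
    HMAC(K, text) = H((K0 xor opad) || H((K0 xor ipad) || text))."""
    # A key longer than B bytes is first replaced by its hash.
    if len(key) > BLOCK_SIZE:
        key = sha256(key)
    # K0 is the (possibly hashed) key right-padded with zero bytes to B bytes.
    k0 = key.ljust(BLOCK_SIZE, b"\x00")
    inner = sha256(bytes(b ^ IPAD for b in k0) + text)
    return sha256(bytes(b ^ OPAD for b in k0) + inner)


def agrees_with_reference(key: bytes, text: bytes) -> bool:
    """Differential check of the spec against Python's hmac module."""
    ref = hmac.new(key, text, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_sha256_spec(key, text), ref)


# Two published RFC 4231 vectors (test cases 1 and 2).
RFC4231_VECTORS = [
    (b"\x0b" * 20, b"Hi There",
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
    (b"Jefe", b"what do ya want for nothing?",
     "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
]


def check_spec() -> bool:
    """True when the spec matches the RFC vectors and the reference module."""
    for key, text, expected_hex in RFC4231_VECTORS:
        if hmac_sha256_spec(key, text).hex() != expected_hex:
            return False
    long_key = b"\xaa" * 131   # constructed: > 64 bytes, so the key is hashed first
    return all(agrees_with_reference(k, t) for k, t in [
        (long_key, b"Test Using Larger Than Block-Size Key - Hash Key First"),
        (b"", b""),            # constructed: empty key and empty message
    ])
```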



Published In

SEC'15: Proceedings of the 24th USENIX Conference on Security Symposium
August 2015
1072 pages
ISBN: 9781931971232

Sponsors

  • USENIX Assoc

Publisher

USENIX Association

United States



Cited By

  • (2024) An Iris Instance for Verifying CompCert C Programs. Proceedings of the ACM on Programming Languages 8:POPL, 148-174. DOI 10.1145/3632848. Online publication date: 5 Jan 2024.
  • (2023) Modularity, Code Specialization, and Zero-Cost Abstractions for Program Verification. Proceedings of the ACM on Programming Languages 7:ICFP, 385-416. DOI 10.1145/3607844. Online publication date: 31 Aug 2023.
  • (2023) SSProve: A Foundational Framework for Modular Cryptographic Proofs in Coq. ACM Transactions on Programming Languages and Systems 45:3, 1-61. DOI 10.1145/3594735. Online publication date: 20 Jul 2023.
  • (2019) VRASED. Proceedings of the 28th USENIX Conference on Security Symposium, 1429-1446. DOI 10.5555/3361338.3361437. Online publication date: 14 Aug 2019.
  • (2019) Automatic equivalence checking for assembly implementations of cryptography libraries. Proceedings of the 2019 IEEE/ACM International Symposium on Code Generation and Optimization, 37-49. DOI 10.5555/3314872.3314880. Online publication date: 16 Feb 2019.
  • (2019) FaCT: a DSL for timing-sensitive computation. Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation, 174-189. DOI 10.1145/3314221.3314605. Online publication date: 8 Jun 2019.
  • (2019) Separation logic. Communications of the ACM 62:2, 86-95. DOI 10.1145/3211968. Online publication date: 28 Jan 2019.
  • (2018) Continuous Reasoning. Proceedings of the 33rd Annual ACM/IEEE Symposium on Logic in Computer Science, 13-25. DOI 10.1145/3209108.3209109. Online publication date: 9 Jul 2018.
  • (2018) VST-Floyd. Journal of Automated Reasoning 61:1-4, 367-422. DOI 10.1007/s10817-018-9457-5. Online publication date: 1 Jun 2018.
  • (2017) Using the coq theorem prover to verify complex data structure invariants. Proceedings of the 15th ACM-IEEE International Conference on Formal Methods and Models for System Design, 118-121. DOI 10.1145/3127041.3127061. Online publication date: 29 Sep 2017.
