Specification of SNOW 3G in Cryptol
1. Specification of SNOW 3G in Cryptol
Pedro Pereira Ulisses Costa
Formal Methods in Software Engineering
March 26, 2009
Pedro Pereira, Ulisses Costa Specification of SNOW 3G in Cryptol
2. Index
1 Cryptol
2 Stream Ciphers
3 Conclusion
3. Overview
High-level language to deal with low-level problems
Everything is a sequence
Sequences can be either finite or infinite
Primitive polymorphic functions
Information Structure can be changed easily
Recursion and sequence comprehensions ⇒ recurrence relations
4. Types
Cryptol
tail : {a b} [a+1]b -> [a]b;
Types are size and bit oriented
Sequences have infinite size (inf)
[a]b - Polymorphism over b
Haskell
tail :: [b] -> [b]
Lists have infinite length
[b] - Polymorphism over b
Very similar notation
Polymorphism
Type inference
5. Types
Types in Cryptol are size oriented
Cryptol
drop : {a b c} (fin a, a >= 0) => (a, [a+b]c) -> [b]c
take : {a b c} (fin a, b >= 0) => (a, [a+b]c) -> [a]c
join : {a b c} [a][b]c -> [a*b]c
split : {a b c} [a*b]c -> [a][b]c
tail : {a b} [a+1]b -> [a]b
Haskell
drop :: Int -> [a] -> [a]
take :: Int -> [a] -> [a]
concat :: [[a]] -> [a] -- join in Cryptol
tail :: [a] -> [a]
6. Language
Cryptol
fib ( n ) = fibs @ n
where {
fibs = [0 1] # [| x + y || x <- drop (1 , fibs ) || y <- fibs |];
};
Haskell
fib n = fibs !! n
where fibs = [0 ,1] ++ [ x + y | x <- drop 1 fibs | y <- fibs ]
ghc -XParallelListComp
7. Language
Specification
MULα(c) = (MULxPOW(c, 23, 0xA9) ||
           MULxPOW(c, 245, 0xA9) ||
           MULxPOW(c, 48, 0xA9) ||
           MULxPOW(c, 239, 0xA9))
C
/* The function MUL alpha.
 * Input c : 8-bit input.
 * Output : 32-bit output.
 * See section 3.4.2 for details.
 */
u32 MULalpha(u8 c) {
    return ((((u32)MULxPOW(c, 23, 0xa9)) << 24) |
            (((u32)MULxPOW(c, 245, 0xa9)) << 16) |
            (((u32)MULxPOW(c, 48, 0xa9)) << 8) |
            (((u32)MULxPOW(c, 239, 0xa9))));
}
Cryptol
MULa : [8] -> [32];
MULa(c) = join(reverse [
    (MULxPOW(c, 23 :[32], 0xA9))
    (MULxPOW(c, 245:[32], 0xA9))
    (MULxPOW(c, 48 :[32], 0xA9))
    (MULxPOW(c, 239:[32], 0xA9)) ]);
'reverse' is used because Cryptol stores words in little-endian.
9. Stream Ciphers
Characteristics
Symmetric key ciphers ⇒ same key for encryption/decryption
Typically very fast (faster than Block ciphers)
Low hardware complexity
Low memory requirements
Encryption: plaintext ⊕ keystream
Decryption: ciphertext ⊕ keystream
Tries to capture the “essence” of the theoretically unbreakable
One-Time Pad
10. Stream Ciphers
One-Time Pad
Uses a truly random keystream
Impossible to determine any kind of relation between
ciphertext and plaintext
Best attack: guessing the plaintext ⇒ Impossible to break
Ok but in reality...
The best we can do is generate a pseudo-random keystream
⇒ Statistical randomness (susceptible to attacks)
But it’s possible to make it very HARD to break
We cannot aim for theoretical security but practical security is
good enough
11. Linear Feedback Shift Register (LFSR)
Generates a sequence of bits with near random properties
But its mathematical structure gives too much away ⇒
possible to compute its polynomial representation
S-boxes make it possible to hide its (low) linear complexity ⇒
practical security!
12. A simple LFSR in Cryptol
lfsr : [ inf ] Bit ;
lfsr = [ False True False False True False True True ] #
[| ( x3 ^ x5 ^ x7 )
|| x3 <- drop (3 , lfsr )
|| x5 <- drop (5 , lfsr )
|| x7 <- drop (7 , lfsr ) |];
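Why the LFSR's structure "gives too much away", as an added example in C that is not part of the original slides: it reproduces the bit stream of the Cryptol LFSR above, recovers a linear recurrence from the first 16 output bits with the Berlekamp-Massey algorithm (a technique the slides do not name), and predicts the remaining bits. The function names and the constants NBITS and SEEN are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBITS 64 /* keystream bits generated */
#define SEEN 16  /* bits the observer sees: twice the register length */
/* The slide's LFSR: 8 seed bits, then s[n+8] = s[n+3] ^ s[n+5] ^ s[n+7]. */
static void lfsr_bits(uint8_t *s, int n) {
    static const uint8_t seed[8] = {0, 1, 0, 0, 1, 0, 1, 1};
    for (int i = 0; i < n; i++)
        s[i] = i < 8 ? seed[i] : (uint8_t)(s[i - 5] ^ s[i - 3] ^ s[i - 1]);
}

/* Berlekamp-Massey over GF(2) for s[0..n-1], n <= SEEN. Fills c[0..n] with
 * the connection coefficients (c[0] = 1) and returns the register length L. */
static int berlekamp_massey(const uint8_t *s, int n, uint8_t *c) {
    uint8_t b[SEEN + 1] = {1}, t[SEEN + 1];
    int L = 0, m = -1;
    memset(c, 0, (size_t)n + 1);
    c[0] = 1;
    for (int i = 0; i < n; i++) {
        uint8_t d = s[i]; /* discrepancy between s[i] and the prediction */
        for (int j = 1; j <= L; j++) d ^= c[j] & s[i - j];
        if (!d) continue;
        memcpy(t, c, (size_t)n + 1);
        for (int j = 0; j + i - m <= n; j++) c[j + i - m] ^= b[j];
        if (2 * L <= i) { L = i + 1 - L; m = i; memcpy(b, t, (size_t)n + 1); }
    }
    return L;
}

/* Recover the recurrence from SEEN bits, predict the rest, count misses. */
static int prediction_errors(int *L_out) {
    uint8_t s[NBITS], p[NBITS], c[SEEN + 1];
    lfsr_bits(s, NBITS);
    int L = berlekamp_massey(s, SEEN, c), errors = 0;
    memcpy(p, s, SEEN);
    for (int i = SEEN; i < NBITS; i++) {
        p[i] = 0;
        for (int j = 1; j <= L; j++) p[i] ^= c[j] & p[i - j];
        errors += p[i] != s[i];
    }
    *L_out = L;
    return errors;
}

int main(void) {
    int L, e = prediction_errors(&L);
    printf("register length %d, mispredicted bits %d\n", L, e);
}
```

Sixteen observed bits are enough because any two linear recurrences of combined length at most 16 that agree on those bits must agree on every later bit.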
13. Substitution boxes (S-boxes)
Lookup table of portions of bits
Reduces relation between plaintext and ciphertext (Shannon’s
confusion property)
Increases resistance to different Cryptanalysis techniques
14. S-boxes in Cryptol
15. SNOW 3G
Invented at Lund University (Sweden)
Chosen as the cipher of 3GPP encryption algorithms UEA2
and UIA2
Uses a 128/256 bit key
Combination of a LFSR with a Finite State Machine (S-boxes)
Best (known) attack is exhaustive keyspace brute force (2^128)
⇒ Completely safe by today’s standards
16. SNOW 3G Structure
17. SNOW 3G Spec I - MULx
SNOW 3G Specification
MULx maps 16 bits to 8 bits.
If the leftmost (i.e. the most significant) bit of V equals 1, then
MULx(V, c) = (V ≪₈ 1) ⊕ c else MULx(V, c) = V ≪₈ 1
MULx : ([8] , [8]) -> [8];
MULx (v , c ) = if ( v ! 0) == True then ( v << 1) ^ c
else ( v << 1) ;
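The MULx definition above and the MULα listing from the earlier Language slide, as an added C example that is not part of the original slides. MULxPOW is written here as repeated application of MULx, following the SNOW 3G specification; poly_mul_xpow and mismatches are this example's own helpers, which check that MULx with c = 0xA9 is multiplication by x modulo x^8 + x^7 + x^5 + x^3 + 1.

```c
#include <stdint.h>
#include <stdio.h>

/* MULx as on the slide: shift left in 8 bits, XOR c if the MSB was set. */
static uint8_t MULx(uint8_t v, uint8_t c) {
    return (v & 0x80) ? (uint8_t)((v << 1) ^ c) : (uint8_t)(v << 1);
}

/* MULxPOW per the SNOW 3G specification: apply MULx i times. */
static uint8_t MULxPOW(uint8_t v, unsigned i, uint8_t c) {
    while (i--) v = MULx(v, c);
    return v;
}

/* MULalpha with the same byte order as the slide's C listing. */
static uint32_t MULalpha(uint8_t c) {
    return ((uint32_t)MULxPOW(c, 23, 0xA9) << 24) |
           ((uint32_t)MULxPOW(c, 245, 0xA9) << 16) |
           ((uint32_t)MULxPOW(c, 48, 0xA9) << 8) |
           (uint32_t)MULxPOW(c, 239, 0xA9);
}

/* Independent check: multiply v by x^i as polynomials over GF(2), then
 * reduce modulo x^8 + x^7 + x^5 + x^3 + 1 (0x1A9). Valid for i <= 23. */
static uint8_t poly_mul_xpow(uint8_t v, unsigned i) {
    uint32_t p = (uint32_t)v << i;
    for (int bit = 31; bit >= 8; bit--)
        if (p & (1u << bit)) p ^= (uint32_t)0x1A9 << (bit - 8);
    return (uint8_t)p;
}

/* Number of (v, i) pairs, i in 0..23, where the two methods disagree. */
static int mismatches(void) {
    int bad = 0;
    for (unsigned v = 0; v < 256; v++)
        for (unsigned i = 0; i <= 23; i++)
            bad += MULxPOW((uint8_t)v, i, 0xA9) != poly_mul_xpow((uint8_t)v, i);
    return bad;
}

int main(void) {
    printf("MULalpha(0x01) = 0x%08X, mismatches = %d\n",
           (unsigned)MULalpha(0x01), mismatches());
    return 0;
}
```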
18. SNOW 3G Spec II - Initialization
20. Conclusion
With Cryptol it is much easier to specify low-level algorithms
The specification is formal and easier to read
21. Questions
?