Part III TLS 1.3 and other Protocols

Transcription

1 Part III TLS 1.3 and other Protocols 8th BIU Winter School on Key Exchange, 2018 Marc Fischlin 13. Oktober 2010 Dr.Marc Fischlin Kryptosicherheit 1

2 Marc Fischlin BIU Winter School TLS 1.3

3 Development of SSL/TLS SSL=Secure Socket Layer TLS=Transport Layer Security SSL 2.0 (Netscape) SSL 3.0 TLS 1.0 SSL 3.1 TLS 1.1 TLS 1.2 TLS ? SSL1.0 never published (security problems) non-proprietary branch new crypto algorithms SSL 2.0 dropped because of security problems small improvements completely revised protocol Marc Fischlin BIU Winter School

4 The Path to TLS Marc Fischlin BIU Winter School

5 TLS 1.3: (EC)DHE-Handshake Overview ClientHello ClientKeyShare handshake key ServerHello ServerKeyShare {ServerConfiguration*} {ServerCertificate*} {ServerCertificateVerify*} {ServerFinished} handshake key channel key {ClientCertificate*} {ClientCertificateVerify*} {ClientFinished} channel key Marc Fischlin BIU Winter School

6 TLS 1.3: (EC)DHE-Handshake (Crypto Details) CH CKS handshake key SH SKS {ation*} SConf* {icate*} SCert* {Verify*} SCertV* {ed} SF handshake key channel key {Client} CCert* {ClientC} CCertV* {Cl} CF derived from handshake key channel key Marc Fischlin BIU Winter School

7 TLS 1.3: (EC)DHE-Handshake (Crypto Details) CH CKS handshake key client hs traffic key server hs traffic key client MAC key server MAC key exporter EMS resumption RMS client app traffic key server app traffic key channel key (master secret) {Client} CCert* {ClientC} CCertV* {Cl} CF SH SKS {ation*} SConf* {icate*} SCert* {Verify*} SCertV* {ed} SF handshake key client hs traffic key server hs traffic key client MAC key server MAC key exporter EMS resumption RMS client app traffic key server app traffic key channel key (master secret) Marc Fischlin BIU Winter School

8 Pre-Shared Key (PSK) Variant PSK ClientHello ClientKeyShare* early_data psk_key_exchange_modes pre_shared_key PSK ServerHello ServerKeyShare* pre_shared_key {EncryptedExtensions} {ServerFinished} externally or from RMS Marc Fischlin Presentation Deutsche Bank March 14th,

9 Analysis of Unilateral DH Case Dowling, Fischlin, Günther, Stebila: A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates, CCS 2015 (eprint) simplification here: no encryption in handshake and ignore finished MACs (Warning: full analysis much more complicated and needs PRF-ODH assumption) Marc Fischlin BIU Winter School

10 Analysis of Unilateral DH Case: Strategy Analysis according to case distinction: 1. Adversary tests client session without partner 2. Adversary tests server session without partner 3. Adversary tests session with partner Marc Fischlin BIU Winter School

11 Analysis of Unilateral DH Case: Case 1 TEST session client w/o partner no partner session by assumption Marc Fischlin BIU Winter School S has never signed sid + authenticated partner S must not be corrupt adversary must have forged signature for S to make client accept

12 Analysis of Unilateral DH Case: Case 2 server w/o partner TEST session not allowed by definition of unilaterally authenticated protocols Marc Fischlin BIU Winter School

13 Analysis of Unilateral DH Case: Case 3 TEST session test with partner TEST session two honest parties have chosen g x resp. g y in test session adversary must compute g xy from g x and g y Marc Fischlin BIU Winter School

14 Other Security Properties (and Other Protocols) Marc Fischlin BIU Winter School

15 How to (not) Authenticate Anonymous Protocols Unauthenticated Key Exchange Authentication pid =certificate Marc Fischlin BIU Winter School

16 Key Secrecy TEST session Unauthenticated Key Exchange Authentication partner C must not be corrupt Sig scheme secure can only have been created by C for its g x and my g y Adversary cannot compute g xy pid =certificate Marc Fischlin BIU Winter School

17 Unknown-Key-Share (UKS) Attack Blake-Wilson, Menezes: Unknown Key-Share Attacks on the Station-to-Station (STS) Protocol, PKC 99 Believes to share key K with E Believes to share key K with C Marc Fischlin BIU Winter School

18 Secure and Insecure??? Security guarantees of authenticated key exchange: At most one other party ( 1) holds the session key (and for authenticated cases, if intended partner is honest then it is that party) Believes to share key K with E Also true: only S knows key (but not E), and intended partner E is corrupt Believes to share key K with C Obviously true Marc Fischlin BIU Winter School

19 Thwarting UKS Attacks Bind intended partner identity into authentication Bind intended partner identity into key derivation (or via MACs) (and sid = entire transcript) Examples: ISO/IEC (KE version) IKEv2 in IPSec TLS 1.3 Example: TLS 1.3 Marc Fischlin BIU Winter School

20 ISO/IEC (augmented by KE / SIG-DH) pid =certificate Marc Fischlin BIU Winter School

21 ISO/IEC Resistance against UKS E would need forgery pid =certificate Marc Fischlin BIU Winter School

22 TLS 1.3 and UKS-Resistance CH CKS handshake key Uses MAC over derived key SH SKS {ation*} SConf* {icate*} SCert* {Verify*} SCertV* {ed} SF handshake key channel key {Client} CCert* {ClientC} CCertV* {Cl} CF Uses identities in key derivation channel key Marc Fischlin BIU Winter School

23 Key Compromise Impersonation (KCI) Attack Blake-Wilson, Johnson, Menezes: Key Agreement Protocols and Their Security Analysis, IMA Corrupt client s long-term secret 2. Impersonate towards client as server Can be mounted in real life (here: specific TLS 1.2 sub protocol) Marc Fischlin BIU Winter School

24 TLS 1.2 (static DH) and KCIs Adversary knowing x can compute (g y ) x from server s public key g y Marc Fischlin BIU Winter School

25 TLS 1.3 and KCI-Resistance CH CKS handshake key Knowledge of client s signing key does not help to forge server signature channel key {Client} CCert* {ClientC} CCertV* {Cl} CF SH SKS {ation*} SConf* {icate*} SCert* {Verify*} SCertV* {ed} SF handshake key channel key Marc Fischlin BIU Winter School

26 Attacks on the State {pk uid } (id, msg) next-msg SEND id a K b id K id uid TEST b REVEAL What if adversary breaks into computer and also finds ephemeral keys or randomness? sk uid COR- RUPT Marc Fischlin BIU Winter School

27 Canetti, Krawczyk: Analysis of Key-Exchange Protocols and Their Use for Building, Eurocrypt 2001 CK and eck Security LaMacchia, Lauter, Mityagin: Stronger security of authenticated key exchange. ProvSec 2007 {pk uid } (id, msg) next-msg id SEND CK model: session state reveals (but not in TEST session) K b id TEST b CK/HMQV model: CK+KCI a K id uid sk uid REVEAL COR- RUPT extended CK (eck): ephemeral key reveal +KCI id r id Session STATE REVEAL or Eph. Key REVEAL example: NAXOS protocol Marc Fischlin BIU Winter School

28 TLS 1.3 and eck-vulnerability CH CKS handshake key Knowledge of ephemeral key breaks security channel key {Client} CCert* {ClientC} CCertV* {Cl} CF SH SKS {ation*} SConf* {icate*} SCert* {Verify*} SCertV* {ed} SF handshake key channel key Marc Fischlin BIU Winter School

29 Teaser for the Break Explain why KCI attacks are, per se, not covered by BR key secrecy. Marc Fischlin BIU Winter School