A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol. Felix Günther. Technische Universität Darmstadt, Germany

Similar documents
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates. Felix Günther. Technische Universität Darmstadt, Germany

Felix Günther. Technische Universität Darmstadt, Germany. joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila

Part III TLS 1.3 and other Protocols

TLS 1.3: A Collision of Implementation, Standards, and Cryptography

Overview of TLS v1.3 What s new, what s removed and what s changed?

THE WORLD OF TLS. Security, Attacks, TLS 1.3

TLS1.2 IS DEAD BE READY FOR TLS1.3

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Coming of Age: A Longitudinal Study of TLS Deployment

OPTLS and TLS 1.3. Hugo Krawczyk, Hoeteck Wee. TRON Workshop 2/21/2016

Auth. Key Exchange. Dan Boneh

TLS 1.3. Eric Rescorla Mozilla IETF 92 TLS 1

Securely Deploying TLS 1.3. September 2017

Overview of TLS v1.3. What s new, what s removed and what s changed?

Transport Layer Security

Formally Analyzing the TLS 1.3 proposal

ON THE SECURITY OF TLS RENEGOTIATION

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

MTAT Applied Cryptography

State of TLS usage current and future. Dave Thompson

Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates

Part II Bellare-Rogaway Model (Active Adversaries)

The Road to TLS 1.3. Eric Rescorla Mozilla The Road to TLS 1.3 1

Randomness Extractors. Secure Communication in Practice. Lecture 17

TLS 1.3 Extension for Certificate-based Authentication with an External Pre-Shared Key

Your Apps and Evolving Network Security Standards

History. TLS 1.3 Draft 26 Supported in TMOS v14.0.0

Authenticated Encryption in TLS

Protecting TLS from Legacy Crypto

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

TLS 1.1 Security fixes and TLS extensions RFC4346

Internet security and privacy

Using EAP-TLS with TLS 1.3 draft-mattsson-eap-tls IETF 101, EMU, MAR John Mattsson, MOHIT sethi

Modelling the Security of Key Exchange

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

CSCE 715: Network Systems Security

SECURITY & PRIVACY IN 3G/4G/ 5G NETWORKS: THE AKA PROTOCOL WITH S.ALT, P.-A. FOUQUE, G. MACARIO-RAT, B. RICHARD

Introduction to cryptology (GBIN8U16) Introduction

Cryptology complementary. Introduction

Chapter 4: Securing TCP connections

Transport Layer Security

Security Protocols and Infrastructures

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

Expires: September 10, 2015 Inria Paris-Rocquencourt A. Langley Google Inc. M. Ray Microsoft Corp. March 9, 2015

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

What s new in TLS 1.3 (and OpenSSL as a result) Rich Salz

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Internet Engineering Task Force (IETF) Google Inc. M. Ray Microsoft Corp. September 2015

Preparing for post-quantum cryptography in TLS

WAP Security. Helsinki University of Technology S Security of Communication Protocols

for Compound Authentication

L13. Reviews. Rocky K. C. Chang, April 10, 2015

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Requirements from the. Functional Package for Transport Layer Security (TLS)

E-commerce security: SSL/TLS, SET and others. 4.1

A Framework for Universally Composable Diffie-Hellman Key Exchange

Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

Information Security CS 526

TLS 1.2 Protocol Execution Transcript

Secure Socket Layer. Security Threat Classifications

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

SSL Report: ( )

CS 395T. Formal Model for Secure Key Exchange

A Messy State of the Union: Taming the Composite State Machines of TLS

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

CIS 5373 Systems Security

Cryptography (Overview)

Security analysis of DTLS 1.2 implementations

SSL Server Rating Guide

Multi-Stage Key Exchange and the Case of Google s QUIC Protocol

Transport Level Security

Linkable Message Tagging Solving the Key Distribution Problem of Signature Schemes Felix Günther

Application Layer Transport Security. Cesar Ghali, Adam Stubblefield, Ed Knapp, Jiangtao Li, Benedikt Schmidt, Julien Boeuf

Security Protocols and Infrastructures. Winter Term 2010/2011

A messy state of the union:

T Cryptography and Data Security

On the Security of the TLS Protocol: A Systematic Analysis

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

TLS Security and Future

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Securing IoT applications with Mbed TLS Hannes Tschofenig

One Year of SSL Internet Measurement ACSAC 2012

SSL Report: printware.co.uk ( )

no more downgrades: protec)ng TLS from legacy crypto

CSE484 Final Study Guide

Session key establishment protocols

Security Protocols and Infrastructures. Winter Term 2015/2016

32c3. December 28, Nick goto fail;

Session key establishment protocols

Chapter 8 Web Security

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Lecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model

VPN Overview. VPN Types

SSL Report: bourdiol.xyz ( )

Introduction to Cryptography. Lecture 6

Transcription:

A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol Felix Günther Technische Universität Darmstadt, Germany joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 1

TRON(?) col Handshake Protocol Alert Protocol App. Data Protocol Record Protocol TLS 1.3 Ready or Not? Implementation Security Efficiency Design... Our answer: Yes (almost). February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 2

Security (Analyses) of TLS (< 1.3) (arbitrary selection from recent years) trunc. handshake [GMP+,MSW] 2008 record protocol (LHAE) [PRS] 2011 full TLS-DHE (ACCE) [JKSS] 2012 verified MITLS impl. [BFK+] 2013 TLS-DH, TLS-RSA-CCA [KSS] multiple ciphersuites [KPW] TLS 1.2 handshake [BFK+] 2014 pre-shared key suites [LSY+] (de-)constructing TLS [KMO+] 2008 TLS 1.2 2009 Insecure Renegotiation [RayDis] 2011 BEAST [DuoRiz] 2012 CRIME [DuoRiz] 2013 Lucky 13 [AlFPat] RC4 biases [ABP+] 2014 Triple Handshake [BDF+] Heartbleed [Cod] POODLE [MDK] 2015 SMACK + FREAK [BBD+] Logjam [ABD+] 2016 SLOTH [BhaLeu] February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 3

TLS 1.3 next TLS version, currently being specified (latest: draft-11, Dec 2015) several substantial cryptographic changes (compared to TLS 1.2), incl. 1. encrypting some handshake messages with intermediate session key 2. signing the entire transcript when authenticating 3. including handshake message hashes in key calculations 4. generating Finished messages with seperate key 5. deprecating some crypto algorithms (RC4, SHA-1, key transport, MtEE, etc.) 6. using only AEAD schemes for the record layer encryption 7. switch to HKDF for key derivation 8. providing reduced-latency 0-RTT handshake in large part meant to address previous attacks and design weaknesses analysis can check absence of unexpected cryptographic weaknesses desirably before standardization February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 4

Our Scope draft-10 (Oct 2015) updating our earlier analysis of draft-05 and draft-dh (of May 2015, @CCS 2015) TLS 1.3 is work in progress contribution to ongoing discussion rather than definitive analysis of TLS 1.3 STANDARD UNDER CONSTRUCTION focus on full and preshared-key handshakes (separately) (EC)DHE full handshake PSK / PSK-(EC)DHE preshared-key/resumption handshake don t capture 0-RTT handshake we don t analyze the Record Protocol but follow a compositional approach that allows independent treatment (see later) February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 5

TLS 1.3 Full Handshake (simplified) draft-ietf-tls-tls13-10 Client ClientHello ClientKeyShare Server ServerHello ServerKeyShare ServerConfiguration ServerFinished OPTLS cryptographic core February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 6

TLS 1.3 Full Handshake (simplified) draft-ietf-tls-tls13-10 Client ClientHello ClientKeyShare ClientCertificate ClientCertificateVerify ClientFinished Server ServerHello ServerKeyShare ServerConfiguration ServerCertificate ServerCertificateVerify ServerFinished application data traffic key tk app tk app... actually, there is more... February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 6

TLS 1.3 Full Handshake (still simplified) draft-ietf-tls-tls13-10 tk hs Client ClientHello ClientKeyShare handshake traffic key resumption master key for resuming a session {ClientCertificate } {ClientCertificateVerify } {ClientFinished} multi-stage key exchange Server second part of handshake encrypted with tk hs ServerHello ServerKeyShare {ServerConfiguration } {ServerCertificate } {ServerCertificateVerify } {ServerFinished} tk hs exporter master key for exporting key material tk app RMS EMS February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 6 tk app RMS EMS

Multi-Stage Key Exchange (Security) (Fischlin, Günther @ CCS 2014) game-based model, provable security paradigm forward secrecy after long-term reveal corruption pk B, sk A eavesdropping key K i reveal active attacks pk A, sk B KE??? K 1 K 1 $ test K i key independence in derivation K 2 K 2... February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 7 drawings by Giorgia Azzurra Marson

Modeling Multi-Stage Key Exchange Further Aspects Extensions in This Work unauthenticated keys/stages (beyond unilateral/mutual authentication) TLS 1.3: neither server nor client send a certificate concurrent execution of different authentication types TLS 1.3: anonymous, server authenticates, server+client authenticate post-specified peers TLS 1.3: parties learn peer s identity (= pk) only within handshake pre-shared secret key variant TLS 1.3: PSK/PSK-DHE handshake modes from preshared secrets (RMS) February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 8

Modeling Multi-Stage Key Exchange Capturing the Compromise of Secrets Secret Compromise Paradigm We consider leakage of: long-term/static secret keys (signing keys of server/client) high potential of compromise, necessary to model forward secrecy session keys (traffic keys tk hs and tk app, RMS, EMS) outputs of handshake used outside the key exchange for encryption, resumption, exporting We do not permit leakage of: ephemeral secret keys (DH exponents, signature randomness) internal values / session state (master secrets, intermediate values) TLS 1.3 full/psk handshakes not designed to be secure against such compromise semi-static secret keys (s in semi-static g s used for 0-RTT) security of full/psk handshakes independent of this value but: in analysis of 0-RTT handshake this type of leakage needs to be considered! February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 9

Security of the draft-10 Full Handshake Client ClientHello: r c $ {0, 1} 256 ClientKeyShare: X g x Server ServerHello: r s $ {0, 1} 256 ServerKeyShare: Y g y H 1 H(CH... SKS) ES X y {ServerCertificate } H 2 H(CH... SCRT... ) {SCertVerify }: Sign sks (H 2 ) {ServerFinished} {CCert },{CCertVerify },{CFin} H sess H(CH... CCV ) session hash signing tk hs tk app RMS,EMS tk hs tk app EMS February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 10 H1 Exp Hsess Exp 0 ES Ext xes Exp mes Ext MS (still simplified) SS sound key separation 0 Ext Hsess Exp Hsess Exp xss Exp mss RMS (resumption)

Security of the draft-10 Full Handshake We show that the draft-10 full (EC)DHE handshake establishes random-looking keys (tk hs, tk app, RMS, EMS) with adversary allowed to corrupt other users and reveal other session keys forward secrecy for all these keys concurrent security of anonymous, unilateral, mutual authentication key independence (leakage of traffic/resumption/exporter keys in same session does not compromise each other s security) assuming collision-resistant hashing unforgeable signatures Decisional Diffie Hellman is hard HKDF is pseudorandom function standard KE security under standard assumptions February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 11

Security of the draft-10 PSK Handshakes PSK random-looking keys (tk hs, tk app, EMS) mutual authentication (down to RMS) key independence no forward secrecy PSK-DHE random-looking keys (tk hs, tk app, EMS) mutual authentication (down to RMS) key independence forward secrecy for all keys Under similar standard assumptions: collision-resistant hashing HKDF is pseudorandom function collision-resistant hashing HKDF is pseudorandom function HMAC is unforgeable Decisional Diffie Hellman is hard February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 12

Composition Handshake Protocol Alert Protocol App. Data Protocol? Record Protocol we established security of the keys derived in the full and PSK handshakes what about the usage of those keys, e.g., in the Record Protocol? February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 13

Composition we follow a modular, compositional approach (extending [FG 14]) Handshake Protocol? Alert Protocol App. Data Protocol Record Protocol we show: using final, forward-secret keys in any symmetric-key protocol is safe i.e., Record Protocol can be analyzed independently also captures use of exported EMS and RMS for resumption (cascading) full (EC)DHE handshake tk app EMS Record Protocol generic usage unfortunately for full HS tk app modularity is impaired RMS PSK handshake non-fs tkapp Record Protocol EMS generic usage PSK-DHE handshake tkapp Record Protocol EMS generic usage February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 14

The NewSessionTicket Issue Client... encrypted under tk app... {ClientFinished} {ServerFinished} Server [NewSessionTicket]: psk_id optionally sent to signal PSK identifier (resumption ticket) for derived RMS final/main session key tk app used within handshake reminds of TLS 1.2 Finished message (requiring monolithic/special analysis) in similar spirit as current WG discussion of not changing tk hs tk app note: there is no immediate attack arising from this...... but means handshake design does not achieve generic KE security violates modularity between handshake and record layer (in draft-10) draft-11: less clear whether part of handshake, can be sent much later February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 15

The NewSessionTicket Issue Effects and Potential Alternatives (if part of handshake) Multi-stage key exchange model allows to separate: key secrecy for tk app still given generic composition using tk app not possible prevents modular combination with independent analysis of Record Protocol requires analysis to be reworked for changes/new aspects in Record Protocol Potential alternatives: 1. Send NewSessionTicket earlier encrypted under tk hs. precludes some usage scenarios, particularly (server) state encoding in ticket 2. Send NewSessionTicket as final message, encrypted under tk hs. tk hs only implicitly authenticated, but RMS is anyway 3. Send NewSessionTicket as final message, encrypted under new tk nst. keeps authentication level, requires extra key switching may be extendable to control channel for post-handshake messages (draft-11) Don t advocate a particular option, balancing of constraints best left to TLS WG. February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 16

Main Comments on TLS 1.3 from Our Analysis 1. Soundness of key separation separate keys for handshake and application data encryption allows to achieve standard key secrecy notions using standard assumptions 2. Key independence unique labels in key derivation neither key affected by other s compromise allows compositional approach 3. Session hash in online signatures full transcript signed in CertificateVerify messages makes proof easier and allows for standard assumptions 4. Encryption of handshake messages tk hs secure against passive adversaries, hence can indeed increase privacy we confirm there are no negative effects on main key secrecy goal 5. NewSessionTicket encrypted under application traffic key (in handshake) violates modularity between handshake and record layer prevents generic composition for tk app of full handshake February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 17

Summary We analyze TLS 1.3 draft-10 full (EC)DHE, PSK, and PSK-DHE handshake in an extended multi-stage key exchange model Client ClientHello ClientKeyShare Server ServerHello ServerKeyShare establish standard key secrecy notions with forward secrecy (for full/psk-dhe) running all authentication modes concurrently under standard assumptions extend composition result for modular analysis full handshake tkapp RMS EMS Record Protocol resumption handshake generic usage exhibit NewSessionTicket message (in handshake) violates modularity full versions @ IACR eprint http://ia.cr/2016/081 (draft-10) http://ia.cr/2015/914 (draft-05 + draft-dh) Thank You! February 21, 2016 TLS 1.3 Ready or Not (TRON) Workshop 2016, San Diego, CA, USA Felix Günther (TU Darmstadt) 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback