A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates. Felix Günther. Technische Universität Darmstadt, Germany

Similar documents
A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol. Felix Günther. Technische Universität Darmstadt, Germany

Felix Günther. Technische Universität Darmstadt, Germany. joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila

Part III TLS 1.3 and other Protocols

TLS 1.3: A Collision of Implementation, Standards, and Cryptography

Overview of TLS v1.3 What s new, what s removed and what s changed?

Verifying Real-World Security Protocols from finding attacks to proving security theorems

TLS1.2 IS DEAD BE READY FOR TLS1.3

Coming of Age: A Longitudinal Study of TLS Deployment

THE WORLD OF TLS. Security, Attacks, TLS 1.3

Securely Deploying TLS 1.3. September 2017

Overview of TLS v1.3. What s new, what s removed and what s changed?

TLS 1.3. Eric Rescorla Mozilla IETF 92 TLS 1

Auth. Key Exchange. Dan Boneh

MTAT Applied Cryptography

Protecting TLS from Legacy Crypto

State of TLS usage current and future. Dave Thompson

ON THE SECURITY OF TLS RENEGOTIATION

OPTLS and TLS 1.3. Hugo Krawczyk, Hoeteck Wee. TRON Workshop 2/21/2016

Transport Layer Security

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

Part II Bellare-Rogaway Model (Active Adversaries)

Formally Analyzing the TLS 1.3 proposal

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates

Your Apps and Evolving Network Security Standards

History. TLS 1.3 Draft 26 Supported in TMOS v14.0.0

The Road to TLS 1.3. Eric Rescorla Mozilla The Road to TLS 1.3 1

Using EAP-TLS with TLS 1.3 draft-mattsson-eap-tls IETF 101, EMU, MAR John Mattsson, MOHIT sethi

CSCE 715: Network Systems Security

Randomness Extractors. Secure Communication in Practice. Lecture 17

Transport Layer Security

Expires: September 10, 2015 Inria Paris-Rocquencourt A. Langley Google Inc. M. Ray Microsoft Corp. March 9, 2015

TLS 1.1 Security fixes and TLS extensions RFC4346

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Authenticated Encryption in TLS

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

Internet security and privacy

SECURITY & PRIVACY IN 3G/4G/ 5G NETWORKS: THE AKA PROTOCOL WITH S.ALT, P.-A. FOUQUE, G. MACARIO-RAT, B. RICHARD

Chapter 4: Securing TCP connections

Security Protocols and Infrastructures

for Compound Authentication

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

What s new in TLS 1.3 (and OpenSSL as a result) Rich Salz

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

TLS 1.3 Extension for Certificate-based Authentication with an External Pre-Shared Key

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Internet Engineering Task Force (IETF) Google Inc. M. Ray Microsoft Corp. September 2015

Secure Socket Layer. Security Threat Classifications

Modelling the Security of Key Exchange

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Preparing for post-quantum cryptography in TLS

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

Introduction to cryptology (GBIN8U16) Introduction

Cryptology complementary. Introduction

Information Security CS 526

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

Security Protocols and Infrastructures. Winter Term 2010/2011

Requirements from the. Functional Package for Transport Layer Security (TLS)

SSL Report: ( )

One Year of SSL Internet Measurement ACSAC 2012

E-commerce security: SSL/TLS, SET and others. 4.1

Security Protocols and Infrastructures. Winter Term 2015/2016

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

A messy state of the union:

Multi-Stage Key Exchange and the Case of Google s QUIC Protocol

Introduction to Public-Key Cryptography

Symmetric Encryption 2: Integrity

CS 395T. Formal Model for Secure Key Exchange

no more downgrades: protec)ng TLS from legacy crypto

Introduction to Cryptography. Lecture 6

Real-time protocol. Chapter 16: Real-Time Communication Security

Cryptography (Overview)

A Framework for Universally Composable Diffie-Hellman Key Exchange

Transport Level Security

32c3. December 28, Nick goto fail;

A Messy State of the Union: Taming the Composite State Machines of TLS

TLS Security and Future

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

SSL Report: printware.co.uk ( )

TLS 1.2 Protocol Execution Transcript

On the Security of the TLS Protocol: A Systematic Analysis

Security analysis of DTLS 1.2 implementations

Defeating All Man-in-the-Middle Attacks

CIS 5373 Systems Security

Linkable Message Tagging Solving the Key Distribution Problem of Signature Schemes Felix Günther

Concrete cryptographic security in F*

Towards Post-Quantum Cryptography Standardization. Lily Chen and Dustin Moody National Institute of Standards and Technology USA

Cryptographic Mechanisms: Recommendations and Key Lengths

A Standard- Model Security Analysis of TLS- DHE

Chapter 12 Security Protocols of the Transport Layer

Comparison Studies between Pre-Shared and Public Key Exchange Mechanisms for Transport Layer Security

CS 494/594 Computer and Network Security

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

SSL Server Rating Guide

Transcription:

A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates Felix Günther Technische Universität Darmstadt, Germany joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 1

TLS History of widespread adoption The [TLS] protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. TLS 1.2 [RFC 5246] 1995 SSL 2.0 1996 SSL 3.0 1999 TLS 1.0 2006 TLS 1.1 70% of global Internet traffic expected to be encrypted in 2016 (Sandvine: Internet Traffic Encryption Trends, Feb 2016) 2008 TLS 1.2 201x TLS 1.3 April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 2

TLS History of attacks and analyses (arbitrary selection from recent years) trunc. handshake [GMP+,MSW] 2008 record protocol (LHAE) [PRS] 2011 full TLS-DHE (ACCE) [JKSS] 2012 verified MITLS impl. [BFK+] 2013 TLS-DH, TLS-RSA-CCA [KSS] multiple ciphersuites [KPW] TLS 1.2 handshake [BFK+] 2014 pre-shared key suites [LSY+] (de-)constructing TLS [KMO+] 2008 TLS 1.2 2009 Insecure Renegotiation [RayDis] 2011 BEAST [DuoRiz] 2012 CRIME [DuoRiz] 2013 Lucky 13 [AlFPat] RC4 biases [ABP+] 2014 Triple Handshake [BDF+] Heartbleed [Cod] POODLE [MDK] April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 3 2015 SMACK + FREAK [BBD+] Logjam [ABD+] PKCS#1 v1.5 vs. TLS 1.3 [JSS] 2016 SLOTH [BhaLeu] DROWN [ASS+]

TLS Future TLS 1.3 next TLS version, currently being specified (latest: draft-12, Mar 2016) several substantial cryptographic changes (compared to TLS 1.2), incl. 1. encrypting some handshake messages with intermediate session key 2. signing the entire transcript when authenticating 3. including handshake message hashes in key calculations 4. generating Finished messages with seperate key 5. deprecating some crypto algorithms (RC4, SHA-1, key transport, MtEE, etc.) 6. using only AEAD schemes for the record layer encryption 7. switch to HKDF for key derivation 8. providing reduced-latency 0-RTT handshake in large part meant to address previous attacks and design weaknesses analysis can check absence of unexpected cryptographic weaknesses desirably before standardization April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 4

TLS Overview Handshake Protocol Alert Protocol App. Data Protocol Record Protocol Record Protocol we analyze the handshake protocol candidates for TLS 1.3 April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 5

Our Scope TLS 1.3 is work in progress analyze draft-10 (Oct 2015) updating our earlier analysis of draft-05 and draft-dh (of May 2015, @CCS 2015) contribution to ongoing discussion rather than definitive analysis of TLS 1.3 STANDARD UNDER CONSTRUCTION focus on full and preshared-key handshakes (separately) Diffie Hellman-based (EC)DHE full handshake PSK / PSK-(EC)DHE preshared-key/resumption handshake don t capture 0-RTT handshake we don t analyze the Record Protocol but follow a compositional approach that allows independent treatment (see later) April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 6

TLS 1.3 Full Handshake (simplified) draft-ietf-tls-tls13-10 Client ClientHello ClientKeyShare Server ServerHello ServerKeyShare ServerConfiguration ServerFinished OPTLS [KraWee] cryptographic core April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 7

TLS 1.3 Full Handshake (simplified) draft-ietf-tls-tls13-10 Client ClientHello ClientKeyShare ClientCertificate ClientCertificateVerify ClientFinished Server ServerHello ServerKeyShare ServerConfiguration ServerCertificate ServerCertificateVerify ServerFinished application data traffic key tk app tk app actually, there is more April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 7

TLS 1.3 Full Handshake (still simplified) draft-ietf-tls-tls13-10 tk hs Client ClientHello ClientKeyShare handshake traffic key resumption master key for resuming a session {ClientCertificate } {ClientCertificateVerify } {ClientFinished} multi-stage key exchange Server second part of handshake encrypted with tk hs ServerHello ServerKeyShare {ServerConfiguration } {ServerCertificate } {ServerCertificateVerify } {ServerFinished} tk hs exporter master key for exporting key material tk app RMS EMS April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 7 tk app RMS EMS

Multi-Stage Key Exchange (Security) (Fischlin, Günther @ CCS 2014) game-based model, provable security paradigm forward secrecy after long-term reveal corruption pk B, sk A eavesdropping key K i reveal active attacks pk A, sk B KE??? K 1 K 1 $ test K i key independence in derivation K 2 K 2 April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 8 drawings by Giorgia Azzurra Marson

Modeling Multi-Stage Key Exchange Further Aspects Extensions in This Work unauthenticated keys/stages (beyond unilateral/mutual authentication) TLS 1.3: neither server nor client send a certificate concurrent execution of different authentication types TLS 1.3: anonymous, server authenticates, server+client authenticate post-specified peers TLS 1.3: parties learn peer s identity (= pk) only within handshake pre-shared secret key variant TLS 1.3: PSK/PSK-DHE handshake modes from preshared secrets (RMS) April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 9

Modeling Multi-Stage Key Exchange Capturing the Compromise of Secrets Secret Compromise Paradigm We consider leakage of: long-term/static secret keys (signing keys of server/client) high potential of compromise, necessary to model forward secrecy session keys (traffic keys tk hs and tk app, RMS, EMS) outputs of handshake used outside the key exchange for encryption, resumption, exporting We do not permit leakage of: ephemeral secret keys (DH exponents, signature randomness) internal values / session state (master secrets, intermediate values) TLS 1.3 full/psk handshakes not designed to be secure against such compromise semi-static secret keys (s in semi-static g s used for 0-RTT) security of full/psk handshakes independent of this value but: in analysis of 0-RTT handshake this type of leakage needs to be considered! April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 10

Security of the draft-10 Full Handshake Client ClientHello: r c $ {0, 1} 256 ClientKeyShare: X g x Server ServerHello: r s $ {0, 1} 256 ServerKeyShare: Y g y H 1 H(CH... SKS) ES X y {ServerCertificate } H 2 H(CH... SCRT... ) {SCertVerify }: Sign sks (H 2 ) {ServerFinished} {CCert },{CCertVerify },{CFin} H sess H(CH... CCV ) session hash signing tk hs tk app RMS,EMS tk hs tk app EMS April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 11 H1 Exp Hsess Exp (still simplified) ES 0 Ext SS sound key separation 0 Ext xes xss Exp Exp mes mss Ext MS Hsess Hsess Exp Exp RMS (resumption)

Security of the draft-10 Full Handshake We show that the draft-10 full (EC)DHE handshake establishes random-looking keys (tk hs, tk app, RMS, EMS) with adversary allowed to corrupt other users and reveal other session keys forward secrecy for all these keys concurrent security of anonymous, unilateral, mutual authentication key independence (leakage of traffic/resumption/exporter keys in same session does not compromise each other s security) assuming collision-resistant hashing unforgeable signatures Decisional Diffie Hellman is hard HKDF is pseudorandom function standard key exchange security under standard assumptions April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 12

Security of the draft-10 PSK Handshakes PSK random-looking keys (tk hs, tk app, EMS) mutual authentication (down to RMS) key independence no forward secrecy PSK-DHE random-looking keys (tk hs, tk app, EMS) mutual authentication (down to RMS) key independence forward secrecy for all keys Under similar standard assumptions: collision-resistant hashing HKDF is pseudorandom function collision-resistant hashing HKDF is pseudorandom function HMAC is unforgeable Decisional Diffie Hellman is hard April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 13

Composition Handshake Protocol Alert Protocol App. Data Protocol? Record Protocol we established security of the keys derived in the full and PSK handshakes what about the usage of those keys, e.g., in the Record Protocol? April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 14

Composition we follow a modular, compositional approach (extending [FG 14], originating from [BFWW 11]) Handshake Protocol? Alert Protocol App. Data Protocol Record Protocol we show: using final, forward-secret keys in any symmetric-key protocol is safe i.e., Record Protocol can be analyzed independently also captures use of exported EMS and RMS for resumption (cascading) full (EC)DHE handshake tk app EMS Record Protocol generic usage? actually, for tk app modularity is unclear RMS PSK handshake non-fs tkapp Record Protocol EMS generic usage PSK-DHE handshake tkapp EMS Record Protocol generic usage? April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 15

Post-Handshake Messages (introduced in draft-10 and draft-11) Client encrypted under tk app {ServerFinished} {ClientFinished} [NewSessionTicket]: psk_id Server optionally sent to signal PSK identifier (resumption ticket) for derived RMS April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 16

Post-Handshake Messages (introduced in draft-10 and draft-11) Client encrypted under tk app {ServerFinished} {ClientFinished} [NewSessionTicket]: psk_id [Post-Handshake Client Authentication] [KeyUpdate] Server server can ask client to authenticate at any time after handshake completed either side can at any time trigger update of session keys April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 16

Post-Handshake Messages (introduced in draft-10 and draft-11) Client encrypted under tk app {ServerFinished} {ClientFinished} [NewSessionTicket]: psk_id [Post-Handshake Client Authentication] [KeyUpdate] Server final/main session key tk app used for (post-)handshake messages reminds of TLS 1.2 Finished message (requiring monolithic/special analysis) or: should we just understand the initial messages as the TLS 1.3 handshake? note: there is no immediate attack arising from this but means (post-)handshake does not achieve generic KE security violates classical modularity between handshake and record layer April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 16

0.5-RTT Data with Late Authentication (introduced in draft-11) Client {ServerFinished} Server [0.5-RTT application data] {ClientCertificate} server can send data to {ClientCertificateVerify} not-yet-authenticated client {ClientFinished} using the same key [1-RTT application data] changing authentication of keys during usage (first server-only, then mutual) beyond what classical key exchange models capture take it conservatively? can t provide security guarantees concern: server might send auth-requiring data to unauthenticated client take it progressively? computational models need adaption to cover late authentication intuition: just retroactively authenticating the client we re already talking to April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 17

Main Comments on TLS 1.3 from Our Analysis 1. Soundness of key separation separate keys for handshake and application data encryption allows to achieve standard key secrecy notions using standard assumptions 2. Key independence unique labels in key derivation neither key affected by other s compromise allows compositional approach 3. Session hash in online signatures full transcript signed in CertificateVerify messages makes proof easier and allows for standard assumptions 4. Encryption of handshake messages tk hs secure against passive adversaries, hence can indeed increase privacy we confirm there are no negative effects on main key secrecy goal 5. Challenges due to Post-Handshake Messages and 0.5-RTT Data using application data key for post-handshake violates modularity unclear authentication guarantees when changing key auth during usage April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 18

Summary We analyze TLS 1.3 (draft-10) full (EC)DHE, PSK, and PSK-DHE handshake in an extended multi-stage key exchange model Client ClientHello ClientKeyShare Server ServerHello ServerKeyShare establish standard key secrecy notions with forward secrecy (for full/psk-dhe) running all authentication modes concurrently under standard assumptions extend composition result for modular analysis full handshake tkapp RMS EMS Record Protocol resumption handshake generic usage? point out challenges due to post-handshake messages and 0.5-RTT data full versions @ IACR eprint http://ia.cr/2016/081 (draft-10) http://ia.cr/2015/914 (draft-05 + draft-dh) Thank You! April 7, 2016 CryptoAction Symposium 2016, Budapest, Hungary Felix Günther (TU Darmstadt) 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback