Published by De Gruyter Oldenbourg October 8, 2020

Modeling advanced security aspects of key exchange and secure channel protocols

Felix Günther

Abstract

Secure connections are at the heart of today’s Internet infrastructure, protecting the confidentiality, authenticity, and integrity of communication. Achieving these security goals is the responsibility of cryptographic schemes, more specifically of two main building blocks of secure connections. First, a key exchange protocol is run to establish a shared secret key between two parties over a potentially insecure connection. Then, a secure channel protocol uses that shared key to securely transport the actual data to be exchanged. While security notions for classical designs of these components are well established, recently developed and standardized major Internet security protocols like Google’s QUIC protocol and the Transport Layer Security (TLS) protocol version 1.3 introduce novel features for which supporting security theory is lacking.

In my dissertation [20], which this article summarizes, I studied these novel and advanced design aspects, introducing enhanced security models and analyzing the security of deployed protocols. For key exchange protocols, my thesis introduces a new model for multi-stage key exchange, capturing that recent designs for secure connections establish several cryptographic keys for various purposes and with differing levels of security. It further introduces a formalism for key confirmation, reflecting a long-established practical design criterion that had so far lacked a comprehensive formal treatment. For secure channels, my thesis captures the cryptographic subtleties of streaming data transmission through a revised security model, and it addresses the novel concept of frequently updating key material for enhanced security through a multi-key channel notion. These models are then applied to study (and confirm) the security of the QUIC and TLS 1.3 protocol designs.
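To make the two secure-channel ideas named above concrete, here is an added toy illustration in Python. It is not code from the thesis or this article and does not implement their formal models; it only shows, in running code, the two properties those models are built around: a stream-based channel must recover the same plaintext stream no matter how the ciphertext stream is fragmented in transit (and must reject reordered records), and a multi-key channel periodically replaces its key with a one-way derived successor so that the old key can be erased. Everything about the construction is an assumption of the example: HMAC-SHA256 used as a PRF for key derivation, counter-mode keystream and tags; a 2-byte length prefix per record; a fixed key update after every two records; and constructed HTTP-like request bytes as sample input. It is not a production cipher.

```python
import hashlib
import hmac
import struct

# Constructed toy parameters (assumptions of this example, not the thesis's).
TAG_LEN = 32          # HMAC-SHA256 tag length
RECORDS_PER_KEY = 2   # records per key epoch before the key is updated


def derive(key: bytes, label: bytes) -> bytes:
    """One-way derivation of a sub-key or successor key (HMAC-SHA256 as a PRF)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(key: bytes, seq: int, n: int) -> bytes:
    """Counter-mode keystream of n bytes for record number seq."""
    out = b""
    block = 0
    while len(out) < n:
        out += derive(key, b"ks" + struct.pack(">QQ", seq, block))
        block += 1
    return out[:n]


class StreamChannel:
    """One direction of a toy stream channel (same class serves sender and receiver).

    Each record is: 2-byte ciphertext length | ciphertext | 32-byte tag.
    The length prefix lets the receiver re-assemble records from arbitrarily
    fragmented ciphertext. Epoch, sequence number and length are bound into the
    tag as associated data, so reordering, replay or epoch mixing is rejected.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.epoch = 0      # key epoch (incremented on every key update)
        self.seq = 0        # records processed within the current epoch
        self.buf = b""      # receiver side: not-yet-parsed ciphertext bytes

    def _maybe_update(self) -> None:
        # Multi-key channel idea: after RECORDS_PER_KEY records, replace the key
        # by a one-way successor; the previous key is no longer held anywhere.
        if self.seq == RECORDS_PER_KEY:
            self.key = derive(self.key, b"update")
            self.epoch += 1
            self.seq = 0

    def send(self, plaintext: bytes) -> bytes:
        """Encrypt one plaintext fragment into one record of the ciphertext stream."""
        enc_key, mac_key = derive(self.key, b"enc"), derive(self.key, b"mac")
        ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, self.seq, len(plaintext))))
        ad = struct.pack(">QQH", self.epoch, self.seq, len(ct))
        tag = hmac.new(mac_key, ad + ct, hashlib.sha256).digest()
        self.seq += 1
        self._maybe_update()
        return struct.pack(">H", len(ct)) + ct + tag

    def recv(self, fragment: bytes) -> bytes:
        """Consume an arbitrary ciphertext fragment; return whatever plaintext is now complete."""
        self.buf += fragment
        out = b""
        while len(self.buf) >= 2:
            ct_len = struct.unpack(">H", self.buf[:2])[0]
            need = 2 + ct_len + TAG_LEN
            if len(self.buf) < need:
                break                               # wait for the rest of this record
            ct, tag = self.buf[2:2 + ct_len], self.buf[2 + ct_len:need]
            enc_key, mac_key = derive(self.key, b"enc"), derive(self.key, b"mac")
            ad = struct.pack(">QQH", self.epoch, self.seq, ct_len)
            expected = hmac.new(mac_key, ad + ct, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                raise ValueError("record rejected: tag mismatch (reorder, replay, tamper or epoch mismatch)")
            out += bytes(a ^ b for a, b in zip(ct, keystream(enc_key, self.seq, ct_len)))
            self.buf = self.buf[need:]
            self.seq += 1
            self._maybe_update()
        return out


SESSION_KEY = hashlib.sha256(b"constructed session key").digest()   # constructed


def demo_fragmentation() -> bytes:
    """Deliver one ciphertext stream byte-by-byte and as a single chunk; both yield the same plaintext."""
    sender = StreamChannel(SESSION_KEY)
    parts = [b"GET /index", b".html HTTP/1.1\r\n", b"Host: example", b".test\r\n\r\n"]
    stream = b"".join(sender.send(p) for p in parts)
    r1 = StreamChannel(SESSION_KEY)
    byte_wise = b"".join(r1.recv(stream[i:i + 1]) for i in range(len(stream)))
    r2 = StreamChannel(SESSION_KEY)
    one_chunk = r2.recv(stream)
    return byte_wise if byte_wise == one_chunk else b""


def reorder_rejected() -> bool:
    """Swapping two records must fail authentication at the receiver."""
    s = StreamChannel(SESSION_KEY)
    first, second = s.send(b"first"), s.send(b"second")
    try:
        StreamChannel(SESSION_KEY).recv(second + first)
        return False
    except ValueError:
        return True


def epochs_after(n_records: int) -> int:
    """Key epoch reached after sending n_records records (n_records // RECORDS_PER_KEY)."""
    s = StreamChannel(SESSION_KEY)
    for _ in range(n_records):
        s.send(b"x")
    return s.epoch
```

The receiver never decides on its own where a record ends or which key to use: both follow from the length prefix and from the shared epoch/sequence counters, which is what makes the plaintext stream independent of how the sender chose to fragment it. Binding the epoch into each tag is what turns the key update into a security boundary rather than a mere renaming.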


Funding source: Deutsche Forschungsgemeinschaft

Award Identifier / Grant number: GU 1859/1-1

Funding statement: This work was supported by Deutsche Forschungsgemeinschaft, Grant Number: GU 1859/1-1.

References

1. M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In 2009 IEEE Symposium on Security and Privacy, pages 16–26, Oakland, CA, USA, May 17–20, 2009. IEEE Computer Society Press.

2. G. Arfaoui, X. Bultel, P.-A. Fouque, A. Nedelcu, and C. Onete. The privacy of the TLS 1.3 protocol. Proceedings on Privacy Enhancing Technologies, 2019(4):190–210, Oct. 2019.

3. M. Bellare, T. Kohno, and C. Namprempre. Authenticated encryption in SSH: Provably fixing the SSH binary packet protocol. In V. Atluri, editor, ACM CCS 2002: 9th Conference on Computer and Communications Security, pages 1–11, Washington, DC, USA, Nov. 18–22, 2002. ACM Press.

4. M. Bellare and P. Rogaway. Entity authentication and key distribution. In D. R. Stinson, editor, Advances in Cryptology – CRYPTO’93, volume 773 of Lecture Notes in Computer Science, pages 232–249, Santa Barbara, CA, USA, Aug. 22–26, 1994. Springer, Heidelberg, Germany.

5. K. Bhargavan, A. Delignat-Lavaud, C. Fournet, A. Pironti, and P.-Y. Strub. Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS. In 2014 IEEE Symposium on Security and Privacy, pages 98–113, Berkeley, CA, USA, May 18–21, 2014. IEEE Computer Society Press.

6. A. Boldyreva, J. P. Degabriele, K. G. Paterson, and M. Stam. Security of symmetric encryption in the presence of ciphertext fragmentation. In D. Pointcheval and T. Johansson, editors, Advances in Cryptology – EUROCRYPT 2012, volume 7237 of Lecture Notes in Computer Science, pages 682–699, Cambridge, UK, Apr. 15–19, 2012. Springer, Heidelberg, Germany.

7. J. Brendel and M. Fischlin. Zero round-trip time for the extended access control protocol. In S. N. Foley, D. Gollmann, and E. Snekkenes, editors, ESORICS 2017: 22nd European Symposium on Research in Computer Security, Part I, volume 10492 of Lecture Notes in Computer Science, pages 297–314, Oslo, Norway, Sept. 11–15, 2017. Springer, Heidelberg, Germany.

8. C. Brzuska, M. Fischlin, B. Warinschi, and S. C. Williams. Composability of Bellare-Rogaway key exchange protocols. In Y. Chen, G. Danezis, and V. Shmatikov, editors, ACM CCS 2011: 18th Conference on Computer and Communications Security, pages 51–62, Chicago, Illinois, USA, Oct. 17–21, 2011. ACM Press.

9. K. Cohn-Gordon, C. Cremers, B. Dowling, L. Garratt, and D. Stebila. A formal security analysis of the Signal messaging protocol. In 2nd IEEE European Symposium on Security and Privacy, EuroS&P 2017, pages 451–466, Paris, France, Apr. 26–28, 2017. IEEE.

10. D. Diemert and T. Jager. On the tight security of TLS 1.3: Theoretically-sound cryptographic parameters for real-world deployments. Journal of Cryptology, 2020. To appear. Available as Cryptology ePrint Archive, Report 2020/726. https://eprint.iacr.org/2020/726.

11. W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6):644–654, 1976.

12. D. Dolev and A. C. Yao. On the security of public key protocols. IEEE Transactions on Information Theory, 29(2):198–207, 1983.

13. B. Dowling, M. Fischlin, F. Günther, and D. Stebila. A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In I. Ray, N. Li, and C. Kruegel, editors, ACM CCS 2015: 22nd Conference on Computer and Communications Security, pages 1197–1210, Denver, CO, USA, Oct. 12–16, 2015. ACM Press.

14. B. Dowling, M. Fischlin, F. Günther, and D. Stebila. A cryptographic analysis of the TLS 1.3 draft-10 full and pre-shared key handshake protocol. Cryptology ePrint Archive, Report 2016/081, 2016. http://eprint.iacr.org/2016/081.

15. M. Fischlin and F. Günther. Multi-stage key exchange and the case of Google’s QUIC protocol. In G.-J. Ahn, M. Yung, and N. Li, editors, ACM CCS 2014: 21st Conference on Computer and Communications Security, pages 1193–1204, Scottsdale, AZ, USA, Nov. 3–7, 2014. ACM Press.

16. M. Fischlin and F. Günther. Replay attacks on zero round-trip time: The case of the TLS 1.3 handshake candidates. In 2nd IEEE European Symposium on Security and Privacy, EuroS&P 2017, pages 60–75, Paris, France, Apr. 26–28, 2017. IEEE.

17. M. Fischlin, F. Günther, G. A. Marson, and K. G. Paterson. Data is a stream: Security of stream-based channels. In R. Gennaro and M. J. B. Robshaw, editors, Advances in Cryptology – CRYPTO 2015, Part II, volume 9216 of Lecture Notes in Computer Science, pages 545–564, Santa Barbara, CA, USA, Aug. 16–20, 2015. Springer, Heidelberg, Germany.

18. M. Fischlin, F. Günther, B. Schmidt, and B. Warinschi. Key confirmation in key exchange: A formal treatment and implications for TLS 1.3. In 2016 IEEE Symposium on Security and Privacy, pages 452–469, San Jose, CA, USA, May 22–26, 2016. IEEE Computer Society Press.

19. S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28(2):270–299, 1984.

20. F. Günther. Modeling Advanced Security Aspects of Key Exchange and Secure Channel Protocols. Ph.D. thesis, Technische Universität Darmstadt, Darmstadt, Germany, Feb. 2018. Available online at http://tuprints.ulb.tu-darmstadt.de/7162/.

21. F. Günther and S. Mazaheri. A formal treatment of multi-key channels. In J. Katz and H. Shacham, editors, Advances in Cryptology – CRYPTO 2017, Part III, volume 10403 of Lecture Notes in Computer Science, pages 587–618, Santa Barbara, CA, USA, Aug. 20–24, 2017. Springer, Heidelberg, Germany.

22. R. Holz, J. Amann, A. Razaghpanah, and N. Vallina-Rodriguez. The era of TLS 1.3: Measuring deployment and use with active and passive methods. arXiv:1907.12762 [cs.CR], 2019. https://arxiv.org/abs/1907.12762.

23. R. Holz, J. Hiller, J. Amann, A. Razaghpanah, T. Jost, N. Vallina-Rodriguez, and O. Hohlfeld. Tracking the deployment of TLS 1.3 on the web: A story of experimentation and centralization. SIGCOMM Computer Communication Review, 50(3):3–15, July 2020.

24. J. Iyengar and M. Thomson. QUIC: A UDP-Based Multiplexed and Secure Transport – draft-ietf-quic-transport-29. https://tools.ietf.org/html/draft-ietf-quic-transport-29, June 2020.

25. D. Kahn. The Code-Breakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet. Scribner, 1996.

26. X. Lan, J. Xu, Z.-F. Zhang, and W.-T. Zhu. Investigating the multi-ciphersuite and backwards-compatibility security of the upcoming TLS 1.3. IEEE Transactions on Dependable and Secure Computing, 16(2):272–286, 2019.

27. A. Langley, A. Riddoch, A. Wilk, A. Vicente, C. Krasic, D. Zhang, F. Yang, F. Kouranov, I. Swett, J. R. Iyengar, J. Bailey, J. Dorfman, J. Roskind, J. Kulik, P. Westin, R. Tenneti, R. Shade, R. Hamilton, V. Vasiliev, W. Chang, and Z. Shi. The QUIC transport protocol: Design and internet-scale deployment. In Proceedings of the Conference of the ACM Special Interest Group on Data Communication, SIGCOMM 2017, pages 183–196, Los Angeles, CA, USA, Aug. 21–25, 2017. ACM.

28. X. Li, J. Xu, Z. Zhang, D. Feng, and H. Hu. Multiple handshakes security of TLS 1.3 candidates. In 2016 IEEE Symposium on Security and Privacy, pages 486–505, San Jose, CA, USA, May 22–26, 2016. IEEE Computer Society Press.

29. A. Luykx and K. G. Paterson. Limits on authenticated encryption use in TLS, Aug. 2017. http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf.

30. Netmarketshare. HTTP vs HTTPS, Aug. 2020. https://netmarketshare.com/report.aspx?id=https.

31. K. G. Paterson and T. van der Merwe. Reactive and proactive standardisation of TLS. In L. Chen, D. A. McGrew, and C. J. Mitchell, editors, Security Standardisation Research: Third International Conference (SSR 2016), volume 10074 of Lecture Notes in Computer Science, pages 160–186, Gaithersburg, MD, USA, Dec. 5–6, 2016. Springer.

32. C. Patton and T. Shrimpton. Partially specified channels: The TLS 1.3 record layer without elision. In D. Lie, M. Mannan, M. Backes, and X. Wang, editors, ACM CCS 2018: 25th Conference on Computer and Communications Security, pages 1415–1428, Toronto, ON, Canada, Oct. 15–19, 2018. ACM Press.

33. QUIC, a multiplexed stream transport over UDP. https://www.chromium.org/quic.

34. E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (Proposed Standard), Aug. 2018.

35. B. Smyth and A. Pironti. Truncating TLS connections to violate beliefs in web applications. In J. Oberheide and W. K. Robertson, editors, 7th USENIX Workshop on Offensive Technologies, WOOT’13, Washington, D.C., USA, Aug. 13, 2013. USENIX Association.

Received: 2020-08-04
Accepted: 2020-10-02
Published Online: 2020-10-08
Published in Print: 2020-12-16

© 2020 Walter de Gruyter GmbH, Berlin/Boston