Published by De Gruyter Oldenbourg, October 8, 2020

Modeling advanced security aspects of key exchange and secure channel protocols

  • Felix Günther

    Dr. Felix Günther studied Computer Science (B.Sc./M.Sc.) and IT Security (M.Sc.) at TU Darmstadt, where he received his Ph.D. in Computer Science (summa cum laude) in 2018 under the supervision of Prof. Dr. Marc Fischlin. For his dissertation, he received the ACM SIGSAC Doctoral Dissertation Award for Outstanding PhD Theses in Computer and Information Security, the ERCIM STM WG Award for the Best Ph.D. Thesis on Security and Trust Management, and the Dr.-Heinz-Sebiger Dissertation Award on Data Protection and IT Security of the DATEV-Stiftung Zukunft; he further was runner-up for the CAST/GI Doctoral Dissertation Award in IT Security. After his Ph.D., he has been supported by a Research Fellowship grant of the German Research Foundation (DFG) to work as a postdoctoral researcher at UC San Diego with Prof. Mihir Bellare and at ETH Zürich, his current position, with Prof. Kenneth G. Paterson.


Abstract

Secure connections are at the heart of today’s Internet infrastructure, protecting the confidentiality, authenticity, and integrity of communication. Achieving these security goals is the responsibility of cryptographic schemes, more specifically of the two main building blocks of secure connections. First, a key exchange protocol is run to establish a shared secret key between two parties over a potentially insecure connection. Then, a secure channel protocol uses that shared key to securely transport the actual data to be exchanged. While security notions for classical designs of these components are well-established, recently developed and standardized major Internet security protocols like Google’s QUIC protocol and the Transport Layer Security (TLS) protocol version 1.3 introduce novel features for which supporting security theory is lacking.

In my dissertation [20], which this article summarizes, I studied these novel and advanced design aspects, introducing enhanced security models and analyzing the security of deployed protocols. For key exchange protocols, my thesis introduces a new model for multi-stage key exchange to capture that recent designs for secure connections establish several cryptographic keys for various purposes and with differing levels of security. It further introduces a formalism for key confirmation, reflecting a long-established practical design criterion that had so far lacked a comprehensive formal treatment. For secure channels, my thesis captures the cryptographic subtleties of streaming data transmission through a revised security model and, through a multi-key channel notion, the novel concept of frequently updating key material for enhanced security. These models are then applied to study (and confirm) the security of the QUIC and TLS 1.3 protocol designs.
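As an added illustration of the two channel notions named above (stream-based transmission and periodic key updates), the following toy Python channel is not code from the thesis or the article: it uses HMAC-SHA256 as a stand-in for a real AEAD and KDF, and all names and the shared secret are constructed for this example.

```python
import hashlib
import hmac

def derive(key: bytes, label: bytes) -> bytes:
    # One-way derivation (HMAC-SHA256 as a KDF): an updated key does not reveal the one it replaced.
    return hmac.new(key, label, hashlib.sha256).digest()

def keystream(key: bytes, seq: int, n: int) -> bytes:
    # Counter-mode keystream bound to the record sequence number (toy construction for illustration).
    return b"".join(hmac.new(key, seq.to_bytes(8, "big") + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

class Endpoint:
    # One side of a stream-based channel; keys are updated after every `records_per_key` records.
    def __init__(self, secret: bytes, records_per_key: int = 2):
        self.chain, self.epoch, self.seq, self.records_per_key = secret, 0, 0, records_per_key
        self.enc_key, self.mac_key = derive(secret, b"enc"), derive(secret, b"mac")

    def _advance(self) -> None:
        self.seq += 1
        if self.seq % self.records_per_key == 0:  # key update: ratchet the chain forward
            self.chain, self.epoch = derive(self.chain, b"next"), self.epoch + 1
            self.enc_key, self.mac_key = derive(self.chain, b"enc"), derive(self.chain, b"mac")

    def _tag(self, ct: bytes) -> bytes:
        # MAC covers epoch and sequence number, so replays, reordering and cross-epoch records fail.
        header = self.epoch.to_bytes(4, "big") + self.seq.to_bytes(8, "big")
        return hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()[:16]

    def send(self, fragment: bytes) -> bytes:
        # Encrypt one fragment of the byte stream; where the sender cuts the stream is arbitrary.
        ct = bytes(a ^ b for a, b in zip(fragment, keystream(self.enc_key, self.seq, len(fragment))))
        record = self._tag(ct) + ct
        self._advance()
        return record

    def recv(self, record: bytes) -> bytes:
        tag, ct = record[:16], record[16:]
        if not hmac.compare_digest(tag, self._tag(ct)):
            raise ValueError("record rejected: bad tag, or wrong sequence number / epoch")
        pt = bytes(a ^ b for a, b in zip(ct, keystream(self.enc_key, self.seq, len(ct))))
        self._advance()
        return pt

def transfer(stream: bytes, cuts: list, secret: bytes = b"constructed shared secret") -> bytes:
    # Send `stream` cut at the given offsets and return the byte stream the receiver reassembles.
    snd, rcv = Endpoint(secret), Endpoint(secret)
    bounds = [0] + cuts + [len(stream)]
    return b"".join(rcv.recv(snd.send(stream[a:b])) for a, b in zip(bounds, bounds[1:]))
```

Both endpoints ratchet their key chain in lockstep, so the receiver accepts records only in order and only under the epoch the sender used for them.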


Award Identifier / Grant number: GU 1859/1-1

Funding statement: This work was supported by Deutsche Forschungsgemeinschaft, Grant Number: GU 1859/1-1.


References

1. M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In 2009 IEEE Symposium on Security and Privacy, pages 16–26, Oakland, CA, USA, May 17–20, 2009. IEEE Computer Society Press. doi:10.1109/SP.2009.5

2. G. Arfaoui, X. Bultel, P.-A. Fouque, A. Nedelcu, and C. Onete. The privacy of the TLS 1.3 protocol. Proceedings on Privacy Enhancing Technologies, 2019(4):190–210, Oct. 2019. doi:10.2478/popets-2019-0065

3. M. Bellare, T. Kohno, and C. Namprempre. Authenticated encryption in SSH: Provably fixing the SSH binary packet protocol. In V. Atluri, editor, ACM CCS 2002: 9th Conference on Computer and Communications Security, pages 1–11, Washington, DC, USA, Nov. 18–22, 2002. ACM Press. doi:10.1145/586110.586112

4. M. Bellare and P. Rogaway. Entity authentication and key distribution. In D. R. Stinson, editor, Advances in Cryptology – CRYPTO’93, volume 773 of Lecture Notes in Computer Science, pages 232–249, Santa Barbara, CA, USA, Aug. 22–26, 1994. Springer, Heidelberg, Germany. doi:10.1007/3-540-48329-2_21

5. K. Bhargavan, A. Delignat-Lavaud, C. Fournet, A. Pironti, and P.-Y. Strub. Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS. In 2014 IEEE Symposium on Security and Privacy, pages 98–113, Berkeley, CA, USA, May 18–21, 2014. IEEE Computer Society Press. doi:10.1109/SP.2014.14

6. A. Boldyreva, J. P. Degabriele, K. G. Paterson, and M. Stam. Security of symmetric encryption in the presence of ciphertext fragmentation. In D. Pointcheval and T. Johansson, editors, Advances in Cryptology – EUROCRYPT 2012, volume 7237 of Lecture Notes in Computer Science, pages 682–699, Cambridge, UK, Apr. 15–19, 2012. Springer, Heidelberg, Germany. doi:10.1007/978-3-642-29011-4_40

7. J. Brendel and M. Fischlin. Zero round-trip time for the extended access control protocol. In S. N. Foley, D. Gollmann, and E. Snekkenes, editors, ESORICS 2017: 22nd European Symposium on Research in Computer Security, Part I, volume 10492 of Lecture Notes in Computer Science, pages 297–314, Oslo, Norway, Sept. 11–15, 2017. Springer, Heidelberg, Germany. doi:10.1007/978-3-319-66402-6_18

8. C. Brzuska, M. Fischlin, B. Warinschi, and S. C. Williams. Composability of Bellare-Rogaway key exchange protocols. In Y. Chen, G. Danezis, and V. Shmatikov, editors, ACM CCS 2011: 18th Conference on Computer and Communications Security, pages 51–62, Chicago, Illinois, USA, Oct. 17–21, 2011. ACM Press. doi:10.1145/2046707.2046716

9. K. Cohn-Gordon, C. Cremers, B. Dowling, L. Garratt, and D. Stebila. A formal security analysis of the Signal messaging protocol. In 2nd IEEE European Symposium on Security and Privacy, EuroS&P 2017, pages 451–466, Paris, France, Apr. 26–28, 2017. IEEE. doi:10.1109/EuroSP.2017.27

10. D. Diemert and T. Jager. On the tight security of TLS 1.3: Theoretically-sound cryptographic parameters for real-world deployments. Journal of Cryptology, 2020. To appear. Available as Cryptology ePrint Archive, Report 2020/726. https://eprint.iacr.org/2020/726. doi:10.1007/s00145-021-09388-x

11. W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6):644–654, 1976. doi:10.1109/TIT.1976.1055638

12. D. Dolev and A. C. Yao. On the security of public key protocols. IEEE Transactions on Information Theory, 29(2):198–207, 1983. doi:10.1109/SFCS.1981.32

13. B. Dowling, M. Fischlin, F. Günther, and D. Stebila. A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In I. Ray, N. Li, and C. Kruegel, editors, ACM CCS 2015: 22nd Conference on Computer and Communications Security, pages 1197–1210, Denver, CO, USA, Oct. 12–16, 2015. ACM Press. doi:10.1145/2810103.2813653

14. B. Dowling, M. Fischlin, F. Günther, and D. Stebila. A cryptographic analysis of the TLS 1.3 draft-10 full and pre-shared key handshake protocol. Cryptology ePrint Archive, Report 2016/081, 2016. http://eprint.iacr.org/2016/081. doi:10.1145/2810103.2813653

15. M. Fischlin and F. Günther. Multi-stage key exchange and the case of Google’s QUIC protocol. In G.-J. Ahn, M. Yung, and N. Li, editors, ACM CCS 2014: 21st Conference on Computer and Communications Security, pages 1193–1204, Scottsdale, AZ, USA, Nov. 3–7, 2014. ACM Press. doi:10.1145/2660267.2660308

16. M. Fischlin and F. Günther. Replay attacks on zero round-trip time: The case of the TLS 1.3 handshake candidates. In 2nd IEEE European Symposium on Security and Privacy, EuroS&P 2017, pages 60–75, Paris, France, Apr. 26–28, 2017. IEEE. doi:10.1109/EuroSP.2017.18

17. M. Fischlin, F. Günther, G. A. Marson, and K. G. Paterson. Data is a stream: Security of stream-based channels. In R. Gennaro and M. J. B. Robshaw, editors, Advances in Cryptology – CRYPTO 2015, Part II, volume 9216 of Lecture Notes in Computer Science, pages 545–564, Santa Barbara, CA, USA, Aug. 16–20, 2015. Springer, Heidelberg, Germany. doi:10.1007/978-3-662-48000-7_27

18. M. Fischlin, F. Günther, B. Schmidt, and B. Warinschi. Key confirmation in key exchange: A formal treatment and implications for TLS 1.3. In 2016 IEEE Symposium on Security and Privacy, pages 452–469, San Jose, CA, USA, May 22–26, 2016. IEEE Computer Society Press. doi:10.1109/SP.2016.34

19. S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28(2):270–299, 1984. doi:10.1016/0022-0000(84)90070-9

20. F. Günther. Modeling Advanced Security Aspects of Key Exchange and Secure Channel Protocols. Ph.D. thesis, Technische Universität Darmstadt, Darmstadt, Germany, Feb. 2018. Available online at http://tuprints.ulb.tu-darmstadt.de/7162/.

21. F. Günther and S. Mazaheri. A formal treatment of multi-key channels. In J. Katz and H. Shacham, editors, Advances in Cryptology – CRYPTO 2017, Part III, volume 10403 of Lecture Notes in Computer Science, pages 587–618, Santa Barbara, CA, USA, Aug. 20–24, 2017. Springer, Heidelberg, Germany. doi:10.1007/978-3-319-63697-9_20

22. R. Holz, J. Amann, A. Razaghpanah, and N. Vallina-Rodriguez. The era of TLS 1.3: Measuring deployment and use with active and passive methods. arXiv:1907.12762 [cs.CR], 2019. https://arxiv.org/abs/1907.12762.

23. R. Holz, J. Hiller, J. Amann, A. Razaghpanah, T. Jost, N. Vallina-Rodriguez, and O. Hohlfeld. Tracking the deployment of TLS 1.3 on the web: A story of experimentation and centralization. SIGCOMM Comput. Commun. Rev., 50(3):3–15, July 2020. doi:10.1145/3411740.3411742

24. J. Iyengar and M. Thomson. QUIC: A UDP-Based Multiplexed and Secure Transport – draft-ietf-quic-transport-29. https://tools.ietf.org/html/draft-ietf-quic-transport-29, June 2020. doi:10.17487/RFC9000

25. D. Kahn. The Code-Breakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet. Scribner, 1996.

26. X. Lan, J. Xu, Z.-F. Zhang, and W.-T. Zhu. Investigating the multi-ciphersuite and backwards-compatibility security of the upcoming TLS 1.3. IEEE Transactions on Dependable and Secure Computing, 16(2):272–286, 2019. doi:10.1109/TDSC.2017.2685382

27. A. Langley, A. Riddoch, A. Wilk, A. Vicente, C. Krasic, D. Zhang, F. Yang, F. Kouranov, I. Swett, J. R. Iyengar, J. Bailey, J. Dorfman, J. Roskind, J. Kulik, P. Westin, R. Tenneti, R. Shade, R. Hamilton, V. Vasiliev, W. Chang, and Z. Shi. The QUIC transport protocol: Design and internet-scale deployment. In Proceedings of the Conference of the ACM Special Interest Group on Data Communication, SIGCOMM 2017, pages 183–196, Los Angeles, CA, USA, Aug. 21–25, 2017. ACM. doi:10.1145/3098822.3098842

28. X. Li, J. Xu, Z. Zhang, D. Feng, and H. Hu. Multiple handshakes security of TLS 1.3 candidates. In 2016 IEEE Symposium on Security and Privacy, pages 486–505, San Jose, CA, USA, May 22–26, 2016. IEEE Computer Society Press. doi:10.1109/SP.2016.36

29. A. Luykx and K. G. Paterson. Limits on authenticated encryption use in TLS, Aug. 2017. http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf.

30. Netmarketshare. HTTP vs HTTPS, Aug. 2020. https://netmarketshare.com/report.aspx?id=https.

31. K. G. Paterson and T. van der Merwe. Reactive and proactive standardisation of TLS. In L. Chen, D. A. McGrew, and C. J. Mitchell, editors, Security Standardisation Research: Third International Conference (SSR 2016), volume 10074 of Lecture Notes in Computer Science, pages 160–186, Gaithersburg, MD, USA, Dec. 5–6, 2016. Springer. doi:10.1007/978-3-319-49100-4_7

32. C. Patton and T. Shrimpton. Partially specified channels: The TLS 1.3 record layer without elision. In D. Lie, M. Mannan, M. Backes, and X. Wang, editors, ACM CCS 2018: 25th Conference on Computer and Communications Security, pages 1415–1428, Toronto, ON, Canada, Oct. 15–19, 2018. ACM Press. doi:10.1145/3243734.3243789

33. QUIC, a multiplexed stream transport over UDP. https://www.chromium.org/quic.

34. E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (Proposed Standard), Aug. 2018. doi:10.17487/RFC8446

35. B. Smyth and A. Pironti. Truncating TLS connections to violate beliefs in web applications. In J. Oberheide and W. K. Robertson, editors, 7th USENIX Workshop on Offensive Technologies, WOOT’13, Washington, D.C., USA, Aug. 13, 2013. USENIX Association.

Received: 2020-08-04
Accepted: 2020-10-02
Published Online: 2020-10-08
Published in Print: 2020-12-16

© 2020 Walter de Gruyter GmbH, Berlin/Boston
