Implementation and analysis of cryptographic protocols (lecture slides, SAC Summer School 2016, Douglas Stebila): Part 4, Provable security of TLS; Part 5, TLS 1.3

Slide 1
SAC Summer School 2016
Implementation and analysis of cryptographic protocols
Part 4: Provable security of TLS
Dr. Douglas Stebila
https://www.douglas.stebila.ca/teaching/sac-2016
Slide 2

Provable security

• Define a cryptographic scheme as a set of algorithms.
• Define security as an interactive game between a challenger and an adversary.
• Specify your scheme.
• Prove a theorem that any adversary that can win the security game can be used to break some hard problem ("reduction").

Same type of reduction as e.g. proving NP-completeness of the travelling salesman problem.
Slide 3

Security goals of TLS

From an application perspective, TLS provides:
– (negotiation of parameters)
– entity authentication
– (key exchange)
– confidentiality and integrity of messages

(goal markers on the slide: neg, auth, kex, conf, int)
Slide 4

Is TLS secure?

Idea:
• Prove the TLS handshake is a secure authenticated key exchange (AKE) protocol
  – BR, CK, or eCK model: the adversary can't distinguish the real session key from a random session key
• Prove the TLS record layer is a secure authenticated encryption scheme

Problem: the TLS handshake itself sends messages (the Finished messages) encrypted under the session key
  – => overlap between handshake and record layer
  – The adversary can distinguish the real session key from a random one simply by checking the test key against those messages, so the handshake cannot be proven secure as a standalone AKE

(goal markers on the slide: auth and kex for the handshake as AKE; conf and int for the record layer)
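The distinguishing attack described on this slide, as an added worked example (this is not code from the slides; the transcript bytes, the HMAC-based key derivation and the MAC-only Finished message are constructed stand-ins for the real TLS PRF and record encryption). The challenger runs one session and answers a Test query with either the real session key or a random one; an adversary that sees a Finished message recomputes it under the test key and wins every time, while against a "truncated" handshake with the Finished messages cut off it can only guess.

```python
# Added example (not from the slides): a toy key-indistinguishability game
# showing why the full TLS 1.2 handshake cannot be a secure AKE on its own.
import hashlib
import hmac
import secrets

# Constructed stand-in for a handshake transcript (not real TLS encoding).
TRANSCRIPT = b"ClientHello|ServerHello|Certificate|ServerKeyExchange|ClientKeyExchange"


def derive_key(premaster: bytes, transcript: bytes) -> bytes:
    """Toy session-key derivation (stands in for the TLS PRF)."""
    return hmac.new(premaster, b"session key|" + transcript, hashlib.sha256).digest()


def finished_msg(key: bytes, transcript: bytes) -> bytes:
    """Toy Finished message: a MAC over the transcript under the session key.
    Real TLS additionally encrypts this under the record keys; the MAC alone
    is enough for the distinguisher below."""
    return hmac.new(key, b"finished|" + transcript, hashlib.sha256).digest()


def challenger(truncated: bool):
    """Run one session and issue a Test query: return (b, messages, test_key),
    where test_key is the real key if b == 0 and uniformly random if b == 1.
    truncated=True models the 'truncated TLS' of [JK02]/[MSW08]: the Finished
    messages are cut off, so nothing under the session key is shown."""
    premaster = secrets.token_bytes(32)
    key = derive_key(premaster, TRANSCRIPT)
    messages = [TRANSCRIPT]
    if not truncated:
        messages.append(finished_msg(key, TRANSCRIPT))
    b = secrets.randbelow(2)
    test_key = key if b == 0 else secrets.token_bytes(32)
    return b, messages, test_key


def adversary(messages, test_key: bytes) -> int:
    """Guess b. With a Finished message available, recompute it under the
    test key: a match means the real key (b = 0). Without it, guess blindly."""
    if len(messages) == 2:
        transcript, fin = messages
        return 0 if hmac.compare_digest(finished_msg(test_key, transcript), fin) else 1
    return secrets.randbelow(2)


def win_rate(truncated: bool, trials: int = 1000) -> float:
    """Fraction of games the adversary wins; 0.5 means no advantage."""
    wins = 0
    for _ in range(trials):
        b, messages, test_key = challenger(truncated)
        if adversary(messages, test_key) == b:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("full handshake, Finished visible:", win_rate(truncated=False))
    print("truncated handshake:             ", win_rate(truncated=True))
```

The game is exactly the one the slide's AKE models ask for; the point is that the winning adversary is not exploiting any weakness, it is just using a message the protocol legitimately sends. That is why the early proofs on the next slides either truncate the handshake or move to a definition (ACCE) that does not demand key indistinguishability.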
Slide 5

Is TLS secure?

1996: SSL v3.0 standardized
2001: Some variant of one ciphersuite of the TLS record layer is a secure encryption scheme [Kra01]
2002: Truncated TLS handshake using RSA key transport is a secure authenticated key exchange protocol [JK02]
2008: Truncated TLS handshake using RSA key transport or signed Diffie–Hellman is a secure AKE [MSW08]

"some variant"… "truncated TLS"… limited ciphersuites
Slide 6

Is TLS secure?

1996: SSL v3.0 standardized
2011: Some modes of the TLS record layer are secure authenticated encryption schemes [PRS11]
2012: Unaltered full signed Diffie–Hellman ciphersuite is a secure channel [JKSS12]
2013: Most unaltered full TLS ciphersuites are a secure channel [KSS13, KPW13, BFKPS13]

"unaltered"… "full"… "most ciphersuites"
Slide 7

Security goals of TLS

The Authenticated and Confidential Channel Establishment (ACCE) security definition [JKSS12] captures:
– entity authentication
– confidentiality and integrity of messages

(goal markers on the slide: neg, auth, kex, conf, int; ACCE covers auth, conf, int)
Slide 8

More results on TLS 1.2

ACCE family
• Renegotiation countermeasure
• Negotiation/downgrade resilience

Constructive cryptography

Formal verification of implementation
• miTLS
Slide 9

SAC Summer School 2016
Implementation and analysis of cryptographic protocols
Part 5: TLS 1.3
Dr. Douglas Stebila
https://www.douglas.stebila.ca/teaching/sac-2016
Slide 10

TLS v1.3: The Next Generation

• Currently under development at the IETF
• Primary goals:
  – remove ciphersuites without forward secrecy
  – remove obsolete/deprecated algorithms
  – provide a low-latency mode with fewer round trips
  – encrypt more of the handshake to improve privacy
Slide 11

Zero round trip mode (0-RTT)

• Goal:
  – allow the client to send application data on the first client-to-server handshake flow
  – allow the server to respond with application data on the first server-to-client handshake flow
• Compared with 3 round trips for a TLS 1.2 full handshake and 2 round trips for TLS 1.2 session resumption (these counts include the TCP handshake; in TLS round trips alone they are 2 and 1, against 0 for 0-RTT)
Slide 12

Academic involvement in TLS 1.3

• The TLS working group actively encouraged academic analyses of TLS 1.3
• TLS 1.3 Ready Or Not (TRON) Workshop – January 2016 – May 2016
Slide 13

Academic results on TLS 1.3

• OPTLS protocol
  – Candidate design for 0-RTT mode
• Provable security of TLS 1.3 handshake candidates
  – draft-05 and draft-10, ECDHE and PSK
• Automated verification of TLS 1.3 modes using the Tamarin prover
  – Identified some flaws that have been fixed
• Verified TLS 1.3 implementations
• TLS 1.3 and QUIC weaknesses against PKCS#1 v1.5 encryption
• Provable security analysis of post-handshake authentication
Slide 14

TLS 1.3 timeline

• Working group last call later in 2016?
• ~2? months for additional academic analysis
• Standardization in 2017?
• First implementations in 2017 or 2018
• First attacks…?
  – 0-RTT could be risky:
    • No forward secrecy
    • No solid replay protection
  – How do applications decide which requests are okay without replay protection?
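The two 0-RTT risks on this slide (and the 0-RTT goal on slide 11), as an added worked example that is not part of the slides. The early-traffic key, the ClientHello bytes, the toy encrypt-then-MAC record, the `Server` class and the `is_safe_for_early_data` policy are all constructed stand-ins: real TLS 1.3 derives early keys with HKDF from the PSK and the ClientHello, but the security-relevant shape is the same, namely no fresh (EC)DH contribution and nothing that stops a verbatim resend of the first flight.

```python
# Added example (not from the slides): toy 0-RTT early data over a PSK, showing
# replay of the first flight and loss of forward secrecy on PSK compromise.
import hashlib
import hmac
import secrets


def early_key(psk: bytes, client_hello: bytes) -> bytes:
    """Toy early-traffic key: depends only on the PSK and the ClientHello, with
    no fresh (EC)DH share, so anyone who later learns the PSK recomputes it."""
    return hmac.new(psk, b"early|" + client_hello, hashlib.sha256).digest()


def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"ks|" + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC record (stand-in for an AEAD; never reuse a key)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, b"tag|" + ct, hashlib.sha256).digest()


def open_(key: bytes, record: bytes):
    ct, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(hmac.new(key, b"tag|" + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def is_safe_for_early_data(request: bytes) -> bool:
    """Hypothetical application policy: only idempotent reads may arrive as 0-RTT."""
    return request.startswith(b"GET ")


class Server:
    def __init__(self, psk: bytes, anti_replay: bool, app_policy: bool):
        self.psk = psk
        self.anti_replay = anti_replay   # single-use cache keyed by ClientHello
        self.app_policy = app_policy     # refuse non-idempotent early requests
        self.seen = set()
        self.executed = []

    def accept_early_data(self, client_hello: bytes, record: bytes) -> str:
        request = open_(early_key(self.psk, client_hello), record)
        if request is None:
            return "reject: bad tag"
        if self.anti_replay:
            fp = hashlib.sha256(client_hello).digest()
            if fp in self.seen:
                return "reject: replayed ClientHello"
            self.seen.add(fp)
        if self.app_policy and not is_safe_for_early_data(request):
            return "reject: not safe as 0-RTT"
        self.executed.append(request)
        return "ok"


def replay_demo(anti_replay: bool, app_policy: bool, request: bytes) -> list:
    """Client sends `request` as early data; an attacker who captured the flight
    resends it verbatim. Returns the server's verdict for each delivery."""
    psk = secrets.token_bytes(32)                      # constructed shared PSK
    server = Server(psk, anti_replay, app_policy)
    client_hello = b"ClientHello|psk_id=42|random=" + secrets.token_bytes(8)
    flight = (client_hello, seal(early_key(psk, client_hello), request))
    first = server.accept_early_data(*flight)
    replayed = server.accept_early_data(*flight)
    return [first, replayed]


def forward_secrecy_demo() -> bytes:
    """Capture early data now, learn the PSK later, decrypt the capture."""
    psk = secrets.token_bytes(32)
    client_hello = b"ClientHello|psk_id=42|random=" + secrets.token_bytes(8)
    captured = seal(early_key(psk, client_hello), b"GET /secret")
    leaked_psk = psk   # e.g. the server's ticket key or PSK store compromised later
    return open_(early_key(leaked_psk, client_hello), captured)


if __name__ == "__main__":
    print(replay_demo(False, False, b"POST /transfer amount=100"))  # executed twice
    print(replay_demo(True, False, b"POST /transfer amount=100"))   # second copy refused
    print(replay_demo(False, True, b"POST /transfer amount=100"))   # never accepted as 0-RTT
    print(forward_secrecy_demo())                                   # captured data recovered
```

The single-use ClientHello cache is the obvious server-side fix, but it only works where every server that could accept the ticket shares the cache, which is hard for a distributed deployment; that is why the slide's last question lands on the application: the server can only safely run early data that is harmless to execute twice, which is what the `app_policy` branch enforces. The forward-secrecy case has no protocol-level fix at all, since by design no fresh key-exchange contribution is available on the first flight.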