On the Security of TLS-DHE in the Standard Model

Tibor Jager, Florian Kohlar, Sven Schäge, and Jörg Schwenk
Horst Görtz Institute for IT Security, Bochum
1st BIU Security Day: The Current Status of TLS Security, May 1, 2016, Bar-Ilan University, Israel
(slide deck, 51 slides)


TRANSCRIPT

Slide 1: title slide (title, authors, affiliation and venue as given above)

Slide 2: TLS and SSL Versions

Timeline:
   1994: SSL 1.0 and 2.0 (Netscape)
   1995: SSL 3.0 (Netscape & Microsoft PCT)
   1999: TLS 1.0 (= SSL 3.1) (IETF standard)
   2006: TLS 1.1
   2008: TLS 1.2
   2016?: TLS 1.3

•  This talk: TLS ≈ TLS 1.0 ≈ TLS 1.1 ≈ TLS 1.2
•  This talk is not about TLS 1.3!

Slide 3: Support of TLS versions in practice

[Chart: support of SSL 2.0 (1994), SSL 3.0 (1995), TLS 1.0 (1999), TLS 1.1 (2006), TLS 1.2 (2008) and TLS 1.3 (2016?). Source: SSL Labs, https://www.trustworthyinternet.org/ssl-pulse/, Jan 5, 2016]

Support of more than one version is very common.

Slides 4–5: TLS Sessions: Handshake + Record Layer

[Diagram: Client ⟷ Server; 1. Handshake, then 2. Record Layer]

Handshake:
•  Negotiation of cryptographic parameters (selection of CipherSuite)
•  Authentication
•  Establishment of session key k

Record Layer:
•  Data encryption and authentication using key k

Slides 6–7: Cipher Suites

•  Standardized selection of algorithms for key exchange, signature, encryption, hashing
   – e.g. TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
•  3 families of Cipher Suites:
   – Ephemeral Diffie-Hellman (TLS-DHE)
   – Static Diffie-Hellman (TLS-DH)
   – RSA encryption (TLS-RSA)
   – Handshake protocol is (slightly) different for each group

Slides 8–12: The Cryptographic Core of the TLS-DHE Handshake

C has signature key (pkC, skC); S has signature key (pkS, skS).

1. Cipher suite agreement:
   C → S: rC, supported CipherSuites
   S → C: rS, selected CipherSuite

2. Key exchange:
   S picks s ← Z_q and sends g^s, Sig(skS; g^s, some previous data)
   C picks c ← Z_q and sends g^c, Sig(skC; g^c, some previous data)
   Both compute pms = g^{cs}, ms = PRF(pms; L1, rC, rS), k = PRF(ms; L2, rC, rS)

3. FINISHED messages:
   finS = PRF(ms; L3, prev. data), sent as Enc(k; constS, finS)
   finC = PRF(ms; L4, prev. data), sent as Enc(k; constC, finC)
   C "accepts" key k with partner S; S "accepts" key k with partner C

Is this secure?

Slides 13–15: Secure Authenticated Key Exchange

•  Desired properties:
   – Authentication of communication partners
   – Good cryptographic keys
•  Several security models formalizing this notion
   – We use enhanced version of Bellare-Rogaway [BR'93]
     •  Adopted to the public-key setting
     •  Cf. Blake-Wilson et al. [BJM'99]
•  Model described by two components:
   – Execution model
   – Security definition

Slides 16–19: Execution Model

[Diagram: protocol Π run among clients C1 (pkC1, skC1), C2 (pkC2, skC2), C3 (pkC3, skC3) and servers S1 (pkS1, skS1), S2 (pkS2, skS2), S3 (pkS3, skS3); later builds add the long-term secret skC1 and a session key k]

Slides 20–22: Security Definition

•  Attacker breaks the protocol if
   1. C (or S) "accepts" with partner S (or C), but S and C do not have matching conversations, or
   2. it distinguishes "real" from "random" key

[Diagram: protocol Π between C (pkC, skC) and S (pkS, skS); C "accepts" with key k and partner S; a "Test" query returns either k or rnd, and the attacker outputs "real" / "random"]

Slides 23–24: The TLS Handshake is not a Provably Secure AKE Protocol

[Diagram: the handshake of slides 8–12 (1. Cipher suite agreement, 2. Key exchange, 3. FINISHED messages) with finS = PRF(ms; L3, prev. data) sent as Enc(k; constS, finS) and finC = PRF(ms; L4, prev. data) sent as Enc(k; constC, finC); C "accepts" key k with partner S, S "accepts" key k with partner C]

•  Enc(k; constS, finS) allows to distinguish real key k from random
   – Applies to TLS-DHE, TLS-DH, and TLS-RSA
   – Theoretical attack in the security model

Slides 25–26: Unsatisfying Situation

•  TLS is the most important security protocol in practice
•  TLS Handshake is insecure in any AKE security model based on key-indistinguishability
•  Two approaches to resolve this issue:
   1. Consider "truncated" TLS Handshake [MSW'10], without encryption of FINISHED messages
   2. Develop a new security model

Slides 27–28: 1st Approach: "Truncated TLS"

[Diagram: the same handshake, but in 3. FINISHED messages finS = PRF(ms; L3, prev. data) and finC = PRF(ms; L4, prev. data) are sent unencrypted; C "accepts" key k with partner S, S "accepts" key k with partner C]

Theorem: Truncated TLS-DHE Handshake is a secure AKE protocol, if
•  the PRF is a secure pseudo-random function,
•  the digital signature scheme is EUF-CMA secure,
•  the DDH assumption holds, and
•  the PRF-ODH assumption holds

Slides 29–30: Comparison to Previous Work

                    Morrissey, Smart, Warinschi '10     Our work
  Security model    Bellare-Rogaway Model               Bellare-Rogaway Model
  Cipher suites     TLS_DHE, TLS_DH, TLS_RSA (1)        TLS_DHE
  Proof setting     Random Oracle Model                 Standard Model (2)
  Analysis          Modular analysis                    Monolithic analysis

(1) Assumes different RSA encryption scheme
(2) Requires PRF-ODH assumption

Truncated TLS: Morrissey, Smart, Warinschi '10

Both results do not consider the real TLS Handshake...!

Slides 31–32: 2nd Approach: New Security Model

•  Secure AKE provides indistinguishable keys
   – Key can be used in any further application
   – Too strong for TLS Handshake
   – Stronger than necessary: TLS uses keys for Record Layer
•  Can we describe a new security model which is
   – strong enough to provide security, but
   – weak enough to be achievable by TLS?

Slide 33: Authenticated Confidential Channel Establishment (ACCE)

•  Simple extension of the AKE model:
   – Explicit authentication of communication partners
   – Good cryptographic keys (replaced on the slide by: Authenticated and confidential channel)
•  ACCE considers Handshake + Record Layer
   – Encryptions should be indistinguishable
   – Ciphertexts should be authenticated

Slides 34–35: TLS-DHE is a Secure ACCE Protocol

Theorem: TLS-DHE is a secure ACCE protocol, if
•  the PRF is a secure pseudo-random function,
•  the digital signature scheme is EUF-CMA secure,
•  the DDH assumption holds in the Diffie-Hellman group,
•  the PRF-ODH assumption holds, and
•  the Record Layer cipher is secure (sLHAE)

Stateful Length-Hiding Authenticated Encryption [PRS'11]:
•  Security notion for symmetric ciphers
•  Captures exactly what is expected from TLS Record Layer
•  Achieved by CBC-based cipher suites in TLS 1.1 and 1.2

Slides 36–42: The PRF-ODH Assumption

•  Let G = <g> be a group with order p, let PRF: G × M → R be a function

Game between Adversary A and Challenger C:
   C: U := g^u, V := g^v where u, v ← Z_p
   A → C: m ∈ M
   C → A: U, V ∈ G and PRF(g^{uv}, m) or rand ∈ R
   A → C: W ∈ G, m' ∈ M
   C → A: PRF(W^u, m')
   A outputs "real" or "random"

•  PRF-ODH assumption: no efficient attacker can distinguish PRF(g^{uv}, m) from random
   – Variant of Oracle Diffie-Hellman assumption [ABR'01]

Slides 43–44: Is PRF-ODH really necessary?

•  Not if
   – no corruptions of long-term secrets are allowed, or
   – small changes are made to TLS-DHE Handshake
     •  E.g. making it more similar to Σ0 [CK'02]
•  Impossible to avoid, if
   – security model with corruptions is considered, and
   – reduction uses attacker and PRF as black-box

Slides 45–46: Subsequent Works using ACCE (This work: CRYPTO 2012)

•  Further TLS cipher suites:
   – Krawczyk et al., Crypto 2013
   – Li et al., PKC 2014
•  Secure re-negotiation of TLS session keys:
   – Giesen et al., CCS 2013
•  Other practical protocols:
   – EMV channel establishment (Brzuska et al., CCS 2013)
   – SSH (Bergsma et al., CCS 2014)
   – QUIC (Lychev et al., S&P 2015)

ACCE: Not beautiful, but useful

Slide 47: ACCE: Not beautiful, but useful

[Image with captions: "The ACCE security model" / "Cryptographers analyzing 'real-world' protocols"]

Slide 48: Subsequent Works on the Provable Security of TLS <= 1.2 (This work: CRYPTO 2012)

For example:
•  Krawczyk, Paterson, Wee (CRYPTO 13): ACCE-based analysis of TLS-RSA and TLS-sDH
•  Bhargavan e.a. (Oakland 13): Formally-verified implementation of TLS (miTLS)
•  Alternatives to ACCE:
   – Brzuska et al. (Information Security 2013): Relaxed yet composable security notions for key exchange
   – Bhargavan e.a. (CRYPTO 14): Use real-or-random key for encryption of FIN-message

Slide 49: Subsequent Works on the Provable Security of TLS 1.3

For example:
•  Krawczyk, Wee (Euro S&P 16): Theoretically-sound foundation of TLS 1.3
•  Dowling, Fischlin, Günther, Stebila (ACM CCS 2015): Formal analysis of TLS 1.3 handshake candidates
•  Cremers, Horvat, Scott, van der Merwe (Oakland 16): Automated Analysis of TLS 1.3
•  ...

Slides 50–51: Summary

•  New ACCE security model
•  First full security proof for TLS-DHE
•  Many follow-up works, but also many open problems:
   – TLS is much more complex – we (and subsequent "pencil-and-paper" proofs) considered only the cryptographic core
   – Other promising approaches:
     •  Verified implementations (miTLS)
     •  Automated Analysis (see Thyla's talk)

Thank you!