14
SAC Summer School 2016 Implementation and analysis of cryptographic protocols Part 4: Provable security of TLS Dr. Douglas Stebila https://www.douglas.stebila.ca/teaching/sac-2016
SACSummerSchool2016
Implementationandanalysisofcryptographicprotocols
Part4:ProvablesecurityofTLSDr.DouglasStebila
https://www.douglas.stebila.ca/teaching/sac-2016
• Defineacryptographicschemeasasetofalgorithms.
• Definesecurityasaninteractivegamebetweenachallengerandanadversary.
• Specifyyourscheme.• Proveatheoremthatanyadversarythatcanwinthesecuritygamecanbeusedtobreaksomehardproblem(“reduction”).
Provablesecurity
Sametypeofreductionase.g.provingNP-
completenessoftravellingsalesmanproblem
Fromanapplicationperspective,TLSprovides:– (negotiationofparameters)
– entityauthentication– (keyexchange)– confidentialityandintegrityofmessages
SecuritygoalsofTLS
negauthkexconfint
IdeaProvetheTLShandshakeisasecureauthenticatedkeyexchangeprotocol
– BRorCKoreCK model:adversarycan'tdistinguishrealsessionkeyfromrandomsessionkey
ProvetheTLSrecordlayerisasecureauthenticatedencryptionscheme
ProblemTLShandshakesendsmessagesencryptedunderthesessionkey
– =>overlapbetweenhandshakeandrecordlayer
– Adversarycandistinguishrealsessionkeyfromrandom
IsTLSsecure?
negauthkexconfint
negauthkexconfint
1996
SSLv3.0standardized
2001Somevariantofoneciphersuite oftheTLSrecordlayerisasecureencryptionscheme[Kra01]
2002
Truncated TLShandshakeusingRSAkeytransportisasecureauthenticatedkeyexchangeprotocol[JK02]
2008
Truncated TLShandshakeusingRSAkeytransportorsignedDiffie–HellmanisasecureAKE[MSW08]
IsTLSsecure?
“somevariant”…“truncatedTLS”…limitedciphersuites
1996
SSLv3.0standardized
2011SomemodesofTLSrecordlayeraresecureauthenticatedencryptionschemes[PRS11]
2012
UnalteredfullsignedDiffie–Hellmanciphersuite isasecurechannel[JKSS12]
2013
MostunalteredfullTLSciphersuitesareasecurechannel[KSS13,KPW13,BFKPS13]
IsTLSsecure?
“unaltered”…“full”…“mostciphersuites”
AuthenticatedandConfidentialChannelEstablishment(ACCE)securitydefinition[JKSS12]captures:– entityauthentication– confidentialityandintegrityofmessages
SecuritygoalsofTLS
negauthkexconfint
MoreresultsonTLS1.2
ACCEfamily• Renegotiationcountermeasure
• Negotiation/downgraderesilience
Constructivecryptography
Formalverificationofimplementation• miTLS
SACSummerSchool2016
Implementationandanalysisofcryptographicprotocols
Part5:TLS1.3Dr.DouglasStebila
https://www.douglas.stebila.ca/teaching/sac-2016
TLSv1.3:TheNextGeneration
• CurrentlyunderdevelopmentattheIETF
• Primarygoals:– removeciphersuites withoutforwardsecrecy– removeobsolete/deprecatedalgorithms– providelow-latencymodewithfewerroundtrips– encryptmoreofthehandshaketoimproveprivacy
Zeroroundtripmode(0-RTT)
• Goal:– allowclienttosendapplicationdataonfirstC-Shandshakeflow
– allowservertorespondwithapplicationdataonfirstS-Chandshakeflow
• Comparedwith3roundtripsforTLS1.2fullhandshakeand2roundtripsforTLS1.2sessionresumption
AcademicinvolvementinTLS1.3
• TLSworkinggroupactivelyencouragedacademicanalysesofTLS1.3
• TLS1.3ReadyOrNot(TRON)Workshop– January2016–May2016
AcademicresultsonTLS1.3• OPTLSprotocol– Candidatedesignfor0-RTTmode
• ProvablesecurityofTLS1.3handshakecandidates– draft-05anddraft-10,ECDHEandPSK
• AutomatedverificationofTLS1.3modesusingTamarinprover– Identifiedsomeflawsthathavebeenfixed
• VerifiedTLS1.3implementations• TLS1.3andQUICweaknessesagainstPKCS#1v1.5encryption
• Provablesecurityanalysisofpost-handshakeauthentication
TLS1.3timeline
• Workinggrouplastcalllaterin2016?• ~2?monthsforadditionalacademicanalysis• Standardizationin2017?• Firstimplementationsin2017or2018• Firstattacks…?– 0-RTTcouldberisky:• Noforwardsecrecy• Nosolidreplayprotection
– Howdoapplicationsdecidewhichrequestsareokaywithoutreplayprotection?
