introduction to tls - tls upto 1.2 & cryptographic background · schedule tls≤1.2 jan17...
TRANSCRIPT
Introduction to TLSTLS ≤1.2 & Cryptographic Background
TLS Crypto SeminarJanuary 17, 2019
Felix GüntherUC San Diego
special thanks to Kenny Paterson
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 1
This Seminar
GoalI gain (some) understanding of a complex real-world protocol and its cryptoI partially lecture-style introduction to protocol and crypto backgroundI partially reading-group–style covering specific results (thanks to presenters!)
Part I TLS ≤1.2I The Transport Layer Security (TLS) protocol: intro and crypto background.I Attacks and analyses: understanding past weaknesses and hurdles.
Part II TLS 1.3I The road to TLS 1.3 & its technical details.I More analyses: understanding TLS 1.3’s security and what drove design.
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 2
Schedule
TLS ≤1.2Jan 17 TLS intro [TLS12] & crypto backround [BR94,BKN02] FelixJan 24 Lucky 13 [AP13] NicholasJan 31 no seminar -Feb 7 The ACCE model [JKSS12,KPW13] JosephFeb 14 Logjam [ABD+15] Mark
TLS 1.3Feb 21 TLS 1.3 [TLS13] & some security models [FG17,GM17] FelixFeb 28 Multiplexing channels [PS18] VivekMar 7 Symbolic Tamarin analysis [CHH+17] BaiyuMar 14 Downgrade resilience [BBF+16] Ruth
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 3
Introduction to TLS
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 4
So What Is TLS?
TLS?
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 5
The Transport Layer Security (TLS) Protocol
TLS allows client/server applications to communicateover the Internet in a way that is designed toprevent eavesdropping, tampering, and message forgery.
TLS 1.3 [RFC 8446]1994 SSL 1.0 (unpublished)1995 SSL 2.01996 SSL 3.0
all considered seriously broken today
1999 TLS 1.0 – RFC 2246 ≈ SSL 3.0, adopted by IETF2006 TLS 1.1 – RFC 43462008 TLS 1.2 – RFC 5246
2018 TLS 1.3 – RFC 8446
maintained by IETF TLS working groupa team effort, editor: Eric Rescorla
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 6
So What Is TLS?
TLS?
An IETF standard
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 7
The TLS ProtocolA Story of Success . . . and Failures
I initially introduced by Netscape to enable e-commerce on the WWW
I today: protecting billions of Internet connections every dayI web, email, messaging, VoIP, banking, payments, e-health, . . .I >80% of web traffic is encrypted1
I an exposed target for attacks with a track record of critical flawsI structural/design errorsI weaknesses in cryptographic primitivesI implementation flawsI . . .
I crypto and security research important to understand and improve securityI finding protocol flaws, guiding design, discussing security trade-offs
1e.g., https://www.f5.com/labs/articles/threat-intelligence/the-2017-tls-telemetry-report
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 8
So What Is TLS?
TLS?
An IETF standardA green padlock
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 9
The TLS ProtocolHigh-level Goals
(from TLS 1.3, RFC 8446)“The primary goal of TLS is to provide a secure channel between two peers”
I only requirement from underlying transport: reliable, in-order data stream
I AuthenticationI server side of the channel is always authenticatedI client side is optionally authenticatedI via asymmetric crypto (e.g., signatures) or a symmetric pre-shared key
I ConfidentialityI data sent over the channel is only visible to the endpointsI TLS does not hide the length of the data it transmits (but allows padding)
I IntegrityI data sent over the channel cannot be modified without detection
I security in the face of attacker who has complete control of the networkJanuary 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 10
So What Is TLS?
TLS?
An IETF standardA green padlockA protocol for
secure communication
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 11
The TLS ProtocolOverly Simplified
Client Server
Handshake Protocol
K K
Handshake Protocol: I negotiate security parameters (“cipher suite”)I authenticate peersI establish key material for data protection
Record Protocoldata
Record Protocol: I protect data using key material from handshakeI ensuring confidentiality and integrity
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 12
So What Is TLS?
TLS?
An IETF standardA green padlockA protocol for
secure communication
Key exchange + channel(i.e., long understood. . . (?))
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 13
The TLS ProtocolArchitecture within Network Stack
TCP
Application (HTTPS, IMAPS, SMTPS, . . . )
TLS
Handshake Protocol
Record Protocol
AlertProtocol
App.dataProtocol
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 14
So What Is TLS?
TLS?
An IETF standardA green padlockA protocol for
secure communication
Key exchange + channel(i.e., long understood. . . (?))
A layer-4 protocol
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 15
The TLS ProtocolActors
I with billions of users come billions of devices (for servers and clients)I of all types, from laptop ↔ cloud to embedded device ↔ smart home hub
I running various implementations of TLS, in software and hardwareI from widely-used libraries (OpenSSL, Google’s BoringSSL, . . . )
to small or even ad-hoc implementations
I authentication via Certification Authorities (100+ in standard browser)I highly trusted and single-point-of-failure
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 16
So What Is TLS?
TLS?
An IETF standardA green padlockA protocol for
secure communication
Key exchange + channel(i.e., long understood. . . (?))
A layer-4 protocol The Internet security backbone
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 17
The TLS ProtocolComponents
I TLS is a “self-negotiating” protocolI handshake first of all agrees on TLS version and cipher suite to use
I Cipher suites: client proposes list, server picksI fixes crypto algorithms to be used for that sessionI format (up to TLS 1.2): TLS_KEX_AUT_WITH_CIP_MAC
Key ExchangeRSA DHE ECDHE PSK. . .
AuthenticationRSA DSS ECDSA PSK. . .
CipherRC4_128 3DES_EDE_CBC
AES_128_CBC AES_256_GCM. . .
(H)MACMD5 SHA SHA256. . .
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 18
The TLS ProtocolHandshake Protocol Structure
Client ServerClientHello: TLS_..., TLS_..., . . .
ServerHello: TLS_KEX_AUT_WITH_CIP_MACServerCertificate∗
ServerKeyExchange∗
CertificateRequest∗
ClientCertificate∗
ClientKeyExchangeClientCertificateVerify∗
[ChangeCipherSpec]{ClientFinished}
[ChangeCipherSpec]{ServerFinished}
application data, protected with derived key
negotiate security parameters
agree on key material
authenticate server
authenticate client
verify transcript agreement
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 19
The TLS ProtocolRecord Protocol Structure
payload data(stream)
Fragment Len‖SqN‖. . . Payload
ensure ordering
MAC–. . . MAC
protect integrity
. . . –Encode–. . . Payload MAC Tag Padding
pad to block lengthobfuscate payload length
. . . –Encrypt Encryptprotect confidentiality
Output Header CiphertextJanuary 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 20
The TLS ProtocolExample: TLS_RSA_WITH_AES_128_CBC_SHA— Handshake
(simplified)Client ServerCH: TLS_RSA_WITH_AES_128_CBC_SHA, . . . , rc
SH: TLS_RSA_WITH_AES_128_CBC_SHA, rsSCRT: (RSA pk)
SKX
preMS← $ by clientCKX: RSAEnc(pk, preMS)
MS = PRF(preMS, rc‖rs)[CCS]{CF}: PRF(MS, client,H(transcript))
[CCS]{SF}: PRF(MS, server ,H(transcript))
K = PRF(MS, rc‖rs)application data, protected with derived key K
random client/server nonces
using HMAC with SHA1
server authenticates viaability to decrypt preMS
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 21
The TLS ProtocolExample: TLS_RSA_WITH_AES_128_CBC_SHA— Record Protocol
payload data(stream)
Fragment Len‖SqN‖. . . Payload
MAC–. . . MAC: HMAC-SHA1
. . . –Encode–. . . Payload MAC Tag Padding
. . . –Encrypt Encrypt: AES128-CBC
Output Header CiphertextJanuary 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 22
The TLS ProtocolExample: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384— Handshake
(simplified)Client ServerCH: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, . . . , rc
SH: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, rsSCRT: (RSA pk)
SKX: params = (p, g , gy ),RSASign(rc , rs , params)CKX: gx preMS = gxy
MS = PRF(preMS, rc‖rs)[CCS]{CF}: PRF(MS, client,H(transcript))
[CCS]{SF}: PRF(MS, server ,H(transcript))
K = PRF(MS, rc‖rs)application data, protected with derived key K
server authenticates viasigning client nonce
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 23
The TLS ProtocolExample: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384— Record Protocol
payload data(stream)
Fragment Len‖SqN‖. . . Payload
MAC–. . . MAC
. . . –Encode–. . . Payload MAC Tag Padding
. . . –Encrypt Encrypt
Output Header Ciphertext
AEAD: AES256-GCM (AD: Header)(only since TLS 1.2)
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 24
So What Is TLS?
TLS?
An IETF standardA green padlockA protocol for
secure communication
Key exchange + channel(i.e., long understood. . . (?))
A layer-4 protocol The Internet security backboneA crypto zoo
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 25
The TLS ProtocolResumption, Renegotiation, Extensions, . . .
I (Session) ResumptionI abbreviated handshake based on previously established shared secretI multiple and possibly parallel connections from same initial secret
I RenegotiationI change of cipher suite (and keys) within session, protected by Record ProtocolI used, e.g., for late client authentication (hiding client’s identity)
or key renewal on long-lived connections without re-establishing connectionI Extensions & Variants
I extensions specify additional functionality and/or security featuresI e.g.: AEAD cipher suites, ECC, connections to other protocols, ...I some mandatory to implement, some security-critical patchesI DTLS: variant for TLS over UDP
I TLS: complex protocol with many subtly interacting sub-components
“What could possibly go wrong?” :-) (Kenny Paterson)
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 26
TLS Security IssuesWell. . .
Crypto primitives
• RSA, DSA, ECDSA
• Diffie–Hellman, ECDH
• HMAC• MD5, SHA1,
SHA-2• DES, 3DES,
RC4, AES• Export grade
Ciphersuitedetails
• Data structures• Key derivation• Encryption
modes, IVs• Padding
Advanced functionality
• Alerts & errors• Certification /
revocation• Negotiation• Renegotiation• Session
resumption• Key reuse• Compression• State machine
Libraries
• OpenSSL• LibreSSL,
BoringSSL• NSS• GnuTLS• SChannel• Java JSSE• Everest / miTLS• s2n
Applications
• Web browsers: Chrome, Firefox, IE/Edge, Safari
• Web servers: Apache, IIS, nginx, node, …
• Application SDKs
• Certificates• Protocols
• HTTP, IMAP, ..
Attacks on TLS
Attacks on TLS Stebila • 2018-09-04 5
Cross-protocol
DH/ECDH attack
RC4 biases,rc4nomore,Bar Mitzvah
CRIME, BREACH, HEIST
Triple handshake attack
gotofail;
Goldberg & Wagner
Netscape PRNG attack
FREAK, Logjam
Sweet32
Lucky13
Termination,Cookie Cutter
Bleichenbacher
SSL 2.0 downgrade,
FREAK, Logjam
POODLE
BEAST
Cross-protocol DH/ECDH attack
SLOTH
Bleichenbacher,
Collisions
Ray & Dispensa
DebianOpenSSL
entropy bug
“Most dangerous code…”
MalloDroid
CCS injection
BERserk
Heartbleed
CA breaches
Frankencerts
Virtual host confusion
SSL strippingSMACK
STARTTLS
injectionLucky
microseconds
Jager et al.DROWN
Slide by Douglas Stebila
https://www.douglas.stebila.ca/research/presentations/tls-attacks/
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 27
TLS Security Issues@Crypto: MAC-Encode-Encrypt and Lucky13
NicholasJan 24
I core issue: (good) MAC –then– (good) Encrypt 6= CCA-secure AE [BN00]
Fragment Len‖SqN‖. . . Payload
MAC–. . . MAC
. . . –Encode–. . . Payload MAC Tag Padding
00 or 01 01 or 02 02 02or . . . or FF FF ... FF
. . . –Encrypt EncryptAES_128_CBC
Output Header Payload
I MAC–then–AES-CBC DecryptionI decrypt ciphertext to obtain Payload ‖ MAC Tag ‖ PaddingI remove padding — what if padding is incorrect?I check MAC
I A padding oracleI in a modified ciphertext, either the padding check fails. . .I . . . or the MAC check failsI if the two are distinguishable: padding oracleI can lift a padding oracle to a decryption oracle [Vau02] (conditions apply)
I instead of switch to CCA-secure Enc-then-MAC, TLS tried hiding error signalI “compute MAC w/ zero padding”I “leaves a [non-exploitable] small timing channel”I Lucky13 [AP13]: HMAC timing difference still big enoughI really need constant time—which is extremely difficult!
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 28
TLS Security Issues@Crypto: MAC-Encode-Encrypt and Lucky13
NicholasJan 24
I core issue: (good) MAC –then– (good) Encrypt 6= CCA-secure AE [BN00]
I MAC–then–AES-CBC DecryptionI decrypt ciphertext to obtain Payload ‖ MAC Tag ‖ PaddingI remove padding — what if padding is incorrect?I check MAC
I A padding oracleI in a modified ciphertext, either the padding check fails. . .I . . . or the MAC check failsI if the two are distinguishable: padding oracleI can lift a padding oracle to a decryption oracle [Vau02] (conditions apply)
I instead of switch to CCA-secure Enc-then-MAC, TLS tried hiding error signalI “compute MAC w/ zero padding”I “leaves a [non-exploitable] small timing channel”I Lucky13 [AP13]: HMAC timing difference still big enoughI really need constant time—which is extremely difficult!
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 28
TLS Security Issues@Protocol Design: Weak DH Negotiation and Logjam
MarkFeb 14
I core issue: weak algorithms make strong ones fail through downgrades
Client ServerClientHello: [G2048,G512]
ServerHelloServerCertificate∗
ServerKeyExchange∗
ClientKeyExchange{ClientFinished}
{ServerFinished}
Signature?– only covers nonces
Transcript MAC?– with weak key
drawings by Giorgia Azzurra Marson
I Logjam [ABD+15]: How Diffie–Hellman Fails in PracticeI server impersonation through support of (also) weak DH groups
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 29
TLS Security Issues@Implementation: Buffers and Heartbleed
I core issue: buffer over-read in OpenSSL
I Heartbeat extension (RFC 6520)I client sends “ping back those 4 bytes: 00 01 02 03”I server responds “00 01 02 03”
I Heartbleed attack [Hea]I client sends “ping back those 16 Kbytes: 00 01 02 03”I server responds “00 01 02 03 ...<memory dump>”I possibly including sensitive data like server private key etc.
I high severity & public attention — and a catchy logo
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 30
So What Is TLS?
TLS?
An IETF standardA green padlockA protocol for
secure communication
Key exchange + channel(i.e., long understood. . . (?))
A layer-4 protocol The Internet security backboneA crypto zoo
A career opportunityfor bit flippers
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 31
Cryptographic Background
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 32
The TLS Protocol Components(Again, overly simplified)
Key Exchange
Secure Channel
Client Server
Handshake Protocol
K K
Record Protocoldata
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 33
Key Exchange SecurityBellare, Rogaway 1993 [BR94]
pkB , skA pkA, skB
KE
K K
eavesdropping active attacks
key revealcorruption
test(on “fresh” session)
$
???
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 34
Key Exchange SecurityThe communication/security model
KE(id , pid , skid , pkpid , transcript, . . . ) 7→ (msg , status, K , . . . )
skA skB
skC skD
1m1
1m1m2m2
m3 m3
2m4
1m5
1m4m6m6
m7
corrupt skA
m8
reveal Ktest
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 35
Key Exchange SecurityWhat we want
Authentication“Adversary can just relay message / act as a wire”
I relaying is the only way adversary can make sessions acceptI session accepts =⇒ ∃ other session with matching transcript
Key Secrecy“uncompromised session keys look random to adversary”
I Test query with hidden bit bI outputs real K if b = 0, else random key ←$ {0, 1}|K |
I adversary is only allowed to issue Test on “fresh”/uncompromised sessionsI Pr[A ⇒ b]− 1
2 ≈ negl.
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 36
The TLS (1.2) HandshakeWhy is it not BR-secure?
JosephFeb 7
Client ServerClientHello: TLS_..., TLS_..., . . .
ServerHello: TLS_KEX_AUT_WITH_CIP_MACServerCertificate∗
ServerKeyExchange∗
CertificateRequest∗
ClientCertificate∗
ClientKeyExchangeClientCertificateVerify∗
[ChangeCipherSpec]{ClientFinished}K
[ChangeCipherSpec]{ServerFinished}K
K ← . . .
K ← . . .
accept with K accept with K
K used to encrypt Finished messages=⇒ A can trial-decrypt with tested keyK used to encrypt Finished messages=⇒ A can trial-decrypt with tested key
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 37
The TLS Protocol Components(Again, overly simplified)
Key Exchange
Secure Channel
Client Server
Handshake Protocol
K K
Record Protocoldata
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 38
Channel SecurityBellare, Kohno, Namprempre 2002 [BKN02]
m1 m2 m3 m4 m5 . . .
K Kc1 c2′ c3 c4 c5 . . .
m1
IND-sfCPA (passive confidentiality)
IND-sfCCA (active confidentiality)
⊥
INT-sfPTXT (plaintext integrity)
INT-sfCTXT (ciphertext integrity)
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 39
Channel SecuritySecurity notions [BKN02]
IND-sfCCA SecurityExptIND-sfCCAE,A (1λ):1. K ←$ KGen(1λ), b←$ {0, 1}2. i , j ← 0, sync← 13. b′←$A(1λ)OLoR(K ,·,·),ODec(K ,·)
4. return b = b′
OLoR(K ,m0,m1): // |m0| = |m1|
1. i ← i + 12. return ci ← Enc(K ,mb)
ODec(K , c):1. j ← j + 12. if j > i or c 6= cj : sync← 03. if sync = 0: return m← Dec(K , c)
INT-sfCTXT SecurityExptINT-sfCTXTE,A (1λ):1. K ←$ KGen(1λ)2. i , j ← 0, sync← 1, win← 03. A(1λ)OEnc(K ,·),ODec(K ,·)
4. return win
OEnc(K ,m):1. i ← i + 12. return ci ← Enc(K ,m)
ODec(K , c):1. j ← j + 1, m← Dec(K , c)2. if j > i or c 6= cj : sync← 03. if sync = 0 and m 6= ⊥: win← 1
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 40
Channel SecurityStill work in progress. . .
I Many more aspects to consider for secure channels in practice:I length-hiding / padding [PRS11]I fragmentation of ciphertexts [BDPS12]I stream-based data [FGMP15]I bidirectionality [MP17]I multiple keys [GM17]I multiplexing [PS18] Vivek
Feb 28I . . .
I despite being intuitively simple, the crypto community still hasn’t reallyconclusively ventilated the question: What is a secure channel protocol?
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 41
Introduction to TLSTLS ≤1.2 & Cryptographic Background
Thank You!TLS ≤1.2Jan 17 TLS intro [TLS12] & crypto backround [BR94,BKN02] FelixJan 24 Lucky 13 [AP13] NicholasJan 31 no seminar -Feb 7 The ACCE model [JKSS12,KPW13] JosephFeb 14 Logjam [ABD+15] Mark
TLS 1.3Feb 21 TLS 1.3 [TLS13] & some security models [FG17,GM17] FelixFeb 28 Multiplexing channels [PS18] VivekMar 7 Symbolic Tamarin analysis [CHH+17] BaiyuMar 14 Downgrade resilience [BBF+16] Ruth
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 42
References I
[ABD+15] D. Adrian, K. Bhargavan, Z. Durumeric, P. Gaudry, M. Green, J. A. Halderman, N. Heninger,D. Springall, E. Thomé, L. Valenta, B. VanderSloot, E. Wustrow, S. Z. Béguelin, andP. Zimmermann. “Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice”. In: ACMCCS 15. Ed. by I. Ray, N. Li, and C. Kruegel: ACM Press, Oct. 2015, pp. 5–17.
[AP13] N. J. AlFardan and K. G. Paterson. “Lucky Thirteen: Breaking the TLS and DTLS RecordProtocols”. In: 2013 IEEE Symposium on Security and Privacy. IEEE Computer Society Press,May 2013, pp. 526–540.
[BKN02] M. Bellare, T. Kohno, and C. Namprempre. “Authenticated Encryption in SSH: Provably FixingThe SSH Binary Packet Protocol”. In: ACM CCS 02. Ed. by V. Atluri. ACM Press, Nov. 2002,pp. 1–11.
[BN00] M. Bellare and C. Namprempre. “Authenticated Encryption: Relations among notions andanalysis of the generic composition paradigm”. In: ASIACRYPT 2000. Ed. by T. Okamoto.Vol. 1976. LNCS. Springer, Heidelberg, Dec. 2000, pp. 531–545.
[BR94] M. Bellare and P. Rogaway. “Entity Authentication and Key Distribution”. In: CRYPTO’93.Ed. by D. R. Stinson. Vol. 773. LNCS. Springer, Heidelberg, Aug. 1994, pp. 232–249.
[BBF+16] K. Bhargavan, C. Brzuska, C. Fournet, M. Green, M. Kohlweiss, and S. Z. Béguelin. “DowngradeResilience in Key-Exchange Protocols”. In: 2016 IEEE Symposium on Security and Privacy.IEEE Computer Society Press, May 2016, pp. 506–525.
[BDPS12] A. Boldyreva, J. P. Degabriele, K. G. Paterson, and M. Stam. “Security of Symmetric Encryptionin the Presence of Ciphertext Fragmentation”. In: EUROCRYPT 2012. Ed. by D. Pointchevaland T. Johansson. Vol. 7237. LNCS. Springer, Heidelberg, Apr. 2012, pp. 682–699.
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 43
References II
[CHH+17] C. Cremers, M. Horvat, J. Hoyland, S. Scott, and T. van der Merwe. “A ComprehensiveSymbolic Analysis of TLS 1.3”. In: ACM CCS 17. Ed. by B. M. Thuraisingham, D. Evans,T. Malkin, and D. Xu. ACM Press, 2017, pp. 1773–1788.
[TLS12] T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246(Proposed Standard). RFC. Fremont, CA, USA: RFC Editor, Aug. 2008.
[FG17] M. Fischlin and F. Günther. “Replay Attacks on Zero Round-Trip Time: The Case of theTLS 1.3 Handshake Candidates”. In: 2017 IEEE European Symposium on Security and Privacy,EuroS&P 2017. Paris, France: IEEE, 2017, pp. 60–75.
[FGMP15] M. Fischlin, F. Günther, G. A. Marson, and K. G. Paterson. “Data Is a Stream: Security ofStream-Based Channels”. In: CRYPTO 2015, Part II. Ed. by R. Gennaro and M. J. B. Robshaw.Vol. 9216. LNCS. Springer, Heidelberg, Aug. 2015, pp. 545–564.
[GM17] F. Günther and S. Mazaheri. “A Formal Treatment of Multi-key Channels”. In: CRYPTO 2017,Part III. Ed. by J. Katz and H. Shacham. Vol. 10403. LNCS. Springer, Heidelberg, Aug. 2017,pp. 587–618.
[Hea] Heartbleed bug. http://heartbleed.com/. 2014.[JKSS12] T. Jager, F. Kohlar, S. Schäge, and J. Schwenk. “On the Security of TLS-DHE in the Standard
Model”. In: CRYPTO 2012. Ed. by R. Safavi-Naini and R. Canetti. Vol. 7417. LNCS. Springer,Heidelberg, Aug. 2012, pp. 273–293.
[KPW13] H. Krawczyk, K. G. Paterson, and H. Wee. “On the Security of the TLS Protocol: A SystematicAnalysis”. In: CRYPTO 2013, Part I. Ed. by R. Canetti and J. A. Garay. Vol. 8042. LNCS.Springer, Heidelberg, Aug. 2013, pp. 429–448.
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 44
References III
[MP17] G. A. Marson and B. Poettering. “Security Notions for Bidirectional Channels”. In: IACR Trans.Symm. Cryptol. 2017.1 (2017), pp. 405–426.
[PRS11] K. G. Paterson, T. Ristenpart, and T. Shrimpton. “Tag Size Does Matter: Attacks and Proofsfor the TLS Record Protocol”. In: ASIACRYPT 2011. Ed. by D. H. Lee and X. Wang.Vol. 7073. LNCS. Springer, Heidelberg, Dec. 2011, pp. 372–389.
[PS18] C. Patton and T. Shrimpton. “Partially Specified Channels: The TLS 1.3 Record Layer withoutElision”. In: ACM CCS 18. Ed. by D. Lie, M. Mannan, M. Backes, and X. Wang. ACM Press,Oct. 2018, pp. 1415–1428.
[TLS13] E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (ProposedStandard). RFC. Fremont, CA, USA: RFC Editor, Aug. 2018.
[Vau02] S. Vaudenay. “Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS...”In: EUROCRYPT 2002. Ed. by L. R. Knudsen. Vol. 2332. LNCS. Springer, Heidelberg, 2002,pp. 534–546.
January 17, 2019 | Introduction to TLS | TLS Crypto Seminar, Winter 2019 Quarter, UC San Diego Felix Günther 45