0-RTT Key Establishment with Full Forward Secrecy (presentation slides)

SLIDE 1

0-RTT Key Establishment with Full Forward Secrecy

Felix Günther¹, Britta Hale², Tibor Jager³, Sebastian Lauer⁴

¹ Technischen Universität Darmstadt
² NTNU Norwegian University of Science and Technology
³ Paderborn University
⁴ Ruhr-Universität Bochum

Eurocrypt 2017

SLIDE 2

Britta Hale | EUROCRYPT 2017 | 2/256

0-RTT with full forward secrecy

Yes, it is possible!

SLIDE 3

Key exchange latency: Round-Trip Time (RTT)

[Diagram: Client and Server exchanging messages, labelled 1-RTT and 2-RTT]

SLIDE 5

Key exchange latency, TLS + TCP:

  • 1-RTT: TCP SYN, TCP SYN+ACK
  • 1-RTT: ClientHello, ServerHello, Enc.Extensions, Server Finished, Client Finished
  • Client and Server: Session Key: K

SLIDE 6

Key exchange latency, TLS + UDP:

[Diagram labels: 1-RTT, TCP SYN, TCP SYN+ACK; 1-RTT, ClientHello, ServerHello, Enc.Extensions, Server Finished, Client Finished; Session Key: K at Client and Server]

SLIDE 7

Why not send cryptographically protected payload immediately?

SLIDE 8

Zero Round-Trip Time (0-RTT)

[Diagram: Client → Server, payload sent with 0-RTT]

SLIDE 10

  • QUIC by ...

(Quick UDP Internet Connections)

SLIDE 12

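QUIC Protocol

  • Server holds $(pk_{sig}, sk_{sig})$ and $sk$
  • (prior session) Server → Client, config: $g^{sk}$, $\mathrm{Sig}(sk_{sig}, g^{sk})$
  • Client: $a \in \mathbb{Z}_q$, $k = g^{a \cdot sk}$
  • Client → Server: $g^{a}$, $\mathrm{Enc}(k, \text{payload})$
  • Server: $b \in \mathbb{Z}_q$
  • Server → Client: $\mathrm{Enc}(k, g^{b})$
  • Client and Server: $K = g^{ab}$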

SLIDE 14

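QUIC Protocol Issues: Replay

  • Server holds $(pk_{sig}, sk_{sig})$ and $sk$
  • Client → Server: $g^{a}$, $\mathrm{Enc}(k, \text{payload})$, with $k = g^{a \cdot sk}$
  • The same message $g^{a}$, $\mathrm{Enc}(k, \text{payload})$ arrives at the Server a second time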

SLIDE 16

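QUIC Protocol Issues: Forward Secrecy

  • Server holds $(pk_{sig}, sk_{sig})$ and $sk$
  • Client → Server: $g^{a}$, $\mathrm{Enc}(k, \text{payload})$
  • $k = g^{a \cdot sk}$ appears twice in the diagram: $k$ depends only on the transmitted $g^{a}$ and the Server's $sk$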

SLIDE 26

Forward Secrecy Threat Landscape:

[Timeline: $K_0$, $k_1$, $K_1$, $k_i$, $K_i$]

Learn long-term key

Are past session keys secure?

Perfect Forward Secrecy: long-term key compromised → past session keys remain secure

SLIDE 27

QUIC

[Timeline: $K_0$, $k_1$, $K_1$, $k_i$, $K_i$]

Learn long-term key medium-lived

SLIDE 28

Is Perfect Forward Secrecy even possible for 0-RTT?

SLIDE 33

Yes!

Our design:

  • Full Forward Secrecy
  • Replay protection
  • Based on hierarchical ID-based key encapsulation mechanism (with selective security) and one-time signatures
  • Flexible to different instantiations/assumptions
      • post-quantum
      • pairings
      • etc...

SLIDE 34

Core idea:

Server: static public key – private key can be updated
→ Forward Secret KEM
→ Forward Secret 0-RTT KE

SLIDE 35

Forward Secure 0-RTT KE, core idea:

  • Server holds (pk, sk)
  • Client: (C, K) ← Enc(pk)
  • Client → Server: C
  • Server: K ← Dec(sk, C)
  • Server: sk ← Punct(sk, C) ≈ sk/C
  • Client and Server: K

SLIDE 37

Hierarchical ID-Based KEM

[Key tree, one level per line]
sk
sk_0 sk_1
sk_00 sk_01 sk_10 sk_11
sk_000 sk_001 sk_010 sk_011 sk_100 sk_101 sk_110 sk_111
sk_0010 sk_0011

SLIDE 41

Puncturing private key sk

[Key tree, one level per line]
sk
sk_0 sk_1
sk_00 sk_01 sk_10 sk_11
sk_000 sk_001 sk_010 sk_011 sk_100 sk_101 sk_110 sk_111
sk_0010 sk_0011

  • private key size ≈ #punctures × log(max #punctures/timeslot) + log(#timeslots)
  • #punctures = #sessions
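
The tree puncturing above and the time-slot purging on the following slide, as an added Python example (not code from the authors): an HMAC-SHA256 hash tree stands in for HIBKEM key delegation, so it models only which node keys the server keeps, not the public-key encapsulation. The seed, the 4-bit paths and all function names are assumptions.

```python
import hashlib
import hmac

def child(key: bytes, bit: str) -> bytes:
    """Key of the child node reached by `bit`; stands in for HIBKEM key delegation."""
    return hmac.new(key, bit.encode(), hashlib.sha256).digest()

def keygen(seed: bytes) -> dict:
    """Initial private key: the root node only (path '')."""
    return {"": seed}

def derive(sk: dict, path: str):
    """Key for `path` if it or one of its ancestors is still stored, else None."""
    for i in range(len(path) + 1):
        if path[:i] in sk:
            key = sk[path[:i]]
            for bit in path[i:]:
                key = child(key, bit)
            return key
    return None

def puncture(sk: dict, path: str) -> dict:
    """Return a key that can no longer derive `path` or anything below it."""
    sk = dict(sk)
    node = next((path[:i] for i in range(len(path) + 1) if path[:i] in sk), None)
    if node is not None:
        key = sk.pop(node)
        for bit in path[len(node):]:
            sibling = "1" if bit == "0" else "0"
            sk[node + sibling] = child(key, sibling)  # keep the off-path subtree
            key = child(key, bit)                     # walk on towards `path`
            node += bit
    # Purging a whole time slot also drops nodes stored below `path`.
    return {p: k for p, k in sk.items() if not p.startswith(path)}

def accept(sk: dict, ident: str):
    """Server side of one session: K <- Dec(sk, C); sk <- Punct(sk, C)."""
    key = derive(sk, ident)
    return key, (puncture(sk, ident) if key is not None else sk)

if __name__ == "__main__":
    sk0 = keygen(b"constructed demo seed")   # constructed sample input
    k1, sk1 = accept(sk0, "0010")            # first delivery of session 0010
    k2, sk2 = accept(sk1, "0010")            # replayed delivery is rejected
    print(k1.hex()[:16], k2, sorted(sk1))
    print(sorted(puncture(sk1, "0")))        # erase time slot 0
```

The forward-secrecy property holds only if the pre-puncture key is actually erased from memory and storage; this sketch returns a new dictionary and leaves that erasure to the caller.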

SLIDE 43

Purging the private key: time sync intervals $t_0, t_1, \ldots$

[Key tree, one level per line]
sk
sk_0 sk_1
sk_00 sk_01 sk_10 sk_11
sk_000 sk_001 sk_010 sk_011 sk_100 sk_101 sk_110 sk_111

Diagram annotation: erase after $t_0$

SLIDE 46

Evaluation:

Barreto-Naehrig elliptic curve P256, bilinear pairing, pk 128 bits, one-time sig pk 256 bits, timeslot length 30 bits, avg. clock rate 3.2 GHz

  • Enc: ms
  • Dec: seconds
  • Puncturing: seconds

→ need only selective security

...Room for improvement?

... vs. Green and Miers S&P ’15:

  • Any HIBE vs. specific bilinear groups
  • CCA-secure in standard model vs. ROM

SLIDE 48

Summary

Now:

  • FS 0-RTT key exchange + security model
  • Generic construction + security proof (from one-time signatures and any hierarchical ID-based KEM with selective security)

Future:

  • Optimize KEM key delegation
  • Make it practical!

SLIDE 49

Questions?

SLIDE 51

Acknowledgements

Some slide designs are based on presentations of the same work by co-authors Felix Günther and Tibor Jager