
On the Security of the Pre-Shared Key Ciphersuites of TLS (PowerPoint presentation)



  1. On the Security of the Pre-Shared Key Ciphersuites of TLS
  Yong Li (1), Sven Schäge (2), Zheng Yang (1), Florian Kohlar (1), and Jörg Schwenk (1)
  (1) Horst Görtz Institute for IT Security, Bochum
  (2) University College London
  Buenos Aires, Argentina, March 28, 2014

  2. Outline
  • Motivation
  • Introduction to SSL/TLS and Pre-Shared Key Ciphersuites
  • Security Analysis of Pre-Shared Key Ciphersuites of TLS
    – A Security Model for Authentication via (Symmetric) Pre-Shared Keys
    – Security Results for Pre-Shared Key Ciphersuites of TLS
  • Summary


  4. PSK-Ciphersuites of TLS
  – TLS-PSK: Authentication with Symmetric Keys (PSKs)
  – Authentication of resource-restricted clients like smart cards, SIM cards, ID cards, ...

  5. PSK-Ciphersuites of TLS
  • Several interesting and important scenarios for TLS with pre-shared keys:
    – Authentication protocol based on TLS-PSK for EMV smart cards
    – Application of TLS-PSK in the Generic Authentication, the 3GPP mobile phone standard for UMTS and LTE
    – The new electronic German ID (eID) card supports online remote authentication


  7. What is TLS?
  • Transport Layer Security
  • Cryptographic protocols which provide secure communication over the Internet
  • Confidentiality, Integrity and Authenticity

  8. TLS in TCP/IP Model
  (Diagram: identical protocol stacks on Client and Server, joined by a secure communication channel at the TLS layer.)
  • Application layer: http, smtp, ftp, ...
  • TLS
  • Transport layer: TCP
  • Internet layer: IP
  • Network layer: Ethernet, ...

  9. TLS Sessions: Handshake + Record Layer
  (Diagram: Client and Server first run the TLS Handshake Protocol, then the TLS Record Protocol.)
  • TLS Handshake:
    – cryptographic parameters
    – authentication
    – session key k
  • TLS Record Layer:
    – data encryption and authentication using the session key k

  10. Pre-Shared Key Ciphersuites of TLS
  3 families of Pre-Shared Key Ciphersuites of TLS:
  – Pre-shared Keys (TLS_PSK): Session key is solely based on the secret pre-shared keys (PSK).
  – RSA Encryption (TLS_RSA_PSK): Session key is dependent on PSK and a freshly exchanged secret via RSA Encryption.
  – Diffie-Hellman key exchange (TLS_DHE_PSK): Session key is dependent on PSK and Diffie-Hellman key exchange.


  12. ACCE Model for PSK-Ciphersuites of TLS
  • Simple extension of the Authenticated and Confidential Channel Establishment (ACCE) model [JKSS'2012]:
    – Cover scenarios with pre-shared, symmetric keys
  • Model described by two components
    – Security Model
    – Security Definition

  13. Real World without adversary (1)
  (Diagram: Client 1, Client 2 and Client 3 hold psk_C1, psk_C2 and psk_C3 respectively; Server 1, Server 2 and Server 3 each hold a list of pre-shared keys (psk_C1, ...), (psk_C2, ...) and (psk_C3, ...); protocol executions run between clients and servers over the network.)

  14. Real World with adversary (2)
  (Diagram: the same parties and keys as on the previous slide, written as PSK_C1, PSK_C2 and PSK_C3, now with the adversary present on the network.)

  15. ACCE Adversary Model (1)
  • An adversary is allowed to send the following queries to the honest parties:
    – Send()
    – RevealKey()
    – Corrupt()
    – Encrypt()
    – Decrypt()

  16. Real World without adversary (2)
  (Diagram: the same parties, with the adversary's queries drawn in: Decrypt(c) on the session between Client 2 and Server 2 with session key k_2 returns m = Dec(k_2, c); RevealKey() on the Client 1 session returns the session key k_1; Corrupt() queries return the long-term keys psk_C2 and psk_C3.)

  17. ACCE Security Definition (1)
  (Diagram: Client 1 (PSK_C1) and Server 1 (PSK_C1, ...) as before; Client i (PSK_Ci) sends a ciphertext C to Server j (PSK_C1, ...).)
  The adversary wins if he
  • breaks authentication: he is authenticated, or
  • distinguishes C from a uniform random C'.

  18. ACCE Security Definition (2)
  The adversary breaks the protocol if
  • he is successfully authenticated by a Server (or Client) (Authentication Property), or
  • distinguishes C from random (Ciphertext Indistinguishability).
  • with Perfect Forward Secrecy:
    – retain Ciphertext Indistinguishability for protocol sessions even if the long-term secrets of the client and server are exposed after the session key is created.
  • with asymmetric Perfect Forward Secrecy:
    – similar to classical perfect forward secrecy except that only the client is allowed to be corrupted


  20. TLS_PSK Handshake
  Client has PSK, Server has PSK; |PSK| = N bytes long on both sides.
  Cipher Suite Agreement Phase:
  – Client → Server: r_C, Supported Cipher Suites
  – Server → Client: r_S, selected Cipher Suite
  Key Exchange Phase:
  – Client → Server: PSK identity pointing to the PSK used for authentication
  – Both sides: pms = N||0...0||N||PSK
  – Both sides: ms = PRF(pms; Label_1, r_C, r_S)
  – Both sides: k = PRF(ms; Label_2, r_C, r_S)
  Symmetric Encryption Phase:
  – Client: fin_C = PRF(ms; Label_3, H(prev. data)), sends Enc(k; const_C, fin_C)
  – Server: fin_S = PRF(ms; Label_4, H(prev. data)), sends Enc(k; const_S, fin_S)
  – Server: "Accept", session key k with Client
  – Client: "Accept", session key k with Server

  21. TLS-PSK is a Secure ACCE Protocol
  Theorem: TLS-PSK is a secure ACCE protocol without forward secrecy, if
  • the PRF is a secure pseudo-random function,
  • the hash function H is a secure collision-resistant hash function,
  • the symmetric encryption is sLHAE-secure.
  sLHAE [PRS'11]:
  • Definition for symmetric ciphers
  • Exactly for the TLS Protocol

  22. Double Pseudo-Random Functions (DPRF)
  • DPRF: a class of PRF with two input keys
  • The output of the DPRF is indistinguishable from random even if the adversary chooses one key which will be revealed
  • A DPRF is easy to construct: DPRF(k1; k2; m) := PRF1(k1; m) ⊕ PRF2(k2; m)

  23. TLS_DHE_PSK Handshake
  Client has PSK, Server has PSK; |PSK| = N bytes long on both sides.
  Cipher Suite Agreement Phase:
  – Client → Server: r_C, Supported Cipher Suites
  – Server → Client: r_S, selected Cipher Suite
  Key Exchange Phase:
  – Server: s ←$ Z_q, sends g^s mod p
  – Client: c ←$ Z_q, sends g^c mod p
  – Client: T = g^{sc} mod p; Server: T = g^{cs} mod p; |T| = L_T bytes long
  – Both sides: pms := L_T||T||N||PSK
  – Both sides: ms = DPRF(pms; Label_1, r_C, r_S)
  – Both sides: k = PRF(ms; Label_2, r_C, r_S)
  Symmetric Encryption Phase:
  – Server: fin_S = PRF(ms; Label_3, H(prev. data)), sends Enc(k; const_S, fin_S)
  – Client: fin_C = PRF(ms; Label_4, H(prev. data)), sends Enc(k; const_C, fin_C)
  – Client: "Accept", session key k with Server
  – Server: "Accept", session key k with Client

  24. Double Pseudo-Random Functions (DPRF)
  • In order to prove perfect forward secrecy in TLS_DHE_PSK, we assume that
    – TLS-PRF constitutes a secure DPRF
    – The key space of the DPRF:
      • K_DPRF1: the key space of the pre-shared key PSK
      • K_DPRF2: the key space of the freshly generated Diffie-Hellman secret T
  Example: Implementation in TLS 1.1: PRF(PSK, T; m) = HMAC_MD5'(T; m) ⊕ HMAC_SHA'(PSK; m)

  25. TLS-DHE-PSK is a Secure ACCE Protocol
  Theorem: TLS-DHE-PSK is a secure ACCE protocol with perfect forward secrecy, if
  • DPRF_TLS is a double secure pseudo-random function,
  • PRF_TLS is a secure pseudo-random function (PRF),
  • the hash function H is a secure collision-resistant hash function,
  • the DDH assumption holds in the Diffie-Hellman group,
  • the symmetric encryption is sLHAE-secure.

  26. TLS_RSA_PSK Handshake
  Client has PSK; Server has PSK and an RSA key pair (pk_S, sk_S); |PSK| = N bytes long on both sides.
  Cipher Suite Agreement Phase:
  – Client → Server: r_C, Supported Cipher Suites
  – Server → Client: r_S, selected Cipher Suite
  Key Exchange Phase:
  – Client: random value R, |R| = 46 bytes long; V = 2-byte version number; C = Enc(pk_S, R)
  – Client → Server: Ciphertext C
  – Server: R = Dec(sk_S, C)
  – Both sides: pms := 48||V||R||N||PSK
  – Both sides: ms = DPRF(pms; Label_1, r_C, r_S)
  – Both sides: k = PRF(ms; Label_2, r_C, r_S)
  Symmetric Encryption Phase:
  – Server: fin_S = PRF(ms; Label_3, H(prev. data)), sends Enc(k; const_S, fin_S)
  – Client: fin_C = PRF(ms; Label_4, H(prev. data)), sends Enc(k; const_C, fin_C)
  – Client: "Accept", session key k with Server
  – Server: "Accept", session key k with Client
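As an added example (not part of the slides or the paper's own code), the Python below assembles the three premaster secret layouts from the handshake slides as RFC 4279 specifies them and runs them through the TLS 1.0/1.1 PRF, whose two-half split is the DPRF structure of slides 22 and 24: P_MD5 is keyed by the first half of pms (where T sits in TLS_DHE_PSK) and P_SHA1 by the second half (where PSK sits), while for plain TLS_PSK the first half is only the public padding N||0...0. The RFC label strings and seed order are used where the slides abstract them as Label_1 and Label_2; the PSK, T and nonces are constructed sample values, not real key material.

```python
import hmac
import struct

def p_hash(hash_name, secret, seed, length):
    """P_<hash> from RFC 4346 section 5: HMAC chained over A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed                                  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def split_secret(secret):
    """S1 = first half, S2 = second half of the secret (one shared byte for odd lengths)."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[-half:]

def tls11_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF = P_MD5(S1, label||seed) XOR P_SHA1(S2, label||seed).
    Each half of the secret keys its own PRF: the DPRF shape from the slides."""
    s1, s2 = split_secret(secret)
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))

# Premaster secret layouts from RFC 4279 (the slides' N||0...0||N||PSK etc.).
def psk_premaster(psk):
    n = struct.pack("!H", len(psk))
    return n + b"\x00" * len(psk) + n + psk             # first half is public padding

def dhe_psk_premaster(dh_secret, psk):
    return struct.pack("!H", len(dh_secret)) + dh_secret + struct.pack("!H", len(psk)) + psk

def rsa_psk_premaster(version, rand46, psk):
    if len(version) != 2 or len(rand46) != 46:
        raise ValueError("RSA_PSK needs a 2-byte version and 46 random bytes")
    return struct.pack("!H", 48) + version + rand46 + struct.pack("!H", len(psk)) + psk

def derive_keys(pms, r_c, r_s, key_len=32):
    """ms = PRF(pms; Label_1, ...) and k = PRF(ms; Label_2, ...); RFC labels and seed order."""
    ms = tls11_prf(pms, b"master secret", r_c + r_s, 48)
    k = tls11_prf(ms, b"key expansion", r_s + r_c, key_len)
    return ms, k

# Constructed sample inputs, not real key material.
PSK = bytes(range(16))
T = bytes(range(0x80, 0x90))       # stands in for g^(cs) mod p, |T| = 16
R_C, R_S = b"\x11" * 32, b"\x22" * 32
```

The halves line up exactly with T and PSK only when |T| = |PSK|; with unequal lengths the boundary bytes of one value spill into the other half, which is why the slides state the DPRF assumption over TLS-PRF as a whole rather than over two cleanly separated keys.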
