public key 0 rtt protocols
play

Public-Key 0-RTT Protocols Tibor Jager Paderborn University Summer - PowerPoint PPT Presentation

Nov 08, 2023 •99 likes •1.07k views

Public-Key 0-RTT Protocols Tibor Jager Paderborn University Summer School on Real-World Crypto and Privacy ibenik, Croatia June 20 th , 2019 Outline Mass surveillance and Forward Security 0-RTT Protocols and their Forward Security

  1. Public-Key 0-RTT Protocols Tibor Jager Paderborn University Summer School on Real-World Crypto and Privacy Šibenik, Croatia June 20 th , 2019

  2. Outline • Mass surveillance and Forward Security • 0-RTT Protocols and their Forward Security – Challenges – Impossibility? • Forward-Secure 0-RTT Protocols – Rather theoretical solution (EUROCRYPT 2017) – Somewhat practical solution (EUROCRYPT 2018) – Practical solution for TLS 1.3 (EUROCRYPT 2019) 2

  3. Before ca. 2011 Internet Encrypted = Not encrypted = 3

  4. Before ca. 2011 Internet J Encrypted = Not encrypted = 4

  5. https://searchengineland.com/google-to-begin-encrypting-searches-outbound-clicks-by-default-97435 5

  6. https://searchengineland.com/google-to-begin-encrypting-searches-outbound-clicks-by-default-97435 https://www.facebook.com/notes/facebook-engineering/secure- browsing-by-default/10151590414803920/ 6

  7. https://searchengineland.com/google-to-begin-encrypting-searches-outbound-clicks-by-default-97435 https://www.facebook.com/notes/facebook-engineering/secure- browsing-by-default/10151590414803920/ April 5, 2016 https://blog.whatsapp.com/10000618/end-to-end-encryption?l=en 7

  8. Today Internet L Encrypted = Not encrypted = 8

  9. Mass Surveillance of Encrypted Data Internet Database Encrypted = Not encrypted = 9

  10. Mass Surveillance of Encrypted Data Internet Google, we need your secret key. Database Encrypted = Not encrypted = 10

  11. Mass Surveillance of Encrypted Data Internet Google, we need your secret key. Database Encrypted = Not encrypted = 11

  12. Lavabit 12

  13. Lavabit https://en.wikipedia.org/wiki/Lavabit#Connection_to_Edward_Snowden 13

  14. Lavabit https://en.wikipedia.org/wiki/Lavabit#Connection_to_Edward_Snowden https://arstechnica.com/tech-policy/2014/04/lavabit-held-in-contempt-of-court-for- 14 printing-crypto-key-in-tiny-font/

  15. Mass Surveillance Everywhere https://techcrunch.com/2016/01/14/no-backdoors-but-uk-government- still-wants-encryption-decrypted-on-request/ https://www.forbes.com/sites/kenrapoza/2017/10/16/russia-fines- https://zoomapps.club/whatsapp-threema-and-co- cryptocurrency-worlds-preferred-messaging-app-telegram/#767569eef765 seehofer-wants-to-enforce-decryption-of-chats/ 15

  16. Forward Security* Makes large-scale collection of encrypted data useless Secret key Session 1 Session 3 Session 2 Session 4 with Alice with Charlie with Bob with Alice Time *aka. Forward Secrecy, aka. Perfect Forward Secrecy/Security, aka. pre-compromise security 16

  17. Outline • Mass surveillance and Forward Security • 0-RTT Protocols and their Forward Security – Challenges – Impossibility? • Forward-Secure 0-RTT Protocols – Rather theoretical solution (EUROCRYPT 2017) – Somewhat practical solution (EUROCRYPT 2018) – Practical solution for TLS 1.3 (EUROCRYPT 2019) 17

  18. Key Establishment with TLS 1.3 Server S Client ClientHello ServerHello Compute session key k Cert, Cert Vfy., SFIN Client Finished CFIN Enc k (Payload) 18

  19. Key Establishment with TLS 1.3 Server S Client ClientHello ServerHello Compute 1 RTT session key k Cert, Cert Vfy., SFIN Client Finished CFIN Enc k (Payload) 19

  20. Key Establishment with TLS 1.3 Server S Client SYN 1 RTT SYN/ACK ACK ClientHello ServerHello Compute 1 RTT session key k Cert, Cert Vfy., SFIN Client Finished CFIN Enc k (Payload) 20

  21. Key Establishment with TLS 1.3 Server S Client SYN 1 RTT SYN/ACK ACK ClientHello ServerHello Compute 1 RTT session key k Cert, Cert Vfy., SFIN Client Finished CFIN Enc k (Payload) 2 RTTs before first payload message can be sent Is this really necessary? 21

  22. Key Establishment with TLS 1.3 Server S Client SYN 1 RTT SYN/ACK ACK ClientHello ServerHello Compute 1 RTT session key k Cert, Cert Vfy., SFIN Client Finished CFIN Enc k (Payload) Using UDP instead of TCP saves one RTT Enc k (Payload) 22

  23. Key Establishment with TLS 1.3 Server S Client SYN 1 RTT SYN/ACK ACK ClientHello ServerHello Compute 1 RTT session key k Cert, Cert Vfy., SFIN Client Finished CFIN Enc k (Payload) Using UDP instead of TCP saves one RTT Enc k (Payload) Objective: send cryptographically protected payload in first message from client to server (“0-RTT KE”) 23

  24. Why 0-RTT? • Delay page delivery by 100 ms ⇒ -1% revenue (Amazon, 2006) • 500 ms RTT not unusual for * – Mobile internet – Satellite internet – Rural broadband connections • Why not! 24 (*) http://glinden.blogspot.se/2006/11/marissa-mayer-at-web-20.html

  25. Why 0-RTT? • Delay page delivery by 100 ms ⇒ -1% revenue Yearly revenue in 2018: 232.9 billion USD (Amazon, 2006) • 500 ms RTT not unusual for * – Mobile internet – Satellite internet – Rural broadband connections • Why not! 25 (*) http://glinden.blogspot.se/2006/11/marissa-mayer-at-web-20.html

  26. Why 0-RTT? • Delay page delivery by 100 ms ⇒ -1% revenue Yearly revenue in 2018: 232.9 billion USD (Amazon, 2006) • 500 ms RTT not unusual for * – Mobile internet – Satellite internet – Rural broadband connections • Why not! 26 (*) http://glinden.blogspot.se/2006/11/marissa-mayer-at-web-20.html

  27. Why 0-RTT? • Delay page delivery by 100 ms ⇒ -1% revenue Yearly revenue in 2018: 232.9 billion USD (Amazon, 2006) • 500 ms RTT not unusual for * – Mobile internet – Satellite internet – Rural broadband connections • Latency requirements of applications 27 (*) http://glinden.blogspot.se/2006/11/marissa-mayer-at-web-20.html

  28. Trivial Protocol (pk, sk) C = Enc pk (k) k = Dec sk (C) SymEnc(k, payload) Client Server 28

  29. Trivial Protocol (pk, sk) C = Enc pk (k) k = Dec sk (C) SymEnc(k, payload) Client Server Major deficiencies: 1. No Forward Secrecy 2. Vulnerable to replay attacks 29

  30. Replay Attack (pk, sk) C = Enc pk (k) k = Dec sk (C) SymEnc(k, payload) 30

  31. Replay Attack (pk, sk) C = Enc pk (k) k = Dec sk (C) SymEnc(k, payload) C = Enc pk (k) SymEnc(k, payload) 31

  32. Replay Attack (pk, sk) C = Enc pk (k) k = Dec sk (C) SymEnc(k, payload) C = Enc pk (k) SymEnc(k, payload) C = Enc pk (k) SymEnc(k, payload) 32

  33. Breaking Confidentiality with a Replay Attack Web Server GoodCitizensManual.pdf DissidentsHandbook.pdf Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, 33 https://github.com/tlswg/tls13-spec/issues/1001

  34. Breaking Confidentiality with a Replay Attack Web Server GET DissidentsHandbook.pdf GoodCitizensManual.pdf DissidentsHandbook.pdf Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, 34 https://github.com/tlswg/tls13-spec/issues/1001

  35. Breaking Confidentiality with a Replay Attack Web Server GET DissidentsHandbook.pdf DissidentsHandbook.pdf GoodCitizensManual.pdf DissidentsHandbook.pdf Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, 35 https://github.com/tlswg/tls13-spec/issues/1001

  36. Breaking Confidentiality with a Replay Attack Web Server GET DissidentsHandbook.pdf DissidentsHandbook.pdf GoodCitizensManual.pdf DissidentsHandbook.pdf GET DissidentsHandbook.pdf Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, 36 https://github.com/tlswg/tls13-spec/issues/1001

  37. Breaking Confidentiality with a Replay Attack Web Server GET DissidentsHandbook.pdf DissidentsHandbook.pdf GoodCitizensManual.pdf DissidentsHandbook.pdf GET DissidentsHandbook.pdf Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, 37 https://github.com/tlswg/tls13-spec/issues/1001

  38. Breaking Confidentiality with a Replay Attack Web Server GET DissidentsHandbook.pdf DissidentsHandbook.pdf GoodCitizensManual.pdf DissidentsHandbook.pdf GET DissidentsHandbook.pdf Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, 38 https://github.com/tlswg/tls13-spec/issues/1001

  39. Breaking Confidentiality with a Replay Attack Web Server GET DissidentsHandbook.pdf DissidentsHandbook.pdf GoodCitizensManual.pdf DissidentsHandbook.pdf GET DissidentsHandbook.pdf ERROR 404 not found Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, 39 https://github.com/tlswg/tls13-spec/issues/1001

  40. Preventing replays for 0-RTT Protocols • Server may remember all received messages – Difficult in applications with multiple servers (load balancing, multiple data centers, …) • Alternatively, use this only for applications where replay attacks are “not harmful”™ • Eric Rescorla in a talk (*) about TLS 1.3 0-RTT: – “Difficult application integration issue” – “But too big a win not to do” 40 (*) http://web.stanford.edu/class/ee380/Abstracts/151118-slides.pdf

  41. Preventing replays for 0-RTT Protocols • Server may remember all received messages – Difficult in applications with multiple servers (load balancing, multiple data centers, …) • Or use only for applications where replay attacks are “not harmful”™ • Eric Rescorla in a talk (*) about TLS 1.3 0-RTT: – “Difficult application integration issue” – “But too big a win not to do” 41 (*) http://web.stanford.edu/class/ee380/Abstracts/151118-slides.pdf

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the Composition of Public- - On the Composition of Public Coin Zero- -Knowledge Protocols

On the Composition of Public- - On the Composition of Public Coin Zero- -Knowledge Protocols

On the Composition of Public- - On the Composition of Public Coin Zero- -Knowledge Protocols Knowledge Protocols Coin Zero Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktrm (KTH) 1 Zero Knowledge [GMR85] Zero

613 views • 22 slides
Outline Public-key crypto basics Public key encryption and signatures CSci 5271 Announcements

Outline Public-key crypto basics Public key encryption and signatures CSci 5271 Announcements

Outline Public-key crypto basics Public key encryption and signatures CSci 5271 Announcements intermission Introduction to Computer Security Day 16: Crypto protocols and S protocols Cryptographic protocols, pt. 1 Stephen McCamant Key

492 views • 11 slides
1 Key Exchange Diffie-Hellman Key Exchange Parties may have initial information Assume

1 Key Exchange Diffie-Hellman Key Exchange Parties may have initial information Assume

TECS Week 2005 Key Management Options Key Management Protocols Out of band and Compositionality Can set up some keys this way (Kerberos) Public-key infrastructure (PKI) Leverage small # of public signing keys Protocols for

282 views • 5 slides
Outline Public key crypto RSA Essentials Computer Security: Public Key Crypto Public Key Crypto

Outline Public key crypto RSA Essentials Computer Security: Public Key Crypto Public Key Crypto

Public key crypto Public key crypto RSA Essentials RSA Essentials Public Key Crypto in Java Public Key Crypto in Java Radboud University Nijmegen Radboud University Nijmegen Public key protocols Public key protocols Diffie-Hellman and El

448 views • 16 slides
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
Application-Layer Protocols The World-Wide Web (HTTP) Reliable file transfer (FTP)

Application-Layer Protocols The World-Wide Web (HTTP) Reliable file transfer (FTP)

COMP 431 Application-Layer Protocols Internet Services & Protocols Outline application application transport Example client/server systems and network their application-level protocols: link physical Application-Layer Protocols

281 views • 13 slides
Application-Layer Protocols: The World-Wide Web (HTTP) Reliable file transfer (FTP) The

Application-Layer Protocols: The World-Wide Web (HTTP) Reliable file transfer (FTP) The

COMP 431 Application-Layer Protocols Internet Services & Protocols Outline application application transport network Example client/server systems and link their application-level protocols: physical Application-Layer Protocols:

432 views • 10 slides
Communication Protocols Lecture 19 TLS We saw... Symmetric-Key Components SKE, MAC Public-Key

Communication Protocols Lecture 19 TLS We saw... Symmetric-Key Components SKE, MAC Public-Key

Communication Protocols Lecture 19 TLS We saw... Symmetric-Key Components SKE, MAC Public-Key Components PKE, Digital Signatures Building blocks: Block-ciphers (AES), Hash-functions (SHA-3), Trapdoor PRG/OWP for PKE (e.g., DDH, RSA) and

444 views • 16 slides
Outline Public-key crypto basics Public key encryption and signatures CSci 5271 Introduction to

Outline Public-key crypto basics Public key encryption and signatures CSci 5271 Introduction to

Outline Public-key crypto basics Public key encryption and signatures CSci 5271 Introduction to Computer Security Announcements Day 16: Cryptographic protocols and failures Cryptographic protocols Stephen McCamant HW1 debrief University of

673 views • 11 slides
Outline Public key crypto Computer Security: Public Key Crypto RSA Essentials Bart Jacobs

Outline Public key crypto Computer Security: Public Key Crypto RSA Essentials Bart Jacobs

Public key crypto Public key crypto RSA Essentials RSA Essentials Public key protocols Radboud University Nijmegen Public key protocols Radboud University Nijmegen Diffie-Hellman and El Gamal Diffie-Hellman and El Gamal Outline Public key

328 views • 10 slides
Communication Chapter 2 Layered Protocols (1) 2-1 Layers, interfaces, and protocols in the OSI

Communication Chapter 2 Layered Protocols (1) 2-1 Layers, interfaces, and protocols in the OSI

Communication Chapter 2 Layered Protocols (1) 2-1 Layers, interfaces, and protocols in the OSI model. 1 Layered Protocols (2) 2-2 A typical message as it appears on the network. Data Link Layer 2-3 Discussion between a receiver and a

577 views • 23 slides
Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols Data handled by computers: Banking details Emails Messaging Adult websites Private files Mobile devices 2 Goal of dissertation Is the

758 views • 51 slides
4 Application Layer Protocols Device Management Protocols Application layer protocols offering

4 Application Layer Protocols Device Management Protocols Application layer protocols offering

EPFL, Spring 2017 4 Application Layer Protocols Device Management Protocols Application layer protocols offering remote services for large networks of devices: - Monitoring (health of devices and network, get current state) - Management

1.31k views • 93 slides
Is the efficacy of the pediatric-like protocols for ALL superior to the protocols for adult ALL?

Is the efficacy of the pediatric-like protocols for ALL superior to the protocols for adult ALL?

The 1 st World Congress on Controversies in Hematology (COHEM) Rome, September, 2-5, 2010 Session 4. Acute Lymphoblastic Leukemia Is the efficacy of the pediatric-like protocols for ALL superior to the protocols for adult ALL? No No JM

990 views • 44 slides
Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Authentication Confidentiality Example: HTTPS (HTTP + TLS)

669 views • 42 slides
1 Pitfalls of Lock-Based Protocols (Cont.) The Two-Phase Locking Protocol The potential for

1 Pitfalls of Lock-Based Protocols (Cont.) The Two-Phase Locking Protocol The potential for

Concurrency Control Lock-Based Protocols Timestamp-Based Protocols Lecture 9 Concurrency Control Validation-Based Protocols Multiple Granularity Multiversion Schemes Deadlock Handling Chapter 16 Insert and Delete

780 views • 8 slides
Management & Supervision: Selected Legal Issues Jill D. Moore, JD, MPH University of North

Management & Supervision: Selected Legal Issues Jill D. Moore, JD, MPH University of North

Fall 2014 Management and Supervision Management & Supervision: Selected Legal Issues Jill D. Moore, JD, MPH University of North Carolina School of Government October 2014 Game Plan Fundamentals of public health law Sources of

900 views • 32 slides
How to Make the Trial Fair New Rules Guidance Who Controls Your Docket? Every man

How to Make the Trial Fair New Rules Guidance Who Controls Your Docket? Every man

How to Make the Trial Fair New Rules Guidance Who Controls Your Docket? Every man (woman) is entitled to a fair trial Oliver v. Commonwealth, 151 Va. 533 (1928) Commonwealth v. Proffitt, p. 8 Sexual Violent Predator- jury

217 views • 19 slides
On Constructing Lower Power and Robust Clock Tree via Slew Budgeting Yeh-Chi Chang, Chun-Kai

On Constructing Lower Power and Robust Clock Tree via Slew Budgeting Yeh-Chi Chang, Chun-Kai

1 On Constructing Lower Power and Robust Clock Tree via Slew Budgeting Yeh-Chi Chang, Chun-Kai Wang and Hung-Ming Chen Dept. of EE, National Chiao Tung University, Taiwan 2012 3 29 Outline 2 Motivation Previous Clock Tree

610 views • 35 slides
MEMCARE (Metals and Metal Mixtures: Cognitive Aging, Remediation, and Exposure Sources) To

MEMCARE (Metals and Metal Mixtures: Cognitive Aging, Remediation, and Exposure Sources) To

P42ES030990 MEMCARE (Metals and Metal Mixtures: Cognitive Aging, Remediation, and Exposure Sources) To understand and mitigate the effects of exposure, particularly early life exposure, to metals and metal mixtures on late life cognitive

236 views • 22 slides
Discovery requirements and obligations under rule 3.220 and understanding Brady v. Maryland and

Discovery requirements and obligations under rule 3.220 and understanding Brady v. Maryland and

Flo lorid ida R Rule le of C Crim imin inal l Procedure 3 3.1 .113 Discovery requirements and obligations under rule 3.220 and understanding Brady v. Maryland and Giglio v. United States By Denis M. deVlaming Board Certified in

1.19k views • 100 slides
Defa efamation ation an and Virgini rginia Com ommon on I Int ntere erest st Co Comm

Defa efamation ation an and Virgini rginia Com ommon on I Int ntere erest st Co Comm

C OM M UN ITY A SSOC IA TIO N L EG A L S EM INAR 2020 C H A DWI C K , W A SHIN GTO N , M ORIA RTY , E LMOR E & B U N N , P.C. Defa efamation ation an and Virgini rginia Com ommon on I Int ntere erest st Co Comm mmunit unity

409 views • 19 slides
HOUSING UPDATE Daniel Skinner Partner Capsticks Helen Gascoigne

HOUSING UPDATE Daniel Skinner Partner Capsticks Helen Gascoigne

HOUSING UPDATE Daniel Skinner Partner Capsticks Helen Gascoigne Associate - Capsticks daniel.skinner@capsticks.com helen.gascoigne@capsticks.com 07841 004921 01962 678398 @dskinnerlegal @misshelsg Who Are We?

970 views • 65 slides
Democracy and Social Justice in an Age of Datafication Joanna Redden Reddenj@Cardiff.ac.uk

Democracy and Social Justice in an Age of Datafication Joanna Redden Reddenj@Cardiff.ac.uk

Democracy and Social Justice in an Age of Datafication Joanna Redden Reddenj@Cardiff.ac.uk www.datajusticelab.org @DataJusticeLab Research Approach: TOP 3 Neoliberal Context Power / Agency Datafication Data Assemblage

564 views • 33 slides

More recommend