0-RTT Key Establishment with Full Forward Secrecy


  1. 0-RTT Key Establishment with Full Forward Secrecy. Felix Günther (1), Britta Hale (2), Tibor Jager (3), Sebastian Lauer (4). (1) Technische Universität Darmstadt; (2) NTNU Norwegian University of Science and Technology; (3) Paderborn University; (4) Ruhr-Universität Bochum. Eurocrypt 2017

  2. 0-RTT with full forward secrecy Yes, it is possible! Britta Hale | EUROCRYPT 2017 | 2/ 256

  3. Key exchange latency: Round-Trip Time (RTT). [Diagram: Client, Server; 1-RTT, 2-RTT.]

  5. Key exchange latency, TLS+TCP. [Diagram: Client, Server. TCP SYN, TCP SYN+ACK (1-RTT); ClientHello, ServerHello, Enc.Extensions, Server Finished, Client Finished (1-RTT). Both sides: Session Key: K.]

  6. Key exchange latency, TLS + UDP. [Diagram: Client, Server. TCP SYN, TCP SYN+ACK (1-RTT); ClientHello, ServerHello, Enc.Extensions, Server Finished, Client Finished (1-RTT). Both sides: Session Key: K.]

  7. Why not send cryptographically protected payload immediately?

  8. Zero Round-Trip Time (0-RTT). [Diagram: Client, Server; payload; 0-RTT.]

  10. • QUIC by ... (Quick UDP Internet Connections)

  12. QUIC Protocol
      • Server holds $(pk_{sig}, sk_{sig})$ and $sk$.
      • Prior session, server to client: config: $g^{sk}$, $\mathrm{Sig}(sk_{sig}, g^{sk})$.
      • Client: $a \in \mathbb{Z}_q$, $k = g^{a \cdot sk}$; sends $g^{a}$, $\mathrm{Enc}(k, \text{payload})$.
      • Server: $b \in \mathbb{Z}_q$; sends $\mathrm{Enc}(k, g^{b})$.
      • Both sides: $K = g^{ab}$.

  14. QUIC Protocol Issues: Replay
      • Server holds $(pk_{sig}, sk_{sig})$ and $sk$.
      • Client: $k = g^{a \cdot sk}$; sends $g^{a}$, $\mathrm{Enc}(k, \text{payload})$.
      • The same message $g^{a}$, $\mathrm{Enc}(k, \text{payload})$ appears a second time in the diagram.

  16. QUIC Protocol Issues: Forward Secrecy
      • Server holds $(pk_{sig}, sk_{sig})$ and $sk$.
      • Client: $k = g^{a \cdot sk}$; sends $g^{a}$, $\mathrm{Enc}(k, \text{payload})$.
      • $k = g^{a \cdot sk}$ appears a second time in the diagram.

  26. Forward Secrecy Threat Landscape. [Timeline labels: $K_0$, $k_1$, $K_1$, $k_i$, $K_i$; event: learn long-term key.] Are past session keys secure? Perfect Forward Secrecy: long-term key compromised, past session keys remain secure.

  27. QUIC: medium-lived. [Timeline labels: $K_0$, $k_1$, $K_1$, $k_i$, $K_i$; event: learn long-term key.]

  28. Is Perfect Forward Secrecy even possible for 0-RTT?

  33. Yes! Our design:
      • Full Forward Secrecy
      • Replay protection
      • Based on hierarchical ID-based key encapsulation mechanism (with selective security) and one-time signatures
      • Flexible to different instantiations/assumptions
        • post-quantum
        • pairings
        • etc...

  34. Core idea: Server: static public key, but private key can be updated → Forward Secret KEM → Forward Secret 0-RTT KE

  35. Forward Secure 0-RTT KE. Core idea:
      • Server holds $(pk, sk)$.
      • Client: $(C, K) \leftarrow \mathrm{Enc}(pk)$; sends $C$.
      • Server: $K \leftarrow \mathrm{Dec}(sk, C)$; $sk \leftarrow \mathrm{Punct}(sk, C) \approx sk/C$.
      • Both sides: $K$.

  37. Hierarchical ID-Based KEM. [Binary key tree: root $sk$; children $sk_0$, $sk_1$; then $sk_{00}$, $sk_{01}$, $sk_{10}$, $sk_{11}$; then $sk_{000}$ through $sk_{111}$; leaves shown: $sk_{0010}$, $sk_{0011}$.]

  41. Puncturing private key $sk$. [Binary key tree: root $sk$; children $sk_0$, $sk_1$; then $sk_{00}$, $sk_{01}$, $sk_{10}$, $sk_{11}$; then $sk_{000}$ through $sk_{111}$; leaves shown: $sk_{0010}$, $sk_{0011}$.]
      • private key size ≈ #punctures × log(max #punctures/timeslot) + log(#timeslots)
      • #punctures = #sessions

  43. Purging the private key: time sync intervals $t_0, t_1, \ldots$ [Binary key tree: root $sk$; children $sk_0$, $sk_1$; then $sk_{00}$, $sk_{01}$, $sk_{10}$, $sk_{11}$; then $sk_{000}$ through $sk_{111}$; label: erase after $t_0$.]

  46. Evaluation: Barreto-Naehrig elliptic curve P256, bilinear pairing, pk 128 bits, one-time sig pk 256 bits, timeslot length 30 bits, avg. clock rate 3.2 GHz
      • Enc: ms
      • Dec: seconds
      • Puncturing: seconds
      → need only selective security ... Room for improvement?
      ... vs. Green and Myers S&P ’15:
      • Any HIBE vs. specific bilinear groups
      • CCA-secure in standard model vs. ROM

  48. Summary
      Now:
      • FS 0-RTT key exchange + security model
      • Generic construction + security proof (from one-time signatures and any hierarchical ID-based KEM with selective security)
      Future:
      • Optimize KEM key delegation
      • Make it practical!

  49. Questions?

  51. Acknowledgements: Some slide designs are based on presentations of the same work by co-authors Felix Günther and Tibor Jager.
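
The key-tree bookkeeping behind the "Puncturing private key" slides, as an added example that is not code from the talk or the paper. It is a symmetric toy: HMAC-SHA256 stands in for HIBKEM key delegation, a 4-bit leaf identity stands in for the value a ciphertext is bound to, and the names `child`, `PuncturableKey` and `demo` are hypothetical.

```python
import hashlib
import hmac


def child(key: bytes, bit: str) -> bytes:
    """Assumed stand-in for HIBKEM delegation: derive sk_{id||bit} from sk_id."""
    return hmac.new(key, bit.encode(), hashlib.sha256).digest()


class PuncturableKey:
    def __init__(self, root: bytes):
        # identity prefix -> key; before any puncture only the root sk is held
        self.nodes = {"": root}

    def _ancestor(self, leaf: str):
        # Stored prefixes are prefix-free, so at most one can cover `leaf`.
        return next((p for p in self.nodes if leaf.startswith(p)), None)

    def decap(self, leaf: str):
        """Return the key for `leaf`, or None once `leaf` has been punctured."""
        p = self._ancestor(leaf)
        if p is None:
            return None
        key = self.nodes[p]
        for bit in leaf[len(p):]:
            key = child(key, bit)
        return key

    def puncture(self, leaf: str) -> None:
        """Erase the ancestor of `leaf`; keep only the siblings along its path."""
        p = self._ancestor(leaf)
        if p is None:
            return  # already punctured, nothing left to erase
        key = self.nodes.pop(p)
        for i in range(len(p), len(leaf)):
            sibling = leaf[:i] + ("1" if leaf[i] == "0" else "0")
            self.nodes[sibling] = child(key, sibling[-1])
            key = child(key, leaf[i])  # path key is used, never stored


def demo():
    sk = PuncturableKey(b"constructed-root-secret")  # constructed sample key
    before = sk.decap("0010")   # first use of identity 0010 succeeds
    sk.puncture("0010")         # server punctures after decapsulating
    # A replay of 0010 now fails; the sibling leaf 0011 still works.
    return before, sk.decap("0010"), sk.decap("0011"), sorted(sk.nodes)
```

After one puncture the stored key consists of one node per tree level, which is where the "#punctures × log(...)" growth in private key size comes from.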
