on the security of the pre shared key
play

On the Security of the Pre-Shared Key Ciphersuites of TLS Yong Li 1 - PowerPoint PPT Presentation

Feb 06, 2024 •196 likes •509 views

On the Security of the Pre-Shared Key Ciphersuites of TLS Yong Li 1 , Sven Schge 2 , Zheng Yang 1 , Florian Kohlar 1 , and Jrg Schwenk 1 1 Horst Grtz Institute for IT Security, Bochum 2 University College London Buenos Aires, Argentina

  1. On the Security of the Pre-Shared Key Ciphersuites of TLS Yong Li 1 , Sven Schäge 2 , Zheng Yang 1 , Florian Kohlar 1 , and Jörg Schwenk 1 1 Horst Görtz Institute for IT Security, Bochum 2 University College London Buenos Aires, Argentina March 28, 2014 1

  2. Outline • Motivation • Introduction to SSL/TLS and Pre-Shared Key Ciphersuites • Security Analysis of Pre-Shared Key Ciphersuites of TLS – A Security Model for Authentication via ( Symmetric ) Pre-Shared Keys – Security Results for Pre-Shared Key Ciphersuites of TLS • Summary 2

  3. Outline • Motivation • Introduction to SSL/TLS and Pre-Shared Key Ciphersuites • Security Analysis of Pre-Shared Key Ciphersuites of TLS – A Security Model for Authentication via ( Symmetric ) Pre-Shared Keys – Security Results for Pre-Shared Key Ciphersuites of TLS • Summary 3

  4. PSK-Ciphersuites of TLS – TLS-PSK: Authentication with Symmetric Keys (PSKs) – Authentication of resource-restricted clients like smart-cards, SIM Cards, ID Cards, ... 4

  5. PSK-Ciphersuites of TLS • Several interesting and important scenarios for TLS with pre-shared keys: – Authentication protocol based on TLS-PSK for EMV smart cards – Application of TLS-PSK in the Generic Authentication , the 3GGP mobile phone standard for UMTS and LTE – New electronic German ID (eID) card supports online remote authentication 5

  6. Outline • Motivation • Introduction to SSL/TLS and Pre-Shared Key Ciphersuites • Security Analysis of Pre-Shared Key Ciphersuites of TLS – A Security Model for Authentication via ( Symmetric ) Pre-Shared Keys – Security Results for Pre-Shared Key Ciphersuites of TLS • Summary 6

  7. What is TLS? • T ransport L ayer S ecurity • C ryptographic p rotocols which provide secure communication over the I nternet • Confidentiality, Integrity and Authenticity 7

  8. TLS in TCP/IP Model Client Server http, smtp, ftp, http, smtp, ftp, Application Application … … TLS TLS TLS Transport Transport TCP TCP IP Internet IP Internet Ethernet,… Network Ethernet,… Network Secure Communication Channel 8

  9. TLS Sessions: Handshake + Record Layer TLS Handshake Protocol Client Server TLS Record Protocol TLS Handshake: TLS Record Layer: • • cryptographic parameters Data encryption and authentication using • authentication the session key k • session key k 9

  10. Pre-Shared Key Ciphersuites of TLS 3 families of Pre-Shared Key Ciphersuites of TLS: – Pre-shared Keys ( TLS_PSK ): Session key is solely based on the secret pre-shared keys ( PSK ). – RSA Encryption ( TLS_RSA_PSK ): Session key is dependent on PSK and a freshly exchanged secret via RSA Encryption. – Diffie-Hellman key exchange ( TLS_DHE_PSK ): Session key is dependent on PSK and Diffie-Hellman key exchange. 10

  11. Outline • Motivation • Introduction to SSL/TLS and Pre-Shared Key Ciphersuites • Security Analysis of Pre-Shared Key Ciphersuites of TLS – A Security Model for Authentication via (Symmetric) Pre-Shared Keys – Security Results for Pre-Shared Key Ciphersuites of TLS • Summary 11

  12. ACCE Model for PSK- Ciphersuites of TLS • Simple extension of the A uthenticated and C onfidential C hannel E stablishment ( ACCE ) model [JKSS’2012] : – Cover scenarios with pre-shared, symmetric keys • Model described by Two components – Security Model – Security Definition 12

  13. Real World without adversary (1) Server 2 (psk C2 ,...) Client 1 Client 2 Protocol Execution (psk c1 ) (psk C2 ) Network Server 1 Server 3 (psk C1 ,...) Client 3 (psk C3 ,...) (psk C3 ) 13

  14. Real World with adversary (2) Server 2 (PSK C2 ,...) Client 1 Client 2 Protocol Execution (PSK c1 ) (PSK C2 ) Network Server 1 Server 3 (PSK C1 ,...) Client 3 (PSK C3 ,...) (PSK C3 ) 14

  15. ACCE Adversary Model (1) • An adversary is allowed to send the following queries to the honest parties: – Send () – RevealKey () – Corrupt () – Encrypt () – Decrypt () 15

  16. Real World without adversary (2) Server 2 Protocol Execution (PSK C2 ,...) k 2 Client 1 Client 2 (PSK c1 ) (PSK C2 ) m= Dec( k 2 ,c) Decrypt(c) psk C2 k 1 Network Corrupt() RevealKey() k 1 Corrupt() psk C3 Server 3 (PSK C3 ,...) Server 1 Client 3 (PSK C1 ,...) (PSK C3 ) 16

  17. ACCE Security Definition (1) Client 1 Server 1 (PSK C1 ) (PSK C1 , ...) Client i (PSK Ci ) C Break Authentication Wins if he Distinguish C from is authenticated uniform random C‘ or Server j distinguishes C. (PSK C1 , ...) 17

  18. ACCE Security Definition (2) The adversary breaks the protocol if • he is successfully authenticated by a Server (or Client) ( Authentication Property ) or • distinguishes C from random ( Ciphertext Indistinguishability ). • with Perfect Forward Secrecy : – retain Ciphertext Indistinguishability for protocol sessions even if the long-term secrets of the client und server are exposed after session key is created. • with asymmetric Perfect Forward Secrecy: • similar to that of classical perfect forward secrecy except that only the client is allowed to be corrupted 18

  19. Outline • Motivation • Introduction to SSL/TLS and Pre-Shared Key Ciphersuites • Security Analysis of Pre-Shared Key Ciphersuites of TLS – A Security Model for Authentication via ( Symmetric ) Pre-Shared Keys – Security Results for Pre-Shared Key Ciphersuites of TLS • Summary 19

  20. TLS_PSK Handshake Cipher Suite Agreement Phase: r C , Supported Cipher Suites Client has PSK Server has PSK r S , selected Cipher Suite |PSK|=N bytes long |PSK|=N bytes long Key Exchange Phase: PSK identity pointing to the PSK used for pms=N ||0...0||N ||PSK authentication pms=N ||0...0||N ||PSK ms = PRF ( pms; Label 1 , r C , r S ) ms = PRF(pms; Label 1 , r C , r S ) k = PRF(ms; Label 2 , r C , r S ) k = PRF(ms; Label 2 , r C , r S ) Symmetric Encryption Phase: fin C = PRF(ms; Label 3 , H(prev. data)) Enc( k ; const S , fin C ) “Accept”, session key k with Client Enc( k ; const C , fin S ) “Accept”, session key k with Server fin S = PRF(ms; Label 4 ,H(prev. data)) 20

  21. TLS-PSK is a Secure ACCE Protocol Theorem : TLS-PSK is a secure ACCE protocol without forward secrecy , if • the PRF is a secure pseudo-random function , • hash function H is secure collision-resistant hash function , • The symmetric encryption is sLHAE-secure . sLHAE [PRS’11]: • Definition for symmetric ciphers • Exactly for TLS Protocol 21

  22. Double Pseudo-Random Functions ( DPRF ) • DPRF : a class of PRF with two input-keys • The output of the DPRF is indistinguishable from random even if the adversary chooses one key which will be revealed • A DPRF is easy to construct:  DPRF(k1; k2; m) := PRF1(k1; m) PRF2(k2; m) 22

  23. TLS_DHE_PSK Handshake Cipher Suite Agreement Phase: r C , Supported Cipher Suites Server has PSK Client has PSK r S , selected Cipher Suite |PSK|=N bytes long |PSK|=N bytes long Key Exchange Phase: c  Z q c  Z q g s mod p T = g cs mod p T = g sc mod p g c mod p |T|= L T bytes long |T|= L T bytes long pms := L T ||T||N||PSK pms := L T ||T||N||PSK ms = DPRF(pms;Label 1 ,r C ,r S ) Symmetric Encryption ms = DPRF(pms;Label 1 ,r C ,r S ) k = PRF(ms;Label 2 ,r C ,r S ) Phase: k = PRF(ms;Label 2 ,r C ,r S ) Enc( k ; const S , fin S ) fin S = PRF(ms; Label 3 , H(prev. data)) “Accept”, session key k with Server Enc( k ; const C , fin C ) “Accept”, session key k with Client fin C = PRF(ms; Label 4 , H(prev. data)) 23

  24. Double Pseudo-Random Functions (DPRF) • In order to prove perfect forward secrecy in TLS_ DHE _PSK, we assume that – TLS-PRF constitutes a secure DPRF – The key space of the DPRF: • K DPRF1 : the key space of the pre-shared key PSK • K DPRF2 : the key space of the freshly generated Diffie-Hellman secret T Example: Implementation in TLS1.1:  PRF(PSK,T; m) = HMAC_MD5 ’(T ; m) HMAC_SHA’(PSK ; m) 24

  25. TLS-DHE-PSK is a Secure ACCE Protocol Theorem : TLS-DHE-PSK is a secure ACCE protocol with perfect forward secrecy , if • DPRF TLS is a double secure pseudo-random function , • PRF TLS is a secure pseudo-random function (PRF) , • hash function H is secure collision-resistant hash function , • the DDH assumption holds in the Diffie-Hellman group, • the symmetric encryption is sLHAE-secure . 25

  26. TLS_RSA_PSK Handshake Cipher Suite Agreement Phase: r C , Supported Cipher Suites Server has PSK and Client has PSK r S , selected Cipher Suite RSA key pair: (pk S, sk S ) |PSK|=N bytes long |PSK|=N bytes long Key Exchange Phase: random value R random value R R = Dec(sk S , R) C = Enc(pk S , R) Ciphertext: C |R|= 46 bytes long |R|= 46 bytes long V = 2-byte version number V = 2-byte version number pms := 48||V||R||N||PSK pms := 48||V||R||N||PSK Symmetric Encryption ms = DPRF(pms;Label 1 ,r C ,r S ) ms = DPRF(pms;Label 1 ,r C ,r S ) Phase: k = PRF(ms;Label 2 ,r C ,r S ) k = PRF(ms;Label 2 ,r C ,r S ) Enc( k ; const S , fin S ) fin S = PRF(ms; Label 3 , H(prev. data)) “Accept”, session key k with Server Enc( k ; const C , fin C ) “Accept”, session key k with Client fin C = PRF(ms; Label 4 , H(prev. data)) 26 26

Recommend

CYBER SECURITY IS OUR SHARED RESPONSIBILITY WHAT ARE WE DEALING WITH AND WHAT DO WE NEED TO DO?

CYBER SECURITY IS OUR SHARED RESPONSIBILITY WHAT ARE WE DEALING WITH AND WHAT DO WE NEED TO DO?

CYBER SECURITY IS OUR SHARED RESPONSIBILITY WHAT ARE WE DEALING WITH AND WHAT DO WE NEED TO DO? NORTH DAKOTA CYBER SECURITY CONFERENCE Jay Beale, CTO and COO at InGuardians @jaybeale and @inguardians th , 2018 March 15

961 views • 50 slides
FISSEA 2011 SECURITY AWARENESS TRAINING SHARED SERVICE CENTERS Where Cost Avoidance and

FISSEA 2011 SECURITY AWARENESS TRAINING SHARED SERVICE CENTERS Where Cost Avoidance and

FISSEA 2011 SECURITY AWARENESS TRAINING SHARED SERVICE CENTERS Where Cost Avoidance and Compliance Meet Success Through Shared Services Tim McBride, Requirements & Acquisition Program Manager Homeland Cybersecurity and Communications

92 views • 6 slides
MI MI and Shared MI MI and Shared and Shared Decision Making and Shared Decision Making

MI MI and Shared MI MI and Shared and Shared Decision Making and Shared Decision Making

The project PRECIOUS has received funding from the European Union s Seventh Framework Programme under Grant Agreement n 611366" MI MI and Shared MI MI and Shared and Shared Decision Making and Shared Decision Making Decision Making

412 views • 20 slides
Security, IAM AWS sh shared red res espon ponsib sibility ility mo model el Portland

Security, IAM AWS sh shared red res espon ponsib sibility ility mo model el Portland

Security, IAM AWS sh shared red res espon ponsib sibility ility mo model el Portland State University CS 430P/530 Internet, Web & Cloud Systems Cloud ud se security urity In this course, security "in-the-cloud" via

445 views • 28 slides
Sancus: A Low-Cost Security Architecture for Distributed IoT Applications on a Shared

Sancus: A Low-Cost Security Architecture for Distributed IoT Applications on a Shared

Sancus: A Low-Cost Security Architecture for Distributed IoT Applications on a Shared Infrastructure Job Noorman Public PhD Defence 19 Apr 2017 Safety considerations when lodging in a hotel Untrusted guests Locked room Unknown personnel

1.16k views • 79 slides
Security Framework for Decentralized Shared Calendars Jagdish Prasad Achara Research Master of

Security Framework for Decentralized Shared Calendars Jagdish Prasad Achara Research Master of

Security Framework for Decentralized Shared Calendars Jagdish Prasad Achara Research Master of Computer Science (Specialty : Services, Security and Networks) 24 juin 2011 Universit Henri Poincar Jagdish Prasad Achara (UHP Nancy 1)

653 views • 25 slides
Security Handshake Pitfalls Slide 1 Login with Shared Secret: Variant 1 B: R , A: K f R g ,

Security Handshake Pitfalls Slide 1 Login with Shared Secret: Variant 1 B: R , A: K f R g ,

handshake 1 Security Handshake Pitfalls Slide 1 Login with Shared Secret: Variant 1 B: R , A: K f R g , where K fg can be hash AB authentication not mutual connection hijacking off-line password attack compromise of database

424 views • 16 slides
Building a Culture of Security Agenda What is a Culture of Security? Regulatory

Building a Culture of Security Agenda What is a Culture of Security? Regulatory

Building a Culture of Security Agenda What is a Culture of Security? Regulatory Requirements Cyber Hygiene How to Develop a Culture of Security What is a Culture of Security A set of values, shared by everyone in an

350 views • 11 slides
Shared Leadership and Shared Responsibility: Successful Shared Governance CUNY: John Jay College

Shared Leadership and Shared Responsibility: Successful Shared Governance CUNY: John Jay College

Shared Leadership and Shared Responsibility: Successful Shared Governance CUNY: John Jay College Deliver: April 28, 2017 R. Barbara Gitenstein President, The College of New Jersey The concept of shared governance at American institutions of

439 views • 7 slides
Security CS 4410 Operating Systems References: Security Introduction and Access Control by Fred

Security CS 4410 Operating Systems References: Security Introduction and Access Control by Fred

Security CS 4410 Operating Systems References: Security Introduction and Access Control by Fred Schneider Historical Context 1961 1969 1960s OSes begin to be shared. Enter: Communication Synchronization Protection Security:

1.16k views • 53 slides
A Shared Service Perspective From Morris County Shared Services April 7, 2009 A Shared Service

A Shared Service Perspective From Morris County Shared Services April 7, 2009 A Shared Service

A Shared Service Perspective From Morris County Shared Services April 7, 2009 A Shared Service Perspective Why Consider Shared Services? In February 2010, the Department of Community Affairs (DCA) announced the average property tax bill

663 views • 25 slides
DoD Shared Service Center for ISS LOB Tier I Security Awareness Training a and Tier II Role

DoD Shared Service Center for ISS LOB Tier I Security Awareness Training a and Tier II Role

DoD Shared Service Center for ISS LOB Tier I Security Awareness Training a and Tier II Role Based Training UNCLASSIFIED DoD ISSLOB Annual Awareness Training FY11 product in use (DoD, Federal, IC) FY12 product funded Customer

140 views • 12 slides
Shared Lives: the connection test Alex Fox, CEO Shared Lives Plus www.SharedLivesPlus.org.uk

Shared Lives: the connection test Alex Fox, CEO Shared Lives Plus www.SharedLivesPlus.org.uk

Shared Lives: the connection test Alex Fox, CEO Shared Lives Plus www.SharedLivesPlus.org.uk http://alexfoxblog.wordpress.com http://vimeo.com/108993357 Kent Shared Lives Karl and Clare with Shared Lives carers Blossom and Mike, at their

542 views • 15 slides
Interprocess Communication Mechanisms shared storage shared virtual memory shared files

Interprocess Communication Mechanisms shared storage shared virtual memory shared files

Interprocess Communication 1 Interprocess Communication Mechanisms shared storage shared virtual memory shared files message-based signals sockets pipes . . . CS350 Operating Systems Winter 2015 Interprocess

669 views • 18 slides
Distributed Shared Memory Shared memory : difficult to realize vs . easy to program with.

Distributed Shared Memory Shared memory : difficult to realize vs . easy to program with.

CSCE 613 : Operating Systems Memory Models CSCE 613: Interlude: Distributed Shared Memory Shared Memory Systems Consistency Models Distributed Shared Memory Systems page based shared-variable based Reading (old!):

679 views • 21 slides
Dungarvin, Inc. Shared Living: Legal and Tax Considerations Scope of this Presentation: Shared

Dungarvin, Inc. Shared Living: Legal and Tax Considerations Scope of this Presentation: Shared

Presented by: Dave Toeniskoetter President and CEO Dungarvin, Inc. Shared Living: Legal and Tax Considerations Scope of this Presentation: Shared Living arrangements (not staffed group homes) supporting people with I/DD. Shared Living:

442 views • 29 slides
COMP 590-154: Computer Architecture Shared-Memory Multi-Processors Shared-Memory Multiprocessors

COMP 590-154: Computer Architecture Shared-Memory Multi-Processors Shared-Memory Multiprocessors

COMP 590-154: Computer Architecture Shared-Memory Multi-Processors Shared-Memory Multiprocessors Multiple threads use shared memory (address space) SysV Shared Memory or Threads in software Communication implicit via loads

548 views • 40 slides
Residential Shared Zones RAD 9 4 6 3 8 2 W HAT ? A Residential Shared Zone is a street

Residential Shared Zones RAD 9 4 6 3 8 2 W HAT ? A Residential Shared Zone is a street

RAD 9 4 6 3 8 2 Residential Shared Zones RAD 9 4 6 3 8 2 W HAT ? A Residential Shared Zone is a street where pedestrians and cyclists share the road with motor vehicles with some added features that make it safer for everyone.

223 views • 10 slides
Hull and East Yorkshire Hospitals Hull CCG East Riding CCG Shared Vision, Shared Opportunity,

Hull and East Yorkshire Hospitals Hull CCG East Riding CCG Shared Vision, Shared Opportunity,

Hull and East Yorkshire Hospitals Hull CCG East Riding CCG Shared Vision, Shared Opportunity, Shared Risk Commitment to System Wide Improvement Address cost base via activity reductions Joint responsibility right care in the

125 views • 8 slides
LAW-MWE-CxG 2018 Shared task poster boosters 1. DEEP-BGT AT PARSEME SHARED TASK 2018:

LAW-MWE-CxG 2018 Shared task poster boosters 1. DEEP-BGT AT PARSEME SHARED TASK 2018:

LAW-MWE-CxG 2018 Shared task poster boosters 1. DEEP-BGT AT PARSEME SHARED TASK 2018: BIDIRECTIONAL LSTM- CRF MODEL FOR VERBAL MULTIWORD EXPRESSION IDENTIFICATION, Gzde Berk, Berna Erden and Tunga Gungor 2. GBD-NER AT PARSEME SHARED TASK

555 views • 14 slides
Security CS 4410 Operating Systems [E. Birrell, A. Bracy, E. Sirer, R. Van Renesse] References:

Security CS 4410 Operating Systems [E. Birrell, A. Bracy, E. Sirer, R. Van Renesse] References:

Security CS 4410 Operating Systems [E. Birrell, A. Bracy, E. Sirer, R. Van Renesse] References: Security Introduction and Access Control by Fred Schneider Historical Context 1961 1969 1960s OSes begin to be shared. Enter:

750 views • 45 slides
Security CS 4410 Operating Systems [E. Birrell, A. Bracy, E. Sirer, R. Van Renesse] References:

Security CS 4410 Operating Systems [E. Birrell, A. Bracy, E. Sirer, R. Van Renesse] References:

Security CS 4410 Operating Systems [E. Birrell, A. Bracy, E. Sirer, R. Van Renesse] References: Security Introduction and Access Control by Fred Schneider Historical Context 1961 1969 1960s OSes begin to be shared. Enter:

812 views • 47 slides
Lessons from the Shared Air / Shared Action: Community Empowerment through Low Cost Air Pollution

Lessons from the Shared Air / Shared Action: Community Empowerment through Low Cost Air Pollution

Lessons from the Shared Air / Shared Action: Community Empowerment through Low Cost Air Pollution Monitoring Project Gregory Newmark September 14, 2018 Air Sensors International Conference Air Quality is Important Annual premature deaths

368 views • 33 slides
them all A story of cross-software ownage, shared codebases and advanced exploitation. Mateusz

them all A story of cross-software ownage, shared codebases and advanced exploitation. Mateusz

One font vulnerability to rule them all A story of cross-software ownage, shared codebases and advanced exploitation. Mateusz j00ru Jurczyk REcon 2015, Montreal PS> whoami Project Zero @ Google Low-level security researcher

2.33k views • 187 slides

More recommend