public key 0 rtt protocols
play

Public-Key 0-RTT Protocols Tibor Jager Paderborn University Summer - PowerPoint PPT Presentation

Nov 08, 2023 •99 likes •1.07k views

Public-Key 0-RTT Protocols Tibor Jager Paderborn University Summer School on Real-World Crypto and Privacy ibenik, Croatia June 20 th , 2019 Outline Mass surveillance and Forward Security 0-RTT Protocols and their Forward Security

  1. Public-Key 0-RTT Protocols Tibor Jager Paderborn University Summer School on Real-World Crypto and Privacy Šibenik, Croatia June 20 th , 2019

  2. Outline • Mass surveillance and Forward Security • 0-RTT Protocols and their Forward Security – Challenges – Impossibility? • Forward-Secure 0-RTT Protocols – Rather theoretical solution (EUROCRYPT 2017) – Somewhat practical solution (EUROCRYPT 2018) – Practical solution for TLS 1.3 (EUROCRYPT 2019) 2

  3. Before ca. 2011 Internet Encrypted = Not encrypted = 3

  4. Before ca. 2011 Internet J Encrypted = Not encrypted = 4

  5. https://searchengineland.com/google-to-begin-encrypting-searches-outbound-clicks-by-default-97435 5

  6. https://searchengineland.com/google-to-begin-encrypting-searches-outbound-clicks-by-default-97435 https://www.facebook.com/notes/facebook-engineering/secure- browsing-by-default/10151590414803920/ 6

  7. https://searchengineland.com/google-to-begin-encrypting-searches-outbound-clicks-by-default-97435 https://www.facebook.com/notes/facebook-engineering/secure- browsing-by-default/10151590414803920/ April 5, 2016 https://blog.whatsapp.com/10000618/end-to-end-encryption?l=en 7

  8. Today Internet L Encrypted = Not encrypted = 8

  9. Mass Surveillance of Encrypted Data Internet Database Encrypted = Not encrypted = 9

  10. Mass Surveillance of Encrypted Data Internet Google, we need your secret key. Database Encrypted = Not encrypted = 10

  11. Mass Surveillance of Encrypted Data Internet Google, we need your secret key. Database Encrypted = Not encrypted = 11

  12. Lavabit 12

  13. Lavabit https://en.wikipedia.org/wiki/Lavabit#Connection_to_Edward_Snowden 13

  14. Lavabit https://en.wikipedia.org/wiki/Lavabit#Connection_to_Edward_Snowden https://arstechnica.com/tech-policy/2014/04/lavabit-held-in-contempt-of-court-for- 14 printing-crypto-key-in-tiny-font/

  15. Mass Surveillance Everywhere https://techcrunch.com/2016/01/14/no-backdoors-but-uk-government- still-wants-encryption-decrypted-on-request/ https://www.forbes.com/sites/kenrapoza/2017/10/16/russia-fines- https://zoomapps.club/whatsapp-threema-and-co- cryptocurrency-worlds-preferred-messaging-app-telegram/#767569eef765 seehofer-wants-to-enforce-decryption-of-chats/ 15

  16. Forward Security* Makes large-scale collection of encrypted data useless Secret key Session 1 Session 3 Session 2 Session 4 with Alice with Charlie with Bob with Alice Time *aka. Forward Secrecy, aka. Perfect Forward Secrecy/Security, aka. pre-compromise security 16

  17. Outline • Mass surveillance and Forward Security • 0-RTT Protocols and their Forward Security – Challenges – Impossibility? • Forward-Secure 0-RTT Protocols – Rather theoretical solution (EUROCRYPT 2017) – Somewhat practical solution (EUROCRYPT 2018) – Practical solution for TLS 1.3 (EUROCRYPT 2019) 17

  18. Key Establishment with TLS 1.3 Server S Client ClientHello ServerHello Compute session key k Cert, Cert Vfy., SFIN Client Finished CFIN Enc k (Payload) 18

  19. Key Establishment with TLS 1.3 Server S Client ClientHello ServerHello Compute 1 RTT session key k Cert, Cert Vfy., SFIN Client Finished CFIN Enc k (Payload) 19

  20. Key Establishment with TLS 1.3 Server S Client SYN 1 RTT SYN/ACK ACK ClientHello ServerHello Compute 1 RTT session key k Cert, Cert Vfy., SFIN Client Finished CFIN Enc k (Payload) 20

  21. Key Establishment with TLS 1.3 Server S Client SYN 1 RTT SYN/ACK ACK ClientHello ServerHello Compute 1 RTT session key k Cert, Cert Vfy., SFIN Client Finished CFIN Enc k (Payload) 2 RTTs before first payload message can be sent Is this really necessary? 21

  22. Key Establishment with TLS 1.3 Server S Client SYN 1 RTT SYN/ACK ACK ClientHello ServerHello Compute 1 RTT session key k Cert, Cert Vfy., SFIN Client Finished CFIN Enc k (Payload) Using UDP instead of TCP saves one RTT Enc k (Payload) 22

  23. Key Establishment with TLS 1.3 Server S Client SYN 1 RTT SYN/ACK ACK ClientHello ServerHello Compute 1 RTT session key k Cert, Cert Vfy., SFIN Client Finished CFIN Enc k (Payload) Using UDP instead of TCP saves one RTT Enc k (Payload) Objective: send cryptographically protected payload in first message from client to server (“0-RTT KE”) 23

  24. Why 0-RTT? • Delay page delivery by 100 ms ⇒ -1% revenue (Amazon, 2006) • 500 ms RTT not unusual for * – Mobile internet – Satellite internet – Rural broadband connections • Why not! 24 (*) http://glinden.blogspot.se/2006/11/marissa-mayer-at-web-20.html

  25. Why 0-RTT? • Delay page delivery by 100 ms ⇒ -1% revenue Yearly revenue in 2018: 232.9 billion USD (Amazon, 2006) • 500 ms RTT not unusual for * – Mobile internet – Satellite internet – Rural broadband connections • Why not! 25 (*) http://glinden.blogspot.se/2006/11/marissa-mayer-at-web-20.html

  26. Why 0-RTT? • Delay page delivery by 100 ms ⇒ -1% revenue Yearly revenue in 2018: 232.9 billion USD (Amazon, 2006) • 500 ms RTT not unusual for * – Mobile internet – Satellite internet – Rural broadband connections • Why not! 26 (*) http://glinden.blogspot.se/2006/11/marissa-mayer-at-web-20.html

  27. Why 0-RTT? • Delay page delivery by 100 ms ⇒ -1% revenue Yearly revenue in 2018: 232.9 billion USD (Amazon, 2006) • 500 ms RTT not unusual for * – Mobile internet – Satellite internet – Rural broadband connections • Latency requirements of applications 27 (*) http://glinden.blogspot.se/2006/11/marissa-mayer-at-web-20.html

  28. Trivial Protocol (pk, sk) C = Enc pk (k) k = Dec sk (C) SymEnc(k, payload) Client Server 28

  29. Trivial Protocol (pk, sk) C = Enc pk (k) k = Dec sk (C) SymEnc(k, payload) Client Server Major deficiencies: 1. No Forward Secrecy 2. Vulnerable to replay attacks 29

  30. Replay Attack (pk, sk) C = Enc pk (k) k = Dec sk (C) SymEnc(k, payload) 30

  31. Replay Attack (pk, sk) C = Enc pk (k) k = Dec sk (C) SymEnc(k, payload) C = Enc pk (k) SymEnc(k, payload) 31

  32. Replay Attack (pk, sk) C = Enc pk (k) k = Dec sk (C) SymEnc(k, payload) C = Enc pk (k) SymEnc(k, payload) C = Enc pk (k) SymEnc(k, payload) 32

  33. Breaking Confidentiality with a Replay Attack Web Server GoodCitizensManual.pdf DissidentsHandbook.pdf Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, 33 https://github.com/tlswg/tls13-spec/issues/1001

  34. Breaking Confidentiality with a Replay Attack Web Server GET DissidentsHandbook.pdf GoodCitizensManual.pdf DissidentsHandbook.pdf Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, 34 https://github.com/tlswg/tls13-spec/issues/1001

  35. Breaking Confidentiality with a Replay Attack Web Server GET DissidentsHandbook.pdf DissidentsHandbook.pdf GoodCitizensManual.pdf DissidentsHandbook.pdf Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, 35 https://github.com/tlswg/tls13-spec/issues/1001

  36. Breaking Confidentiality with a Replay Attack Web Server GET DissidentsHandbook.pdf DissidentsHandbook.pdf GoodCitizensManual.pdf DissidentsHandbook.pdf GET DissidentsHandbook.pdf Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, 36 https://github.com/tlswg/tls13-spec/issues/1001

  37. Breaking Confidentiality with a Replay Attack Web Server GET DissidentsHandbook.pdf DissidentsHandbook.pdf GoodCitizensManual.pdf DissidentsHandbook.pdf GET DissidentsHandbook.pdf Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, 37 https://github.com/tlswg/tls13-spec/issues/1001

  38. Breaking Confidentiality with a Replay Attack Web Server GET DissidentsHandbook.pdf DissidentsHandbook.pdf GoodCitizensManual.pdf DissidentsHandbook.pdf GET DissidentsHandbook.pdf Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, 38 https://github.com/tlswg/tls13-spec/issues/1001

  39. Breaking Confidentiality with a Replay Attack Web Server GET DissidentsHandbook.pdf DissidentsHandbook.pdf GoodCitizensManual.pdf DissidentsHandbook.pdf GET DissidentsHandbook.pdf ERROR 404 not found Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, 39 https://github.com/tlswg/tls13-spec/issues/1001

  40. Preventing replays for 0-RTT Protocols • Server may remember all received messages – Difficult in applications with multiple servers (load balancing, multiple data centers, …) • Alternatively, use this only for applications where replay attacks are “not harmful”™ • Eric Rescorla in a talk (*) about TLS 1.3 0-RTT: – “Difficult application integration issue” – “But too big a win not to do” 40 (*) http://web.stanford.edu/class/ee380/Abstracts/151118-slides.pdf

  41. Preventing replays for 0-RTT Protocols • Server may remember all received messages – Difficult in applications with multiple servers (load balancing, multiple data centers, …) • Or use only for applications where replay attacks are “not harmful”™ • Eric Rescorla in a talk (*) about TLS 1.3 0-RTT: – “Difficult application integration issue” – “But too big a win not to do” 41 (*) http://web.stanford.edu/class/ee380/Abstracts/151118-slides.pdf

Recommend

On the Composition of Public- - On the Composition of Public Coin Zero- -Knowledge Protocols

On the Composition of Public- - On the Composition of Public Coin Zero- -Knowledge Protocols

On the Composition of Public- - On the Composition of Public Coin Zero- -Knowledge Protocols Knowledge Protocols Coin Zero Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktrm (KTH) 1 Zero Knowledge [GMR85] Zero

613 views • 22 slides
Outline Public-key crypto basics Public key encryption and signatures CSci 5271 Announcements

Outline Public-key crypto basics Public key encryption and signatures CSci 5271 Announcements

Outline Public-key crypto basics Public key encryption and signatures CSci 5271 Announcements intermission Introduction to Computer Security Day 16: Crypto protocols and S protocols Cryptographic protocols, pt. 1 Stephen McCamant Key

492 views • 11 slides
1 Key Exchange Diffie-Hellman Key Exchange Parties may have initial information Assume

1 Key Exchange Diffie-Hellman Key Exchange Parties may have initial information Assume

TECS Week 2005 Key Management Options Key Management Protocols Out of band and Compositionality Can set up some keys this way (Kerberos) Public-key infrastructure (PKI) Leverage small # of public signing keys Protocols for

282 views • 5 slides
Outline Public key crypto RSA Essentials Computer Security: Public Key Crypto Public Key Crypto

Outline Public key crypto RSA Essentials Computer Security: Public Key Crypto Public Key Crypto

Public key crypto Public key crypto RSA Essentials RSA Essentials Public Key Crypto in Java Public Key Crypto in Java Radboud University Nijmegen Radboud University Nijmegen Public key protocols Public key protocols Diffie-Hellman and El

448 views • 16 slides
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
Application-Layer Protocols The World-Wide Web (HTTP) Reliable file transfer (FTP)

Application-Layer Protocols The World-Wide Web (HTTP) Reliable file transfer (FTP)

COMP 431 Application-Layer Protocols Internet Services & Protocols Outline application application transport Example client/server systems and network their application-level protocols: link physical Application-Layer Protocols

281 views • 13 slides
Application-Layer Protocols: The World-Wide Web (HTTP) Reliable file transfer (FTP) The

Application-Layer Protocols: The World-Wide Web (HTTP) Reliable file transfer (FTP) The

COMP 431 Application-Layer Protocols Internet Services & Protocols Outline application application transport network Example client/server systems and link their application-level protocols: physical Application-Layer Protocols:

432 views • 10 slides
Communication Protocols Lecture 19 TLS We saw... Symmetric-Key Components SKE, MAC Public-Key

Communication Protocols Lecture 19 TLS We saw... Symmetric-Key Components SKE, MAC Public-Key

Communication Protocols Lecture 19 TLS We saw... Symmetric-Key Components SKE, MAC Public-Key Components PKE, Digital Signatures Building blocks: Block-ciphers (AES), Hash-functions (SHA-3), Trapdoor PRG/OWP for PKE (e.g., DDH, RSA) and

444 views • 16 slides
Outline Public-key crypto basics Public key encryption and signatures CSci 5271 Introduction to

Outline Public-key crypto basics Public key encryption and signatures CSci 5271 Introduction to

Outline Public-key crypto basics Public key encryption and signatures CSci 5271 Introduction to Computer Security Announcements Day 16: Cryptographic protocols and failures Cryptographic protocols Stephen McCamant HW1 debrief University of

673 views • 11 slides
Outline Public key crypto Computer Security: Public Key Crypto RSA Essentials Bart Jacobs

Outline Public key crypto Computer Security: Public Key Crypto RSA Essentials Bart Jacobs

Public key crypto Public key crypto RSA Essentials RSA Essentials Public key protocols Radboud University Nijmegen Public key protocols Radboud University Nijmegen Diffie-Hellman and El Gamal Diffie-Hellman and El Gamal Outline Public key

328 views • 10 slides
Communication Chapter 2 Layered Protocols (1) 2-1 Layers, interfaces, and protocols in the OSI

Communication Chapter 2 Layered Protocols (1) 2-1 Layers, interfaces, and protocols in the OSI

Communication Chapter 2 Layered Protocols (1) 2-1 Layers, interfaces, and protocols in the OSI model. 1 Layered Protocols (2) 2-2 A typical message as it appears on the network. Data Link Layer 2-3 Discussion between a receiver and a

577 views • 23 slides
Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols Data handled by computers: Banking details Emails Messaging Adult websites Private files Mobile devices 2 Goal of dissertation Is the

758 views • 51 slides
4 Application Layer Protocols Device Management Protocols Application layer protocols offering

4 Application Layer Protocols Device Management Protocols Application layer protocols offering

EPFL, Spring 2017 4 Application Layer Protocols Device Management Protocols Application layer protocols offering remote services for large networks of devices: - Monitoring (health of devices and network, get current state) - Management

1.31k views • 93 slides
Is the efficacy of the pediatric-like protocols for ALL superior to the protocols for adult ALL?

Is the efficacy of the pediatric-like protocols for ALL superior to the protocols for adult ALL?

The 1 st World Congress on Controversies in Hematology (COHEM) Rome, September, 2-5, 2010 Session 4. Acute Lymphoblastic Leukemia Is the efficacy of the pediatric-like protocols for ALL superior to the protocols for adult ALL? No No JM

990 views • 44 slides
Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Authentication Confidentiality Example: HTTPS (HTTP + TLS)

669 views • 42 slides
1 Pitfalls of Lock-Based Protocols (Cont.) The Two-Phase Locking Protocol The potential for

1 Pitfalls of Lock-Based Protocols (Cont.) The Two-Phase Locking Protocol The potential for

Concurrency Control Lock-Based Protocols Timestamp-Based Protocols Lecture 9 Concurrency Control Validation-Based Protocols Multiple Granularity Multiversion Schemes Deadlock Handling Chapter 16 Insert and Delete

780 views • 8 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
AW Central Lab - UCMR 3 Sampling Protocols Sampling Protocols Presenter: Cody Cruse Rev

AW Central Lab - UCMR 3 Sampling Protocols Sampling Protocols Presenter: Cody Cruse Rev

AW Central Lab - UCMR 3 Sampling Protocols Sampling Protocols Presenter: Cody Cruse Rev 01-22-13 Rpt Ver: andy 1/22/2013 2:23:35 PM 1 of 17 Agenda Review UCMR 3 Test Groups Sampling Protocols Storage and Transportation 2 Rpt

712 views • 17 slides
Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols 01 Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief introduction to security protocols; Model checking of security protocols, particularly using the process

1.28k views • 110 slides
Brian LaMacchia Agenda Integrity Checking (HMAC redux) Protocols (Part 1 Session-based

Brian LaMacchia Agenda Integrity Checking (HMAC redux) Protocols (Part 1 Session-based

Winter 2011 Josh Benaloh Brian LaMacchia Agenda Integrity Checking (HMAC redux) Protocols (Part 1 Session-based protocols) Introduction Kerberos SSL/TLS Certificates and Public Key Infrastructure (PKI) Certificates

1.81k views • 135 slides
Consistency Protocols Description describe an implementation of a specific

Consistency Protocols Description describe an implementation of a specific

Consistency Protocols Description describe an implementation of a specific consistency model Classification Distributed Systems (ICE 601) primary-based protocols remote-write protocols Replication & Consistency

425 views • 4 slides
HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest mechanisms called challenge-response entity authentication exchange cleartext bitstrings directly, i.e., no cryptographic primitives are used A PUF

1.08k views • 38 slides
Developing - Implementing - Enforcing New Protocols in a Health Club Environment DEVELOPING

Developing - Implementing - Enforcing New Protocols in a Health Club Environment DEVELOPING

Developing - Implementing - Enforcing New Protocols in a Health Club Environment DEVELOPING COVID-19 PROTOCOLS & GUIDELINES PROTOCOL RESEARCH + CREATION Wellness Partners + Hospital Network Patient room protocols for cleaning

751 views • 37 slides
Applications Lecture goal: Overview: conceptual + implementation specific protocols:

Applications Lecture goal: Overview: conceptual + implementation specific protocols:

Applications Lecture goal: Overview: conceptual + implementation specific protocols: aspects of network o http --- Web application protocols o ftp --- File transfer learn about protocols by examining popular o smtp --- Mail

419 views • 17 slides

More recommend