real world authenticated key exchange
play

Real-World Authenticated Key Exchange Tibor Jager Paderborn - PowerPoint PPT Presentation

Nov 19, 2022 •223 likes •1.09k views

Real-World Authenticated Key Exchange Tibor Jager Paderborn University Summer School on Real-World Crypto and Privacy ibenik, Croatia June 17 th , 2019 Outline Security of the Diffie-Hellman Key Exchange Man-in-the-Middle attacks

  1. Real-World Authenticated Key Exchange Tibor Jager Paderborn University Summer School on Real-World Crypto and Privacy Šibenik, Croatia June 17 th , 2019

  2. Outline • Security of the Diffie-Hellman Key Exchange – Man-in-the-Middle attacks – Forward Security • TLS 1.3 – Overview – The cryptographic core of TLS 1.3 • Real-World Problems – Problems arising from backwards compatibility – Middleboxes and ETS • Further reading, open research problems 2

  3. Diffie-Hellman Key Exchange Public parameters: Group description (G,g,q) a ß {0, …, q-1} b ß {0, …, q-1} t A := g a t B = g b t A t B k AB := t Ab k AB := t Ba 3

  4. Man-in-the-middle Attack on DH a ß {0, …, q-1} b ß {0, …, q-1} t A := g a t B = g b a’ ß {0, …, q-1} t A t A ’ := g a’ t A ’ 4

  5. Man-in-the-middle Attack on DH a ß {0, …, q-1} b ß {0, …, q-1} t A := g a t B = g b a’ ß {0, …, q-1} t A t A ’ := g a’ t A ’ t B ’ t B b’ ß {0, …, q-1} t B ’ := g b’ 5

  6. Man-in-the-middle Attack on DH a ß {0, …, q-1} b ß {0, …, q-1} t A := g a t B = g b a’ ß {0, …, q-1} t A t A ’ := g a’ t A ’ t B ’ t B b’ ß {0, …, q-1} t B ’ := g b’ k AB’ = g ab’ k A’B = g a’b 6

  7. Man-in-the-middle Attack on DH a ß {0, …, q-1} b ß {0, …, q-1} t A := g a t B = g b a’ ß {0, …, q-1} t A t A ’ := g a’ t A ’ t B ’ t B b’ ß {0, …, q-1} t B ’ := g b’ k AB’ = g ab’ k A’B = g a’b • This is an active attack • DH is provably secure against passive (”eavesdropping”) attacks 7

  8. Signed Diffie-Hellman Public parameters: (pk B , sk B ) ß SigKeyGen() Group description (G,g,q) (pk A , sk A ) ß SigKeyGen() pk A , pk B 8

  9. Signed Diffie-Hellman Public parameters: (pk B , sk B ) ß SigKeyGen() Group description (G,g,q) (pk A , sk A ) ß SigKeyGen() pk A , pk B a ß {0, …, q-1} t A := g a s A := Sign(sk A ,t A ) t A , s A 9

  10. Signed Diffie-Hellman Public parameters: (pk B , sk B ) ß SigKeyGen() Group description (G,g,q) (pk A , sk A ) ß SigKeyGen() pk A , pk B a ß {0, …, q-1} b ß {0, …, q-1} t A := g a t B = g b s A := Sign(sk A ,t A ) s B := Sign(sk B ,t B ) t A , s A t B , s B 10

  11. Signed Diffie-Hellman Public parameters: (pk B , sk B ) ß SigKeyGen() Group description (G,g,q) (pk A , sk A ) ß SigKeyGen() pk A , pk B a ß {0, …, q-1} b ß {0, …, q-1} t A := g a t B = g b s A := Sign(sk A ,t A ) s B := Sign(sk B ,t B ) t A , s A t B , s B If Vfy(pk A , t A , s A ) = TRUE then: If Vfy(pk B , t B , s B ) = TRUE then: k AB := t Ab k AB := t Ba 11

  12. Signed Diffie-Hellman Public parameters: (pk B , sk B ) ß SigKeyGen() Group description (G,g,q) (pk A , sk A ) ß SigKeyGen() pk A , pk B a ß {0, …, q-1} b ß {0, …, q-1} t A := g a t B = g b s A := Sign(sk A ,t A ) s B := Sign(sk B ,t B ) t A , s A t B , s B If Vfy(pk A , t A , s A ) = TRUE then: If Vfy(pk B , t B , s B ) = TRUE then: k AB := t Ab k AB := t Ba Security of the signature scheme prevents the MITM attack 12

  13. Forward Security Objective: Make large-scale collection of encrypted data useless 13

  14. Forward Security Objective: Make large-scale collection of encrypted data useless Session 1 Session 3 Session 2 Session 4 with Alice with Charlie with Bob with Alice Time 14

  15. Forward Security Objective: Make large-scale collection of encrypted data useless Secret key Session 1 Session 3 Session 2 Session 4 with Alice with Charlie with Bob with Alice Time 15

  16. Forward Security Objective: Make large-scale collection of encrypted data useless Secret key Session 1 Session 3 Session 2 Session 4 with Alice with Charlie with Bob with Alice Time 16

  17. Forward Security Objective: Make large-scale collection of encrypted data useless Secret key Session 1 Session 3 Session 2 Session 4 with Alice with Charlie with Bob with Alice Time 17

  18. Forward Security Objective: Make large-scale collection of encrypted data useless Secret key Session 1 Session 3 Session 2 Session 4 with Alice with Charlie with Bob with Alice Time • Widely used : • Standard security goal of modern protocols 18

  19. Forward Security of Signed DH Public parameters: Group description (G,g,q) (pk A , sk A ) ß SigKeyGen() (pk B , sk B ) ß SigKeyGen() pk A , pk B a ß {0, …, q-1} b ß {0, …, q-1} t A := g a t B = g b s A := Sign(sk A ,t A ) s B := Sign(sk B ,t B ) t A , s A t B , s B If Vfy(pk Alice , t A , s A ) = TRUE then: If Vfy(pk Bob , t B , s B ) = TRUE then: k AB := t Ab k AB := t Ba Forward secure (if ephemeral exponents are not stored) 19

  20. Are we done? • Signed DH is a beautiful protocol… – Clean and simple – Easy to implement and analyze – Forward Security • … but lacking features considered important in the real world, for instance: – How are public keys distributed? – No key confirmation – Fixed DH groups and signature schemes – Protocol for encryption of payload data not specified 20

  21. Are we done? • Signed DH is a beautiful protocol… – Clean and simple – Easy to implement and analyze – Forward Security • … but lacking features considered important in the real world, for instance: – How are public keys distributed? – No key confirmation – Fixed DH groups and signature schemes – Protocol for encryption of payload data not specified 21

  22. Are we done? • Signed DH is a beautiful protocol… – Clean and simple – Easy to implement and analyze Further issues: – Forward Security • How to deal with errors – Alert messages – Protocol spec. • … but lacking features considered important in • Interoperability the real world, for instance: – Message formats – How are public keys distributed? – Protocol headers • Possible extensions – No key confirmation • Implementational issues – Fixed DH groups and signature schemes • … – Protocol for encryption of payload data not specified 22

  23. Outline • Security of the Diffie-Hellman Key Exchange – Man-in-the-Middle attacks – Forward Security • TLS 1.3 – Overview – The cryptographic core of TLS 1.3 • Real-World Problems – Problems arising from backwards compatibility – Middleboxes and ETS • Further reading, open research problems 23

  24. Transport Layer Security (TLS) Client Server http, smtp, imap, Application Application pop3, ftp, sip, … Transport Transport TLS Network Network Link Link Physical communication Goal: provide confidential , authenticated , integrity-protected channel 24

  25. Transport Layer Security (TLS) Client Server http, smtp, imap, Application Application pop3, ftp, sip, … Transport Transport TLS Network Network Link Link Network communication Goal: provide confidential , authenticated , integrity-protected channel 25

  26. TLS vs. SSL 2006 2008 2018 1994 1995 1999 SSL 1.0 and 2.0 TLS 1.0 (=SSL 3.1) TLS 1.3 (Netscape) TLS 1.1 (IETF standard) TLS 1.2 SSL 3.0 (Netscape & Microsoft PCT) 26

  27. Use of SSL/TLS Versions in Practice June 2019 27 https://www.ssllabs.com/ssl-pulse/

  28. Use of SSL/TLS Versions in Practice June 2019 Standardized in 1999! 28 https://www.ssllabs.com/ssl-pulse/

  29. Use of SSL/TLS Versions in Practice June 2019 Standardized in 1999! Security protocols have an extremely long life time 29 https://www.ssllabs.com/ssl-pulse/

  30. TLS Sessions: Handshake + Record Layer Encryption Server Client 1. Handshake Handshake: • Negotiation of cryptographic algorithms (KE, Sig., Cipher Suite ) • Authentication of comm. partners • Establishment of session key k 30

  31. TLS Sessions: Handshake + Record Layer Encryption Server Client 1. Handshake 2. Record Layer Handshake: Record Layer Encryption: • Negotiation of cryptographic • Data encryption and algorithms (KE, Sig., Cipher Suite ) authentication using key k • Authentication of comm. partners • Establishment of session key k 31

  32. The Cryptographic Core of the The Cryptographic Core of the TLS 1.3 Handshake TLS 1.3 Handshake Optional Server S pk Client pk C Server S pk Client 35 32

  33. The Cryptographic Core of the The Cryptographic Core of the TLS 1.3 Handshake TLS 1.3 Handshake Server S pk Client Server S pk Client 35 33

  34. The Cryptographic Core of the TLS 1.3 Handshake Server S pk ClientHello: Client • Supported cipher suites, sigs, (DH groups) • Client random r C • Diffie-Hellman share g c 34

  35. The Cryptographic Core of the TLS 1.3 Handshake Server S pk ClientHello: Client • Supported cipher suites, sigs, (DH groups) • Client random r C • Diffie-Hellman share g c ServerHello: • Selected Cipher Suite • Server random r S • Diffie-Hellman share g s 35

  36. The Cryptographic Core of the TLS 1.3 Handshake Server S pk ClientHello: Client • Supported cipher suites, sigs, (DH groups) • Client random r C • Diffie-Hellman share g c ServerHello: • Selected Cipher Suite • Server random r S • Diffie-Hellman share g s Replaced with HelloRetryRequest , if necessary 36

  37. The Cryptographic Core of the TLS 1.3 Handshake Server S pk ClientHello: Client • Supported cipher suites, sigs, (DH groups) • Client random r C • Diffie-Hellman share g c ServerHello: k = KDF(g cs , r C , r S ) • Selected Cipher Suite k = KDF(g cs , r C , r S ) • Server random r S k’ = KDF’(g cs , r C , r S ) k’ = KDF’(g cs , r C , r S ) • Diffie-Hellman share g s 37

Recommend

Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

(A brief, incomplete) Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and Privacy June 11, 2018 Authenticated Encryption M M Its complicated Probabilistic or deterministic AE? Nonce based AE?

868 views • 47 slides
Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

PAKE Game-based Security Universal Composability LAKE Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1 David Pointcheval Ecole Normale Sup erieure Game-based Security 2 Universal

927 views • 10 slides
AKE via 2-key KEM Haiyang Xue, Xianhui Lu, Bao Li, Bei Liang Jingnan He Outline Authenticated

AKE via 2-key KEM Haiyang Xue, Xianhui Lu, Bao Li, Bei Liang Jingnan He Outline Authenticated

Understanding and Constructing AKE via 2-key KEM Haiyang Xue, Xianhui Lu, Bao Li, Bei Liang Jingnan He Outline Authenticated key exchange Motivations & our contributions AKE 2-key KEM AKE in a post quantum world

821 views • 36 slides
CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva Authenticated key exchange 1

CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva Authenticated key exchange 1

Diffie-Hellman key exchange Secure against passive eavesdropping but insecure against a man-in-the-middle attack CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva Authenticated key exchange 1 2 Adding key

492 views • 5 slides
Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai

Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai

Learning with Errors Classic Key Exchange Lattice-based Key Exchange Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai Ding Michael Snook zgr Dagdelen DIMACS Workshop on the Mathematics of

339 views • 33 slides
To truly know the world, look deeply within your own being; to truly know yourself, take real

To truly know the world, look deeply within your own being; to truly know yourself, take real

To truly know the world, look deeply within your own being; to truly know yourself, take real interest in the world. Rudolf Steiner INFO Waldorf Exchange Seasonal Program by Adazi Free Waldorf School this summer provides well-rounded, healthy

493 views • 32 slides
Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk,

Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk,

Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk, Sebastian Lauer Ruhr-University Bochum Classical Key Exchange Setting m1 Bob Alice m2 skA skB pkB pkA mq-1 mq derive K derive K 2

185 views • 18 slides
Hot Spaces How to Pack More Valuable Human Exchange into Real World Marketplaces Hot Spaces

Hot Spaces How to Pack More Valuable Human Exchange into Real World Marketplaces Hot Spaces

Hot Spaces How to Pack More Valuable Human Exchange into Real World Marketplaces Hot Spaces How to Pack More Valuable Human Exchange into Real World Marketplaces Def. Hot: In the Marshall McLuhan sense rich. Def. Marketplace: Where

336 views • 17 slides
Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben Hamouda Olivier Blazy Cline Chevalier David Pointcheval Damien Vergnaud Horst Grtz Institute for IT Security / Ruhr-University Bochum ENS /

914 views • 45 slides
Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale sup erieure/PSL & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA David

319 views • 14 slides
The low-call diet: Authenticated Encryption for call counting HSM users Gaven J. Watson

The low-call diet: Authenticated Encryption for call counting HSM users Gaven J. Watson

The low-call diet: Authenticated Encryption for call counting HSM users Gaven J. Watson University of Bristol Joint work with: Mike Bond (Cryptomathic), George French (Barclays Bank Plc) and Nigel P. Smart (UoB) Real World Cryptography

1.23k views • 104 slides
Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier Chevassut Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Key Agreement and

299 views • 19 slides
XML in the real world XML in the real world XML agentzh ( )

XML in the real world XML in the real world XML agentzh ( )

XML in the real world XML in the real world XML agentzh ( ) 2006.10 RSS is cool ! RSS RSS Really Simple Syndication Tired of checking your favorite news and blogs sites everyday?

786 views • 75 slides
IPAKE IPAKE Summary Summary Isomorphisms for Password-based Isomorphisms for Password-based

IPAKE IPAKE Summary Summary Isomorphisms for Password-based Isomorphisms for Password-based

IPAKE IPAKE Summary Summary Isomorphisms for Password-based Isomorphisms for Password-based Authenticated Key Exchange Authenticated Key Exchange Dario Catalano David Pointcheval Password-based CNRS-ENS France Authenticated Key

291 views • 5 slides
ITU Kaleidoscope 2016 ICTs for a Sustainable World TOWARD AUTHENTICATED CALLER ID TRANSMISSION:

ITU Kaleidoscope 2016 ICTs for a Sustainable World TOWARD AUTHENTICATED CALLER ID TRANSMISSION:

ITU Kaleidoscope 2016 ICTs for a Sustainable World TOWARD AUTHENTICATED CALLER ID TRANSMISSION: THE NEED FOR A STANDARDIZED AUTHENTICATION SCHEME IN Q.731.3 CALLING LINE IDENTIFICATION PRESENTATION Huahong Tu, Adam Doup, Ziming Zhao, and

388 views • 36 slides
ITU Kaleidoscope 2016 ICTs for a Sustainable World TOWARD AUTHENTICATED CALLER ID TRANSMISSION:

ITU Kaleidoscope 2016 ICTs for a Sustainable World TOWARD AUTHENTICATED CALLER ID TRANSMISSION:

ITU Kaleidoscope 2016 ICTs for a Sustainable World TOWARD AUTHENTICATED CALLER ID TRANSMISSION: THE NEED FOR A STANDARDIZED AUTHENTICATION SCHEME IN Q.731.3 CALLING LINE IDENTIFICATION PRESENTATION Huahong Tu, Adam Doup, Ziming Zhao, and

721 views • 35 slides
Facebook Exchange Facebook Exchange (FBX) (FBX) Facebook Exchange The Facebook Exchange allows

Facebook Exchange Facebook Exchange (FBX) (FBX) Facebook Exchange The Facebook Exchange allows

Facebook Exchange Facebook Exchange (FBX) (FBX) Facebook Exchange The Facebook Exchange allows programmatic buying of Facebook ad inventory through real-time bidding. Agencies, trading desks and direct marketers can buy Facebook ads using

343 views • 7 slides
ALIKE: Authenticated Lightweight Key Exchange Sandrine Agagliate, GEMALTO Security Labs Outline:

ALIKE: Authenticated Lightweight Key Exchange Sandrine Agagliate, GEMALTO Security Labs Outline:

ALIKE: Authenticated Lightweight Key Exchange Sandrine Agagliate, GEMALTO Security Labs Outline: Context Description of ALIKE Generic description Full specification Security properties Chip Unforgeability and Channel Secrecy Underlying

400 views • 21 slides
Real World Health IT IT In Initiatives Pamela King Health IT Outreach Coordinator October 2,

Real World Health IT IT In Initiatives Pamela King Health IT Outreach Coordinator October 2,

Agency for Health Care Administration: Real World Health IT IT In Initiatives Pamela King Health IT Outreach Coordinator October 2, 2018 Query ry Exchange Built on the nationwide eHealth Exchange platform Allows providers to query

348 views • 31 slides
Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen

Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen

Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen 1 Tibor Jager 2 NTNU - Norwegian University of Science and Technology, Trondheim, Norway, kristian.gjosteen@ntnu.no Paderborn University, Paderborn,

360 views • 34 slides
Strongly Secure One-Round Group Authenticated Key Exchange in the Standard Model Yong Li, Zheng

Strongly Secure One-Round Group Authenticated Key Exchange in the Standard Model Yong Li, Zheng

Strongly Secure One-Round GAKE Strongly Secure One-Round Group Authenticated Key Exchange in the Standard Model Yong Li, Zheng Yang Ruhr-University Bochum CANS 2013 1 / 40 Introduction, Motivation and Contributions GAKE Security Model

515 views • 50 slides
Exchanging a key - how hard can it be? Cas Cremers Joint work with Michle Feltz Authenticated

Exchanging a key - how hard can it be? Cas Cremers Joint work with Michle Feltz Authenticated

Exchanging a key - how hard can it be? Cas Cremers Joint work with Michle Feltz Authenticated Key Exchange Protocols (a,g a ) (b,g b ) use AKE protocol to establish key k Hi, do you want to visit us? I'll make sure the university pays for

664 views • 24 slides
real-world crypto and privacy. June 2016 Copy of speaker slides from a summer school in Croatia on

real-world crypto and privacy. June 2016 Copy of speaker slides from a summer school in Croatia on

Copy of speaker slides from a summer school in Croatia on Authenticated Encryption (AE) real-world crypto and privacy. June 2016 Part 1: 14:00 15:00 Kind thanks to the Part 2: 15:00 16:00 organizers of this Copy of speaker slides from

929 views • 72 slides
L2TP or not L2TP? Alain Durand, ??? L2TP Configuration Latency (in authenticated mode) L2TP

L2TP or not L2TP? Alain Durand, ??? L2TP Configuration Latency (in authenticated mode) L2TP

L2TP or not L2TP? Alain Durand, ??? L2TP Configuration Latency (in authenticated mode) L2TP (8), PPP+CHAP (11), DHCPv6 (4) = 23 pkts Idea: collapse all those layers into 1 protocol with minimum packet exchange. E.g.: TSP: 10

380 views • 5 slides

More recommend