the optls protocol and tls 1 3
play

the OPTLS protocol and TLS 1.3 Hugo Krawczyk IBM Hoeteck Wee ENS . - PowerPoint PPT Presentation

Jun 27, 2023 •134 likes •606 views

the OPTLS protocol and TLS 1.3 Hugo Krawczyk IBM Hoeteck Wee ENS . . . . . . . . TLS = lingua franca of crypto on the Internet HTTPS, 802.1x, VPNs, email, VoIP, ... . . . . . . . . cannot inject forged data into the stream (

  1. the OPTLS protocol and TLS 1.3 Hugo Krawczyk IBM Hoeteck Wee ENS . . . . . . . .

  2. TLS = lingua franca of crypto on the Internet HTTPS, 802.1x, VPNs, email, VoIP, ... . . . . . . . .

  3. cannot – inject forged data into the stream ( authenticity ) – distinguish data stream from random bytes ( confidentiality ) TLS : transport layer security X.509 server client . . . . . . . .

  4. cannot – inject forged data into the stream ( authenticity ) – distinguish data stream from random bytes ( confidentiality ) goal : secure channel X.509 server client . . . . . . . .

  5. goal : secure channel X.509 server client attacker cannot – inject forged data into the stream ( authenticity ) – distinguish data stream from random bytes ( confidentiality ) . . . . . . . .

  6. 1.3 and OPTLS TLS history. 20 years of attacks, fixes, and extensions – netscape’s SSL (1994) ... TLS 1.2 (2008) ... . . . . . . . .

  7. and OPTLS OPTLS. a simple suite of protocols developed to serve as the crypto core of TLS 1.3 handshake TLS 1.3 history. 20 years of attacks, fixes, and extensions TLS 1.3. clean-up – improved security and privacy, e.g. forward secrecy – reduced latency: 1 -rtt ; 0 -rtt for repeat connections . . . . . . . .

  8. TLS 1.3 and OPTLS history. 20 years of attacks, fixes, and extensions TLS 1.3. clean-up – improved security and privacy, e.g. forward secrecy – reduced latency: 1 -rtt ; 0 -rtt for repeat connections OPTLS. a simple suite of protocols developed to serve as the crypto core of TLS 1.3 handshake . . . . . . . .

  9. FORMAL VERIFICATION REAL-WORLD CONSTRAINTS our philosophy CRYPTO simple + modular + uniform crypto core as foundations . . . . . . . .

  10. FORMAL VERIFICATION our philosophy REAL-WORLD CONSTRAINTS CRYPTO simple + modular + uniform crypto core as foundations . . . . . . . .

  11. our philosophy FORMAL VERIFICATION REAL-WORLD CONSTRAINTS CRYPTO simple + modular + uniform crypto core as foundations . . . . . . . .

  12. goal : secure key exchange X.509 server client . . . . . . . .

  13. goal : secure key exchange X.509 server client handshake + authenticated encryption = secure channel record layer . . . . . . . .

  14. goal : secure key exchange X.509 server client security. if a client completes with an honest server as its peer – agreement. ∃ a server session with the same transcript – confidentiality. the key is indistinguishable from random . . . . . . . .

  15. on which we can layer additional functionality/properties e.g. client auth, key sync security goal : secure key exchange X.509 server client agreement + confidentiality = fundamental requirements . . . . . . . .

  16. goal : secure key exchange X.509 server client agreement + confidentiality = fundamental requirements on which we can layer additional functionality/properties e.g. client auth, key sync security . . . . . . . .

  17. OPTLS X.509 dh cert g s server client simplicity . . . . . . . .

  18. OPTLS η C , g x X.509 η S , g y dh cert g s server client ← g xy application traffic key . . . . . . . .

  19. sfk OPTLS η C , g x X.509 η S , g y , cert , MAC dh cert g s ( ... ) server client server finished ← g xy application traffic key . . . . . . . .

  20. OPTLS η C , g x X.509 η S , g y , cert , MAC sfk ( ... ) dh cert g s server client server finished ← g xy sfk ← g xs application traffic key server finished key . . . . . . . .

  21. – confidentiality. OPTLS η C , g x X.509 η S , g y , cert , MAC sfk ( ... ) dh cert g s server client server finished ← g xy sfk ← g xs application traffic key server finished key – agreement. i. g s via cert, ii. transcript via MAC two-layer authentication . . . . . . . .

  22. OPTLS η C , g x X.509 η S , g y , cert , MAC sfk ( ... ) dh cert g s server client server finished ← g xy , g xs sfk ← g xs application traffic key server finished key – agreement. i. g s via cert, ii. transcript via MAC – confidentiality. . . . . . . . .

  23. OPTLS η C , g x X.509 η S , g y , cert , MAC sfk ( ... ) dh cert g s server client server finished ← g xy , g xs sfk ← g xs application traffic key server finished key – agreement. i. g s via cert, ii. transcript via MAC – confidentiality. even if s or y is compromised forward secrecy + resilience to exposure of y . . . . . . . .

  24. OPTLS η C , g x early data X.509 η S , g y , cert , MAC sfk ( ... ) dh cert g s server client server finished ← g xy , g xs sfk ← g xs application traffic key server finished key – agreement. i. g s via cert, ii. transcript via MAC – confidentiality. even if s or y is compromised – 0 -rtt. client encrypts early data using g xs no forward secrecy . . . . . . . .

  25. OPTLS : basic protocol η C , g x early data X.509 η S , g y , cert , MAC sfk ( ... ) dh cert g s server client ← g xy , g xs sfk ← g xs next. 4 modes corresponding to TLS settings – i.e. rsa certs and pre-shared keys . . . . . . . .

  26. server signs ephemeral g s g y server signs semi-static g s 1 -rtt non-static. OPTLS : 4 modes η C , g x early data g s X.509 η S , g y , cert , MAC sfk ( ... ) server client rsa cert semi-static ← g xy , g xs sfk ← g xs 1 -rtt semi-static. 1 . . . . . . . .

  27. server signs ephemeral g s g y 1 -rtt non-static. OPTLS : 4 modes η C , g x early data g s X.509 η S , g y , cert , MAC sfk ( ... ) server client rsa cert semi-static ← g xy , g xs sfk ← g xs 1 -rtt semi-static. server signs semi-static g s 1 . . . . . . . .

  28. server signs ephemeral g s g y OPTLS : 4 modes η C , g x early data g s X.509 η S , g y , cert , MAC sfk ( ... ) server client rsa cert ← g xy , g xs sfk ← g xs 1 -rtt semi-static. server signs semi-static g s 1 1 -rtt non-static. 2 . . . . . . . .

  29. OPTLS : 4 modes η C , g x early data g s X.509 η S , g y , cert , MAC sfk ( ... ) server client rsa cert ← g xy , g xs sfk ← g xs 1 -rtt semi-static. server signs semi-static g s 1 1 -rtt non-static. server signs ephemeral g s = g y 2 . . . . . . . .

  30. uses psk in place of g xs psk. psk only fast, but no forward secrecy OPTLS : 4 modes pre-shared key psk η C , g x early data η S , g y , cert , MAC sfk ( ... ) server client ← g xy , g xs sfk ← g xs 1 -rtt semi-static. server signs semi-static g s 1 1 -rtt non-static. server signs ephemeral g s = g y 2 psk-dhe. 3 . . . . . . . .

  31. psk. psk only fast, but no forward secrecy OPTLS : 4 modes pre-shared key psk η C , g x early data η S , g y , cert , MAC sfk ( ... ) server client ← g xy , psk sfk ← psk 1 -rtt semi-static. server signs semi-static g s 1 1 -rtt non-static. server signs ephemeral g s = g y 2 psk-dhe. uses psk in place of g xs 3 . . . . . . . .

  32. g x g y g xy OPTLS : 4 modes pre-shared key psk early data η C cert , MAC sfk ( ... ) server client η S , psk sfk ← psk ← 1 -rtt semi-static. server signs semi-static g s 1 1 -rtt non-static. server signs ephemeral g s = g y 2 psk-dhe. uses psk in place of g xs 3 psk. psk only fast, but no forward secrecy 4 . . . . . . . .

  33. OPTLS : key derivation es ss ephemeral secret static secret g xy g xs 1 -rtt semi-static g xy g xs = 1 -rtt non-static g xy psk psk-dhe psk psk psk = . . . . . . . .

  34. OPTLS : key derivation es ss ephemeral secret static secret g xy or psk g xs or psk sfk edk server finished key early data key from ss application traffic key from ss , es . . . . . . . .

  35. OPTLS : key derivation es ss ephemeral secret static secret g xy or psk g xs or psk salt sfk edk extract ikm server finished key early data key from ss expand info key HKDF application traffic key from ss , es . . . . . . . .

  36. OPTLS : key derivation 0 es ss extract ephemeral secret static secret expand η C salt sfk edk extract ikm server finished key early data key from ss expand info key HKDF application traffic key . . . . . . . .

  37. OPTLS : key derivation 0 0 es ss extract extract ephemeral secret static secret expand expand η S η C sfk edk extract server finished key early data key application traffic key from ss , es . . . . . . . .

  38. OPTLS : key derivation 0 0 es ss extract extract ephemeral secret static secret expand expand η S η C sfk edk extract server finished key early data key ms master secret expand ε application traffic key from ss , es . . . . . . . .

  39. OPTLS : key derivation 0 0 es ss extract extract ephemeral secret static secret expand expand η S η C htk sfk edk extract handshake traffic key server finished key early data key ms master secret expand ε application traffic key . . . . . . . .

  40. crypto core handshake – adopts the same modes + uniform key derivation via HKDF – default full handshake = 1 -rtt non-static additions in TLS 1.3 i. session hash in HKDF binding to unique session parameters ii. “always signs” in 1 -rtt semi-static continuous possession of signing key iii. client finished message client key confirmation TLS 1.3 OPTLS . . . . . . . .

Recommend

What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i

What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i

What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i -Key-Protocol, i = 1, 2, 3, Family of protocols Secure electronic payment Based on credit card payments Christopher Hsu Can be extended

407 views • 4 slides
Attacks on TCP 1 Outline What is TCP protocol? How the TCP Protocol Works SYN

Attacks on TCP 1 Outline What is TCP protocol? How the TCP Protocol Works SYN

Attacks on TCP 1 Outline What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack 2 TCP Protocol Transmission Control Protocol (TCP) is a core protocol

598 views • 47 slides
Forest Protocol Forest Protocol Protocol Update Effort Protocol Update Effort Goals and

Forest Protocol Forest Protocol Protocol Update Effort Protocol Update Effort Goals and

Forest Protocol Forest Protocol Protocol Update Effort Protocol Update Effort Goals and Objectives Goals and Objectives CAR adopted the Forest Protocols in 2005 CAR Board directed staff in 2007 to: Initiate a stakeholder process

532 views • 25 slides
TCP/IP CIS 218/238 Internet Protocol (IP) The Internet Protocol (IP) is responsible for

TCP/IP CIS 218/238 Internet Protocol (IP) The Internet Protocol (IP) is responsible for

TCP/IP CIS 218/238 Internet Protocol (IP) The Internet Protocol (IP) is responsible for ensuring that data is transferred between two Intenret hosts based on a 32 bit address. To be ROUTABLE, a protocol must specify a NETWORK ADDRESS

899 views • 22 slides
The HTTP Protocol The HTTP Protocol How to write servers and clients in Java Anders Mller

The HTTP Protocol The HTTP Protocol How to write servers and clients in Java Anders Mller

Objectives Objectives How the HTTP protocol works An Introduction An Introduction to XML and Web Technologies to XML and Web Technologies The SSL security extension from a programmer's point of view The HTTP Protocol The HTTP Protocol

433 views • 10 slides
Internetworking Internetworking Address Resolution Protocol Address Resolution Protocol z

Internetworking Internetworking Address Resolution Protocol Address Resolution Protocol z

Internet Protocol Suite: Transport Internet Protocol Suite: Transport TCP: Transmission Control Protocol Byte stream transfer Internet Protocol Suite Internet Protocol Suite Reliable, connection-oriented service Point-to-point

374 views • 3 slides
FIX Protocol 101 An Introduction To the FIX Protocol Martin Koopman, Former Chair FIX Protocol

FIX Protocol 101 An Introduction To the FIX Protocol Martin Koopman, Former Chair FIX Protocol

FIX Protocol 101 An Introduction To the FIX Protocol Martin Koopman, Former Chair FIX Protocol Ltd Americas Committee martinkoopman@gmail.com Australia Was Early to Electronic Trading But Late to FIX Very early use of electronic trading

809 views • 12 slides
EFFICIENCY OF THE BASIC EMDR PROTOCOL COMPARED TO A RESOURCE PROTOCOL ROLE OF EYE MOVEMENTS IN A

EFFICIENCY OF THE BASIC EMDR PROTOCOL COMPARED TO A RESOURCE PROTOCOL ROLE OF EYE MOVEMENTS IN A

EFFICIENCY OF THE BASIC EMDR PROTOCOL COMPARED TO A RESOURCE PROTOCOL ROLE OF EYE MOVEMENTS IN A RESOURCE PROTOCOL A comparison between one session of the standard protocol versus the reinforced resource protocol The basic EMDR protocol

368 views • 15 slides
The Luxembourg Protocol in the UK Moving Britain Ahead March 16 Luxembourg Protocol 1 As of 26

The Luxembourg Protocol in the UK Moving Britain Ahead March 16 Luxembourg Protocol 1 As of 26

The Luxembourg Protocol in the UK Moving Britain Ahead March 16 Luxembourg Protocol 1 As of 26 th February 2016 the UK is now a Signatory to the Luxembourg Protocol to the Convention on International Interests in Mobile Equipment on Matters

358 views • 6 slides
Dont Hold My Data Hostage A Case For Client Protocol Redesign What is a Client Protocol

Dont Hold My Data Hostage A Case For Client Protocol Redesign What is a Client Protocol

Mark Raasveldt, Hannes Mhleisen Dont Hold My Data Hostage A Case For Client Protocol Redesign What is a Client Protocol anyway? Every database that supports remote clients has a client protocol Using this protocol, clients can query

152 views • 14 slides
Protocol Attacks What is a protocol attack? How does it work? Different types of

Protocol Attacks What is a protocol attack? How does it work? Different types of

Outline : Part 1 Introduction Protocol Attacks What is a protocol attack? How does it work? Different types of protocol attack By Sushant Rewaskar Introduction: Types of attacks What is a protocol attack? Buffer overflow

518 views • 13 slides
1 The http protocol: more WWW: the http protocol http is stateless http: hypertext

1 The http protocol: more WWW: the http protocol http is stateless http: hypertext

Internet apps: their protocols and transport protocols Application Underlying layer protocol Application transport protocol e-mail smtp [RFC 821] World Wide Web TCP remote terminal access telnet [RFC 854] TCP Web http [RFC 2068] TCP

438 views • 5 slides
Protocol on SEA Chapter B2: Example structure of practical exercises for use in training course

Protocol on SEA Chapter B2: Example structure of practical exercises for use in training course

Protocol on SEA Chapter B2: Example structure of practical exercises for use in training course on the Protocol Resource Manual to Support Application of the UNECE Protocol on Strategic Environmental Assessment draft 17-Apr-07 B2.1 Contents

894 views • 17 slides
Protocol on SEA Chapter A3: Determining whether plans & programmes require SEA under the

Protocol on SEA Chapter A3: Determining whether plans & programmes require SEA under the

Protocol on SEA Chapter A3: Determining whether plans & programmes require SEA under the Protocol Resource Manual to Support Application of the UNECE Protocol on Strategic Environmental Assessment draft 26-Apr-07 A3.1 Contents of the

563 views • 28 slides
PPSP Peer Protocol draft-gu-ppsp-peer-protocol PPSP WG IETF 82 Taipei Rui Cruz (presenter)

PPSP Peer Protocol draft-gu-ppsp-peer-protocol PPSP WG IETF 82 Taipei Rui Cruz (presenter)

PPSP Peer Protocol draft-gu-ppsp-peer-protocol PPSP WG IETF 82 Taipei Rui Cruz (presenter) Yingjie Gu, Jinwei Xia, Mrio Nunes, David Bryan, Joo Taveira Background The PPSP Peer Protocol (as well as the PPSP Tracker protocol) are bound

199 views • 16 slides
User Datagram Protocol (UDP) Standard connectionless protocol for the transport layer of the

User Datagram Protocol (UDP) Standard connectionless protocol for the transport layer of the

User Datagram Protocol (UDP) Standard connectionless protocol for the transport layer of the Internet architecture Only adds demultiplexing capability to basic best-effort delivery provided by IP Needs to identify target process

834 views • 36 slides
Multicast Protocols IGMP IP Group Membership Protocol DVMRP DV Multicast Routing Protocol

Multicast Protocols IGMP IP Group Membership Protocol DVMRP DV Multicast Routing Protocol

Multicast Protocols IGMP IP Group Membership Protocol DVMRP DV Multicast Routing Protocol MOSPF Multicast OSPF PIM Protocol Independent Multicast S-38.2121 / Fall-2007 / RKa, NB Multicast2-1 Multicast in local area networks

489 views • 25 slides
Transmission Control Protocol (TCP) Srinidhi Varadarajan TCP: Transmission Control Protocol z TCP

Transmission Control Protocol (TCP) Srinidhi Varadarajan TCP: Transmission Control Protocol z TCP

Transmission Control Protocol (TCP) Srinidhi Varadarajan TCP: Transmission Control Protocol z TCP must perform typical transport layer functions: Segmentation -- breaks message into packets Error recovery -- since IP is an unreliable

323 views • 16 slides
Multicast Protocols IGMP - IP Group Membership Protocol DVMRP - DV Multicast Routing Protocol

Multicast Protocols IGMP - IP Group Membership Protocol DVMRP - DV Multicast Routing Protocol

Multicast Protocols IGMP - IP Group Membership Protocol DVMRP - DV Multicast Routing Protocol MOSPF - Multicast OSPF (see notes pages for some slides!) S38.122/RKantola/s00 9 - 1 IGMPv2 - Internet Group Management Protocol implements Group

474 views • 14 slides
Multicast Protocols IGMP IP Group Membership Protocol DVMRP DV Multicast Routing Protocol

Multicast Protocols IGMP IP Group Membership Protocol DVMRP DV Multicast Routing Protocol

Multicast Protocols IGMP IP Group Membership Protocol DVMRP DV Multicast Routing Protocol MOSPF Multicast OSPF PIM Protocol Independent Multicast S-38.121 / Fall-04 / RKa, NB Multicast2-1 Multicast in local area networks

621 views • 24 slides
Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup University of Freiburg Computer Networks and Telematics Summer 2009 Overview In previous parts of this chapter: Modeling behaviour with

773 views • 74 slides
Session Initiation Protocol (SIP) The Session Description Protocol The Most Common Message

Session Initiation Protocol (SIP) The Session Description Protocol The Most Common Message

Session Initiation Protocol (SIP) The Session Description Protocol The Most Common Message Body Session information describing the media to be exchanged between the parties SDP, RFC 2327 (initial publication) A number of

671 views • 21 slides
Day 1 - Outline Introductions, Agenda Bashing OSP Protocol Design Issues Overview of Group Work

Day 1 - Outline Introductions, Agenda Bashing OSP Protocol Design Issues Overview of Group Work

Day 1 - Outline Introductions, Agenda Bashing OSP Protocol Design Issues Overview of Group Work Presentation API Protocol Items Review of Open Screen Protocol 1.0 Remote Playback API Protocol Items OSP Authentication & Security Second

1.75k views • 143 slides
Outline The IP protocol 15-441/641: Computer Networks IPv4 The Internet Protocol IPv6

Outline The IP protocol 15-441/641: Computer Networks IPv4 The Internet Protocol IPv6

9/16/2019 Outline The IP protocol 15-441/641: Computer Networks IPv4 The Internet Protocol IPv6 Fall 2019 Profs Peter Steenkiste & Justine Sherry IP in practice Network address translation Tunnels ARP

90 views • 6 slides

More recommend