the OPTLS protocol and TLS 1.3
Hugo Krawczyk (IBM), Hoeteck Wee (ENS)

  1. Title slide: the OPTLS protocol and TLS 1.3. Hugo Krawczyk, IBM; Hoeteck Wee, ENS.

  2. TLS = lingua franca of crypto on the Internet: HTTPS, 802.1x, VPNs, email, VoIP, ...

  3-5. goal: secure channel. TLS = transport layer security. A client talks to a server that holds an X.509 certificate; an attacker on the path cannot
     - inject forged data into the stream (authenticity)
     - distinguish the data stream from random bytes (confidentiality)

  6-8. TLS 1.3 and OPTLS.
     history: 20 years of attacks, fixes, and extensions: Netscape's SSL (1994) ... TLS 1.2 (2008) ...
     TLS 1.3: clean-up
       - improved security and privacy, e.g. forward secrecy
       - reduced latency: 1-rtt; 0-rtt for repeat connections
     OPTLS: a simple suite of protocols developed to serve as the crypto core of the TLS 1.3 handshake.

  9-11. our philosophy: a simple + modular + uniform crypto core as foundations, sitting where CRYPTO, FORMAL VERIFICATION and REAL-WORLD CONSTRAINTS meet.

  12-16. goal: secure key exchange (client, server with X.509 cert).
     handshake + authenticated encryption (record layer) = secure channel.
     security: if a client completes with an honest server as its peer,
       - agreement: there exists a server session with the same transcript
       - confidentiality: the key is indistinguishable from random
     agreement + confidentiality = the fundamental requirements, on which we can layer additional functionality/properties, e.g. client auth, key sync security.

  17-24. OPTLS (simplicity). The server holds a semi-static DH key g^s, certified in its X.509 cert.
     client -> server: η_C, g^x [, early data]
     server -> client: η_S, g^y, cert, MAC_sfk(...)   (server finished)
     keys: application traffic key <- g^xy, g^xs; server finished key sfk <- g^xs
     - agreement: (i) g^s via the cert, (ii) the transcript via the MAC: two-layer authentication
     - confidentiality: even if s or y is compromised: forward secrecy + resilience to exposure of y
     - 0-rtt: the client encrypts early data using g^xs; no forward secrecy for that data

  25-32. OPTLS: basic protocol (above); next, 4 modes corresponding to TLS settings, i.e. RSA certs and pre-shared keys.
     1. 1-rtt semi-static: the server signs the semi-static g^s (RSA cert); keys <- g^xy, g^xs; sfk <- g^xs
     2. 1-rtt non-static: the server signs the ephemeral g^s = g^y
     3. psk-dhe: uses the pre-shared key psk in place of g^xs; keys <- g^xy, psk; sfk <- psk
     4. psk: psk only, no g^x / g^y exchanged; fast, but no forward secrecy

  33-39. OPTLS: key derivation. Two input secrets per mode:
       mode                 es (ephemeral secret)   ss (static secret)
       1-rtt semi-static    g^xy                    g^xs
       1-rtt non-static     g^xy                    g^xy  (= g^xs, since g^s = g^y)
       psk-dhe              g^xy                    psk
       psk                  psk                     psk
     HKDF: extract(salt, ikm) -> key; expand(key, info) -> key.
       es <- extract(0, g^xy or psk)
       ss <- extract(0, g^xs or psk)
       from ss (expand, with the nonces η_C, η_S as info): sfk (server finished key), edk (early data key)
       from es (expand): htk (handshake traffic key)
       ms (master secret) <- extract over the expanded ss and es
       application traffic key <- expand(ms, ε), i.e. from ss and es together
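Added example, not code from the slides or from the authors: the 1-rtt semi-static handshake of the OPTLS slides above, together with the HKDF key schedule of the key-derivation slides, run end to end with client and server in one process. X25519 (a compact RFC 7748 ladder, included so the example runs offline) stands in for the DH group; the HKDF labels and info layout, the pinned-name trust store standing in for X.509 validation, and the names client_hello, server_respond, client_finish and run are this example's assumptions, not the slides' or TLS 1.3's. The other modes reuse the same schedule with the inputs of the table substituted (psk for g^xs or for both, g^xy for g^xs in non-static mode).

```python
import hashlib
import hmac
import os
# --- X25519, RFC 7748 Montgomery ladder (illustrative; not constant-time) ---
P = 2**255 - 19

def x25519(k: bytes, u: bytes) -> bytes:
    kb = bytearray(k); kb[0] &= 248; kb[31] &= 127; kb[31] |= 64   # clamp scalar
    k = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)            # mask top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e, c, d = (aa - bb) % P, (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keygen():
    sk = os.urandom(32)
    return sk, x25519(sk, (9).to_bytes(32, "little"))

# --- HKDF (RFC 5869) with SHA-256: extract(salt, ikm) and expand(key, info) ---
def extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def expand(prk: bytes, info: bytes, n: int = 32) -> bytes:
    out, t, i = b"", b"", 1
    while len(out) < n:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:n]

ZERO = bytes(32)

def early_data_key(ss_input: bytes, nc: bytes) -> bytes:
    # edk depends only on ss (g^xs or psk) and the client nonce, so the client can
    # encrypt 0-rtt data before any server flight; the price is no forward secrecy.
    return expand(extract(ZERO, ss_input), b"early data" + nc)

def key_schedule(es_input: bytes, ss_input: bytes, nc: bytes, ns: bytes) -> dict:
    es = extract(ZERO, es_input)      # ephemeral secret: g^xy (psk in psk-only mode)
    ss = extract(ZERO, ss_input)      # static secret: g^xs (psk in the psk modes)
    sfk = expand(ss, b"server finished" + nc + ns)     # server finished key
    htk = expand(es, b"handshake traffic" + nc + ns)   # handshake traffic key
    ms = extract(expand(ss, b"expanded ss" + nc + ns), expand(es, b"expanded es" + nc + ns))
    return {"sfk": sfk, "htk": htk, "edk": early_data_key(ss_input, nc),
            "atk": expand(ms, b"")}   # application traffic key: expand(ms, epsilon)

# --- the handshake in mode 1 (1-rtt semi-static) ---
TRUST_STORE = {}   # constructed stand-in for X.509 validation: server name -> g^s

def client_hello() -> dict:
    x, gx = keygen()
    return {"x": x, "gx": gx, "nc": os.urandom(32)}

def server_respond(s: bytes, name: bytes, hello: dict):
    y, gy = keygen()
    ns = os.urandom(32)
    keys = key_schedule(x25519(y, hello["gx"]), x25519(s, hello["gx"]), hello["nc"], ns)
    transcript = hello["nc"] + hello["gx"] + ns + gy + name
    finished = hmac.new(keys["sfk"], transcript, hashlib.sha256).digest()
    return {"ns": ns, "gy": gy, "cert": name, "finished": finished}, keys

def client_finish(state: dict, msg: dict) -> dict:
    gs = TRUST_STORE[msg["cert"]]                        # (i) g^s authenticated by the cert
    keys = key_schedule(x25519(state["x"], msg["gy"]), x25519(state["x"], gs),
                        state["nc"], msg["ns"])
    transcript = state["nc"] + state["gx"] + msg["ns"] + msg["gy"] + msg["cert"]
    expected = hmac.new(keys["sfk"], transcript, hashlib.sha256).digest()
    if not hmac.compare_digest(msg["finished"], expected):   # (ii) transcript via the MAC
        raise ValueError("server finished MAC failed")
    return keys

def run(tamper: bool = False):
    s, gs = keygen()
    TRUST_STORE[b"server.example"] = gs
    hello = client_hello()
    edk_0rtt = early_data_key(x25519(hello["x"], gs), hello["nc"])   # before any server reply
    msg, server_keys = server_respond(s, b"server.example", hello)
    if tamper:   # an active attacker replaces the server's g^y in flight
        msg["gy"] = keygen()[1]
    client_keys = client_finish(hello, msg)
    edk_later = early_data_key(x25519(s, hello["gx"]), hello["nc"])  # from s + recorded g^x: no FS
    return client_keys, server_keys, edk_0rtt, edk_later
```

run() returns both sides' key sets plus the early-data key computed twice: once by the client before any server flight, and once from the server's semi-static exponent s and the recorded g^x, which is the "no forward secrecy" caveat of 0-rtt in concrete form. run(tamper=True) exercises the two-layer authentication: a swapped g^y leaves g^s, and so sfk, intact, but the finished MAC over the transcript no longer verifies and the client aborts.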

  40. TLS 1.3 vs OPTLS. The TLS 1.3 crypto core handshake adopts the same modes + uniform key derivation via HKDF; the default full handshake = 1-rtt non-static. Additions in TLS 1.3:
     i. session hash in HKDF: binding to unique session parameters
     ii. "always signs" in 1-rtt semi-static: continuous possession of the signing key
     iii. client finished message: client key confirmation
