0-RTT Key Exchange with Full Forward Secrecy

Günther, Felix; Hale, Britta; Jager, Tibor; Lauer, Sebastian

doi:10.1007/978-3-319-56617-7_18

Cited by 66 publications

(60 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This intuition can be compared to different security levels that are achieved by key encapsulation mechanisms (KEM), one-round-key exchanges (ORKE), and authenticated key exchanges (AKE) as depicted in Figure 1. For example, one message patterns (i.e., KEM-DEM constructions) are, among other deficiencies, subject to replay attacks if not equipped with expensive key update mechanisms such as in [19]. As a result, such attacks must be considered when designing an appropriate security model.…”

Section: Flexibility and Generalization For Acce Originally The Authementioning

confidence: 99%

“…Replay Attacks in Noise Replay attacks are an inevitable issue for early communication in many protocols -among them, many Noise patterns (e.g., patterns N, NK, and XK, cf., Figure 2). When assuming long-term keys of parties to be constant (and not variable; cf., [19]), the first ciphertext in a session, sent from an initiator instance π s i of a party i to a responder instance π t1 j of a party j, can be replayed to all other (responder) instances π t2 j , . .…”

Section: Replay Attacks State Reveals and Their Relationmentioning

confidence: 99%

“…As a consequence, only replays of ciphertexts, sent by an initiator to (multiple) responder(s) without any reply from the latter, must be considered harmful in our security experiment. These replay attacks cannot be prevented if the receiver's long-term secret is defined static (which we do in contrast to e.g., [19]) and the initiator has never received a ciphertext. Our definition of replay attack resistance consequently focuses on the security damage that is caused by such replay attacks: it considers how soon the secrets, established by a (replayed) ciphertext, are independent among the sender and the (other) receivers of this replayed ciphertext.…”

Section: Flexible Security Notionmentioning

confidence: 99%

See 2 more Smart Citations

Flexible Authenticated and Confidential Channel Establishment (fACCE): Analyzing the Noise Protocol Framework

Dowling

Rösler

Schwenk

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The Noise protocol framework is a suite of channel establishment protocols, of which each individual protocol ensures various security properties of the transmitted messages, but keeps specification, implementation, and configuration relatively simple. Implementations of the Noise protocols are themselves, due to the employed primitives, very performant. Thus, despite its relative youth, Noise is already used by large-scale deployed applications such as WhatsApp and Slack. Though the Noise specification describes and claims the security properties of the protocol patterns very precisely, there has been no computational proof yet. We close this gap. Noise uses only a limited number of cryptographic primitives which makes it an ideal candidate for reduction-based security proofs. Due to its patterns' characteristics as channel establishment protocols, and the usage of established keys within the handshake, the authenticated and confidential channel establishment (ACCE) model (Jager et al. CRYPTO 2012) seems to perfectly fit for an analysis of Noise. However, the ACCE model strictly divides protocols into two non-overlapping phases: the preaccept phase (i.e., the channel establishment) and post-accept phase (i.e., the channel). In contrast, Noise allows the transmission of encrypted messages as soon as any key is established (for instance, before authentication between parties has taken place), and then incrementally increases the channel's security guarantees. By proposing a generalization of the original ACCE model, we capture security properties of such staged channel establishment protocols flexibly-comparably to the multi-stage key exchange model (Fischlin and Günther CCS 2014). We give security proofs for eight of the 15 basic Noise patterns in the full version (EPRINT 2019/436) and exemplify them by the proof of the XK pattern in this article.

show abstract

Section: Flexibility and Generalization For Acce Originally The Authementioning

confidence: 99%

Section: Replay Attacks State Reveals and Their Relationmentioning

confidence: 99%

Section: Flexible Security Notionmentioning

confidence: 99%

See 1 more Smart Citation

Flexible Authenticated and Confidential Channel Establishment (fACCE): Analyzing the Noise Protocol Framework

Dowling

Rösler

Schwenk

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…APPENDIX A. RELATED WORK Two-party authenticated key-exchange protocols are an old and well-studied primitive [2] and various notions of channel security have been formalized and applied to TLS 1.2 [20], [25], [8], [22], [31], [36], [27] and 1.3 [13], [14], [19], [16], [3], [28], [23], [26], [21]. However, as Bhargavan et al [4] showed in the context of TLS, and as Alt et al [1] and Fouque et al [17] -in the context of mobile networks, expanding two-party handshakes to include even a single, dedicated middlebox can expose the obtained channel to serious attacks.…”

Section: Prototype Implementationmentioning

confidence: 99%

A Formal Treatment of Accountable Proxying Over TLS

Bhargavan

Boureanu

Delignat-Lavaud

et al. 2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Much of Internet traffic nowadays passes through active proxies, whose role is to inspect, filter, cache, or transform data exchanged between two endpoints. To perform their tasks, such proxies modify channel-securing protocols, like TLS, resulting in serious vulnerabilities. Such problems are exacerbated by the fact that middleboxes are often invisible to one or both endpoints, leading to a lack of accountability. A recent protocol, called mcTLS, pioneered accountability for proxies, which are authorized by the endpoints and given limited read/write permissions to application traffic.Unfortunately, we show that mcTLS is insecure: the protocol modifies the TLS protocol, exposing it to a new class of middlebox-confusion attacks. Such attacks went unnoticed mainly because mcTLS lacked a formal analysis and security proofs. Hence, our second contribution is to formalize the goal of accountable proxying over secure channels. Third, we propose a provably-secure alternative to soon-to-be-standardized mcTLS: a generic and modular protocol-design that carefully composes generic secure channel-establishment protocols, which we prove secure. Finally, we present a proof-of-concept implementation of our design, instantiated with unmodified TLS 1.3 draft 23, and evaluate its overheads.

show abstract

“…There are by now several constructions of key-exchange protocols (in settings which are sometimes different from ours) which start from KEMs. For example, Boyd et al [8] construct authenticated key exchange from KEMs, meeting the eCK stronger security requirement, and Gunther et al [14] show how to add forward security to KEMs to obtain forward security when these are used as a full-key exchange protocol that enables forward secure 0-RTT. Both transformations work in the ID-based setting, use pairings and therefore are not generic.…”

Section: Introductionmentioning

confidence: 99%

Generic Forward-Secure Key Agreement Without Signatures

Guilhem

Smart

Warinschi

2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We present a generic, yet simple and efficient transformation to obtain a forward secure authenticated key exchange protocol from a two-move passively secure unauthenticated key agreement scheme (such as standard Diffie-Hellman or Frodo or NewHope). Our construction requires only an IND-CCA public key encryption scheme (such as RSA-OAEP or a method based on ring-LWE), and a message authentication code. Particularly relevant in the context of the stateof-the-art of postquantum secure primitives, we avoid the use of digital signature schemes: practical candidate post-quantum signature schemes are less accepted (and require more bandwidth) than candidate post-quantum public key encryption schemes. An additional feature of our proposal is that it helps avoid the bad practice of using long term keys certified for encryption to produce digital signatures. We prove the security of our transformation in the random oracle model.

show abstract

0-RTT Key Exchange with Full Forward Secrecy

Cited by 66 publications

References 34 publications

Flexible Authenticated and Confidential Channel Establishment (fACCE): Analyzing the Noise Protocol Framework

Flexible Authenticated and Confidential Channel Establishment (fACCE): Analyzing the Noise Protocol Framework

A Formal Treatment of Accountable Proxying Over TLS

Generic Forward-Secure Key Agreement Without Signatures

Contact Info

Product

Resources

About