On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption

Jager, Tibor; Schwenk, Jörg; Somorovsky, Juraj

doi:10.1145/2810103.2813657

Cited by 52 publications

(34 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This attack found by ProVerif directly corresponds to the cross-protocol Bleichenbacher attacks described in [53,8]. It shows that removing RSA key Inria transport from TLS 1.3 is not enough, one must disable the use of TLS 1.2 RSA mode on any server whose certificate may be accepted by a TLS 1.3 client.…”

Section: Inriamentioning

confidence: 73%

“…A version downgrade attack was found in Draft-12 and its countermeasure in Draft-13 was proved secure [16]. A cross-protocol attack on RSA signatures was described in [53]. Even in this paper, we describe two vulnerabilities in 0-RTT client authentication that we discovered and reported, which influenced the subsequent designs of Draft-7 and -13.…”

Section: Introductionmentioning

confidence: 82%

“…Although countermeasures to this attack have been incorporated into TLS, they remains hard to implement securely [65] resulting in continued attacks such as DROWN [8]. Furthermore, such padding oracles can sometimes even be converted to signature oracles for the corresponding private key [53].…”

Section: A Realistic Threat Model For Tlsmentioning

confidence: 99%

“…Second, none of these symbolic or cryptographic analyses, with the exception of [16], consider the composition of TLS 1.3 with legacy versions like TLS 1.2. Hence, they do not account for attacks like [53] that exploit weak legacy crypto in TLS 1.2 to break the modern cryptographic constructions of TLS 1.3. Third, none of these works addresses TLS 1.3 implementations.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate

Bhargavan

Blanchet

Kobeissi

2017

2017 IEEE Symposium on Security and Privacy (SP)

132

View full text Add to dashboard Cite

TLS 1.3 is the next version of the Transport Layer Security (TLS) protocol. Its clean-slate design is a reaction both to the increasing demand for low-latency HTTPS connections and to a series of recent high-profile attacks on TLS. The hope is that a fresh protocol with modern cryptography will prevent legacy problems; the danger is that it will expose new kinds of attacks, or reintroduce old flaws that were fixed in previous versions of TLS. After 18 drafts, the protocol is nearing completion, and the working group has appealed to researchers to analyze the protocol before publication. This paper responds by presenting a comprehensive analysis of the TLS 1.3 Draft-18 protocol. We seek to answer three questions that have not been fully addressed in previous work on TLS 1.3: (1) Does TLS 1.3 prevent well-known attacks on TLS 1.2, such as Logjam or the Triple Handshake, even if it is run in parallel with TLS 1.2? (2) Can we mechanically verify the computational security of TLS 1.3 under standard (strong) assumptions on its cryptographic primitives? (3) How can we extend the guarantees of the TLS 1.3 protocol to the details of its implementations? To answer these questions, we propose a methodology for developing verified symbolic and computational models of TLS 1.3 hand-in-hand with a high-assurance reference implementation of the protocol. We present symbolic ProVerif models for various intermediate versions of TLS 1.3 and evaluate them against a rich class of attacks to reconstruct both known and previously unpublished vulnerabilities that influenced the current design of the protocol. We present a computational CryptoVerif model for TLS 1.3 Draft-18 and prove its security. We present RefTLS, an interoperable implementation of TLS 1.0-1.3 and automatically analyze its protocol core by extracting a ProVerif model from its typed JavaScript code. Résumé : TLS 1.3 est la prochaine version du protocole TLS (Transport Layer Security). Sa conception à partir de zéro est une réaction à la fois à la demande croissante de connexions HTTPS à faible latence et à une série d'attaques récentes de haut niveau sur TLS. L'espoir est qu'un nouveau protocole avec de la cryptographie moderne éviterait d'hériter des problèmes des versions précédentes; le danger est que cela pourrait exposer à de nouveaux types d'attaques ou réintroduire d'anciens défauts corrigés dans les versions précédentes de TLS. Après 18 versions préliminaires, le protocole est presque terminé, et le groupe de travail a appelé les chercheurs à analyser le protocole avant publication. Cet article répond en présentant une analyse globale du protocole TLS 1.3 Draft-18.Nous cherchons à répondre à trois questions qui n'ont pas été entièrement traitées dans les travaux antérieurs sur TLS 1.3: (1) TLS 1.3 empêche-t-il les attaques connues sur TLS 1.2, comme Logjam ou Triple Handshake, même s'il est exécuté en parallèle avec TLS 1.2 ? (2) Peuton vérifier mécaniquement la sécurité calculatoire de TLS 1.3 sous des hypothèses standard (fortes) sur ses primitives...

show abstract

Section: Inriamentioning

confidence: 73%

Section: Introductionmentioning

confidence: 82%

Section: A Realistic Threat Model For Tlsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate

Bhargavan

Blanchet

Kobeissi

2017

2017 IEEE Symposium on Security and Privacy (SP)

132

View full text Add to dashboard Cite

show abstract

“…We note that this is not just a theoretical concern. Attacks against deployed cryptography that reuse keys in unintended ways have been previously reported [27,19,20].…”

Section: Introductionmentioning

confidence: 98%

Generic Forward-Secure Key Agreement Without Signatures

Guilhem

Smart

Warinschi

2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We present a generic, yet simple and efficient transformation to obtain a forward secure authenticated key exchange protocol from a two-move passively secure unauthenticated key agreement scheme (such as standard Diffie-Hellman or Frodo or NewHope). Our construction requires only an IND-CCA public key encryption scheme (such as RSA-OAEP or a method based on ring-LWE), and a message authentication code. Particularly relevant in the context of the stateof-the-art of postquantum secure primitives, we avoid the use of digital signature schemes: practical candidate post-quantum signature schemes are less accepted (and require more bandwidth) than candidate post-quantum public key encryption schemes. An additional feature of our proposal is that it helps avoid the bad practice of using long term keys certified for encryption to produce digital signatures. We prove the security of our transformation in the random oracle model.

show abstract

Analysis of QUIC Session Establishment and Its Implementations

Gagliardi

Levillain

2020

Information Security Theory and Practice

View full text Add to dashboard Cite

In the recent years, the major web companies have been working to improve the user experience and to secure the communications between their users and the services they provide. QUIC is such an initiative, and it is currently being designed by the IETF. In a nutshell, QUIC originally intended to merge features from TCP/SCTP, TLS 1.3 and HTTP/2 into one big protocol. The current specification proposes a more modular definition, where each feature (transport, cryptography, application, packet reemission) are defined in separate internet drafts. We studied the QUIC internet drafts related to the transport and cryptographic layers, from version 18 to version 23, and focused on the connection establishment with existing implementations. We propose a first implementation of QUIC connection establishment using Scapy, which allowed us to forge a critical opinion of the current specification, with a special focus on the induced difficulties in the implementation. With our simple stack, we also tested the behaviour of the existing implementations with regards to security-related constraints (explicit or implicit) from the internet drafts. This gives us an interesting view of the state of QUIC implementations.

show abstract

On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption

Cited by 52 publications

References 26 publications

Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate

Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate

Generic Forward-Secure Key Agreement Without Signatures

Analysis of QUIC Session Establishment and Its Implementations

Contact Info

Product

Resources

About