Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS

Bhargavan, Karthikeyan; Lavaud, Antoine Delignat; Fournet, Cédric; Pironti, A.; Strub, Pierre Yves

doi:10.1109/sp.2014.14

Cited by 126 publications

(83 citation statements)

References 38 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It may seem desirable to guarantee a strong relationship between such connections, but our Property (4) guarantees agreement only for the sequence of epochs over a single connection. Indeed, the natural extension of this property to multiple connections does not hold for TLS, as shown by the triple handshake attack of Bhargavan et al [10]. In this attack, an unsafe server-authenticated session is resumed on a new connection and then renegotiated with a new safe mutually-authenticated session.…”

Section: Discussionmentioning

confidence: 99%

“…Consequently, it is possible for a client and server instance to have a safe epoch but inconsistent variable assignments for the session associated with a prior resumed epoch; this leads to a variety of attacks, similar to the renegotiation attacks of Ray [56]. A stronger agreement can be achieved either at the application level, by checking agreement on prior connections, or by a protocol extension that includes a hash of the log of the original session in resumption handshakes [10]; we leave the modeling of this extension and its security for future work.…”

Section: Discussionmentioning

confidence: 99%

“…This is in sharp contrast with prior work on the provable security of TLS [30,37,39], which focus on a fixed run of the protocol, for a fixed choice of algorithms. (See §7.1 for a detailed discussion of related work on provable security for TLS, and [10] for recent attacks involving triple handshakes. )…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Proving the TLS Handshake Secure (As It Is)

Bhargavan

Fournet

Kohlweiss

et al. 2014

Advances in Cryptology – CRYPTO 2014

Self Cite

View full text Add to dashboard Cite

The TLS Internet Standard features a mixed bag of cryptographic algorithms and constructions, letting clients and servers negotiate their use for each run of the handshake. Although many ciphersuites are now well-understood in isolation, their composition remains problematic, and yet it is critical to obtain practical security guarantees for TLS. We experimentally confirm that all mainstream implementations of TLS share key materials between different algorithms, some of them of dubious strength. We outline attacks in their handling of resumption and renegotiation, stressing the need to model multiple related instances of the handshake.We study the provable security of the TLS handshake, as it is implemented and deployed. To capture the details of the standard and its main extensions, we rely on miTLS, a verified reference implementation of the protocol. miTLS inter-operates with mainstream browsers and servers for many protocol versions, configurations, and ciphersuites; and it provides application-level, provable security for some.We propose new agile security definitions and assumptions for the signatures, key encapsulation mechanisms (KEM), and key derivation algorithms used by the TLS handshake. By necessity, our definitions are stronger than those expected with simple modern protocols. To validate our model of key encapsulation, we prove that both RSA and Diffie-Hellman ciphersuites satisfy our definition for the KEM. In particular, we formalize the use of PKCS#1v1.5 encryption in TLS, including recommended countermeasures against Bleichenbacher attacks, and build a 3,000-line EasyCrypt proof of the security of the resulting master secret KEM against replayable chosen-ciphertext attacks under the assumption that ciphertexts are hard to re-randomize.Based on our new agile definitions, we construct a modular proof of security for the miTLS reference implementation of the handshake, including ciphersuite negotiation, key exchange, renegotiation, and resumption, treated as a detailed 3,600-line executable model. We present our main definitions, constructions, and proofs for an abstract model of the protocol, featuring series of related runs of the handshake with different ciphersuites. We also describe its refinement to account for the whole reference implementation, based on automated verification tools.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

Proving the TLS Handshake Secure (As It Is)

Bhargavan

Fournet

Kohlweiss

et al. 2014

Advances in Cryptology – CRYPTO 2014

Self Cite

View full text Add to dashboard Cite

show abstract

“…The Triple Handshake Attack [14] shows that TLS channel binding via tls-unique and tls-server-endpoint are not secure when session resumption is allowed, since an attacker can cause two distinct sessions to have the same tls-unique binding value via resumption. In order for the techniques proposed in Sects.…”

Section: Tls Channel Bindingsmentioning

confidence: 99%

Secure modular password authentication for the web using channel bindings

Manulis

Stebila

Kiefer³

et al. 2016

Int. J. Inf. Secur.

View full text Add to dashboard Cite

Secure protocols for password-based user authentication are well-studied in the cryptographic literature but have failed to see wide-spread adoption on the internet; most proposals to date require extensive modifications to the Transport Layer Security (TLS) protocol, making deployment challenging. Recently, a few modular designs have been proposed in which a cryptographically secure password-based mutual authentication protocol is run inside a confidential (but not necessarily authenticated) channel such as TLS; the password protocol is bound to the established channel to prevent active attacks. Such protocols are useful in practice for a variety of reasons: security no longer relies on users' ability to validate server certificates and can potentially be implemented with no modifications to the secure channel protocol library. We provide a systematic study of such authentication protocols. Building on recent advances in modeling TLS, we give a formal definition of the intended security goal, which we call password-authenticated and confidential channel establishment (PACCE). We show generically that combining a secure Queensland University of Technology, Brisbane, Australia channel protocol, such as TLS, with a password authentication or password-authenticated key exchange protocol, where the two protocols are bound together using the transcript of the secure channel's handshake, the server's certificate, or the server's domain name, results in a secure PACCE protocol. Our prototypes based on TLS are available as a cross-platform client-side Firefox browser extension as well as an Android application and a server-side web application that can easily be installed on servers.

show abstract

“…Triple Handshake (CVE-2014(CVE- -1295 The triple handshake attack [BhargavanDFPS14] enables the attacker to cause two TLS connections to share keying material. This leads to a multitude of attacks, e.g., man-in-the-middle, breaking safe renegotiation, and breaking channel binding via TLS Exporter [RFC5705] or "tls-unique" [RFC5929].…”

Section: Certificate and Rsa-related Attacksmentioning

confidence: 99%