Secure Channels and Termination: The Last Word on TLS

Abstract

Secure channels are one of the most pivotal building blocks of cryptography today. Internet connections, secure messaging, protected IoT data, etc., all rely upon the security of the underlying channel. In this work we define channel protocols, as well as security for channels constructed from stateful length-hiding authenticated encryption (stLHAE) schemes. Furthermore, we initiate the concept of secure termination where, upon receipt of a signifying message, a receiver is guaranteed to have received every message that has been sent, and will ever be sent, on the channel. We apply our results to real-world protocols, linking the channel environment to previous analyses of TLS 1.2, and demonstrating that TLS 1.2 achieves secure termination via fatal alerts and \(\texttt {close\_notify}\) messages, per the specification of the Alert Protocol.

A stLHAE Syntax and Security

Definition 14

(Stateful Length-Hiding AEAD). A stateful length-hiding AEAD scheme \(\varPi \) for a message space \(\mathcal M\), an associated data space \(\mathcal {AD}\), a key space \(\mathcal K\), and a ciphertext space \(\mathcal C\), is a tuple of algorithms:

• \(\mathrm {Kgn}() {\mathop {\rightarrow }\limits ^{\$}}k\): A probabilistic key generation algorithm that outputs a key k.

• \(\mathrm {Enc}(k, {\ell }, \mathtt {ad}, {m}, st_{\mathrm {S}}) {\mathop {\rightarrow }\limits ^{\$}}(c, st_{\mathrm {S}}') \): A probabilistic encryption algorithm that takes as input a key \(k \in \mathcal K\), a length \({\ell }\in \mathbb {Z}\cup \{\bot \}\), associated data \(\mathtt {ad}\in \mathcal {AD}\), a message \(m \in \mathcal M\), and an write state \(st_{\mathrm {S}}\), and outputs a ciphertext \(c \in \mathcal C\) or an error symbol \(\bot \), and updated state \(st_{\mathrm {S}}'\).

• \(\mathrm {Dec}(k, \mathtt {ad},c, st_{\mathrm {R}}) \rightarrow (m,st_{\mathrm {R}}')\): A deterministic decryption algorithm that takes as input a key \(k \in \mathcal K\), associated data \(\mathtt {ad}\in \mathcal {AD}\), a ciphertext c, and a read state \(st_{\mathrm {R}}\), and outputs a message \(m \in \mathcal M\) or an error symbol \(\bot \), and an updated state \(st_{\mathrm {R}}'\).

If \({\ell }\ne \bot \), then we say that \(\varPi \) is length-hiding.

Correctness is defined in the obvious way, based on scheme correctness from Definition 1.

Definition 15

(Stateful Length-Hiding AEAD Security). Let \(\varPi \) be a stateful length-hiding AEAD scheme and let \(\mathcal {A}\) be an PPT adversarial algorithm. The stateful length-hiding AEAD experiment for \(\varPi \) with bit b is given by \(\mathsf {Exp}^{\mathsf {stlhae}_{}}_{\varPi }(\mathcal {A})\) in Fig. 6. We define

$$ \mathbf {Adv}^{\mathsf {stlhae}_{}}_{\varPi }(\mathcal {A}) =2 \Pr \left[ \mathsf {Exp}^{\mathsf {stlhae}_{}}_{\varPi }(\mathcal {A}) \right] -1 \ . $$

Note that the state variables \(st_{\mathrm {S}}\), \(st_{\mathrm {R}}\) in Fig. 6 are considered substate variables in terms of the channel environment (e.g. \(\pi _s^P.cxn_\mathtt {W}^i.{substate}\), \(\pi _s^P.cxn_\mathtt {R}^i.{substate}\)). This is due to the increased state considerations of the environment.

Fig. 6.

Stateful length-hiding AEAD experiment \(\mathsf {stlhae}_{}\) for stateful length-hiding AEAD scheme \(\varPi =(\mathrm {Kgn},\mathrm {Enc},\mathrm {Dec})\) and adversary \(\mathcal {A}\).