Abstract
Secure channels are one of the most pivotal building blocks of cryptography today. Internet connections, secure messaging, protected IoT data, etc., all rely upon the security of the underlying channel. In this work we define channel protocols, as well as security for channels constructed from stateful length-hiding authenticated encryption (stLHAE) schemes. Furthermore, we initiate the concept of secure termination where, upon receipt of a signifying message, a receiver is guaranteed to have received every message that has been sent, and will ever be sent, on the channel. We apply our results to real-world protocols, linking the channel environment to previous analyses of TLS 1.2, and demonstrating that TLS 1.2 achieves secure termination via fatal alerts and \(\texttt {close\_notify}\) messages, per the specification of the Alert Protocol.
A stLHAE Syntax and Security
Definition 14
(Stateful Length-Hiding AEAD). A stateful length-hiding AEAD scheme \(\varPi \) for a message space \(\mathcal M\), an associated data space \(\mathcal {AD}\), a key space \(\mathcal K\), and a ciphertext space \(\mathcal C\), is a tuple of algorithms:
- \(\mathrm {Kgn}() {\mathop {\rightarrow }\limits ^{\$}}k\): A probabilistic key generation algorithm that outputs a key k.
- \(\mathrm {Enc}(k, {\ell }, \mathtt {ad}, {m}, st_{\mathrm {S}}) {\mathop {\rightarrow }\limits ^{\$}}(c, st_{\mathrm {S}}') \): A probabilistic encryption algorithm that takes as input a key \(k \in \mathcal K\), a length \({\ell }\in \mathbb {Z}\cup \{\bot \}\), associated data \(\mathtt {ad}\in \mathcal {AD}\), a message \(m \in \mathcal M\), and a write state \(st_{\mathrm {S}}\), and outputs a ciphertext \(c \in \mathcal C\) or an error symbol \(\bot \), together with an updated state \(st_{\mathrm {S}}'\).
- \(\mathrm {Dec}(k, \mathtt {ad},c, st_{\mathrm {R}}) \rightarrow (m,st_{\mathrm {R}}')\): A deterministic decryption algorithm that takes as input a key \(k \in \mathcal K\), associated data \(\mathtt {ad}\in \mathcal {AD}\), a ciphertext c, and a read state \(st_{\mathrm {R}}\), and outputs a message \(m \in \mathcal M\) or an error symbol \(\bot \), together with an updated state \(st_{\mathrm {R}}'\).
If \({\ell }\ne \bot \), then we say that \(\varPi \) is length-hiding.
Correctness is defined in the obvious way, based on scheme correctness from Definition 1.
Definition 15
(Stateful Length-Hiding AEAD Security). Let \(\varPi \) be a stateful length-hiding AEAD scheme and let \(\mathcal {A}\) be a PPT adversarial algorithm. The stateful length-hiding AEAD experiment for \(\varPi \) with bit b is given by \(\mathsf {Exp}^{\mathsf {stlhae}_{}}_{\varPi }(\mathcal {A})\) in Fig. 6. We define
Note that the state variables \(st_{\mathrm {S}}\), \(st_{\mathrm {R}}\) in Fig. 6 are considered substate variables in terms of the channel environment (e.g. \(\pi _s^P.cxn_\mathtt {W}^i.{substate}\), \(\pi _s^P.cxn_\mathtt {R}^i.{substate}\)). This is due to the increased state considerations of the environment.
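To make the syntax of Definition 14 and the stateful guarantees behind Definition 15 concrete, the following is an added, self-contained example; it is not the paper's scheme and not code from any project the paper analyses. It builds a toy stLHAE scheme from HMAC-SHA256 only (counter-mode keystream plus encrypt-then-MAC), so that it runs on the Python standard library; a real channel would put an AEAD such as AES-GCM in the same role. The write and read states are a sequence number, the tag binds that sequence number and the associated data to each record, and the length parameter ℓ pads every message to a fixed on-the-wire size. Everything here (function names, the padding encoding, the sample messages and the `"failed"` flag) is constructed for the example; in particular, the choice that a failed decryption makes the read state permanently failed is an assumption modelled on TLS fatal alerts, not something Definition 14 prescribes.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32        # HMAC-SHA256 tag length
MAX_LEN = 0xFFFF    # the padding trailer encodes len(m) in two bytes

def Kgn():
    """Probabilistic key generation: a fresh 256-bit key (constructed example)."""
    return os.urandom(32)

def new_state():
    """Initial write state st_S / read state st_R: sequence number 0, not failed."""
    return {"seqno": 0, "failed": False}

def _subkeys(k):
    # Split k into independent encryption and MAC keys (simple HMAC-based derivation).
    return (hmac.new(k, b"enc", hashlib.sha256).digest(),
            hmac.new(k, b"mac", hashlib.sha256).digest())

def _keystream(k_enc, seqno, n):
    # Counter-mode keystream: HMAC(k_enc, seqno || block_index), truncated to n bytes.
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(k_enc, struct.pack(">QQ", seqno, block), hashlib.sha256).digest()
        block += 1
    return out[:n]

def _tag(k_mac, seqno, ad, body):
    # The tag binds the sequence number and the associated data to the ciphertext body,
    # so replayed, reordered or re-contextualised records fail verification.
    return hmac.new(k_mac, struct.pack(">QI", seqno, len(ad)) + ad + body, hashlib.sha256).digest()

def Enc(k, ell, ad, m, st_S):
    """Enc(k, ell, ad, m, st_S) -> (c, st_S'). ell = None plays the role of bot (no hiding)."""
    if st_S["failed"]:
        return None, st_S
    if ell is None:
        ell = len(m)
    if len(m) > ell or ell > MAX_LEN:
        return None, st_S                 # m does not fit the requested length
    # Length-hiding encoding: m || zero padding || 2-byte len(m). Every message sent with
    # the same ell yields a ciphertext of the same length ell + 2 + TAG_LEN.
    padded = m + b"\x00" * (ell - len(m)) + struct.pack(">H", len(m))
    k_enc, k_mac = _subkeys(k)
    seqno = st_S["seqno"]
    body = bytes(x ^ y for x, y in zip(padded, _keystream(k_enc, seqno, len(padded))))
    return body + _tag(k_mac, seqno, ad, body), {"seqno": seqno + 1, "failed": False}

def Dec(k, ad, c, st_R):
    """Dec(k, ad, c, st_R) -> (m, st_R'); (None, failed state) stands for bot.
    Assumption: after one failure the read state rejects everything, as a TLS
    connection does after a fatal alert."""
    seqno = st_R["seqno"]
    failed = {"seqno": seqno, "failed": True}
    if st_R["failed"] or len(c) < TAG_LEN + 2:
        return None, failed
    k_enc, k_mac = _subkeys(k)
    body, tag = c[:-TAG_LEN], c[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(k_mac, seqno, ad, body)):
        return None, failed
    padded = bytes(x ^ y for x, y in zip(body, _keystream(k_enc, seqno, len(body))))
    (mlen,) = struct.unpack(">H", padded[-2:])
    if mlen > len(padded) - 2:
        return None, failed
    return padded[:mlen], {"seqno": seqno + 1, "failed": False}

def demo():
    """In-order delivery succeeds; reordering, replay, AD mismatch and overlong m fail."""
    k = Kgn()
    st_S, st_R = new_state(), new_state()
    c1, st_S = Enc(k, 16, b"hdr", b"hello", st_S)
    c2, st_S = Enc(k, 16, b"hdr", b"goodbye, world!", st_S)
    m1, st_R = Dec(k, b"hdr", c1, st_R)
    m2, _ = Dec(k, b"hdr", c2, st_R)
    reordered, _ = Dec(k, b"hdr", c2, new_state())   # c2 delivered before c1
    replay, st_bad = Dec(k, b"hdr", c1, st_R)        # c1 delivered again after acceptance
    after_fail, _ = Dec(k, b"hdr", c2, st_bad)       # a valid record after a failure
    ad_mismatch, _ = Dec(k, b"other", c1, new_state())
    return {"length_hiding": len(c1) == len(c2), "c_len": len(c1),
            "m1": m1, "m2": m2, "reordered": reordered, "replay": replay,
            "after_fail": after_fail, "ad_mismatch": ad_mismatch,
            "too_long": Enc(k, 4, b"hdr", b"hello", new_state())[0]}
```

Running `demo()` shows the two properties the definitions are about: both records are 50 bytes long regardless of message length (ℓ = 16, plus a 2-byte trailer and a 32-byte tag), and any record that is not the next one the reader expects under the same associated data decrypts to ⊥. The state variables correspond to the \(st_{\mathrm {S}}\), \(st_{\mathrm {R}}\) of Fig. 6; in the channel environment of the paper they would live in the per-connection substate.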
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Boyd, C., Hale, B. (2019). Secure Channels and Termination: The Last Word on TLS. In: Lange, T., Dunkelman, O. (eds) Progress in Cryptology – LATINCRYPT 2017. LATINCRYPT 2017. Lecture Notes in Computer Science, vol 11368. Springer, Cham. https://doi.org/10.1007/978-3-030-25283-0_3
DOI: https://doi.org/10.1007/978-3-030-25283-0_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-25282-3
Online ISBN: 978-3-030-25283-0
eBook Packages: Computer Science (R0)