Abstract
In a multipath key exchange protocol (Costea et al., CCS’18) the parties communicate over multiple connection lines, implemented for example with the multipath extension of TCP. Costea et al. show that, if one assumes that an adversary cannot attack all communication paths in an active and synchronized way, then one can securely establish a shared key under mild cryptographic assumptions. This holds even if classical authentication methods like certificate-based signatures fail. They show how to slightly modify TLS to achieve this security level.
Here we discuss that multipath security can also be achieved for TLS 1.3 without modifying the cryptographic part of the protocol at all. To this end one runs a regular handshake over one communication path and then a key update (or a resumption) over the other path. We show that this already provides the desired security guarantees. At the same time, if only a single communication path is available, then one obtains the basic security properties of TLS 1.3 as a fallback guarantee.
References
Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_11
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21
Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_28
de Carnavalet, X.C., Mannan, M.: Killed by proxy: analyzing client-end TLS interception software. In: 23rd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, California, USA, 21–24 February 2016. The Internet Society (2016)
Costea, S., Choudary, M.O., Gucea, D., Tackmann, B., Raiciu, C.: Secure opportunistic multipath key exchange. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, 15–19 October 2018, pp. 2077–2094. ACM (2018)
Davis, H., Günther, F.: Tighter proofs for the SIGMA and TLS 1.3 key exchange protocols. IACR Cryptol. ePrint Arch. 2020, 1029 (2020). https://eprint.iacr.org/2020/1029
Diemert, D., Jager, T.: On the tight security of TLS 1.3: theoretically-sound cryptographic parameters for real-world deployments. IACR Cryptol. ePrint Arch. 2020, 726 (2020). https://eprint.iacr.org/2020/726
Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol. Cryptology ePrint Archive, Report 2020/1044 (2020). https://eprint.iacr.org/2020/1044
Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In: Ray, I., Li, N., Kruegel, C. (eds.) Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015, pp. 1197–1210. ACM (2015)
Evans, C., Palmer, C., Sleevi, R.: Public key pinning extension for HTTP. RFC 7469, April 2015. https://rfc-editor.org/rfc/rfc7469.txt
Fischlin, M., Günther, F.: Multi-stage key exchange and the case of Google’s QUIC protocol. In: Ahn, G., Yung, M., Li, N. (eds.) Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, 3–7 November 2014, pp. 1193–1204. ACM (2014)
Fischlin, M., Günther, F.: Replay attacks on zero round-trip time: the case of the TLS 1.3 handshake candidates. In: 2017 IEEE European Symposium on Security and Privacy, EuroS&P 2017, Paris, France, 26–28 April 2017, pp. 60–75. IEEE (2017). https://doi.org/10.1109/EuroSP.2017.18
Ford, A., Raiciu, C., Handley, M.J., Bonaventure, O., Paasch, C.: TCP extensions for multipath operation with multiple addresses. RFC 8684, March 2020. https://rfc-editor.org/rfc/rfc8684.txt
Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V.: The most dangerous code in the world: validating SSL certificates in non-browser software. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) The ACM Conference on Computer and Communications Security, CCS 2012, Raleigh, NC, USA, 16–18 October 2012, pp. 38–49. ACM (2012)
Katz, J., Lindell, Y.: Introduction to Modern Cryptography, 2nd edn. CRC Press, Boca Raton (2014)
Krawczyk, D.H., Eronen, P.: HMAC-based extract-and-expand key derivation function (HKDF). RFC 5869, May 2010. https://rfc-editor.org/rfc/rfc5869.txt
Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_34
Langley, A.: Apple’s SSL/TLS bug. ImperialViolet (2014). https://www.imperialviolet.org/2014/02/22/applebug.html
Laurie, B., Langley, A., Kasper, E.: Certificate transparency. RFC 6962, June 2013. https://rfc-editor.org/rfc/rfc6962.txt
Menn, J.: E-mail breach in Iran raises surveillance fears. Financial Times, 31 August 2011 (2011)
Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, August 2018. https://rfc-editor.org/rfc/rfc8446.txt
Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, Washington, DC, USA, 18–22 November 2002, pp. 98–107. ACM (2002)
Acknowledgments
We thank the anonymous reviewers for valuable comments. Marc Fischlin has been [co-]funded by the Deutsche Forschungsgemeinschaft (DFG) – SFB 1119 – 236615297.
A Transport Layer Security
Figure 4 depicts the basic TLS 1.3 anonymous (EC)DHE handshake, including the essential steps of the Diffie–Hellman-based key derivation. The key update step has already been explained in Sect. 2.2. A session resumption is similar to the handshake but adds some additional steps. It requires the server to have issued a ticket to the client containing a nonce and identifying information, which are used in the resumption handshake. The client uses an additional extension \(\mathtt {ClientPreSharedKey}\) in its first message to indicate potential identifiers. The server acknowledges one of them in its \(\mathtt {ServerPreSharedKey}\) extension in the second message. The parties then use the resumption secret \(RMS\) from the earlier session to compute a pre-shared key \(PSK\), which this time enters the computation \(ES\leftarrow \mathsf {HKDF}.\mathsf {Extract}(\texttt {""},PSK)\). They also derive a binder key \(BK\) which is used to verify the key. From there on the steps are identical to those of a handshake execution. We note that resumption can be executed with and without the Diffie–Hellman step.
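The key-schedule steps named above (the \(ES\)/\(HS\)/\(MS\) extraction chain, the key update of Sect. 2.2, the \(PSK\) derived from \(RMS\) and the binder key) are written out below as an added illustration of the construction from the abstract: a handshake run over one path, a key update run over the other. This is example code, not the paper's or any TLS library's implementation; it follows the derivation rules of RFC 8446 (Sect. 7.1, 7.2 and 4.6.1) with SHA-256, and every secret, transcript and ticket nonce it uses is a constructed sample value. The function `multipath_check` is a simplified model, not part of the paper: each side derives secrets from its own view of the (EC)DHE output, and an HMAC tag stands in for AEAD record protection on the second path.

```python
"""TLS 1.3 key-schedule sketch for the multipath construction (added example, RFC 8446 rules)."""
import hashlib
import hmac
import struct
from typing import Optional

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for the SHA-256 ciphersuites
ZEROS = b"\x00" * HASH_LEN     # the "0" string of Hash.length bytes in RFC 8446


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i), concatenated."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label: info is the HkdfLabel struct (length, "tls13 "+label, context)."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    """Derive-Secret: HKDF-Expand-Label with the transcript hash as context."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def handshake_secrets(dhe: bytes, transcript_sf: bytes, transcript_cf: bytes,
                      psk: Optional[bytes] = None) -> dict:
    """Key schedule of one (EC)DHE handshake; psk=None is a fresh handshake,
    a bytes psk is a resumption handshake (ES is then extracted from the PSK)."""
    es = hkdf_extract(ZEROS, ZEROS if psk is None else psk)          # Early Secret
    hs = hkdf_extract(derive_secret(es, "derived", b""), dhe)         # Handshake Secret
    ms = hkdf_extract(derive_secret(hs, "derived", b""), ZEROS)       # Master Secret
    return {
        "ES": es, "HS": hs, "MS": ms,
        "binder_key": derive_secret(es, "res binder", b""),
        "c_ap_traffic": derive_secret(ms, "c ap traffic", transcript_sf),
        "s_ap_traffic": derive_secret(ms, "s ap traffic", transcript_sf),
        "RMS": derive_secret(ms, "res master", transcript_cf),
    }


def key_update(app_traffic_secret: bytes) -> bytes:
    """KeyUpdate (RFC 8446, Sect. 7.2): next-generation traffic secret, no new entropy."""
    return hkdf_expand_label(app_traffic_secret, "traffic upd", b"", HASH_LEN)


def resumption_psk(rms: bytes, ticket_nonce: bytes) -> bytes:
    """PSK for a ticket (RFC 8446, Sect. 4.6.1): derived from RMS and the ticket nonce."""
    return hkdf_expand_label(rms, "resumption", ticket_nonce, HASH_LEN)


def multipath_check(client_dhe: bytes, server_dhe: bytes,
                    transcript_sf: bytes, transcript_cf: bytes) -> bool:
    """Simplified model (not from the paper): handshake on path A, KeyUpdate on path B.
    If the two sides hold different (EC)DHE views, e.g. because the path-A handshake was
    interposed, their updated secrets differ and the path-B record does not verify."""
    client = handshake_secrets(client_dhe, transcript_sf, transcript_cf)
    server = handshake_secrets(server_dhe, transcript_sf, transcript_cf)
    client_next = key_update(client["c_ap_traffic"])
    server_next = key_update(server["c_ap_traffic"])
    record = b"application data after KeyUpdate"  # constructed sample record
    tag = hmac.new(client_next, record, HASH).digest()  # stand-in for AEAD protection
    return hmac.compare_digest(tag, hmac.new(server_next, record, HASH).digest())


if __name__ == "__main__":
    dhe = HASH(b"constructed (EC)DHE shared secret").digest()   # sample value
    t_sf = b"ClientHello..ServerFinished (constructed transcript)"
    t_cf = t_sf + b"ClientFinished"
    s = handshake_secrets(dhe, t_sf, t_cf)
    psk = resumption_psk(s["RMS"], b"\x00\x01")                # constructed ticket nonce
    print("resumption ES:", handshake_secrets(dhe, t_sf, t_cf, psk=psk)["ES"].hex())
    print("update on path B verifies (same DHE view):", multipath_check(dhe, dhe, t_sf, t_cf))
    print("update on path B verifies (split views):  ",
          multipath_check(dhe, HASH(b"other view").digest(), t_sf, t_cf))
```

Note that `hkdf_extract(ZEROS, ...)` and the paper's `Extract("", PSK)` coincide, because HMAC zero-pads a key shorter than the hash block size; the example keeps the RFC form. The key update itself injects no fresh key material, which is why the model's security statement is about the two sides agreeing on the secret across paths, not about the update producing a new secret.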
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Fischlin, M., Müller, SA., Münch, JP., Porth, L. (2021). Multipath TLS 1.3. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12973. Springer, Cham. https://doi.org/10.1007/978-3-030-88428-4_5
DOI: https://doi.org/10.1007/978-3-030-88428-4_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88427-7
Online ISBN: 978-3-030-88428-4