327 research outputs found

    A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates

    Get PDF
    The Internet Engineering Task Force (IETF) is currently developing the next version of the Transport Layer Security (TLS) protocol, version 1.3. The transparency of this standardization process allows comprehensive cryptographic analysis of the protocols prior to adoption, whereas previous TLS versions have been scrutinized in the cryptographic literature only after standardization. Here we look at two related, yet slightly different candidates which were in discussion for TLS 1.3 at the point of writing of the main part of the paper in May 2015, called draft-ietf-tls-tls13-05 and draft-ietf-tls-tls13-dh-based. We give a cryptographic analysis of the primary ephemeral Diffie-Hellman-based handshake protocol, which authenticates parties and establishes encryption keys, of both TLS 1.3 candidates. We show that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare-Rogaway model. Such a multi-stage approach is convenient for analyzing the design of the candidates, as they establish multiple session keys during the exchange. An important step in our analysis is to consider compositional security guarantees. We show that, since our multi-stage key exchange security notion is composable with arbitrary symmetric-key protocols, the use of session keys in the record layer protocol is safe. Moreover, since we can view the abbreviated TLS resumption procedure also as a symmetric-key protocol, our compositional analysis allows us to directly conclude security of the combined handshake with session resumption. We include a discussion on several design characteristics of the TLS 1.3 drafts based on the observations in our analysis

    A survey of the interaction between security protocols and transport services

    Get PDF
    This document provides a survey of commonly used or notable network security protocols, with a focus on how they interact and integrate with applications and transport protocols. Its goal is to supplement efforts to define and catalog Transport Services by describing the interfaces required to add security protocols. This survey is not limited to protocols developed within the scope or context of the IETF, and those included represent a superset of features a Transport Services system may need to support

    A Cryptographic Analysis of the WireGuard Protocol

    Get PDF
    WireGuard (Donenfeld, NDSS 2017) is a recently proposed secure network tunnel operating at layer 3. WireGuard aims to replace existing tunnelling solutions like IPsec and OpenVPN, while requiring less code, being more secure, more performant, and easier to use. The cryptographic design of WireGuard is based on the Noise framework. It makes use of a key exchange component which combines long-term and ephemeral Diffie-Hellman values (along with optional preshared keys). This is followed by the use of the established keys in an AEAD construction to encapsulate IP packets in UDP. To date, WireGuard has received no rigorous security analysis. In this paper, we, rectify this. We first observe that, in order to prevent Key Compromise Impersonation (KCI) attacks, any analysis of WireGuard\u27s key exchange component must take into account the first AEAD ciphertext from initiator to responder. This message effectively acts as a key confirmation and makes the key exchange component of WireGuard a 1.5 RTT protocol. However, the fact that this ciphertext is computed using the established session key rules out a proof of session key indistinguishability for WireGuard\u27s key exchange component, limiting the degree of modularity that is achievable when analysing the protocol\u27s security. To overcome this proof barrier, and as an alternative to performing a monolithic analysis of the entire WireGuard protocol, we add an extra message to the protocol. This is done in a minimally invasive way that does not increase the number of round trips needed by the overall WireGuard protocol. This change enables us to prove strong authentication and key indistinguishability properties for the key exchange component of WireGuard under standard cryptographic assumptions

    Supporting NAT traversal and secure communications in a protocol implementation framework

    Get PDF
    Dissertação apresentada na Faculdade de Ciências e Tecnologia da Universidade Nova de Lisboa para obtenção do Grau de Mestre em Engenharia Electrotécnica e de ComputadoresThe DOORS framework is a versatile, lightweight message-based framework developed in ANSI C++. It builds upon research experience and subsequent knowledge garnered from the use and development of CVOPS and OVOPS, two well known protocol development frameworks that have obtained widespread acceptance and use in both the Finnish industry and academia. It conceptually resides between the operating system and the application, and provides a uniform development environment shielding the developer from operating system speci c issues. It can be used for developing network services, ranging from simple socket-based systems, to protocol implementations, to CORBA-based applications and object-based gateways. Originally, DOORS was conceived as a natural extension from the OVOPS framework to support generic event-based, distributed and client-server network applications. However, DOORS since then has evolved as a platform-level middleware solution for researching the provision of converged services to both packet-based and telecommunications networks, enterprise-level integration and interoperability in future networks, as well as studying application development, multi-casting and service discovery protocols in heterogeneous IPv6 networks. In this thesis, two aspects of development work with DOORS take place. The rst is the investigation of the Network Address Translation (NAT) traversal problem to give support to applications in the DOORS framework that are residing in private IP networks to interwork with those in public IP networks. For this matter this rst part focuses on the development of a client in the DOORS framework for the Session Traversal Utilities for NAT (STUN) protocol, to be used for IP communications behind a NAT. The second aspect involves secure communications. Application protocols in communication networks are easily intercepted and need security in various layers. For this matter the second part focuses on the investigation and development of a technique in the DOORS framework to support the Transport Layer Security (TLS) protocol, giving the ability to application protocols to rely on secure transport layer services

    Frodo: Take off the ring! Practical, quantum-secure key exchange from LWE

    Get PDF
    Lattice-based cryptography offers some of the most attractive primitives believed to be resistant to quantum computers. Following increasing interest from both companies and government agencies in building quantum computers, a number of works have proposed instantiations of practical post-quantum key exchange protocols based on hard problems in ideal lattices, mainly based on the Ring Learning With Errors (R-LWE) problem. While ideal lattices facilitate major efficiency and storage benefits over their nonideal counterparts, the additional ring structure that enables these advantages also raises concerns about the assumed difficulty of the underlying problems. Thus, a question of significant interest to cryptographers, and especially to those currently placing bets on primitives that will withstand quantum adversaries, is how much of an advantage the additional ring structure actually gives in practice. Despite conventional wisdom that generic lattices might be too slow and unwieldy, we demonstrate that LWE-based key exchange is quite practical: our constant time implementation requires around 1.3ms computation time for each party; compared to the recent NewHope R-LWE scheme, communication sizes increase by a factor of 4.7×, but remain under 12 KiB in each direction. Our protocol is competitive when used for serving web pages over TLS; when partnered with ECDSA signatures, latencies increase by less than a factor of 1.6×, and (even under heavy load) server throughput only decreases by factors of 1.5× and 1.2× when serving typical 1 KiB and 100 KiB pages, respectively. To achieve these practical results, our protocol takes advantage of several innovations. These include techniques to optimize communication bandwidth, dynamic generation of public parameters (which also offers additional security against backdoors), carefully chosen error distributions, and tight security parameters

    Consumo energético de algoritmos criptográficos y protocolos de seguridad en dispositivos móviles Symbian

    Get PDF
    En los últimos años, la telefonía móvil ha redenido la forma de comunicación entre las personas. Los dispositivos electrónicos, a través de los cuales se establece dicha comunicaci ón, han evolucionado vertiginosamente en potencia, rendimiento y sobre todo en nuevas funcionalidades, pero siguen estando limitados por la autonomía que les proporciona la duración de la batería. Mientras la capacidad de procesamiento se incrementa en un 200% cada 18 meses siguiendo la Ley de Moore, el rendimiento de las baterías sólo se ha visto mejorado en un 80% en los últimos 10 años [Fit07]. Esta mejora del rendimiento y la llegada de Internet a estos dispositivos ha hecho posible la comunicación a través de diferentes canales, la búsqueda de información o la posibilidad de realizar compras, todo ello de una forma segura y condencial. Dichas conexiones seguras, bien utilizando conexiones cableadas o inalámbricas, se consiguen mediante la utilización de protocolos de seguridad, basados en algoritmos criptográcos. Estos algoritmos son seleccionados basándose en los objetivos de seguridad denidos en el protocolo de seguridad a utilizar. Entre ellos se incluyen algoritmos de encriptación simétricos y asimétricos, utilizados para proporcionar autenticación y encriptación de los datos, así como algoritmos basados en funciones hash, y, de esa manera, conseguir integridad en los mensajes intercambiados. En la actualidad, el consumo energético en dispositivos móviles es una de los principales preocupaciones de los fabricantes de dispositivos móviles. De la misma manera, la seguridad en las comunicaciones se posiciona como una área muy importante en materia de investigación y desarrollo. El uso de protocolos de seguridad no sólo afecta al rendimiento de las comunicaciones, sino que también representa un fuerte impacto en el consumo energético en estos dispositivos alimentados por baterías. De este modo, uno de los desaf íos más importantes es conseguir un balance entre rendimiento, seguridad y consumo energético, con el n de obtener un buen rendimiento y niveles de seguridad adaptados al usuario con la mínima cantidad de energía. En este contexto, Nokia corporation encargó un proyecto de investigación a la Aalto University School of Science and Technology (Helsinki, Finlandia), para analizar el consumo energético de diferentes protocolos de seguridad y algoritmos criptográcos en la plataforma móvil Symbian

    Performance Evaluation of Post-Quantum TLS 1.3 on Resource-Constrained Embedded Systems

    Get PDF
    Transport Layer Security (TLS) constitutes one of the most widely used protocols for securing Internet communications and has also found broad acceptance in the Internet of Things (IoT) domain. As we progress toward a security environment resistant to quantum computer attacks, TLS needs to be transformed to support post-quantum cryptography. However, post-quantum TLS is still not standardised, and its overall performance, especially in resource-constrained, IoT-capable, embedded devices, is not well understood. In this paper, we showcase how TLS 1.3 can be transformed into quantum-safe by modifying the TLS 1.3 architecture in order to accommodate the latest Post-Quantum Cryptography (PQC) algorithms from NIST PQC process. Furthermore, we evaluate the execution time, memory, and bandwidth requirements of this proposed post-quantum variant of TLS 1.3 (PQ TLS 1.3). This is facilitated by integrating the pqm4 and PQClean library implementations of almost all PQC algorithms selected for standardisation by the NIST PQC process, as well as the alternatives to be evaluated in a new round (Round 4). The proposed solution and evaluation focuses on the lower end of resource-constrained embedded devices. Thus, the evaluation is performed on the ARM Cortex-M4 embedded platform NUCLEO-F439ZI that provides 180180 MHz clock rate, 22 MB Flash Memory, and 256256 KB SRAM. To the authors\u27 knowledge, this is the first systematic, thorough, and complete timing, memory usage, and network traffic evaluation of PQ TLS 1.3 for all the NIST PQC process selections and upcoming candidate algorithms, that explicitly targets resource-constrained embedded systems
    corecore