
    A Cryptographic Look at Multi-Party Channels

    Cryptographic channels aim to enable authenticated and confidential communication over the Internet. The general understanding seems to be that providing security in the sense of authenticated encryption for every (unidirectional) point-to-point link suffices to achieve this goal. As recently shown (in FSE17/ToSC17), however, the security properties of the unidirectional links do not extend, in general, to the bidirectional channel as a whole. Intuitively, the reason for this is that the increased interaction in bidirectional communication can be exploited by an adversary. The same applies, a fortiori, in a multi-party setting where several users operate concurrently and the communication develops in more directions. In the cryptographic literature, however, the targeted goals for group communication in terms of channel security are still unexplored. Applying the methodology of provable security, we fill this gap by defining exact (game-based) authenticity and confidentiality goals for broadcast communication, and showing how to achieve them. Importantly, our security notions also account for the causal dependencies between exchanged messages, thus naturally extending the bidirectional case where causal relationships are automatically captured by preserving the sending order. On the constructive side we propose a modular and yet efficient protocol that, assuming only point-to-point links between users, leverages (non-cryptographic) broadcast and standard cryptographic primitives to a full-fledged broadcast channel that provably meets the security notions we put forth.

    Security Notions for Bidirectional Channels

    This paper closes a definitional gap in the context of modeling cryptographic two-party channels. We note that, while most security models for channels consider exclusively unidirectional communication, real-world protocols like TLS and SSH are rather used for bidirectional interaction. The motivational question behind this paper is: Can analyses conducted with the unidirectional setting in mind—including the current ones for TLS and SSH—also vouch for security in the case of bidirectional channel usage? And, in the first place, what does security in the bidirectional setting actually mean? After developing confidentiality and integrity notions for bidirectional channels, we analyze a standard way of combining two unidirectional channels to realize one bidirectional channel. Although it turns out that this construction is, in general, not as secure as commonly believed, we confirm that for many practical schemes security is provided also in the bidirectional sense.

    Practical Secure Logging: Seekable Sequential Key Generators

    In computer forensics, log files are indispensable resources that support auditors in identifying and understanding system threats and security breaches. If such logs are recorded locally, i.e., stored on the monitored machine itself, the problem of log authentication arises: if a system intrusion takes place, the intruder might be able to manipulate the log entries and cover her traces. Mechanisms that cryptographically protect collected log messages from manipulation should ideally have two properties: they should be *forward-secure* (the adversary gets no advantage from learning current keys when aiming at forging past log entries), and they should be *seekable* (the auditor can verify the integrity of log entries in any order or access pattern, at virtually no computational cost). We propose a new cryptographic primitive, a *seekable sequential key generator* (SSKG), that combines these two properties and has direct application in secure logging. We rigorously formalize the required security properties and give a provably-secure construction based on the integer factorization problem. We further optimize the scheme in various ways, preparing it for real-world deployment. As a byproduct, we develop the notion of a *shortcut one-way permutation* (SCP), which might be of independent interest. Our work is highly relevant in practice. Indeed, our SSKG implementation has become part of the logging service of the systemd system manager, a core component of many modern commercial Linux-based operating systems.

    On the Non-malleability of the Fiat-Shamir Transform

    The Fiat-Shamir transform is a well-studied paradigm for removing interaction from public-coin protocols. We investigate whether the resulting non-interactive zero-knowledge (NIZK) proof systems also exhibit non-malleability properties that have up to now only been studied for NIZK proof systems in the common reference string model: first, we formally define simulation soundness and a weak form of simulation extraction in the random oracle model (ROM). Second, we show that in the ROM the Fiat-Shamir transform meets these properties under lenient conditions. A consequence of our result is that, in the ROM, we obtain truly efficient non-malleable NIZK proof systems essentially for free. Our definitions are sufficient for instantiating the Naor-Yung paradigm for CCA2-secure encryption, as well as a generic construction for signature schemes from hard relations and simulation-extractable NIZK proof systems. These two constructions are interesting as the former preserves both the leakage resilience and key-dependent message security of the underlying CPA-secure encryption scheme, while the latter lifts the leakage resilience of the hard relation to the leakage resilience of the resulting signature scheme.

    Data Is a Stream: Security of Stream-Based Channels

    The common approach to defining secure channels in the literature is to consider transportation of discrete messages provided via atomic encryption and decryption interfaces. This, however, ignores that many practical protocols (including TLS, SSH, and QUIC) offer streaming interfaces instead, moreover with the complexity that the network (possibly under adversarial control) may deliver arbitrary fragments of ciphertexts to the receiver. To address this deficiency, we initiate the study of stream-based channels and their security. We present notions of confidentiality and integrity for such channels, akin to the notions for atomic channels, but taking the peculiarities of streams into account. We provide a composition result for our setting, saying that combining chosen-plaintext confidentiality with integrity of the transmitted ciphertext stream lifts confidentiality of the channel to chosen-ciphertext security. Notably, for our proof of this theorem in the streaming setting we need an additional property, called error predictability. We give an AEAD-based construction that achieves our notion of a secure stream-based channel. The construction matches rather well the one used in TLS, providing validation of that protocol's design. Finally, we study how applications that actually aim at transporting atomic messages can do so safely over a stream-based channel. We provide corresponding security notions and a generic and secure 'encode-then-stream' paradigm.

    A Cryptographic Analysis of OPACITY

    We take a closer look at the Open Protocol for Access Control, Identification, and Ticketing with privacY (OPACITY). This Diffie-Hellman-based protocol is supposed to provide a secure and privacy-friendly key establishment for contactless environments. It is promoted by the US Department of Defense and meanwhile available in several standards such as ISO/IEC 24727-6 and ANSI 504-1. To the best of our knowledge, so far no detailed cryptographic analysis has been publicly available. Thus, we investigate to what extent the common security properties for authenticated key exchange and impersonation resistance, as well as privacy-related properties like untraceability and deniability, are met. OPACITY is not a single protocol but, in fact, a suite consisting of two protocols, one called Zero-Key Management (ZKM) and the other one named Fully Secrecy (FS). Our results indicate that the ZKM version does not achieve even very basic security guarantees. The FS protocol, on the other hand, provides a decent level of security for key establishment. Yet, our results show that the persistent-binding steps, for re-establishing previous connections, conflict with fundamental privacy properties.

    PoTS - A Secure Proof of TEE-Stake for Permissionless Blockchains

    Proof-of-Stake (PoS) protocols have been actively researched for the past few years. PoS finds direct applicability in permissionless blockchain platforms and emerges as one of the strongest candidates to replace the largely inefficient Proof of Work mechanism that is currently used in the majority of existing permissionless blockchain systems. Although a number of PoS variants have been proposed, these protocols suffer from a number of security shortcomings. Namely, most existing PoS variants are either subject to the nothing-at-stake, the long-range, or the stake-grinding attacks, which considerably degrade security in the blockchain. These shortcomings do not result from a lack of foresight when designing these protocols, but are inherently due to the ease of manipulating stake when compared to other more established variants, such as work. In this paper, we address these problems and propose a secure Proof of Stake protocol, PoTS, that leverages Trusted Execution Environments (TEEs), such as Intel SGX, to ensure that each miner can generate at most one block per height for strictly increasing heights—thus thwarting the problem of nothing at stake and a large class of long-range attacks. In combination with TEEs, PoTS additionally uses cryptographic techniques to also prevent grinding attacks and protect against posterior corruption. We show that our protocol is secure, in the sense of well-established cryptographic notions for blockchain protocols, down to realistic hardware assumptions on TEEs and well-established cryptographic assumptions. Finally, we evaluate the performance of our proposal by means of an implementation. Our evaluation results show that PoTS offers a strong tradeoff between security and performance of the underlying PoS protocol.

    Real-World Aspects of Secure Channels: Fragmentation, Causality, and Forward Security

    A secure channel is a cryptographic protocol that adds security to unprotected network connections. Prominent examples include the Transport Layer Security (TLS) and the Secure Shell (SSH) protocols. Because of their large-scale deployment, these protocols have received a lot of attention from academia. Starting with the seminal work of Bellare, Kohno, and Namprempre (BKN; CCS 2002) on the security of SSH, numerous authors analyzed channel protocols using the same approach of BKN to model a channel as a stateful authenticated encryption scheme. However, deployed protocols such as TLS and SSH are inherently complex, and a single mathematical abstraction can hardly capture all aspects that are relevant to security. In this thesis we reconsider the suitability of the stateful authenticated encryption abstraction for the analysis of real-world channel protocols. In particular, we highlight that such an abstraction is too restrictive, in a sense that we clarify next, to capture three important aspects that do not appear in existing cryptographic models for secure channels. Firstly, we question the common approach that treats secure channels using atomic encryption and decryption interfaces to transport a sequence of messages. This approach ignores that many real-world protocols, including TLS and SSH, offer a streaming interface instead. To formalize the non-atomic behavior of these protocols we initiate the study of stream-based channels and their security. We formalize notions of confidentiality and integrity by extending the BKN model for stateful authenticated encryption to take the peculiarities of streams into account. Inspired by the TLS 1.3 protocol we present a generic construction of a stream-based channel from any authenticated encryption scheme with associated data (AEAD), and prove its security.
    Secondly, we note that while TLS, SSH, and many other channel protocols are typically used for bidirectional interaction, cryptographic models assessing the security of these protocols exclusively account for unidirectional communication, from one sender to one receiver. We correspondingly ask: Do security results for unidirectional channels extend to the bidirectional case? And, in the first place, what does security in the bidirectional setting actually mean? How does all this scale when more than two participants are involved? To answer these questions we conduct a rigorous study of security notions for bidirectional channels and their generalization to the broadcast setting with more than two participants. In a broadcast scenario, confidentiality and integrity need to capture aspects related to the causality of events in distributed systems that have no counterpart in the much simpler unidirectional case. The causality between exchanged messages is particularly relevant, both in terms of functionality and of security, in the context of instant messaging protocols such as TextSecure. Furthermore, we provide generic constructions of broadcast channels from AEAD. We also analyze and validate a traditional heuristic (used, among others, in TLS) of combining two unidirectional channels to realize a bidirectional one. Finally, we look at forward security, which strengthens regular security by demanding that even if an adversary eventually obtains the secret key in use (by corruption), past uses of the cryptosystem are not compromised. While being a standard requirement for authenticated key exchange, so far, providing forward security was not considered a goal of cryptographic channels in the BKN model and its follow-ups.
    However, it is considered folklore that forward-secure authenticated encryption schemes can be constructed in a modular way by replacing the key generation procedure with one that produces a sequence of forward-secure keys and then using these keys for re-keying the encryption and decryption routines in use. This approach may also be applied for realizing forward-secure channels. Following this idea, in the last part of the thesis we leave the domain of channels and focus on building forward-secure key generation mechanisms. Secure solutions for the latter primitive have been proposed already in the past. In this thesis we complement the current picture by contributing certain efficiency improvements for sequential key generators. In particular, we illustrate that our solutions find a natural application in the authentication of log files. Implementations of one of our schemes are installed on millions of computers world-wide.