14 research outputs found
Session Resumption Protocols and Efficient Forward Security for TLS 1.3 0-RTT
The TLS 1.3 0-RTT mode enables a client reconnecting to a server to send encrypted application-layer data in 0-RTT (zero round-trip time), without the need for a prior interactive handshake. This fundamentally requires the server to reconstruct the previous session's encryption secrets upon receipt of the client's first message. The standard techniques to achieve this are session caches or, alternatively, session tickets. The former provides forward security and resistance against replay attacks, but requires a large amount of server-side storage. The latter requires negligible storage, but provides no forward security and is known to be vulnerable to replay attacks.
In this paper, we first formally define session resumption protocols as an abstract perspective on mechanisms like session caches and session tickets. We give a new generic construction that provably provides forward security and replay resilience, based on puncturable pseudorandom functions (PPRFs). This construction can immediately be used in TLS 1.3 0-RTT and deployed unilaterally by servers, without requiring any changes to clients or the protocol.
We then describe two new constructions of PPRFs, which are particularly suitable for forward-secure and replay-resilient session resumption in TLS 1.3. The first construction is based on the strong RSA assumption. Compared to standard session caches, for 128-bit security it reduces the required server storage by a factor of almost 20, when instantiated such that key derivation and puncturing together are cheaper on average than one full exponentiation in an RSA group. Hence, a 1 GB session cache can be replaced with only about 51 MB of storage, which significantly reduces the amount of secure memory required. For larger security parameters or in exchange for more expensive computations, even larger storage reductions are achieved.
The second construction combines a standard binary tree PPRF with a new domain extension technique. For a reasonable choice of parameters, this reduces the required storage by a factor of up to 5 compared to a standard session cache. It employs only symmetric cryptography, is suitable for high-traffic scenarios, and can serve thousands of tickets per second.
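As an added illustration (not code from the paper), the following stdlib-only Python sketch shows the mechanism the generic construction relies on: a binary-tree (GGM) PPRF whose secret state is a set of subtree keys, a ticket that carries the encrypted session state under a key derived from the PPRF at a per-ticket index, and a server that punctures that index on first use. The `TicketServer` API, the counter-based index and the HMAC-built toy encryption are assumptions made for the example; the paper's domain-extension technique and its storage accounting are not reproduced.

```python
import hashlib
import hmac
import secrets


class GGMPuncturablePRF:
    """Binary-tree (GGM) PPRF over {0, ..., 2**depth - 1}. The secret state is a
    set of subtree keys; puncturing x swaps the subtree containing x for the
    sibling keys along the root-to-x path, so every leaf but x stays derivable
    and F(x) can no longer be recomputed from what the server stores."""

    def __init__(self, depth, root_key=b""):
        self.depth = depth
        self.keys = {(0, 0): root_key or secrets.token_bytes(32)}  # (level, prefix) -> key

    @staticmethod
    def _child(key, bit):
        return hmac.new(key, bytes([bit]), hashlib.sha256).digest()

    def _stored_ancestor(self, x):
        for level in range(self.depth + 1):
            prefix = x >> (self.depth - level)
            if (level, prefix) in self.keys:
                return level, prefix
        return None  # x has been punctured

    def evaluate(self, x):
        found = self._stored_ancestor(x)
        if found is None:
            raise KeyError("point %d has been punctured" % x)
        level, prefix = found
        key = self.keys[(level, prefix)]
        for lvl in range(level, self.depth):
            key = self._child(key, (x >> (self.depth - lvl - 1)) & 1)
        return key

    def puncture(self, x):
        found = self._stored_ancestor(x)
        if found is None:
            return
        level, prefix = found
        key = self.keys.pop((level, prefix))
        for lvl in range(level, self.depth):
            bit = (x >> (self.depth - lvl - 1)) & 1
            # keep the sibling subtree, descend toward x; F(x) itself is never stored
            self.keys[(lvl + 1, (prefix << 1) | (1 - bit))] = self._child(key, 1 - bit)
            key, prefix = self._child(key, bit), (prefix << 1) | bit


# Toy one-time encrypt-then-MAC built from HMAC. A real server would use an AEAD
# such as AES-GCM; this stdlib-only stand-in is acceptable here only because each
# PPRF output keys exactly one ticket, so the keystream is never reused.
def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _stream(enc_key, n):
    return b"".join(hmac.new(enc_key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))


def _seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(enc_key, len(plaintext))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def _open(key, blob):
    enc_key, mac_key = _subkeys(key)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("ticket authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _stream(enc_key, len(ct))))


class TicketServer:
    """Resumption where the ticket carries the encrypted session state and the
    server keeps only the PPRF state and a counter (hypothetical API)."""

    def __init__(self, depth=20):
        self.pprf = GGMPuncturablePRF(depth)
        self.next_index = 0

    def issue_ticket(self, session_state):
        i, self.next_index = self.next_index, self.next_index + 1
        return i.to_bytes(4, "big") + _seal(self.pprf.evaluate(i), session_state)

    def resume(self, ticket):
        i = int.from_bytes(ticket[:4], "big")
        try:
            ticket_key = self.pprf.evaluate(i)  # fails once i is punctured: replay or expiry
        except KeyError:
            raise ValueError("replayed or expired ticket") from None
        state = _open(ticket_key, ticket[4:])
        self.pprf.puncture(i)  # forward security: a later compromise cannot re-derive ticket_key
        return state

    def stored_keys(self):
        return len(self.pprf.keys)
```

Two properties follow directly: a replayed ticket is rejected because its index is punctured, and a server compromise after resumption yields nothing that decrypts an earlier ticket, since `puncture` discards F(x) and keeps only sibling subtree keys. Storage after k punctures is at most k times the tree depth in 32-byte keys, which is why the tree parameters and the paper's domain-extension technique, not the PPRF alone, determine the storage factor actually achieved.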
Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E)
Diffie-Hellman key exchange (DHKE) is a widely adopted method for exchanging cryptographic key material in real-world protocols like TLS-DH(E). Past attacks on TLS-DH(E) focused on weak parameter choices or missing parameter validation. The confidentiality of the computed DH share, the premaster secret, was never questioned; DHKE is used as a generic method to avoid the security pitfalls of TLS-RSA.
We show that due to a subtle issue in the key derivation of all TLS-DH(E) cipher suites in versions up to TLS 1.2, the premaster secret of a TLS-DH(E) session may, under certain circumstances, be leaked to an adversary. Our main result is a novel side-channel attack, named Raccoon attack, which exploits a timing vulnerability in TLS-DH(E), leaking the most significant bits of the shared Diffie-Hellman secret. The root cause for this side channel is that the TLS standard encourages non-constant-time processing of the DH secret. If the server reuses ephemeral keys, this side channel may allow an attacker to recover the premaster secret by solving an instance of the Hidden Number Problem. The Raccoon attack takes advantage of uncommon DH modulus sizes, which depend on the properties of the used hash functions. We describe a fully feasible remote attack against an otherwise-secure TLS configuration: OpenSSL with a 1032-bit DH modulus. Fortunately, such moduli are not commonly used on the Internet.
Furthermore, with our large-scale scans we have identified implementation-level issues in production-grade TLS implementations that allow for executing the same attack by directly observing the contents of server responses, without resorting to timing measurements.
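The side channel is easiest to see by following what TLS 1.2 does with the DH secret. RFC 5246 (section 8.1.2) strips leading all-zero bytes from the shared secret Z before it becomes the premaster secret, and the TLS 1.2 PRF then uses that secret as an HMAC key. HMAC zero-pads a key no longer than the hash block size but hashes a longer key first, so the work done depends on the secret's byte length, i.e. on its top bits. The block below is an added example, not the paper's code: it computes, for a PRF hash and a modulus size, whether a secret with a zero top byte is pre-processed differently from a full-length one. With SHA-384 (128-byte HMAC block) a 129-byte secret, i.e. a 1032-bit modulus, sits exactly on the hashed/not-hashed boundary, which is why that size is critical for SHA-384-based cipher suites. The function names are mine; the timing measurement and the Hidden Number Problem solving that turn the oracle into key recovery are not modelled.

```python
import hashlib


def tls12_premaster_from_dh(Z):
    """RFC 5246 section 8.1.2: leading all-zero bytes of the DH shared secret Z
    are stripped before Z is used as the pre_master_secret. The secret's byte
    length therefore reveals how many leading zero bytes it had."""
    return Z.lstrip(b"\x00")


def hmac_key_preprocessing(key_len, hash_name):
    """How HMAC (RFC 2104) handles a key of key_len bytes before any message is
    processed. Returns (hashed, compression_calls): a key no longer than the
    hash block size is zero-padded with no hashing; a longer key is hashed
    first, costing a number of compression-function calls that depends on its
    length. Either difference is observable work inside the TLS 1.2 PRF."""
    block = hashlib.new(hash_name).block_size  # 64 for SHA-256, 128 for SHA-384/512
    if key_len <= block:
        return (False, 0)
    length_field = 16 if block == 128 else 8  # Merkle-Damgard length field size
    calls = -(-(key_len + 1 + length_field) // block)  # ceil((key + 0x80 + length) / block)
    return (True, calls)


def msb_leaks_through_hmac(modulus_bits, hash_name):
    """True if a premaster secret with a zero top byte (one byte stripped) is
    pre-processed differently from a full-length one: the MSB oracle exists."""
    full = (modulus_bits + 7) // 8
    return hmac_key_preprocessing(full, hash_name) != hmac_key_preprocessing(full - 1, hash_name)


def critical_modulus_sizes(hash_name, lo_bits=512, hi_bits=4096):
    """Byte-aligned modulus sizes in [lo_bits, hi_bits] for which the oracle exists."""
    return [b for b in range(lo_bits, hi_bits + 1, 8) if msb_leaks_through_hmac(b, hash_name)]


if __name__ == "__main__":
    for h in ("sha256", "sha384"):
        print(h, critical_modulus_sizes(h))
```

Running it shows why the abstract calls the affected sizes uncommon: with SHA-384 the oracle exists at 1032 and 1920 bits but not at 2048, and with SHA-256 the 1032-bit case does not leak at all, because both 128 and 129 bytes cost the same three compression calls. The implementation-level variants the scans found are a separate matter; they expose the same stripped-length information directly rather than through timing.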
Practical (Post-Quantum) Key Combiners from One-Wayness and Applications to TLS
The task of combining cryptographic keys, some of which may be maliciously formed, into one key, which is (pseudo)random is a central task in cryptographic systems. For example, it is a crucial component in the widely used TLS and Signal protocols. From an analytical standpoint, current security proofs model such key combiners as dual-PRFs -- a function which is a PRF when keyed by either of its two inputs -- guaranteeing pseudo-randomness if one of the keys is compromised or even maliciously chosen by an adversary.
However, in practice, protocols mostly use HKDF as a key combiner, despite the fact that HKDF was never proven to be a dual-PRF. Security proofs for these protocols usually work around this issue either by simply assuming HKDF to be a dual-PRF anyway, or by assuming ideal models (e.g. modelling underlying hash functions as random oracles). We identify several deployed protocols and upcoming standards where this is the case. Unfortunately, such heuristic approaches to security tend not to withstand the test of time, often leading to deployed systems that eventually become completely insecure.
In this work, we narrow the gap between theory and practice for key combiners. In particular, we give a construction of a dual-PRF that can be used as a drop-in replacement for current heuristic key combiners in a range of protocols. Our construction follows a theoretical construction by Bellare and Lysyanskaya, and is based on concrete hardness assumptions, phrased in the spirit of one-wayness. Therefore, our construction provides security unless extremely strong attacks against the underlying cryptographic hash function are discovered. Moreover, since these assumptions are considered post-quantum secure, our construction can safely be used in new hybrid protocols. From a practical perspective, our dual-PRF construction is highly efficient, adding only a few microseconds in computation time compared to currently used (heuristic) approaches. We believe that our approach exemplifies a perfect middle-ground for practically efficient constructions that are supported by realistic hardness assumptions.
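To make the dual-PRF requirement concrete, here is an added Python example (not the paper's construction, which is not reproduced here): three candidate combiners for two key shares, and a two-query distinguisher that plays the PRF game with the secret in either slot. HKDF-Extract(salt=k1, IKM=k2) is HMAC(k1, k2), so PRF security with k1 secret is HMAC's standard guarantee, while PRF security with k2 secret is the unproven "swap" direction the paragraph refers to. The combiner and function names are mine.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Three candidate combiners F(k1, k2) -> 32 bytes; think k1 = classical (EC)DH
# share and k2 = post-quantum KEM share in a hybrid handshake.

def combine_xor(k1, k2):
    return xor_bytes(k1, k2)


def combine_mask(k1, k2):
    # "mask k2 with a PRF of k1": looks keyed, but F(k1, .) is affine in k2
    return xor_bytes(k2, hmac.new(k1, b"mask", hashlib.sha256).digest())


def combine_hkdf_extract(k1, k2):
    # HKDF-Extract(salt=k1, IKM=k2) = HMAC-SHA256(key=k1, msg=k2), the deployed choice
    return hmac.new(k1, k2, hashlib.sha256).digest()


def key_independent_difference(combiner, keyed_slot):
    """Two-query distinguisher in the PRF game with the secret in `keyed_slot`.
    The challenger holds a random secret k there; the adversary chooses the
    other input freely and can also run the combiner locally with keys of its
    own choosing. If F(k, a) XOR F(k, b) equals F(k', a) XOR F(k', b) for the
    adversary's own k', the output difference does not depend on the secret, a
    relation a random function satisfies with probability 2**-256. True means
    the combiner is not a PRF in that slot."""
    k_secret, k_adv = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    a, b = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)

    def F(k, x):
        return combiner(k, x) if keyed_slot == 0 else combiner(x, k)

    return xor_bytes(F(k_secret, a), F(k_secret, b)) == xor_bytes(F(k_adv, a), F(k_adv, b))


def dual_prf_report(combiner):
    """(broken with k1 secret, broken with k2 secret); a dual-PRF needs (False, False)."""
    return (key_independent_difference(combiner, 0), key_independent_difference(combiner, 1))
```

The distinguisher rejects XOR and the masking combiner in both slots because their output difference F(k, a) XOR F(k, b) does not involve the secret at all. HKDF-Extract passes this particular test in both slots; that rules out one structural flaw and proves nothing further, which is exactly the gap between "assumed dual-PRF" and "proven dual-PRF" that the paper addresses.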
Stacco: Differentially Analyzing Side-Channel Traces for Detecting SSL/TLS Vulnerabilities in Secure Enclaves
Intel Software Guard Extension (SGX) offers software applications enclaves to protect their confidentiality and integrity from malicious operating systems. The SSL/TLS protocol, which is the de facto standard for protecting transport-layer network communications, has been broadly deployed for a secure communication channel. However, in this paper, we show that the marriage between SGX and SSL may not be smooth sailing.
Particularly, we consider a category of side-channel attacks against SSL/TLS implementations in secure enclaves, which we call the control-flow inference attacks. In these attacks, the malicious operating system kernel may perform a powerful man-in-the-kernel attack to collect execution traces of the enclave programs at page, cacheline, or branch level, while positioning itself in the middle of the two communicating parties. At the center of our work is a differential analysis framework, dubbed Stacco, to dynamically analyze the SSL/TLS implementations and detect vulnerabilities that can be exploited as decryption oracles. Surprisingly, we found exploitable vulnerabilities in the latest versions of all the SSL/TLS libraries we have examined.
To validate the detected vulnerabilities, we developed a man-in-the-kernel adversary to demonstrate Bleichenbacher attacks against the latest OpenSSL library running in the SGX enclave (with the help of Graphene) and completely broke the PreMasterSecret encrypted by a 4096-bit RSA public key with only 57286 queries. We also conducted CBC padding oracle attacks against the latest GnuTLS running in Graphene-SGX and an open-source SGX implementation of mbedTLS (i.e., mbedTLS-SGX) that runs directly inside the enclave, and showed that it only needs 48388 and 25717 queries, respectively, to break one block of AES ciphertext. Empirical evaluation suggests these man-in-the-kernel attacks can be completed within 1 or 2 hours.
Comment: CCS 17, October 30-November 3, 2017, Dallas, TX, US
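The decryption oracles the abstract refers to come from secret-dependent control flow. The added Python example below (not Stacco's code; the names and the `BranchTrace` abstraction are mine) models what a page-, cacheline- or branch-granular trace gives a man-in-the-kernel adversary: for a PKCS#7 CBC padding check written with early exits, the trace alone reveals the verdict and the position of the first bad byte, which is a padding oracle even though the enclave never returns the result; a version with data-independent control flow produces the same trace for every input of the same length. The same shape applies to the PKCS#1 v1.5 check behind the Bleichenbacher result.

```python
class BranchTrace:
    """Stand-in for what a page-, cacheline- or branch-level trace of an enclave
    reveals to a malicious kernel: which way each branch went, never the data."""

    def __init__(self):
        self.events = []

    def branch(self, label, taken):
        self.events.append((label, bool(taken)))
        return taken


def cbc_padding_check_branchy(padded, trace):
    """Typical early-exit PKCS#7 check. Loop length and exit point depend on the
    padding bytes, so the trace alone says whether, and where, the check failed."""
    pad = padded[-1]
    if trace.branch("pad_range", pad == 0 or pad > len(padded)):
        return False
    for i in range(1, pad + 1):
        if trace.branch("byte_mismatch", padded[-i] != pad):
            return False
    return True


def cbc_padding_check_branchfree(padded, trace):
    """Same decision with data-independent control flow: fixed loop bound, the
    verdict accumulated arithmetically. Every input of a given length yields the
    same trace. (In C the compiler must also be kept from re-introducing branches.)"""
    n, pad = len(padded), padded[-1]
    bad = int(pad == 0) | int(pad > n)
    for i in range(1, n + 1):
        trace.branch("fixed_loop", True)
        in_pad = int(i <= pad)
        bad |= in_pad & int(padded[-i] != pad)
    return bad == 0


def oracle_from_trace(trace):
    """What the attacker learns from the branchy version without ever seeing the
    return value or the plaintext: True means the padding was accepted."""
    return not any(taken for _, taken in trace.events)


def matched_padding_bytes(trace):
    """Extra leakage from the branchy version: how many padding bytes compared
    equal before the first mismatch (each is a 'byte_mismatch' branch not taken)."""
    return sum(1 for label, taken in trace.events if label == "byte_mismatch" and not taken)


# Constructed 16-byte blocks: valid PKCS#7 padding, and one with a wrong byte at position -5.
VALID = b"ABC" + bytes([13]) * 13
INVALID = VALID[:-5] + b"\x00" + VALID[-4:]
```

Differential analysis in the sense of Stacco is the comparison of `trace.events` across inputs: if two ciphertexts that differ only in whether they decrypt to valid padding produce different traces, the check is an oracle. The branch-free version passes that comparison; the early-exit version fails it and, through `matched_padding_bytes`, leaks even more than a plain valid/invalid bit.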
Adaptive Probing and Communication in Sensor Networks
Abstract. Sensor networks consist of multiple low-cost, autonomous, ad-hoc sensors, that periodically probe and react to the environment and communicate with other sensors or devices. A primary concern in the operation of sensor networks is the limited energy capacity per sensor. As a result, a common challenge is in setting the probing frequency, so as to compromise between the cost of frequent probing and the inaccuracy resulting from infrequent probing. We present adaptive probing algorithms that enable sensors to make effective selections of their next probing time, based on prior probes. We also present adaptive communication techniques, which allow reduced communication between sensors, and hence significant energy savings, without sacrificing accuracy. The presented algorithms were implemented in Motes sensors and are shown to be effective by testing them on real data.
Long term results of total hip arthroplasty with cemented and cementless tapered femoral component
Background: Excellent midterm results for total hip arthroplasties (THA) with cementless, tapered porous Taperloc® femoral stems have been reported. Reports regarding such cemented stems, however, are lacking. Objectives: To evaluate the long-term outcomes of both cemented and cementless THAs with the Taperloc femoral component. Methods: The medical records of 71 patients (76 hips), operated on between January 1991 and December 2003, who had a minimum follow-up of 10 years were available for analysis. Functional analysis was performed with the Harris hip score (HHS) questionnaire and the numerical analogue scale (NAS). Radiographic analysis was performed for subsidence, radiolucent lines and osteolysis. Results: The cohort was comprised of 47 female and 24 male patients, with a mean age of 59.7 ± 12.4 years. The mean follow-up was 17.8 ± 4.4 years. 52.6% of THAs analyzed were cementless and 47.4% were cemented. Post-operative radiographs were available for 57 surgeries. Subsidence, hypertrophic ossification, radiolucent lines and osteolysis were noted in 4 (7%), 2 (2.6%), 14 (18.4%) and 11 (14.5%) hips respectively. The average HHS score at a mean follow-up of 20.1 ± 3.9 years was 62.1 (±27.7) and the NAS score was 4.6 (±3.6). During the study period, five revision surgeries were performed due to stem-related problems, one of which was for aseptic loosening. Conclusions: Our long-term experience with the Taperloc stem, both cemented and cementless, demonstrates good outcomes, with low rates of failure. This makes this prosthesis an attractive option for THAs. Level of Evidence: I
The effect of patient body mass index and sex on the magnification factor during pre-operative templating for total hip arthroplasty
Introduction: Pre-operative templating prior to hip arthroplasty has traditionally used implant-company-provided acetates, which assumed a magnification factor between 115% and 120%. In recent years, pre-operative planning has been performed with digital calibration devices, in order to calculate the magnification factor. However, these devices are not without their limitations and are not readily available at many institutions. As previous reports suggest a wide range of magnification factors, the determination of an optimal magnification factor is currently unclear. We investigated the relationship between obesity and gender on the magnification factor in order to improve the accuracy of pre-operative templating. Patients and methods: Ninety-seven consecutive pre-operative calibrated pelvic radiographs using the KingMark calibration were analyzed using the TraumaCad templating software. The magnification factor calculated by the software was considered the true magnification factor and analysis was made in order to assess the effect of sex and body mass index (BMI) on the magnification factor. A linear regression analysis was utilized to create a predictive model for optimal magnification factor value. Results: Magnification factor was significantly affected by sex (male, 120.0% vs. female 121.2%, p < 0.01) and by categorized BMI (obese 121.8% vs. non-obese 119.9%, p < 0.001). A positive linear association was found between BMI and the magnification factor (r = 0.544). The magnification factor was significantly different between the following sub-groups: obese female, non-obese female, obese male, and non-obese male (p < 0.001). When applying the model formulated by the linear regression analysis, the calculated magnification factor was within 2% of the true magnification factor for the majority of patients (n = 83, 85.6%). Conclusions: BMI and gender have a significant effect on the magnification factor. Future determination of the magnification factor should consider the influence of these variables in order to improve the accuracy of pre-operative templating in THA.
Radiological Comparison of Canal Fill between Collared and Non-Collared Femoral Stems: A Two-Year Follow-Up after Total Hip Arthroplasty
Collared femoral stems in total hip arthroplasty (THA) offer reduced subsidence and periprosthetic fractures but raise concerns about fit accuracy and stem sizing. This study compares collared and non-collared stems to assess the stem–canal fill ratio (CFR) and fixation indicators, aiming to guide implant selection and enhance THA outcomes. This retrospective single-center study examined primary THA patients who received Corail cementless stems between August 2015 and October 2020, with a minimum of two years of radiological follow-up. The study compared preoperative bone quality assessments, including the Dorr classification, the canal flare index (CFI), the morphological cortical index (MCI), and the canal bone ratio (CBR), as well as postoperative radiographic evaluations, such as the CFR and component fixation, between patients who received a collared or a non-collared femoral stem. The study analyzed 202 THAs, with 103 in the collared cohort and 99 in the non-collared cohort. Patients' demographics showed differences in age (p = 0.02) and ASA classification (p = 0.01) but similar preoperative bone quality between groups, as suggested by the Dorr classification (p = 0.15), CFI (p = 0.12), MCI (p = 0.26), and CBR (p = 0.50). At the two-year follow-up, femoral stem CFRs (p = 0.59 and p = 0.27) were comparable between collared and non-collared cohorts. Subsidence rates were almost double for non-collared patients (19.2% vs. 11.7%, p = 0.17), but the difference was not statistically significant. The findings of this study show that both collared and non-collared Corail stems produce comparable outcomes in terms of the CFR and radiographic indicators for stem fixation. These findings reduce concerns about stem under-sizing and micro-motion in collared stems. While this study provides insights into the collar design debate in THA, further research remains necessary.