
    Session Resumption Protocols and Efficient Forward Security for TLS 1.3 0-RTT

    The TLS 1.3 0-RTT mode enables a client reconnecting to a server to send encrypted application-layer data in 0-RTT (zero round-trip time), without the need for a prior interactive handshake. This fundamentally requires the server to reconstruct the previous session's encryption secrets upon receipt of the client's first message. The standard techniques to achieve this are session caches or, alternatively, session tickets. The former provides forward security and resistance against replay attacks, but requires a large amount of server-side storage. The latter requires negligible storage, but provides no forward security and is known to be vulnerable to replay attacks. In this paper, we first formally define session resumption protocols as an abstract perspective on mechanisms like session caches and session tickets. We give a new generic construction that provably provides forward security and replay resilience, based on puncturable pseudorandom functions (PPRFs). This construction can immediately be used in TLS 1.3 0-RTT and deployed unilaterally by servers, without requiring any changes to clients or the protocol. We then describe two new constructions of PPRFs, which are particularly suitable for forward-secure and replay-resilient session resumption in TLS 1.3. The first construction is based on the strong RSA assumption. Compared to standard session caches, for 128-bit security it reduces the required server storage by a factor of almost 20, when instantiated in a way such that key derivation and puncturing together are cheaper on average than one full exponentiation in an RSA group. Hence, a 1 GB session cache can be replaced with only about 51 MB of storage, which significantly reduces the amount of secure memory required. For larger security parameters, or in exchange for more expensive computations, even larger storage reductions are achieved. The second construction combines a standard binary-tree PPRF with a new domain extension technique. For a reasonable choice of parameters, this reduces the required storage by a factor of up to 5 compared to a standard session cache. It employs only symmetric cryptography, is suitable for high-traffic scenarios, and can serve thousands of tickets per second.
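
The mechanism the abstract describes, as an added example that is not the paper's code: a GGM-style binary-tree PPRF (the paper's domain extension technique is not reproduced) used as a server-side ticket store. Each ticket is encrypted under the PPRF value for its label; on first use the server derives the key, decrypts, and punctures the label, so the same ticket cannot be accepted twice (replay resilience) and the key for that ticket is no longer derivable from server state (forward security). The tree depth, the ticket layout and the HMAC-based stream cipher are illustrative assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example, not the paper's code: a GGM-style binary-tree puncturable PRF
# (the paper's domain-extension technique is not reproduced) and a ticket store
# built on it. DEPTH, the ticket layout and the HMAC-based stream are assumptions.

DEPTH = 16  # 2**DEPTH ticket labels per root key


def _child(key: bytes, bit: int) -> bytes:
    """Length-doubling PRG via HMAC: returns child `bit` of a tree node."""
    return hmac.new(key, bytes([bit]), hashlib.sha256).digest()


class PuncturablePRF:
    """F(x) = leaf x of a GGM tree. After puncture(x) the state no longer
    determines F(x) (forward security) but every other leaf stays computable."""

    def __init__(self, root_key: bytes, depth: int = DEPTH) -> None:
        self.depth = depth
        self.nodes: Dict[Tuple[int, int], bytes] = {(0, 0): root_key}  # (depth, index) -> key

    def _ancestor(self, x: int) -> Optional[Tuple[int, int]]:
        """Deepest node on the path to leaf x still held in state, or None."""
        for d in range(self.depth, -1, -1):
            if (d, x >> (self.depth - d)) in self.nodes:
                return d, x >> (self.depth - d)
        return None

    def _walk(self, x: int, start: Tuple[int, int], keep_siblings: bool) -> bytes:
        """Derive from node `start` down to leaf x, optionally storing each sibling
        so that the rest of the tree survives once the path is dropped."""
        key = self.nodes[start]
        for level in range(start[0], self.depth):
            child = x >> (self.depth - level - 1)
            if keep_siblings:
                self.nodes[(level + 1, child ^ 1)] = _child(key, (child & 1) ^ 1)
            key = _child(key, child & 1)
        return key

    def eval(self, x: int) -> Optional[bytes]:
        anc = self._ancestor(x)
        return None if anc is None else self._walk(x, anc, keep_siblings=False)

    def puncture(self, x: int) -> bool:
        anc = self._ancestor(x)
        if anc is None:
            return False                     # already punctured or out of range
        self._walk(x, anc, keep_siblings=True)
        del self.nodes[anc]                  # the only node that could reach x
        return True


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-derived keystream XOR (stand-in for an AEAD; illustrative only)."""
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


class TicketServer:
    """Server state is only the PPRF; each ticket carries its own ciphertext."""

    def __init__(self, depth: int = DEPTH) -> None:
        self.pprf = PuncturablePRF(os.urandom(32), depth)
        self.next_label = 0

    def issue(self, resumption_secret: bytes) -> bytes:
        label, self.next_label = self.next_label, self.next_label + 1
        k = self.pprf.eval(label)
        if k is None:
            raise RuntimeError("label space exhausted: rotate the root key")
        nonce = os.urandom(16)
        body = label.to_bytes(4, "big") + nonce + _xor_stream(k, nonce, resumption_secret)
        return body + hmac.new(k, body, hashlib.sha256).digest()   # encrypt-then-MAC

    def accept(self, ticket: bytes) -> Optional[bytes]:
        """Resumption secret on first use; None on replay, forgery or truncation."""
        if len(ticket) < 4 + 16 + 32:
            return None
        body, tag = ticket[:-32], ticket[-32:]
        k = self.pprf.eval(int.from_bytes(body[:4], "big"))
        if k is None:                        # label punctured: replayed ticket
            return None
        if not hmac.compare_digest(hmac.new(k, body, hashlib.sha256).digest(), tag):
            return None
        secret = _xor_stream(k, body[4:20], body[20:])
        self.pprf.puncture(int.from_bytes(body[:4], "big"))  # k now unrecoverable
        return secret


def demo() -> Tuple[bool, bool, int]:
    """First use succeeds, replay fails, state is O(depth) after one puncture."""
    srv = TicketServer()
    secret = os.urandom(32)
    ticket = srv.issue(secret)
    return srv.accept(ticket) == secret, srv.accept(ticket) is None, len(srv.pprf.nodes)
```

After one puncture the server holds the co-path of the used leaf (DEPTH node keys) instead of the root, which is why state grows with the number of punctured labels rather than with the number of issued tickets; the abstract's domain extension technique is what keeps that growth acceptable at high ticket rates.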

    Practical (Post-Quantum) Key Combiners from One-Wayness and Applications to TLS

    The task of combining cryptographic keys, some of which may be maliciously formed, into one key which is (pseudo)random is a central task in cryptographic systems. For example, it is a crucial component in the widely used TLS and Signal protocols. From an analytical standpoint, current security proofs model such key combiners as dual-PRFs, i.e. functions which are a PRF when keyed by either of their two inputs, guaranteeing pseudorandomness if one of the keys is compromised or even maliciously chosen by an adversary. However, in practice, protocols mostly use HKDF as a key combiner, despite the fact that HKDF was never proven to be a dual-PRF. Security proofs for these protocols usually work around this issue either by simply assuming HKDF to be a dual-PRF anyway, or by assuming ideal models (e.g. modelling the underlying hash functions as random oracles). We identify several deployed protocols and upcoming standards where this is the case. Unfortunately, such heuristic approaches to security tend not to withstand the test of time, often leading to deployed systems that eventually become completely insecure. In this work, we narrow the gap between theory and practice for key combiners. In particular, we give a construction of a dual-PRF that can be used as a drop-in replacement for current heuristic key combiners in a range of protocols. Our construction follows a theoretical construction by Bellare and Lysyanskaya, and is based on concrete hardness assumptions, phrased in the spirit of one-wayness. Therefore, our construction provides security unless extremely strong attacks against the underlying cryptographic hash function are discovered. Moreover, since these assumptions are considered post-quantum secure, our construction can safely be used in new hybrid protocols. From a practical perspective, our dual-PRF construction is highly efficient, adding only a few microseconds in computation time compared to currently used (heuristic) approaches. We believe that our approach exemplifies a perfect middle ground for practically efficient constructions that are supported by realistic hardness assumptions.
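
What "PRF when keyed by either input" demands of a combiner, as an added example that is not the paper's construction (the paper's dual-PRF is not reproduced here). It contrasts a naive XOR combiner, which an adversary controlling one input can distinguish from random through its linearity, with HKDF-Extract(salt, IKM) = HMAC(salt, IKM): keyed by the salt it is HMAC, a PRF; keyed by the IKM it is the swap direction the abstract says is assumed but unproven, so surviving this one distinguisher is a necessary condition, not evidence of dual-PRF security. Function names are illustrative.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict

# Added example, not the paper's construction: a linearity distinguisher that
# shows what a key combiner must resist when the adversary controls one input.

Combiner = Callable[[bytes, bytes], bytes]


def xor_combiner(k1: bytes, k2: bytes) -> bytes:
    """Naive combiner: linear in both inputs, so a PRF under neither key."""
    return bytes(a ^ b for a, b in zip(k1, k2))


def hkdf_extract_combiner(k1: bytes, k2: bytes) -> bytes:
    """HKDF-Extract(salt=k1, IKM=k2) = HMAC-SHA256(k1, k2). Keyed by k1 this is
    HMAC, a PRF; keyed by k2 it is the 'swap' direction that is only assumed,
    so passing the test below is necessary, not sufficient."""
    return hmac.new(k1, k2, hashlib.sha256).digest()


def linearity_distinguisher(combiner: Combiner, secret_is_k1: bool, trials: int = 8) -> bool:
    """Adversary controls one input; the other is a secret honest key. It feeds
    pairs (a, a ^ delta) and checks whether the outputs differ by that same delta,
    which a random function does with probability about 2**-256 per trial.
    Returns True when the combiner is distinguished from random."""
    secret = os.urandom(32)
    for _ in range(trials):
        a, delta = os.urandom(32), os.urandom(32)
        b = bytes(x ^ y for x, y in zip(a, delta))
        if secret_is_k1:
            out_a, out_b = combiner(secret, a), combiner(secret, b)
        else:
            out_a, out_b = combiner(a, secret), combiner(b, secret)
        if bytes(x ^ y for x, y in zip(out_a, out_b)) == delta:
            return True
    return False


def dual_prf_check(combiner: Combiner) -> Dict[str, bool]:
    """Run the distinguisher in both keying directions; a dual-PRF candidate must
    survive both."""
    return {
        "breaks_when_k1_secret": linearity_distinguisher(combiner, True),
        "breaks_when_k2_secret": linearity_distinguisher(combiner, False),
    }
```

In a hybrid handshake the two inputs are the classical and post-quantum shared secrets, and the adversary's ability to choose one of them maliciously is exactly the case the dual-PRF model covers; the XOR combiner fails it outright, while HKDF passes this particular test without that telling us anything about its security in the swap direction.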

    Stacco: Differentially Analyzing Side-Channel Traces for Detecting SSL/TLS Vulnerabilities in Secure Enclaves

    Intel Software Guard Extensions (SGX) offers software applications an enclave to protect their confidentiality and integrity from a malicious operating system. The SSL/TLS protocol, which is the de facto standard for protecting transport-layer network communications, has been broadly deployed as a secure communication channel. However, in this paper, we show that the marriage between SGX and SSL may not be smooth sailing. Particularly, we consider a category of side-channel attacks against SSL/TLS implementations in secure enclaves, which we call control-flow inference attacks. In these attacks, the malicious operating system kernel may perform a powerful man-in-the-kernel attack to collect execution traces of the enclave programs at page, cacheline, or branch level, while positioning itself in the middle of the two communicating parties. At the center of our work is a differential analysis framework, dubbed Stacco, to dynamically analyze SSL/TLS implementations and detect vulnerabilities that can be exploited as decryption oracles. Surprisingly, we found exploitable vulnerabilities in the latest versions of all the SSL/TLS libraries we examined. To validate the detected vulnerabilities, we developed a man-in-the-kernel adversary to demonstrate Bleichenbacher attacks against the latest OpenSSL library running in an SGX enclave (with the help of Graphene) and completely broke the PreMasterSecret encrypted by a 4096-bit RSA public key with only 57286 queries. We also conducted CBC padding oracle attacks against the latest GnuTLS running in Graphene-SGX and an open-source SGX implementation of mbedTLS (i.e., mbedTLS-SGX) that runs directly inside the enclave, and showed that only 48388 and 25717 queries, respectively, are needed to break one block of AES ciphertext. Empirical evaluation suggests these man-in-the-kernel attacks can be completed within 1 or 2 hours.
    Comment: CCS 17, October 30-November 3, 2017, Dallas, TX, US
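
A toy version of the differential analysis the abstract describes, as an added example that is not Stacco's code: a PKCS#1 v1.5 type-2 unpadding routine whose branches and loop trip count depend on the padding is run on inputs that are valid and invalid in different ways, and the recorded control-flow traces are compared. Any difference between the traces is a decryption oracle of the kind a man-in-the-kernel attacker can observe at page, cacheline or branch granularity; a routine with input-independent control flow produces identical traces. The `Tracer`, the event labels and the two unpadding routines are illustrative assumptions, and the encoded messages are constructed (no RSA is involved).

```python
from typing import Callable, Iterable, List, Tuple

# Added example, not Stacco's code: a toy model of control-flow-inference traces
# and a differential check over PKCS#1 v1.5 unpadding. Real traces are page,
# cacheline or branch observations made by a malicious kernel, not Python events.


class Tracer:
    """Stand-in for an execution trace: the sequence of control-flow events hit."""

    def __init__(self) -> None:
        self.events: List[str] = []

    def hit(self, label: str) -> None:
        self.events.append(label)


def unpad_leaky(em: bytes, tr: Tracer) -> Tuple[bool, bytes]:
    """Branchy PKCS#1 v1.5 type-2 unpadding. Each check is its own branch and the
    scan loop's trip count depends on the data, so the trace says *why* it failed."""
    tr.hit("enter")
    if len(em) < 11 or em[0] != 0x00:
        tr.hit("bad_prefix")
        return False, b""
    if em[1] != 0x02:
        tr.hit("bad_type")
        return False, b""
    i = 2
    while i < len(em) and em[i] != 0x00:
        tr.hit("scan_ps")
        i += 1
    if i == len(em) or i < 10:             # no separator, or padding string < 8 bytes
        tr.hit("bad_sep")
        return False, b""
    tr.hit("ok")
    return True, em[i + 1:]


def unpad_uniform(em: bytes, tr: Tracer) -> Tuple[bool, bytes]:
    """Same checks with fixed control flow: every byte is visited once and the
    verdict accumulates in masks. (Python ints are not truly constant-time; the
    point is that the recorded trace is input-independent.)"""
    tr.hit("enter")
    if len(em) < 11:                        # the length is public, so this branch is fine
        return False, b""
    bad = em[0] | (em[1] ^ 0x02)
    found, sep = 0, 0
    for i in range(2, len(em)):
        tr.hit("scan")
        is_zero = ((em[i] - 1) >> 8) & 1    # 1 iff em[i] == 0, without a branch
        first = is_zero & (found ^ 1)       # 1 only for the first zero byte
        sep += i * first
        found |= is_zero
    bad |= found ^ 1                        # no separator at all
    bad |= ((sep - 10) >> 64) & 1           # separator before index 10
    # A real implementation copies a fixed-size window; slicing keeps this short.
    return bad == 0, em[sep + 1:]


def differential_trace_analysis(unpad: Callable[[bytes, Tracer], Tuple[bool, bytes]],
                                inputs: Iterable[bytes]) -> bool:
    """Stacco-style check: run the routine on paddings that are valid and invalid
    in different ways and compare the traces. Any difference is an oracle."""
    traces = set()
    for em in inputs:
        tr = Tracer()
        unpad(em, tr)
        traces.add(tuple(tr.events))
    return len(traces) > 1


# Constructed 32-byte encoded messages (no real RSA involved).
VALID_EM = b"\x00\x02" + b"\xaa" * 20 + b"\x00" + b"m" * 9
BAD_TYPE_EM = b"\x00\x01" + b"\xaa" * 20 + b"\x00" + b"m" * 9
NO_SEP_EM = b"\x00\x02" + b"\xaa" * 30
SHORT_PS_EM = b"\x00\x02" + b"\xaa" * 3 + b"\x00" + b"m" * 26
SAMPLE_EMS = [VALID_EM, BAD_TYPE_EM, NO_SEP_EM, SHORT_PS_EM]


def oracle_report() -> dict:
    """True means the routine's traces differ across the samples, i.e. an oracle."""
    return {
        "leaky_is_oracle": differential_trace_analysis(unpad_leaky, SAMPLE_EMS),
        "uniform_is_oracle": differential_trace_analysis(unpad_uniform, SAMPLE_EMS),
    }
```

The leaky routine is what a Bleichenbacher attacker needs: distinct traces for "bad type", "separator too early" and "accepted" tell the man-in-the-kernel adversary which interval the plaintext falls in without any error message ever leaving the enclave. The uniform routine still rejects the same inputs, but does so with one trace for all of them, which is the property a differential analysis like Stacco's is checking for.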

    Adaptive Probing and Communication in Sensor Networks

    Sensor networks consist of multiple low-cost, autonomous, ad hoc sensors that periodically probe and react to the environment and communicate with other sensors or devices. A primary concern in the operation of sensor networks is the limited energy capacity per sensor. As a result, a common challenge is setting the probing frequency so as to compromise between the cost of frequent probing and the inaccuracy resulting from infrequent probing. We present adaptive probing algorithms that enable sensors to make effective selections of their next probing time, based on prior probes. We also present adaptive communication techniques, which allow reduced communication between sensors, and hence significant energy savings, without sacrificing accuracy. The presented algorithms were implemented on Motes sensors and are shown to be effective by testing them on real data.

    Long-term results of total hip arthroplasty with cemented and cementless tapered femoral component

    Background: Excellent midterm results for total hip arthroplasties (THA) with cementless, tapered porous Taperloc® femoral stems have been reported. Reports regarding such cemented stems, however, are lacking. Objectives: To evaluate the long-term outcomes of both cemented and cementless THAs with the Taperloc femoral component. Methods: The medical records of 71 patients (76 hips), operated on between January 1991 and December 2003, who had a minimum follow-up of 10 years were available for analysis. Functional analysis was performed with the Harris hip score (HHS) questionnaire and the numerical analogue scale (NAS). Radiographic analysis was performed for subsidence, radiolucent lines and osteolysis. Results: The cohort comprised 47 female and 24 male patients, with a mean age of 59.7 ± 12.4 years. The mean follow-up was 17.8 ± 4.4 years. Of the THAs analyzed, 52.6% were cementless and 47.4% were cemented. Post-operative radiographs were available for 57 surgeries. Subsidence, hypertrophic ossification, radiolucent lines and osteolysis were noted in 4 (7%), 2 (2.6%), 14 (18.4%) and 11 (14.5%) hips, respectively. The average HHS at a mean follow-up of 20.1 ± 3.9 years was 62.1 (± 27.7) and the NAS score was 4.6 (± 3.6). During the study period, five revision surgeries were performed due to stem-related problems, one of which was for aseptic loosening. Conclusions: Our long-term experience with the Taperloc stem, both cemented and cementless, demonstrates good outcomes, with low rates of failure. This makes this prosthesis an attractive option for THAs. Level of Evidence: I

    The effect of patient body mass index and sex on the magnification factor during pre-operative templating for total hip arthroplasty

    Introduction: Pre-operative templating prior to hip arthroplasty has traditionally used implant-company-provided acetates, which assumed a magnification factor between 115% and 120%. In recent years, pre-operative planning has been performed with digital calibration devices in order to calculate the magnification factor. However, these devices are not without their limitations and are not readily available at many institutions. As previous reports suggest a wide range of magnification factors, the determination of an optimal magnification factor is currently unclear. We investigated the effect of obesity and sex on the magnification factor in order to improve the accuracy of pre-operative templating. Patients and methods: Ninety-seven consecutive pre-operative pelvic radiographs, calibrated with the KingMark device, were analyzed using the TraumaCad templating software. The magnification factor calculated by the software was considered the true magnification factor, and the analysis assessed the effect of sex and body mass index (BMI) on it. A linear regression analysis was used to create a predictive model for the optimal magnification factor value. Results: The magnification factor was significantly affected by sex (male 120.0% vs. female 121.2%, p < 0.01) and by categorized BMI (obese 121.8% vs. non-obese 119.9%, p < 0.001). A positive linear association was found between BMI and the magnification factor (r = 0.544). The magnification factor was significantly different between the following sub-groups: obese female, non-obese female, obese male, and non-obese male (p < 0.001). When applying the model formulated by the linear regression analysis, the calculated magnification factor was within 2% of the true magnification factor for the majority of patients (n = 83, 85.6%). Conclusions: BMI and sex have a significant effect on the magnification factor. Future determination of the magnification factor should consider the influence of these variables in order to improve the accuracy of pre-operative templating in THA.