DOI: 10.1145/2976749.2978325

A Unilateral-to-Mutual Authentication Compiler for Key Exchange (with Applications to Client Authentication in TLS 1.3)

Published: 24 October 2016

  • Abstract

    We study the question of how to build "compilers" that transform a unilaterally authenticated (UA) key-exchange protocol into a mutually-authenticated (MA) one. We present a simple and efficient compiler and characterize the UA protocols that the compiler upgrades to the MA model, showing this to include a large and important class of UA protocols. The question, while natural, has not been studied widely. Our work is motivated in part by the ongoing work on the design of TLS 1.3, specifically the design of the client authentication mechanisms including the challenging case of post-handshake authentication. Our approach supports the analysis of these mechanisms in a general and modular way, in particular aided by the notion of "functional security" that we introduce as a generalization of key exchange models and which may be of independent interest.



        Published In

        CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
        October 2016, 1924 pages
        ISBN: 9781450341394
        DOI: 10.1145/2976749

        Publisher

        Association for Computing Machinery, New York, NY, United States


        Author Tags

        1. TLS
        2. cryptographic protocols
        3. key exchange


        Acceptance Rates

        CCS '16 paper acceptance rate: 137 of 831 submissions (16%)
        Overall acceptance rate: 1,261 of 6,999 submissions (18%)
