Uploaded byvpnmentor
PDF, PPTX1,817 views

Automated Analysis of TLS 1.3

The authors built a symbolic model of the TLS 1.3 specification (draft 10) using the Tamarin prover to verify key properties like secrecy of session keys and unilateral/mutual authentication. They found a potential attack during this analysis and disclosed it to the IETF TLS working group. As the specification continued evolving, they started updating their model but noted it was a moving target.

Embed presentation

Download as PDF, PPTX
Automated Analysis of TLS 1.3 0-RTT, Resumption and Delayed Authentication 2 May 2016 Cas Cremers Marko Horvat Sam Scott Thyla van der Merwe Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
What we did (nutshell) We built a symbolic model of the TLS 1.3 specification - draft 10 We wanted to verify the main properties of TLS 1.3 as an authenticated key exchange protocol secrecy of session keys unilateral (mutual) authentication We extended our draft 10 model to include the delayed authentication mechanism We found a potential attack - disclosed this to the IETF TLS WG We started updating our model but the specification is a moving target Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Where our work fits in... 2011$ 2015$ 1995$ 1996$ 1999$ 2006$ 2008$ 2016$ $$10$ 2009$ 2012$ 2013$ 2014$ 1998$ 2002$ Program' verifica-on' Provable' security' Formal' methods' Dowling(et(al.( [dra0105]( Kohlweiss(et(al.( [dra0105]( Krawczyk(and( Wee([OPTLS]( Dowling(et(al.( [dra0110]( We'are'here!' Ongoing(work(– later(talks( Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
TLS 1.3 - draft 10 Ku,$Kd$ Data$Link$ Internet$ Transport$ Applica7on$ TLS$h:p$ tcp$ hello, let’s chat okay, let’s agree on algorithms, establish keys to communicate securely and here’s some assurance as to my identity Ku,$Kd$ let’s exchange application data Handshake$protocol$ Record$protocol$ C S Encrypt as much of the handshake as possible Re-evaluate the handshake contents 1-RTT for initial handshake and 0-RTT for repeated handshakes Update the record protection mechanisms Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
TLS 1.3 - draft 10 Ku,$Kd$ Data$Link$ Internet$ Transport$ Applica7on$ TLS$h:p$ tcp$ hello, let’s chat okay, let’s agree on algorithms, establish keys to communicate securely and here’s some assurance as to my identity Ku,$Kd$ let’s exchange application data Handshake$protocol$ Record$protocol$ C S Session resumption merged with PSK mode Delayed client authentication mechanism (draft 10+) Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
TLS 1.3 - the OPTLS connection OPTimized and/or One-Point-Three TLS, designed by Krawczyk and Wee Meant as the basis for the TLS 1.3 handshake Incorporates Pefect Forward Secrecy (PFS) and 0-RTT functionality Designed to be flexible, simple, textbook crypto Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
TLS 1.3 - the OPTLS connection g^s$ s%$derived$from$g^xs$ atk$drived$from$g^xy$and$g^xs$ Source:$h9ps://eprint.iacr.org/2015/978.pdf$ Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
TLS 1.3 - the OPTLS connection Source:(h*ps://eprint.iacr.org/2015/978.pdf( Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
TLS 1.3 - the OPTLS connection Source:(h*ps://eprint.iacr.org/2015/978.pdf( Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
TLS 1.3 - draft 10 C S ClientHello, ClientKeyShare HelloRetryRequest ClientHello, ClientKeyShare ServerHello, ServerKeyShare, {EncryptedExtensions}, {ServerConfiguration*},{Certificate}, {CertificateRequest*}, {CertificateVerify}, {Finished} {Certificate*}, {CertificateVerify*}, {Finished} [Application data] Initial (EC)DHE handshake Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
TLS 1.3 - draft 10 C S ClientHello, ClientKeyShare, EarlyDataIndication, (EncryptedExtensions), (Certificate*), (Certificate Verify*), (ApplicationData) ServerHello, ServerKeyShare, EarlyDataIndication, {EncryptedExtensions}, {ServerConfiguration*},{Certificate} {CertificateRequest*}, {CertificateVerify}, {Finished} {Finished} [Application data] 0-RTT handshake Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
TLS 1.3 - draft 10 C S Initial handshake (see Figure (a)) [NewSessionTicket] [Application data] ClientHello, ClientKeyShare, PreSharedKeyExtension ServerHello, PreSharedKeyExtension, {EncryptedExtensions}, {Finished} {Finished} [Application data] PSK-resumption handshake Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
TLS 1.3 - draft 10 Source: https://www.ietf.org/proceedings/93/slides/slides-93-tls-8.pdf Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
TLS 1.3 - draft 10 TLS$1.2$and$below$ TLS$1.3$ Ini$al'handshake'–'RSA,'DHE,' 26RTT' Ini$al'handshake'–'(EC)DHE' only,'16RTT' Dedicated'resump$on' handshake' Resump$on'via'PSK' handshake' Dedicated'renego$a$on' handshake' Dedicated'renego$a$on' handshake'removed' No'early'data'func$onality' Early'data'–'06RTT'handshake' Different set of handshakes! Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
TLS 1.3 - draft 10 C S ClientHello, ClientKeyShare HelloRetryRequest ClientHello, ClientKeyShare ServerHello, ServerKeyShare, {EncryptedExtensions}, {ServerConfiguration*},{Certificate}, {CertificateRequest*}, {CertificateVerify}, {Finished} {Certificate*}, {CertificateVerify*}, {Finished} [Application data] (a) Initial (EC)DHE handshake C S ClientHello, ClientKeyShare, EarlyDataIndication, (EncryptedExtensions), (Certificate*), (Certificate Verify*), (ApplicationData) ServerHello, ServerKeyShare, EarlyDataIndication, {EncryptedExtensions}, {ServerConfiguration*},{Certificate} {CertificateRequest*}, {CertificateVerify}, {Finished} {Finished} [Application data] (b) 0-RTT handshake C S Initial handshake (see Figure (a)) [NewSessionTicket] [Application data] ClientHello, ClientKeyShare, PreSharedKeyExtension ServerHello, PreSharedKeyExtension, {EncryptedExtensions}, {Finished} {Finished} [Application data] (c) PSK-resumption handshake (+ PSK-DHE) Look at the full interaction of all these components! Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
TLS 1.3 - draft 10 C S ClientHello, ClientKeyShare HelloRetryRequest ClientHello, ClientKeyShare ServerHello, ServerKeyShare, {EncryptedExtensions}, {ServerConfiguration*},{Certificate}, {CertificateRequest*}, {CertificateVerify}, {Finished} {Certificate*}, {CertificateVerify*}, {Finished} [Application data] (a) Initial (EC)DHE handshake C S ClientHello, ClientKeyShare, EarlyDataIndication, (EncryptedExtensions), (Certificate*), (Certificate Verify*), (ApplicationData) ServerHello, ServerKeyShare, EarlyDataIndication, {EncryptedExtensions}, {ServerConfiguration*},{Certificate} {CertificateRequest*}, {CertificateVerify}, {Finished} {Finished} [Application data] (b) 0-RTT handshake C S Initial handshake (see Figure (a)) [NewSessionTicket] [Application data] ClientHello, ClientKeyShare, PreSharedKeyExtension ServerHello, PreSharedKeyExtension, {EncryptedExtensions}, {Finished} {Finished} [Application data] (c) PSK-resumption handshake (+ PSK-DHE) Look at the full interaction of all these components! Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Symbolic analysis A symbolic model allows us to examine the logical soundness of the protocol We systematically specify and hope to exclude a class of attacks - ‘logical’ attacks (think Triple Handshake for TLS 1.2) We assume black-box cryptography We analyse the specification only Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Using Tamarin Tool details available at: http://www.infsec.ethz.ch/research/software/tamarin.html Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Using Tamarin We built our model for use in the Tamarin prover Automated tool for protocol analysis Good symbolic Diffie-Hellman support Considers an unbounded number of parties/handshakes How does it work? For simple models/properties, can prove automatically Complex models require more user interaction A proof shows that a property holds in all possible combinations of client, server, and adversary behaviours Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Using Tamarin We built our model for use in the Tamarin prover Automated tool for protocol analysis Good symbolic Diffie-Hellman support Considers an unbounded number of parties/handshakes How does it work? For simple models/properties, can prove automatically Complex models require more user interaction A proof shows that a property holds in all possible combinations of client, server, and adversary behaviours Tamarin is good because We can precisely model the TLS state machines We can accurately capture security properties Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Using Tamarin We built our model for use in the Tamarin prover Automated tool for protocol analysis Good symbolic Diffie-Hellman support Considers an unbounded number of parties/handshakes How does it work? For simple models/properties, can prove automatically Complex models require more user interaction A proof shows that a property holds in all possible combinations of client, server, and adversary behaviours Tamarin is good because We can precisely model the TLS state machines We can accurately capture security properties Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 1: Building a model Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 1: Building a model Encode honest party and adversary actions as Tamarin ‘rules’ For honest clients and servers rules correspond to flights of messages Rules transition the protocol from one state to the next Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 1: Building a model c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 1: Building a model c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 1: Building a model c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 1: Building a model c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 1: Building a model c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 1: Building a model c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 1: Building a model c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 1: Building a model c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 1: Building a model c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 1: Building a model rule C_1: let // Default C1 values tid = ~nc // Client Hello C = $C nc = ~nc pc = $pc S = $S // Client Key Share ga = ’g’^~a messages = <nc, pc,ga> in [ Fr(nc) , Fr(~a) ] --[ C1(tid) , Start(tid, C, ’client’) , Running(C, S, ’client’, nc) , DH(C, ~a) ]-> [ St_C_1_init(tid, C, nc, pc, S, ~a, messages, ’no_auth’) , Out(<C,nc, pc,ga>) ] Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 1: Building a model Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 2: Encoding security properties TLS 1.3 goals include: unilateral authentication of the server (mandatory) mutual authentication (optional) confidentiality and perfect forward secrecy of session keys We have Dolev-Yao style adversary that has the ability to compromise long-term keys Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 2: Encoding security properties Security property Covered by analysis Source Unilateral authentication (server) Y D.1.1 Mutual authentication Y D.1.1 Confidentiality of ephemeral secret Y D.1.1 Confidentiality of static secret Y D.1.1 Perfect forward secrecy Y D.1.1.1 Integrity of handshake messages Y D.1.3 Protection of application data N D.2 Denial of service N D.3 Version rollback N D.1.2 Table : TLS 1.3 rev 10 properties Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 2: Encoding security properties secret_session_keys: (1) "All actor peer role k #i. (2) SessionKey(actor, peer, role, <k, ’authenticated’>)@i (3) & not ((Ex #r. RevLtk(peer)@r & #r < #i) |(Ex #r. RevLtk(actor)@r & #r < #i)) (4) ==> not Ex #j. KU(k)@j" This says... for all possible values of variables on the first line (1), if key k is accepted at time point i (2), and the adversary has not revealed the long term keys of the actor or the peer before the key is accepted (3), then the adversary cannot derive the key (4). Want to show that this holds for all combinations of client, server and adversary behaviours - ALL traces Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 2: Encoding security properties secret_session_keys: (1) "All actor peer role k #i. (2) SessionKey(actor, peer, role, <k, ’authenticated’>)@i (3) & not ((Ex #r. RevLtk(peer)@r & #r < #i) |(Ex #r. RevLtk(actor)@r & #r < #i)) (4) ==> not Ex #j. KU(k)@j" This says... for all possible values of variables on the first line (1), if key k is accepted at time point i (2), and the adversary has not revealed the long term keys of the actor or the peer before the key is accepted (3), then the adversary cannot derive the key (4). Want to show that this holds for all combinations of client, server and adversary behaviours - ALL traces Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 3: Proving security properties SessionKey(….) What  can  the   adversary  do?   S2   C2_Auth   What  can  the   adversary  do?  ...and  so  on   eventually  will   boil  down  to   needing  to  break   DH     Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 3: Proving security properties Not a straightforward application of Tamarin several man-months of work specification a moving target updating takes time, can be error-prone Need an intimate knowledge of the protocol - high degree of interaction with the tool in some cases Not a push-button analysis We have 45 auxiliary lemmas Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 3: Proving security properties secret_session_keys ! es_basic psk_dhe_es_basic kc_origin psk_helper psk_helper_client psk_helper_server key_deriv_rs key_deriv_hkeys key_deriv_hkeyc psk_basic + many more ! helpers!(proof!shortcuts)! tid_invariant one_start_tid + many more ! hints! ss_basic psk!helpers! Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Step 3: Proving security properties We verified the main properties of TLS 1.3 revision 10 as an authenticated key exchange protocol: Secrecy of session keys holds for both client and server forward secrecy Mutual authentication Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Attacking client authentication (draft 10+) c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C Auth C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Attacking client authentication Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Attacking client authentication psk_id = psk_id Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Attacking client authentication Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Attacking client authentication Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Attacking client authentication Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Attacking client authentication Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Attacking client authentication Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Attacking client authentication Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Attacking client authentication Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Attacking client authentication Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Attacking client authentication Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Attacking client authentication Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Attacking client authentication Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Cause and mitigation Prime example of an attack that can arise because of the interaction of modes No binding between the client signature and session for which it is intended Complicated to find Example of the positive interaction of analysis and design Communicated this to the IETF TLS Working Group... Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Cause and mitigation https://www.ietf.org/mail-archive/web/tls/current/ msg18215.html Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Cause and mitigation “Nice analysis! I think that the composition of different mechanisms in the protocol is likely to be where many subtle issues lie, and analyses like this one support that concern.” “Thanks for posting this. It’s great to see people doing real formal analysis of the TLS 1.3 draft; this is really helpful in guiding the design.” Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Cause and mitigation “Nice analysis! I think that the composition of different mechanisms in the protocol is likely to be where many subtle issues lie, and analyses like this one support that concern.” “Thanks for posting this. It’s great to see people doing real formal analysis of the TLS 1.3 draft; this is really helpful in guiding the design.” “This result motivates and confirms the need to modify the handshake hashes to contain the server Finished when we add post-handshake authentication as is done in PR#316...” Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Cause and mitigation “Nice analysis! I think that the composition of different mechanisms in the protocol is likely to be where many subtle issues lie, and analyses like this one support that concern.” “Thanks for posting this. It’s great to see people doing real formal analysis of the TLS 1.3 draft; this is really helpful in guiding the design.” “This result motivates and confirms the need to modify the handshake hashes to contain the server Finished when we add post-handshake authentication as is done in PR#316...” Although already included in PR316, the attack highlights strict necessity of including the Finished message in the session hash and draft 11 does this - creates a binding between signature and the session Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Cause and mitigation “Nice analysis! I think that the composition of different mechanisms in the protocol is likely to be where many subtle issues lie, and analyses like this one support that concern.” “Thanks for posting this. It’s great to see people doing real formal analysis of the TLS 1.3 draft; this is really helpful in guiding the design.” “This result motivates and confirms the need to modify the handshake hashes to contain the server Finished when we add post-handshake authentication as is done in PR#316...” Although already included in PR316, the attack highlights strict necessity of including the Finished message in the session hash and draft 11 does this - creates a binding between signature and the session Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Where we stand We showed that draft 10 meets the goals of authenticated key exchange, and the changes in draft 11 appear to address the attack First comprehensive analysis of the interaction of the new TLS 1.3 modes we confirmed the base design is solid prevented a potential weakness Draft 11... Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Where we stand c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C Auth C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Where we stand s0start s1a−psk s1a s1 s2 s3 S 1 S 1 KC S 1 KC RecvAuth S 1 PSK S 1 PSK DHE S 1 PSK AuthS 1 PSK NoAuth S 1 NoAuthS 1 AuthReq S 1 retry S 2 S 2 RecvAuth S 2 Auth S 3 S 3 NST S send S recv S AuthReq S RecvAuth Process ClientHello + Send ServerHello Update authen- tication state Receive ClientFinished (with authentication) Update authen- tication status Got half-way through proving draft 11, then talk of major changes... Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Where we stand Draft 12 adds 0.5-RTT data But what’s next? Talk on the mailing list and IETF meetings of removing 0-RTT (EC)DHE handshake changing the key schedule Means that the specification starts to diverge from our current model Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Where we stand rev$10$ rev$10+$ rev$12$ (inc.$11)$ rev$13,$ 14,$15..?$ Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Making changes The model can be updated to accommodate changes Additions can complicate the analysis (adding loops) Reductions/simplifications are easier to handle Changes mean more man-hours http://tls13tamarin.github.io/TLS13Tamarin/ Authors: Cas Cremers cas.cremers@cs.ox.ac.uk Sam Scott sam.scott.2012@live.rhul.ac.uk Marko Horvat marko.horvat@cs.ox.ac.uk Thyla van der Merwe thyla.vandermerwe.2012@live.rhul.ac.uk Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
Making changes The model can be updated to accommodate changes Additions can complicate the analysis (adding loops) Reductions/simplifications are easier to handle Changes mean more man-hours http://tls13tamarin.github.io/TLS13Tamarin/ Authors: Cas Cremers cas.cremers@cs.ox.ac.uk Sam Scott sam.scott.2012@live.rhul.ac.uk Marko Horvat marko.horvat@cs.ox.ac.uk Thyla van der Merwe thyla.vandermerwe.2012@live.rhul.ac.uk Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3

More Related Content

PDF
TLS: Past, Present, Future
byvpnmentor
 
PDF
TLS
byDaniel Stenberg
 
PDF
How broken is TLS?
byhannob
 
PPTX
Random musings on SSL/TLS configuration
byextremeunix
 
PDF
TLS Perf: from three to zero in one spec
byNatasha Rooney
 
PPTX
All you need to know about transport layer security
byMaarten Smeets
 
PPTX
Transport Layer Security
byHuda Seyam
 
PDF
TLS/SSL Internet Security Talk
byNisheed KM
 
TLS: Past, Present, Future
byvpnmentor
 
TLS
byDaniel Stenberg
 
How broken is TLS?
byhannob
 
Random musings on SSL/TLS configuration
byextremeunix
 
TLS Perf: from three to zero in one spec
byNatasha Rooney
 
All you need to know about transport layer security
byMaarten Smeets
 
Transport Layer Security
byHuda Seyam
 
TLS/SSL Internet Security Talk
byNisheed KM
 

What's hot

PPTX
SSL And TLS
byGhanshyam Patel
 
PDF
Recover A RSA Private key from a TLS session with perfect forward secrecy
byPriyanka Aash
 
PPTX
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
byJaroslavChmurny
 
PPTX
Transport layer security
byHrudya Balachandran
 
PPT
Sniffing SSL Traffic
bydkaya
 
PPT
SSL/TLS
byDr Anjan Krishnamurthy
 
PPT
Cryptography - Overview
byMohammed Adam
 
PDF
SSL intro
byThree Lee
 
PPTX
Transport Layer Security
byChhatra Thapa
 
PPTX
SSL/TLS
bySirish Kumar
 
PPT
Introduction to Secure Sockets Layer
byNascenia IT
 
PDF
Transport Layer Security
byIbrahiem Mohammed
 
PPTX
Transport layer security (tls)
byKalpesh Kalekar
 
PDF
SSL/TLS Handshake
byArpit Agarwal
 
PPTX
TLS - Transport Layer Security
byByronKimani
 
PDF
Introduction to and survey of TLS Security
byAaron Zauner
 
PDF
DANE and DNSSEC Authentication Chain Extension for TLS
byShumon Huque
 
PDF
State of Transport Security in the E-Mail Ecosystem at Large
byAaron Zauner
 
PPTX
Transport layer security
byHrudya Balachandran
 
PPTX
Introduction to SSL and How to Exploit & Secure
byBrian Ritchie
 
SSL And TLS
byGhanshyam Patel
 
Recover A RSA Private key from a TLS session with perfect forward secrecy
byPriyanka Aash
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
byJaroslavChmurny
 
Transport layer security
byHrudya Balachandran
 
Sniffing SSL Traffic
bydkaya
 
SSL/TLS
byDr Anjan Krishnamurthy
 
Cryptography - Overview
byMohammed Adam
 
SSL intro
byThree Lee
 
Transport Layer Security
byChhatra Thapa
 
SSL/TLS
bySirish Kumar
 
Introduction to Secure Sockets Layer
byNascenia IT
 
Transport Layer Security
byIbrahiem Mohammed
 
Transport layer security (tls)
byKalpesh Kalekar
 
SSL/TLS Handshake
byArpit Agarwal
 
TLS - Transport Layer Security
byByronKimani
 
Introduction to and survey of TLS Security
byAaron Zauner
 
DANE and DNSSEC Authentication Chain Extension for TLS
byShumon Huque
 
State of Transport Security in the E-Mail Ecosystem at Large
byAaron Zauner
 
Transport layer security
byHrudya Balachandran
 
Introduction to SSL and How to Exploit & Secure
byBrian Ritchie
 

Viewers also liked

PDF
You know what's cool? Running on a billion devices
byDaniel Stenberg
 
PPT
Automated analysis by yatin sankharva copy
byPatel Parth
 
PPTX
Automation
byRGCL
 
PDF
Auto analyzer
byTapeshwar Yadav
 
PPT
Automated analysis 112070804013
byPatel Parth
 
PPTX
Automation
byTapeshwar Yadav
 
You know what's cool? Running on a billion devices
byDaniel Stenberg
 
Automated analysis by yatin sankharva copy
byPatel Parth
 
Automation
byRGCL
 
Auto analyzer
byTapeshwar Yadav
 
Automated analysis 112070804013
byPatel Parth
 
Automation
byTapeshwar Yadav
 

Similar to Automated Analysis of TLS 1.3

ODP
Tls 13final13
byVitezslav Cizek
 
PDF
CNIT 141: 13. TLS
bySam Bowne
 
PDF
CNIT 141 13. TLS
bySam Bowne
 
PPTX
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
byBlueHat Security Conference
 
ODP
Tls 1.3
byKevin OBrien
 
PDF
CNIT 141: 13. TLS
bySam Bowne
 
PPTX
TLS,OCSP.pptx
byAbrarAhmed331135
 
PPTX
Advancing IoT Communication Security with TLS and DTLS v1.3
byHannes Tschofenig
 
PPTX
TLS 1.3: Everything You Need to Know - CheapSSLsecurity
byCheapSSLsecurity
 
PPTX
Egor Podmokov - TLS from security point of view
bySergey Arkhipov
 
PDF
Rootconf2019
byHuzaifa Sidhpurwala
 
PDF
wolfSSL and TLS 1.3
bywolfSSL
 
PPTX
Introducing TLS 1.3 – The future of Encryption
byRapidSSLOnline.com
 
PDF
SSL and TLS Theory and Practice 3rd Edition Rolf Oppliger
byaribonkathy
 
PPTX
Pentesting custom TLS stacks
byAlexandre Moneger
 
PPTX
Jim-Nitterauer-Decrypting-the-Mess-that-is-SSL-TLS-Negotiation-Preparing-for-...
byAliHaider897273
 
PDF
Why Many Websites are still Insecure (and How to Fix Them)
byCloudflare
 
PDF
Performance Analysis of TLS Web Servers
bywebhostingguy
 
PPTX
Cours4.pptx
byBellaj Badr
 
PDF
Introduction to TLS-1.3
byVedant Jain
 
Tls 13final13
byVitezslav Cizek
 
CNIT 141: 13. TLS
bySam Bowne
 
CNIT 141 13. TLS
bySam Bowne
 
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
byBlueHat Security Conference
 
Tls 1.3
byKevin OBrien
 
CNIT 141: 13. TLS
bySam Bowne
 
TLS,OCSP.pptx
byAbrarAhmed331135
 
Advancing IoT Communication Security with TLS and DTLS v1.3
byHannes Tschofenig
 
TLS 1.3: Everything You Need to Know - CheapSSLsecurity
byCheapSSLsecurity
 
Egor Podmokov - TLS from security point of view
bySergey Arkhipov
 
Rootconf2019
byHuzaifa Sidhpurwala
 
wolfSSL and TLS 1.3
bywolfSSL
 
Introducing TLS 1.3 – The future of Encryption
byRapidSSLOnline.com
 
SSL and TLS Theory and Practice 3rd Edition Rolf Oppliger
byaribonkathy
 
Pentesting custom TLS stacks
byAlexandre Moneger
 
Jim-Nitterauer-Decrypting-the-Mess-that-is-SSL-TLS-Negotiation-Preparing-for-...
byAliHaider897273
 
Why Many Websites are still Insecure (and How to Fix Them)
byCloudflare
 
Performance Analysis of TLS Web Servers
bywebhostingguy
 
Cours4.pptx
byBellaj Badr
 
Introduction to TLS-1.3
byVedant Jain
 

More from vpnmentor

PDF
On the Bit Security of Cryptographic Primitives. by Michael Walter
byvpnmentor
 
PDF
Homomorphic Lower Digit Removal and Improved FHE Bootstrapping by Kyoohyung Han
byvpnmentor
 
PPTX
Michael schapira - Hebrew University Jeruslaem - Secure Internet Routing
byvpnmentor
 
PPTX
Review of Previous ETAP Forums - Deepak Maheshwari
byvpnmentor
 
PPTX
India’s National Biometrics ID - Presented by Mr. Deepak Maheshwari
byvpnmentor
 
PPTX
A research-oriented introduction to the cryptographic currencies (starting wi...
byvpnmentor
 
PPTX
Alternative cryptocurrencies
byvpnmentor
 
PPTX
Smart contracts and applications part II
byvpnmentor
 
PPTX
Mining pools and attacks
byvpnmentor
 
PPTX
Smart contracts and applications part I
byvpnmentor
 
PPTX
Alternative cryptocurrencies
byvpnmentor
 
PDF
On the Security of TLS-DHE in the Standard Model
byvpnmentor
 
PDF
On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption
byvpnmentor
 
On the Bit Security of Cryptographic Primitives. by Michael Walter
byvpnmentor
 
Homomorphic Lower Digit Removal and Improved FHE Bootstrapping by Kyoohyung Han
byvpnmentor
 
Michael schapira - Hebrew University Jeruslaem - Secure Internet Routing
byvpnmentor
 
Review of Previous ETAP Forums - Deepak Maheshwari
byvpnmentor
 
India’s National Biometrics ID - Presented by Mr. Deepak Maheshwari
byvpnmentor
 
A research-oriented introduction to the cryptographic currencies (starting wi...
byvpnmentor
 
Alternative cryptocurrencies
byvpnmentor
 
Smart contracts and applications part II
byvpnmentor
 
Mining pools and attacks
byvpnmentor
 
Smart contracts and applications part I
byvpnmentor
 
Alternative cryptocurrencies
byvpnmentor
 
On the Security of TLS-DHE in the Standard Model
byvpnmentor
 
On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption
byvpnmentor
 

Automated Analysis of TLS 1.3

  • 1.
    Automated Analysis ofTLS 1.3 0-RTT, Resumption and Delayed Authentication 2 May 2016 Cas Cremers Marko Horvat Sam Scott Thyla van der Merwe Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 2.
    What we did(nutshell) We built a symbolic model of the TLS 1.3 specification - draft 10 We wanted to verify the main properties of TLS 1.3 as an authenticated key exchange protocol secrecy of session keys unilateral (mutual) authentication We extended our draft 10 model to include the delayed authentication mechanism We found a potential attack - disclosed this to the IETF TLS WG We started updating our model but the specification is a moving target Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 3.
    Where our workfits in... 2011$ 2015$ 1995$ 1996$ 1999$ 2006$ 2008$ 2016$ $$10$ 2009$ 2012$ 2013$ 2014$ 1998$ 2002$ Program' verifica-on' Provable' security' Formal' methods' Dowling(et(al.( [dra0105]( Kohlweiss(et(al.( [dra0105]( Krawczyk(and( Wee([OPTLS]( Dowling(et(al.( [dra0110]( We'are'here!' Ongoing(work(– later(talks( Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 4.
    TLS 1.3 -draft 10 Ku,$Kd$ Data$Link$ Internet$ Transport$ Applica7on$ TLS$h:p$ tcp$ hello, let’s chat okay, let’s agree on algorithms, establish keys to communicate securely and here’s some assurance as to my identity Ku,$Kd$ let’s exchange application data Handshake$protocol$ Record$protocol$ C S Encrypt as much of the handshake as possible Re-evaluate the handshake contents 1-RTT for initial handshake and 0-RTT for repeated handshakes Update the record protection mechanisms Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 5.
    TLS 1.3 -draft 10 Ku,$Kd$ Data$Link$ Internet$ Transport$ Applica7on$ TLS$h:p$ tcp$ hello, let’s chat okay, let’s agree on algorithms, establish keys to communicate securely and here’s some assurance as to my identity Ku,$Kd$ let’s exchange application data Handshake$protocol$ Record$protocol$ C S Session resumption merged with PSK mode Delayed client authentication mechanism (draft 10+) Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 6.
    TLS 1.3 -the OPTLS connection OPTimized and/or One-Point-Three TLS, designed by Krawczyk and Wee Meant as the basis for the TLS 1.3 handshake Incorporates Pefect Forward Secrecy (PFS) and 0-RTT functionality Designed to be flexible, simple, textbook crypto Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 7.
    TLS 1.3 -the OPTLS connection g^s$ s%$derived$from$g^xs$ atk$drived$from$g^xy$and$g^xs$ Source:$h9ps://eprint.iacr.org/2015/978.pdf$ Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 8.
    TLS 1.3 -the OPTLS connection Source:(h*ps://eprint.iacr.org/2015/978.pdf( Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 9.
    TLS 1.3 -the OPTLS connection Source:(h*ps://eprint.iacr.org/2015/978.pdf( Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 10.
    TLS 1.3 -draft 10 C S ClientHello, ClientKeyShare HelloRetryRequest ClientHello, ClientKeyShare ServerHello, ServerKeyShare, {EncryptedExtensions}, {ServerConfiguration*},{Certificate}, {CertificateRequest*}, {CertificateVerify}, {Finished} {Certificate*}, {CertificateVerify*}, {Finished} [Application data] Initial (EC)DHE handshake Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 11.
    TLS 1.3 -draft 10 C S ClientHello, ClientKeyShare, EarlyDataIndication, (EncryptedExtensions), (Certificate*), (Certificate Verify*), (ApplicationData) ServerHello, ServerKeyShare, EarlyDataIndication, {EncryptedExtensions}, {ServerConfiguration*},{Certificate} {CertificateRequest*}, {CertificateVerify}, {Finished} {Finished} [Application data] 0-RTT handshake Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 12.
    TLS 1.3 -draft 10 C S Initial handshake (see Figure (a)) [NewSessionTicket] [Application data] ClientHello, ClientKeyShare, PreSharedKeyExtension ServerHello, PreSharedKeyExtension, {EncryptedExtensions}, {Finished} {Finished} [Application data] PSK-resumption handshake Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 13.
    TLS 1.3 -draft 10 Source: https://www.ietf.org/proceedings/93/slides/slides-93-tls-8.pdf Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 14.
    TLS 1.3 -draft 10 TLS$1.2$and$below$ TLS$1.3$ Ini$al'handshake'–'RSA,'DHE,' 26RTT' Ini$al'handshake'–'(EC)DHE' only,'16RTT' Dedicated'resump$on' handshake' Resump$on'via'PSK' handshake' Dedicated'renego$a$on' handshake' Dedicated'renego$a$on' handshake'removed' No'early'data'func$onality' Early'data'–'06RTT'handshake' Different set of handshakes! Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 15.
    TLS 1.3 -draft 10 C S ClientHello, ClientKeyShare HelloRetryRequest ClientHello, ClientKeyShare ServerHello, ServerKeyShare, {EncryptedExtensions}, {ServerConfiguration*},{Certificate}, {CertificateRequest*}, {CertificateVerify}, {Finished} {Certificate*}, {CertificateVerify*}, {Finished} [Application data] (a) Initial (EC)DHE handshake C S ClientHello, ClientKeyShare, EarlyDataIndication, (EncryptedExtensions), (Certificate*), (Certificate Verify*), (ApplicationData) ServerHello, ServerKeyShare, EarlyDataIndication, {EncryptedExtensions}, {ServerConfiguration*},{Certificate} {CertificateRequest*}, {CertificateVerify}, {Finished} {Finished} [Application data] (b) 0-RTT handshake C S Initial handshake (see Figure (a)) [NewSessionTicket] [Application data] ClientHello, ClientKeyShare, PreSharedKeyExtension ServerHello, PreSharedKeyExtension, {EncryptedExtensions}, {Finished} {Finished} [Application data] (c) PSK-resumption handshake (+ PSK-DHE) Look at the full interaction of all these components! Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 16.
    TLS 1.3 -draft 10 C S ClientHello, ClientKeyShare HelloRetryRequest ClientHello, ClientKeyShare ServerHello, ServerKeyShare, {EncryptedExtensions}, {ServerConfiguration*},{Certificate}, {CertificateRequest*}, {CertificateVerify}, {Finished} {Certificate*}, {CertificateVerify*}, {Finished} [Application data] (a) Initial (EC)DHE handshake C S ClientHello, ClientKeyShare, EarlyDataIndication, (EncryptedExtensions), (Certificate*), (Certificate Verify*), (ApplicationData) ServerHello, ServerKeyShare, EarlyDataIndication, {EncryptedExtensions}, {ServerConfiguration*},{Certificate} {CertificateRequest*}, {CertificateVerify}, {Finished} {Finished} [Application data] (b) 0-RTT handshake C S Initial handshake (see Figure (a)) [NewSessionTicket] [Application data] ClientHello, ClientKeyShare, PreSharedKeyExtension ServerHello, PreSharedKeyExtension, {EncryptedExtensions}, {Finished} {Finished} [Application data] (c) PSK-resumption handshake (+ PSK-DHE) Look at the full interaction of all these components! Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 17.
    Symbolic analysis A symbolicmodel allows us to examine the logical soundness of the protocol We systematically specify and hope to exclude a class of attacks - ‘logical’ attacks (think Triple Handshake for TLS 1.2) We assume black-box cryptography We analyse the specification only Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 18.
    Using Tamarin Tool detailsavailable at: http://www.infsec.ethz.ch/research/software/tamarin.html Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 19.
    Using Tamarin We builtour model for use in the Tamarin prover Automated tool for protocol analysis Good symbolic Diffie-Hellman support Considers an unbounded number of parties/handshakes How does it work? For simple models/properties, can prove automatically Complex models require more user interaction A proof shows that a property holds in all possible combinations of client, server, and adversary behaviours Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 20.
    Using Tamarin We builtour model for use in the Tamarin prover Automated tool for protocol analysis Good symbolic Diffie-Hellman support Considers an unbounded number of parties/handshakes How does it work? For simple models/properties, can prove automatically Complex models require more user interaction A proof shows that a property holds in all possible combinations of client, server, and adversary behaviours Tamarin is good because We can precisely model the TLS state machines We can accurately capture security properties Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 21.
    Using Tamarin We builtour model for use in the Tamarin prover Automated tool for protocol analysis Good symbolic Diffie-Hellman support Considers an unbounded number of parties/handshakes How does it work? For simple models/properties, can prove automatically Complex models require more user interaction A proof shows that a property holds in all possible combinations of client, server, and adversary behaviours Tamarin is good because We can precisely model the TLS state machines We can accurately capture security properties Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 22.
    Step 1: Buildinga model Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 23.
    Step 1: Buildinga model Encode honest party and adversary actions as Tamarin ‘rules’ For honest clients and servers rules correspond to flights of messages Rules transition the protocol from one state to the next Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 24.
    Step 1: Buildinga model c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 25.
    Step 1: Buildinga model c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 26.
    Step 1: Buildinga model c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 27.
    Step 1: Buildinga model c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 28.
    Step 1: Buildinga model c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 29.
    Step 1: Buildinga model c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 30.
    Step 1: Buildinga model c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 31.
    Step 1: Buildinga model c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 32.
    Step 1: Buildinga model c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 33.
    Step 1: Buildinga model rule C_1: let // Default C1 values tid = ~nc // Client Hello C = $C nc = ~nc pc = $pc S = $S // Client Key Share ga = ’g’^~a messages = <nc, pc,ga> in [ Fr(nc) , Fr(~a) ] --[ C1(tid) , Start(tid, C, ’client’) , Running(C, S, ’client’, nc) , DH(C, ~a) ]-> [ St_C_1_init(tid, C, nc, pc, S, ~a, messages, ’no_auth’) , Out(<C,nc, pc,ga>) ] Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 34.
    Step 1: Buildinga model Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 35.
    Step 2: Encodingsecurity properties TLS 1.3 goals include: unilateral authentication of the server (mandatory) mutual authentication (optional) confidentiality and perfect forward secrecy of session keys We have Dolev-Yao style adversary that has the ability to compromise long-term keys Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 36.
    Step 2: Encodingsecurity properties Security property Covered by analysis Source Unilateral authentication (server) Y D.1.1 Mutual authentication Y D.1.1 Confidentiality of ephemeral secret Y D.1.1 Confidentiality of static secret Y D.1.1 Perfect forward secrecy Y D.1.1.1 Integrity of handshake messages Y D.1.3 Protection of application data N D.2 Denial of service N D.3 Version rollback N D.1.2 Table : TLS 1.3 rev 10 properties Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 37.
    Step 2: Encodingsecurity properties secret_session_keys: (1) "All actor peer role k #i. (2) SessionKey(actor, peer, role, <k, ’authenticated’>)@i (3) & not ((Ex #r. RevLtk(peer)@r & #r < #i) |(Ex #r. RevLtk(actor)@r & #r < #i)) (4) ==> not Ex #j. KU(k)@j" This says... for all possible values of variables on the first line (1), if key k is accepted at time point i (2), and the adversary has not revealed the long term keys of the actor or the peer before the key is accepted (3), then the adversary cannot derive the key (4). Want to show that this holds for all combinations of client, server and adversary behaviours - ALL traces Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 38.
    Step 2: Encodingsecurity properties secret_session_keys: (1) "All actor peer role k #i. (2) SessionKey(actor, peer, role, <k, ’authenticated’>)@i (3) & not ((Ex #r. RevLtk(peer)@r & #r < #i) |(Ex #r. RevLtk(actor)@r & #r < #i)) (4) ==> not Ex #j. KU(k)@j" This says... for all possible values of variables on the first line (1), if key k is accepted at time point i (2), and the adversary has not revealed the long term keys of the actor or the peer before the key is accepted (3), then the adversary cannot derive the key (4). Want to show that this holds for all combinations of client, server and adversary behaviours - ALL traces Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 39.
    Step 3: Provingsecurity properties SessionKey(….) What  can  the   adversary  do?   S2   C2_Auth   What  can  the   adversary  do?  ...and  so  on   eventually  will   boil  down  to   needing  to  break   DH     Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 40.
    Step 3: Provingsecurity properties Not a straightforward application of Tamarin several man-months of work specification a moving target updating takes time, can be error-prone Need an intimate knowledge of the protocol - high degree of interaction with the tool in some cases Not a push-button analysis We have 45 auxiliary lemmas Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 41.
    Step 3: Provingsecurity properties secret_session_keys ! es_basic psk_dhe_es_basic kc_origin psk_helper psk_helper_client psk_helper_server key_deriv_rs key_deriv_hkeys key_deriv_hkeyc psk_basic + many more ! helpers!(proof!shortcuts)! tid_invariant one_start_tid + many more ! hints! ss_basic psk!helpers! Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 42.
    Step 3: Provingsecurity properties We verified the main properties of TLS 1.3 revision 10 as an authenticated key exchange protocol: Secrecy of session keys holds for both client and server forward secrecy Mutual authentication Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 43.
    Attacking client authentication(draft 10+) c0start c1−dhe c1−psk c1−kc c2a c2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C Auth C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 44.
    Attacking client authentication CasCremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 45.
    Attacking client authentication psk_id= psk_id Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 46.
    Attacking client authentication CasCremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 47.
    Attacking client authentication CasCremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 48.
    Attacking client authentication CasCremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 49.
    Attacking client authentication CasCremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 50.
    Attacking client authentication CasCremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 51.
    Attacking client authentication CasCremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 52.
    Attacking client authentication CasCremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 53.
    Attacking client authentication CasCremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 54.
    Attacking client authentication CasCremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 55.
    Attacking client authentication CasCremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 56.
    Attacking client authentication CasCremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 57.
    Cause and mitigation Primeexample of an attack that can arise because of the interaction of modes No binding between the client signature and session for which it is intended Complicated to find Example of the positive interaction of analysis and design Communicated this to the IETF TLS Working Group... Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 58.
    Cause and mitigation https://www.ietf.org/mail-archive/web/tls/current/ msg18215.html CasCremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 59.
    Cause and mitigation “Niceanalysis! I think that the composition of different mechanisms in the protocol is likely to be where many subtle issues lie, and analyses like this one support that concern.” “Thanks for posting this. It’s great to see people doing real formal analysis of the TLS 1.3 draft; this is really helpful in guiding the design.” Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 60.
    Cause and mitigation “Niceanalysis! I think that the composition of different mechanisms in the protocol is likely to be where many subtle issues lie, and analyses like this one support that concern.” “Thanks for posting this. It’s great to see people doing real formal analysis of the TLS 1.3 draft; this is really helpful in guiding the design.” “This result motivates and confirms the need to modify the handshake hashes to contain the server Finished when we add post-handshake authentication as is done in PR#316...” Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 61.
    Cause and mitigation “Niceanalysis! I think that the composition of different mechanisms in the protocol is likely to be where many subtle issues lie, and analyses like this one support that concern.” “Thanks for posting this. It’s great to see people doing real formal analysis of the TLS 1.3 draft; this is really helpful in guiding the design.” “This result motivates and confirms the need to modify the handshake hashes to contain the server Finished when we add post-handshake authentication as is done in PR#316...” Although already included in PR316, the attack highlights strict necessity of including the Finished message in the session hash and draft 11 does this - creates a binding between signature and the session Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 62.
    Cause and mitigation “Niceanalysis! I think that the composition of different mechanisms in the protocol is likely to be where many subtle issues lie, and analyses like this one support that concern.” “Thanks for posting this. It’s great to see people doing real formal analysis of the TLS 1.3 draft; this is really helpful in guiding the design.” “This result motivates and confirms the need to modify the handshake hashes to contain the server Finished when we add post-handshake authentication as is done in PR#316...” Although already included in PR316, the attack highlights strict necessity of including the Finished message in the session hash and draft 11 does this - creates a binding between signature and the session Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 63.
    Where we stand Weshowed that draft 10 meets the goals of authenticated key exchange, and the changes in draft 11 appear to address the attack First comprehensive analysis of the interaction of the new TLS 1.3 modes we confirmed the base design is solid prevented a potential weakness Draft 11... Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 64.
    Where we stand c0start c1−dhe c1−psk c1−kc c2ac2 c3 ClientHello Receive ServerHello/Finished + Send ClientFinished Client authentication C 1 C 1 PSK C 1 KC C 2 PSK C 2 PSK DHE C 1 KC Auth C 1 retry C 2 C 2 KC C 2 NoAuth C 2 Auth C 3 C 3 NST C send C Auth C recv Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 65.
    Where we stand s0start s1a−psk s1a s1s2 s3 S 1 S 1 KC S 1 KC RecvAuth S 1 PSK S 1 PSK DHE S 1 PSK AuthS 1 PSK NoAuth S 1 NoAuthS 1 AuthReq S 1 retry S 2 S 2 RecvAuth S 2 Auth S 3 S 3 NST S send S recv S AuthReq S RecvAuth Process ClientHello + Send ServerHello Update authen- tication state Receive ClientFinished (with authentication) Update authen- tication status Got half-way through proving draft 11, then talk of major changes... Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 66.
    Where we stand Draft12 adds 0.5-RTT data But what’s next? Talk on the mailing list and IETF meetings of removing 0-RTT (EC)DHE handshake changing the key schedule Means that the specification starts to diverge from our current model Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 67.
    Where we stand rev$10$rev$10+$ rev$12$ (inc.$11)$ rev$13,$ 14,$15..?$ Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 68.
    Making changes The modelcan be updated to accommodate changes Additions can complicate the analysis (adding loops) Reductions/simplifications are easier to handle Changes mean more man-hours http://tls13tamarin.github.io/TLS13Tamarin/ Authors: Cas Cremers cas.cremers@cs.ox.ac.uk Sam Scott sam.scott.2012@live.rhul.ac.uk Marko Horvat marko.horvat@cs.ox.ac.uk Thyla van der Merwe thyla.vandermerwe.2012@live.rhul.ac.uk Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3
  • 69.
    Making changes The modelcan be updated to accommodate changes Additions can complicate the analysis (adding loops) Reductions/simplifications are easier to handle Changes mean more man-hours http://tls13tamarin.github.io/TLS13Tamarin/ Authors: Cas Cremers cas.cremers@cs.ox.ac.uk Sam Scott sam.scott.2012@live.rhul.ac.uk Marko Horvat marko.horvat@cs.ox.ac.uk Thyla van der Merwe thyla.vandermerwe.2012@live.rhul.ac.uk Cas Cremers, Marko Horvat, Sam Scott, Thyla van der Merwe Automated Analysis of TLS 1.3