PRF-ODH: Relations, Instantiations, and Impossibility Results [chapter]

Jacqueline Brendel, Marc Fischlin, Felix Günther, Christian Janson
2017 Lecture Notes in Computer Science  
The pseudorandom-function oracle-Diffie-Hellman (PRF-ODH) assumption has been introduced recently to analyze a variety of DH-based key exchange protocols, including TLS 1.2 and the TLS 1.3 candidates,  ...  Evaluating the PRF-ODH Assumptions Consequently, and to capture all of the above assumptions simultaneously, we generally speak of the lrPRF-ODH assumption, allowing the adversary no (l, r = n), a single  ...  This work has been co-funded by the DFG as part of project S4 within the CRC 1119 CROSSING and as part of project D.2 within the RTG 2050  ... 
doi:10.1007/978-3-319-63697-9_22 fatcat:gjowiufwmrg7nk72swbcyy6hvu

A Formal Security Analysis of the Signal Messaging Protocol

Katriel Cohn-Gordon, Cas Cremers, Benjamin Dowling, Luke Garratt, Douglas Stebila
2017 IEEE European Symposium on Security and Privacy (EuroS&P)
We have found no major flaws in the design, and hope that our presentation and results can serve as a starting point for other analyses of this widely adopted protocol.  ...  Signal is a new security protocol and accompanying app that provides end-to-end encryption for instant messaging.  ...  Acknowledgements The authors acknowledge helpful discussions with Marc Fischlin and Felix Günther (TU Darmstadt) and valuable comments from Chris Brzuska (TU Hamburg) and Trevor Perrin (Open Whisper Systems  ... 
doi:10.1109/eurosp.2017.27 dblp:conf/eurosp/Cohn-GordonCDGS17 fatcat:z2sx2btynja57dvc5ge4vj5ltq

Future-Proofing Key Exchange Protocols

Jacqueline Brendel
Security-wise, we generally demand of key exchange protocols to achieve key secrecy and authentication.  ...  Key exchange protocols, first introduced by Diffie and Hellman in 1976, are one of the most widely-deployed cryptographic protocols.  ...  Figure 7.8: Relations result in the symmetric PRF-ODH setting.  ... 
doi:10.25534/tuprints-00009642 fatcat:2edjtbzotbanjblfy4kv5e7rui

On the Tight Security of TLS 1.3: Theoretically-Sound Cryptographic Parameters for Real-World Deployments [article]

Denis Diemert, Tibor Jager
2020 IACR Cryptology ePrint Archive  
In contrast, standard-model proofs often require a PRF-ODH-like assumption [ ]. However, these assumptions are closely related.  ...  Namely, as shown by Brendel et al. [ ], PRF-ODH is implied by SDH in the random oracle model (see also [ ] for an analysis of various variants of the PRF-ODH assumption).  ...  We thank the anonymous reviewers for their extensive and valuable comments that helped to improve the presentation of the paper a lot.  ... 
dblp:journals/iacr/DiemertJ20 fatcat:wum7b5pykngvvlwwnr3zrfw2zm

A Mechanised Cryptographic Proof of the WireGuard Virtual Private Network Protocol

Benjamin Lipp, Bruno Blanchet, Karthikeyan Bhargavan
2019 IEEE European Symposium on Security and Privacy (EuroS&P)
WireGuard is a free and open source Virtual Private Network (VPN) that aims to replace IPsec and OpenVPN. It is based on a new cryptographic protocol derived from the Noise Protocol Framework.  ...  We contribute proofs for correctness, message secrecy, forward secrecy, mutual authentication, session uniqueness, and resistance against key compromise impersonation, identity mis-binding, and replay  ...  Donenfeld (the author of WireGuard), Nadim Kobeissi, and the anonymous reviewers of EuroS&P'19 for their helpful feedback on our work.  ... 
doi:10.1109/eurosp.2019.00026 dblp:conf/eurosp/LippBB19 fatcat:gmelbvda2bcvjgzzhna4x5cary

A Formal Treatment of Accountable Proxying Over TLS

Karthikeyan Bhargavan, Ioana Boureanu, Antoine Delignat-Lavaud, Pierre-Alain Fouque, Cristina Onete
2018 IEEE Symposium on Security and Privacy (SP)
Finally, we present a proof-of-concept implementation of our design, instantiated with unmodified TLS 1.3 draft 23, and evaluate its overheads.  ...  To perform their tasks, such proxies modify channel-securing protocols, like TLS, resulting in serious vulnerabilities.  ...  on the PRF-ODH assumption already in place for key indistinguishability, and that it is likely to be added in the future by the miTLS authors.  ... 
doi:10.1109/sp.2018.00021 dblp:conf/sp/BhargavanBDFO18 fatcat:hml3dbswn5g4fpoi46eidiqsh4

Secure Communication Channel Establishment: TLS 1.3 (over TCP Fast Open) versus QUIC

Shan Chen, Samuel Jero, Matthew Jagielski, Alexandra Boldyreva, Cristina Nita-Rotaru
2021 Journal of Cryptology  
We hope that our models will help protocol designers in their future protocol analyses and that our results will help practitioners better understand the advantages and limitations of secure channel establishment  ...  By including packet-level attacks in our analysis, our results shed light on how the reliability, flow control, and congestion control of the above layered protocols compare, in adversarial settings.  ...  In particular, Encrypt queries related to 0-RTT keys can be allowed even if the server is corrupted, but the corruption must occur after the server gets reconfigured (via a NextTP query); this is fine  ... 
doi:10.1007/s00145-021-09389-w fatcat:7vcxpatn6zblnhf5bhopjnlxcy

Multi-Ciphersuite Security of the Secure Shell (SSH) Protocol

Florian Bergsma, Benjamin Dowling, Florian Kohlar, Jörg Schwenk, Douglas Stebila
2014 Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS '14)
We introduce a new generic multi-ciphersuite composition framework to achieve this result in a black-box way.  ...  We show that the signed-Diffie-Hellman SSH ciphersuites of the SSH protocol are secure: each is a secure authenticated and confidential channel establishment (ACCE) protocol, the same security definition  ...  The research leading to these results has received funding from the European Community (  ... 
doi:10.1145/2660267.2660286 dblp:conf/ccs/BergsmaDKSS14 fatcat:rmycihwfobh5fmlqc3f46zrqwm

The privacy of the TLS 1.3 protocol

Ghada Arfaoui, Xavier Bultel, Pierre-Alain Fouque, Adina Nedelcu, Cristina Onete
2019 Proceedings on Privacy Enhancing Technologies  
Given the numerous known attacks for TLS 1.2, it was imperative to change and even redesign the protocol in order to address them.  ...  On the positive side, we prove that TLS 1.3 protects the privacy of its users at least against passive adversaries, contrary to TLS 1.2, and against more powerful ones.  ...  however, we deem it acceptable for two reasons: (1) previous analyses of TLS 1.3 do show that the keys obtained through HKDF are indistinguishable from random [15] , under stronger assumptions like PRF-ODH  ... 
doi:10.2478/popets-2019-0065 dblp:journals/popets/ArfaouiBFNO19 fatcat:bu25qcwgjfdnpkiiobgnfczfvi

Breakdown Resilience of Key Exchange Protocols and the Cases of NewHope and TLS 1.3 [article]

Jacqueline Brendel, Marc Fischlin, Felix Günther
2017 IACR Cryptology ePrint Archive  
Broken cryptographic algorithms and hardness assumptions are a constant threat to real-world protocols.  ...  To this date there exists no security notion for key exchange protocols that could capture the scenario of breakdowns of arbitrary cryptographic primitives to argue security of prior or even ongoing and  ...  Acknowledgments Felix Günther is supported in part by Research Fellowship grant GU 1859/1-1 of the DFG and National Science Foundation (NSF) grants CNS-1526801 and CNS-1717640.  ... 
dblp:journals/iacr/BrendelFG17 fatcat:ixaxyx6d45cabiadb2xt4knziu

A Cryptographic Analysis of the TLS 1.3 Handshake Protocol

Benjamin Dowling, Marc Fischlin, Felix Günther, Douglas Stebila
Compared to the original MSKE model of Fischlin and Günther [FG14], the most notable changes in our model are the addition which models upgradeable authentication and accommodating both public and pre-shared  ...  We address both the full TLS 1.3 handshake (the one round-trip time mode, with signatures for authentication and (elliptic curve) Diffie-Hellman ephemeral ((EC)DHE) key exchange), and the abbreviated resumption  ...  Acknowledgments We thank Markulf Kohlweiss for insightful discussions on the necessity of the PRF-ODH assumption for proofs of the TLS 1.3 handshakes.  ... 
doi:10.3929/ethz-b-000438744 fatcat:3x7ufexpsnfulbvr3ob62uq7rq

Simple and flexible universal composability: definition of a framework and applications [article]

Daniel Rausch, Universität Stuttgart
Such models allow for designing and analyzing small parts of a protocol in isolation and then reusing these security results in the context of the overall protocol.  ...  a solid framework for designing and analyzing essentially any protocol and application in a modular, universally composable, and sound manner.  ...  As mentioned earlier, we leave a formulation of F crypto based on the PRF-ODH assumption for future work.  ... 
doi:10.18419/opus-11125 fatcat:zjjwr2rpujepllzhojugzatu7y