A Unilateral-to-Mutual Authentication Compiler for Key Exchange (with Applications to Client Authentication in TLS 1.3)

Hugo Krawczyk
2016. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security - CCS'16 (ACM Press). https://fatcat.wiki/container/rau5643b7ncwvh74y6p64hntle
We study the question of how to build "compilers" that transform a unilaterally authenticated (UA) key-exchange protocol into a mutually-authenticated (MA) one. We present a simple and efficient compiler and characterize the UA protocols that the compiler upgrades to the MA model, showing this to include a large and important class of UA protocols. The question, while natural, has not been studied widely. Our work is motivated in part by the ongoing work on the design of TLS 1.3, specifically the design of the client authentication mechanisms, including the challenging case of post-handshake authentication. Our approach supports the analysis of these mechanisms in a general and modular way, in particular aided by the notion of "functional security" that we introduce as a generalization of key exchange models and which may be of independent interest.

(Author affiliation: IBM Research. hugo@ee.technion.ac.il)

... client uses a digital signature as the means for public-key authentication (even though our approach can potentially be extended to other forms of authentication).

The SIGMAC Compiler. Our compiler is simple: to upgrade a unilateral protocol Π1 into a mutually authenticated Π2, upon completion of Π1 the client sends a single message comprised of: (i) the client's signature on a portion of Π1's transcript; and (ii) a MAC value computed on the client's and server's identities with a MAC key computed by Π1. The intuition of the design is simple too: first, note that anyone can sign the transcript, hence a signature by the client on the transcript alone is not sufficient. Just MACing the identities is clearly not sufficient either, since any party that participated in the unilateral protocol can compute the MAC on any identities. Yet the combination of signature and MAC ensures a binding between an identity and knowledge of a key (computed in the unilateral protocol). We call the compiler SIGMAC, for SIGnature and MAc Compiler, and also because it is reminiscent of the SIGMA protocol [24]. While intuitively appealing, proving the compiler, namely showing that it can upgrade a secure unilateral protocol into a secure mutual one, turns out to be non-trivial, in particular regarding what information needs to be covered by the signature. One can show examples, even in natural and practical settings, where even signing the whole transcript is not enough to ensure client authentication.
Fortunately, we show that the compiler works for important classes of protocols, including any protocol that derives its session key from a Diffie-Hellman exchange. A core issue is to characterize what needs to be included under the signature. For this, we find a general sufficient condition (through a notion we call transport replication security, abbreviated as "treplication security") such that if it is satisfied by a unilateral KE protocol Π, then applying the SIGMAC compiler to Π results in a provably secure mutually authenticated KE protocol. We then show that extensive classes of unilateral protocols possess this property, including the KE mechanisms used in TLS 1.3.
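The SIGMAC client message described above, as an added example that is not the paper's code: the unilateral protocol Π1 is stood in for by an X25519 exchange whose transcript is the two public shares, the client signs with Ed25519, the MAC is HMAC-SHA256 over both identities, and the MAC-key derivation, identity encoding and the `must` helper are assumptions of this example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must panics on error; the only error source here is the system RNG (demo helper).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// macIDs computes MAC_Km(idC || idS); the NUL separator is an assumed encoding.
func macIDs(km []byte, idC, idS string) []byte {
	m := hmac.New(sha256.New, km)
	m.Write([]byte(idC + "\x00" + idS))
	return m.Sum(nil)
}
// MakeClientAuth: the SIGMAC message, a signature on Π1's transcript and a MAC on both identities under Km.
func MakeClientAuth(sk ed25519.PrivateKey, transcript, km []byte, idC, idS string) (sig, mac []byte) {
	return ed25519.Sign(sk, transcript), macIDs(km, idC, idS)
}
// VerifyClientAuth accepts only if both parts pass; either part alone can be produced by a non-client party.
func VerifyClientAuth(pk ed25519.PublicKey, transcript, km []byte, idC, idS string, sig, mac []byte) bool {
	return ed25519.Verify(pk, transcript, sig) && hmac.Equal(mac, macIDs(km, idC, idS))
}

// RunUnilateral stands in for Π1 (X25519); Km = SHA-256(label || DH output) is an assumed KDF, not the paper's.
func RunUnilateral() (transcript, km []byte) {
	c := must(ecdh.X25519().GenerateKey(rand.Reader))
	s := must(ecdh.X25519().GenerateKey(rand.Reader))
	dh := must(c.ECDH(s.PublicKey()))
	transcript = append(c.PublicKey().Bytes(), s.PublicKey().Bytes()...)
	h := sha256.Sum256(append([]byte("sigmac mac key"), dh...))
	return transcript, h[:]
}

func main() {
	pk, sk, _ := ed25519.GenerateKey(rand.Reader)
	tr, km := RunUnilateral()
	sig, mac := MakeClientAuth(sk, tr, km, "client", "server")
	fmt.Println("server accepts client:", VerifyClientAuth(pk, tr, km, "client", "server", sig, mac))
}
```

Feeding VerifyClientAuth a signature under some other key, or a MAC under a key from a different Π1 run, makes the server reject; only the combination binds the client's identity to knowledge of Km.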
doi:10.1145/2976749.2978325 (https://doi.org/10.1145/2976749.2978325)
dblp:conf/ccs/Krawczyk16 (https://dblp.org/rec/conf/ccs/Krawczyk16.html)
fatcat:ryymwghsunhx5hpru3cjw3qcza (https://fatcat.wiki/release/ryymwghsunhx5hpru3cjw3qcza)
Full text (PDF, Web Archive): https://web.archive.org/web/20170711020434/http://eprint.iacr.org/2016/711.pdf