On the security of TLS renegotiation

Florian Bergsma, Florian Kohlar, Douglas Stebila

ACM Conference on Computer and Communications Security


Abstract

The Transport Layer Security (TLS) protocol is the most widely used security protocol on the Internet. It supports negotiation of a wide variety of cryptographic primitives through different cipher suites, various modes of client authentication, and additional features such as renegotiation. Despite its widespread use, only recently has the full TLS protocol been proven secure, and only the core cryptographic protocol with no additional features. These additional features have been the cause of several practical attacks on TLS. In 2009, Ray and Dispensa demonstrated how TLS renegotiation allows an attacker to splice together its own session with that of a victim, resulting in a man-in-the-middle attack on TLS-reliant applications such as HTTP. TLS was subsequently patched with two defence mechanisms for protection against this attack.

We present the first formal treatment of renegotiation in secure channel establishment protocols. We add optional renegotiation to the authenticated and confidential channel establishment model of Jager et al., an adaptation of the Bellare–Rogaway authenticated key exchange model. We describe the attack of Ray and Dispensa on TLS within our model. We show generically that the proposed fixes for TLS offer good protection against renegotiation attacks, and give a simple new countermeasure that provides renegotiation security for TLS even in the face of stronger adversaries.
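The defence the abstract refers to works by cryptographically binding each renegotiation handshake to the handshake that preceded it on the same connection: each side remembers the verify_data of the last Finished messages, the client echoes its previous client_verify_data in its ClientHello, the server echoes client_verify_data followed by server_verify_data in its ServerHello, and either side aborts when the peer's claim does not match its own record. The model below is an added illustration of that check, not code from the paper or from any TLS implementation; the `Endpoint` class, the `handshake` function and the `verify_data` stand-in (a truncated SHA-256 over a constructed transcript label rather than the TLS PRF) are assumptions made for this example.

```python
"""Toy model of the renegotiation-binding check (added example, not the
paper's code). The 12-byte verify_data values are constructed stand-ins
for the TLS 1.2 Finished verify_data; the names below are assumptions."""
import hashlib
from dataclasses import dataclass


@dataclass
class Endpoint:
    """What one TLS endpoint remembers about the last handshake on a connection.
    Both fields are empty before any handshake has completed."""
    name: str
    client_verify_data: bytes = b""
    server_verify_data: bytes = b""


def verify_data(role: bytes, transcript: bytes) -> bytes:
    # Constructed stand-in for the Finished verify_data of a handshake.
    return hashlib.sha256(role + transcript).digest()[:12]


def client_hello_ext(client: Endpoint) -> bytes:
    # Initial handshake: empty. Renegotiation: the previous client_verify_data.
    return client.client_verify_data


def server_hello_ext(server: Endpoint) -> bytes:
    # Initial handshake: empty. Renegotiation: client_verify_data || server_verify_data.
    return server.client_verify_data + server.server_verify_data


def server_accepts(server: Endpoint, ext: bytes) -> bool:
    # The client's claim about the previous handshake must equal the server's record.
    return ext == server.client_verify_data


def client_accepts(client: Endpoint, ext: bytes) -> bool:
    # The server's claim about the previous handshake must equal the client's record.
    return ext == client.client_verify_data + client.server_verify_data


def handshake(client: Endpoint, server: Endpoint, transcript: bytes,
              check_binding: bool = True) -> bool:
    """Run one handshake (initial or renegotiation) between the two endpoints.
    With check_binding=False the extension is ignored, as in unpatched TLS.
    Returns True if both sides accept; on success both record fresh verify_data."""
    if check_binding:
        if not server_accepts(server, client_hello_ext(client)):
            return False
        if not client_accepts(client, server_hello_ext(server)):
            return False
    cvd = verify_data(b"client finished", transcript)
    svd = verify_data(b"server finished", transcript)
    for endpoint in (client, server):
        endpoint.client_verify_data, endpoint.server_verify_data = cvd, svd
    return True


def honest_renegotiation() -> bool:
    """Same client and server perform an initial handshake and then renegotiate."""
    c, s = Endpoint("client"), Endpoint("server")
    return handshake(c, s, b"hs1") and handshake(c, s, b"hs2")


def spliced_handshake(check_binding: bool) -> bool:
    """The server already holds a session with some other party, and a fresh
    client's initial handshake is then delivered on that same connection (the
    situation the splice described above produces). Returns whether the
    handshake is accepted."""
    other, s = Endpoint("other"), Endpoint("server")
    handshake(other, s, b"hs1")
    fresh = Endpoint("client")
    return handshake(fresh, s, b"hs2", check_binding)


if __name__ == "__main__":
    print("honest renegotiation accepted:", honest_renegotiation())
    print("spliced handshake, no binding check:", spliced_handshake(False))
    print("spliced handshake, with binding check:", spliced_handshake(True))
```

The fresh client sends an empty extension because, from its point of view, this is an initial handshake, while the server's record holds the verify_data of its handshake with the other party; the mismatch is what lets the patched server reject the spliced handshake that the unpatched server (`check_binding=False`) accepts.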
