Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro

2018-06-11

Horst Görtz Institute for IT Security

Chair for Network and Data Security

Generalization and Modularization of the ACCE Model

SKECH Workshop

Benjamin Dowling, Paul Rösler, Jörg Schwenk

KE + Channel = ?

Generalization of ACCE

Modularization of ACCE

Application to Noise

Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 2

Agenda

• Key Exchange + Channel = ?

• Generalization of ACCE

• Modularization of ACCE

• Application to Noise

KE + Channel = ?





Key Exchange + Channel = ?

• Key exchange then symmetric protocol

• Brzuska et al.: Composability of Bellare-Rogaway

Key Exchange Protocols CCS11

●

k k

KE + Channel = ?





c





• Channel establishment• Jager et al.: On the Security of TLS-DHE in the

Standard Model C12

●

k k

m m

f(k)

KE + Channel = ?





c






Standard Model C12

●

k

m m

f(k)

k

KE + Channel = ?










Standard Model C12

• Key exchange and symmetric protocol

• Fischlin, Günther: Multi-Stage Key Exchange and

the Case of Google's QUIC Protocol CCS14

●

k k

k k

k k

KE + Channel = ?





c






Standard Model C12




●

k k

m m

c

k k

m m

c

k k

m m

KE + Channel = ?





c






Standard Model C12




●

k k

m m

c

k k

m m

c

k k

m m

Authentication from first message

KE + Channel = ?





c






Standard Model C12



the Case of Google's QUIC Protocol + DFGS15

●

k k

m m

c

k k

m m

c

k k

m m

Authentication more modular

KE + Channel = ?





c






Standard Model C12



the Case of Google's QUIC Protocol + DFGS15 +

FG17

●

k k

m m

c

k k

m m

c

k k

m mReplay attacks

allowed, internal keys…?!

KE + Channel = ?





c






Standard Model C12




FG17

●

k k

m m

c

k k

m m

c

k k

m m

f(k)

KE + Channel = ?










Standard Model C12




FG17

• Two stage channel establishment

• Lychev et al.: How Secure and Quick is QUIC?

Provable Security and Performance Analyses

S&P15

●

c

k k

m m

c

k k

m m

f(k)

KE + Channel = ?










Standard Model C12




FG17

• Two stage channel establishment

• Lychev et al.: How Secure and Quick is QUIC?

Provable Security and Performance Analyses

S&P15

• What is so new about it?

●

c

k k

m m

c

k k

m m

c

k k

m m

f(k)

KE + Channel = ?





c

Generic and Modular ACCE

• What is so new about it?• Generic model

(i.e., independent ofanalyzed protocol)

●

k k

m m

c

k k

m m

c

k k

m m

f(k)

KE + Channel = ?





c




• Channel security under key usage in KE, full modularity for security properties

●

k k

m m

c

k k

m m

c

k k

m m

f(k)

KE + Channel = ?








• Channel security under key usage in KE, full modularity for security properties

• Allows to analyze protocols as they are

• Signal*

• Noise

→ Wireguard

* Composition of X3DH and DRAlg?

●

c

k k

m m

c

k k

m m

c

k k

m m

f(k)





KE + Channel = ?






• ACCE modeled with TLS 1.2 in mind

• QACCE modeled with QUIC in mind

• ACCE is an own primitive

●

c

k k

m m

c

k k

m m

c

k k

m m

f(k)

KE + Channel = ?









• Generically:• No distinct key (e.g., suppose asymmetric PKE channels)

●

c

k k

m m

c

k k

m m

c

k k

m m

f(k)

KE + Channel = ?









• Generically:• No distinct key (e.g., suppose asymmetric PKE channels)• No pre-/post accept phase (see e.g., QUIC, TLS 1.3, Noise)

●

c

k k

m m

c

k k

m m

c

k k

m m

f(k)

KE + Channel = ?









• Generically:• No distinct key (e.g., suppose asymmetric PKE channels)• No pre-/post accept phase (see e.g., QUIC, TLS 1.3, Noise)• First ping-pong, then concurrency not mandatory (e.g., channel per stage bidirectional)

●

c

k k

m m

c

k k

m m

c

k k

m m

f(k)

KE + Channel = ?









• Generically:• No distinct key (e.g., suppose asymmetric PKE channels)• No pre-/post accept phase (see e.g., QUIC, TLS 1.3, Noise)• First ping-pong, then concurrency not mandatory (e.g., channel per stage bidirectional)• Length-hiding an intrinsic property?

●

c

k k

m m

c

k k

m m

c

k k

m m

f(k)

KE + Channel = ?









• Generically:• No distinct key (e.g., suppose asymmetric PKE channels)• No pre-/post accept phase (see e.g., QUIC, TLS 1.3, Noise)• First ping-pong, then concurrency not mandatory (e.g., channel per stage bidirectional)• Length-hiding an intrinsic property?• Initiator = client, responder = server, unilateral authentication = server authentication?

●

c

k k

m m

c

k k

m m

c

k k

m m

f(k)

KE + Channel = ?









contains whole transcript

• Generically:• No distinct key (e.g., suppose asymmetric PKE channels)• No pre-/post accept phase (see e.g., QUIC, TLS 1.3, Noise)• First ping-pong, then concurrency not mandatory (e.g., channel per stage bidirectional)• Length-hiding an intrinsic property?• Initiator = client, responder = server, unilateral authentication = server authentication?

●

c

k k

m m

c

k k

m m

c

k k

m m

f(k)





KE + Channel = ?






• Channel can provide several properties• Authentication

• KCI resistance

●

c

k k

m m

c

k k

m m

c

k k

m m

f(k)

KE + Channel = ?







• KCI resistance

• Forward secrecy

• Resistance against replay attacks

●

c

k k

m m

c

k k

m m

c

k k

m m

f(k)

KE + Channel = ?







• KCI resistance

• Forward secrecy


• Resistance against weak randomness

●

c

k k

m m

c

k k

m m

c

k k

m m

f(k)

KE + Channel = ?







• KCI resistance

• Forward secrecy



• We keep channel simple (i.e., stAE)

●

c

k k

m m

c

k k

m m

c

k k

m m

f(k)

KE + Channel = ?







• KCI resistance

• Forward secrecy




• Properties can be reached…• … for each party separately

●

c

k k

m m

c

k k

m m

c

k k

m m

f(k)

KE + Channel = ?







• KCI resistance

• Forward secrecy





• … at different stages during the protocol execution (via round trips [RTs])

●

m

m…m

m

m…m

m

m…m

m

m…m

m

m…m

m

m…m

KE + Channel = ?







• … at different stages during theprotocol execution (via RTs)

• Round trips:

●

m

m…m

m

m…m

m

m…m

m

m…m

m

m…m

m

m…m

KE + Channel = ?








• Round trips:• Interaction between parties

• Denote epochs in communication

●

m

m…m

m

m…m

m

m…m

m

m…m

m

m…m

m

m…m

KE + Channel = ?










• No keys to defines stages (as in MS-KE)

●

m

m…m

m

m…m

m

m…m

m

m…m

m

m…m

m

m…m

KE + Channel = ?











• Usual in KE, ratcheting (see Signal, Bertram’s talk)

●

m

m…m

m

m…m

m

m…m

m

m…m

m

m…m

m

m…m

KE + Channel = ?











• Usual in KE, ratcheting (see Signal, Bertram’s talk)

• Further extension within RTs• Too complex for the use-case here

●

m

m…m

m

m…m

m

m…m

m

m…m

m

m…m

m

m…m

KE + Channel = ?








• For each party separately:

●

m

m

m

m

m

m

…

…

…

KE + Channel = ?








• For each party separately:• Authentication A-to-B with message A-to-B

●

m

m

m

m

m

m

…

…

…

KE + Channel = ?









• E.g. resistance against weak randomnessnot direction-dependent

●

m

m

m

m

m

m

…

…

…

KE + Channel = ?










• 5*2+1 counters index our security definition:aui,aur, kci,kcr, fsi,fsr, rpi,rpr, ori,orr,eck ∈ {0,0.5,1,1.5,… ,∞}

●

m

m

m

m

m

m

…

…

…

KE + Channel = ?










• 5*2+1 counters index our security definition:aui,aur, kci,kcr, fsi,fsr, rpi,rpr, ori,orr,eck ∈ {0,0.5,1,1.5,… ,∞}

●

m

m

m

m

m

m

…

…

…

KE + Channel = ?






• Adversary has to guess a challenge bit• Enc and Dec embed challenges (stAE)

●

m

m

m

m

m

m

…

…

…

KE + Channel = ?






• Adversary has to guess a challenge bit• Enc and Dec embed challenges (stAE)

• Adversarial behavior leaks bits of someRTs, but some must stay secure

→ Challenge bits for each RT

●

m

m

m

m

m

m

…

…

…

KE + Channel = ?






• Adversary can• Actively attack sessions

• Corrupt parties

• Reveal session randomness

●

m

m

m

m

m

m

…

…

…

KE + Channel = ?







• Corrupt parties


• Reveal session states• There are no keys anymore (by syntax)

●

m

m

m

m

m

m

…

…

…

KE + Channel = ?







• Corrupt parties



• What does independence of sessions mean inprotocols of long duration (idea of Reveal in BR93)?

●

m

m

m

m

m

m

…

…

…

KE + Channel = ?







• Corrupt parties



• What does independence of sessions mean inprotocols of long duration (idea of Reveal in BR93)?

• What are the effects of replay attacks w.r.t. session independence?

●

m

m

m

m

m

m

…

…

…

KE + Channel = ?






• Resistance against replay attacks• Within session modeled by stateful AE

●

m

m

m

m

m

m

…

…

…

KE + Channel = ?







• Inter session: Impact of state Reveal

• Not only dependents on symmetric key

• Also on ephemeral asymmetric secrets

●

m

m

m

m

m

m

…

…

…

gB

ga

f(gaB)

KE + Channel = ?







• Inter session: Impact of state Reveal

rpi,rpr denote RT after which revealedstate cannot be used to reestablishsession

• Not only dependents on symmetric key

• Also on ephemeral asymmetric secrets

●

m

m

m

m

m

m

…

…

…

gB

ga

f(gaB)





KE + Channel = ?






• Protocol framework for channel establishment• using DH group, AEAD, hash function, KDF

• for different scenarios (15 patterns):

●

KE + Channel = ?







• for different scenarios (15 patterns):• Who knows whom a priori?

• Who should authenticate?

• How fast should messages be transmitted?

• Which further properties shall be reached(forward secrecy, identity hiding, …)?

●

KE + Channel = ?








• implemented in Java, C, Haskell, Python, Javascript, …

• used in WhatsApp, Wireguard, Slack, …

• for homogenous networks(i.e., all parties are configured equally)

●

KE + Channel = ?








• implemented in Java, C, Haskell, Python, Javascript, …

• used in WhatsApp, Wireguard, Slack, …

• for homogenous networks(i.e., all parties are configured equally)

• Security claimed but not proven yet• Concurrent work by Nadim Kobeissi

(noiseexplorer.com) using ProVerif

●

KE + Channel = ?





Application to Noise●

KE + Channel = ?






KE + Channel = ?






KE + Channel = ?






KE + Channel = ?






KE + Channel = ?






KE + Channel = ?






• Security claimed but not proven yet• Authentication + KCI resistance

●

KE + Channel = ?







• Confidentiality + Forward secrecy+ Resistance against replay attacks

●

KE + Channel = ?








●

KE + Channel = ?








●

KE + Channel = ?








●

KE + Channel = ?








●

KE + Channel = ?








●

KE + Channel = ?









●

KE + Channel = ?






KE + Channel = ?






KE + Channel = ?





Outlook


• Modularization of ACCE(as MS-KE modularizes BR93)

• Computational security proofs for Noise

KE + Channel = ?





Outlook




• Further extensions regarding• Intra-epoch properties• Channel properties

KE + Channel = ?





Outlook





• Further properties of Noise• Negotiation• Identity hiding

KE + Channel = ?





Outlook





• Further properties of Noise• Negotiation• Identity hiding

• Discussions• What means sessions are independent

in protocols of long duration?

• Is ACCE as bad as it is advertised?

• What can MS-KE learn from our model?

• Can abstract (MS-)KE with channel in which key is used to a higher level?

Documents

Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro