Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2014, Pages 98-113

  Bhargavan, Karthikeyan ^a   Delignat Lavaud, Antoine ^a   Fournet, Cédric ^b   Pironti, Alfredo ^a   Strub, Pierre Yves ^c  

^a INRIA ROCQUENCOURT   (France)

^b MICROSOFT RESEARCH   (United States)

^c IMDEA SOFTWARE INSTITUTE   (Spain)

Author keywords

[No Author keywords available]

Indexed keywords

AUTHENTICATION;

APPLICATION SECURITY; AUTHENTICATION METHODS; CHALLENGE RESPONSE PROTOCOLS; CHANNEL ABSTRACTIONS; DESIGN AND IMPLEMENTS; DIFFIE-HELLMAN KEY EXCHANGE; IMPERSONATION ATTACK; NETWORK CONNECTION;

SEEBECK EFFECT;

EID: 84914174218     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2014.14     Document Type: Conference Paper

References (57)

1. [MS-PEAP]: Protected Extensible Authentication Protocol (PEAP). http://msdn.microsoft.com/en-us/library/cc238354.aspx, 2013.
2. HTTPS Everywhere. https://www.eff.org/https-everywhere, 2014.
3. M. Abadi. Security protocols and their properties. In Foundations of Secure Computation, 2000.
4. N. AlFardan, D. Bernstein, K. Paterson, B. Poettering, and J. Schuldt. On the Security of RC4 in TLS. In USENIX Security, 2013.
5. N. J. AlFardan and K. G. Paterson. Lucky thirteen: breaking the TLS and DTLS record protocols. In IEEE S&P, 2013.
6. J. Altman, N. Williams, and L. Zhu. Channel Bindings for TLS. IETF RFC 5929, 2010.
7. R. Anderson and S. Vaudenay. Minding your p's and q's. In ASIACRYPT, 1996.
8. N. Asokan, V. Niemi, and K. Nyberg. Man-in-the-middle in tunnelled authentication protocols. In Security Protocols. 2005.
9. B. Aziz and G. Hamilton. Detecting man-in-the-middle attacks by precise timing. In SECUREWARE, 2009.
10. D. Balfanz and R. Hamilton. Transport Layer Security (TLS) Channel IDs. IETF Internet Draft v01, 2013.
11. E. Barker, D. Johnson, and M. Smid. NIST Special Publication 800-56A Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), 2007.
12. A. Barth, C. Jackson, and J. C. Mitchell. Robust defenses for cross-site request forgery. In ACM CCS, 2008.
13. D. Berbecaru and A. Lioy. On the Robustness of Applications Based on the SSL and TLS Security Protocols. In PKI. 2007.
14. K. Bhargavan, C. Fournet, R. Corin, and E. Žalinescu. Verified Cryptographic Implementations for TLS. ACM TISSEC, 15(1):1-32, 2012.
15. K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, and P. Strub. Implementing TLS with verified cryptographic security. In IEEE S&P, 2013.
16. K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, P. Strub, and S. Zanella-Beguelin. Proving the TLS handshake (as it is). 2013. Unpublished Draft.
17. S. Blake-Wilson and A. Menezes. Unknown key-share attacks on the station-to-station (STS) protocol. In PKC, 1999.
18. A. Bortz, A. Barth, and A. Czeskis. Origin cookies: Session integrity for Web applications. In W2SP, 2011.
19. A. Cassola, W. Robertson, E. Kirda, and G. Noubir. A practical, targeted, and stealthy attack against WPA enterprise authentication. In NDSS, 2013.
20. S. Chaki and A. Datta. ASPIER: An automated framework for verifying security protocol implementations. In IEEE CSF, 2009.
21. L. Chen. NIST Special Publication 800-108: Recommendation for Key Derivation Using Pseudorandom Functions, 2009.
22. J. Clark and P. van Oorschot. SoK: SSL and HTTPS: Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements. In IEEE S&P, 2013.
23. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2. IETF RFC 5246, 2008.
24. M. Dietz, A. Czeskis, D. Balfanz, and D. S. Wallach. Origin-bound certificates: a fresh approach to strong client authentication for the web. In USENIX Security, 2012.
25. T. Duong and J. Rizzo. The CRIME attack. In Ekoparty, 2012.
26. C. Fournet, M. Kohlweiss, and P.-Y. Strub. Modular code-based cryptographic verification. In ACM CCS, 2011.
27. P. Funk and S. Blake-Wilson. Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0. IETF RFC 5281, 2008.
28. M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov. The most dangerous code in the world: validating SSL certificates in non-browser software. In ACM CCS, 2012.
29. F. Giesen, F. Kohlar, and D. Stebila. On the security of TLS renegotiation. In ACM CCS, 2013.
30. J. Hodges, C. Jackson, and A. Barth. HTTP Strict Transport Security (HSTS). IETF RFC 6797, 2012.
31. P. Hoffman. Additional Master Secret Inputs for TLS. IETF RFC 6358, 2012.
32. T. Jager, F. Kohlar, S. Schäge, and J. Schwenk. On the security of TLS-DHE in the standard model. In CRYPTO, 2012.
33. S. Josefsson and N. Williams. Using GSS-API Mechanisms in SASL: The GS2 Mechanism Family. IETF RFC 5801, 2010.
34. B. S. Kaliski Jr. An unknown key-share attack on the MQV key agreement protocol. ACM TISSEC, 4(3):275-288, 2001.
35. H. Krawczyk, K. G. Paterson, and H. Wee. On the Security of the TLS Protocol: A Systematic Analysis. In CRYPTO, 2013.
36. G. Lowe. An attack on the needham-schroeder public-key authentication protocol. Information Processing Letters, 56(3):131-133, 1995.
37. M. Marlinspike. More Tricks For Defeating SSL In Practice. Black Hat USA, 2009.
38. N. Mavrogiannopoulos, F. Vercauteren, V. Velichkov, and B. Preneel. A cross-protocol attack on the TLS protocol. In ACM CCS, 2012.
39. A. Menon-Sen, N. Williams, A. Melnikov, and C. Newman. Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms. IETF RFC 5802, 2010.
40. C. Meyer and J. Schwenk. Lessons learned from previous SSL/TLS attacks - A brief chronology of attacks and weaknesses. In IACR Cryptology ePrint Archive, 2013.
41. R. Oppliger, R. Hauser, and D. Basin. SSL/TLS session-aware user authentication - Or how to effectively thwart the man-in-the-middle. Computer Communications, 29(12):2238-2246, 2006.
42. A. Palekar, D. Simon, J. Salowey, H. Zhou, G. Zorn, and S. Josefsson. Protected EAP protocol (PEAP) version 2. IETF Internet Draft v10, 2004.
43. K. G. Paterson, T. Ristenpart, and T. Shrimpton. Tag size does matter: Attacks and proofs for the TLS record protocol. In ASIACRYPT, 2011.
44. J. Puthenkulam, V. Lortz, A. Palekar, D. Simon, and B. Aboba. The compound authentication binding problem. IETF Internet Draft v04, 2003.
45. M. Ray and S. Dispensa. Renegotiating TLS, 2009.
46. J.-F. Raymond and A. Stiglic. Security issues in the Diffie-Hellman key agreement protocol. IEEE Transactions on Information Theory, 22:1-17, 2000.
47. E. Rescorla. HTTP over TLS. IETF RFC 2818, 2000.
48. E. Rescorla. Keying Material Exporters for Transport Layer Security (TLS). IETF RFC 5705, 2010.
49. E. Rescorla, M. Ray, S. Dispensa, and N. Oskov. TLS renegotiation indication extension. IETF RFC 5746, 2010.
50. J. Salowey, H. Zhou, P. Eronen, and H. Tschofenig. TLS session resumption without server-side state. IETF RFC 5077, 2008.
51. D. Simon, B. Aboba, and R. Hurst. The EAP-TLS Authentication Protocol. IETF RFC 5216, 2008.
52. B. Smyth and A. Pironti. Truncating TLS Connections to Violate Beliefs in Web Applications. In USENIX WOOT, 2013.
53. E. Stark, L.-S. Huang, D. Israni, C. Jackson, and D. Boneh. The case for prefetching and prevalidating TLS server certificates. In NDSS, 2012.
54. P. van Oorschot. Extending cryptographic logics of belief to key agreement protocols. In ACM CCS, 1993.
55. D. Wagner and B. Schneier. Analysis of the SSL 3.0 protocol. In USENIX Electronic Commerce, 1996.
56. N. Williams. On the use of channel bindings to secure channels. IETF RFC 5056, 2007.
57. M. Zalewski. Browser Security Handbook. http://code.google.com/p/browsersec/.