Downgrade Resilience in Key-Exchange Protocols

Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016

Volumn , Issue , 2016, Pages 506-525

  Bhargavan, Karthikeyan ^a   Brzuska, Christina ^b   Fournet, Cedric ^c   Green, Matthew ^d   Kohlweiss, Markulf ^c   Zanella Beguelin, Santiago ^c  

^a INRIA ROCQUENCOURT   (France)

^b HAMBURG UNIVERSITY OF TECHNOLOGY   (Germany)

^c MICROSOFT RESEARCH   (United States)

^d JOHNS HOPKINS UNIVERSITY   (United States)

Author keywords

Cryptography; IKE; IPSec; Key Exchange; Protocols; Security; SSH; TLS; ZRTP

Indexed keywords

CRYPTOGRAPHY; NETWORK PROTOCOLS; SEEBECK EFFECT; THALLIUM;

CRYPTOGRAPHIC ALGORITHMS; IPSEC; KEY EXCHANGE; KEY EXCHANGE PROTOCOLS; LOCAL CONFIGURATIONS; SECURITY; SECURITY PROPERTIES; ZRTP;

INTERNET PROTOCOLS;

EID: 84987664765     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2016.37     Document Type: Conference Paper

References (46)

1. B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, and H. Levkowetz, "Extensible Authentication Protocol (EAP)," IETF RFC 3748, 2004
2. D. Adrian, K. Bhargavan, Z. Durumeric, P. Gaudry, M. Green, J. A. Halderman, N. Heninger, D. Springall, E. Thome, L. Valenta, B. VanderSloot, E. Wustrow, S. Zanella-Beguelin, and P. Zimmermann, "Imperfect forward secrecy: How Diffie-Hellman fails in practice," in 22nd ACM Conference on Computer and Communications Security, 2015, pp. 5-17
3. N. J. AlFardan and K. G. Paterson, "Lucky thirteen: Breaking the TLS and DTLS record protocols," in 2013 IEEE Symposium on Security and Privacy, 2013, pp. 526-540
4. N. J. AlFardan, D. J. Bernstein, K. G. Paterson, B. Poettering, and J. C. N. Schuldt, "On the security of RC4 in TLS," in 22th USENIX Security Symposium, 2013, pp. 305-320
5. N. Aviram, S. Schinzel, J. Somorovsky, N. Heninger, M. Dankel, J. Steube, L. Valenta, D. Adrian, J. A. Halderman, V. Dukhovni, E. K asper, S. Cohney, S. Engels, C. Paar, and Y. Shavitt, "DROWN: Breaking TLS with SSLv2," https://drownattack.com/, Mar. 2016
6. R. Barnes, M. Thomson, A. Pironti, and A. Langley, "Deprecating Secure Sockets Layer Version 3.0," IETF RFC 7568, 2015
7. G. Barthe, B. Gregoire, S. Heraud, and S. Zanella-Beguelin, "Computer-aided security proofs for the working cryptographer," in Advances in Cryptology, CRYPTO 2011, 2011, pp. 71-90
8. M. Bellare and P. Rogaway, "Entity authentication and key distribution," in CRYPTO 1993, 1993, pp. 232-249
9. F. Bergsma, B. Dowling, F. Kohlar, J. Schwenk, and D. Stebila, "Multi-ciphersuite security of the secure shell (SSH) protocol," in 21st ACM Conference on Computer and Communications Security, 2014, pp. 369-381
10. B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, and J. Zinzindohoue, "A Messy State of the Union: Taming the Composite State Machines of TLS," in 2015 IEEE Symposium on Security and Privacy, 2015, pp. 535-552
11. K. Bhargavan and G. Leurent, "Transcript collision attacks: Breaking authentication in TLS, IKE, and SSH," in Network and Distributed System Security Symposium (NDSS'16), 2016
12. K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, and P. Strub, "Implementing TLS with verified cryptographic security," in 2013 IEEE Symposium on Security and Privacy, 2013, pp. 445-459
13. K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, P. Strub, and S. Zanella-Beguelin, "Proving the TLS handshake secure (as it is)," in CRYPTO 2014, 2014, pp. 235-255
14. K. Bhargavan, C. Brzuska, C. Fournet, M. Green, M. Kohlweiss, and S. Zanella-Bguelin, "Downgrade resilience in key-exchange protocols," Cryptology ePrint Archive, Report 2016/072, 2016, http://eprint.iacr.org
15. S. Blake-Wilson, M. Nystrom, D. Hopwood, J. Mikkelsen, and T. Wright, "Transport Layer Security (TLS) Extensions," IETF RFC 3546, 2003
16. Blanchet, "A computationally sound mechanized prover for security protocols," Dependable and Secure Computing, IEEE Transactions on, vol. 5, no. 4, pp. 193-207, 2008
17. B. Blanchet, "An efficient cryptographic protocol verifier based on prolog rules," in 14th IEEE Computer Security Foundations Workshop, CSFW 2014, 2001, pp. 82-96
18. R. Canetti and H. Krawczyk, "Security analysis of IKE's signature-based key-exchange protocol," in CRYPTO 2002, 2002, pp. 143-161
19. C. J. F. Cremers, "Key exchange in IPsec revisited: Formal analysis of IKEv1 and IKEv2," in 16th European Symposium on Research in Computer Security-ESORICS 2011, 2011, pp. 315-334
20. A. Delignat-Lavaud and K. Bhargavan, "Network-based origin confusion attacks against HTTPS virtual hosting," in 24th International Conference on World Wide Web, WWW 2015, 2015, pp. 227-237
21. B. Dowling and D. Stebila, "Modelling ciphersuite and version negotiation in the TLS protocol," in 20th Australasian Conference on Information Security and Privacy, ACISP 2015, 2015, pp. 270-288
22. B. Dowling, M. Fischlin, F. Gunther, and D. Stebila, "A cryptographic analysis of the TLS 1.3 handshake protocol candidates," in 22nd ACM Conference on Computer and Communications Security, 2015, pp. 1197-1210
23. C. Garman, K. G. Paterson, and T. V. der Merwe, "Attacks only get better: Password recovery attacks against RC4 in TLS," in 24th USENIX Security Symposium, 2015, pp. 113-128
24. D. Harkins and D. Carrel, "The internet key exchange (IKE)," IETF RFC 2409, 1998. [Online]. Available: http://www.ietf.org/rfc/rfc2409.txt
25. T. Jager, F. Kohlar, S. Schage, and J. Schwenk, "On the security of TLS-DHE in the standard model," in CRYPTO 2012, 2012, pp. 273-293
26. M. Just and S. Vaudenay, "Authenticated multi-party key agreement," in ASIACRYPT 1996, 1996, pp. 36-49
27. C. Kaufman, P. Hoffman, Y. Nir, and P. Eronen, "Internet Key Exchange Protocol Version 2 (IKEv2)," IETF RFC 5996, 2010
28. V. Klima, O. Pokorny, and T. Rosa, "Attacking RSAbased sessions in SSL/TLS," in 5th International Workshop on Cryptographic Hardware and Embedded Systems-CHES 2003. Springer, 2003, pp. 426-440
29. K. Kobara, S. Shin, and M. Strefler, "Partnership in key exchange protocols," in 2009 ACM Symposium on Information, Computer and Communications Security, ASIACCS 2009, 2009, pp. 161-170
30. H. Krawczyk, "SIGMA the 'SIGn-and-MAc' approach to authenticated Diffie-Hellman and its use in the IKE protocols," in CRYPTO 2003, 2003, pp. 400-425
31. H. Krawczyk, K. G. Paterson, and H. Wee, "On the security of the TLS protocol: A systematic analysis," in CRYPTO 2013, 2013, pp. 429-448
32. A. Langley, N. Modadugu, and B. Moeller, "Transport Layer Security (TLS) False Start," Internet Draft, 2010
33. G. Lowe, "A hierarchy of authentication specification," in 10th Computer Security Foundations Workshop (CSFW '97). IEEE Computer Society, 1997, pp. 31-44
34. R. H. M. Salter, E. Rescorla, "Suite B Profile for Transport Layer Security (TLS)," IETF RFC 5430, 2009
35. N. Mavrogiannopoulos, F. Vercauteren, V. Velichkov, and B. Preneel, "A cross-protocol attack on the TLS protocol," in 19th ACM Conference on Computer and Communications Security, 2012, pp. 62-72
36. C. Meadows, "Analysis of the internet key exchange protocol using the NRL protocol analyzer," in 1999 IEEE Symposium on Security and Privacy, 1999, pp. 216-231
37. S. Meier, B. Schmidt, C. Cremers, and D. Basin, "The tamarin prover for the symbolic analysis of security protocols," in 25th International Conference on Computer Aided Verification, CAV 2013, 2013, pp. 696-701
38. B. Moeller and A. Langley, "TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks," IETF RFC 7507, 2015
39. B. Moller, T. Duong, and K. Kotowicz, "This POODLE Bites: Exploiting The SSL 3.0 Fallback," Available at https://www.openssl.org/~bodo/ssl-poodle.pdf, 2014
40. E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.3, Draft 10," Internet Draft, 2015
41. S. Turner and T. Polk, "Prohibiting Secure Sockets Layer (SSL) Version 2.0," IETF RFC 6176, 2011
42. University of Michigan, "Tracking the FREAK Attack," Available at https://freakattack.com/, November 2015
43. D. Wagner and B. Schneier, "Analysis of the SSL 3.0 protocol," in 2nd USENIX Workshop on Electronic Commerce, WOEC 1996, 1996, pp. 29-40
44. T. Ylonen and C. Lonvick, "The secure shell (SSH) authentication protocol," IETF RFC 4252, 2006
45. The secure shell (SSH) transport layer protocol," IETF RFC 4253, 2006
46. P. Zimmermann, "RFC 6189bis: ZRTP: Media Path Key Agreement for Unicast Secure RTP," 2012