Verified Contributive Channel Bindings for Compound Authentication

22nd Annual Network and Distributed System Security Symposium, NDSS 2015

Volumn , Issue , 2015, Pages

  Bhargavan, Karthikeyan ^a   Delignat Lavaud, Antoine ^a   Pironti, Alfredo ^a  

^a INRIA ROCQUENCOURT   (France)

Author keywords

[No Author keywords available]

Indexed keywords

FORMAL METHODS; NETWORK SECURITY; SEEBECK EFFECT;

APPLICATION LEVEL; AUTHENTICATED CHANNEL; AUTHENTICATION ANALYSIS; AUTHENTICATION PROTOCOLS; DIFFIE HELLMAN; FORMAL MODELING; MAN IN THE MIDDLE; SESSION KEY; THREAT MODELING; TRUST ASSUMPTIONS;

AUTHENTICATION;

EID: 85180555442     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.14722/ndss.2015.23277     Document Type: Conference Paper

References (54)

1. N. Asokan, V. Niemi, and K. Nyberg, “Man-in-the-middle in tunnelled authentication protocols, ” in Security Protocols, 2005.
2. J. Puthenkulam, V. Lortz, A. Palekar, D. Simon, and B. Aboba, “The compound authentication binding problem, ” IETF Draft v04, 2003.
3. M. Ray and S. Dispensa, “Authentication gap in TLS renegotiation, ” 2009.
4. M. Rex, “Mitm attack on delayed TLS-client auth through renegotiation, ” 2009, http://ietf.org/mail-archive/web/tls/current/msg03928.html.
5. R. Oppliger, R. Hauser, and D. Basin, “SSL/TLS session-aware user authentication - or how to effectively thwart the man-in-the-middle, ” Comput. Commun., vol. 29, no. 12, pp. 2238-2246, 2006.
6. M. Dietz, A. Czeskis, D. Balfanz, and D. S. Wallach, “Origin-bound certificates: a fresh approach to strong client authentication for the web, ” in USENIX Security, 2012.
7. B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, and H. Levkowetz, “Extensible Authentication Protocol (EAP), ” IETF RFC 3748, 2004.
8. A. Palekar, D. Simon, J. Salowey, H. Zhou, G. Zorn, and S. Josefsson, “Protected EAP protocol (PEAP) version 2, ” IETF Draft vlO, 2004.
9. P. Funk and S. Blake-Wilson, “EAP-TTLSvO: Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol version 0, ” IETF RFC 5281, 2008.
10. N. Williams, “On the use of channel bindings to secure channels, ” IETF RFC 5056, 2007.
11. J. Altman, N. Williams, and L. Zhu, “Channel bindings for TLS, ” IETF RFC 5929, 2010.
12. E. Rescorla, M. Ray, S. Dispensa, and N. Oskov, “Transport Layer Security (TLS) Renegotiation Indication Extension, ” RFC 5746, 2010.
13. Microsoft, “Extended protection for authentication in integrated Windows authentication, ” 2009, http://support.microsoft.com/kb/968389.
14. D. Balfanz and R. Hamilton, “TLS Channel IDs, ” IETF Draft vOl, 2013.
15. F. Giesen, F. Kohlar, and D. Stebila, “On the security of TLS renegotiation, ” in ACM CCS, 2013.
16. K. Bhargavan, A. D. Lavaud, C. Fournet, A. Pironti, and P.-Y. Strub, “Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS, ” in S&P, 2014.
17. M. Abadi and C. Fournet, “Mobile values, new names, and secure communication, ” SIGPLAN Not., vol. 36, pp. 104-115, January 2001.
18. B. Blanchet, “An efficient cryptographic protocol verifier based on Prolog rules, ” in CSF, 2001, pp. 82-96.
19. K. Bhargavan, A. Delignat-Lavaud, A. Pironti, A. Langley, and M. Ray, “TLS session hash and extended master secret, ” IETF Draft, 2014.
20. D. Dolev and A. Yao, “On the security of public key protocols, ” IEEE Transactions on IT, vol. IT-29, no. 2, pp. 198-208, 1983.
21. M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov, “The most dangerous code in the world: validating SSL certificates in non-browser software, ” in ACM CCS, 2012.
22. D. Akhawe, B. Amann, M. Vallentin, and R. Sommer, “Here's my cert, so trust me, maybe?: understanding TLS errors on the Web, ” in WWW, 2013, pp. 59-70.
23. A. Cassola, W. Robertson, E. Kirda, and G. Noubir, “A practical, targeted, and stealthy attack against WPA enterprise authentication, ” in NDSS, 2013.
24. C. Soghoian and S. Stamm, ''Certified lies: Detecting and defeating government interception attacks against SSL, ” in FC, 2012.
25. A. Menon-Sen, N. Williams, A. Melnikov, and C. Newman, “Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms, ” IETF RFC 5802, 2010.
26. T. Hardjono and N. Klingenstein, “SAML v2.0 channel binding extensions version 1.0, ” OASIS Committee Specification, 2013.
27. Y. Sheffer and H. Tschofenig, “IKEv2 session resumption, ” IETF RFC 5723, 2010.
28. J. Schönwalder, G. Chulkov, E. Asgarov, and M. Cretu, “Session resumption for the Secure Shell protocol, ” in Integrated Network Management, 2009, pp. 157-163.
29. Z. Cao, B. He, Y. Shi, Q. Wu, and G. Zorn, “EAP extensions for the EAP re-authentication protocol (ERP), ” IETF RFC 6696, 2012.
30. K. Welter, “Reauthentication extension for IKEv2, ” IETF Draft, 2011.
31. G. Lowe, “Breaking and fixing the Needham-Schroeder public-key protocol using FDR, ” in TACAS, 1996, pp. 147-166.
32. R. Anderson and S. Vaudenay, “Minding your p's and q's, ” in ASIACRYPT, 1996.
33. E. Barker, D. Johnson, and M. Smid, NIST Special Publication 800-56A Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), 2007.
34. Y. Sheffer and S. Fluhrer, “Additional Diffie-Hellman tests for IKEv2, ” IETF RFC 6989, 2013.
35. M. Lepinski and S. Kent, “Additional Diffie-Hellman groups for use with IETF standards, ” IETF RFC 5114, 2008.
36. N. Williams, “Unique channel bindings for IPsec using IKEv2, ” IETF Draft, 2008.
37. D. J. Bernstein, “Curve25519: new Diffie-Hellman speed records, ” in Public Key Crypto. Springer, 2006, pp. 207-228.
38. R. Kusters and T. Truderung, “Using ProVerif to analyze protocols with Diffie-Hellman exponentiation, ” in CSF, 2009, pp. 157-171.
39. B. Schmidt, S. Meier, C. Cremers, and D. Basin, “Automated analysis of Diffie-Hellman protocols and advanced security properties, ” in CSF, 2012, pp. 78-94.
40. R. Gelashvili, “Attacks on re-keying and renegotiation in key exchange protocols, ” Master's thesis, ETH Zurich, 2012.
41. K. Bhargavan, C. Fournet, R. Corin, and E. Zälinescu, “Verified cryptographic implementations for TLS, ” TISSEC, vol. 15, no. 1, p. 3, 2012.
42. M. Avalle, A. Pironti, D. Pozza, and R. Sisto, “JavaSPI: A framework for security protocol implementation, ” JSSE, vol. 2, p. 34-48. 2011.
43. E. Poll and A. Schubert, “Verifying an implementation of SSH, ” in WITS, 2007, pp. 164-177.
44. A. Pironti, D. Pozza, and R. Sisto, “Formally based semi-automatic implementation of an open security protocol, ” Journal of Systems and Software, vol. 85, no. 4, pp. 835-849, 2012.
45. C. Cremers, “Key exchange in IPsec revisited: Formal analysis of IKEvl and IKEv2, ” in ESORICS, 2011, pp. 315-334.
46. K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, and P.-Y. Strub, “Implementing TLS with verified cryptographic security, ” in S&P, 2013.
47. H. Krawczyk, K. G. Paterson, and H. Wee, “On the Security of the TLS Protocol: A Systematic Analysis, ” in CRYPTO, 2013.
48. P. Morrissey, N. P. Smart, and B. Warinschi, “A modular security analysis of the TLS handshake protocol, ” in ASIACRYPT, 2008, pp. 55-73.
49. K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, and S. Z. Béguelin, “Proving the TLS handshake secure (as it is), ” in CRYPTO, 2014, pp. 235-255.
50. S. C. Williams, “Analysis of the SSH key exchange protocol, ” in Cryptography and Coding, 2011, pp. 356-374.
51. D. Cadé and B. Blanchet, “From computationally-proved protocol specifications to implementations, ” in ARES', 2012, pp. 65-74.
52. T. Groß and S. Modersheim, “Vertical protocol composition, ” in CSF, 2011, pp. 235-250.
53. S. Gajek, M. Manulis, O. Pereira, A.-R. Sadeghi, and J. Schwenk, “Universally composable security analysis of TLS, ” in Provable Security, 2008, pp. 313-327.
54. C. He, M. Sundararajan, A. Datta, A. Derek, and J. C. Mitchell, “A modular correctness proof of IEEE 802.1 li and TLS, ” in ACM CCS, 2005, pp. 2-15.