Establishing Secure Connections: A Cryptographer's Perspective and the Case of TLS 1.3
Secure connections are at the heart of today's Internet infrastructure, protecting the confidentiality, authenticity, and integrity of communications. Cryptographically, secure connections consist of two building blocks. First, a key-exchange protocol is run to establish a shared secret key between two parties over an insecure connection. Then, a secure-channel protocol uses the established key to securely transport the actual application data. In this talk, I will present some of our insights into the design and security of recent protocols for establishing secure connections, with a particular focus on the upcoming Transport Layer Security (TLS) protocol version 1.3.
In the first part, I will discuss the key-exchange component. Recent protocol designs challenge traditional security models by establishing more than one key and, moreover, using them already within the key-exchange phase. For such settings, I will introduce our multi-stage key exchange security model, an extension of the classical Bellare–Rogaway model towards protocols establishing multiple keys, which we also used to analyze Google's QUIC protocol. I will then present the results of our recent security analyses for several draft versions of TLS 1.3, covering the main (EC)DHE handshake as well as abbreviated pre-shared key/resumption and 0-RTT (zero round-trip time) handshakes.
In the second part, I will focus on the secure-channel component. While classical models for secure channels consider the transport of discrete messages, many practical protocols (including TLS, SSH, and QUIC) offer streaming interfaces and may deliver messages in an arbitrarily fragmented way. This has, in the past, led to a mismatch between the provable security guarantees for secure channels and their real-world security, enabling critical attacks on, e.g., SSH and TLS. I will present our recent study of stream-based channels and their security, addressing this deficiency. In this context, we introduce notions of confidentiality and integrity for such channels, taking the peculiarities of streams into account. Our generic construction of a stream-based channel from authenticated encryption, beyond demonstrating feasibility, matches rather well the one used in TLS and hence, as a side effect, also provides validation of that protocol's design.
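To make the stream-based view concrete, here is an added example (not code from the talk, nor from TLS or any other implementation) of a minimal channel built from an AEAD, in the spirit of the generic construction described above. It assumes AES-GCM as the authenticated-encryption scheme, a simplified record format of a 16-bit ciphertext length followed by the ciphertext (TLS uses a 5-byte header), and the TLS 1.3 style of deriving each record's nonce by XORing the record number into a static IV. The receiver treats its input as an opaque byte stream: it buffers whatever fragments arrive, decrypts a record only once it is complete, and binds the record number into the nonce so that a reordered, replayed or dropped record is rejected regardless of how the sender's bytes were split on the wire. Key and IV values are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Toy stream-based channel over an AEAD (AES-GCM), constructed for this page;
// not code from the talk or from any TLS implementation. Wire format (an
// assumption, simpler than TLS's 5-byte record header): uint16 ciphertext
// length || ciphertext. The record number is bound into the nonce, so a
// reordered, replayed or dropped record fails authentication however the
// byte stream is cut into fragments on the wire.

// Endpoint is one side of the channel: the shared key and IV, the number of
// the next record to send, the number of the next record expected, and any
// received bytes that do not yet form a complete record.
type Endpoint struct {
	aead             cipher.AEAD
	iv               [12]byte
	sendSeq, recvSeq uint64
	buf              []byte
}

// NewEndpoint derives AES-GCM from key; iv must be 12 bytes (extra are ignored).
func NewEndpoint(key, iv []byte) (*Endpoint, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	e := &Endpoint{aead: aead}
	copy(e.iv[:], iv)
	return e, nil
}

// nonce XORs the 64-bit record number, left-padded with zeros, into the static
// IV: the per-record nonce construction TLS 1.3 uses (RFC 8446, section 5.3).
func (e *Endpoint) nonce(seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], seq)
	for i := range n {
		n[i] ^= e.iv[i]
	}
	return n
}

// Send protects one plaintext chunk as one record; the caller may split or
// coalesce the returned bytes arbitrarily when writing them to the wire.
func (e *Endpoint) Send(plaintext []byte) []byte {
	ct := e.aead.Seal(nil, e.nonce(e.sendSeq), plaintext, nil)
	e.sendSeq++
	rec := make([]byte, 2, 2+len(ct))
	binary.BigEndian.PutUint16(rec, uint16(len(ct)))
	return append(rec, ct...)
}

// Recv consumes any fragment of the byte stream, buffers incomplete records,
// and returns the plaintext of every complete record it could authenticate.
// On failure it returns what was delivered before the bad record plus the
// error; a real channel would tear the connection down there, as TLS does.
func (e *Endpoint) Recv(fragment []byte) ([]byte, error) {
	e.buf = append(e.buf, fragment...)
	var out []byte
	for len(e.buf) >= 2 {
		n := int(binary.BigEndian.Uint16(e.buf))
		if len(e.buf) < 2+n {
			break // wait for the rest of this record
		}
		pt, err := e.aead.Open(nil, e.nonce(e.recvSeq), e.buf[2:2+n], nil)
		if err != nil {
			return out, fmt.Errorf("record %d failed authentication", e.recvSeq)
		}
		e.recvSeq++
		out = append(out, pt...)
		e.buf = append([]byte(nil), e.buf[2+n:]...)
	}
	return out, nil
}

func main() {
	key, iv := []byte("0123456789abcdef"), []byte("0123456789ab") // constructed demo values
	snd, _ := NewEndpoint(key, iv)
	rcv, _ := NewEndpoint(key, iv)
	stream := append(snd.Send([]byte("hello, ")), snd.Send([]byte("stream"))...)
	var got []byte
	for len(stream) > 0 { // deliver the stream in 3-byte fragments
		n := 3
		if n > len(stream) {
			n = len(stream)
		}
		pt, err := rcv.Recv(stream[:n])
		if err != nil {
			fmt.Println(err)
			return
		}
		got, stream = append(got, pt...), stream[n:]
	}
	fmt.Printf("delivered %q\n", got)
}
```

The point a message-based model misses is visible in `Recv`: the receiver never sees the sender's record boundaries, only bytes, so it must reconstruct records itself before any authenticity check can run, and its output must not depend on where the fragments were cut. Because the record counter lives inside the nonce, a record presented out of order fails `Open` even though its bytes are untouched; a real implementation would additionally enforce a record-size limit, close the connection on the first failure and use a unidirectional key per direction.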
Felix Günther is a Ph.D. candidate in Computer Science at Technische Universität Darmstadt, Germany, and a member of Prof. Marc Fischlin's group "Cryptography and Complexity Theory". His research interests are in applied cryptography and computer security, with a particular focus on provable security and interest in narrowing the gap between the theoretical understanding and practical security of real-world cryptographic systems.