KEMTLS with Delayed Forward Identity Protection in (Almost) a Single Round Trip

pp. 253-272
TL;DR
In this article, the authors propose a variant of KEMTLS tailored to the IoT and embedded settings, which leverages the fact that clients know the server public keys in advance to decrease handshake latency while protecting client identities.
Abstract
The recent KEMTLS protocol (Schwabe, Stebila and Wiggers, CCS'20) is a promising design for a quantum-safe TLS handshake protocol. Focused on the web setting, wherein clients learn server public-key certificates only during connection establishment, a drawback of KEMTLS compared to TLS 1.3 is that it introduces an additional round trip before the server can send data, and an extra one for the client as well in the case of mutual authentication. In many scenarios, including IoT and embedded settings, client devices may however have the targeted server certificate pre-loaded, so that such a performance penalty seems unnecessarily restrictive. This work proposes a variant of KEMTLS tailored to such scenarios. Our protocol leverages the fact that clients know the server public keys in advance to decrease handshake latency while protecting client identities. It combines medium-lived with long-term server public keys to enable a delayed form of forward secrecy even from the first data flow on, and full forward secrecy upon the first round trip. The new protocol is proved to achieve strong security guarantees, based on the security of the underlying building blocks, in a new model for multi-stage key exchange with medium-lived keys.
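To make the forward-secrecy distinction in the abstract concrete, here is an added sketch of a pre-distributed-key KEM handshake. It is not code from the paper: it uses a toy Diffie-Hellman KEM over a small prime (insecure, illustration only), an HKDF-style key schedule and stage labels of our own choosing, and a single pre-distributed medium-lived server key; the paper's actual key schedule, its long-term key and client authentication are omitted. The point it shows is that the first-flight key (stage 1) is recoverable by anyone who later obtains the medium-lived decapsulation key, while the key derived after the first round trip (stage 2) also depends on the client's ephemeral KEM key and is not.

```python
"""KEMTLS-PDK-style handshake sketch (added example, not the paper's code).

Toy DH-KEM over a small prime and an HKDF-like schedule, both constructed
for illustration only; labels and stage names are assumptions.
"""
import hashlib
import hmac
import secrets

# Toy DH group: Mersenne prime 2^127 - 1, generator 3. Far too small for
# real use; it only keeps the KEM self-contained.
P = (1 << 127) - 1
G = 3


def kem_keygen():
    """Return (decapsulation key, encapsulation key) for the toy DH-KEM."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def kem_encaps(pk):
    """Encapsulate to pk: ciphertext g^r, shared secret H(pk^r)."""
    r = secrets.randbelow(P - 2) + 1
    ct = pow(G, r, P)
    ss = hashlib.sha256(pow(pk, r, P).to_bytes(16, "big")).digest()
    return ct, ss


def kem_decaps(sk, ct):
    """Recover the shared secret H(ct^sk) from a ciphertext."""
    return hashlib.sha256(pow(ct, sk, P).to_bytes(16, "big")).digest()


def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length=32):
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_stage_key(shared_secrets, label, transcript):
    """Chain every shared secret seen so far into one stage key (assumed schedule)."""
    prk = b"\x00" * 32
    for ss in shared_secrets:
        prk = hkdf_extract(prk, ss)
    return hkdf_expand(prk, label + hashlib.sha256(transcript).digest())


def pdk_handshake(server_medium_pk, server_medium_sk):
    """Run both sides of the first round trip with a pre-distributed server key.

    Returns both parties' stage keys plus what an eavesdropper records.
    """
    # Client flight 1: fresh ephemeral KEM key plus a ciphertext to the
    # pre-distributed medium-lived server key.
    c_eph_sk, c_eph_pk = kem_keygen()
    ct_s, ss_s = kem_encaps(server_medium_pk)
    flight1 = c_eph_pk.to_bytes(16, "big") + ct_s.to_bytes(16, "big")
    # Stage 1 depends only on ss_s: secret only while the medium-lived key is.
    # This is the key under which first-flight client data (e.g. its
    # certificate) could already be encrypted.
    k1_client = derive_stage_key([ss_s], b"stage1", flight1)

    # Server flight 1: decapsulate, then encapsulate to the client's ephemeral key.
    ss_s_srv = kem_decaps(server_medium_sk, ct_s)
    k1_server = derive_stage_key([ss_s_srv], b"stage1", flight1)
    ct_e, ss_e = kem_encaps(c_eph_pk)
    transcript = flight1 + ct_e.to_bytes(16, "big")
    # Stage 2 also mixes in ss_e, whose decapsulation key lives only in the
    # client's memory for this handshake: full forward secrecy from here on.
    k2_server = derive_stage_key([ss_s_srv, ss_e], b"stage2", transcript)

    # Client completes the round trip.
    ss_e_cli = kem_decaps(c_eph_sk, ct_e)
    k2_client = derive_stage_key([ss_s, ss_e_cli], b"stage2", transcript)

    return {
        "k1_client": k1_client, "k1_server": k1_server,
        "k2_client": k2_client, "k2_server": k2_server,
        "wire": {"flight1": flight1, "ct_s": ct_s, "ct_e": ct_e},
    }


def attacker_with_medium_key(server_medium_sk, wire):
    """Keys an eavesdropper recovers after later compromise of the medium-lived key.

    Stage 1 follows from the recorded ct_s; stage 2 would need the client's
    ephemeral decapsulation key, which never crosses the wire, so it is None.
    """
    ss_s = kem_decaps(server_medium_sk, wire["ct_s"])
    return derive_stage_key([ss_s], b"stage1", wire["flight1"]), None


if __name__ == "__main__":
    med_sk, med_pk = kem_keygen()
    run = pdk_handshake(med_pk, med_sk)
    k1, k2 = attacker_with_medium_key(med_sk, run["wire"])
    print("stage 1 exposed by medium-key compromise:", k1 == run["k1_client"])
    print("stage 2 exposed by medium-key compromise:", k2 == run["k2_client"])
```

The "delayed" in the title is the gap between those two lines of output: first-flight data stays confidential only for the lifetime of the medium-lived key, which is why the paper bounds that lifetime rather than relying on a single long-term key for the first flow.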


Citations

A tale of two models: formal verification of KEMTLS via Tamarin

TL;DR: In this article, the authors present computer-verified symbolic analyses of KEMTLS and KEMTLS-PDK using two distinct Tamarin models, one based on the detailed Tamarin model of TLS 1.3 and the other based on a multi-stage key exchange security model from prior pen-and-paper proofs.
References

Entity authentication and key distribution

TL;DR: This work provides the first formal treatment of entity authentication and authenticated key distribution appropriate to the distributed environment and presents a definition, protocol, and proof that the protocol meets its goal, assuming only the existence of a pseudorandom function.

Keying Hash Functions for Message Authentication

TL;DR: Two new, simple, and practical constructions of message authentication schemes based on a cryptographic hash function, NMAC and HMAC, are proven to be secure as long as the underlying hash function has some reasonable cryptographic strengths.

The Transport Layer Security (TLS) Protocol Version 1.3

Eric Rescorla
TL;DR: This document specifies version 1.3 of the Transport Layer Security (TLS) protocol, which allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.

Key-Privacy in Public-Key Encryption

TL;DR: It is proved that the El Gamal scheme provides anonymity under chosen-plaintext attack assuming the Decision Diffie-Hellman problem is hard, and that the Cramer-Shoup scheme provides anonymity under chosen-ciphertext attack under the same assumption.

SIGMA: The 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE Protocols

TL;DR: The SIGMA family of key exchange protocols provides perfect forward secrecy via a Diffie-Hellman exchange authenticated with digital signatures, and is specifically designed to ensure sound cryptographic key exchange while providing a variety of features and trade-offs required in practical scenarios.