
Showing papers on "Handshake published in 2020"


Proceedings ArticleDOI
18 May 2020
TL;DR: This paper systematically evaluates Dragonfly's security, presents timing leaks and authentication bypasses in EAP-pwd and WPA3 daemons, discusses backwards-compatible defenses, and proposes protocol fixes that prevent the attacks.
Abstract: The WPA3 certification aims to secure home networks, while EAP-pwd is used by certain enterprise Wi-Fi networks to authenticate users. Both use the Dragonfly handshake to provide forward secrecy and resistance to dictionary attacks. In this paper, we systematically evaluate Dragonfly’s security. First, we audit implementations, and present timing leaks and authentication bypasses in EAP-pwd and WPA3 daemons. We then study Dragonfly’s design and discuss downgrade and denial-of-service attacks. Our next and main results are side-channel attacks against Dragonfly’s password encoding method (e.g. hash-to-curve). We believe that these side-channel leaks are inherent to Dragonfly. For example, after our initial disclosure, patched software was still affected by a novel side-channel leak. We also analyze the complexity of using the leaked information to brute-force the password. For instance, brute-forcing a dictionary of size 10^10 requires less than $1 in Amazon EC2 instances. These results are also of general interest due to ongoing standardization efforts on Dragonfly as a TLS handshake, Password-Authenticated Key Exchanges (PAKEs), and hash-to-curve. Finally, we discuss backwards-compatible defenses, and propose protocol fixes that prevent attacks. Our work resulted in a new draft of the protocols incorporating our proposed design changes.

93 citations
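The timing leak the abstract above refers to comes from Dragonfly's "hunting and pecking" password encoding: the loop that turns the password into a curve point runs a password-dependent number of times before it finds a usable x coordinate. The example below is added here to show that structure; it is not code from the paper or from any WPA3/EAP-pwd daemon. The toy curve y^2 = x^3 + 7 over a 31-bit prime, the HMAC-based derivation of candidate x values, the constructed MAC addresses and the bound K_MAX are all assumptions chosen to keep it short, and Python's big-integer arithmetic is not constant time, so the second variant only shows the control-flow fix (a fixed iteration count) and not a full constant-time implementation.

```python
import hashlib
import hmac

# Toy curve y^2 = x^3 + B over GF(P), a stand-in for the NIST curves WPA3 uses (assumption).
P = 2**31 - 1
B = 7
K_MAX = 40  # upper bound on hunting-and-pecking iterations (assumed value)


def is_quadratic_residue(v: int) -> bool:
    """Euler's criterion: a non-zero v is a square mod P iff v^((P-1)/2) == 1."""
    return v != 0 and pow(v, (P - 1) // 2, P) == 1


def candidate_x(password: bytes, macs: bytes, counter: int) -> int:
    """Simplified Dragonfly seed/KDF step: x = KDF(H(macs, password || counter)) mod P."""
    seed = hmac.new(macs, password + bytes([counter]), hashlib.sha256).digest()
    kdf = hmac.new(seed, b"Dragonfly toy PWE", hashlib.sha256).digest()
    return int.from_bytes(kdf, "big") % P


def leaky_pwe(password: bytes, macs: bytes):
    """Variable-time variant: returns at the first x for which x^3 + B is a square.
    The iteration count, and therefore the run time, depends on the password."""
    for counter in range(1, K_MAX + 1):
        x = candidate_x(password, macs, counter)
        if is_quadratic_residue((x**3 + B) % P):
            return x, counter
    return None, K_MAX


def fixed_iteration_pwe(password: bytes, macs: bytes):
    """Fixed-iteration variant: always runs K_MAX rounds and keeps the first hit with
    arithmetic selects, so the loop count no longer depends on the password."""
    found = 0
    x_found = 0
    for counter in range(1, K_MAX + 1):
        x = candidate_x(password, macs, counter)
        ok = int(is_quadratic_residue((x**3 + B) % P))
        take = ok & (1 - found)            # 1 only for the first successful round
        x_found = take * x + (1 - take) * x_found
        found |= ok
    return (x_found if found else None), K_MAX


# Constructed sample input: supplicant and AP MAC addresses concatenated.
MACS = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")

if __name__ == "__main__":
    for pw in (b"correct horse", b"battery staple", b"hunter2"):
        x, rounds = leaky_pwe(pw, MACS)
        print(f"{pw!r}: first usable x found in iteration {rounds}")
        assert fixed_iteration_pwe(pw, MACS)[0] == x
```

Running the leaky variant over a dictionary shows the iteration count scattering between passwords, which is exactly the signal a remote timing measurement recovers. The fixed-iteration variant is the kind of backwards-compatible defense the abstract mentions; the paper's main point is that the remaining per-iteration steps (the quadratic-residue test and the rejection of out-of-range candidates) still leak, which this block does not address.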


Proceedings ArticleDOI
21 Mar 2020
TL;DR: This paper proposes a multi-stage handshake communication mechanism where the neural network can learn to compress relevant information needed for each stage, and shows that for the semantic segmentation task, the handshake communication method significantly improves accuracy by approximately 20% over decentralized baselines, and is comparable to centralized ones using a quarter of the bandwidth.
Abstract: In this paper, we propose the problem of collaborative perception, where robots can combine their local observations with those of neighboring agents in a learnable way to improve accuracy on a perception task. Unlike existing work in robotics and multi-agent reinforcement learning, we formulate the problem as one where learned information must be shared across a set of agents in a bandwidth-sensitive manner to optimize for scene understanding tasks such as semantic segmentation. Inspired by networking communication protocols, we propose a multi-stage handshake communication mechanism where the neural network can learn to compress relevant information needed for each stage. Specifically, a target agent with degraded sensor data sends a compressed request, the other agents respond with matching scores, and the target agent determines who to connect with (i.e., receive information from). We additionally develop the AirSim-CP dataset and metrics based on the AirSim simulator where a group of aerial robots perceive diverse landscapes, such as roads, grasslands, buildings, etc. We show that for the semantic segmentation task, our handshake communication method significantly improves accuracy by approximately 20% over decentralized baselines, and is comparable to centralized ones using a quarter of the bandwidth.

59 citations


Journal ArticleDOI
TL;DR: A novel fuzzing algorithm is introduced for generating large and diverse corpuses of mostly-valid TLS handshake messages and is seen as the first step towards fully interactive differential testing of black-box TLS protocol implementations.
Abstract: The Transport Layer Security (TLS) protocol is one of the most widely used security protocols on the internet. Yet implementations of TLS keep suffering from bugs and security vulnerabilities. In large part this is due to the protocol's complexity, which makes implementing and testing TLS notoriously difficult. In this paper, we present our work on using differential testing as an effective means to detect issues in black-box implementations of the TLS handshake protocol. We introduce a novel fuzzing algorithm for generating large and diverse corpuses of mostly-valid TLS handshake messages. Stimulating TLS servers while they expect a ClientHello message, we find that messages generated with our algorithm induce more response discrepancies and achieve higher code coverage than those generated with American Fuzzy Lop, TLS-Attacker, or NEZHA. In particular, we apply our approach to OpenSSL, BoringSSL, WolfSSL, mbedTLS, and MatrixSSL, and find several real implementation bugs, among them a serious vulnerability in MatrixSSL 3.8.4. Our findings also point to imprecision in the TLS specification. We see the approach presented in this paper as the first step towards fully interactive differential testing of black-box TLS protocol implementations. Our software tools are publicly available as open source projects.

21 citations


Proceedings Article
01 Aug 2020
TL;DR: The model is the first that is detailed enough to detect the KRACK attacks; it includes mechanisms such as the four-way handshake, the group-key handshake, WNM sleep mode, the data-confidentiality protocol, and their complex interactions.
Abstract: The IEEE 802.11 WPA2 protocol is widely used across the globe to protect network connections. The protocol, which is specified on more than three-thousand pages and has received various patches over the years, is extremely complex and therefore hard to analyze. In particular, it involves various mechanisms that interact with each other in subtle ways, which offers little hope for modular reasoning. Perhaps because of this, there exists no formal or cryptographic argument that shows that the patches to the core protocol indeed prevent the corresponding attacks, such as, e.g., the notorious KRACK attacks from 2017. In this work, we address this situation and present an extensive formal analysis of the WPA2 protocol design. Our model is the first that is detailed enough to detect the KRACK attacks; it includes mechanisms such as the four-way handshake, the group-key handshake, WNM sleep mode, the data-confidentiality protocol, and their complex interactions. Our analysis provides the first security argument, in any formalism, that the patched WPA2 protocol meets its claimed security guarantees in the face of complex modern attacks.

19 citations


Journal ArticleDOI
TL;DR: This article proposes an adaptive high-throughput multichannel medium access control (MAC) protocol, namely, AHT-MAC, which can effectively handle the data transmissions over SCHs and can reduce the resource wastage due to handshake failures and extra overheads for retransmission requests.
Abstract: The IEEE 802.11p standard, operating over the 75-MHz spectrum at the 5.9-GHz band with one control channel (CCH) and six service channels (SCHs), has been poised to provide V2X services over vehicular ad hoc networks (VANETs). However, due to the absence of a central coordinator and the high vehicular mobility, it is difficult to achieve reliable multichannel coordination and adaptive resource reservation to make full use of SCHs, resulting in dramatic throughput degradation. To mitigate this, in this article, we propose an adaptive high-throughput multichannel medium access control (MAC) protocol, namely, AHT-MAC, which can effectively handle the data transmissions over SCHs. With AHT-MAC, the data transmission range (TR) is adjusted according to the beacon TR over the CCH so that a transmitting node can determine proper communication candidates and prepare available resources for both communicating nodes before transmission. Moreover, the communication coordination is done through a two-way handshake. During the handshake, adaptive resource reservation is realized following the proposed resource sharing mechanism, where nodes first utilize as much resource as possible and then share it with others proactively. To increase the success probability of the communication handshake, a request conflict resolution mechanism is also designed to nullify improper handshakes. Therefore, AHT-MAC can reduce the resource wastage due to handshake failures and the extra overhead of retransmission requests. Our performance analysis shows that AHT-MAC can significantly improve the system throughput and reduce the channel access period.

14 citations


Journal ArticleDOI
TL;DR: A simplified handshake protocol of DTLS (DTLShps) is proposed to reduce the computational overhead of the IoT devices for a general scenario of end-to-end communications based on software-defined networking (SDN).
Abstract: The Datagram Transport Layer Security (DTLS) protocol is widely used in the Internet of Things (IoT) to provide security services. Its computational overhead makes it hard to implement DTLS on resource-constrained IoT devices. The two most costly computations in the DTLS handshake are the Diffie–Hellman (DH) key exchange and the certificate verification. A simplified handshake protocol for DTLS (DTLShps) is proposed to reduce the computational overhead on IoT devices for a general end-to-end communication scenario based on software-defined networking (SDN). First, a controller is used to generate a symmetric key dynamically, then encrypt and distribute this key to the two communicating IoT devices. Second, certificate verification is shifted from the IoT device to the more powerful controller. Third, the controller replaces the DTLS server in the cookie exchange with the DTLS client. Furthermore, BAN logic and the tool Scyther are used to validate the security of the scheme. The performance evaluation shows that not only are the computational overhead and energy consumption of the IoT devices effectively decreased, but the overall duration of the whole handshake is also reduced.

11 citations


Proceedings ArticleDOI
01 Aug 2020
TL;DR: This paper models the QUIC handshake protocol in the applied pi calculus and performs a comprehensive formal analysis using ProVerif; to the authors' knowledge it is the first thorough formal analysis of the QUIC handshake protocol.
Abstract: This paper presents a formal analysis of the QUIC protocol. This newly proposed protocol is currently under the process of standardization, and it is still unknown whether the proposed protocol provides the claimed security guarantees. To fill this gap, we model the QUIC handshake protocol in the applied pi calculus and perform a comprehensive formal analysis using ProVerif. To the best of our knowledge, this is the first thorough study on the formal analysis of QUIC handshake protocol.

10 citations


Proceedings ArticleDOI
20 Apr 2020
TL;DR: This paper trains a machine learning model on TLS handshake parameters to identify the operating system of the client device and compares its results to well-known identification methods and shows that precise operating system identification can be achieved in encrypted traffic of mobile devices and notebooks connected to the wireless network.
Abstract: Asset identification plays a vital role in situational awareness building. However, the current trends in communication encryption and the emerging new protocols turn the well-known methods into a decline as they lose the necessary data to work correctly. In this paper, we examine the traffic patterns of the TLS protocol and its changes introduced in version 1.3. We train a machine learning model on TLS handshake parameters to identify the operating system of the client device and compare its results to well-known identification methods. We test the proposed method in a large wireless network. Our results show that precise operating system identification can be achieved in encrypted traffic of mobile devices and notebooks connected to the wireless network.

10 citations
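Both the differential-testing paper above (corpora of mostly-valid ClientHello messages) and the OS-identification paper (a classifier over TLS handshake parameters) start from the same artifact: the ClientHello as it appears on the wire. The block below is an added example, not code from either paper; it serialises a ClientHello with correct lengths (the starting point a structure-aware fuzzer mutates), parses one back while rejecting length inconsistencies, and reduces the parsed fields to a JA3-style feature string (version, cipher suites, extension types, supported groups, point formats, with GREASE values dropped) of the kind used as classifier input. The sample message, its host name and its cipher and group lists are constructed for the example.

```python
import hashlib
import struct

# Extension type numbers from the IANA TLS registry.
EXT_SNI, EXT_GROUPS, EXT_EC_FORMATS, EXT_VERSIONS = 0x0000, 0x000A, 0x000B, 0x002B


def sni_ext(host: str) -> bytes:
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name (0)
    return struct.pack("!H", len(entry)) + entry


def u16_list_ext(values) -> bytes:
    body = b"".join(struct.pack("!H", v) for v in values)
    return struct.pack("!H", len(body)) + body


def build_client_hello(version, ciphers, extensions, session_id=b"", random_bytes=b"\x00" * 32) -> bytes:
    """Serialise a ClientHello inside a TLS record. All lengths are computed, so the
    result is a mostly-valid message that a fuzzer can mutate field by field."""
    body = struct.pack("!H", version) + random_bytes
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                            # one compression method: null
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes):
    """Return (version, cipher suites, [(ext_type, ext_data)]), raising ValueError on
    any length field that does not match the bytes actually present."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a handshake record")
        (rec_len,) = struct.unpack_from("!H", record, 3)
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != 0x01:
            raise ValueError("truncated record or not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("handshake length mismatch")
        pos = 0
        (version,) = struct.unpack_from("!H", body, pos); pos += 2 + 32   # version + random
        pos += 1 + body[pos]                                                # session id
        (cs_len,) = struct.unpack_from("!H", body, pos); pos += 2
        if cs_len % 2:
            raise ValueError("odd cipher_suites length")
        ciphers = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                                                # compression methods
        (ext_len,) = struct.unpack_from("!H", body, pos); pos += 2
        end = pos + ext_len
        if end != len(body):
            raise ValueError("extensions length mismatch")
        exts = []
        while pos < end:
            t, l = struct.unpack_from("!HH", body, pos); pos += 4
            if pos + l > end:
                raise ValueError("extension overruns extensions block")
            exts.append((t, body[pos:pos + l])); pos += l
        return version, ciphers, exts
    except (struct.error, IndexError) as e:
        raise ValueError(f"malformed ClientHello: {e}") from None


def is_grease(v: int) -> bool:
    return (v & 0x0F0F) == 0x0A0A


def ja3_string(record: bytes) -> str:
    """JA3-style string: version,ciphers,extensions,groups,point_formats (decimal,
    '-' separated), GREASE values removed as JA3 does."""
    version, ciphers, exts = parse_client_hello(record)
    groups, formats = [], []
    for t, d in exts:
        if t == EXT_GROUPS:
            (n,) = struct.unpack_from("!H", d, 0)
            groups = [struct.unpack_from("!H", d, 2 + i)[0] for i in range(0, n, 2)]
        elif t == EXT_EC_FORMATS:
            formats = list(d[1:1 + d[0]])
    return ",".join([
        str(version),
        "-".join(str(c) for c in ciphers if not is_grease(c)),
        "-".join(str(t) for t, _ in exts if not is_grease(t)),
        "-".join(str(g) for g in groups if not is_grease(g)),
        "-".join(str(f) for f in formats),
    ])


def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


# Constructed sample: TLS 1.3-capable ClientHello with one GREASE cipher and one GREASE group.
SAMPLE = build_client_hello(
    0x0303,
    [0x2A2A, 0x1301, 0x1302, 0xC02B],
    [
        (EXT_SNI, sni_ext("example.com")),
        (EXT_GROUPS, u16_list_ext([0x0A0A, 0x001D, 0x0017])),
        (EXT_EC_FORMATS, b"\x01\x00"),
        (EXT_VERSIONS, b"\x04\x03\x04\x03\x03"),
    ],
)

if __name__ == "__main__":
    print(ja3_string(SAMPLE), ja3_hash(SAMPLE))
```

For fingerprinting, the string (not only its hash) is what a classifier should consume, since the ordering of cipher suites and extensions is most of the signal; for differential testing, the same builder is what a mutator perturbs (an off-by-one in an extension length, a duplicated extension) before the message is sent to each server under test and the responses are compared.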


DOI
20 Aug 2020
TL;DR: This thesis presents the first 0-RTT session resumption protocol that indeed achieves forward security for all messages and shows that the protocol can be incorporated into the recently standardized TLS 1.3 handshake without modifications to client-side implementations.
Abstract: If two parties want to communicate over an insecure channel, they typically execute an interactive cryptographic handshake to establish a shared secret, before any application data is sent. In contrast, zero round-trip time (0-RTT) protocols allow a sender to immediately send encrypted application data (0-RTT data) to a receiver without executing an interactive handshake. One of the major challenges when designing 0-RTT protocols is to guarantee forward security for the 0-RTT data. Forward security ensures that compromise of a communicating party does not impact security of past communications. However, the lack of interactivity in 0-RTT protocols renders it difficult to achieve forward security for the 0-RTT data. Only recently, novel techniques to overcome this challenge have been discovered. This thesis investigates design approaches to 0-RTT protocols and proposes new constructions of 0-RTT protocols with forward security for all sent data. This thesis starts with a discussion of the concept of forward security in non-interactive settings. Traditionally, forward security can be achieved if communication partners interactively agree on fresh secrets. However, this view limits the understanding of what forward security should mean in a non-interactive setting. Hence, we propose new terminology for a unified treatment of forward security, capturing both interactive and non-interactive communication settings. The remainder of this thesis can be split into two parts. The first part focuses on the design of 0-RTT key exchange protocols. We investigate how to build 0-RTT key exchange protocols from Bloom filter key encapsulation mechanisms, and describe the first mechanism with constant-size ciphertexts. We then use this scheme to construct the first multi-hop 0-RTT protocol for efficient connection establishment in the context of anonymous communications. The second part of this thesis focuses on 0-RTT session resumption protocols. Session resumption protocols require an already established secret shared between sender and recipient. This secret can then be used to re-establish a secure connection. Despite prior belief, we present the first 0-RTT session resumption protocol that indeed achieves forward security for all messages. In contrast to existing 0-RTT key exchange protocols, our 0-RTT session resumption protocol is highly efficient as it only relies on symmetric primitives. We show that our protocol can be incorporated into the recently standardized TLS 1.3 handshake without modifications to client-side implementations. This means that our protocol is immediately deployable by content providers without requiring changes to the standard.

9 citations


Journal ArticleDOI
TL;DR: In addition to its mounting health and financial consequences, the current COVID-19 crisis may also fundamentally alter one of the most common human gestures: the handshake.
Abstract: In addition to its mounting health and financial consequences, the current COVID-19 crisis may also fundamentally alter one of the most common human gestures: the handshake. US president Donald Tr

8 citations


Journal ArticleDOI
TL;DR: A new middlebox-enhanced TLS (ME-TLS) is designed and implemented, which enables endpoints to introduce authenticated middleboxes into a TLS session while controlling the middleboxes' access permissions and the order in which they process traffic data.
Abstract: In-network middleboxes are vital for the security of Internet-of-Things (IoT) systems, but the widely adopted transport layer security (TLS) protocol blinds application-level middleboxes because traffic data is encrypted. To resolve this problem, many solutions have been proposed to date. Among them, SplitTLS is widely adopted in the industry by proxy manufacturers. It requires the TLS client to install customized root certificates and incurs additional security flaws, e.g., disabling server authentication and using weak cipher suites. Another approach is to customize the TLS protocol so that middleboxes are enabled either by performing the handshake directly with the TLS endpoints or by receiving session key material out of band. Overall, current solutions either jeopardize the original TLS handshake procedure or incur additional overhead on the endpoints. In this article, we design a new middlebox-enhanced TLS (ME-TLS), which enables endpoints to introduce authenticated middleboxes into a TLS session while controlling the middleboxes' access permissions and the order in which they process traffic data. In particular, in ME-TLS the handshake structure of TLS remains unchanged and middleboxes work in a passive manner. That is, middleboxes in ME-TLS recover session key material by passively monitoring handshake messages instead of interacting with the endpoints; secondary secure channels for key transmission are not needed either. We implement ME-TLS on top of the TLS 1.3 protocol and evaluate its performance. The experimental results demonstrate that our proposal is practical and deployable for real-world IoT scenarios.

Journal ArticleDOI
TL;DR: In a naturalistic experiment, the effect of temporal violations of the expected length of a handshake, administered unobtrusively, was monitored; participants reacted behaviorally to these temporal manipulations, with relevant implications for interactions in interview, business, educational, and social settings and for assisting patients with social skills difficulties.
Abstract: Although detailed descriptions of proper handshakes partly comprise many etiquette books, how a normal handshake can be described, its proper duration, and the consequences of violating handshake e...

Journal ArticleDOI
01 Apr 2020
TL;DR: This paper investigates TFO deployment on popular websites and browsers and introduces a novel protocol called TCP Fast Open Privacy (FOP), which prevents tracking by network attackers and impedes third-party tracking while still allowing 0-RTT handshakes as in TFO.
Abstract: Small TCP flows make up the majority of web flows. For them, the TCP three-way handshake induces significant delay overhead. The TCP Fast Open (TFO) protocol can significantly decrease this delay via zero round-trip time (0-RTT) handshakes for all TCP handshakes that follow a full initial handshake to the same host. However, this comes at the cost of privacy limitations and also has some performance limitations. In this paper, we investigate TFO deployment on popular websites and browsers. We found that a client revisiting a web site for the first time fails to use an abbreviated TFO handshake in 40% of all cases due to web server load-balancing using multiple IP addresses. Our analysis further reveals significant privacy problems in the protocol design and implementation. Network-based attackers and online trackers can exploit TFO to track the online activities of users. As a countermeasure, we introduce a novel protocol called TCP Fast Open Privacy (FOP). TCP FOP prevents tracking by network attackers and impedes third-party tracking, while still allowing 0-RTT handshakes as in TFO. As a proof-of-concept, we have implemented the proposed protocol for the Linux kernel and a TLS library. Our measurements indicate that TCP FOP outperforms TLS over TFO when websites are served from multiple IP addresses.
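The two findings in the abstract above (a cookie bound to one server IP fails to help when load balancing hands out another IP, and the cookie itself is a stable identifier that a passive observer can link across connections) follow directly from how a TFO client caches cookies. The block below is an added simulation, not the paper's code or the Linux implementation: it models the server's keyed derivation of a cookie from the client address (a real server uses a keyed function of the address under a server secret; HMAC is assumed here), the client's per-server-IP cookie cache, and an on-path observer that groups SYNs by the cookie they carry. Addresses, secrets and the visit sequence are constructed for the example.

```python
import hashlib
import hmac


class TfoServer:
    """One server IP with its own cookie secret. The cookie is a keyed function of the
    client address, so the same client always receives the same cookie from this server
    (HMAC stands in for the kernel's derivation; assumption)."""

    def __init__(self, ip: str, secret: bytes):
        self.ip, self.secret = ip, secret

    def cookie_for(self, client_ip: str) -> bytes:
        return hmac.new(self.secret, client_ip.encode(), hashlib.sha256).digest()[:8]


class TfoClient:
    """Caches one cookie per server IP, as a TFO client does."""

    def __init__(self, ip: str):
        self.ip = ip
        self.cookie_cache = {}          # server IP -> cookie

    def connect(self, server: TfoServer) -> dict:
        """Returns what a passive observer sees in the SYN: destination, the cookie
        carried (if any) and whether application data rode along in the SYN (0-RTT)."""
        cookie = self.cookie_cache.get(server.ip)
        if cookie is None:
            # First visit to this IP: ordinary 3-way handshake; cookie requested and cached.
            self.cookie_cache[server.ip] = server.cookie_for(self.ip)
            return {"dst": server.ip, "cookie": None, "zero_rtt": False}
        return {"dst": server.ip, "cookie": cookie, "zero_rtt": True}


def link_by_cookie(observed_syns) -> dict:
    """Passive on-path observer: SYNs carrying the same cookie come from the same client
    cache, so they can be linked across connections regardless of any higher-layer privacy."""
    groups = {}
    for syn in observed_syns:
        if syn["cookie"] is not None:
            groups.setdefault(syn["cookie"].hex(), []).append(syn["dst"])
    return groups


def revisit_scenario():
    """Constructed scenario: one site served from two IPs, one client making four visits."""
    site_a = TfoServer("203.0.113.10", b"server-a-secret")
    site_b = TfoServer("203.0.113.11", b"server-b-secret")
    client = TfoClient("198.51.100.7")
    return [
        client.connect(site_a),   # first visit: full handshake, cookie obtained
        client.connect(site_a),   # revisit, same IP: 0-RTT, cookie visible on the wire
        client.connect(site_b),   # revisit, DNS returned the other IP: no cookie, full handshake
        client.connect(site_a),   # back on the first IP: the same cookie again
    ]


if __name__ == "__main__":
    syns = revisit_scenario()
    for s in syns:
        print(s["dst"], "0-RTT" if s["zero_rtt"] else "full handshake")
    print(link_by_cookie(syns))
```

The third visit is the load-balancing failure the paper measured: the cookie is per server IP, not per site. The observer's grouping is the tracking problem: the cookie value is constant for the client until the cache is cleared, so it links the second and fourth connections even though nothing else in the SYN does.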

Proceedings ArticleDOI
01 Oct 2020
TL;DR: The authors design and implement a practical attestation system that allows the service provider to offer a seamless attestation service between hosted applications and end clients, with improved performance compared to a standard TLS handshake.
Abstract: The number of applications and services hosted on cloud platforms is constantly increasing. Nowadays, more and more applications are hosted as services on cloud platforms, co-existing with other services in a mutually untrusted environment. Facilities such as virtual machines, containers and encrypted communication channels aim to offer isolation between the various applications and to protect sensitive user data. However, such techniques are not always able to provide a secure execution environment for sensitive applications, nor do they offer guarantees that data are not monitored by an honest-but-curious provider once they reach the cloud infrastructure. Recent advances in trusted execution environments within commodity processors, such as Intel SGX, provide a secure reverse sandbox, where code and data are isolated even from the underlying operating system. Moreover, Intel SGX provides a remote attestation mechanism, allowing the communicating parties to verify their identity as well as prove that code is executed in hardware-assisted software enclaves. Many approaches try to ensure code and data integrity, as well as enforce channel encryption schemes such as TLS; however, these techniques are either not enough to achieve complete isolation and secure communications without hardware assistance, or not efficient in terms of performance. In this work, we design and implement a practical attestation system that allows the service provider to offer a seamless attestation service between the hosted applications and the end clients. Furthermore, we implement a novel caching system that is capable of eliminating the latencies introduced by the remote attestation process. Our approach allows the parties to attest one another before each communication attempt, with improved performance compared to a standard TLS handshake.

Proceedings ArticleDOI
23 Mar 2020
TL;DR: In this paper, an initial Turing-like test for the hardware interface to future AI agents is proposed to test the human-likeness of a robot handshake and evaluated on an android robot's hand to determine if it can pass for a human hand.
Abstract: Handshakes are fundamental and common greeting and parting gestures among humans. They are important in shaping first impressions as people tend to associate character traits with a person's handshake. To widen the social acceptability of robots and make a lasting first impression, a good handshaking ability is an important skill for social robots. Therefore, to test the human-likeness of a robot handshake, we propose an initial Turing-like test, primarily for the hardware interface to future AI agents. We evaluate the test on an android robot's hand to determine if it can pass for a human hand. This is an important aspect of Turing tests for motor intelligence where humans have to interact with a physical device rather than a virtual one. We also propose some modifications to the definition of a Turing test for such scenarios taking into account that a human needs to interact with a physical medium.

Proceedings ArticleDOI
20 Apr 2020
TL;DR: This work proposes to use an unconventional hardware security primitive, Physically Unclonable Functions (PUFs), to nullify the impact of the KRACK attack by ensuring mutual authentication between authenticators and supplicants before communication is established.
Abstract: A digital communication network is typically the backbone of the world wide web and web-based applications. Security protocols, specifically in wireless networks, have undergone several rounds of modifications and upgrades in order to protect supplicants (clients) and authenticators (access points) from attackers who are either physically present in the wireless coverage area or connected through a wired network to the wireless clients. The latest security protocol in the series is WPA2 (Wi-Fi Protected Access II), which has been implemented in most Wi-Fi stations (clients or access points) used in traditional wireless networking as well as in recent IoT and CPS devices. Recently a severe replay attack named Key Reinstallation AttaCK (KRACK) has shown that the handshake in the WPA2 protocol suite can be compromised, forcing stations to reuse an old set of initialization vectors (IVs). In this work, we propose to use an unconventional hardware security primitive named Physically Unclonable Functions (PUFs) to nullify the impact of the KRACK attack by ensuring mutual authentication between the authenticators and the supplicants before communication is established. In this demo, we show i) how the hardware-intrinsic properties of a device can be leveraged to embed a PUF instance in each device, ii) a working prototype of a PUF-based authentication protocol using a Z-Turn board integrating a dual-core ARM Cortex-A9 processor and an Artix-7 FPGA, and iii) how this protocol can be integrated with the existing handshake protocol in Wi-Fi networks to resist KRACK attacks.

Journal ArticleDOI
Anika Seemann
28 May 2020
TL;DR: In this paper, the authors examine the recent introduction of a mandatory handshake in Danish naturalisation procedures from the perspectives of racism and race discrimination, using Critical Race Theory (CRT) to uncover racist underpinnings and effects of the handshake requirement.
Abstract: This article examines the recent introduction of a mandatory handshake in Danish naturalisation procedures from the perspectives of ‘racism’ and ‘race discrimination’. Drawing upon Critical Race Theory, it employs a discursive, deconstructive and contextual analysis to uncover the racist underpinnings and effects of the handshake requirement. The article is divided into two main parts. Part I demonstrates why the handshake requirement needs to be understood as racism. The analysis focuses on three aspects of the handshake requirement: 1) the ‘racializing narratives’ drawn upon in the legislative process; 2) the motivations behind the legislation; and 3) the ways in which the handshake requirement manifests as racism in society. Part II assesses the relevance of this finding from the perspective of anti-discrimination law. It examines the discriminatory nature of the handshake, before discussing some of the shortcomings of current international and European law in relation to race discrimination. The article closes by discussing the importance of developing a more ‘race-aware’ approach to the law in European legal scholarship.

Journal ArticleDOI
TL;DR: A new construction for linkable secret handshake is introduced that allows authenticated users to perform handshakes anonymously up to an allowed number of times, and it is proved to achieve session key security, anonymity, untraceability and linkable affiliation-hiding.
Abstract: In this paper, we introduce a new construction for linkable secret handshake that allows authenticated users to perform handshakes anonymously up to an allowed number of times. We define formal security models for the new construction, and prove that it achieves session key security, anonymity, untraceability and linkable affiliation-hiding. In particular, the proposed construction ensures that (i) anyone can trace the real identities of dishonest users who perform handshakes more than k times; and (ii) an optimal communication cost between authorized users is achieved by exploiting proofs of knowledge.

Book ChapterDOI
17 Sep 2020
TL;DR: It is demonstrated how to use Tamarin to automatically test the adequacy of a set of security properties against attacks, and that the suggested mitigations make 802.11 secure against these attacks.
Abstract: The IEEE 802.11 standard defines a 4-way handshake between a supplicant and an authenticator for secure communication. Many attacks such as KRACK, cipher downgrades, and key recovery attacks have been recently discovered against it. These attacks raise the question as to whether the implementation violates one of the required security properties or whether the security properties are insufficient. To the best of our knowledge, this is the first work that shows how to answer this question using formal methods. We model and analyse a variety of these attacks using the Tamarin prover against the security properties mandated by the standard for the 4-way handshake. This lets us see which security properties are violated. We find that our Tamarin models vulnerable to the KRACK attacks do not violate any of the standard’s security properties, indicating that the properties, as specified by the standard, are insufficient. We propose an additional security property and show that it is violated by systems vulnerable to KRACK attacks, and that enforcing this property is successful in stopping them. We demonstrate how to use Tamarin to automatically test the adequacy of a set of security properties against attacks, and that the suggested mitigations make 802.11 secure against these attacks.
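The property that the Tamarin paper above adds to the standard's list, and that the WPA2 model and the PUF demo earlier on this page also revolve around, is that a key reinstallation must not reset the packet number, because a reset nonce turns CCMP into a two-time pad. The block below is an added example, not code from any of these papers or from a Wi-Fi stack: it reduces the supplicant to key installation plus a packet counter, replays message 3 of the 4-way handshake between two data frames, and checks whether an eavesdropper can XOR the two ciphertexts into the XOR of the plaintexts. The HMAC-based CTR keystream stands in for AES-CCMP, and the PTK, frame contents and the "ignore a retransmission of an already-installed key" check are assumptions made for the example.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-mode keystream from HMAC-SHA256 (stand-in for AES-CCMP; assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


class Supplicant:
    """Client side of the 4-way handshake, reduced to key installation and the per-key
    packet number (PN) that becomes the CCMP nonce."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.pn = 0

    def on_msg3(self, ptk: bytes) -> bool:
        """Message 3 triggers installation of the negotiated PTK. The AP retransmits it if
        message 4 is lost; the vulnerable behaviour reinstalls the key and resets the PN."""
        if self.patched and ptk == self.ptk:
            return False            # key already installed: do not reinstall (the fix)
        self.ptk = ptk
        self.pn = 0                 # fresh key -> fresh nonce space; reinstall -> nonce reuse
        return True

    def send(self, plaintext: bytes):
        self.pn += 1
        nonce = self.pn.to_bytes(6, "big")
        return nonce, encrypt(self.ptk, nonce, plaintext)


def krack_scenario(patched: bool):
    """Attacker blocks message 4, lets the AP retransmit message 3 after the first data
    frame, and observes both frames. Returns (nonce1, nonce2, plaintext_xor_recovered)."""
    ptk = hashlib.sha256(b"PMK || ANonce || SNonce || MACs (constructed)").digest()
    p1 = b"GET /login HTTP/1.1\r\nHost: example.com\r\n\r\n"
    p2 = b"POST /login HTTP/1.1\r\nHost: example.com\r\n\r\n"
    sta = Supplicant(patched)
    sta.on_msg3(ptk)              # genuine message 3
    n1, c1 = sta.send(p1)
    sta.on_msg3(ptk)              # retransmitted message 3, forwarded by the attacker
    n2, c2 = sta.send(p2)
    recovered = xor(c1, c2) == xor(p1, p2)   # holds iff the keystream was reused
    return n1, n2, recovered


if __name__ == "__main__":
    for patched in (False, True):
        n1, n2, leak = krack_scenario(patched)
        print("patched" if patched else "vulnerable", n1.hex(), n2.hex(), "leak" if leak else "ok")
```

The unpatched run yields the same nonce for both frames and the attacker learns p1 XOR p2 without the key, which is what "reuse of an old set of IVs" costs in practice; the patched run keeps the PN monotonic across the replay, so the two ciphertexts are unrelated. This is the gap the Tamarin analysis exposes: the standard's listed properties (key secrecy, agreement) hold in both runs, and only an explicit "no nonce reuse under an installed key" property separates them.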

Book ChapterDOI
14 Dec 2020
TL;DR: This work provides the first concrete performance analysis of a modern 0-RTT protocol with full forward security, by integrating the Bloom Filter Encryption scheme of Derler et al. (EUROCRYPT 2018) in the Chromium QUIC implementation and comparing it to Google’s original QUIC protocol.
Abstract: Modern cryptographic protocols, such as TLS 1.3 and QUIC, can send cryptographically protected data in “zero round-trip times (0-RTT)”, that is, without the need for a prior interactive handshake. Such protocols meet the demand for communication with minimal latency, but those currently deployed in practice achieve only rather weak security properties, as they may not achieve forward security for the first transmitted payload message and require additional countermeasures against replay attacks.

Proceedings ArticleDOI
03 Aug 2020
TL;DR: A split TLS processing architecture is envisioned that handles TCP connection setup and the TLS handshake on the NIC while carrying out the remaining operations in the CPU-based host stack.
Abstract: Transport Layer Security (TLS) has become a key building block for private network communication in the modern Internet. While recent advances in CPUs have substantially improved data encryption performance, the TLS key exchange remains the bottleneck for short-lived transactions. Dedicated hardware crypto accelerators promise good performance, but they often require invasive modification of the application due to their inherently asynchronous processing architecture. In this paper, we explore the potential for offloading the TLS handshake to network interface cards (NICs) with a hardware crypto accelerator. We envision a split TLS processing architecture for TCP that handles TCP connection setup and the TLS handshake on the NIC while carrying out the remaining operations in the CPU-based host stack. We present our rationale for the design and discuss a set of challenges towards our goal. Our proof-of-concept implementation on an existing SmartNIC shows a promising result, as it brings a 5.9x throughput improvement over that of a single CPU core.

Book ChapterDOI
14 Sep 2020
TL;DR: This paper proposes a new security model for both the handshake and record layers, a.k.a. secure channel, and presents a signed, Diffie-Hellman based secure channel protocol, and shows how to design a provably-secure reverse firewall for it.
Abstract: Reverse firewalls (RFs) were introduced by Mironov and Stephens-Davidowitz to address algorithm-substitution attacks (ASAs) in which an adversary subverts the implementation of a provably-secure cryptographic primitive to make it insecure. This concept was applied by Dodis et al. in the context of secure key exchange (handshake phase), where the adversary wants to exfiltrate sensitive information by using a subverted client implementation. RFs are used as a means of “sanitizing” the client-side protocol in order to prevent this exfiltration. In this paper, we propose a new security model for both the handshake and record layers, a.k.a. secure channel. We present a signed, Diffie-Hellman based secure channel protocol, and show how to design a provably-secure reverse firewall for it. Our model is stronger since the adversary has a larger surface of attacks, which makes the construction challenging. Our construction uses classical and off-the-shelf cryptography.

08 Jan 2020
TL;DR: A new method is proposed to easily verify that a public key is authentic, using a Handshake process that allows users to easily authenticate their communication channel.
Abstract: In interpersonal messaging, end-to-end encryption requires means for public key distribution and for verification of the key's authenticity; the latter prevents man-in-the-middle (MITM) attacks. This document proposes a new method to easily verify that a public key is authentic by a Handshake process that allows users to easily authenticate their communication channel. The new method is targeted at Opportunistic Security scenarios and is already implemented in several applications of pretty Easy privacy (pEp).

Proceedings ArticleDOI
07 Jun 2020
TL;DR: This work builds on the well-known lattice-based DLP-IBE scheme to construct an ID-based certificateless authenticated key exchange for post-quantum Transport Layer Security (TLS) handshakes, and shows that the ID-based handshake is 3.7 times more energy-efficient than the traditional certificate-based handshake.
Abstract: Identity-Based Encryption (IBE) is considered an alternative to traditional certificate-based public key cryptography to reduce communication overheads in wireless sensor networks. In this work, we build on the well-known lattice-based DLP-IBE scheme to construct an ID-based certificateless authenticated key exchange for post-quantum Transport Layer Security (TLS) handshakes. We also propose concrete parameters for the underlying lattice computations and provide detailed implementation results. Finally, we compare the combined computation and communication cost of our ID-based certificateless handshake with the traditional certificate-based handshake, both using lattice-based algorithms at similar post-quantum security levels, and show that our ID-based handshake is 3.7× more energy-efficient, thus highlighting the advantage of ID-based key exchange for post-quantum TLS.

Patent
09 Jan 2020
TL;DR: In this article, the authors present methods, apparatuses and systems for performing a TLS/DTLS handshake process between machines in a manner that reduces the amount of data sent during the handshake process.
Abstract: Broadly speaking, embodiments of the present technique provide methods, apparatuses and systems for performing a TLS/DTLS handshake process between machines in a manner that reduces the amount of data sent during the handshake process.

Journal ArticleDOI
31 May 2020
TL;DR: By comparing the performance of these two medium access mechanisms in CBTC, it was found that for multiple retransmissions with various data rates the RTS/CTS model had better packet delay time than TWH.
Abstract: Wireless Local Area Network (WLAN) is used primarily in CBTC because of the easy availability of commercial WLAN equipment. In the present scenario, the WLAN Medium Access Control (MAC) protocol is a well-known protocol which is used to satisfy real-time traffic and delay-sensitive applications. The bidirectional train-trackside communication is the fundamental key of train control in CBTC. DCF describes two basic techniques used for packet transmission: the first technique is a Two Way Handshake (TWH) mechanism and the other is a Four Way Handshake (FWH) mechanism. The RTS/CTS FWH protocol specified by IEEE 802.11b is introduced to rectify the Hidden Node Problem (HNP) encountered in the TWH protocol. That is why the TWH mechanism of the DCF technique suffers from higher average packet delay time when this protocol is applied to CBTC. A DCF Four Way Handshake (FWH), Request To Send (RTS) and Clear To Send (CTS) delay model is proposed to develop a Communication Based Train Control (CBTC) system. FWH is applied in CBTC to overcome the packet delay and throughput limitations of the Two Way Handshake (TWH) mechanism of the distributed coordination function (DCF) based technique. An experiment is designed to simulate and compare the performance of the RTS/CTS delay model against the TWH mechanism of DCF. It was found that the average packet delay is slightly higher and the throughput is lower in RTS/CTS in comparison to the TWH method. By comparing the performance of these two medium access mechanisms in CBTC, it was found that for multiple retransmissions with various data rates the RTS/CTS model had better packet delay time than TWH.

Patent
06 Feb 2020
TL;DR: In this paper, a smart hybrid acceleration method is presented that receives a handshake request from a client terminal and determines whether the handshake request contains a self-defined resource extension field; whether to use hardware acceleration or software acceleration is then determined according to the resource level.
Abstract: A smart hybrid acceleration method includes receiving a handshake request from a client terminal, and determining whether the handshake request contains a self-defined resource extension field. If not, a target domain name with which the client terminal is to connect is acquired from the handshake request, and whether to use a hardware acceleration or a software acceleration is determined according to a level of the target domain name. If so, a resource level of a resource accessed by the client terminal is determined according to content in the self-defined resource extension field, and whether to use the hardware acceleration or the software acceleration is determined according to the resource level.

Posted Content
TL;DR: In this paper, the TLS 1.3 handshake protocol is analyzed in the reductionist security framework using a multi-stage key exchange security model, where each of the many session keys derived in a single TLS 1.3 handshake is tagged with various properties (such as unauthenticated versus unilaterally authenticated versus mutually authenticated, whether it is intended to provide forward security, how it is used in the protocol, and whether the key is protected against replay attacks).
Abstract: We analyze the handshake protocol of the Transport Layer Security (TLS) protocol, version 1.3. We address both the full TLS 1.3 handshake (the one round-trip time mode, with signatures for authentication and (elliptic curve) Diffie–Hellman ephemeral ((EC)DHE) key exchange), and the abbreviated resumption/“PSK” mode which uses a pre-shared key for authentication (with optional (EC)DHE key exchange and zero round-trip time key establishment). Our analysis in the reductionist security framework uses a multi-stage key exchange security model, where each of the many session keys derived in a single TLS 1.3 handshake is tagged with various properties (such as unauthenticated versus unilaterally authenticated versus mutually authenticated, whether it is intended to provide forward security, how it is used in the protocol, and whether the key is protected against replay attacks). We show that these TLS 1.3 handshake protocol modes establish session keys with their desired security properties under standard cryptographic assumptions.

Posted Content
TL;DR: A new machine learning-based method to identify HTTPS services without decryption is proposed; services can be identified very early in the session by extracting statistical features from TLS handshake packets and from a small number of application data packets.
Abstract: Traffic monitoring is essential for network management tasks that ensure security and QoS. However, the continuous increase of HTTPS traffic undermines the effectiveness of current service-level monitoring, which can only rely on unreliable parameters from the TLS handshake (X.509 certificate, SNI) or must decrypt the traffic. We propose a new machine learning-based method to identify HTTPS services without decryption. By extracting statistical features from TLS handshake packets and from a small number of application data packets, we can identify HTTPS services very early in the session. Extensive experiments performed over a significant and open dataset show that our method offers good accuracy, and a prototype implementation confirms that early identification of HTTPS services is achieved.