Handshake

About: Handshake is a research topic. Over its lifetime, 1105 publications have been published within this topic, receiving 15166 citations. The topic is also known as: 🤝.


Papers
Proceedings Article
01 Jan 2012
TL;DR: The confidentiality (secrecy) property of the SSL/TLS handshake protocol is proved in this paper by introducing a new function, called the DINEK function, that safely estimates the security level of messages, and it is shown that this function could be used not only to verify the TLS protocol but also to verify the secrecy property for a large class of protocols, in particular Key Agreement protocols.
Abstract: Most applications on the Internet, such as e-banking, e-commerce, e-mailing, etc., use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol to protect the communication channel between the client and the server. That is why it is paramount to ensure the security objectives such as confidentiality, authentication and integrity of the SSL/TLS protocol. In this paper we prove the confidentiality (secrecy) property of the SSL/TLS handshake protocol, which constitutes the main core of the SSL/TLS protocol. To perform this analysis, we introduce a new function, called the DINEK function, that safely estimates the security level of messages. More precisely, this function, which shares a conceptual origin with the idea of a rank function, allows estimating the security level of a message (including unknown messages) according to the interaction between the protocol and the intruder. This function could be used not only to verify the TLS protocol, as we will show in this paper, but also to verify the secrecy property for a large class of protocols, in particular Key Agreement protocols. The verification using the DINEK function is proven in this paper for an unbounded number of sessions and an unbounded number of nonces.
1 MOTIVATIONS AND BACKGROUND
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that aim to provide secure communication over the Internet (Hickman, 1994; Dierks and Rescorla, 2008). SSL/TLS and their versions are in widespread use in applications such as web browsing, electronic mail, e-commerce, banking, cloud computing, VPN, Internet faxing, instant messaging and voice-over-IP (VoIP). In fact, several versions of SSL/TLS are used each time a secure communication is needed. More precisely, TLS and SSL encrypt the segments of network connections above the transport layer, using asymmetric cryptography to ensure security objectives such as confidentiality, integrity and authentication.
However, these security objectives are broken and many attacks and vulnerabilities (Mitchell et al., 1998; Oppliger and Gajek, 2005; Oppliger et al., 2006; Wagner and Schneier, 1996) have been discovered against the implementation and the cryptographic primitives used by this protocol rather than the protocol itself. For instance, in the implementation of SSL 2.0 some fields are not well instantiated, which could be exploited for a man-in-the-middle attack as described in (Oppliger et al., 2006). Also, a weak MAC construction is used as a cryptographic primitive in SSL 2.0, as shown in (Wagner and Schneier, 1996). In recent years, many versions of SSL/TLS have been proposed to correct these flaws and vulnerabilities. Therefore, ensuring the correctness of the TLS protocol with respect to its security objectives is paramount. Indeed, most communication over the network is based on this protocol and a simple flaw could be dearly-won and costly.
Formal methods to verify the security of cryptographic protocols have received much attention in recent years, since they allow giving, in a concrete and formal way, the proof of their correctness and security. Some of these works, including comparative studies, can be found in (Meadows, 2003; Sabelfeld and Myers, 2003; Carlsen, 1994; Clark and Jacob, 1996; Kemmerer et al., 1994; Liebl, 1993; Meadows, 1994; Rubin and Honeyman, 1993; Syverson, 1991; Syverson, 92). However, almost all of these methods are not suitable to prove the security of the SSL/TLS protocol due to their restrictions. Nevertheless, there are some attempts to prove the security of the TLS protocol. For example, authors tried to prove in (Paulson, 1997a) some security properties (authentication and secrecy properties) during the handshake phase by using the inductive approach and the theorem prover "Isabelle". However, the proof is not fully automatic and human interaction is needed to perform the proof, which could be error prone. Moreover, the proof concerns only a simplified and abstracted version of SSL/TLS rather than the real version, and the proof of the fact that the security of the simplified version of TLS is sufficient to ensure its security is not given. Also, the SSL Handshake has been analyzed using a general purpose finite-state enumeration tool called Murφ (He et al., 2005; Mitchell, 1998). As any model checker, this tool is enable to ensure the security of protocols in the absence of flaws.
Houmani H. and Debbabi M. Formal Analysis of the TLS Handshake Protocol. DOI: 10.5220/0004075101920205. In Proceedings of the International Conference on Security and Cryptography (SECRYPT-2012), pages 192-205. ISBN: 978-989-8565-24-2. Copyright © 2012 SCITEPRESS (Science and Technology Publications, Lda.)
In an independent line of research, several works (Jager et al., 2011; Morrissey et al., 2008) analyzed the security properties (authentication, confidentiality and integrity) of the SSL/TLS handshake protocol. However, these works make some unrealistic assumptions and abstractions on the protocol. For instance, in (Morrissey et al., 2008) the authors extensively use the random oracle model (Bellare and Rogaway, 1993) to separate the three layers they define in the TLS handshake, and to switch from a computational to an indistinguishability-based security model. In (Jager et al., 2011), the authors use the standard model (some realistic assumptions on the encryption scheme), but they prove the security of only a truncated version of the SSL/TLS handshake protocol rather than the complete and original version. In this paper, we prove the secrecy (confidentiality) property of the TLS handshake protocol on the original description of the protocol.
This analysis is conducted by using the interpretation functions-based method (Houmani and Mejri, 2008a; Houmani and Mejri, 2008b), which shares a conceptual origin with the idea of a rank function (Delicata and Schneider, 2005; Schneider, 1997). In fact, the main idea of the rank function-based method is to construct a message space in a way that the authentication will correspond to certain messages kept away from the intruder. The goal is to define a rank function which correctly assigns a positive rank to every message that the intruder may obtain and a negative rank for the others. As for the typing-based method, the idea consists of not decreasing the security levels of sent messages. However, the effort needed to define a rank function that guarantees the security of a cryptographic protocol is heavy and non-evident. This is where the interpretation function-based method comes in, allowing an interpretation function to be defined in a semi-automatic way. An interpretation function could be viewed as a rank function that, instead of estimating the security level of a message in an absolute way, estimates it in a relative and approximate way. For instance, in the rank function-based method, the rank of a message α is equal to 0 when the message is equal to sa, and equal to 1 in other cases. In the interpretation function, the rank of a message is always calculated by considering a set of messages. For instance, the rank of α in {α}k is equal to the rank of k, which may be secret or not, and the rank of α in α.m is equal to 1 (public). This modification of the rank function allows a rank function to be defined for a class of protocols instead of for each protocol. It also provides a guideline for defining such functions.
In addition to that, the interpretation function-based method generalizes the main result of the rank function-based method by proving the result for any class of protocols and any intruder capacities (including algebraic properties of cryptographic primitives). Also, the verification is bounded and proven sufficient to guarantee the secrecy property for unbounded sessions and nonces in the presence of an active intruder who can apply an unbounded number of operations to the messages. However, the guideline of the interpretation function is not suitable to define an interpretation function that allows verifying the secrecy property of key agreement protocols. This is due to the fact that in this guideline we propose to give unknown messages unknown security levels. Hence, for a key that is freshly shared between two agents and which is considered by one of them or both as an unknown message, its confidentiality could not be ensured. In the remainder of this paper, we will address this problem by giving a new class of interpretation functions that could be used to analyze the secrecy property for key agreement protocols. Also, we prove that these kinds of functions are sufficient to prove the secrecy for an unbounded number of sessions and nonces. Also, we give in this paper concrete examples (the DEK and DINEK functions) of such functions. With the DINEK function we prove the secrecy property of the TLS handshake protocol.
2 SSL/TLS HANDSHAKE PROTOCOL
The SSL/TLS protocol (Dierks and Rescorla, 2008) is composed of five protocols: Record Layer protocol, Handshake protocol, ChangeCipherSpec protocol, Application Data and Alert protocol. In this paper, we analyze the Handshake protocol, which allows authenticating the client and the server to each other and negotiating a stateful connection by using a handshaking procedure. During this phase, the client and server

3 citations

Book Chapter
01 Feb 2022
TL;DR: DNEye is a measurement system built on top of a network of distributed vantage points, which is used to study the accessibility of DoT/DoH and ESNI, and to investigate whether these protocols are tampered with by network providers.
Abstract: Most online communications rely on DNS to map domain names to their hosting IP address(es). Previous work has shown that DNS-based network interference is widespread due to the unencrypted and unauthenticated nature of the original DNS protocol. In addition to DNS, accessed domain names can also be monitored by on-path observers during the TLS handshake when the SNI extension is used. These lingering issues with exposed plaintext domain names have led to the development of a new generation of protocols that keep accessed domain names hidden. DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) hide the domain names of DNS queries, while Encrypted Server Name Indication (ESNI) encrypts the domain name in the SNI extension. We present DNEye, a measurement system built on top of a network of distributed vantage points, which we used to study the accessibility of DoT/DoH and ESNI, and to investigate whether these protocols are tampered with by network providers (e.g., for censorship). Moreover, we evaluate the efficacy of these protocols in circumventing network interference when accessing content blocked by traditional DNS manipulation. We find evidence of blocking efforts against domain name encryption technologies in several countries, including China, Russia, and Saudi Arabia. At the same time, we discover that domain name encryption can help with unblocking more than 55% and 95% of censored domains in China and other countries where DNS-based filtering is heavily employed.

3 citations

Proceedings Article
20 Oct 2014
TL;DR: The potential of modern reconfigurable devices to efficiently realize the Tor protocol on embedded devices is explored and a hardware-based implementation on the Xilinx Zynq platform outperforms previous embedded solutions by more than a factor of 9 with respect to the cryptographic handshake.
Abstract: Security and privacy of data traversing the Internet have always been a major concern for all users. In this context, The Onion Routing (Tor) is the most successful protocol to anonymize global Internet traffic and is widely deployed as software on many personal computers or servers. In this paper, we explore the potential of modern reconfigurable devices to efficiently realize the Tor protocol on embedded devices. In particular, this targets the acceleration of the complex cryptographic operations involved in the handshake of routing nodes and the data stream encryption. Our hardware-based implementation on the Xilinx Zynq platform outperforms previous embedded solutions by more than a factor of 9 with respect to the cryptographic handshake, ultimately enabling quite inexpensive but highly efficient routers. Hence, we consider our work as a further milestone towards the development and the dissemination of low-cost and high-performance onion relays that hopefully ultimately leads again to a more private Internet.

3 citations

Proceedings Article
01 Nov 2017
TL;DR: It is found that the communication speed and the Timeout of the server affect the effectiveness of the attack; the optimal settings for the proposed attack method are derived, and it is confirmed that the method is more advantageous than previous schemes under the condition of the same total number of attack connections.
Abstract: Slow Read DoS attack is a technique of exhausting connection resources by delaying communication after the three-way handshake. In this paper, we analyze the effectiveness of the Slow Read DoS attack by experiments in a virtual network simulating a real communication environment. We also propose a Synchronous Slow Read DoS attack method. From the analysis, we found that the communication speed and the Timeout of the server affect the effectiveness of the attack, and we derive the optimal settings for the proposed attack method. As a result, we confirmed that our method is more advantageous than previous schemes under the condition of the same total number of attack connections.

3 citations

Journal Article
Xie Jun-yuan
TL;DR: This paper analyses the problem of distrust in the handshake of SSL protocol, discusses the principle of trust negotiation, and puts forward an extension of SSL using trust negotiation and the implementation of it.
Abstract: This paper analyses the problem of distrust in the handshake of SSL protocol, discusses the principle of trust negotiation, puts forward an extension of SSL using trust negotiation and the implementation of it.

3 citations


Network Information
Related Topics (5)
The Internet
213.2K papers, 3.8M citations
79% related
Social network
42.9K papers, 1.5M citations
74% related
Wireless
133.4K papers, 1.9M citations
74% related
Encryption
98.3K papers, 1.4M citations
73% related
Wireless network
122.5K papers, 2.1M citations
72% related
Performance
Metrics
No. of papers in the topic in previous years
Year    Papers
2023    58
2022    140
2021    37
2020    65
2019    91
2018    77