Abstract
Transport Layer Security (TLS) 1.3 and the Signal protocol are very important and widely used security protocols. We show that the key update function in TLS 1.3 and the symmetric key ratchet in Signal can be modeled as non-additive synchronous stream ciphers. This means that the efficient time-memory tradeoff (TMTO) attacks on stream ciphers can be applied. The implication is that TLS 1.3, QUIC, DTLS 1.3, and Signal offer a lower security level against TMTO attacks than their key sizes would suggest. We provide detailed analyses of the key update mechanisms in TLS 1.3 and Signal, illustrate the importance of ephemeral key exchange, and show that the process that DTLS 1.3 and QUIC use to calculate AEAD limits is flawed. We provide many concrete recommendations for the analyzed protocols.
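To make the "hidden stream cipher" view concrete, the following added example (not code from the paper) models both key update functions as a state-update step with a per-generation key output: the TLS 1.3 KeyUpdate derivation of RFC 8446 section 7.2 (HKDF-Expand-Label with the "traffic upd" label, AES-128-GCM key and IV sizes assumed) and Signal's symmetric-key ratchet KDF_CK (HMAC-SHA256 with the constants 0x01 and 0x02, as in Signal's documentation). The `later_outputs_fully_determined` check shows the property that makes TMTO relevant for defenders: because no fresh entropy enters between steps, a state recovered at any generation reproduces every later key, so only a new ephemeral key exchange, not a key update, restores the expected security level. All initial secrets below are constructed test values.

```python
import hashlib, hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for the SHA-256 cipher suites

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label from RFC 8446 section 7.1 (serialised HkdfLabel as info)."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)

def tls13_update(secret: bytes) -> tuple[bytes, bytes, bytes]:
    """One KeyUpdate step: (next traffic secret, AEAD key, AEAD IV). No new entropy enters."""
    key = hkdf_expand_label(secret, b"key", b"", 16)
    iv = hkdf_expand_label(secret, b"iv", b"", 12)
    next_secret = hkdf_expand_label(secret, b"traffic upd", b"", HASH_LEN)
    return next_secret, key, iv

def signal_ratchet(chain_key: bytes) -> tuple[bytes, bytes]:
    """Signal KDF_CK: (next chain key = HMAC(ck, 0x02), message key = HMAC(ck, 0x01))."""
    message_key = hmac.new(chain_key, b"\x01", HASH).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", HASH).digest()
    return next_chain_key, message_key

def run(step, state: bytes, n: int) -> list[bytes]:
    """Clock the state machine n times and collect each generation's key output."""
    outputs = []
    for _ in range(n):
        state, *out = step(state)
        outputs.append(b"".join(out))
    return outputs

def later_outputs_fully_determined(step, initial_state: bytes, known_at: int, total: int) -> bool:
    """True if a party that learns only the state at generation `known_at` reproduces
    every later key. Earlier generations remain hidden because each step is one-way."""
    honest = run(step, initial_state, total)
    state = initial_state
    for _ in range(known_at):
        state = step(state)[0]  # the intermediate state assumed to be recovered (constructed scenario)
    return run(step, state, total - known_at) == honest[known_at:]
```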
Acknowledgements
The authors would like to thank Patrik Ekdahl, Loïc Ferreira, Alexander Maximov, Ben Smeets, Erik Thormarker, and other reviewers for their helpful comments and suggestions.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Cite this paper
Preuß Mattsson, J. (2023). Hidden Stream Ciphers and TMTO Attacks on TLS 1.3, DTLS 1.3, QUIC, and Signal. In: Deng, J., Kolesnikov, V., Schwarzmann, A.A. (eds) Cryptology and Network Security. CANS 2023. Lecture Notes in Computer Science, vol 14342. Springer, Singapore. https://doi.org/10.1007/978-981-99-7563-1_12
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-7562-4
Online ISBN: 978-981-99-7563-1
eBook Packages: Computer Science, Computer Science (R0)