Hidden Stream Ciphers and TMTO Attacks on TLS 1.3, DTLS 1.3, QUIC, and Signal

  • Conference paper
Cryptology and Network Security (CANS 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14342)

Abstract

Transport Layer Security (TLS) 1.3 and the Signal protocol are very important and widely used security protocols. We show that the key update function in TLS 1.3 and the symmetric key ratchet in Signal can be modeled as non-additive synchronous stream ciphers. This means that the efficient time-memory tradeoff (TMTO) attacks known for stream ciphers can be applied. The implication is that TLS 1.3, QUIC, DTLS 1.3, and Signal offer a lower security level against TMTO attacks than expected from the key sizes. We provide detailed analyses of the key update mechanisms in TLS 1.3 and Signal, illustrate the importance of ephemeral key exchange, and show that the process that DTLS 1.3 and QUIC use to calculate AEAD limits is flawed. We provide many concrete recommendations for the analyzed protocols.
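The following is an added example, not code from the paper or from any TLS implementation. It renders the abstract's "hidden stream cipher" view of the TLS 1.3 key update concretely: the RFC 8446 section 7.2 chain application_traffic_secret_N+1 = HKDF-Expand-Label(application_traffic_secret_N, "traffic upd", "", Hash.length) is a state machine whose only hidden state is the current traffic secret, and whose per-epoch output is the AEAD key and IV derived from that state. It assumes a SHA-256 cipher suite (32-byte secret, 16-byte key, 12-byte IV, as for TLS_AES_128_GCM_SHA256), a constructed seed secret in place of a real handshake output, and the generic Babbage/Golić tradeoff T·M ≈ S for a synchronous stream cipher with S states as the rule of thumb for what the state size implies; the paper's own analysis may be more detailed than that rule. The HKDF-Expand implementation is checked against RFC 5869 test case 1 so the derivation itself is verified.

```python
import hmac
import hashlib
import struct

# Parameters assumed for this example: a SHA-256 cipher suite such as
# TLS_AES_128_GCM_SHA256 (32-byte traffic secret, 16-byte key, 12-byte IV).
HASH_FN = hashlib.sha256
HASH_LEN = 32
KEY_LEN = 16
IV_LEN = 12


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand from RFC 5869: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH_FN).digest()
        out += t
        i += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label from RFC 8446 section 7.1:
    HkdfLabel = uint16 length || opaque "tls13 " + label || opaque context."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


class TrafficSecretStream:
    """The TLS 1.3 key-update chain viewed as a synchronous stream cipher.

    hidden state : application_traffic_secret_N (HASH_LEN bytes)
    output at N  : (key_N, iv_N), the AEAD key and IV for epoch N
    next state   : HKDF-Expand-Label(state, "traffic upd", "", HASH_LEN)  (RFC 8446 section 7.2)
    No fresh entropy enters the chain, so the state alone fixes every later key.
    """

    def __init__(self, initial_secret: bytes):
        assert len(initial_secret) == HASH_LEN
        self.state = initial_secret
        self.epoch = 0

    def output(self) -> tuple:
        key = hkdf_expand_label(self.state, b"key", b"", KEY_LEN)
        iv = hkdf_expand_label(self.state, b"iv", b"", IV_LEN)
        return key, iv

    def step(self) -> None:
        self.state = hkdf_expand_label(self.state, b"traffic upd", b"", HASH_LEN)
        self.epoch += 1


def tmto_security_bits(state_bits: int) -> float:
    """Generic Babbage/Golic tradeoff for a synchronous stream cipher with S = 2^state_bits states:
    memory M and online work T satisfy T * M ~ S, so the balanced point is T = M = S^(1/2).
    Resistance is therefore governed by the state size, not by the nominal key size."""
    return state_bits / 2


def rfc5869_self_check() -> bool:
    """Check hkdf_expand against RFC 5869 test case 1 (PRK, info and OKM taken from the RFC)."""
    prk = bytes.fromhex("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5")
    info = bytes(range(0xF0, 0xFA))
    okm = "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    return hkdf_expand(prk, info, 42).hex() == okm


def demo() -> list:
    """Run three epochs of the chain from a constructed seed and return the (key, iv) outputs."""
    # Constructed seed for the example; in TLS this would be the handshake's traffic secret.
    seed = hashlib.sha256(b"constructed application_traffic_secret_0").digest()
    stream = TrafficSecretStream(seed)
    epochs = []
    for _ in range(3):
        epochs.append(stream.output())
        stream.step()
    return epochs


if __name__ == "__main__":
    print("HKDF-Expand self-check against RFC 5869:", rfc5869_self_check())
    for n, (k, iv) in enumerate(demo()):
        print(f"epoch {n}: key={k.hex()} iv={iv.hex()}")
    bits = HASH_LEN * 8
    print(f"state size {bits} bits -> generic TMTO resistance about {tmto_security_bits(bits)} bits")
```

The defender-side reading is the one the abstract gives: since later epochs are a deterministic function of one hash-sized state, what restores key-size security is injecting fresh entropy with an ephemeral key exchange (a new handshake or DH-based rekey) rather than relying on the key update alone.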



Acknowledgements

The authors would like to thank Patrik Ekdahl, Loïc Ferreira, Alexander Maximov, Ben Smeets, Erik Thormarker, and other reviewers for their helpful comments and suggestions.


Correspondence to John Preuß Mattsson.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.


Cite this paper

Preuß Mattsson, J. (2023). Hidden Stream Ciphers and TMTO Attacks on TLS 1.3, DTLS 1.3, QUIC, and Signal. In: Deng, J., Kolesnikov, V., Schwarzmann, A.A. (eds) Cryptology and Network Security. CANS 2023. Lecture Notes in Computer Science, vol 14342. Springer, Singapore. https://doi.org/10.1007/978-981-99-7563-1_12


  • DOI: https://doi.org/10.1007/978-981-99-7563-1_12


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-7562-4

  • Online ISBN: 978-981-99-7563-1

  • eBook Packages: Computer Science (R0)
