Abstract
TLS 1.3 allows two parties to establish a shared session key from an out-of-band agreed pre-shared key (PSK). The PSK is used to mutually authenticate the parties, under the assumption that it is not shared with others. This allows the parties to skip the certificate verification steps, saving bandwidth, communication rounds, and latency. In this paper, we identify a vulnerability in this specific TLS 1.3 option by showing a new “reflection attack” that we call “Selfie.” This attack uses the fact that TLS does not mandate explicit authentication of the server and the client, and leverages it to break the protocol’s mutual authentication property. We explain the root cause of this TLS 1.3 vulnerability, provide a fully detailed demonstration of a Selfie attack using the TLS implementation of OpenSSL, and propose mitigation. The Selfie attack is the first attack on TLS 1.3 after its official release in 2018. It is surprising because it uncovers an interesting gap in the existing TLS 1.3 models that the security proofs rely on. We explain the gap in these model assumptions and show how it affects the proofs in this case.
References
[1] D. Adrian, K. Bhargavan, Z. Durumeric, P. Gaudry, M. Green, J.A. Halderman, N. Heninger, D. Springall, E. Thomé, L. Valenta, B. VanderSloot, E. Wustrow, S. Zanella-Béguelin, P. Zimmermann, Imperfect forward secrecy: how Diffie-Hellman fails in practice. in: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, (ACM, New York, NY, USA), CCS ’15, pp. 5–17, (2015) https://doi.org/10.1145/2810103.2813707
[2] N. Aviram, S. Schinzel, J. Somorovsky, N. Heninger, M. Dankel, J. Steube, L. Valenta, D. Adrian, J.A. Halderman, V. Dukhovni, E. Käsper, S. Cohney, S. Engels, C. Paar, Y. Shavitt, DROWN: Breaking TLS using SSLv2. in: Proceedings of the 25th USENIX Security Symposium, pp. 1–18, (2016) https://www.semanticscholar.org/paper/DROWN%3A-Breaking-TLS-Using-SSLv2-Aviram-Schinzel/2aa0e44b8529de8ee75138eade8aba0bfb9f008f
[3] M. Bellare, P. Rogaway, Entity Authentication and Key Distribution. in: D.R. Stinson (ed) Advances in Cryptology — CRYPTO ’93, (Springer Berlin Heidelberg, Berlin, Heidelberg), pp. 232–249, (1994) https://doi.org/10.1007/3-540-48329-2_21
[4] D. Benjamin, C.A. Wood, Importing External PSKs for TLS. Internet-Draft draft-ietf-tls-external-psk-importer-02, Internet Engineering Task Force, https://datatracker.ietf.org/doc/html/draft-ietf-tls-external-psk-importer-02, work in progress (2019)
[5] K. Bhargavan, B. Blanchet, N. Kobeissi, Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate. in: 2017 IEEE Symposium on Security and Privacy (SP), IEEE, pp. 483–502, (2017) https://doi.org/10.1109/SP.2017.26
[6] C. Cremers, M. Horvat, S. Scott, T. van der Merwe, Automated Analysis and Verification of TLS 1.3: 0-RTT, resumption and delayed authentication. in: 2016 IEEE Symposium on Security and Privacy (SP), pp. 470–485, (2016) https://doi.org/10.1109/SP.2016.35
[7] C. Cremers, M. Horvat, J. Hoyland, S. Scott, T. van der Merwe, A Comprehensive Symbolic Analysis of TLS 1.3. in: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, (ACM, New York, NY, USA), CCS ’17, pp. 1773–1788, (2017) https://doi.org/10.1145/3133956.3134063
[8] D. Basin, C. Cremers, J. Dreier, S. Meier, R. Sasse, B. Schmidt, Tamarin prover. (2019) https://tamarin-prover.github.io/#
[9] A. Delignat-Lavaud, K. Bhargavan, Network-based origin confusion attacks against HTTPS virtual hosting. in: Proceedings of the 24th International Conference on World Wide Web, International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland, WWW ’15, pp. 227–237, (2015) https://doi.org/10.1145/2736277.2741089
[10] B. Dowling, M. Fischlin, F. Günther, D. Stebila, A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol. IACR Cryptology ePrint Archive, https://eprint.iacr.org/2016/081 (2017)
[11] N. Drucker, S. Gueron, Selfie: reflections on TLS 1.3 with PSK. IACR Cryptology ePrint Archive, https://eprint.iacr.org/2019/347 (2019)
[12] Z. Durumeric, F. Li, J. Kasten, J. Amann, J. Beekman, M. Payer, N. Weaver, D. Adrian, V. Paxson, M. Bailey, J.A. Halderman, The Matter of Heartbleed. in: Proceedings of the 2014 Conference on Internet Measurement Conference, (ACM, New York, NY, USA), IMC ’14, pp. 475–488, (2014) https://doi.org/10.1145/2663716.2663755
[13] M. Fischlin, F. Günther, Multi-Stage Key Exchange and the Case of Google’s QUIC Protocol. in: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, (ACM, New York, NY, USA), CCS ’14, pp. 1193–1204, (2014) https://doi.org/10.1145/2660267.2660308
[14] M. Fischlin, F. Günther, Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates. IACR Cryptology ePrint Archive, https://eprint.iacr.org/2017/082.pdf (2017a)
[15] M. Fischlin, F. Günther, Replay attacks on zero round-trip time: the case of the TLS 1.3 handshake candidates. in: 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 60–75, (2017b) https://doi.org/10.1109/EuroSP.2017.18
[16] M. Fischlin, F. Günther, B. Schmidt, B. Warinschi, Key confirmation in key exchange: a formal treatment and implications for TLS 1.3. in: 2016 IEEE Symposium on Security and Privacy (SP), pp. 452–469, (2016) https://doi.org/10.1109/SP.2016.34
[17] F. Hao, On Robust Key Agreement Based on Public Key Authentication. in: R. Sion (ed) Financial Cryptography and Data Security, (Springer Berlin Heidelberg, Berlin, Heidelberg), pp. 383–390, (2010) https://doi.org/10.1007/978-3-642-14577-3_33
[18] F. Hao, S.F. Shahandashti, The SPEKE protocol revisited. in: Security Standardisation Research, (Springer International Publishing, Cham), pp. 26–38, (2014) https://doi.org/10.1007/978-3-319-14054-4_2
[19] N. Heninger, Z. Durumeric, E. Wustrow, J.A. Halderman, Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices. in: Presented as part of the 21st USENIX Security Symposium (USENIX Security 12), USENIX, (Bellevue, WA), pp. 205–220, (2012) https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/heninger
[20] R. Holz, J. Amann, O. Mehani, M. Wachs, M.A. Kaafar, D. Csiro, TLS in the Wild: An Internet-wide Analysis of TLS-based Protocols for Electronic Communication. in: NDSS, pp. 21–24, (2016) https://doi.org/10.14722/ndss.2016.23055
[21] R. Housley, TLS 1.3 Extension for Certificate-based Authentication with an External Pre-Shared Key. Internet-Draft draft-ietf-tls-tls13-cert-with-extern-psk-00, Internet Engineering Task Force, https://datatracker.ietf.org/doc/html/draft-ietf-tls-tls13-cert-with-extern-psk-00, work in progress (2019)
[22] R. Housley, J. Hoyland, M. Sethi, C.A. Wood, Guidance for External PSK Usage in TLS. Internet-Draft draft-dt-tls-external-psk-guidance-01, Internet Engineering Task Force, https://datatracker.ietf.org/doc/html/draft-dt-tls-external-psk-guidance-01, work in progress (2020)
[23] T. Jager, J. Schwenk, J. Somorovsky, On the security of TLS 1.3 and QUIC against weaknesses in PKCS#1 v1.5 encryption. in: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, (ACM, New York, NY, USA), CCS ’15, pp. 1185–1196, (2015) https://doi.org/10.1145/2810103.2813657
[24] H. Krawczyk, P. Eronen, HMAC-based extract-and-expand key derivation function (HKDF). RFC 5869, (2010) https://tools.ietf.org/html/rfc5869
[25] H. Krawczyk, H. Wee, The OPTLS Protocol and TLS 1.3. IEEE, pp. 81–96, (2016) https://doi.org/10.1109/EuroSP.2016.18
[26] H. Krawczyk, M. Bellare, R. Canetti, HMAC: Keyed-Hashing for Message Authentication. RFC 2104, (1997) https://tools.ietf.org/html/rfc2104
[27] X. Li, J. Xu, Z. Zhang, D. Feng, H. Hu, Multiple handshakes security of TLS 1.3 candidates. in: 2016 IEEE Symposium on Security and Privacy (SP), pp. 486–505, (2016) https://doi.org/10.1109/SP.2016.36
[28] N. Mavrogiannopoulos, F. Vercauteren, V. Velichkov, B. Preneel, A cross-protocol attack on the TLS protocol. in: Proceedings of the 2012 ACM Conference on Computer and Communications Security, (ACM, New York, NY, USA), CCS ’12, pp. 62–72, (2012) https://doi.org/10.1145/2382196.2382206
[29] A. Menezes, B. Ustaoglu, On reusing ephemeral keys in Diffie-Hellman key agreement protocols. Int J Appl Cryptol 2(2), 154–158, (2010) https://doi.org/10.1504/IJACT.2010.038308
[30] T. van der Merwe, An Analysis of the Transport Layer Security Protocol. PhD thesis, Royal Holloway, University of London, (2018) http://www.isg.rhul.ac.uk/~kp/theses/TvdMthesis.pdf
[31] Mininet, Mininet - An Instant Virtual Network on your Laptop (or other PC), version mininet-2.2.2-170321-ubuntu-14.04.4-server-amd64.zip. (2019) http://mininet.org/
[32] OpenSSL, OpenSSL commit 38023b87f037f4b832c236dfce2a76272be08763. (2019) https://github.com/openssl/openssl/commit/38023b87f037f4b832c236dfce2a76272be08763
[33] Oracle, VirtualBox 5.1. (2018) https://www.virtualbox.org/
[34] T. Perrin, [noise] selfie attack. (2019) https://moderncrypto.org/mail-archive/noise/2019/002010.html
[35] E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, (2018) https://doi.org/10.17487/RFC8446, https://rfc-editor.org/rfc/rfc8446.txt
[36] S. Scott, TLS 1.3 modelled in Tamarin. (2018) https://samscott89.github.io/TLS13_Tamarin/
[37] M. Sethi, A. Peltonen, T. Aura, Misbinding Attacks on Secure Device Pairing and Bootstrapping. in: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, (Association for Computing Machinery, New York, NY, USA), Asia CCS ’19, pp. 453–464, (2019) https://doi.org/10.1145/3321705.3329813
[38] H. Tschofenig, P. Eronen, Pre-Shared Key Ciphersuites for Transport Layer Security (TLS). RFC 4279, (2005) https://doi.org/10.17487/RFC4279, https://rfc-editor.org/rfc/rfc4279.txt
Acknowledgements
We thank Matt Campagna, Adam Langley, Colm MacCarthaigh, Kenny Paterson, and Eric Rescorla for useful discussions and suggestions. We thank Gilad Ram for recommending Mininet for the demonstration.
This research was supported by: The Israel Science Foundation (Grant No. 1018/16); The BIU Center for Research in Applied Cryptography and Cyber Security, in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office; the Center for Cyber Law & Policy at the University of Haifa, in conjunction with the Israel National Cyber Directorate in the Prime Minister’s Office.
Additional information
Communicated by Colin Boyd.
A Demonstrating the Selfie Attack
This section describes a demonstration of the Selfie attack in a way that can be repeated by the reader. For completeness, we also describe the system that we used for the experiments: a Linux (Ubuntu 16.04.3 LTS) OS running on a platform equipped with the latest 7th Generation Intel® Core™ processor (“Kaby Lake”), Intel® Xeon® Platinum 8124M CPU at 3.00 GHz, Core™ i5-750.
The smallest network configuration for the Selfie attack requires at least one node that acts as a server and as a client (Alice) and a switch that acts as the Selfie mirror (Mallory). Our experiment was executed on a single desktop machine as follows. We emulated a virtual network using Mininet [31]. To run its virtual machine image, we used VirtualBox [33]. Inside the virtual machine, we installed the latest version of OpenSSL [32] configured to enable TLS 1.3.
We started the virtual network inside the virtual machine by executing
This generates a network with two nodes (Host 1 is Alice and Host 2 is Bob) and an ovsk switch (Mallory) as illustrated in Fig. 3. We used two configurations for the switch in order to simulate the normal intended operation (Fig. 3, panel a) and the Selfie attack scenario (panel b). The associated command lines for the normal configuration, where packets from port 1 (P1) are forwarded to port 2 (P2) and vice versa are
For the Selfie attack configuration, we use the commands
and
The first command reflects every packet that arrives at P1 back to its origin (which is Host 1). Note, however, that the source and destination (IP and MAC address) are flipped. The second command tells the switch how to handle Address Resolution Protocol (ARP) requests. It is important (for this experiment) to set the priority of the second command higher than the priority of the first command, so that ARP replies still get through (otherwise, the second host remains unidentified and never receives any ARP messages).
In both hosts, we set the PSK to have the (arbitrary) value
Now we opened a TLS 1.3 server (with OpenSSL) on both hosts, configured to listen on port 1443, as follows
Subsequently, we opened a client on Host 1 with the command
Remark 2
We comment on the specific TLS 1.3 implementation of OpenSSL. Here, the client always offers the psk_dhe_ke KE mode to the server. The server prefers the psk_dhe_ke mode over the psk_ke mode (because it provides FS). Therefore, our demonstration shows an attack on TLS 1.3 with external PSK in the psk_dhe_ke KE mode. Clearly, the Selfie attack is also possible in the psk_ke mode (see details in Sect. 3.1).
1.1 The Outcome
In the normal mode, the operation was as intended: Host 1 communicated with Host 2 and the TLS 1.3 with PSK session was established correctly. By contrast, under the Selfie attack, Host 1 ended up communicating with itself, consuming exactly the same messages that it delivered. The implications were discussed above.
It is interesting to note that this experiment cannot be repeated with BoringSSL (instead of OpenSSL) as the underlying cryptographic library. While BoringSSL enables TLS 1.3 by default, in the client and server, it does not support (implement) the option of using PSK without certificates.
1.2 Demonstrating the Attack on a TLS 1.3 Without Ephemeral Keys
The Selfie attack can also be mounted without using ephemeral keys, i.e., for TLS 1.3 with PSKs in psk_ke mode (without FS). We verified this by an experiment. To this end, we prepared a patched version of OpenSSL that disables the psk_dhe_ke mode for the TLS client. Subsequently, we ran the above demonstration with the patched OpenSSL and added the -allow_no_dhe_kex flag to the client and server commands.
Remark 3
We comment on OpenSSL’s implementation of TLS. The TLS 1.3 server application (s_server) of OpenSSL provides two flags, -no_dhe and -allow_no_dhe_kex, with the documented descriptions “Disable ephemeral DH” and “In TLS v1.3 allow non-(ec)dhe based key exchange on resumption,” respectively. Therefore, we expected that using these flags would cause the server to operate only in the psk_ke mode. However, this did not give the expected results, because the client always offers the psk_dhe_ke mode. We could not find an (intuitive) way to run the client in psk_ke mode. Therefore, we patched the client code to disable the psk_dhe_ke mode. This allows us to demonstrate that the Selfie attack is valid also in the psk_ke mode and not only in the psk_dhe_ke mode as above. Note that the attack relies on a property of TLS and not on a specific implementation of OpenSSL.
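Since the remark stresses that the weakness is a property of the protocol rather than of OpenSSL, the following added Python model (not code from the paper, from OpenSSL, or from the authors) strips the PSK handshake down to the two PSK-derived MACs that matter, the ClientHello binder and the server's Finished, so the root cause is visible without a network. With keys that depend on the PSK alone, a ClientHello reflected back to its own sender's server instance verifies and the "client" completes a session with itself; with a derivation in which each party also commits its own name to its own role, the reflected hello is rejected. The HKDF labels, the convention that the PSK identity names the client, and the ordered-pair context are assumptions of this toy model; they are not the TLS 1.3 key schedule and not the paper's exact mitigation.

```python
"""Toy model of the TLS 1.3 external-PSK handshake, reduced to the PSK-derived
binder and Finished MACs, to show why a reflected ClientHello verifies when one
host runs both roles with one PSK. Illustrative only: not the real key schedule."""
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) instantiated with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def expand_label(prk: bytes, label: bytes, context: bytes) -> bytes:
    """One-block HKDF-Expand with a TLS-style label prefix; 32-byte output (toy)."""
    return hmac.new(prk, b"tls13 " + label + context + b"\x01", hashlib.sha256).digest()


class Endpoint:
    """A host that owns one external PSK and may act as client or server.

    bound=False: keys depend on the PSK only (the situation the paper describes).
    bound=True : keys also depend on the ordered pair (client_name, server_name),
                 and each side plugs in its *own* name for its own role
                 (assumed hardening for illustration, not the paper's proposal).
    """

    def __init__(self, name: str, psk: bytes, bound: bool = False):
        self.name, self.psk, self.bound = name, psk, bound

    def keys(self, client_name: str, server_name: str):
        ctx = f"{client_name}|{server_name}".encode() if self.bound else b""
        early = hkdf_extract(b"\x00" * 32, self.psk)
        return expand_label(early, b"ext binder", ctx), expand_label(early, b"finished", ctx)

    # --- client role ---------------------------------------------------------
    def client_hello(self, server_name: str) -> dict:
        nonce = os.urandom(32)
        binder_key, _ = self.keys(self.name, server_name)
        body = self.name.encode() + b"|" + nonce          # toy: PSK identity names the client
        return {"client": self.name, "body": body,
                "binder": hmac.new(binder_key, body, hashlib.sha256).digest(),
                "_intended": server_name}                 # client's local state, never sent

    def client_verify(self, hello: dict, reply: dict) -> bool:
        _, fin_key = self.keys(self.name, hello["_intended"])
        transcript = hello["body"] + reply["nonce"]
        expected = hmac.new(fin_key, transcript, hashlib.sha256).digest()
        return hmac.compare_digest(expected, reply["finished"])

    # --- server role ---------------------------------------------------------
    def server_handle(self, hello: dict):
        """Return a ServerHello-like reply if the binder verifies, else None.
        The server uses self.name as the server position: it never lets the
        peer tell it who the server is."""
        binder_key, fin_key = self.keys(hello["client"], self.name)
        expected = hmac.new(binder_key, hello["body"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, hello["binder"]):
            return None
        nonce = os.urandom(32)
        finished = hmac.new(fin_key, hello["body"] + nonce, hashlib.sha256).digest()
        return {"nonce": nonce, "finished": finished}


def run_handshake(client: Endpoint, server: Endpoint, intended: str) -> bool:
    """The client believes it talks to `intended`; the hello actually reaches `server`."""
    hello = client.client_hello(intended)
    reply = server.server_handle(hello)
    return reply is not None and client.client_verify(hello, reply)


def selfie_demo(bound: bool) -> dict:
    """Constructed scenario: Alice (client role) intends Bob, and a mirror in the
    path delivers her hello to Alice's own server instance instead."""
    psk = b"constructed-shared-psk-0123456789abcdef"      # constructed sample value
    alice = Endpoint("Alice", psk, bound)
    bob = Endpoint("Bob", psk, bound)
    return {
        "alice_to_bob": run_handshake(alice, bob, intended="Bob"),
        "reflected_to_alice": run_handshake(alice, alice, intended="Bob"),
    }


if __name__ == "__main__":
    print("shared PSK only :", selfie_demo(bound=False))   # reflection completes
    print("role-bound keys :", selfie_demo(bound=True))    # reflection rejected
```

In the unbound run both dictionaries entries are True: Alice's server instance holds the same PSK as her client instance, derives the same binder key, and accepts the reflected hello, which is the Selfie outcome the appendix reports from the Mininet experiment. In the bound run the reflected hello fails because Alice-as-server computes the context "Alice|Alice" while Alice-as-client committed to "Alice|Bob"; the honest Alice-to-Bob run still succeeds because both sides compute "Alice|Bob". The same effect can be obtained more bluntly by provisioning a different PSK per direction, which is the operational reading of "one PSK, two parties, fixed roles".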
Drucker, N., Gueron, S. Selfie: reflections on TLS 1.3 with PSK. J Cryptol 34, 27 (2021). https://doi.org/10.1007/s00145-021-09387-y