Organizer: Daniel Demmler
Secure connections are at the heart of today's Internet infrastructure, protecting the confidentiality, authenticity, and integrity of communications. Cryptographically, secure connections consist of two building blocks. First, a key-exchange protocol is run to establish a shared secret key between two parties over an insecure connection. Then, a secure-channel protocol uses the established key to securely transport the actual application data. In this talk, I will present some of our insights into the design and security of recent protocols for establishing secure connections, with a particular focus on the upcoming Transport Layer Security (TLS) protocol version 1.3.
In the first part, I will discuss the key-exchange component. Recent protocol designs challenge traditional security models by establishing more than one key and, moreover, already using those keys within the key-exchange phase. For such settings, I will introduce our multi-stage key exchange security model, an extension of the classical Bellare–Rogaway model to protocols establishing multiple keys, which we also used to analyze Google's QUIC protocol. I will then present the results of our recent security analyses of several draft versions of TLS 1.3, covering the main (EC)DHE handshake as well as the abbreviated pre-shared key/resumption and 0-RTT (zero round-trip time) handshakes.
In the second part, I will focus on the secure-channel component. While classical models for secure channels consider the transport of discrete messages, many practical protocols (including TLS, SSH, and QUIC) offer streaming interfaces and may deliver arbitrary fragments of messages. This has, in the past, led to a mismatch between the provable security guarantees for secure channels and their real-world security, enabling critical attacks on, e.g., SSH and TLS. I will present our recent study of stream-based channels and their security, which addresses this deficiency. In this context, we introduce notions of confidentiality and integrity for such channels that take the peculiarities of streams into account. Our generic construction of a stream-based channel from authenticated encryption, beyond demonstrating feasibility, matches the one used in TLS rather well and hence, as a side effect, also provides validation of that protocol's design.
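To make the stream setting above concrete, here is an added example (not the talk's or the authors' construction): a minimal record-based channel in which the sender authenticates each record with an encrypt-then-MAC scheme built from HMAC-SHA256 (a constructed stand-in for a real AEAD, not a production cipher), and the receiver accepts transport fragments of arbitrary size, releasing plaintext only from records whose tag and sequence number verify. The record layout (2-byte length, ciphertext, 32-byte tag) is an assumption chosen for the example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(key, seq, n):
    # Toy keystream: HMAC-SHA256(key, seq || counter) blocks. Constructed as an
    # AEAD stand-in so the example runs with the standard library only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">QI", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


class StreamSender:
    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key, self.seq = enc_key, mac_key, 0

    def send(self, plaintext):
        """Return one record: len(2) || ciphertext || tag. The tag binds the
        record sequence number, so reordered or replayed records fail."""
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(self.enc_key, self.seq, len(plaintext))))
        header = struct.pack(">H", len(ct))
        tag = hmac.new(self.mac_key, struct.pack(">Q", self.seq) + header + ct, hashlib.sha256).digest()
        self.seq += 1
        return header + ct + tag


class StreamReceiver:
    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key, self.seq, self.buf = enc_key, mac_key, 0, b""

    def recv(self, fragment):
        """Absorb a transport fragment of any size; return the plaintext of
        every record completed so far. Raises on any integrity failure."""
        self.buf += fragment
        out = b""
        while len(self.buf) >= 2:
            (n,) = struct.unpack(">H", self.buf[:2])
            total = 2 + n + TAG_LEN
            if len(self.buf) < total:
                break  # partial record: wait for more bytes, release nothing
            header, ct, tag = self.buf[:2], self.buf[2:2 + n], self.buf[2 + n:total]
            expected = hmac.new(self.mac_key, struct.pack(">Q", self.seq) + header + ct, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                raise ValueError("record %d failed integrity check" % self.seq)
            out += bytes(a ^ b for a, b in zip(ct, _keystream(self.enc_key, self.seq, n)))
            self.seq += 1
            self.buf = self.buf[total:]
        return out
```

Feeding the wire bytes to the receiver in 1-byte or 7-byte chunks yields the same plaintext stream as feeding them whole, while a flipped ciphertext byte or a swapped record order is rejected before any of that record's data is released.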
Felix Günther is a Ph.D. candidate in Computer Science at Technische Universität Darmstadt, Germany, and a member of Professor Marc Fischlin's group “Cryptography and Complexity Theory”. His research interests are the privacy and (provable) security of cryptographic protocols, with a particular focus on key-exchange protocols and secure channels.