4: Cryptography and TLS

Need for Encryption

It’s always possible for Internet traffic to go to the wrong places - you can’t control where packets go and everyone would be able to see what you send.

Needham-Schroeder Public Key Protocol

A protocol that sets up a symmetric key between two parties using public keys.

Needham-Schroeder Protocol - Notation

• A → B: E_B(N_a, A)

  • Alice encrypts a message with Bob’s public key, saying “I am Alice and here is my nonce”

• B → A: E_A(N_a, N_b)

  • Bob encrypts a message with Alice’s public key, saying “Here’s your nonce back to prove I am the person you sent the message to, here’s mine too”

• A → B: E_B(N_b)

  • Alice returns Bob’s nonce encrypted with his public key, proving it is her.

Needham-Schroeder Protocol - Vulnerability

Can be MITM’d, with an adversary - C - pretending to be A.

• A → C: E_C(N_a, A)

  • C(A) → B: E_B(N_a, A)

• B → C(A): E_A(N_a, N_b)

  • C → A: E_A(N_a, N_b)

• A → C: E_C(N_b)

  • C(A) → B: E_B(N_b)

A knows it’s talking to C, but B thinks it’s talking to A when it’s actually talking to C.

Forward Secrecy

A protocol that even if an attacker has a recording and long term keys of the principal, cannot be broken.

Station to Station Protocol (STS)

A key exchange protocol that achieves forward secrecy by discarding important values after the protocol has finished.

Station to Station Protocol (STS) - Notation

• A → B: g^x

• B → A: g^y, {S_B(g^y, g^x)}_g^xy

• A → B: {S_A(g^y, g^x)}_g^xy

• B → A: {M}_g^xy

x, y and g^xy are discarded after the protocol is run, with keys only used for signing to verify both identities.

Diffie-Hellman Key Exchange

A key exchange algorithm that relies on computational intensity, picking a large prime number and a primitive root.

Diffie-Hellman Key Exchange - Process

• Two parameters, p and g, are chosen and shared in plaintext

  • p is a prime number

  • g is a primitive root

  • g < p and gcd(g, p - 1) = 1

• Each party chooses a value between 2 and p - 2.

  • A = g^a mod p

  • B = g^b mod p

• A and B are shared with the other party.

• A shared key is then derived:

  • K = B^a = g^ba

  • K = A^b = g^ab

Important/Ideal Properties in a Protcol

• They must provide secrecy

• The keys must be fresh

• Both parties should authenticate who they’re talking to

• The protocol should be forward secret

• The protocol should not support weak cipher suites

• The protocol should not allow KCI (key compromise impersonation) attacks

• The protocol should not be overly complex or have lots and lots of different modes

Transport Layer Security (TLS)

A form of encryption used on the Internet as part of HTTPS.

Transport Layer Security (TLS) - Notation

• C → S: N_c, possible ciphersuites

• S → C: N_s, Cert_s, chosen ciphersuite

• C → S: E_S(K_seed), {Hash1}_Kcs

  • Where Hash1 = #(N_C, N_S, E_S(K_seed))

• S → C: {Hash2}_Kcs

  • Where Hash2 = #(N_C, N_S, E_S(K_seed), {Hash1}_Kcs)

K_CS is a session key based on the key derivation function (KDF) that uses N_C, N_S and K_seed.

TLS-DHE

An extension of TLS1.2 that uses Diffie-Hellman to make the protocol forward secret.

TLS-DHE - Notation

• C → S: N_c, possible ciphersuites

• S → C: N_s, g^x, Cert_S, Sign_S(#(N_C, N_S, g^x)), chosen ciphersuite

• C → S: g^y, {#(all previous messages)}_K

• S → C: {#(all previous messages)}_K

K = kdf(N_C, N_S, g^xy)

TLS - Authentication

Only server authentication is done, but client authentication can be done as well by having the client send their certificate over and verified accordingly.

TLS1.2 Deprecation

It had a lot of configurable options (e.g. client certification) that made it vulnerable - there were attacks against rare options, certain ciphersuites and implementation errors.

• It also required 2 round-trips before sending data.

Key Compromise Impersonation Attacks

Any client with a known key can be fooled into thinking it’s talking to someone else.

KCI with Static DHE and Client Certificates

• C → S: N_C, possible ciphersuites

• S → A(C): N_S, Cert_S, g^x, Sign_S(#(N_C, N_S, g^x))

  • A(S) → C: N_S, Cert_S, g^x, Sign_S(#(N_C, N_S, g^x)), Request Cert

• C → A(S): g^c, Cert_C(g^c), {#(previous message)}_{kdf(Nc, Ns, g^xc)}

  • Because of Cert(g^c), the attacker now knows c and can find g^xc (the key)

• A(S) → C: {#(previous message)}_{kdf(Nc, Ns, g^xc)}

TLS v1.3

An upgrade of TLS from 1.2 that attempts to resolve the issues 1.2 had.

TLS v1.3 - Forward Secrecy

Uses Diffie-Hellman from the very start to include forward secrecy in every communication.

TLS v1.3 - Notation

• C → S: N_C, ciphersuites, g^x

• S → C: N_S, ciphersuites, g^y,

  • {Certificate: (pk_s)}_{kdf1(g^xym log1)},

  • {CertVerify: (sign_skS (H(log2))}_{kdf1(g^xy, log1)},

  • {Finished: mac_{kdf2(g^xy, log1)}(H(log3))}_{kdf1(g^xy, log1)}

• C → S: {Finished: mac_{kdf3(g^xy, log1)}(H(log4))}_{kdf4(g^xy, log1)}

  • Data encrypted with kdf5(g^xy, log5)

• S → C: Data encrypted with kdf6(g^xy, log5)

log(x) is a log of all previous messages.