Multi-Stage Key Exchange and the Case of Google’s QUIC Protocol Felix Günther
Multi-Stage Key Exchange
and the Case of Google’s QUIC Protocol
Marc Fischlin and Felix Günther
Technische Universität Darmstadt, Germany
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 1
Key Exchange
so far. . .
corruption
key reveal
eavesdroppig
active attacks
pkB , skA
pkA , skB
KE
BR ’93
$
???
test
K
BFWW @CCS’11
K
secure composition
Channel
Thanks to Giorgia Azzurra Marson for the drawings.
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 2
But what if. . . ?
pkB , skA
pkA , skB
KE
K1
K1
Channel(K1 )
“multi-stage KE”
K2
K2
Channel(K2 )
...
I
I
I
key exchange establishes more than one key?
. . . even uses the intermediary keys within the key exchange or channel?
not covered by KE models so far
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 3
Should we care?
I
QUIC (“Quick UDP Internet Connections”, Google 2013)
I
I
I
I
I
“low-latency transport protocol with security equivalent to TLS”
Diffie–Hellman-based key agreement
aims at 0-RTT, i.e., immediately encrypts under intermediate key K1
later rekeys to forward-secure K2
intermediate key K1 used to establish K2 (i.e., in KE part)
Client C
knows server’s pkS
ephemeral eskC , epkC
K1 = DH(eskC , pkS )
K2 = DH(eskC , epkS )
Server S
skS
epkC
{data}K1
{epkS }K1
{data}K2
Stage 1
K1 = DH(epkC , skS )
ephemeral eskS , epkS
K2 = DH(epkC , eskS )
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 4
Stage 2
Should we care?
I
QUIC (“Quick UDP Internet Connections”, Google 2013)
I
I
I
I
I
I
“low-latency transport protocol with security equivalent to TLS”
Diffie–Hellman-based key agreement
aims at 0-RTT, i.e., immediately encrypts under intermediate key K1
later rekeys to forward-secure K2
intermediate key K1 used to establish K2 (i.e., in KE part)
TLS with session resumption
I
I
I
I
I
client and server already established session and hold master key
client resumes session later
new session key is derived using (old) master key and fresh nonces
can also be though of as a multi-stage key exchange (keeps state)
related: TLS renegotiation considered as phases (GKS @ CCS’13)
but renegotiation is new key exchange, not reusing the master key
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 4
Model for Multi-Stage Key Exchange
corruption
key Ki reveal
eavesdroppig
pkB , skA
active attacks
pkA , skB
KE
???
K1
$
K1
test Ki
K2
...
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 5
K2
That’s it?
Model for Multi-Stage Key Exchange
Security Aspects to consider
I
(Session-)Key Dependence
I multi-stage ⇒ derived keys might build upon each other
I
we have to disallow trivial reveal queries
ex: QUIC
Client C
ephemeral eskC , epkC
K1 = DH(eskC , pkS )
Server S
epkC
{epkS }K1
K2 = DH(eskC , epkS )
K1 = DH(epkC , skS )
ephemeral eskS , epkS
K2 = DH(epkC , eskS )
disclosure of K1 compromises K2
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 6
Model for Multi-Stage Key Exchange
Security Aspects to consider
I
(Session-)Key Dependence
I multi-stage ⇒ derived keys might build upon each other
I
we have to disallow trivial reveal queries
I
I
key-dependent KE: disclosure of Ki before acceptance of Ki+1 compromises Ki+1
key-independent KE: disclosure of Ki before acceptance of Ki+1 without harm
I
Note: revealing Ki after acceptance of Ki+1 is okay (even with testing Ki+1 )
state of execution
K1
K1
K2
K2
K3
K3
key dependence
reveal K2
key dependence
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 6
Model for Multi-Stage Key Exchange
Security Aspects to consider (cont’d)
I
Forward Security
I multi-stage ⇒ forward security might kick in only at some stage j
I
has to be considered in case of corruptions
I
non-forward-secure KE: all session keys compromised by corruption
stage-j-forward-secure KE: accepted keys at stages i ≥ j remain secure
ex: QUIC aims at stage-2 forward security
I
I
Unilateral Authentication
I
I
I
I
(independent of multi-stage setting)
distinguish one side authenticated vs. both sides authenticated
unilateral authentication: only one side authenticated (here: responder)
mutual authentication: both sides authenticated
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 7
Model for Multi-Stage Key Exchange
Let’s talk about security. . .
Multi-Stage Security
I
Bellare–Rogaway-like key secrecy in the multi-stage setting
I
adversary has to distinguish real from random keys
I
adversary must not reveal and test same key (in single or partnered sessions)
I
Flavors
+
+
key-dependent
non-forward-secure
unilateral authentication
or
or
or
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 8
key-independent
stage-j-forward-secure
mutual authentication
Model for Multi-Stage Key Exchange
Multi-Stage Security Flavors
I
key dependence, forward security, unilateral authentication are orthogonal
I
in principle one can think of any combination
I
combinations form an ordered hierarchy
KD,1-FS,M
KD,M-FS,M
KD,2-FS,M
KD,1-FS,U
KI,NFS,U
KI,M-FS,U
KI,2-FS,U
KI,1-FS,U
KI,NFS,M
KI,M-FS,M
KI,2-FS,M
KI,1-FS,M
KD,2-FS,U
KD,NFS,M
KD,M-FS,U
KD,NFS,U
key-dependent (KD), stage-2-forward-secure (2-FS), unilateral authentication (U)
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 9
Model for Multi-Stage Key Exchange
pkB , skA
pkA , skB
KE
???
K1
K1
K2
K2
$
Channel
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 10
What about composition?
Composition
recap: BR-secure KE + symmetric-key protocol = secure composition (BFWW’11)
can we have the same for multi-stage key exchange?
Goal
I
secure multi-stage key exchange
(with some properties. . . )
I
+ symmetric-key protocol using keys of stage i
I
= secure composition
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 11
Composition
Our Composition Result
Take
I
secure multi-stage key exchange protocol
I
I
I
I
I
key-independent
stage-j-forward-secure
mutual authentication (extension to unilateral case possible)
efficient session matching (BFWW’11)
symmetric-key protocol
I
secure w.r.t. some security notion
session partnering deducible
from adversary communication
Then composition is secure for forward-secure stages (i ≥ j).
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 12
Composition
Proof idea (similar to BR-secure composition)
protocol1 ($)
1. key replacement
I
I
protocol2 ($)
gradually replace session keys Ki by random values (hybrid)
A distinguishes ⇒ we break Multi-Stage security
...
protocolλ ($)
protocolλ+1 (K)
...
2. reduction to protocol security
I all keys random ⇒ independent of KE
I
breaking is equivalent to breaking protocol security directly
composition
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 13
protocol
Composition
Proof ingredient example: key independence
I
guarantees that compromising (reveal) Ki 0 (i 0 < i) doesn’t affect stage-i keys
I
otherwise replacing Ki with random key can be inconsistent
...
reveal Ki 0
...
Ki 0
Ki 0
Ki
$
key dependence
hybrid proof step
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 14
Google’s Quick UDP Internet Connections
UDP (+ handling)
Client C
knows server’s pkS
ephemeral eskC , epkC
K1 = KDF (DH(n, eskC , pkS ))
K2 = KDF (DH(n, eskC , epkS ))
public scfg
(certified)
inchoate hello
scfg, [nonceS ]
strike
register
Server S
skS
KE
nonceC , epkC
{data}K1
{epkS }K1
{data}K2
K1 = KDF (DH(n, epkC , skS ))
ephemeral eskS , epkS
K2 = KDF (DH(n, epkC , eskS ))
AEAD: AES-GCM, Salsa20/Poly1305
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 15
Google’s QUIC
Client C
ephemeral eskC , epkC
K1 = KDF (DH(n, eskC , pkS ))
Server S
nonceC , epkC
{epkS }K1
K2 = KDF (DH(n, eskC , epkS ))
K1 = KDF (DH(n, epkC , skS ))
ephemeral eskS , epkS
K2 = KDF (DH(n, epkC , eskS ))
Our (Multi-Stage) Security Result for QUIC’s 0-RTT Key Exchange
I
key-dependent
I
stage-2-forward-secure
I
(responder-authenticated) unilateral
assuming
I
I
I
Gap-Diffie-Hellman is hard
authenticated channel for 2nd message {epkS }K1
(HMAC-based) key derivation function: extraction, expansion = random oracles
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 16
Google’s QUIC
What about Composition?
I
requirements:
I
I
I
key independence
stage-j forward security
mutual authentication
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 17
Google’s QUIC
What about Composition?
I
what QUIC achieves:
I
I
I
I
7
3
(3)
but QUIC can be easily turned into a key-independent variant QUICi:
I
I
I
key independence
stage-2 forward security
unilateral authentication
TLS-like idea: keep some (master) secret not exposed in Reveals
let an additional secret value from KDF in stage 1 enter KDF in stage 2
QUICi + composition result ⇒ (forward-)secure channels from stage 2
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 17
Summary
So far, KE models could not capture protocols that establish more than one key.
We
I
I
I
propose a model for multi-stage key exchange
give composition results under certain conditions
(session-key independence matters!)
show that Google’s QUIC is multi-stage secure
(key-dependent, stage-2-forward-secure, unilateral)
for our composition: add key-independence
Thank You!
November 6th, 2014 | ACM CCS 2014, Scottsdale, Arizona, USA | Felix Günther (TU Darmstadt) | 18
K1
K1
K2
K2
K3
K3
composition
Client C
ephemeral eskC , epkC
K1 = DH(eskC , pkS )
protocol
Server S
epkC
{epkS }K1
K2 = DH(eskC , epkS )
Reveal
K1 = DH(epkC , skS )
ephemeral eskS , epkS
K2 = DH(epkC , eskS )
© Copyright 2024