generalization and modularization of the acce modelroeslpa.de/files/180626_skech_macce.pdf ·...
TRANSCRIPT
2018-06-11
Horst Görtz Institute for IT Security
Chair for Network and Data Security
Generalization and Modularization of the ACCE Model
SKECH Workshop
Benjamin Dowling, Paul Rösler, Jörg Schwenk
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 2
Agenda
• Key Exchange + Channel = ?
• Generalization of ACCE
• Modularization of ACCE
• Application to Noise
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 3
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
●
k k
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 4
c
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
●
k k
m m
f(k)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 5
c
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
●
k
m m
f(k)
k
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 6
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
• Key exchange and symmetric protocol
• Fischlin, Günther: Multi-Stage Key Exchange and
the Case of Google's QUIC Protocol CCS14
●
k k
k k
k k
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 7
c
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
• Key exchange and symmetric protocol
• Fischlin, Günther: Multi-Stage Key Exchange and
the Case of Google's QUIC Protocol CCS14
●
k k
m m
c
k k
m m
c
k k
m m
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 8
c
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
• Key exchange and symmetric protocol
• Fischlin, Günther: Multi-Stage Key Exchange and
the Case of Google's QUIC Protocol CCS14
●
k k
m m
c
k k
m m
c
k k
m m
Authentication from first message
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 9
c
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
• Key exchange and symmetric protocol
• Fischlin, Günther: Multi-Stage Key Exchange and
the Case of Google's QUIC Protocol + DFGS15
●
k k
m m
c
k k
m m
c
k k
m m
Authentication more modular
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 10
c
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
• Key exchange and symmetric protocol
• Fischlin, Günther: Multi-Stage Key Exchange and
the Case of Google's QUIC Protocol + DFGS15 +
FG17
●
k k
m m
c
k k
m m
c
k k
m mReplay attacks
allowed, internal keys…?!
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 11
c
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
• Key exchange and symmetric protocol
• Fischlin, Günther: Multi-Stage Key Exchange and
the Case of Google's QUIC Protocol + DFGS15 +
FG17
●
k k
m m
c
k k
m m
c
k k
m m
f(k)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 12
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
• Key exchange and symmetric protocol
• Fischlin, Günther: Multi-Stage Key Exchange and
the Case of Google's QUIC Protocol + DFGS15 +
FG17
• Two stage channel establishment
• Lychev et al.: How Secure and Quick is QUIC?
Provable Security and Performance Analyses
S&P15
●
c
k k
m m
c
k k
m m
f(k)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 13
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
• Key exchange and symmetric protocol
• Fischlin, Günther: Multi-Stage Key Exchange and
the Case of Google's QUIC Protocol + DFGS15 +
FG17
• Two stage channel establishment
• Lychev et al.: How Secure and Quick is QUIC?
Provable Security and Performance Analyses
S&P15
• What is so new about it?
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 14
c
Generic and Modular ACCE
• What is so new about it?• Generic model
(i.e., independent ofanalyzed protocol)
●
k k
m m
c
k k
m m
c
k k
m m
f(k)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 15
c
Generic and Modular ACCE
• What is so new about it?• Generic model
(i.e., independent ofanalyzed protocol)
• Channel security under key usage in KE, full modularity for security properties
●
k k
m m
c
k k
m m
c
k k
m m
f(k)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 16
Generic and Modular ACCE
• What is so new about it?• Generic model
(i.e., independent ofanalyzed protocol)
• Channel security under key usage in KE, full modularity for security properties
• Allows to analyze protocols as they are
• Signal*
• Noise
→ Wireguard
* Composition of X3DH and DRAlg?
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
Key Exchange + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 18
Generalization of ACCE
• ACCE modeled with TLS 1.2 in mind
• QACCE modeled with QUIC in mind
• ACCE is an own primitive
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 19
Generalization of ACCE
• ACCE modeled with TLS 1.2 in mind
• QACCE modeled with QUIC in mind
• ACCE is an own primitive
• Generically:• No distinct key (e.g., suppose asymmetric PKE channels)
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 20
Generalization of ACCE
• ACCE modeled with TLS 1.2 in mind
• QACCE modeled with QUIC in mind
• ACCE is an own primitive
• Generically:• No distinct key (e.g., suppose asymmetric PKE channels)• No pre-/post accept phase (see e.g., QUIC, TLS 1.3, Noise)
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 21
Generalization of ACCE
• ACCE modeled with TLS 1.2 in mind
• QACCE modeled with QUIC in mind
• ACCE is an own primitive
• Generically:• No distinct key (e.g., suppose asymmetric PKE channels)• No pre-/post accept phase (see e.g., QUIC, TLS 1.3, Noise)• First ping-pong, then concurrency not mandatory (e.g., channel per stage bidirectional)
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 22
Generalization of ACCE
• ACCE modeled with TLS 1.2 in mind
• QACCE modeled with QUIC in mind
• ACCE is an own primitive
• Generically:• No distinct key (e.g., suppose asymmetric PKE channels)• No pre-/post accept phase (see e.g., QUIC, TLS 1.3, Noise)• First ping-pong, then concurrency not mandatory (e.g., channel per stage bidirectional)• Length-hiding an intrinsic property?
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 23
Generalization of ACCE
• ACCE modeled with TLS 1.2 in mind
• QACCE modeled with QUIC in mind
• ACCE is an own primitive
• Generically:• No distinct key (e.g., suppose asymmetric PKE channels)• No pre-/post accept phase (see e.g., QUIC, TLS 1.3, Noise)• First ping-pong, then concurrency not mandatory (e.g., channel per stage bidirectional)• Length-hiding an intrinsic property?• Initiator = client, responder = server, unilateral authentication = server authentication?
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 24
Generalization of ACCE
• ACCE modeled with TLS 1.2 in mind
• QACCE modeled with QUIC in mind
• ACCE is an own primitive
contains whole transcript
• Generically:• No distinct key (e.g., suppose asymmetric PKE channels)• No pre-/post accept phase (see e.g., QUIC, TLS 1.3, Noise)• First ping-pong, then concurrency not mandatory (e.g., channel per stage bidirectional)• Length-hiding an intrinsic property?• Initiator = client, responder = server, unilateral authentication = server authentication?
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
Key Exchange + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 26
Modularization of ACCE
• Channel can provide several properties• Authentication
• KCI resistance
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 27
Modularization of ACCE
• Channel can provide several properties• Authentication
• KCI resistance
• Forward secrecy
• Resistance against replay attacks
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 28
Modularization of ACCE
• Channel can provide several properties• Authentication
• KCI resistance
• Forward secrecy
• Resistance against replay attacks
• Resistance against weak randomness
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 29
Modularization of ACCE
• Channel can provide several properties• Authentication
• KCI resistance
• Forward secrecy
• Resistance against replay attacks
• Resistance against weak randomness
• We keep channel simple (i.e., stAE)
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 30
Modularization of ACCE
• Channel can provide several properties• Authentication
• KCI resistance
• Forward secrecy
• Resistance against replay attacks
• Resistance against weak randomness
• We keep channel simple (i.e., stAE)
• Properties can be reached…• … for each party separately
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 31
Modularization of ACCE
• Channel can provide several properties• Authentication
• KCI resistance
• Forward secrecy
• Resistance against replay attacks
• Resistance against weak randomness
• We keep channel simple (i.e., stAE)
• Properties can be reached…• … for each party separately
• … at different stages during the protocol execution (via round trips [RTs])
●
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 32
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• Round trips:
●
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 33
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• Round trips:• Interaction between parties
• Denote epochs in communication
●
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 34
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• Round trips:• Interaction between parties
• Denote epochs in communication
• No keys to defines stages (as in MS-KE)
●
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 35
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• Round trips:• Interaction between parties
• Denote epochs in communication
• No keys to defines stages (as in MS-KE)
• Usual in KE, ratcheting (see Signal, Bertram’s talk)
●
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 36
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• Round trips:• Interaction between parties
• Denote epochs in communication
• No keys to defines stages (as in MS-KE)
• Usual in KE, ratcheting (see Signal, Bertram’s talk)
• Further extension within RTs• Too complex for the use-case here
●
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 37
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• For each party separately:
●
m
m
m
m
m
m
…
…
…
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 38
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• For each party separately:• Authentication A-to-B with message A-to-B
●
m
m
m
m
m
m
…
…
…
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 39
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• For each party separately:• Authentication A-to-B with message A-to-B
• E.g. resistance against weak randomnessnot direction-dependent
●
m
m
m
m
m
m
…
…
…
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 40
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• For each party separately:• Authentication A-to-B with message A-to-B
• E.g. resistance against weak randomnessnot direction-dependent
• 5*2+1 counters index our security definition:aui,aur, kci,kcr, fsi,fsr, rpi,rpr, ori,orr,eck ∈ {0,0.5,1,1.5,… ,∞}
●
m
m
m
m
m
m
…
…
…
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 41
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• For each party separately:• Authentication A-to-B with message A-to-B
• E.g. resistance against weak randomnessnot direction-dependent
• 5*2+1 counters index our security definition:aui,aur, kci,kcr, fsi,fsr, rpi,rpr, ori,orr,eck ∈ {0,0.5,1,1.5,… ,∞}
●
m
m
m
m
m
m
…
…
…
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 42
Modularization of ACCE
• Adversary has to guess a challenge bit• Enc and Dec embed challenges (stAE)
●
m
m
m
m
m
m
…
…
…
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 43
Modularization of ACCE
• Adversary has to guess a challenge bit• Enc and Dec embed challenges (stAE)
• Adversarial behavior leaks bits of someRTs, but some must stay secure
→ Challenge bits for each RT
●
m
m
m
m
m
m
…
…
…
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 44
Modularization of ACCE
• Adversary can• Actively attack sessions
• Corrupt parties
• Reveal session randomness
●
m
m
m
m
m
m
…
…
…
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 45
Modularization of ACCE
• Adversary can• Actively attack sessions
• Corrupt parties
• Reveal session randomness
• Reveal session states• There are no keys anymore (by syntax)
●
m
m
m
m
m
m
…
…
…
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 46
Modularization of ACCE
• Adversary can• Actively attack sessions
• Corrupt parties
• Reveal session randomness
• Reveal session states• There are no keys anymore (by syntax)
• What does independence of sessions mean inprotocols of long duration (idea of Reveal in BR93)?
●
m
m
m
m
m
m
…
…
…
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 47
Modularization of ACCE
• Adversary can• Actively attack sessions
• Corrupt parties
• Reveal session randomness
• Reveal session states• There are no keys anymore (by syntax)
• What does independence of sessions mean inprotocols of long duration (idea of Reveal in BR93)?
• What are the effects of replay attacks w.r.t. session independence?
●
m
m
m
m
m
m
…
…
…
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 48
Modularization of ACCE
• Resistance against replay attacks• Within session modeled by stateful AE
●
m
m
m
m
m
m
…
…
…
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 49
Modularization of ACCE
• Resistance against replay attacks• Within session modeled by stateful AE
• Inter session: Impact of state Reveal
• Not only dependents on symmetric key
• Also on ephemeral asymmetric secrets
●
m
m
m
m
m
m
…
…
…
gB
ga
f(gaB)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 50
Modularization of ACCE
• Resistance against replay attacks• Within session modeled by stateful AE
• Inter session: Impact of state Reveal
rpi,rpr denote RT after which revealedstate cannot be used to reestablishsession
• Not only dependents on symmetric key
• Also on ephemeral asymmetric secrets
●
m
m
m
m
m
m
…
…
…
gB
ga
f(gaB)
Key Exchange + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 52
Application to Noise
• Protocol framework for channel establishment• using DH group, AEAD, hash function, KDF
• for different scenarios (15 patterns):
●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 53
Application to Noise
• Protocol framework for channel establishment• using DH group, AEAD, hash function, KDF
• for different scenarios (15 patterns):• Who knows whom a priori?
• Who should authenticate?
• How fast should messages be transmitted?
• Which further properties shall be reached(forward secrecy, identity hiding, …)?
●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 54
Application to Noise
• Protocol framework for channel establishment• using DH group, AEAD, hash function, KDF
• for different scenarios (15 patterns):
• implemented in Java, C, Haskell, Python, Javascript, …
• used in WhatsApp, Wireguard, Slack, …
• for homogenous networks(i.e., all parties are configured equally)
●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 55
Application to Noise
• Protocol framework for channel establishment• using DH group, AEAD, hash function, KDF
• for different scenarios (15 patterns):
• implemented in Java, C, Haskell, Python, Javascript, …
• used in WhatsApp, Wireguard, Slack, …
• for homogenous networks(i.e., all parties are configured equally)
• Security claimed but not proven yet• Concurrent work by Nadim Kobeissi
(noiseexplorer.com) using ProVerif
●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 56
Application to Noise●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 57
Application to Noise●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 58
Application to Noise●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 59
Application to Noise●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 60
Application to Noise●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 61
Application to Noise●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 62
Application to Noise
• Security claimed but not proven yet• Authentication + KCI resistance
●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 63
Application to Noise
• Security claimed but not proven yet• Authentication + KCI resistance
• Confidentiality + Forward secrecy+ Resistance against replay attacks
●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 64
Application to Noise
• Security claimed but not proven yet• Authentication + KCI resistance
• Confidentiality + Forward secrecy+ Resistance against replay attacks
●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 65
Application to Noise
• Security claimed but not proven yet• Authentication + KCI resistance
• Confidentiality + Forward secrecy+ Resistance against replay attacks
●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 66
Application to Noise
• Security claimed but not proven yet• Authentication + KCI resistance
• Confidentiality + Forward secrecy+ Resistance against replay attacks
●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 67
Application to Noise
• Security claimed but not proven yet• Authentication + KCI resistance
• Confidentiality + Forward secrecy+ Resistance against replay attacks
●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 68
Application to Noise
• Security claimed but not proven yet• Authentication + KCI resistance
• Confidentiality + Forward secrecy+ Resistance against replay attacks
●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 69
Application to Noise
• Security claimed but not proven yet• Authentication + KCI resistance
• Confidentiality + Forward secrecy+ Resistance against replay attacks
• Resistance against weak randomness
●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 70
Application to Noise●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 71
Application to Noise●
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 72
Outlook
• Generalization of ACCE
• Modularization of ACCE(as MS-KE modularizes BR93)
• Computational security proofs for Noise
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 73
Outlook
• Generalization of ACCE
• Modularization of ACCE(as MS-KE modularizes BR93)
• Computational security proofs for Noise
• Further extensions regarding• Intra-epoch properties• Channel properties
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 74
Outlook
• Generalization of ACCE
• Modularization of ACCE(as MS-KE modularizes BR93)
• Computational security proofs for Noise
• Further extensions regarding• Intra-epoch properties• Channel properties
• Further properties of Noise• Negotiation• Identity hiding
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 75
Outlook
• Generalization of ACCE
• Modularization of ACCE(as MS-KE modularizes BR93)
• Computational security proofs for Noise
• Further extensions regarding• Intra-epoch properties• Channel properties
• Further properties of Noise• Negotiation• Identity hiding
• Discussions• What means sessions are independent
in protocols of long duration?
• Is ACCE as bad as it is advertised?
• What can MS-KE learn from our model?
• Can abstract (MS-)KE with channel in which key is used to a higher level?