Session Resumption Protocols and Efficient Forward Security for TLS 1.3 0-RTT

Aviram, Nimrod; Gellert, Kai; Jager, Tibor

doi:10.1007/s00145-021-09385-0

Cited by 17 publications

(12 citation statements)

References 43 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The use of 0-RTT obviates the need of performing a challenge for every re-authentication through the use of a resumption secret r s , thus reducing latency. Another strong motivation for using this mechanism is that it is forward secure in the scenario we are using here [24]. We first briefly describe the TLS 0-RTT mechanism before describing a similarly inspired 0-RTT mechanism applied to the information reconciliation phase of our SKG mechanism.…”

Section: Resumption Protocolmentioning

confidence: 99%

“…When a client tries to reconnect to that server it includes its look-up identifier k l in the 0-RTT message, which allows the server to retrieve the resumption secret r s . Storing a unique resumption secret r s for each client requires server storage for each client but it provides forward security and resilience against replay attacks, when combined with a key generation mechanisms such as Diffie Hellman (or the SKG used in this paper) which are important goals for security protocols [24]. In our physical layer 0-RTT, given that a node identifier state would be required for linklayer purposes, the session cache places little comparative load and thus is the mechanism proposed here for (re-)authentication.…”

Section: Resumption Protocolmentioning

confidence: 99%

“…Note that the key k ′ can only be obtained if both the physical layer generated key and the resumption key are valid and this method can be shown to be forward secure [24].…”

Section: During the Information Reconciliation Phase Bothmentioning

confidence: 99%

“…In this study we introduce the joint use of PUF authentication and SKG in a zero-round-trip-time (0-RTT) [23,24] approach, allowing to build quick authentication mechanisms with forward security. Further, we develop an AE primitive [25][26][27] based on standard SKG schemes.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Authenticated Secret Key Generation in Delay Constrained Wireless Systems

Mitev¹,

Chorti²,

Reed³

et al. 2020

Preprint

View full text Add to dashboard Cite

With the emergence of 5G low latency applications, such as haptics and V2X, low complexity and low latency security mechanisms are needed. Promising lightweight mechanisms include physical unclonable functions (PUF) and secret key generation (SKG) at the physical layer, as considered in this paper. In this framework we propose i) a zero-round-trip-time (0-RTT) resumption authentication protocol combining PUF and SKG processes; ii) a novel authenticated encryption (AE) using SKG; iii) pipelining of the AE SKG and the encrypted data transfer in order to reduce latency. Implementing the pipelining at PHY, we investigate a parallel SKG approach for multi-carrier systems, where a subset of the subcarriers are used for SKG and the rest for data transmission. The optimal solution to this PHY resource allocation problem is identified under security, power and delay constraints, by formulating the subcarrier scheduling as a subset-sum 0 − 1 knapsack optimization. A heuristic algorithm of linear complexity is proposed and shown to incur negligible loss with respect to the optimal dynamic programming solution. All of the proposed mechanisms, have the potential to

show abstract

Section: Resumption Protocolmentioning

confidence: 99%

Section: Resumption Protocolmentioning

confidence: 99%

“…Note that the key k ′ can only be obtained if both the physical layer generated key and the resumption key are valid and this method can be shown to be forward secure [24].…”

Section: During the Information Reconciliation Phase Bothmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Authenticated Secret Key Generation in Delay Constrained Wireless Systems

Mitev¹,

Chorti²,

Reed³

et al. 2020

Preprint

View full text Add to dashboard Cite

show abstract

“…Such compression operations are at the heart of common hash functions like SHA256 and SHA512 [9], and are routinely assumed to behave pseudo-randomly. 2 The EtS construction of [10] starts with splitting the message input and optional associated-data input into sequences of blocks (m i ) and (ad i ). It then iteratively computes the MD hash value of these blocks, 3 where all message carrying parts are additionally protected by XORing the EtS key into the corresponding compression function input.…”

Section: Introductionmentioning

confidence: 99%

Efficiency Improvements for Encrypt-to-Self

Pijnenburg

Poettering

2020

Proceedings of the 2nd Workshop on Cyber-Security Arms Race

View full text Add to dashboard Cite

Recent work by Pijnenburg and Poettering (ESORICS'20) explores the novel cryptographic Encrypt-to-Self primitive that is dedicated to use cases of symmetric encryption where encryptor and decryptor coincide. The primitive is envisioned to be useful whenever a memory-bounded computing device is required to encrypt some data with the aim of temporarily depositing it on an untrusted storage device. While the new primitive protects the confidentiality of payloads as much as classic authenticated encryption primitives would do, it provides considerably better authenticity guarantees: Specifically, while classic solutions would completely fail in a context involving user corruptions, if an encrypt-to-self scheme is used to protect the data, all ciphertexts and messages fully remain unforgeable. To instantiate their encrypt-to-self primitive, Pijnenburg et al. propose a mode of operation of the compression function of a hash function, with a carefully designed encoding function playing the central role in the serialization of the processed message and associated data. In the present work we revisit the design of this encoding function. Without questioning its adequacy for securely accomplishing the encrypt-to-self job, we improve on it from a technical/implementational perspective by proposing modifications that alleviate certain conditions that would inevitably require implementations to disrespect memory alignment restrictions imposed by the word-wise operation of modern CPUs, ultimately leading to performance penalties. Our main contributions are thus to propose an improved encoding function, to explain why it offers better performance, and to prove that it provides as much security as its predecessor. We finally report on our open-source implementation of the encrypt-to-self primitive based on the new encoding function. For the full version of this article, see arXiv:2009.02667. CCS CONCEPTS • Security and privacy → Symmetric cryptography and hash functions.

show abstract

A Formal Security Analysis of Session Resumption Across Hostnames

Gellert

Handirk

2021

Computer Security – ESORICS 2021

View full text Add to dashboard Cite

Session Resumption Protocols and Efficient Forward Security for TLS 1.3 0-RTT

Cited by 17 publications

References 43 publications

Authenticated Secret Key Generation in Delay Constrained Wireless Systems

Authenticated Secret Key Generation in Delay Constrained Wireless Systems

Efficiency Improvements for Encrypt-to-Self

A Formal Security Analysis of Session Resumption Across Hostnames

Contact Info

Product

Resources

About