TLS PRF Considered Harmful Issues with implementing Hardware Security Module Support for TLS.

Slides:



Advertisements
Similar presentations
Chapter 3 Public Key Cryptography and Message authentication.
Advertisements

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
CT-KIP Magnus Nyström, RSA Security 23 May Overview A client-server protocol for initialization (and configuration) of cryptographic tokens —Intended.
Lecture 5: Cryptographic Hashes
Web security: SSL and TLS
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Digital Signatures and Hash Functions. Digital Signatures.
Information Security Principles & Applications Topic 4: Message Authentication 虞慧群
CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Chalmers University of Technology Wireless security Breaking WEP and WPA.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Temporal Key Integrity Protocol (TKIP) Presented By: Laxmi Nissanka Rao Kim Sang Soo.
Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.
IEEE Wireless Local Area Networks (WLAN’s).
Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Dan Boneh Odds and ends Key Derivation Online Cryptography Course Dan Boneh.
Tolga Acar 24 Feb Distributed Key Management and Cryptographic Agility.
Key Management Lifecycle. Cryptographic key management encompasses the entire lifecycle of cryptographic keys and other keying material. Basic key management.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
TLS 1.2 and NIST SP A Tim Polk November 10, 2006.
PKCS11 Key Protection And the Insider Threat.
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
Key Management Workshop November 1-2, Cryptographic Algorithms, Keys, and other Keying Material  Approved cryptographic algorithms  Security.
Practices in Security Bruhadeshwar Bezawada. Key Management Set of techniques and procedures supporting the establishment and maintenance of keying relationships.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
SIP Security BY, Vivek Nemarugommula. vulnerabilities Registration Hijacking.
The Misuse of RC4 in Microsoft Office A paper by: Hongjun Wu Institute for Infocomm Research, Singapore ECE 578 Matthew Fleming.
“Implementation of a RC5 block cipher algorithm and implementing an attack on it” Cryptography Team Presentation 1.
1 CIS 5371 Cryptography 4. Message Authentication Codes B ased on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography.
SSL (TLS) Part 2 Generating the Premaster and Master Secrets + Encryption.
SMUCSE 5349/7349 SSL/TLS. SMUCSE 5349/7349 Layers of Security.
Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions.
1 /10 Pascal URIEN, IETF 72 rd, Monday July 28 th Dublin, Ireland draft-urien-tls-keygen-00.txt TLS Key Generation
Your Wireless Network has No Clothes* William A. Arbaugh, Narendar Shankar Y.C. Justin Wan University of Maryland Presentation by Eddy Purnomo,
PKCS #5: Password-Based Cryptography Standard
ANSI X9.44 and IETF TLS Russ Housley and Burt Kaliski RSA Laboratories November 2002.
Authentication has three means of authentication Verifies user has permission to access network 1.Open authentication : Each WLAN client can be.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
PKCS #5 v2.0: Password-Based Cryptography Standard
8-1 CSE 4707/5850 Network Security (2) SSL/TLS. 8-2 Think about Google or YouTube  Desired properties  Indeed the other side is Google or YouTube server.
6.033 Quiz3 Review Spring How can we achieve security? Authenticate agent’s identity Verify the integrity of the request Check the agent’s authorization.
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
หัวข้อบรรยาย Stream cipher RC4 WEP (in)security LFSR CSS (in)security.
© Synopsys IP Licensing Recommendations for P1735 Rev 4/16/12.
RSA Laboratories’ PKCS Series - a Tutorial
TinySec: Security for TinyOS
CSE 4095 Transport Layer Security TLS
Cryptography Lecture 12.
Cryptography Lecture 10.
Unit 2 “Implementation of a RC5 block cipher algorithm and implementing an attack on it”
Cryptography Lecture 11.
Chapter -7 CRYPTOGRAPHIC HASH FUNCTIONS
Cryptography Lecture 12.
Cryptography Lecture 10.
Cryptography Lecture 9.
Cryptography Lecture 11.
Cryptography Lecture 10.
Presentation transcript:

TLS PRF Considered Harmful Issues with implementing Hardware Security Module Support for TLS

Multi-use PRF Issues came up with defining TLS mechanisms for PKCS11 PRF is used in functions which produce both public (e.g. finish message tag, IVs) and private (key material) data The Key Derivation Function based on the PRF produces both public and private data – PRF (master_key, “key expansion”, otherpublicdata) => 2 mac, 2 encryption, 2 ivs. – Single key stream sliced into pieces – But what happens if we re-run the KDF with same params, but request 0 length mac, 0 length encryption keys? Key material leaks to IVs. This makes implementing hardware protection difficult If you can call the TLS_PRF directly with the same key, it’s even more trivial to extract key secrets.

Proposed solution Cryptographically isolate the three types of data produced by PRF – PRF is no longer a directly callable construct, but a part of the other constructs – Build a TLS_MAC construct which only produces public data (integrity tag for finished message).. – Build a TLS_KDF construct which only produces private key data Mix-in length of keys and possibly types of keys. Provide a fixed label string for the construct that’s mixed in with any user provided label. – Build a TLS_RANDOM_DATA construct which only produces pseudo-random data. (E.g. use this for IV’s) Provide a fixed label string for the construct that’s mixed in with any user provided label. Ensure that these three constructs are cryptographically isolated from each other. I.e., even if same user label, key and random data are used in multiple constructs, the output streams can’t be replicated by a different construct.

Details TLS_MAC ::= PRF (secret,”mac tls”, finished_label, Hash(handshake_messages)) – Produces public integrity tag TLS_KDF ::= PRF (secret, “kdf tls”, label, keyLength 1 [,keyLength N * …],public_data) – Key stream is   1..N keyLength bytes split into N keys. – No mixing of key and IV’s on output. TLS_RANDOM_DATA ::= PRF (secret, “rand tls”, label, public_data) – Produces generic public data.

Threat Model Insider has access to HSM token credentials. Can reuse the keys in the token, but can’t necessarily extract them. Prevent back door extraction of TLS session keys.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.