Presentation is loading. Please wait.

Presentation is loading. Please wait.

TLS PRF Considered Harmful Issues with implementing Hardware Security Module Support for TLS.

Published byBarrie McCoy Modified over 8 years ago

Similar presentations

Presentation on theme: "TLS PRF Considered Harmful Issues with implementing Hardware Security Module Support for TLS."— Presentation transcript:

1 TLS PRF Considered Harmful Issues with implementing Hardware Security Module Support for TLS

2 Multi-use PRF Issues came up with defining TLS mechanisms for PKCS11 PRF is used in functions which produce both public (e.g. finish message tag, IVs) and private (key material) data The Key Derivation Function based on the PRF produces both public and private data – PRF (master_key, “key expansion”, otherpublicdata) => 2 mac, 2 encryption, 2 ivs. – Single key stream sliced into pieces – But what happens if we re-run the KDF with same params, but request 0 length mac, 0 length encryption keys? Key material leaks to IVs. This makes implementing hardware protection difficult If you can call the TLS_PRF directly with the same key, it’s even more trivial to extract key secrets.

3 Proposed solution Cryptographically isolate the three types of data produced by PRF – PRF is no longer a directly callable construct, but a part of the other constructs – Build a TLS_MAC construct which only produces public data (integrity tag for finished message).. – Build a TLS_KDF construct which only produces private key data Mix-in length of keys and possibly types of keys. Provide a fixed label string for the construct that’s mixed in with any user provided label. – Build a TLS_RANDOM_DATA construct which only produces pseudo-random data. (E.g. use this for IV’s) Provide a fixed label string for the construct that’s mixed in with any user provided label. Ensure that these three constructs are cryptographically isolated from each other. I.e., even if same user label, key and random data are used in multiple constructs, the output streams can’t be replicated by a different construct.

4 Details TLS_MAC ::= PRF (secret,”mac tls”, finished_label, Hash(handshake_messages)) – Produces public integrity tag TLS_KDF ::= PRF (secret, “kdf tls”, label, keyLength 1 [,keyLength N * …],public_data) – Key stream is   1..N keyLength bytes split into N keys. – No mixing of key and IV’s on output. TLS_RANDOM_DATA ::= PRF (secret, “rand tls”, label, public_data) – Produces generic public data.

5 Threat Model Insider has access to HSM token credentials. Can reuse the keys in the token, but can’t necessarily extract them. Prevent back door extraction of TLS session keys.

Download ppt "TLS PRF Considered Harmful Issues with implementing Hardware Security Module Support for TLS."

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
CT-KIP Magnus Nyström, RSA Security 23 May 2005. Overview A client-server protocol for initialization (and configuration) of cryptographic tokens —Intended.

CT-KIP Magnus Nyström, RSA Security 23 May Overview A client-server protocol for initialization (and configuration) of cryptographic tokens —Intended.
Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Web security: SSL and TLS

Web security: SSL and TLS
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.

Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Information Security Principles & Applications Topic 4: Message Authentication 虞慧群

Information Security Principles & Applications Topic 4: Message Authentication 虞慧群
CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Chalmers University of Technology Wireless security Breaking WEP and WPA.

Chalmers University of Technology Wireless security Breaking WEP and WPA.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

Similar presentations

Ads by Google