Hash Function Combiners in TLS and SSL

  • Marc Fischlin
  • Anja Lehmann
  • Daniel Wagner
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5985)

Abstract

The TLS and SSL protocols are widely used to ensure secure communication over an untrusted network. Therein, a client and server first engage in the so-called handshake protocol to establish shared keys that are subsequently used to encrypt and authenticate the data transfer. To ensure that the obtained keys are as secure as possible, TLS and SSL deploy hash function combiners for key derivation and for the authentication step in the handshake protocol. A robust combiner for hash functions takes two candidate implementations and constructs a hash function which is secure as long as at least one of the candidates is secure. In this work, we analyze the security of the proposed TLS/SSL combiner constructions as pseudorandom functions and as message authentication codes, respectively.
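The key-derivation combiner the abstract refers to is the TLS 1.0 PRF, which XORs two HMAC-based expansion streams, one keyed with each half of the secret. The following is an added example written for this page and not code from the paper or from any TLS implementation; it follows the PRF definition in RFC 2246, but the function names (`p_hash`, `split_secret`, `tls10_prf`, `broken_mac`) are this example's own, and the secret, label and seed values are constructed for illustration. The `broken_mac` stand-in lets you see the robustness property concretely: when one candidate degenerates to a constant tag, the combiner output collapses to the other candidate's stream rather than to something predictable.

```python
# Added example (not code from the paper): the TLS 1.0 PRF as a hash-function
# combiner, following RFC 2246 section 5.  Names such as p_hash, split_secret
# and tls10_prf are this example's own; the sample secret/label/seed values
# below are constructed for illustration.
import hashlib
import hmac
from typing import Callable, Tuple

# A "MAC candidate" maps (key, data) to a tag; TLS 1.0 uses HMAC-MD5 and HMAC-SHA1.
Mac = Callable[[bytes, bytes], bytes]


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def hmac_sha1(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def p_hash(mac: Mac, secret: bytes, seed: bytes, length: int) -> bytes:
    """Data expansion P_hash from RFC 2246:
    P_hash(secret, seed) = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)); the output is cut to `length`."""
    out = b""
    a = seed                      # A(0)
    while len(out) < length:
        a = mac(secret, a)        # A(i) = HMAC(secret, A(i-1))
        out += mac(secret, a + seed)
    return out[:length]


def split_secret(secret: bytes) -> Tuple[bytes, bytes]:
    """S1 is the first half of the secret, S2 the second half; for an odd
    length the middle byte belongs to both halves (RFC 2246)."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int,
              mac1: Mac = hmac_md5, mac2: Mac = hmac_sha1) -> bytes:
    """PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed).
    The XOR is the combiner: if one candidate's expansion is predictable, the
    output is still masked by the other candidate's stream."""
    s1, s2 = split_secret(secret)
    left = p_hash(mac1, s1, label + seed, length)
    right = p_hash(mac2, s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(left, right))


def broken_mac(key: bytes, data: bytes) -> bytes:
    """Stand-in for a totally broken candidate: a constant 16-byte tag."""
    return bytes(16)


if __name__ == "__main__":
    # Constructed sample inputs, not values from the paper or any real handshake.
    master = bytes(range(48))
    label = b"key expansion"
    seed = b"server-random" + b"client-random"
    print(tls10_prf(master, label, seed, 32).hex())
    # With the MD5 side "broken", the output equals the SHA-1 expansion alone.
    print(tls10_prf(master, label, seed, 32, mac1=broken_mac).hex())
```

Two design points worth noticing when reading the block against the abstract: the XOR combiner keeps the output length of a single candidate (unlike concatenation combiners, which double it), and what it preserves is pseudorandomness of the expansion, which is exactly the property the paper's analysis targets. Splitting the secret so that each candidate is keyed independently is what prevents a weakness in one HMAC from leaking the key material fed to the other.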

Keywords

Hash Function, Message Authentication Code, Compression Function, Pseudorandom Function, Handshake Protocol

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Marc Fischlin, Darmstadt University of Technology, Germany
  • Anja Lehmann, Darmstadt University of Technology, Germany
  • Daniel Wagner, Darmstadt University of Technology, Germany