Multipath TLS 1.3

Part of the Lecture Notes in Computer Science book series (LNCS, volume 12973)


In a multipath key exchange protocol (Costea et al., CCS’18) the parties communicate over multiple connection lines, implemented for example with the multipath extension of TCP. Costea et al. show that, if one assumes that an adversary cannot attack all communication paths in an active and synchronized way, then one can securely establish a shared key under mild cryptographic assumptions. This holds even if classical authentication methods like certificate-based signatures fail. They show how to slightly modify TLS to achieve this security level.

Here we discuss that the multipath security can also be achieved for TLS 1.3 without having to modify the crypto part of the protocol at all. To this end one runs a regular handshake over one communication path and then a key update (or resumption) over the other path. We show that this already provides the desired security guarantees. At the same time, if only a single communication path is available, then one obtains the basic security properties of TLS 1.3 as a fallback guarantee.

  • DOI: 10.1007/978-3-030-88428-4_5
  • Chapter length: 20 pages


  1. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000).

  2. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994).

  3. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001).

  4. de Carnavalet, X.C., Mannan, M.: Killed by proxy: analyzing client-end TLS interception software. In: 23rd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, California, USA, 21–24 February 2016. The Internet Society (2016)

  5. Costea, S., Choudary, M.O., Gucea, D., Tackmann, B., Raiciu, C.: Secure opportunistic multipath key exchange. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, 15–19 October 2018, pp. 2077–2094. ACM (2018)

  6. Davis, H., Günther, F.: Tighter proofs for the SIGMA and TLS 1.3 key exchange protocols. IACR Cryptol. ePrint Arch. 2020, 1029 (2020).

  7. Diemert, D., Jager, T.: On the tight security of TLS 1.3: theoretically-sound cryptographic parameters for real-world deployments. IACR Cryptol. ePrint Arch. 2020, 726 (2020).

  8. Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol. Cryptology ePrint Archive, Report 2020/1044 (2020).

  9. Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In: Ray, I., Li, N., Kruegel, C. (eds.) Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015, pp. 1197–1210. ACM (2015)

  10. Evans, C., Palmer, C., Sleevi, R.: Public key pinning extension for HTTP. RFC 7469, April 2015.

  11. Fischlin, M., Günther, F.: Multi-stage key exchange and the case of Google’s QUIC protocol. In: Ahn, G., Yung, M., Li, N. (eds.) Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, 3–7 November 2014, pp. 1193–1204. ACM (2014)

  12. Fischlin, M., Günther, F.: Replay attacks on zero round-trip time: the case of the TLS 1.3 handshake candidates. In: 2017 IEEE European Symposium on Security and Privacy, EuroS&P 2017, Paris, France, 26–28 April 2017, pp. 60–75. IEEE (2017).

  13. Ford, A., Raiciu, C., Handley, M.J., Bonaventure, O., Paasch, C.: TCP extensions for multipath operation with multiple addresses. RFC 8684, March 2020.

  14. Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V.: The most dangerous code in the world: validating SSL certificates in non-browser software. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) The ACM Conference on Computer and Communications Security, CCS 2012, Raleigh, NC, USA, 16–18 October 2012, pp. 38–49. ACM (2012)

  15. Katz, J., Lindell, Y.: Introduction to Modern Cryptography, 2nd edn. CRC Press, Boca Raton (2014)

  16. Krawczyk, D.H., Eronen, P.: HMAC-based extract-and-expand key derivation function (HKDF). RFC 5869, May 2010.

  17. Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010).

  18. Langley, A.: Apple’s SSL/TLS bug. ImperialViolet (2014).

  19. Laurie, B., Langley, A., Kasper, E.: Certificate transparency. RFC 6962, June 2013.

  20. Menn, J.: E-mail breach in Iran raises surveillance fears. Financial Times, 31 August 2011 (2011)

  21. Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, August 2018.

  22. Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, Washington, DC, USA, 18–22 November 2002, pp. 98–107. ACM (2002)


We thank the anonymous reviewers for valuable comments. Marc Fischlin has been [co-]funded by the Deutsche Forschungsgemeinschaft (DFG) – SFB 1119 – 236615297.

Corresponding author

Correspondence to Marc Fischlin.

A Transport Layer Security

Figure 4 depicts the basic TLS 1.3 anonymous (EC)DHE handshakes including the essential steps of the Diffie–Hellman-based key derivation. The key update step has already been explained in Sect. 2.2. A session resumption is similar to the handshake but adds some additional steps. It requires the server to have issued a ticket to the client containing a nonce and identifying information, which are used for the resumption handshake. The client uses an additional extension \(\mathtt {ClientPreSharedKey}\) in the first message to indicate potential identifiers. The server acknowledges one in its \(\mathtt {ServerPreSharedKey}\) extension with the second message. The parties then use the resumption secret \(RMS\) from before to compute a pre-shared key \(PSK\), which this time enters the computation \(ES\leftarrow \mathsf {HKDF}.\mathsf {Extract}(\texttt {"\!\!"},PSK)\). They also derive a binder key \(BK\) which is used to verify the key. From there on the steps are identical to those of a handshake execution. We note that resumption can be executed with and without the Diffie–Hellman step.
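The resumption key derivation described above, as an added example (not code from the paper): it derives \(PSK\) from \(RMS\) and the ticket nonce, computes \(ES\) and the binder key \(BK\), and checks the binder on the server side. The labels and the Finished-style binder computation follow RFC 8446 rather than this page; SHA-256 and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256              # assumption: a SHA-256 cipher suite
HLEN = HASH().digest_size

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 Extract step: PRK = HMAC(salt, IKM)
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 Expand step: T(i) = HMAC(PRK, T(i-1) | info | i)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def expand_label(secret: bytes, label: str, context: bytes, length: int = HLEN) -> bytes:
    # RFC 8446 HkdfLabel: uint16 length, then length-prefixed label and context
    full = b"tls13 " + label.encode()
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def resumption_secrets(rms: bytes, ticket_nonce: bytes):
    psk = expand_label(rms, "resumption", ticket_nonce)      # PSK from RMS and ticket nonce
    es = hkdf_extract(b"", psk)                              # ES <- HKDF.Extract("", PSK)
    bk = expand_label(es, "res binder", HASH(b"").digest())  # BK = Derive-Secret(ES, "res binder", "")
    return psk, es, bk

def compute_binder(bk: bytes, truncated_client_hello: bytes) -> bytes:
    # The binder is a Finished-style MAC over the ClientHello up to the binders list
    finished_key = expand_label(bk, "finished", b"")
    transcript_hash = HASH(truncated_client_hello).digest()
    return hmac.new(finished_key, transcript_hash, HASH).digest()

def server_accepts(rms: bytes, ticket_nonce: bytes, truncated_client_hello: bytes, received: bytes) -> bool:
    # Server recomputes BK from its own copy of RMS and compares in constant time
    _, _, bk = resumption_secrets(rms, ticket_nonce)
    return hmac.compare_digest(compute_binder(bk, truncated_client_hello), received)

# Constructed sample values (not from a real session)
RMS = bytes(range(32))
TICKET_NONCE = b"\x00\x01"
CLIENT_HELLO = b"constructed truncated ClientHello"
CLIENT_BINDER = compute_binder(resumption_secrets(RMS, TICKET_NONCE)[2], CLIENT_HELLO)
```

An empty salt and a salt of `HLEN` zero bytes give the same \(ES\), because HMAC zero-pads keys shorter than its block size.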

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Fischlin, M., Müller, SA., Münch, JP., Porth, L. (2021). Multipath TLS 1.3. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science, vol 12973. Springer, Cham.

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88427-7

  • Online ISBN: 978-3-030-88428-4

  • eBook Packages: Computer Science, Computer Science (R0)