Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC, volume 7073)

Abstract

We analyze the security of the TLS Record Protocol, a MAC-then-Encode-then-Encrypt (MEE) scheme whose design targets confidentiality and integrity for application layer communications on the Internet. Our main results are twofold. First, we give a new distinguishing attack against TLS when variable length padding and short (truncated) MACs are used. This combination will arise when standardized TLS 1.2 extensions (RFC 6066) are implemented. Second, we show that when tags are longer, the TLS Record Protocol meets a new length-hiding authenticated encryption security notion that is stronger than IND-CCA.
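The abstract describes TLS's MAC-then-Encode-then-Encrypt construction and the length-hiding notion without showing the byte layout. The following Python is an added example, not code from the paper or from any TLS implementation: it performs the MAC and Encode steps the way TLS 1.2 CBC ciphersuites do (tag appended to the plaintext, then a padding_length byte plus padding bytes out to a block boundary, with optional whole extra blocks of padding), and the matching decode. It assumes a 16-byte block cipher (AES-CBC), HMAC-SHA256 truncated to `tag_len` bytes as a stand-in for the RFC 6066 truncated_hmac extension, a constructed key, and a `HEADER` byte string standing in for the sequence number and record header that the TLS MAC covers. The CBC step itself is omitted because it does not change the length, so the encoded length is the ciphertext body length.

```python
import hmac
import hashlib

BLOCK_LEN = 16  # assumption: AES-CBC ciphersuite, 16-byte blocks
MAX_PAD = 255   # the TLS padding_length field is a single byte

# Constructed sample values so the file runs stand-alone (not from the paper).
KEY = b"\x11" * 32
HEADER = b"\x00" * 7 + b"\x01" + b"\x17\x03\x03"  # stand-in for seq_num + record header


def mac_then_encode(key, header, plaintext, tag_len, extra_blocks=0):
    """MAC and Encode steps of MEE, TLS 1.2 CBC style.

    tag_len      number of HMAC-SHA256 output bytes kept (10 models an 80-bit
                 truncated MAC, 32 the full tag)
    extra_blocks whole extra blocks of padding beyond the minimum; this is the
                 variable-length padding that lets the sender hide the length
    Returns the byte string CBC encryption would take as input.
    """
    tag = hmac.new(key, header + plaintext, hashlib.sha256).digest()[:tag_len]
    body = plaintext + tag
    # padding_length byte plus padding_length pad bytes, each equal to padding_length,
    # chosen so the total is a multiple of the block length
    pad_len = (BLOCK_LEN - (len(body) + 1) % BLOCK_LEN) % BLOCK_LEN
    pad_len += extra_blocks * BLOCK_LEN
    if pad_len > MAX_PAD:
        raise ValueError("padding exceeds the 255-byte limit")
    return body + bytes([pad_len]) * (pad_len + 1)


def decode_then_verify(key, header, encoded, tag_len):
    """Receiver side: check padding, strip it and the tag, verify the MAC.

    Every failure returns the same value (None), whether the padding or the MAC
    was bad: a receiver that reports the two cases differently hands the sender
    of a forged record information that the ciphertext alone should not reveal.
    """
    if not encoded or len(encoded) % BLOCK_LEN:
        return None
    pad_len = encoded[-1]
    if pad_len + 1 + tag_len > len(encoded):
        return None
    if encoded[-(pad_len + 1):] != bytes([pad_len]) * (pad_len + 1):
        return None
    body = encoded[:len(encoded) - (pad_len + 1)]
    plaintext, tag = body[:-tag_len], body[-tag_len:]
    expected = hmac.new(key, header + plaintext, hashlib.sha256).digest()[:tag_len]
    if not hmac.compare_digest(tag, expected):
        return None
    return plaintext


def length_hiding_demo(tag_len=10):
    """Two plaintexts of different length encoded to the same output length:
    the short one gets one extra block of padding, the longer one only the minimum.
    Returns (len(short_encoding), len(long_encoding))."""
    short = mac_then_encode(KEY, HEADER, b"hello", tag_len, extra_blocks=1)
    longer = mac_then_encode(KEY, HEADER, b"hello world!!", tag_len)
    return len(short), len(longer)


if __name__ == "__main__":
    print(length_hiding_demo())  # both encodings are 32 bytes
```

With a 10-byte tag, `b"hello"` plus one extra padding block and `b"hello world!!"` with minimal padding both encode to 32 bytes, which is the property the length-hiding notion captures. The same `extra_blocks` knob is what gives the sender a range of padding lengths to choose from, and the decode routine shows the receiver-side discipline of failing uniformly on bad padding and bad MAC.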

Keywords

  • Encryption Scheme
  • Block Cipher
  • Message Authentication Code
  • Message Length
  • Transport Layer Security

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

  1. Abadi, M., Rogaway, P.: Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption). J. Cryptology 20(3), 395 (2007)

  2. Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: Proceedings of 38th Annual Symposium on Foundations of Computer Science (FOCS 1997), pp. 394–403. IEEE (1997)

  3. Bellare, M., Namprempre, C.: Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000)

  4. Bellare, M., Kohno, T., Namprempre, C.: Authenticated encryption in SSH: Provably fixing the SSH binary packet protocol. In: ACM Conference on Computer and Communications Security, pp. 1–11 (2002)

  5. Bellare, M., Rogaway, P.: The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006)

  6. Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing Chosen Ciphertext Security of Encryption Schemes. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565–582. Springer, Heidelberg (2003)

  7. Canetti, R.: Universally Composable Security: A New Paradigm for Cryptographic Protocols. In: Foundations of Computer Science – FOCS (2001)

  8. Canetti, R., Krawczyk, H.: Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001)

  9. Canvel, B., Hiltgen, A.P., Vaudenay, S., Vuagnoux, M.: Password interception in a SSL/TLS Channel. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 583–599. Springer, Heidelberg (2003)

  10. Dierks, T., Allen, C.: The TLS Protocol Version 1.0. RFC 2246 (January 1999), http://www.ietf.org/rfc/rfc2246.txt

  11. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346 (April 2006), http://www.ietf.org/rfc/rfc4346.txt

  12. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (August 2008), http://www.ietf.org/rfc/rfc5246.txt

  13. Eastlake III, D.: Transport Layer Security (TLS) Extensions: Extension Definitions. RFC 6066 (January 2011), http://www.ietf.org/rfc/rfc6066.txt

  14. GnuTLS Documentation (2011), http://www.gnu.org/software/gnutls/documentat.html

  15. Krawczyk, H.: The Order of Encryption and Authentication for Protecting Communications (or: How Secure is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310–331. Springer, Heidelberg (2001)

  16. Liberatore, M., Levine, B.: Inferring the source of encrypted HTTP connections. In: ACM Conference on Computer and Communications Security, pp. 255–263 (2006)

  17. Manral, V.: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH). RFC 4835 (April 2007), http://www.ietf.org/rfc/rfc4835.txt

  18. Maurer, U., Tackmann, B.: On the Soundness of Authenticate-then-Encrypt: Formalizing the Malleability of Symmetric Encryption. In: Proc. 2010 ACM Conference on Computer and Communications Security (CCS 2010), pp. 505–515. ACM (2010)

  19. Möller, B.: Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures, http://www.openssl.org/~bodo/tls-cbc.txt

  20. Rogaway, P., Shrimpton, T.: A Provable-Security Treatment of the Key-Wrap Problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006)

  21. Sun, Q., Simon, D., Wang, Y., Russell, W., Padmanabhan, V., Qiu, L.: Statistical identification of encrypted web browsing traffic. In: IEEE Symposium on Security and Privacy, pp. 19–30 (2002)

  22. Vaudenay, S.: Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–546. Springer, Heidelberg (2002)

  23. White, A., Matthews, A., Snow, K., Monrose, F.: Phonotactic Reconstruction of Encrypted VoIP conversations: Hookt on fon-iks. In: IEEE Symposium on Security and Privacy (2011)

  24. Wright, C., Ballard, L., Coull, S., Monrose, F., Masson, G.: Spot Me if You Can: Uncovering Spoken Phrases in Encrypted VoIP Conversations. In: IEEE Symposium on Security and Privacy, pp. 35–49 (2008)

  25. Wright, C., Ballard, L., Coull, S., Monrose, F., Masson, G.: Uncovering Spoken Phrases in Encrypted Voice over IP Conversations. ACM Trans. Inf. Syst. Secur. 13(4) (2010)

  26. Wright, C., Monrose, F., Masson, G.: On Inferring Application Protocol Behaviors in Encrypted Network Traffic. Journal of Machine Learning Research 6, 2745–2769 (2006)

  27. Wright, C., Coull, S., Monrose, F.: Traffic Morphing: An Efficient Defense Against Statistical Traffic Analysis. In: Network and Distributed Security Symposium – NDSS (2009)
Copyright information

© 2011 International Association for Cryptologic Research

About this paper

Cite this paper

Paterson, K.G., Ristenpart, T., Shrimpton, T. (2011). Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol. In: Lee, D.H., Wang, X. (eds) Advances in Cryptology – ASIACRYPT 2011. ASIACRYPT 2011. Lecture Notes in Computer Science, vol 7073. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25385-0_20

  • DOI: https://doi.org/10.1007/978-3-642-25385-0_20

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-25384-3

  • Online ISBN: 978-3-642-25385-0

  • eBook Packages: Computer Science (R0)