Proxying is Enough: Security of Proxying in TLS Oracles and AEAD Context Unforgeability

Zhongtang Luo; Yanxue Jia; Yaobin Shen; Aniket Kate

Paper 2024/733

Proxying is Enough: Security of Proxying in TLS Oracles and AEAD Context Unforgeability

Zhongtang Luo

, Purdue University West Lafayette

Yanxue Jia

, Purdue University West Lafayette

Yaobin Shen

, Xiamen University

Aniket Kate

, Purdue University West Lafayette, Supra Research

Abstract

TLS oracles allow a TLS client to offer selective data provenance to an external (oracle) node such that the oracle node is ensured that the data is indeed coming from a pre-defined TLS server. Typically, the client/user supplies their credentials to the server and reveals selective data using zero-knowledge proofs to demonstrate certain server-offered information to oracles while ensuring the secrecy of the rest of the TLS transcript. Conceptually, this is a standard three-party secure computation between the TLS server, TLS client (prover), and the oracle (verifier) node; however, the key practical requirement for TLS oracles to ensure that data provenance process remains transparent to the TLS server. Recent TLS oracle protocols such as DECO enforce the communication pattern of server-client-verifier and utilize a novel three-party handshake process during TLS to ensure data integrity against potential tempering by the client. However, this approach introduces a significant performance penalty on the client/prover and the verifier. This raises the question of whether it is possible to reduce the overhead by putting the verifier (as a proxy) between the server and the client such that the correct TLS transcript is available to the verifier. This work offers both positive and negative answers to this oracle proxy question: We first formalize the oracle proxy notion that allows the verifier to directly proxy client-server TLS communication, without entering a three-party handshake or interfering with the connection in any way. We then show that for common TLS-based higher-level protocols such as HTTPS, data integrity to the verifier proxy is ensured by the variable padding built into the HTTP protocol semantics. On the other hand, if a TLS-based protocol comes without variable padding, we demonstrate that data integrity cannot be guaranteed. In this context, we then study the case where the TLS response is pre-determined and cannot be tampered with during the connection. We propose the concept of context unforgeability and show allows overcoming the impossibility. We further show that ChaCha20-Poly1305 satisfies the concept while AES-GCM does not under the standard model.

Note: General revision.

Metadata

Available format(s): PDF
Publication info: Published elsewhere. Minor revision. Science of Blockchain Conference 2024 (no proceedings)
Contact author(s): luo401 @ purdue edu
jia168 @ purdue edu
yaobin shen @ xmu edu cn
aniket @ purdue edu
History: 2024-06-19: last of 3 revisions; 2024-05-13: received; See all versions
Short URL: https://ia.cr/2024/733
License: CC BY

BibTeX

@misc{cryptoeprint:2024/733,
      author = {Zhongtang Luo and Yanxue Jia and Yaobin Shen and Aniket Kate},
      title = {Proxying is Enough: Security of Proxying in {TLS} Oracles and {AEAD} Context Unforgeability},
      howpublished = {Cryptology ePrint Archive, Paper 2024/733},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/733}},
      url = {https://eprint.iacr.org/2024/733}
}