Paper 2017/082
Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates
Marc Fischlin and Felix Günther
Abstract
We investigate security of key exchange protocols supporting so-called zero round-trip time (0-RTT), enabling a client to establish a fresh provisional key without interaction, based only on cryptographic material obtained in previous connections. This key can then be already used to protect early application data, transmitted to the server before both parties interact further to switch to fully secure keys. Two recent prominent examples supporting such 0-RTT modes are Google's QUIC protocol and the latest drafts for the upcoming TLS version 1.3. We are especially interested in the question how replay attacks, enabled through the lack of contribution from the server, affect security in the 0-RTT case. Whereas the first proposal of QUIC uses state on the server side to thwart such attacks, the latest version of QUIC and TLS 1.3 rather accept them as inevitable. We analyze what this means for the key secrecy of both the preshared-key-based 0-RTT handshake in draft-14 of TLS 1.3 as well as the Diffie-Hellman-based 0-RTT handshake in TLS 1.3 draft-12. As part of this we extend previous security models to capture such cases, also shedding light on the limitations and options for 0-RTT security under replay attacks.
Metadata
- Available format(s)
- Category
- Cryptographic protocols
- Publication info
- Published elsewhere. Major revision. 2nd IEEE European Symposium on Security and Privacy (EuroS&P 2017)
- Keywords
- Transport Layer Security (TLS)key exchangeprotocol analysiszero round-trip timecomposition
- Contact author(s)
- guenther @ cs tu-darmstadt de
- History
- 2017-02-06: received
- Short URL
- https://ia.cr/2017/082
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2017/082, author = {Marc Fischlin and Felix Günther}, title = {Replay Attacks on Zero Round-Trip Time: The Case of the {TLS} 1.3 Handshake Candidates}, howpublished = {Cryptology {ePrint} Archive, Paper 2017/082}, year = {2017}, url = {https://eprint.iacr.org/2017/082} }