Paper 2019/347
Selfie: reflections on TLS 1.3 with PSK
Nir Drucker and Shay Gueron
Abstract
TLS 1.3 allows two parties to establish a shared session key from an out-of-band agreed Pre Shared Key (PSK). This PSK is used to mutually authenticate the parties, under the assumption that it is not shared with others. This allows the parties to skip the certificate verification steps, saving bandwidth, communication rounds, and latency. We identify a security vulnerability in this TLS 1.3 path, by showing a new reflection attack that we call ``Selfie''. The Selfie attack breaks the mutual authentication. It leverages the fact that TLS does not mandate explicit authentication of the server and the client in every message. The paper explains the root cause of this TLS 1.3 vulnerability, demonstrates the Selfie attack on the TLS implementation of OpenSSL and proposes appropriate mitigation. The attack is surprising because it breaks some assumptions and uncovers an interesting gap in the existing TLS security proofs. We explain the gap in the model assumptions and subsequently in the security proofs. We also provide an enhanced Multi-Stage Key Exchange (MSKE) model that captures the additional required assumptions of TLS 1.3 in its current state. The resulting security claims in the case of external PSKs are accordingly different.
Metadata
- Available format(s)
-
PDF
- Category
- Cryptographic protocols
- Publication info
- Preprint.
- Keywords
- TLS 1.3Reflection attackNetwork securityMulti-Stage Key Exchange model
- Contact author(s)
-
shay gueron @ gmail com
drucker nir @ gmail com - History
- 2019-04-05: revised
- 2019-04-03: received
- See all versions
- Short URL
- https://ia.cr/2019/347
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2019/347,
author = {Nir Drucker and Shay Gueron},
title = {Selfie: reflections on {TLS} 1.3 with {PSK}},
howpublished = {Cryptology {ePrint} Archive, Paper 2019/347},
year = {2019},
url = {https://eprint.iacr.org/2019/347}
}
