Paper 2023/913

Hidden Stream Ciphers and TMTO Attacks on TLS 1.3, DTLS 1.3, QUIC, and Signal

John Preuß Mattsson, Ericsson Research
Abstract

Transport Layer Security (TLS) 1.3 and the Signal protocol are very important and widely used security protocols. We show that the key update function in TLS 1.3 and the symmetric key ratchet in Signal can be modeled as non-additive synchronous stream ciphers. This means that the efficient Time Memory Tradeoff (TMTO) attacks for stream ciphers can be applied. The implication is that TLS 1.3, QUIC, DTLS 1.3, and Signal offer a lower security level against TMTO attacks than expected from the key sizes. We provide detailed analyses of the key update mechanisms in TLS 1.3 and Signal, illustrate the importance of ephemeral key exchange, and show that the process that DTLS 1.3 and QUIC use to calculate AEAD limits is flawed. We provide many concrete recommendations for the analyzed protocols.
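The stream-cipher view of the abstract, as an added illustration that is not code from the paper: both key chains are written as a synchronous stream cipher with an internal state that is advanced by a one-way function and a per-epoch output (an AEAD key and IV for TLS 1.3, a message key for Signal) that is derived from the state but never added to the plaintext. The TLS 1.3 derivation follows RFC 8446 (HKDF-Expand-Label with the "traffic upd", "key" and "iv" labels); the Signal chain follows the KDF_CK construction recommended in the Double Ratchet specification (HMAC-SHA256 with the constant inputs 0x01 and 0x02). SHA-256 and AES-128-GCM key and IV lengths are assumed, and the initial secrets are constructed sample values. What the code makes visible is that the whole future of each chain depends on a state of only Hash.length bytes, which is the quantity the stream-cipher model puts at the centre.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes: the size of the hidden stream-cipher state


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 section 7.1 HKDF-Expand-Label with the HkdfLabel struct encoding."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


class TLS13KeyUpdateChain:
    """One direction of TLS 1.3 application traffic keys as a synchronous stream cipher.

    state_N   = application_traffic_secret_N          (Hash.length bytes)
    output_N  = (write_key_N, write_iv_N)             (RFC 8446 section 7.3)
    state_N+1 = HKDF-Expand-Label(state_N, "traffic upd", "", Hash.length)  (section 7.2)
    """

    def __init__(self, traffic_secret: bytes, key_len: int = 16, iv_len: int = 12):
        # AES-128-GCM lengths assumed for the example
        self.state = traffic_secret
        self.key_len, self.iv_len = key_len, iv_len

    def output(self) -> tuple:
        key = hkdf_expand_label(self.state, b"key", b"", self.key_len)
        iv = hkdf_expand_label(self.state, b"iv", b"", self.iv_len)
        return key, iv

    def update(self) -> None:
        # KeyUpdate: the next state is a one-way function of the current state only
        self.state = hkdf_expand_label(self.state, b"traffic upd", b"", HASH_LEN)


class SignalSymmetricRatchet:
    """Signal symmetric-key ratchet (KDF_CK) as a synchronous stream cipher.

    state_i   = chain key CK_i
    output_i  = message key MK_i = HMAC-SHA256(CK_i, 0x01)
    state_i+1 = CK_i+1            = HMAC-SHA256(CK_i, 0x02)
    """

    def __init__(self, chain_key: bytes):
        self.state = chain_key

    def output(self) -> bytes:
        return hmac.new(self.state, b"\x01", HASH).digest()

    def update(self) -> None:
        self.state = hmac.new(self.state, b"\x02", HASH).digest()


def run_chain(chain, epochs: int) -> list:
    """Collect the per-epoch outputs of a chain, advancing the state after each one."""
    outputs = []
    for _ in range(epochs):
        outputs.append(chain.output())
        chain.update()
    return outputs


if __name__ == "__main__":
    # constructed sample secrets, not values from any real session
    tls = TLS13KeyUpdateChain(bytes(range(32)))
    for epoch, (key, iv) in enumerate(run_chain(tls, 3)):
        print(f"TLS 1.3 epoch {epoch}: key={key.hex()} iv={iv.hex()}")
    print(f"TLS 1.3 state size: {len(tls.state)} bytes")

    signal = SignalSymmetricRatchet(b"\x00" * 32)
    for i, mk in enumerate(run_chain(signal, 3)):
        print(f"Signal message key {i}: {mk.hex()}")
```

Running the module prints the per-epoch keys; the important observation is structural rather than numeric: in both chains every later output is a deterministic function of a single Hash.length-byte state, so the state, not the AEAD key size alone, bounds the work of a generic attack on the chain. The paper's recommendations on ephemeral key exchange address exactly this, since a fresh (EC)DHE contribution breaks the dependence of future states on the current one.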

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Minor revision. CANS 2023: Cryptology and Network Security
DOI
10.1007/978-981-99-7563-1_12
Keywords
TLS 1.3, QUIC, Signal, Secret-key Cryptography, Key Derivation, Ratchet, Key Chain, Stream Cipher, Cryptanalysis, TMTO
Contact author(s)
john mattsson @ ericsson com
History
2023-12-15: last of 4 revisions
2023-06-12: received
Short URL
https://ia.cr/2023/913
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/913,
      author = {John Preuß Mattsson},
      title = {Hidden Stream Ciphers and TMTO Attacks on TLS 1.3, DTLS 1.3, QUIC, and Signal},
      howpublished = {Cryptology ePrint Archive, Paper 2023/913},
      year = {2023},
      doi = {10.1007/978-981-99-7563-1_12},
      note = {\url{https://eprint.iacr.org/2023/913}},
      url = {https://eprint.iacr.org/2023/913}
}