Paper 2024/733
Proxying is Enough: Security of Proxying in TLS Oracles and AEAD Context Unforgeability
Abstract
TLS oracles allow a TLS client to offer selective data provenance to an external (oracle) node such that the oracle node is assured that the data is indeed coming from a pre-defined TLS server. Typically, the client/user supplies their credentials to the server and reveals selective data using zero-knowledge proofs to demonstrate certain server-offered information to oracles while ensuring the secrecy of the rest of the TLS transcript. Conceptually, this is a standard three-party secure computation between the TLS server, TLS client (prover), and the oracle (verifier) node; however, the key practical requirement for TLS oracles is to ensure that the data provenance process remains transparent to the TLS server. Recent TLS oracle protocols such as DECO enforce the communication pattern of server-client-verifier and utilize a novel three-party handshake process during TLS to ensure data integrity against potential tampering by the client. However, this approach introduces a significant performance penalty on the client/prover and the verifier. This raises the question of whether it is possible to reduce the overhead by putting the verifier (as a proxy) between the server and the client such that the correct TLS transcript is available to the verifier. This work offers both positive and negative answers to this oracle proxy question: We first formalize the oracle proxy notion that allows the verifier to directly proxy client-server TLS communication, without entering a three-party handshake or interfering with the connection in any way. We then show that for common TLS-based higher-level protocols such as HTTPS, data integrity to the verifier proxy is ensured by the variable padding built into the HTTP protocol semantics. On the other hand, if a TLS-based protocol comes without variable padding, we demonstrate that data integrity cannot be guaranteed.
In this context, we then study the case where the TLS response is pre-determined and cannot be tampered with during the connection. We propose the concept of context unforgeability and show that it allows overcoming the impossibility. We further show that ChaCha20-Poly1305 satisfies the concept while AES-GCM does not under the standard model.
Note: General revision.
Metadata
- Publication info
- Published elsewhere. Minor revision. Science of Blockchain Conference 2024 (no proceedings)
- Contact author(s)
- luo401 @ purdue edu
- jia168 @ purdue edu
- yaobin shen @ xmu edu cn
- aniket @ purdue edu
- History
- 2024-06-19: last of 3 revisions
- 2024-05-13: received
- Short URL
- https://ia.cr/2024/733
- License
- CC BY
BibTeX
@misc{cryptoeprint:2024/733,
  author = {Zhongtang Luo and Yanxue Jia and Yaobin Shen and Aniket Kate},
  title = {Proxying is Enough: Security of Proxying in {TLS} Oracles and {AEAD} Context Unforgeability},
  howpublished = {Cryptology {ePrint} Archive, Paper 2024/733},
  year = {2024},
  url = {https://eprint.iacr.org/2024/733}
}