Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS

Abstract : TLS was designed as a transparent channel abstraction to allow developers with no cryptographic expertise to protect their application against attackers that may control some clients, some servers, and may have the capability to tamper with network connections. However, the security guarantees of TLS fall short of those of a secure channel, leading to a variety of attacks. We show how some widespread false beliefs about these guarantees can be exploited to attack popular applications and defeat several standard authentication methods that rely too naively on TLS. We present new client impersonation attacks against TLS renegotiations, wireless networks, challenge-response protocols, and channel-bound cookies. Our attacks exploit combinations of RSA and Diffie-Hellman key exchange, session resumption, and renegotiation to bypass many recent countermeasures. We also demonstrate new ways to exploit known weaknesses of HTTP over TLS. We investigate the root causes for these attacks and propose new countermeasures. At the protocol level, we design and implement two new TLS extensions that strengthen the authentication guarantees of the handshake. At the application level, we develop an exemplary HTTPS client library that implements several mitigations, on top of a previously verified TLS implementation, and verify that their composition provides strong, simple application security.
Type de document :
Communication dans un congrès
IEEE Symposium on Security & Privacy, Apr 2014, San Jose, United States. IEEE, 〈10.1109/SP.2014.14〉
Liste complète des métadonnées

Littérature citée [50 références]  Voir  Masquer  Télécharger

https://hal.inria.fr/hal-01102259
Contributeur : Bruno Blanchet <>
Soumis le : lundi 4 avril 2016 - 14:37:41
Dernière modification le : vendredi 25 mai 2018 - 12:02:06
Document(s) archivé(s) le : lundi 14 novembre 2016 - 15:31:05

Fichier

triple-handshakes-and-cookie-c...
Fichiers produits par l'(les) auteur(s)

Identifiants

Collections

Citation

Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Alfredo Pironti, Pierre-Yves Strub. Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS. IEEE Symposium on Security & Privacy, Apr 2014, San Jose, United States. IEEE, 〈10.1109/SP.2014.14〉. 〈hal-01102259〉

Partager

Métriques

Consultations de la notice

181

Téléchargements de fichiers

218