Selfie: reflections on TLS 1.3 with PSK

Nir Drucker; Shay Gueron

doi:10.1007/s00145-021-09387-y

Selfie: reflections on TLS 1.3 with PSK

Nir Drucker, Shay Gueron

Department of Mathematics

Research output: Contribution to journal › Article › peer-review

Abstract

TLS 1.3 allows two parties to establish a shared session key from an out-of-band agreed pre-shared key (PSK). The PSK is used to mutually authenticate the parties, under the assumption that it is not shared with others. This allows the parties to skip the certificate verification steps, saving bandwidth, communication rounds, and latency. In this paper, we identify a vulnerability in this specific TLS 1.3 option by showing a new “reflection attack” that we call “Selfie.” This attack uses the fact that TLS does not mandate explicit authentication of the server and the client, and leverages it to break the protocol’s mutual authentication property. We explain the root cause of this TLS 1.3 vulnerability, provide a fully detailed demonstration of a Selfie attack using the TLS implementation of OpenSSL, and propose mitigation. The Selfie attack is the first attack on TLS 1.3 after its official release in 2018. It is surprising because it uncovers an interesting gap in the existing TLS 1.3 models that the security proofs rely on. We explain the gap in these model assumptions and show how it affects the proofs in this case.

Original language	English
Pages (from-to)	1-18
Journal	Journal of Cryptology
Volume	34
Issue number	3
DOIs	https://doi.org/10.1007/s00145-021-09387-y
State	Published - Jul 2021

Bibliographical note

Funding Information:
This research was supported by: The Israel Science Foundation (Grant No. 1018/ 16); The BIU Center for Research in Applied Cryptography and Cyber Security, in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office; the Center for Cyber Law & Policy at the University of Haifa, in conjunction with the Israel National Cyber Directorate in the Prime Minister’s Office.

Publisher Copyright:
© 2021, The Author(s), under exclusive licence to International Association for Cryptologic Research.

Keywords

Network security
Reflection attack
Selfie attack
TLS 1.3

ASJC Scopus subject areas

Software
Computer Science Applications
Applied Mathematics

Access to Document

10.1007/s00145-021-09387-y

Cite this

@article{e89e21bd06f546048edb14533008a2f8,

title = "Selfie: reflections on TLS 1.3 with PSK",

abstract = "TLS 1.3 allows two parties to establish a shared session key from an out-of-band agreed pre-shared key (PSK). The PSK is used to mutually authenticate the parties, under the assumption that it is not shared with others. This allows the parties to skip the certificate verification steps, saving bandwidth, communication rounds, and latency. In this paper, we identify a vulnerability in this specific TLS 1.3 option by showing a new “reflection attack” that we call “Selfie.” This attack uses the fact that TLS does not mandate explicit authentication of the server and the client, and leverages it to break the protocol{\textquoteright}s mutual authentication property. We explain the root cause of this TLS 1.3 vulnerability, provide a fully detailed demonstration of a Selfie attack using the TLS implementation of OpenSSL, and propose mitigation. The Selfie attack is the first attack on TLS 1.3 after its official release in 2018. It is surprising because it uncovers an interesting gap in the existing TLS 1.3 models that the security proofs rely on. We explain the gap in these model assumptions and show how it affects the proofs in this case.",

keywords = "Network security, Reflection attack, Selfie attack, TLS 1.3",

author = "Nir Drucker and Shay Gueron",

note = "Funding Information: This research was supported by: The Israel Science Foundation (Grant No. 1018/ 16); The BIU Center for Research in Applied Cryptography and Cyber Security, in conjunction with the Israel National Cyber Bureau in the Prime Minister{\textquoteright}s Office; the Center for Cyber Law & Policy at the University of Haifa, in conjunction with the Israel National Cyber Directorate in the Prime Minister{\textquoteright}s Office. Publisher Copyright: {\textcopyright} 2021, The Author(s), under exclusive licence to International Association for Cryptologic Research.",

year = "2021",

month = jul,

doi = "10.1007/s00145-021-09387-y",

language = "English",

volume = "34",

pages = "1--18",

journal = "Journal of Cryptology",

issn = "0933-2790",

publisher = "Springer New York",

number = "3",

}

TY - JOUR

T1 - Selfie

T2 - reflections on TLS 1.3 with PSK

AU - Drucker, Nir

AU - Gueron, Shay

N1 - Funding Information: This research was supported by: The Israel Science Foundation (Grant No. 1018/ 16); The BIU Center for Research in Applied Cryptography and Cyber Security, in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office; the Center for Cyber Law & Policy at the University of Haifa, in conjunction with the Israel National Cyber Directorate in the Prime Minister’s Office. Publisher Copyright: © 2021, The Author(s), under exclusive licence to International Association for Cryptologic Research.

PY - 2021/7

Y1 - 2021/7

N2 - TLS 1.3 allows two parties to establish a shared session key from an out-of-band agreed pre-shared key (PSK). The PSK is used to mutually authenticate the parties, under the assumption that it is not shared with others. This allows the parties to skip the certificate verification steps, saving bandwidth, communication rounds, and latency. In this paper, we identify a vulnerability in this specific TLS 1.3 option by showing a new “reflection attack” that we call “Selfie.” This attack uses the fact that TLS does not mandate explicit authentication of the server and the client, and leverages it to break the protocol’s mutual authentication property. We explain the root cause of this TLS 1.3 vulnerability, provide a fully detailed demonstration of a Selfie attack using the TLS implementation of OpenSSL, and propose mitigation. The Selfie attack is the first attack on TLS 1.3 after its official release in 2018. It is surprising because it uncovers an interesting gap in the existing TLS 1.3 models that the security proofs rely on. We explain the gap in these model assumptions and show how it affects the proofs in this case.

AB - TLS 1.3 allows two parties to establish a shared session key from an out-of-band agreed pre-shared key (PSK). The PSK is used to mutually authenticate the parties, under the assumption that it is not shared with others. This allows the parties to skip the certificate verification steps, saving bandwidth, communication rounds, and latency. In this paper, we identify a vulnerability in this specific TLS 1.3 option by showing a new “reflection attack” that we call “Selfie.” This attack uses the fact that TLS does not mandate explicit authentication of the server and the client, and leverages it to break the protocol’s mutual authentication property. We explain the root cause of this TLS 1.3 vulnerability, provide a fully detailed demonstration of a Selfie attack using the TLS implementation of OpenSSL, and propose mitigation. The Selfie attack is the first attack on TLS 1.3 after its official release in 2018. It is surprising because it uncovers an interesting gap in the existing TLS 1.3 models that the security proofs rely on. We explain the gap in these model assumptions and show how it affects the proofs in this case.

KW - Network security

KW - Reflection attack

KW - Selfie attack

KW - TLS 1.3

UR - http://www.scopus.com/inward/record.url?scp=85107211810&partnerID=8YFLogxK

U2 - 10.1007/s00145-021-09387-y

DO - 10.1007/s00145-021-09387-y

M3 - Article

AN - SCOPUS:85107211810

SN - 0933-2790

VL - 34

SP - 1

EP - 18

JO - Journal of Cryptology

JF - Journal of Cryptology

IS - 3

ER -

Selfie: reflections on TLS 1.3 with PSK

Abstract

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this