
Foundations and Real-World Aspects of Secure Cryptographic Connections

Applicant Dr. Felix Günther
Subject Area Security and Dependability, Operating-, Communication- and Distributed Systems
Term from 2018 to 2020
Project identifier Deutsche Forschungsgemeinschaft (DFG) - Project number 406593006
 
Final Report Year 2021

Final Report Abstract

The security of today’s Internet infrastructure relies on cryptographic protocols that protect the confidentiality, integrity, and authenticity of transmitted data. Such secure connection protocols are composed of two components: a key exchange protocol first establishes a shared secret key between the two communication partners over a potentially insecure network; this key is then used in the follow-up secure channel protocol to protect the actual data to be communicated. With the demands of users and providers ever increasing, protocols are regularly modified, improved, or even newly designed to cater to advances in networking technology, counter new security threats, or satisfy higher performance needs.

The goal of this project was to introduce new techniques and security models to assess and strengthen the security of the most recent real-world developments in secure connections, and to improve our understanding of the protocols’ interaction with applications and of the foundational components that build up to their security. In this project, we analyzed the security of widely deployed connection protocols and their components, including the transport-layer security protocols TLS 1.3, DTLS 1.3, and QUIC, as well as the secure-messaging protocols underlying WhatsApp and Signal, each serving billions of users daily.

On the protocol and interface side, we introduced several new security models that capture novel aspects of connection protocols that are deployed or being standardized. Among other things, this includes the delayed authentication of established secrets in a key exchange, the robust handling of unreliable network protocols, and a protocol’s resilience to breakdowns of cryptographic components. We further introduced new analysis techniques and concepts for components to assess the security of practical parameter choices in deployed protocols, to guide the secure implementation of components relying on multiple so-called random oracles, and to move complex protocols like Signal towards post-quantum security.
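As an added example (not code from the project or from any of the cited papers), the following Python sketch shows two of the ideas mentioned above in runnable form: deriving several independent hash "oracles" from a single hash function by domain separation, including the collision that unframed labels allow, and combining two key-exchange secrets so that the derived session keys stay unpredictable when either component breaks down. The label strings, the 2-byte length framing and the key-schedule layout are assumptions made for this example, not the constructions the publications analyze.

```python
"""Added example: domain-separated hash oracles and a hybrid key combiner.

Illustrative code written for this page; it is not the construction from
any of the cited papers. Label strings, the 2-byte length framing and the
key-schedule layout are assumptions made for the example.
"""
import hashlib
import hmac
import os


def encode(*parts: bytes) -> bytes:
    """Length-prefix each part (2-byte big-endian) so that concatenation is
    an injective encoding: no (label, data) pair can collide with another."""
    out = b""
    for p in parts:
        if len(p) > 0xFFFF:
            raise ValueError("part too long for 2-byte framing")
        out += len(p).to_bytes(2, "big") + p
    return out


def naive_oracle(label: bytes, data: bytes) -> bytes:
    """Unframed domain separation: SHA-256(label || data).
    Because the boundary between label and data is not encoded, two
    differently labelled 'oracles' can agree on related inputs."""
    return hashlib.sha256(label + data).digest()


def oracle(label: bytes, data: bytes) -> bytes:
    """Framed domain separation: SHA-256(encode(label, data)).
    Each distinct label now yields a function whose outputs are unrelated
    to those of every other label (the cloning idea from the abstract)."""
    return hashlib.sha256(encode(label, data)).digest()


def hybrid_key_schedule(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> dict:
    """Combine two shared secrets, e.g. from an ECDH exchange and a
    post-quantum KEM, into traffic keys bound to the handshake transcript.

    In the random-oracle view the main secret is unpredictable as long as at
    least one of the two inputs is unknown to the adversary, so the session
    survives the breakdown of either component. Channel keys are expanded
    under distinct labels rather than reusing the handshake secret directly.
    """
    main_secret = oracle(b"hybrid-combine", encode(ss_classical, ss_pq, transcript))
    return {
        "client_traffic": hmac.new(main_secret, b"client traffic", hashlib.sha256).digest(),
        "server_traffic": hmac.new(main_secret, b"server traffic", hashlib.sha256).digest(),
    }


def survives_breakdown(ss_classical: bytes, ss_pq: bytes, transcript: bytes, broken: str) -> bool:
    """Model the breakdown of one component: the adversary learns that
    component's secret and the public transcript, but not the other secret.
    Return True if the keys it can compute (using a guess for the unknown
    secret) differ from the real ones, i.e. the surviving secret still
    protects the session."""
    real = hybrid_key_schedule(ss_classical, ss_pq, transcript)
    guess = os.urandom(32)  # stands in for the adversary's guess of the unknown secret
    if broken == "classical":
        attacker = hybrid_key_schedule(ss_classical, guess, transcript)
    elif broken == "pq":
        attacker = hybrid_key_schedule(guess, ss_pq, transcript)
    else:
        raise ValueError("broken must be 'classical' or 'pq'")
    return attacker != real


if __name__ == "__main__":
    # Constructed sample inputs; real values would come from the handshake.
    ss_c, ss_q, tr = os.urandom(32), os.urandom(32), b"ClientHello||ServerHello"
    print("naive oracles collide:", naive_oracle(b"ab", b"c") == naive_oracle(b"a", b"bc"))
    print("framed oracles collide:", oracle(b"ab", b"c") == oracle(b"a", b"bc"))
    print("survives PQ breakdown:", survives_breakdown(ss_c, ss_q, tr, "pq"))
    print("survives classical breakdown:", survives_breakdown(ss_c, ss_q, tr, "classical"))
```

The naive oracle collides on `("ab", "c")` and `("a", "bc")` because both hash the same byte string; the framed variant does not, which is the practical reason implementations that instantiate several random oracles from one hash must encode the separation unambiguously rather than just prefix a string.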

Publications

  • “Breakdown Resilience of Key Exchange Protocols: NewHope, TLS 1.3, and Hybrids”. In: ESORICS 2019, Part II. Vol. 11736. LNCS. Springer, Heidelberg, 2019, pp. 521–541
    J. Brendel, M. Fischlin, and F. Günther
    (See online at https://doi.org/10.1007/978-3-030-29962-0_25)
  • “Separate Your Domains: NIST PQC KEMs, Oracle Cloning and Read-Only Indifferentiability”. In: EUROCRYPT 2020, Part II. Vol. 12106. LNCS. Springer, Heidelberg, 2020, pp. 3–32
    M. Bellare, H. Davis, and F. Günther
    (See online at https://doi.org/10.1007/978-3-030-45724-2_1)
  • “A Cryptographic Analysis of the TLS 1.3 Handshake Protocol”. In: Journal of Cryptology (2021)
    B. Dowling, M. Fischlin, F. Günther, and D. Stebila
    (See online at https://doi.org/10.1007/s00145-021-09384-1)
  • “Tighter Proofs for the SIGMA and TLS 1.3 Key Exchange Protocols”. In: 19th International Conference on Applied Cryptography and Network Security (ACNS 2021). Lecture Notes in Computer Science. Springer, 2021
    H. Davis and F. Günther
    (See online at https://doi.org/10.1007/978-3-030-78375-4_18)