Verified Contributive Channel Bindings for Compound Authentication

Compound authentication protocols, such as EAP in IKEv2 or SASL over TLS, bind application-level authentication to a transport-level authenticated channel in order to obtain strong composite authentication under weak trust assumptions. Despite their wide deployment, these protocols remain poorly understood, leading to several credential forwarding man-in-themiddle attacks. We present formal models for several compound authentication protocols, and analyze them against a rich threat model that includes compromised certificates, leaked session keys, and Diffie-Hellman small subgroup confinement. Our analysis uncovers new compound authentication attacks on TLS renegotiation, SSH re-exchange, IKEv2 resumption, and a number of other channel binding proposals. We propose new channel bindings and formally evaluate their effectiveness using the automated symbolic cryptographic protocol verifier, ProVerif. In particular, we present the first formal models that can reconstruct the recently published triple handshake attacks on TLS, and the first automated analysis of its proposed countermeasure. I. COMPOUND AUTHENTICATION Mutual authentication of clients and servers is an important security goal of any distributed system architecture. To this end, cryptographic protocols such as Transport Layer Security (TLS), Secure Shell (SSH), and Internet Protocol Security (IPsec) offer several mutual authentication modes based on well-studied cryptographic constructions called Authenticated Key Exchanges (AKEs). However, a common deployment scenario for these protocols, as depicted in Figure 1, does not use mutual authentication. Instead the transport-level protocol authenticates only the server and establishes a unilaterally-authenticated secure channel where the client is anonymous. The client (or user) is authenticated by a subsequent application-level authentication protocol that is tunneled within the transport channel. The composition of these two protocols aims to provide compound authentication: a guarantee that the same two participants engaged in both protocols, and hence both agree upon the identities of each other (and other session parameters). Examples of such compound authentication protocols are widespread, and we list some that use TLS as the transportlevel protocol. TLS servers almost universally use only server User u