Safely Exporting Keys from Secure Channels - On the Security of EAP-TLS and TLS Key Exporters
نویسندگان
چکیده
We investigate how to safely export additional cryptographic keys from secure channel protocols, modelled with the authenticated and confidential channel establishment (ACCE) security notion. For example, the EAP-TLS protocol uses the Transport Layer Security (TLS) handshake to output an additional shared secret which can be used for purposes outside of TLS, and the RFC 5705 standard specifies a general mechanism for exporting keying material from TLS. We show that, for a class of ACCE protocols we call “TLS-like” protocols, the EAP-TLS transformation can be used to export an additional key, and that the result is a secure AKE protocol in the Bellare–Rogaway model. Interestingly, we are able to carry out the proof without looking at the specifics of the TLS protocol itself (beyond the notion that it is “TLS-like”), but rather are able to use the ACCE property in a semi black-box way. To facilitate our modular proof, we develop a novel technique, notably an encryption-based key checking mechanism that is used by the security reduction. Our results imply that EAP-TLS using secure TLS 1.2 ciphersuites is a secure authenticated key exchange protocol.
منابع مشابه
Selecting a Standard Outer Method for EAP
This paper outlines the problems in currently available authentication methods, such as EAP-TTLS, EAP-PEAP and EAP-FAST, and describes the desirable properties of a standard outer method. We examine the interaction between inner and outer methods and the types of issues that presently exist. We propose a new authentication method, EAP-PSK [PSK] with tunneling support (EAP-TLS-PSK), as an EAP pr...
متن کاملPerformance Analysis of Signaling Cost on EAP-TLS Authentication Protocol based on Cryptography
With the wide applications of wireless communication in the air inter-face, needs secure connections, efficient decryption and strong authentication mechanisms. In general,authentication procedure adds extra messages to the original message flow and results in throughput reduction/ increase in processing time. Reducing the processing time spent on authentication procedure is very important for ...
متن کاملOn the Security of the Pre-shared Key Ciphersuites of TLS
TLS is by far the most important protocol on the Internet for negotiating secure session keys and providing authentication. Only very recently, the standard ciphersuites of TLS have been shown to provide provably secure guarantees under a new notion called Authenticated and Confidential Channel Establishment (ACCE) introduced by Jager et al. at CRYPTO’12. In this work, we analyse the variants o...
متن کاملA Modular Security Analysis of the TLS Handshake Protocol
We study the security of the widely deployed Secure Session Layer/Transport Layer Security (TLS) key agreement protocol. Our analysis identifies, justifies, and exploits the modularity present in the design of the protocol: the application keys offered to higher level applications are obtained from a master key, which in turn is derived, through interaction, from a pre-master key. Our first con...
متن کاملOn the Security of TLS-DH and TLS-RSA in the Standard Model
TLS is the most important cryptographic protocol in the Internet. At CRYPTO 2012, Jager et al. presented the first proof of the unmodified TLS with ephemeral Diffie-Hellman key exchange (TLS-DHE) for mutual authentication. Since TLS cannot be proven secure under the classical definition of authenticated key exchange (AKE), they introduce a new security model called authenticated and confidentia...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2016 شماره
صفحات -
تاریخ انتشار 2016