Towards Secure Communication and Authentication: Provable Security Analysis and New Constructions
A Dissertation Presented to The Academic Faculty

By Shan Chen

In Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in the School of Computer Science

Georgia Institute of Technology

May 2020

Copyright © Shan Chen 2020

Approved by:

Dr. Alexandra Boldyreva, Advisor, School of Computer Science, Georgia Institute of Technology
Dr. Paul Pearce, School of Computer Science, Georgia Institute of Technology
Dr. Mustaque Ahamad, School of Computer Science, Georgia Institute of Technology
Dr. Gaven Watson, Advanced Cryptography, Visa Research
Dr. Vladimir Kolesnikov, School of Computer Science, Georgia Institute of Technology

Date Approved: January 8, 2020

ACKNOWLEDGEMENTS

I would like to first thank my advisor Alexandra (Sasha) Boldyreva for her generous support, great patience, and outstanding guidance throughout my doctoral study. I am also very grateful for her understanding and support of my needs besides research, which made my Ph.D. life much easier than it could have been.

I was very fortunate to collaborate with many excellent researchers and talented students. My thanks go to David Pointcheval, Cristina Nita-Rotaru, Manuel Barbosa, Bogdan Warinschi, and my mentor Gaven Watson at Visa Research, as well as student co-authors Pierre-Alain Dupont, Samuel Jero, and Matthew Jagielski. I thank my proposal and thesis committee for their valuable time and helpful advice. I would also like to thank John Steinberger for introducing me to the fascinating world of cryptography and steering me in the right way towards establishing good research abilities.

Finally, I would like to express my sincere gratitude to my parents and my girlfriend for their constant love and encouragement. I thank my labmates and all my dear friends for their support and wish them all the best in their lives.

TABLE OF CONTENTS

Acknowledgments . iii
List of Tables . ix
List of Figures . x
Summary . xii

Chapter 1: Introduction . 1
1.1 Motivation and Goal . 1
1.2 Contributions . 2
1.2.1 Human Authenticated Key Exchange . 3
1.2.2 Comparing TLS 1.3 (over TCP Fast Open) to QUIC . 7
1.2.3 Provable Security Analysis of FIDO2 . 12
1.3 Declaration of Co-Authorship and Previous Publications . 15
1.4 Road Map . 16

Chapter 2: Preliminaries . 17
2.1 Notations . 17
2.2 Pseudorandom Function . 17
2.3 Commitment Scheme . 18
2.4 Message Authentication Code . 19
2.5 Authenticated Encryption . 19
2.6 Stateful Authenticated Encryption with Associated Data . 20
2.7 Collision-Resistant Hash Function Family . 21
2.8 Signature Scheme . 22
2.9 The Diffie-Hellman Assumptions . 22
2.10 Password-Authenticated Key Exchange . 23

Chapter 3: Human Authenticated Key Exchange . 26
3.1 Introduction . 26
3.1.1 Related Work . 26
3.1.2 Our Contributions . 27
3.2 HAKE Syntax and Security Model . 34
3.2.1 Protocol Syntax . 34
3.2.2 Security Model . 35
3.3 Human-Compatible Function Family . 41
3.3.1 Syntax . 41
3.3.2 Security . 42
3.3.3 Token-Based HC Function Family Instantiation . 46
3.3.4 Only-Human HC Function Family Instantiation . 46
3.4 Generic HAKE Protocols . 53
3.4.1 The Basic HAKE . 54
3.4.2 The Confirmed HAKE . 56
3.5 Device-Assisted HAKE Protocols . 59
3.5.1 Simplified Basic HAKE . 60
3.5.2 Time-Based HAKE . 60

Chapter 4: Comparing TLS 1.3 over TFO to QUIC . 65
4.1 Introduction . 65
4.1.1 Our Contributions . 65
4.2 Background . 68
4.2.1 TLS 1.3 over TFO . 69
4.2.2 QUIC over UDP . 73
4.2.3 QUIC with TLS 1.3 Key Exchange . 75
4.3 Multi-Stage Authenticated and Confidential Channel Establishment . 76
4.3.1 Protocol Syntax . 76
4.3.2 Security Models . 79
4.4 Provable Security Analysis . 90
4.4.1 TLS 1.3 over TFO . 90
4.4.2 QUIC over UDP . 95
4.4.3 QUIC[TLS] over UDP . 99

Chapter 5: Provable Security Analysis of FIDO2 . 102
5.1 Introduction . 102
5.1.1 Related Work and Focus . 102
5.1.2 Our Contributions . 103
5.2 IND-1$PA Security for Deterministic Encryption . 108
5.3 PIN-Based Authenticator Setup and Authenticated Channel Establishment . 109
5.3.1 Protocol Syntax . 109
5.3.2 Security Model . 111
5.4 The Client to Authenticator Protocol v2.0 and its Security . 116
5.4.1 Protocol Description . 116
5.4.2 Security Results . 118
5.5 The PIN-Based Authenticator Setup and Key Exchange Protocol and its Security . 120
5.5.1 Protocol Description . 120
5.5.2 Security Results . 121
5.6 Authenticator-Assisted Passwordless User Authentication . 123
5.6.1 Protocol Syntax . 123
5.6.2 Security Model . 125
5.7 The W3C Web Authentication Protocol and its Security . 131
5.7.1 Protocol Description . 132
5.7.2 Security Results . 132
5.8 The WebAuthn+ Protocol and its Security . 133
5.9 Composition . 133

Chapter 6: Conclusion . 136

Appendix A: Proofs of Theorems . 138
A.1 Proof of Theorem 6 . 138
A.2 Proof of Theorem 7 . 139
A.3 Proof of Theorem 8 . 140
A.4 Proof of Theorem 9 . 141
A.5 Proof of Theorem 10 . 143
A.6 Proof of Theorem 11 . 144
A.7 Proof of Theorem 12 . 146
A.8 Proof of Theorem 13 . 146

Appendix B: QUIC and TLS 1.3's Stateful AEAD Schemes and Their Security . 148
B.1 QUIC's Stateful AEAD Scheme and its Security . 148
B.2 TLS 1.3's Stateful AEAD Scheme and its Security . 149

Appendix C: msACCE-std Security of TLS 1.3 over TFO and QUIC over UDP . 151
C.1 TFO+TLS 1.3's msACCE-std Security . 151
C.2 UDP+QUIC's msACCE-std Security . 154

References . 164
Vita . 165

LIST OF TABLES

1.1 Latency comparison of layered protocols . 9
1.2 Security comparison . 11
3.1 Performance of the Time-Based Device-Assisted HAKE . 63

LIST OF FIGURES

2.1 Functionality F_PAKE [50] . 24
3.1 Graph of the sequential oracle calls in the η-unforgeability experiment . 43
3.2 Basic HAKE construction . 54
3.3 Confirmed HAKE construction . 57
3.4 Time-Based HAKE construction . 61
4.1 TCP header. [96] . 68
4.2 UDP header. [97] . 68
4.3 TFO+TLS 1.3 (EC)DHE 2-RTT full handshake (left) and TFO+TLS 1.3 PSK-(EC)DHE 0-RTT resumption handshake (right). * indicates optional messages. () indicates messages protected using the 0-RTT keys derived from a pre-shared key. {} and [] indicate messages protected with initial and final keys. . 70
4.4 QUIC 1-RTT full handshake (left) and UDP+QUIC 0-RTT resumption handshake (right). * indicates optional messages. {} and [] indicate messages protected with initial and final keys. . 73
5.1 Communication Channels. . 109
5.2 Relations between PASACE security notions.