Paper 2023/913

Hidden Stream Ciphers and TMTO Attacks on TLS 1.3, DTLS 1.3, QUIC, and Signal

John Preuß Mattsson, Ericsson Research
Abstract

Transport Layer Security (TLS) 1.3 and the Signal protocol are very important and widely used security protocols. We show that the key update function in TLS 1.3 and the symmetric key ratchet in Signal can be modeled as non-additive synchronous stream ciphers. This means that the efficient Time Memory Tradeoff Attacks for stream ciphers can be applied. The implication is that TLS 1.3, QUIC, DTLS 1.3, and Signal offer a lower security level against TMTO attacks than expected from the key sizes. We provide detailed analyses of the key update mechanisms in TLS 1.3 and Signal, illustrate the importance of ephemeral key exchange, and show that the process that DTLS 1.3 and QUIC use to calculate AEAD limits is flawed. We provide many concrete recommendations for the analyzed protocols.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Minor revision. CANS 2023: Cryptology and Network Security
DOI
10.1007/978-981-99-7563-1_12
Keywords
TLS 1.3QUICSignalSecret-key CryptographyKey DerivationRatchetKey ChainStream CipherCryptanalysisTMTO
Contact author(s)
john mattsson @ ericsson com
History
2023-12-15: last of 4 revisions
2023-06-12: received
See all versions
Short URL
https://ia.cr/2023/913
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/913,
      author = {John Preuß Mattsson},
      title = {Hidden Stream Ciphers and {TMTO} Attacks on {TLS} 1.3, {DTLS} 1.3, {QUIC}, and Signal},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/913},
      year = {2023},
      doi = {10.1007/978-981-99-7563-1_12},
      url = {https://eprint.iacr.org/2023/913}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.