A Formal Treatment of Accountable Proxying Over TLS

Much of Internet traffic nowadays passes through active proxies, whose role is to inspect, filter, cache, or transform data exchanged between two endpoints. To perform their tasks, such proxies modify channel-securing protocols, like TLS, resulting in serious vulnerabilities. Such problems are exacerbated by the fact that middleboxes are often invisible to one or both endpoints, leading to a lack of accountability. A recent protocol, called mcTLS, pioneered accountability for proxies, which are authorized by the endpoints and given limited read/write permissions to application traffic. Unfortunately, we show that mcTLS is insecure: the protocol modifies the TLS protocol, exposing it to a new class of middlebox-confusion attacks. Such attacks went unnoticed mainly because mcTLS lacked a formal analysis and security proofs. Hence, our second contribution is to formalize the goal of accountable proxying over secure channels. Third, we propose a provably-secure alternative to soon-to-be-standardized mcTLS: a generic and modular protocol-design that care- fully composes generic secure channel-establishment protocols, which we prove secure. Finally, we present a proof-of-concept implementation of our design, instantiated with unmodified TLS 1.3, and evaluate its overheads.

[1]  Alfredo Pironti,et al.  Proving the TLS Handshake Secure (as it is) , 2014, IACR Cryptol. ePrint Arch..

[2]  Karthikeyan Bhargavan,et al.  HACL*: A Verified Modern Cryptographic Library , 2017, CCS.

[3]  Ueli Maurer,et al.  (De-)Constructing TLS 1.3 , 2015, INDOCRYPT.

[4]  Nick Sullivan,et al.  The Security Impact of HTTPS Interception , 2017, NDSS.

[5]  Alfredo Pironti,et al.  FLEXTLS: A Tool for Testing TLS Implementations , 2015, WOOT.

[6]  Kenneth G. Paterson,et al.  Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol , 2011, ASIACRYPT.

[7]  Benjamin Richard,et al.  A Cryptographic Analysis of UMTS/LTE AKA , 2016, ACNS.

[8]  Christos Gkantsidis,et al.  And Then There Were More: Secure Communication for More Than Two Parties , 2017, CoNEXT.

[9]  Tibor Jager,et al.  On the Security of TLS-DHE in the Standard Model , 2012, CRYPTO.

[10]  Benjamin Richard,et al.  Achieving Better Privacy for the 3GPP AKA Protocol , 2016, Proc. Priv. Enhancing Technol..

[11]  Ueli Maurer,et al.  (De-)Constructing TLS , 2014, IACR Cryptol. ePrint Arch..

[12]  Alfredo Pironti,et al.  Implementing TLS with Verified Cryptographic Security , 2013, 2013 IEEE Symposium on Security and Privacy.

[13]  Tibor Jager,et al.  On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption , 2015, CCS.

[14]  Marc Fischlin,et al.  A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol , 2016, IACR Cryptol. ePrint Arch..

[15]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[16]  Benjamin Richard,et al.  Content delivery over TLS: a cryptographic analysis of keyless SSL , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[17]  Dengguo Feng,et al.  Multiple Handshakes Security of TLS 1.3 Candidates , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[18]  Britta Hale,et al.  0-RTT Key Exchange with Full Forward Secrecy , 2017, EUROCRYPT.

[19]  Kenneth G. Paterson,et al.  On the Security of the TLS Protocol: A Systematic Analysis , 2013, IACR Cryptol. ePrint Arch..

[20]  Daniel Zappala,et al.  TLS Proxies: Friend or Foe? , 2014, Internet Measurement Conference.

[21]  Pierre-Yves Strub,et al.  Dependent types and multi-monadic effects in F* , 2016, POPL.

[22]  Bogdan Warinschi,et al.  A Modular Security Analysis of the TLS Handshake Protocol , 2008, ASIACRYPT.

[23]  Karthikeyan Bhargavan,et al.  Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[24]  Marc Fischlin,et al.  A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates , 2015, IACR Cryptol. ePrint Arch..

[25]  Chris Brzuska,et al.  A Modular Security Analysis of EAP and IEEE 802.11 , 2017, Public Key Cryptography.

[26]  Alfredo Pironti,et al.  Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS , 2014, 2014 IEEE Symposium on Security and Privacy.

[27]  Douglas Stebila,et al.  Safely Exporting Keys from Secure Channels - On the Security of EAP-TLS and TLS Key Exporters , 2016, EUROCRYPT.

[28]  Marc Fischlin,et al.  Less is more: relaxed yet composable security notions for key exchange , 2013, International Journal of Information Security.

[29]  Pablo Rodriguez,et al.  Multi-Context TLS (mcTLS): Enabling Secure In-Network Functionality in TLS , 2015, Comput. Commun. Rev..

[30]  Hugo Krawczyk,et al.  The OPTLS Protocol and TLS 1.3 , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[31]  Marc Fischlin,et al.  Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[32]  Hervé Debar,et al.  TLS Record Protocol: Security Analysis and Defense-in-depth Countermeasures for HTTPS , 2015, AsiaCCS.