Data Is a Stream: Security of Stream-Based Channels

The common approach to defining secure channels in the literature is to consider transportation of discrete messages provided via atomic encryption and decryption interfaces. This, however, ignores that many practical protocols (including TLS, SSH, and QUIC) offer streaming interfaces instead, moreover with the complexity that the network (possibly under adversarial control) may deliver arbitrary fragments of ciphertexts to the receiver. To address this deficiency, we initiate the study of stream-based channels and their security. We present notions of confidentiality and integrity for such channels, akin to the notions for atomic channels, but taking the peculiarities of streams into account. We provide a composition result for our setting, saying that combining chosen-plaintext confidentiality with integrity of the transmitted ciphertext stream lifts confidentiality of the channel to chosen-ciphertext security. Notably, for our proof of this theorem in the streaming setting we need an additional property, called error predictability. We finally give an AEAD-based construction that achieves our notion of a secure stream-based channel. The construction matches rather well the one used in TLS, providing validation of that protocol’s design.

[1]  Kenneth G. Paterson,et al.  A Surfeit of SSH Cipher Suites , 2016, CCS.

[2]  Roy T. Fielding,et al.  Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing , 2014, RFC.

[3]  Tatu Ylönen,et al.  The Secure Shell (SSH) Protocol Architecture , 2006, RFC.

[4]  Chanathip Namprempre,et al.  Online Ciphers and the Hash-CBC Construction , 2001, CRYPTO.

[5]  Hugo Krawczyk,et al.  A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[6]  Chanathip Namprempre,et al.  Authenticated encryption in SSH: provably fixing the SSH binary packet protocol , 2002, CCS '02.

[7]  Randall J. Atkinson,et al.  Security Architecture for the Internet Protocol , 1995, RFC.

[8]  Jon Postel,et al.  User Datagram Protocol , 1980, RFC.

[9]  Chanathip Namprempre,et al.  Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm , 2004, TSEC.

[10]  Victor Shoup,et al.  Sequences of games: a tool for taming complexity in security proofs , 2004, IACR Cryptol. ePrint Arch..

[11]  Tibor Jager,et al.  On the Security of TLS-DHE in the Standard Model , 2012, CRYPTO.

[12]  Kenneth G. Paterson,et al.  On the (in)security of IPsec in MAC-then-encrypt configurations , 2010, CCS '10.

[13]  Alfredo Pironti,et al.  Implementing TLS with Verified Cryptographic Security , 2013, 2013 IEEE Symposium on Security and Privacy.

[14]  Eric Rescorla,et al.  Datagram Transport Layer Security Version 1.2 , 2012, RFC.

[15]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[16]  Kenneth G. Paterson,et al.  On Symmetric Encryption with Distinguishable Decryption Failures , 2013, FSE.

[17]  Tatu Ylönen,et al.  The Secure Shell (ssh) Transport Layer Protocol , 2006 .

[18]  Nikhil Swamy,et al.  Implementing and Proving the TLS 1.3 Record Layer , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[19]  Antoine Joux,et al.  Blockwise-Adaptive Attackers: Revisiting the (In)Security of Some Provably Secure Encryption Models: CBC, GEM, IACBC , 2002, CRYPTO.

[20]  Rafail Ostrovsky,et al.  Private Searching on Streaming Data , 2005, Journal of Cryptology.

[21]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[22]  Kenneth G. Paterson,et al.  Plaintext Recovery Attacks against SSH , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[23]  Damian Vizár,et al.  Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance , 2015, CRYPTO.

[24]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[25]  Kenneth G. Paterson,et al.  On the Security of the TLS Protocol: A Systematic Analysis , 2013, IACR Cryptol. ePrint Arch..

[26]  Kenneth G. Paterson,et al.  Plaintext-Dependent Decryption: A Formal Security Treatment of SSH-CTR , 2010, IACR Cryptol. ePrint Arch..

[27]  Roy T. Fielding,et al.  Hypertext Transfer Protocol - HTTP/1.1 , 1997, RFC.

[28]  Tadayoshi Kohno,et al.  Building Secure Cryptographic Transforms, or How to Encrypt and MAC , 2003, IACR Cryptol. ePrint Arch..

[29]  Antoine Joux,et al.  Authenticated On-Line Encryption , 2003, Selected Areas in Cryptography.

[30]  Phillip Rogaway,et al.  Authenticated-encryption with associated-data , 2002, CCS '02.

[31]  Tim Dierks,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008 .

[32]  Gregory V. Bard Blockwise-Adaptive Chosen-Plaintext Attack and Online Modes of Encryption , 2007, IMACC.

[33]  Kenneth G. Paterson,et al.  Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation , 2012, IACR Cryptol. ePrint Arch..

[34]  Alfredo Pironti,et al.  Truncating TLS Connections to Violate Beliefs in Web Applications , 2013, WOOT.

[35]  Mihir Bellare,et al.  The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs , 2006, EUROCRYPT.

[36]  Chanathip Namprempre,et al.  Reconsidering Generic Composition , 2014, IACR Cryptol. ePrint Arch..

[37]  Stefan Lucks,et al.  McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes , 2012, FSE.

[38]  Alfredo Pironti,et al.  Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS , 2014, 2014 IEEE Symposium on Security and Privacy.

[39]  Bogdan M. Wilamowski,et al.  The Transmission Control Protocol , 2005, The Industrial Information Technology Handbook.

[40]  Ueli Maurer,et al.  Augmented Secure Channels and the Goal of the TLS 1.3 Record Layer , 2015, ProvSec.

[41]  Gaven J. Watson,et al.  An analysis of the EMV channel establishment protocol , 2013, IACR Cryptol. ePrint Arch..

[42]  Martijn Stam,et al.  Rogue Decryption Failures: Reconciling AE Robustness Notions , 2015, IMACC.

[43]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[44]  Kenneth G. Paterson,et al.  Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol , 2011, ASIACRYPT.

[45]  Chanathip Namprempre,et al.  Secure Channels Based on Authenticated Encryption Schemes: A Simple Characterization , 2002, ASIACRYPT.

[46]  Hugo Krawczyk,et al.  Relaxing Chosen-Ciphertext Security , 2003, CRYPTO.

[47]  Moni Naor,et al.  Public-key cryptosystems provably secure against chosen ciphertext attacks , 1990, STOC '90.

[48]  Hugo Krawczyk,et al.  A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[49]  Ueli Maurer,et al.  On the soundness of authenticate-then-encrypt: formalizing the malleability of symmetric encryption , 2010, CCS '10.

[50]  Chanathip Namprempre,et al.  Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, Journal of Cryptology.

[51]  Periklis A. Papakonstantinou,et al.  Cryptography with Streaming Algorithms , 2014, CRYPTO.

[52]  Antoine Joux,et al.  Blockwise Adversarial Model for On-line Ciphers and Symmetric Encryption Schemes , 2004, Selected Areas in Cryptography.

[53]  Victor Shoup,et al.  On Formal Models for Secure Key Exchange , 1999, IACR Cryptol. ePrint Arch..

[54]  Mihir Bellare,et al.  Encode-Then-Encipher Encryption: How to Exploit Nonces or Redundancy in Plaintexts for Efficient Cryptography , 2000, ASIACRYPT.

[55]  Alexandra Boldyreva,et al.  Online Encryption Schemes: New Security Notions and Constructions , 2004, CT-RSA.