Hash Function Combiners in TLS and SSL

The TLS and SSL protocols are widely used to ensure secure communication over an untrusted network. Therein, a client and server first engage in the so-called handshake protocol to establish shared keys that are subsequently used to encrypt and authenticate the data transfer. To ensure that the obtained keys are as secure as possible, TLS and SSL deploy hash function combiners for key derivation and the authentication step in the handshake protocol. A robust combiner for hash functions takes two candidate implementations and constructs a hash function which is secure as long as at least one of the candidates is secure. In this work, we analyze the security of the proposed TLS/SSL combiner constructions for pseudorandom functions resp. message authentication codes.

[1]  Martijn Stam Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions , 2008, CRYPTO.

[2]  Yevgeniy Dodis,et al.  Getting the Best Out of Existing Hash Functions; or What if We Are Stuck with SHA? , 2008, ACNS.

[3]  Phong Q. Nguyen Progress in Cryptology - VIETCRYPT 2006 , 2007 .

[4]  Dan Boneh,et al.  On the Impossibility of Efficiently Combining Collision Resistant Hash Functions , 2006, CRYPTO.

[5]  Shoichi Hirose,et al.  A Note on the Strength of Weak Collision Resistance , 2004 .

[6]  Hugo Krawczyk,et al.  Keying Hash Functions for Message Authentication , 1996, CRYPTO.

[7]  Ahmad-Reza Sadeghi,et al.  Universally Composable Security Analysis of TLS , 2008, ProvSec.

[8]  Jonathan Katz,et al.  Aggregate Message Authentication Codes , 1995 .

[9]  Ronald Cramer,et al.  Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings , 2005, EUROCRYPT.

[10]  Marc Fischlin,et al.  Multi-property Preserving Combiners for Hash Functions , 2008, TCC.

[11]  Marc Stevens,et al.  Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate , 2009, CRYPTO.

[12]  Moni Naor Advances in Cryptology - EUROCRYPT 2007, 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Barcelona, Spain, May 20-24, 2007, Proceedings , 2007, EUROCRYPT.

[13]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[14]  Victor Shoup Advances in Cryptology - CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005, Proceedings , 2005, CRYPTO.

[15]  Luca Trevisan,et al.  Amplifying Collision Resistance: A Complexity-Theoretic Treatment , 2007, CRYPTO.

[16]  Phillip Rogaway,et al.  Formalizing Human Ignorance , 2006, VIETCRYPT.

[17]  電子情報通信学会 IEICE transactions on fundamentals of electronics, communications and computer sciences , 1992 .

[18]  Marc Fischlin,et al.  Security-Amplifying Combiners for Collision-Resistant Hash Functions , 2007, CRYPTO.

[19]  P. Hoffman Internet Draft , 1998 .

[20]  Krzysztof Pietrzak,et al.  Non-trivial Black-Box Combiners for Collision-Resistant Hash-Functions Don't Exist , 2007, EUROCRYPT.

[21]  Neal Koblitz,et al.  Advances in Cryptology — CRYPTO ’96 , 2001, Lecture Notes in Computer Science.

[22]  Cynthia Dwork,et al.  Advances in Cryptology – CRYPTO 2020: 40th Annual International Cryptology Conference, CRYPTO 2020, Santa Barbara, CA, USA, August 17–21, 2020, Proceedings, Part III , 2020, Annual International Cryptology Conference.

[23]  Christophe De Cannière,et al.  Preimages for Reduced SHA-0 and SHA-1 , 2008, CRYPTO.

[24]  Bogdan Warinschi,et al.  A Modular Security Analysis of the TLS Handshake Protocol , 2008, ASIACRYPT.

[25]  Krzysztof Pietrzak,et al.  Compression from Collisions, or Why CRHF Combiners Have a Long Output , 2008, CRYPTO.

[26]  Hugo Krawczyk,et al.  Pseudorandom functions revisited: the cascade construction and its concrete security , 1996, Proceedings of 37th Conference on Foundations of Computer Science.

[27]  Robin Milner,et al.  On Observing Nondeterminism and Concurrency , 1980, ICALP.

[28]  Ralph C. Merkle,et al.  One Way Hash Functions and DES , 1989, CRYPTO.

[29]  Bruce Schneier One-way hash functions , 1991 .

[30]  Tal Malkin Topics in Cryptology - CT-RSA 2008, The Cryptographers' Track at the RSA Conference 2008, San Francisco, CA, USA, April 8-11, 2008. Proceedings , 2008, CT-RSA.

[31]  Christopher Allen,et al.  The TLS Protocol Version 1.0 , 1999, RFC.

[32]  Xiaoyun Wang,et al.  How to Break MD5 and Other Hash Functions , 2005, EUROCRYPT.

[33]  Alfred Menezes,et al.  Topics in Cryptology – CT-RSA 2005 , 2005 .

[34]  Josef Pieprzyk,et al.  Advances in Cryptology - ASIACRYPT 2008, 14th International Conference on the Theory and Application of Cryptology and Information Security, Melbourne, Australia, December 7-11, 2008. Proceedings , 2008, ASIACRYPT.

[35]  Amir Herzberg,et al.  On Tolerant Cryptographic Constructions , 2005, CT-RSA.

[36]  Hugo Krawczyk,et al.  On Extract-then-Expand Key Derivation Functions and an HMAC-based KDF ∗ , 2008 .

[37]  Shai Halevi Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009. Proceedings , 2009, CRYPTO.

[38]  Xiaoyun Wang,et al.  Finding Collisions in the Full SHA-1 , 2005, CRYPTO.

[39]  A. J. Menezes,et al.  Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2007, Proceedings , 2007, CRYPTO.

[40]  Marc Fischlin,et al.  Robust Multi-property Combiners for Hash Functions Revisited , 2008, ICALP.

[41]  Marc Fischlin,et al.  Delayed-Key Message Authentication for Streams , 2010, TCC.

[42]  Hugo Krawczyk,et al.  HMAC-based Extract-and-Expand Key Derivation Function (HKDF) , 2010, RFC.

[43]  Ivan Damgård,et al.  A Design Principle for Hash Functions , 1989, CRYPTO.

[44]  Eric Rescorla,et al.  SSL and TLS: Designing and Building Secure Systems , 2000 .

[45]  Mihir Bellare,et al.  Constructing VIL-MACsfrom FIL-MACs: Message Authentication under Weakened Assumptions , 1999, CRYPTO.