Security Notions for Fully Encrypted Protocols

Security Notions for Fully Encrypted Protocols
Slide Note
Embed
Share

Dive into the realm of Fully Encrypted Protocols as experts explore the challenges, solutions, and value they bring in the domain of secure communication. Discover the nuances of FEPs, their mathematical underpinnings, and their role in circumventing censorship while safeguarding metadata. Uncover the innovations and potential future developments in this crucial area of cybersecurity.

  • Security
  • Encrypted Protocols
  • Censorship Circumvention
  • Metadata Protection
  • Cybersecurity
kun_ahe
kun_ahe Follow

Uploaded on Feb 17, 2025 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Security Notions for Fully Encrypted Protocols Ellis Fenske (U.S. Naval Academy) Aaron Johnson (U.S. Naval Research Lab) February 15th, 2023 Free and Open Communications on the Internet (FOCI 23)

  2. Fully Encrypted Protocols (FEPs) Communication protocol All bytes look random Packet lengths variable Used in some censorship- circumvention systems obfs4 (Tor) shadowsocks Obfuscated SSH OpenVPN + XOR patch Vmess (V2Ray) App1 App2 FEP1 FEP2 2

  3. Fully Encrypted Protocols (FEPs) Problem: No mathematical definition of FEPs Security cannot be proven Goal seems inherently mathematical IND$-CPA: similar goal but for atomic messaging Solution: New security definitions for FEPs and a candidate secure FEP construction 1. Passively secure: FEP-CPFA (Fully Encrypted Protocol under Chosen Plaintext-Fragment Attacks) 2. Actively secure: FEP-CCFA (Fully Encrypted Protocol under Chosen Ciphertext-Fragment Attacks) 3. Packet sizes: Length shaping 3

  4. Terminology Other terms used Obfuscated protocol Look-like-nothing / look-like-random protocol Randomized / randomizer protocol Why fully encrypted protocols? Unused for other concepts Positive connotation Abbreviates (FEPs) Exposing the Great Firewall's Dynamic Blocking of Fully Encrypted Traffic by Anonymous, Kevin Bock, Jackson Sippe, Shelikhoo, David Fifield, Eric Wustrow, Dave Levin, Amir Houmansadr. June 2022. 4

  5. Value of FEPs Censorship circumvention Not easily detected as carrying proxied traffic Very limited metadata for selective blocking (e.g. targeting applications) - China is blocking FEPs ( Exposing the Great Firewall's Dynamic Blocking of Fully Encrypted Traffic by Anonymous et al.) Natural endpoint of secure communication protocols Maximally protects metadata Modern protocols protect more metadata: QUIC, TLS 1.3 Encrypted Client Hello, Noise protocol framework IETF Internet-Draft: Pseudorandom Extension for cTLS a cTLS extension that allows each party to emit a purely pseudorandom bitstream TODO: More precise security properties and security proof. The goal we're after hasn't been widely considered in the literature so far, at least as far as we can tell. 5

  6. Setting Datastream setting* Inputs and outputs treated as byte streams Reliable, in-order delivery Models TCP Unidirectional channel Pre-shared key (or: data transport phase) App1 App2 SEND RECV Plaintext fragmentation Ciphertext fragmentation *Marc Fischlin, Felix G nther, Giorgia Azzurra Marson, and Kenneth G. Paterson. Data is a stream: Security of stream 6

  7. Protocol Model SEND RECV Input m : plaintext message p : packet length f : flush flag Output c : ciphertext Input c : ciphertext Output m : plaintext message C : channel close flag In implementation, SEND and RECV would interact with sockets. 7

  8. Passive security: FEP-CPFA (Chosen Plaintext-Fragment Attacks) Security experiment Random World Real World 1. Challenger chooses bit b. 2. Adversary can query stateful oracle O 3. Adversary outputs guess b . 4. Success if b =b. O0 O1 SEND(m,p,f) SEND(m,p,f) b SEND. Outputs |SEND(m,p,f)| random bytes Outputs SEND(m,p,f) Definition:Protocol is FEP-CPFA if success probability is negligible. 8

  9. Passive security: FEP-CPFA (Chosen Plaintext-Fragment Attacks) Security experiment Random World Real World 1. Challenger chooses bit b. 2. Adversary can query stateful oracle O 3. Adversary outputs guess b . 4. Success if b =b. O0 O1 SEND(m,p,f) SEND(m,p,f) b SEND. Outputs |SEND(m,p,f)| random bytes Outputs SEND(m,p,f) Definition:Protocol is FEP-CPFA if success probability is negligible. Obfuscated OpenSSH: without an optional pre-shared key, all key material is observable, and so it does not satisfy FEP-CPFA. 9

  10. Active security: FEP-CCFA (Chosen Ciphertext-Fragment Attacks) Security experiment CS: Outputs from O CR: Inputs to O CLOSE(CS, CR): Ideal channel close behavior Real World Random World b SEND O0 O1 b SEND(m,p,f) SEND(m,p,f) RECV Outputs |SEND(m,p,f)| random bytes Outputs SEND(m,p,f) 1. Challenger chooses bit b. 2. Adversary can query stateful oracles O O 3. Adversary outputs guess b . 4. Success if b =b. b SEND and O0 O1 RECV(c) RECV(c) b RECV. Always returns channel close flag C. Does not return output message m unless out of sync. Returns channel close flag CLOSE(CS, CR). Does not return output message m. Definition:Protocol is FEP-CCFA if success probability is negligible. 10

  11. Active security: FEP-CCFA (Chosen Ciphertext-Fragment Attacks) Security experiment CS: Outputs from O CR: Inputs to O CLOSE(CS, CR): Ideal channel close behavior Real World Random World b SEND O0 O1 b SEND(m,p,f) SEND(m,p,f) RECV Outputs |SEND(m,p,f)| random bytes Outputs SEND(m,p,f) 1. Challenger chooses bit b. 2. Adversary can query stateful oracles O O 3. Adversary outputs guess b . 4. Success if b =b. b SEND and O0 O1 RECV(c) RECV(c) b SEND. Always returns channel close flag C. Does not return output message m unless out of sync. Returns channel close flag CLOSE(CS, CR). Does not return output message m. obfs4: The channel is closed immediately upon decryption error, and so it does not satisfy FEP-CCFA with CLOSE=0. Definition:Protocol is FEP-CCFA if success probability is negligible. 11

  12. Channel behaviors Ideal channel closure CLOSE(CS, CR) examples Never close (e.g. shadowsocks) Close after timeout Close after first sync byte received after a modified byte TCP reveals more than closures, e.g. congestion window. 12

  13. Length Shaping Definition:Protocol satisfies length shaping if, for all messages m and p 0, |SEND(m,p,f=0)| = p, and |SEND(m,p,f=1)| p. Enables arbitrary traffic shaping Generalizes padding functionality of existing FEPs Requires buffering when output bytes aren t sufficient. 13

  14. Length Shaping Definition:Protocol satisfies length shaping if, for all messages m and p 0, |SEND(m,p,f=0)| = p, and |SEND(m,p,f=1)| p. Enables arbitrary traffic shaping Generalizes padding functionality of existing FEPs Requires buffering when output bytes aren t sufficient. padding, it does not satisfy length shaping. shadowsocks: without any support for 14

  15. Other FEP security requirements* IND-CCFA Indistinguishability Under Chosen-Ciphertext Fragment Attacks Provides confidentiality Not implied by FEP-CCFA because ciphertext lengths can leak plaintexts INT-CST Integrity of Ciphertext Streams Provides integrity Not implied by FEP-CPFA Probably implied by FEP-CCFA *Marc Fischlin, Felix G nther, Giorgia Azzurra Marson, and Kenneth G. Paterson. Data is a stream: Security of stream 15

  16. FEP-CCFA construction for CLOSE(CS, CR) = 0 : length ciphertext (AEAD) : data ciphertext (AEAD) lenc: length of data ciphertext lenp: length of padding m: plaintext message lenc MAC1 lenp m MAC2 0 0 Ciphertext format 16

  17. FEP-CCFA construction for CLOSE(CS, CR) = 0 : length ciphertext (AEAD) : data ciphertext (AEAD) lenc: length of data ciphertext lenp: length of padding m: plaintext message lenc MAC1 lenp m MAC2 0 0 Ciphertext format SEND(m,p,f ) 1. Padding added to yield at least p ciphertext bytes in buffer. Output buffer p 17

  18. FEP-CCFA construction for CLOSE(CS, CR) = 0 : length ciphertext (AEAD) : data ciphertext (AEAD) lenc: length of data ciphertext lenp: length of padding m: plaintext message lenc MAC1 lenp m MAC2 0 0 Ciphertext format SEND(m,p,f ) 1. Padding added to yield at least p ciphertext bytes in buffer. 2. p bytes sent from output buffer Output buffer p 18

  19. FEP-CCFA construction for CLOSE(CS, CR) = 0 : length ciphertext (AEAD) : data ciphertext (AEAD) lenc: length of data ciphertext lenp: length of padding m: plaintext message lenc MAC1 lenp m MAC2 0 0 Ciphertext format SEND(m,p,f ) 1. Padding added to yield at least p ciphertext bytes in buffer. 2. p bytes sent from output buffer Output buffer 19

  20. FEP-CCFA construction for CLOSE(CS, CR) = 0 : length ciphertext (AEAD) : data ciphertext (AEAD) lenc: length of data ciphertext lenp: length of padding m: plaintext message lenc MAC1 lenp m MAC2 0 0 Ciphertext format SEND(m,p,f ) 1. Padding added to yield at least p ciphertext bytes in buffer. 2. p bytes sent from output buffer Output buffer RECV(c) 1. Length then data ciphertexts decrypted and both removed. Input buffer 20

  21. FEP-CCFA construction for CLOSE(CS, CR) = 0 : length ciphertext (AEAD) : data ciphertext (AEAD) lenc: length of data ciphertext lenp: length of padding m: plaintext message lenc MAC1 lenp m MAC2 0 0 Ciphertext format SEND(m,p,f ) 1. Padding added to yield at least p ciphertext bytes in buffer. 2. p bytes sent from output buffer Output buffer RECV(c) 1. Length then data ciphertexts decrypted and both removed. 2. Output m is concatenated plaintexts; channel not closed Input buffer 21

  22. FEP-CCFA construction for CLOSE(CS, CR) = 0 : length ciphertext (AEAD) : data ciphertext (AEAD) lenc: length of data ciphertext lenp: length of padding m: plaintext message lenc MAC1 lenp m MAC2 0 0 Ciphertext format SEND(m,p,f ) 1. Padding added to yield at least p ciphertext bytes in buffer. 2. p bytes sent from output buffer Output buffer RECV(c) 1. Length then data ciphertexts decrypted and both removed. 2. Output m is concatenated plaintexts; channel not closed Input buffer 22

  23. Future Work Proving security of our construction Deriving relations between the security definitions Addressing forward secrecy via key exchange in the protocol Extending our definitions to the datagram setting 23

Related


Update on SWAG Protocols and New NICE TA Progress Report

Update on SWAG Protocols and New NICE TA Progress Report

lowie
Consistency Protocols in Distributed Systems

Consistency Protocols in Distributed Systems

rune
Fully Homomorphic Encryption: Foundations and Applications

Fully Homomorphic Encryption: Foundations and Applications

kora
Configuring Local Storage and File System in Linux System Administration

Configuring Local Storage and File System in Linux System Administration

yahya
Secure Memory Encryption Techniques for Virtual Machines across Multiple Hosts

Secure Memory Encryption Techniques for Virtual Machines across Multiple Hosts

joyce
Security with Functional Re-Encryption in Cryptography

Security with Functional Re-Encryption in Cryptography

persis
Secure Composition of Key Exchange Protocols

Secure Composition of Key Exchange Protocols

forb_470
Efficient Rekeying for Encrypted Deduplication Storage

Efficient Rekeying for Encrypted Deduplication Storage

miraklewo
WhatsApp End-to-End Encrypted Backup Protocol Security Analysis

WhatsApp End-to-End Encrypted Backup Protocol Security Analysis

chae_220
Encrypted Deduplication for Secure Cloud Storage

Encrypted Deduplication for Secure Cloud Storage

mui_ena
Homomorphic Encryption Overview

Homomorphic Encryption Overview

kol_ba
Securing Protocols with Fully Encrypted Protocols (FEPs)

Securing Protocols with Fully Encrypted Protocols (FEPs)

perreira_n
Bootstrapping in Fully Homomorphic Encryption

Bootstrapping in Fully Homomorphic Encryption

elaysia
Homomorphic Encryption and RLWE Schemes Overview

Homomorphic Encryption and RLWE Schemes Overview

galletta_n
Encrypted Data Deletion for Cloud Storage Servers

Encrypted Data Deletion for Cloud Storage Servers

avrd662
Cryptanalysis: Key Concepts and Techniques

Cryptanalysis: Key Concepts and Techniques

nik_hen
Strong Asymmetric PAKE Protocols

Strong Asymmetric PAKE Protocols

yamil
Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University

Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University

kol_lov
Franco-Japanese Cybersecurity Workshop Highlights and Future Plans

Franco-Japanese Cybersecurity Workshop Highlights and Future Plans

dkist
Secure Out-of-Band Remote Management Using Encrypted Virtual Serial Consoles in IaaS Clouds

Secure Out-of-Band Remote Management Using Encrypted Virtual Serial Consoles in IaaS Clouds

barn_z
Modular Security Analysis for Key Exchange and Authentication Protocols

Modular Security Analysis for Key Exchange and Authentication Protocols

area290
Comprehensive DevOps Security Training Overview

Comprehensive DevOps Security Training Overview

jahv_808

More Related Content