Security vulnerability in TLS 1.3 PSK mode?

Cryptology ePrint Archive: Report 2019/347

Selfie: reflections on TLS 1.3 with PSK Nir Drucker and Shay Gueron Abstract:

TLS 1.3 allows two parties to establish a shared session key from an out-of-band agreed Pre Shared Key (PSK). This PSK is used to mutually authenticate the parties, under the assumption that it is not shared with others. This allows the parties to skip the certificate verification steps, saving bandwidth, communication rounds, and latency.

We identify a security vulnerability in this TLS 1.3 path, by showing a new reflection attack that we call ``Selfie''. The Selfie attack breaks the mutual authentication. It leverages the fact that TLS does not mandate explicit authentication of the server and the client in every message.

The paper explains the root cause of this TLS 1.3 vulnerability, demonstrates the Selfie attack on the TLS implementation of OpenSSL and proposes appropriate mitigation.

The attack is surprising because it breaks some assumptions and uncovers an interesting gap in the existing TLS security proofs. We explain the gap in the model assumptions and subsequently in the security proofs. We also provide an enhanced Multi-Stage Key Exchange (MSKE) model that captures the additional required assumptions of TLS 1.3 in its current state. The resulting security claims in the case of external PSKs are accordingly different.

Category / Keywords: cryptographic protocols / TLS 1.3, Reflection attack, Network security, Multi-Stage Key Exchange model Date: received 31 Mar 2019, last revised 5 Apr 2019 Contact author: shay gueron at gmail com,drucker nir@gmail com Available format(s): |()[

]