
Selfie: reflections on TLS 1.3 with PSK

Journal of Cryptology

Abstract

TLS 1.3 allows two parties to establish a shared session key from an out-of-band agreed pre-shared key (PSK). The PSK is used to mutually authenticate the parties, under the assumption that it is not shared with others. This allows the parties to skip the certificate verification steps, saving bandwidth, communication rounds, and latency. In this paper, we identify a vulnerability in this specific TLS 1.3 option by showing a new “reflection attack” that we call “Selfie.” This attack uses the fact that TLS does not mandate explicit authentication of the server and the client, and leverages it to break the protocol’s mutual authentication property. We explain the root cause of this TLS 1.3 vulnerability, provide a fully detailed demonstration of a Selfie attack using the TLS implementation of OpenSSL, and propose mitigation. The Selfie attack is the first attack on TLS 1.3 after its official release in 2018. It is surprising because it uncovers an interesting gap in the existing TLS 1.3 models that the security proofs rely on. We explain the gap in these model assumptions and show how it affects the proofs in this case.


References

  1. D. Adrian, K. Bhargavan, Z. Durumeric, P. Gaudry, M. Green, J.A. Halderman, N. Heninger, D. Springall, E. Thomé, L. Valenta, B. VanderSloot, E. Wustrow, S. Zanella-Béguelin, P. Zimmermann, Imperfect forward secrecy: how Diffie-Hellman fails in practice. in: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, (ACM, New York, NY, USA), CCS ’15, pp. 5–17, (2015) https://doi.org/10.1145/2810103.2813707

  2. N. Aviram, S. Schinzel, J. Somorovsky, N. Heninger, M. Dankel, J. Steube, L. Valenta, D. Adrian, J.A. Halderman, V. Dukhovni, E. Käsper, S. Cohney, S. Engels, C. Paar, Y. Shavitt, DROWN: Breaking TLS using SSLv2. in Proceedings of the 25th USENIX Security Symposium, pp. 1–18, (2016) https://www.semanticscholar.org/paper/DROWN%3A-Breaking-TLS-Using-SSLv2-Aviram-Schinzel/2aa0e44b8529de8ee75138eade8aba0bfb9f008f

  3. M. Bellare, P. Rogaway, Entity Authentication and Key Distribution. in Stinson DR (ed) Advances in Cryptology — CRYPTO’ 93, (Springer Berlin Heidelberg, Berlin, Heidelberg), pp. 232–249, (1994) https://doi.org/10.1007/3-540-48329-2_21

  4. D. Benjamin, C.A. Wood, Importing External PSKs for TLS. Internet-Draft draft-ietf-tls-external-psk-importer-02, Internet Engineering Task Force, https://datatracker.ietf.org/doc/html/draft-ietf-tls-external-psk-importer-02, work in Progress (2019)

  5. K. Bhargavan, B. Blanchet, N. Kobeissi, Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate. in 2017 IEEE symposium on security and privacy (SP), IEEE, pp. 483–502, (2017) https://doi.org/10.1109/SP.2017.26

  6. C. Cremers, M. Horvat, S. Scott, T. van der Merwe, Automated Analysis and Verification of TLS 1.3: 0-RTT, resumption and delayed authentication. in: 2016 IEEE Symposium on Security and Privacy (SP), pp. 470–485, (2016) https://doi.org/10.1109/SP.2016.35

  7. C. Cremers, M. Horvat, J. Hoyland, S. Scott, T. van der Merwe, A Comprehensive Symbolic Analysis of TLS 1.3. in: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, (ACM, New York, NY, USA), CCS ’17, pp. 1773–1788, (2017) https://doi.org/10.1145/3133956.3134063

  8. B. David, C. Cas, D. Jannik, M. Simon, S. Ralf, S. Benedikt, Tamarin prover. (2019) https://tamarin-prover.github.io/#

  9. A. Delignat-Lavaud, K. Bhargavan, Network-based origin confusion attacks against HTTPS virtual hosting. in: Proceedings of the 24th International Conference on World Wide Web, International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland, WWW ’15, pp. 227–237, (2015) https://doi.org/10.1145/2736277.2741089

  10. B. Dowling, M. Fischlin, F. Günther, D. Stebila, A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol. IACR Cryptology ePrint Archive, https://eprint.iacr.org/2016/081 (2017)

  11. N. Drucker, S. Gueron, Selfie : reflections on TLS 1.3 with PSK. IACR Cryptology ePrint Archive, https://eprint.iacr.org/2019/347 (2019)

  12. Z. Durumeric, F. Li, J. Kasten, J. Amann, J. Beekman, M. Payer, N. Weaver, D. Adrian, V. Paxson, M. Bailey, J.A. Halderman, The Matter of Heartbleed. in Proceedings of the 2014 Conference on Internet Measurement Conference, (ACM, New York, NY, USA), IMC ’14, pp. 475–488, (2014) https://doi.org/10.1145/2663716.2663755

  13. M. Fischlin, F. Günther, Multi-Stage Key Exchange and the Case of Google’s QUIC Protocol. in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, (ACM, New York, NY, USA), CCS ’14, pp. 1193–1204, (2014) https://doi.org/10.1145/2660267.2660308

  14. M. Fischlin, F. Günther, Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates. IACR Cryptology ePrint Archive, https://eprint.iacr.org/2017/082.pdf (2017a)

  15. M. Fischlin, F. Günther, Replay attacks on zero round-trip time: the case of the TLS 1.3 handshake candidates. in 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 60–75, (2017b) https://doi.org/10.1109/EuroSP.2017.18

  16. M. Fischlin, F. Gunther, B. Schmidt, B. Warinschi, Key confirmation in key exchange: a formal treatment and implications for TLS 1.3. in 2016 IEEE Symposium on Security and Privacy (SP), pp. 452–469, (2016) https://doi.org/10.1109/SP.2016.34

  17. F. Hao, On Robust Key Agreement Based on Public Key Authentication. in R. Sion, (ed) Financial Cryptography and Data Security, (Springer Berlin Heidelberg, Berlin, Heidelberg), pp. 383–390, (2010) https://doi.org/10.1007/978-3-642-14577-3_33

  18. F. Hao, S.F. Shahandashti, The SPEKE protocol revisited. in Security Standardisation Research, (Springer International Publishing, Cham), pp. 26–38, (2014) https://doi.org/10.1007/978-3-319-14054-4_2

  19. N. Heninger, Z. Durumeric, E. Wustrow, J.A. Halderman, Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices. in Presented as part of the 21st USENIX Security Symposium (USENIX Security 12), USENIX, (Bellevue, WA), pp. 205–220, (2012) https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/heninger

  20. R. Holz, J. Amann, O. Mehani, M. Wachs, M.A. Kaafar, D. Csiro, TLS in the Wild: An Internet-wide Analysis of TLS-based Protocols for Electronic Communication. NDSS pp. 21–24, (2016) https://doi.org/10.14722/ndss.2016.23055

  21. R. Housley, TLS 1.3 Extension for Certificate-based Authentication with an External Pre-Shared Key. Internet-Draft draft-ietf-tls-tls13-cert-with-extern-psk-00, Internet Engineering Task Force, https://datatracker.ietf.org/doc/html/draft-ietf-tls-tls13-cert-with-extern-psk-00, work in Progress (2019)

  22. R. Housley, J. Hoyland, M. Sethi, C.A. Wood, Guidance for External PSK Usage in TLS. Internet-Draft draft-dt-tls-external-psk-guidance-01, Internet Engineering Task Force, https://datatracker.ietf.org/doc/html/draft-dt-tls-external-psk-guidance-01, work in Progress (2020)

  23. T. Jager, J. Schwenk, J. Somorovsky, On the security of TLS 1.3 and QUIC against weaknesses in PKCS#1 V1.5 encryption. in: Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security, (ACM, New York, NY, USA), CCS ’15, pp. 1185–1196, (2015) https://doi.org/10.1145/2810103.2813657

  24. H. Krawczyk, P. Eronen, HMAC-based extract-and-expand key derivation function (HKDF). (2010) https://tools.ietf.org/html/rfc5869

  25. H. Krawczyk, H. Wee, The OPTLS Protocol and TLS 1.3. IEEE, pp 81–96, (2016) https://doi.org/10.1109/EuroSP.2016.18

  26. H. Krawczyk, M. Bellare, R. Canetti, HMAC: Keyed-Hashing for Message Authentication. (1997) https://tools.ietf.org/html/rfc2104

  27. X. Li, J. Xu, Z. Zhang, D. Feng, H. Hu, Multiple handshakes security of TLS 1.3 candidates. in 2016 IEEE Symposium on Security and Privacy (SP), pp. 486–505, (2016) https://doi.org/10.1109/SP.2016.36

  28. N. Mavrogiannopoulos, F. Vercauteren, V. Velichkov, B. Preneel, A cross-protocol attack on the TLS protocol. in Proceedings of the 2012 ACM Conference on Computer and Communications Security, (ACM, New York, NY, USA), CCS ’12, pp. 62–72, (2012) https://doi.org/10.1145/2382196.2382206

  29. A. Menezes, B. Ustaoglu, On reusing ephemeral keys in diffie-hellman key agreement protocols. Int J Appl Cryptol 2(2), 154–158, (2010) https://doi.org/10.1504/IJACT.2010.038308

  30. T. van der Merwe, An Analysis of the Transport Layer Security Protocol. PhD thesis, Royal Holloway, University of London, (2018) http://www.isg.rhul.ac.uk/~kp/theses/TvdMthesis.pdf

  31. Mininet Mininet - An Instant Virtual Network on your Laptop (or other PC) version mininet-2.2.2-170321-ubuntu-14.04.4-server-amd64.zip. (2019) http://mininet.org/

  32. OpenSSL OpenSSL commit 38023b87f037f4b832c236dfce2a76272be08763. (2019) https://github.com/openssl/openssl/commit/38023b87f037f4b832c236dfce2a76272be08763

  33. Oracle VirtualBox 5.1. (2018) https://www.virtualbox.org/

  34. T. Perrin, [noise] selfie attack. (2019) https://moderncrypto.org/mail-archive/noise/2019/002010.html

  35. E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, (2018) https://doi.org/10.17487/RFC8446, https://rfc-editor.org/rfc/rfc8446.txt

  36. S. Scott, TLS 1.3 modelled in Tamarin. (2018) https://samscott89.github.io/TLS13_Tamarin/

  37. M. Sethi, A. Peltonen, T. Aura, Misbinding Attacks on Secure Device Pairing and Bootstrapping. in Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, (Association for Computing Machinery, New York, NY, USA), Asia CCS ’19, pp. 453–464, (2019) https://doi.org/10.1145/3321705.3329813

  38. H. Tschofenig, P. Eronen, Pre-Shared Key Ciphersuites for Transport Layer Security (TLS). RFC 4279, (2005) https://doi.org/10.17487/RFC4279, https://rfc-editor.org/rfc/rfc4279.txt


Acknowledgements

We thank Matt Campagna, Adam Langley, Colm MacCarthaigh, Kenny Paterson, and Eric Rescorla for useful discussions and suggestions. We thank Gilad Ram for recommending Mininet for the demonstration.

This research was supported by: The Israel Science Foundation (Grant No. 1018/16); The BIU Center for Research in Applied Cryptography and Cyber Security, in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office; the Center for Cyber Law & Policy at the University of Haifa, in conjunction with the Israel National Cyber Directorate in the Prime Minister’s Office.


Corresponding author

Correspondence to Nir Drucker.

Additional information

Communicated by Colin Boyd.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

A Demonstrating the Selfie Attack


Fig. 3: Network configuration. (a) Normal configuration: both hosts communicate with each other (as intended). (b) The Selfie attack configuration: all packets sent to port P1 are reflected back to the sender, with the MAC and IP addresses swapped.

This section describes a demonstration of the Selfie attack in a way that can be repeated by the reader. For completeness, we also describe the system that we used for the experiments: a Linux (Ubuntu 16.04.3 LTS) OS running on a platform equipped with the latest 7th Generation Intel® Core™ processor (“Kaby Lake”), Intel® Xeon® Platinum 8124M CPU at 3.00 GHz, Core® i5-750.

The smallest network configuration for the Selfie attack requires at least one node that acts as a server and as a client (Alice) and a switch that acts as the Selfie mirror (Mallory). Our experiment was executed on a single desktop machine as follows. We emulated a virtual network using Mininet [31]. To run its virtual machine image, we used VirtualBox [33]. Inside the virtual machine, we installed the latest version of OpenSSL [32] configured to enable TLS 1.3.

We started the virtual network inside the virtual machine by executing

figure c

This generates a network with two nodes (Host 1 is Alice and Host 2 is Bob) and an ovsk switch (Mallory), as illustrated in Fig. 3. We used two configurations for the switch in order to simulate the normal intended operation (Fig. 3, panel a) and the Selfie attack scenario (panel b). The associated command lines for the normal configuration, where packets from port 1 (P1) are forwarded to port 2 (P2) and vice versa, are

figure d

For the Selfie attack configuration, we use the commands

figure e

and

figure f

The first command reflects every packet that arrives at P1 back to its origin (which is Host 1), with the source and destination IP and MAC addresses swapped. The second command tells the switch how to handle Address Resolution Protocol (ARP) requests. It is important (for this experiment) to set the priority of the second command higher than the priority of the first command, so that ARP replies still get through (otherwise, the second host remains unidentified and never receives any ARP messages).

In both hosts, we set the PSK to have the (arbitrary) value

figure g

Next, we opened a TLS 1.3 server (with OpenSSL) on both hosts, configured to listen on port 1443, as follows

figure h

Subsequently, we opened a client on Host 1 with the command

figure i

Remark 2

We comment about the specific TLS 1.3 implementation of OpenSSL. Here, the client always offers the psk_dhe_ke KE mode to the server. The server prefers the psk_dhe_ke mode over the psk_ke mode (because it provides FS). Therefore, our demonstration shows an attack on TLS 1.3 with external PSK in the psk_dhe_ke KE mode. Clearly, the Selfie attack is also possible in the psk_ke mode (see details in Sect. 3.1).

1.1 The Outcome

In the normal mode, the operation was as intended: Host 1 communicated with Host 2 and the TLS 1.3 with PSK session was established correctly. By contrast, under the Selfie attack, Host 1 ended up communicating with itself, consuming exactly the same messages that it delivered. The implications were discussed above.

It is interesting to note that this experiment cannot be repeated with BoringSSL (instead of OpenSSL) as the underlying cryptographic library. While BoringSSL enables TLS 1.3 by default, in both the client and the server, it does not support (implement) the option of using a PSK without certificates.

1.2 Demonstrating the Attack on a TLS 1.3 Without Ephemeral Keys

The Selfie attack can also be mounted without using ephemeral keys, i.e., for TLS 1.3 with PSKs in psk_ke mode (without FS). We verified this by an experiment. To this end, we prepared a patched version of OpenSSL that disables the psk_dhe_ke mode for the TLS client. Subsequently, we ran the above demonstration with the patched OpenSSL and added the -allow_no_dhe_kex flag to the client and server commands.

Remark 3

We comment on OpenSSL’s implementation of TLS. The TLS 1.3 server application (s_server) of OpenSSL provides two flags, -no_dhe and -allow_no_dhe_kex, with the documented descriptions “Disable ephemeral DH” and “In TLS v1.3 allow non-(ec)dhe based key exchange on resumption,” respectively. Therefore, we expected that using these flags would cause the server to operate only in the psk_ke mode. However, this did not give the expected results because the client always offers the psk_dhe_ke mode. We could not find an (intuitive) way to run the client in psk_ke mode. Therefore, we patched the client code to disable the psk_dhe_ke mode. This allows us to demonstrate that the Selfie attack is valid also in the psk_ke mode and not only in the psk_dhe_ke mode as above. Note that the attack relies on a property of TLS and not on a specific implementation of OpenSSL.
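As an added illustration (example code, not from the paper or from OpenSSL), a reduced Python model of the PSK binder check shows why an endpoint that runs both roles accepts its own reflected ClientHello, and how a direction-bound key rejects it; the HMAC-based binder, the reflection check and the direction-label derivation are simplifications and assumptions of this example, not the paper's mitigation text.

```python
import hashlib
import hmac
import os

# Reduced model of the TLS 1.3 external-PSK handshake, constructed for illustration.
# The real binder is an HMAC over the ClientHello transcript keyed with an
# HKDF-derived binder_key; here one HMAC over (random || identity) stands in.
PSK = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")  # constructed sample key

def binder(key: bytes, transcript: bytes) -> bytes:
    return hmac.new(key, transcript, hashlib.sha256).digest()

def client_hello(key: bytes, psk_identity: bytes) -> dict:
    # A ClientHello names the PSK but says nothing about which endpoint sent it
    # or which role (client or server) that endpoint is playing.
    rand = os.urandom(32)
    return {"random": rand, "identity": psk_identity,
            "binder": binder(key, rand + psk_identity)}

def server_accepts(key: bytes, hello: dict) -> bool:
    expected = binder(key, hello["random"] + hello["identity"])
    return hmac.compare_digest(expected, hello["binder"])

def selfie_vulnerable() -> tuple:
    # Both endpoints hold the same PSK and each runs a client and a server.
    hello = client_hello(PSK, b"shared-id")          # Alice's client -> Bob (intended)
    bob_accepts = server_accepts(PSK, hello)
    alice_accepts = server_accepts(PSK, hello)       # same bytes reflected to Alice's server
    return bob_accepts, alice_accepts                 # (True, True): reflection accepted

def is_reflection(own_outstanding_randoms: set, hello: dict) -> bool:
    # Endpoint-side check (assumed, not from the paper): an incoming ClientHello
    # whose random equals one this endpoint itself emitted is its own message.
    return hello["random"] in own_outstanding_randoms

def directional_key(psk: bytes, sender: bytes, receiver: bytes) -> bytes:
    # Mitigation (assumed here): derive one key per direction from the shared PSK,
    # so a server only accepts binders computed with the key for peer -> self.
    return hmac.new(psk, b"psk-direction|" + sender + b"->" + receiver,
                    hashlib.sha256).digest()

def selfie_mitigated() -> tuple:
    k_ab = directional_key(PSK, b"Alice", b"Bob")
    k_ba = directional_key(PSK, b"Bob", b"Alice")
    hello = client_hello(k_ab, b"Alice->Bob")
    bob_accepts = server_accepts(k_ab, hello)        # Bob's server expects Alice -> Bob
    alice_accepts = server_accepts(k_ba, hello)      # Alice's server expects Bob -> Alice
    return bob_accepts, alice_accepts                 # (True, False): reflection rejected
```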


Cite this article

Drucker, N., Gueron, S. Selfie: reflections on TLS 1.3 with PSK. J Cryptol 34, 27 (2021). https://doi.org/10.1007/s00145-021-09387-y
