[00:00:33] >> Well over about it so I'm going to present our recent work on comparing the security of the efficient protocols for establishing a secure channel. So it appeared this year, and it is some extension of work we did a few years ago. Which here. [00:01:04] And I'm going to mention that work too. So it's a joint work with my student Shan Chan, and I have no idea how he talked me into giving a talk when I think he should have been giving the talk. He says he gave the talk before when he practiced for the conference but I think he could have done nothing but some home here. It's also a joint work with. [00:01:30] Or for all my might. To you. And Christian then you put out there all from the Northeastern. You all know, you all notice when you open some pages in the browser window these lock signs, or it can be the HTTPS symbols, which indicate that there is a secure connection established between your browser and the server you're talking to. [00:02:11] It used to be that a secure channel was needed to do some particular secure communications, such as when you're talking to a bank or you're providing your credit card number, but now channels are encrypted even when it's just a few kids who are exchanging some video on YouTube or some other things; still the communication is encrypted. [00:02:43] And. Doesn't go but so. It was here. So you think that's. They say like about half of the web traffic is now encrypted, and this number is much higher even for Google-related traffic. So how is communication encrypted? I'm sure many of you have a very good idea of how it's done, but I'll just go quickly over the background without much detail, so what's happening. [00:03:25] Usually the server you're talking to
Has a public key your browser will know, and the associated secret key only the server knows, and then the client (the browser) and the server engage in an interactive protocol, which I would call a secure channel establishment protocol, which consists of 2 major phases, and the 1st phase. [00:03:54] Sort of, in the 1st phase they communicate and try to establish a session, and then in the 2nd phase, the secure channel phase, they use the symmetric session key to just communicate securely with symmetric encryption. OK, so in a little bit more detail, we will not really need this, but just so you know better what I'm talking about, for the key exchange protocol. [00:04:28] The parties, to establish the session key, run the well-known Diffie-Hellman key exchange, where the parties just publicly exchange Diffie-Hellman shares, g to the x and g to the y, where the exponents are only known to the corresponding parties, and from there both parties can easily calculate the same shared secret, g to the xy. [00:05:02] But no attacker who just observes the communication, under the Diffie-Hellman assumption, which is believed to be true for the right groups, so no attacker can compute the shared secret. This is of course very simplistic, and this is unauthenticated Diffie-Hellman key exchange, which means that there are impersonation attacks possible, there are man-in-the-middle attacks possible, where an adversary can try to impersonate Alice, for example, and. [00:05:40] Then Bob sets up the key thinking he is talking to Alice, and can then encrypt messages to Alice using this key, but in fact the attacker knows this key. And to mitigate this problem we need authenticated Diffie-Hellman key exchange, and this is where public-key cryptography comes into place, because.
[00:06:10] If a party or both parties have keys, then we can have authenticated key exchange, when one or both parties are authenticated, and for that the party can just sign the communication using its secret key, and the other party can verify using the public key that indeed the communication is authentic. [00:06:37] OK, so with this you can have authenticated Diffie-Hellman key exchange. In simplistic terms, the parties can then use this symmetric key to communicate later. In the real world things are somewhat complicated because there are many different issues one has to take care of. [00:07:04] And that's why the real protocol is a little complicated, as I said, but all the main parts are there: Diffie-Hellman shares are there, there is a shared secret which. Almost like that, and there are signatures going on, but there is more stuff going on because, well, the real-world security is more complicated, but we don't need to know about this; for my talk you really don't need to know about these details at all. I just wanted to give you the background, so what my talk is about: it's about analyzing security, but specifically for protocols which are [00:07:50] now on the radar of some developers and researchers because they are the most efficient ones. So let's talk about efficiency for now. So the current standard is TLS 1.2; this is what is currently behind secure communication on the web. In terms of efficiency, right, and by efficiency here I'm not going to talk about the computational efficiency; I'm going to talk about the communication efficiency, the rounds of the. [00:08:26] Story. Rounds of interaction, so.
And the interactions include the exchange of Diffie-Hellman shares and so forth, and whatever is needed on top of that. So for the full protocol, by full protocol I mean when the client talks to the server for the 1st time, right, so there is some handshake going on, and there is an exchange of the Diffie-Hellman shares going on, so you need two round trips before the parties set the session [00:09:06] and data is encrypted. OK, if something happens, the connection is interrupted, or for some reason the client needs to talk to the server again, then the protocol can be faster because they don't have to run the full protocol; they can resume the protocol, and it can take one round-trip time before the data is encrypted, and this is because in TLS 1.2 there is this ticketing mechanism: during the full initial connection the server issues a ticket the client can save for later, to present, and to start the connection [00:09:55] faster. But before I continue I want to just tell you a little bit why latency, this efficiency, is important. So apparently it is extremely important. So one round-trip time from New York to London takes 7 tear milliseconds, and it was estimated that every 100 milliseconds of latency last time was on one percent of sales. Sounds impressive. [00:10:29] And also it was shown in some user studies that users notice when one website is slower than the other by just 250 milliseconds; they don't want to use the slower website. And there are other stats, like. Can delay conversion rates by 7 percent. I have no idea what conversion rate is, but they say it's one of the most important terms in marketing, so it is very important. [00:11:03] OK, so latency is important and people want to minimize round trips. So, TLS: there are several proposals, somewhat recent proposals, on how to improve.
Efficiency of TLS 1.2. So probably the best known is the newly proposed standard TLS 1.3, which probably soon will be the new standard; it was proposed in 2018. [00:11:44] And the other proposal is Google's QUIC protocol, which stands for Quick UDP Internet Connections protocol. It has been implemented in Chrome for quite some time, so it is used. And very recently there was. Who was in but that doesn't who was. [00:12:12] Recently there was the proposal to combine the ideas of QUIC and TLS: to use the TLS 1.3 protocol but to use a very interesting feature of QUIC, which is as follows. So TLS 1.2 and TLS 1.3, they both run on top of TCP, but QUIC's idea was to [00:12:48] not run on top of TCP but run on top of UDP, an unreliable layer, transport layer, and kind of take care of the reliability issues within the protocol itself, to improve efficiency and also probably to add some security. So in the combination the suggestion is to use the TLS 1.3 crypto protocol but to use QUIC's functionalities. [00:13:24] OK. So let's look at how these protocols achieve better efficiency. TLS 1.3: for the full initial protocol handshake, there is only one round trip needed before data can be encrypted. This is used by. The Allies ng. Still the session ticket is used to efficient security for the resumption, but for both protocols [00:14:06] there are somewhat like initial keys, which can be set faster but with sacrificing some security, but data can be sent fast in the beginning before the full session key is established. And they get the ticket to store, to speed up the resumption, so for the resumption it seems like you get 0-RTT, which is the ultimate goal for these protocols, to have 0-RTT; pretty much for the resumption you can send immediately, which is good. However, and I ignored that one, yes.
[00:15:01] No no there are no it's not in from the. Frame I don't remember the number. So I ignored this issue when I discussed 1.2 but that if this isn't the issue of the truth because people are speaking. Saurian this as its online, remember, TLS runs on top of TCP, and TCP has the [00:15:36] handshake, so it actually adds a round trip, so we'll have to add one more to the full protocol and the resumption. So then it seems that for the resumption there is no 0-RTT. But you can achieve 0-RTT with 1.3 if you use an optimization for TCP that's known as TCP Fast Open, and with this optimization you could achieve 0-RTT, to eliminate this [00:16:20] TCP round trip, and the idea is pretty much the same as with the tickets: during the full protocol the server issues a cookie, which is stored; later the client presents the cookie to indicate it's just continuing to talk to the server, and we get 0-RTT. [00:16:41] OK, this is TLS 1.3. To QUIC. For QUIC, it's designed so that the initial full handshake is one round-trip time, but for the resumption, 0-RTT. The ideas are the same: there is the token issued during the full protocol to speed up the resumption, and there are also initial keys which can be used to encrypt data right away, but with somewhat weaker security, before the full session key is established, and because QUIC does not run on top of TCP, [00:17:31] that's exactly what it is: 0-RTT, we don't have to add anything more. Overall, comparing all these protocols and the proposals, we're interested in those with 0-RTT for the resumption protocol, the most efficient ones, because they'll likely be chosen, would be used; and the 3rd one is this combination I mentioned. [00:18:06] So the goal for our work was to look at these protocols and compare their security. Here. Yes, the efficiency seems very, very comparable, but.
What about security, right? And that's what we wanted to analyze. And we wanted to analyze it using the provable security approach. For those who don't know how it works: well, you define the protocol, and [00:18:52] then you define the security model, which is a definition of security here, and you might have different security goals you may want to capture in the formal definition. The definition includes a formal description of the adversarial capabilities, what the attackers can do, and this should mimic practical law. [00:19:18] And also you define security, meaning when does the attacker win, what is the break of the scheme, and then security will be the absence of such attacks. And then you look at the protocol and you formally prove that it satisfies the security definition by reduction, meaning kind of by contradiction: if someone breaks the protocol, you show that you can break some hard computational problem, for example the security of a building block. OK, or of course, you know, you may not be able to prove security, and there are insecure protocols; then you just present an attack. [00:20:02] Of course we're not the 1st to analyze the security of these important protocols. TLS 1.3 he was. Quoted extensively in the security it. The only thing is, like, all works only look at the key exchange part. But if you want to have the security of the whole protocol, meaning key exchange and data exchange, the secure channel part, sometimes security you can pull from composition; for TLS 1.3 it doesn't quite follow, and the problem is some technical, subtle problems: there are some dependencies between the phases.
[00:20:49] So one should analyze the protocol as a whole, but no one really did; we just hope that it works, people believe it works. So for QUIC, again, its key exchange part was analyzed but fish Lyn Gunter in for tea and and, but it's also just for the key exchange part, and also there are dependency issues which would prevent the full protocol analysis. [00:21:25] In this work, this is actually a. Us and my former student prober leech of another, so this is the Oakland paper I mentioned, this is where we analyzed QUIC as a whole brought the whole section independent. Work out from the other doesn't say it seems like, OK, so the protocols were analyzed and proven secure, so then it seems like you can say, OK, [00:21:55] they have comparable security, and what's to do? But if you take a closer look at the details, actually there is a lot still to do; we're not done. Because. This is because here, as you saw, for efficiency it matters that the transport layer which is used is important, and the works on TLS, they never considered the issues with that, and. [00:22:32] There are many of. You may say it's not strictly security, but it's very related. Meaning possible attacks, I would say, like availability attacks, when it's not exactly that someone breaks security and discovers the underlying data being sent, but attackers may compromise the efficiency of the protocol; they can do something so that it becomes slower, for example falls back to the slower version one or to 2 versions, and since 0-RTT is the goal here, it's important to prevent such attacks. Again, [00:23:17] works on TLS, looking into this, they don't consider attacks like this, they don't look at the network packets, they just really analyze the crypto core. So in the QUIC, the Oakland paper, we started to do this availability analysis, or security of the whole network.
[00:23:44] Is done and so forth, but now we have the some comparable models, and we didn't do everything in that paper, so we just want to have the same model where we can analyze everything we want, including availability, and compare the protocols. So this is why we need to do something more, and, well, 1st, I'll go fast, we defined the security model which fits both QUIC and TLS and their combination. [00:24:22] And. I hear. Those germs and germs and germs. So we defined the syntax, namely we consider this multi-stage. The course of a cold the security of more than mall to see it stands for authenticated and confidential channel establishment protocol, so there are several phases of the key exchange, data exchange, and this is to model the initial keys, the final keys; there may be more than 2 stages here. Yes? [00:25:09] There is a c.c. people you know we didn't want we were on the show that would just the mix then some book the thing that's so good that's. OK, and then the main part, we spent the most time on; that's very common for works like this. For many practical protocols, defining the security model is [00:25:38] the most time-consuming thing because there are so many issues. And so for our security model, I'm not going to tell you the details, because it's like 5 pages in the paper, it's tedious, but the ideas: so 1st we capture the standard model notions, goals of security for [00:26:02] establishment protocols. So well just feel strong attackers who care. Who cannot be up to Valley are.
They can do many things. Of course they can read all the communication, they can modify the communication, they can impersonate parties, they can corrupt, they can learn session keys and so forth, but at the end we require that if the client sets the session key, it knows that it's with the server it's talking to, and knows the server by the public key, and no one else, and also this key is private, in the sense that the attacker has absolutely no information about this key and the key. [00:27:02] Yes, or no information whatsoever, and then of course the communications with this key should have data confidentiality in the strong sense. Should have integrity of ciphertext for authenticity and integrity purposes. So this is somewhat standard; we just have to adapt it to our protocol definition. [00:27:31] But as I mentioned, in addition we really want to pay attention to the availability security goals. This is somewhat normal for that we just look at. Messages The bait is delivered where the. Packets and. Several headers, headers corresponding to various layers. And so we're talking about the [00:28:10] network layer, and all the headers are important because. Even then not broke probably at least nothing to the. Many possibly to have done so that's why we need to pay attention, and this is why in our security model, of course, as I mentioned, we define sort of standard channel security here. [00:28:40] One of the new goals, like, concerns the IP field: what happens if it's not authenticated? Because if it's not authenticated, then the attacker can modify it, and that can cause the server to accept connections, spurious connections, from clients it wasn't supposed to talk to. So this is called IP spoofing. OK, so we do one thing you want to take the server into talking to the right parties, so we define
[00:29:22] The IP spoofing prevention in the model, and I'm not going to talk, just, you know, just believe that we define this. Then we consider this problem about packet integrity for the packets sent during key exchange, because the standard models, they just define the integrity of the data sent during the [00:29:58] secure channel data exchange, but what about for the key exchange? And we separate the goals: header integrity and payload integrity, OK, just to have more fine-grained analysis, so we define this notion. And. And. [00:30:28] We also want to define packet integrity, beyond data privacy and integrity, and we use header integrity just for the secure channel data exchange phase, because. This is not done, because the standard models just look at the payload integrity. [00:30:50] And finally we decided to like step or pay attention to the packets which are not explicitly used; you cannot say this is the key exchange or this is the data exchange, because there are special packets, and authentication for them is important, and one of them are the reset packets. [00:31:16] OK, and we just think it's important no adversary just issues reset packets for the connection, because that affects availability. So we did define this notion on top. So with all this together we get the model, and after we get the security model with all these formal security goals defined, we just have to take all these protocols and verify whether they satisfy the goals. And this is the summary of our results. [00:31:59] So the marks I'm Blair. This is what follows from prior work. Of course we needed to kind of redo some things to make it all uniform, but mostly it follows from prior works. And prior works, the Oakland paper, here called the prior work, and this
[00:32:23] Table. Marks in green, these are good results which are new, which we had to prove. And the red marks, these are somewhat bad results for the protocols, also new results, which have practical implications; those long time courses mean that we have theoretical attacks, that's when the choice of the practical attacks match in this. OK, so yeah. [00:33:00] Like, I'll spend the last 10 minutes just going over some of the results with you. OK, so IP spoofing prevention. So it's a good thing: all 3. I say we because really it's from both papers. We show that all 3 protocols satisfy IP spoofing prevention, and we prove these results. [00:33:36] They satisfy. So for TLS, the IP spoofing prevention relies on this TFO TCP cookie mechanism that we analyzed; it seems like no one looked at the security of this. It's simple, but still you need to analyze it, and we prove that the protocol satisfies [00:34:03] prevention assuming the block cipher which is part of the cookie mechanism is a pseudorandom function. And for QUIC we also prove that it satisfies spoofing prevention, and here we just need the authenticated encryption scheme which is used as part of this to be secure, and the intuition here is the. [00:34:34] There is this sticky source address token, which prevents IP spoofing, but the smacked or find it was the authenticated encryption, and if it's secure then you can't modify it. OK. So, jumping to reset authentication: interestingly, neither TLS 1.3 nor QUIC satisfy it. So for TLS, [00:35:10] the intuition why it doesn't achieve it is because there are some had their own lives back of the special packets which are not authenticated. Similarly for QUIC, they have these reset packets not authenticated, and therefore you can, the attacker can, just fake
Packets. But the good thing is that, it seems like, the combined protocol, not seems like, we show that it does achieve reset authentication. [00:35:54] And this is just due to, like, some smarter way how it's done: just to start talking the sound in a secure channel phase where everything is authenticated. You can't fake the reset packets. OK, now more: secure channel header integrity. It's about the integrity of the headers [00:36:23] in the secure channel phase, when the data is encrypted, and here it's. Like, the intuition, I think, the intuition is simple: for TLS the insecurity comes from just unauthenticated TCP headers, and for QUIC security comes from the [00:36:54] kind of QUIC and. QUIC, we think it's done intentionally: since QUIC runs on top of UDP, they have to take care of reliable in-order delivery. With this extra work they added cryptography to this task, so the headers are authenticated. [00:37:20] It's a very good thing because. For TLS, the insecurity, even though we're the 1st to, like, formally define it, people knew for many years in the networking community. People pointed to the security issues, availability issues, informally, and so our result just, like, matches the attacks which are known, such as TCP flow control manipulation, TCP acknowledgement injection, and other things. OK, so. [00:38:00] For the header integrity, for the packet headers sent during the key exchange phase. None of the protocols. But there is a slight difference, because we think for TLS the attacks are more serious than for QUIC, because for QUIC they seem to be more of theoretical interest, when it seems more serious for TLS. [00:38:32] And because 1.3 doesn't have this header integrity, we designed and then implemented another attack, which seems practical, and that's simple, but it's about cookie removal.
So this is, remember, this. Part door. Open for you, and OK, so what happened. [00:39:13] This disappear. If you remove it, security is not really violated, but the server will regard this as a new TCP connection, because the cookie is not coming, and will ignore any 0-RTT data sent by the client. So it's really not good. [00:39:37] It's really not good, and the reason is because of the header integrity. Key exchange phase. OK, and then this just slows the whole protocol down, and the problem is, we think that this attack is serious because, unlike just broken connections, this time [00:40:04] it's hard to detect. Dropping some packets, this is detected, but in this case it's really hard to see, because it will just proceed as a different protocol; it will think just the server doesn't support. For right so. It may think, like, OK, the server doesn't support your 4, so I just have to do a longer protocol. [00:40:34] And so for QUIC this property is also not satisfied, and we observed the theoretical attacks in the previous paper. But they don't seem to be that serious, and 1st of all they're easier to detect. OK, and finally, I'll just say a few words: overall it seems [00:41:04] this combined protocol does better than the others, even though it's worse in one place, but it seems to be, like, when we look at the. So there are no. Well. I don't know how to judge, but still overall it seems to be the best bet, because these 2 points seem to be more important than this, these 2 positive things seem more important than this one. Of course we would like to have a protocol which is secure in all these senses; maybe it makes sense to revisit what was done; we don't know exactly the best way how to do it. [00:41:53] But honestly we didn't spend time on this
Yet. But so this is some summary, sort of, some results of the later paper: just this normal proof, new availability attacks, and of course the security model which allows to compare it. Yes, the comprehensive security model is probably the main contribution, and then just figuring out all the fine-grained analysis, [00:42:26] so one can understand better what the protocols provide and what they don't, hopefully. All right, thank you. Yeah. The whole. World. Will know. What it's. All 1.3 is. In it's cool store adoption I don't have a good estimate of where I am but I don't follow quite the recent developments, but I'm pretty sure it's very close, like year 2 years 35 years it will be there. There are some talks, I don't know about this. [00:43:29] What Google will do with regard to QUIC, if with this combined protocol, where there was a suggestion, whether they decide, after 1.3 is standardized, let's all do one thing and go with the one; that could happen, I don't know, a year or so, but I'm sure it will all change to one of these or 2 of these very soon, but the. [00:44:01] Rules. Say. Well. We don't like. Before any of these works. The love affect them unless something's broken completely, but the 1.3 working group seems to be doing a much better job as normal, because before they just designed the protocol, that's, like, standard, that everyone runs a bug here they're careful that it's been many years when they welcome all darker Democritus collaborate clause it's go slow and that's good, because they do pay attention to the works on the over thing are. [00:44:56] So I don't know, hopeful. I don't have specific. Like beta to sail it or will talk to them they're going to do this, I don't know, but I'm hopeful, how TLS 1.3 is developing. Yeah. What. Sort of can you get people. Like. You know. [00:45:41] About the insecurity is well. Known this is still kind of. Solemn some I think.
No one really in their nose. Proud to do a read because with this c.c.p. TCP is more a secure product color you can do a little things and they were in this new gear for they do little things, but that's for efficiency and not for authenticating everything and preventing security here. [00:46:22] It's just hard. Like, that's what they sell like what could be did, but it required redesigning the whole new protocol, QUIC, right? So no, it's hard to do right. It's almost like they did it, and that's great; it's still not perfect, but that's exactly, like, they seem like they purposely took care of one of the security issues with TCP, for example, and again this combination of QUIC and TLS seems to be doing better than the separate protocols, so that's good, but. [00:47:03] That's what I do like what they see are good things to do; fixing everything else is hard, because no one wants to begin to design the whole thing from scratch, and also these attacks probably seem to, these are not like complete breaks; it's not that someone like clone banks or gallons of lost all the passwords, and so all of this is, like, not serious. You have to make over one change or them home. [00:47:42] No, we consider one so it's authentication on them. Yeah. Yeah yeah yeah yeah. Right. No but there. It can be different trailer so I just saw. There was like a surprise like. Raw it but. Yeah, that's a good question. But I view it more like, no, I think like for them. [00:49:01] I don't know if. The browser. Decides they want. Yeah, so it's more like what's our there would manage, so I don't know, I don't know what. I don't know. We'll see, yeah. All right, thanks.