120 results for TLS


Abstract:

The Transport Layer Security (TLS) protocol is the most widely used security protocol on the Internet. It supports negotiation of a wide variety of cryptographic primitives through different cipher suites, various modes of client authentication, and additional features such as renegotiation. Despite its widespread use, only recently has the full TLS protocol been proven secure, and only the core cryptographic protocol with no additional features. These additional features have been the cause of several practical attacks on TLS. In 2009, Ray and Dispensa demonstrated how TLS renegotiation allows an attacker to splice together its own session with that of a victim, resulting in a man-in-the-middle attack on TLS-reliant applications such as HTTP. TLS was subsequently patched with two defence mechanisms for protection against this attack. We present the first formal treatment of renegotiation in secure channel establishment protocols. We add optional renegotiation to the authenticated and confidential channel establishment model of Jager et al., an adaptation of the Bellare–Rogaway authenticated key exchange model. We describe the attack of Ray and Dispensa on TLS within our model. We show generically that the proposed fixes for TLS offer good protection against renegotiation attacks, and give a simple new countermeasure that provides renegotiation security for TLS even in the face of stronger adversaries.

Abstract:

Real-world cryptographic protocols such as the widely used Transport Layer Security (TLS) protocol support many different combinations of cryptographic algorithms (called ciphersuites) and simultaneously support different versions. Recent advances in provable security have shown that most modern TLS ciphersuites are secure authenticated and confidential channel establishment (ACCE) protocols, but these analyses generally focus on single ciphersuites in isolation. In this paper we extend the ACCE model to cover protocols with many different sub-protocols, capturing both multiple ciphersuites and multiple versions, and define a security notion for secure negotiation of the optimal sub-protocol. We give a generic theorem that shows how secure negotiation follows, with some additional conditions, from the authentication property of secure ACCE protocols. Using this framework, we analyse the security of ciphersuite and three variants of version negotiation in TLS, including a recently proposed mechanism for detecting fallback attacks.

Abstract:

Lattice-based cryptographic primitives are believed to offer resilience against attacks by quantum computers. We demonstrate the practicality of post-quantum key exchange by constructing cipher suites for the Transport Layer Security (TLS) protocol that provide key exchange based on the ring learning with errors (R-LWE) problem; we accompany these cipher suites with a rigorous proof of security. Our approach ties lattice-based key exchange together with traditional authentication using RSA or elliptic curve digital signatures: the post-quantum key exchange provides forward secrecy against future quantum attackers, while authentication can be provided using RSA keys that are issued by today's commercial certificate authorities, smoothing the path to adoption. Our cryptographically secure implementation, aimed at the 128-bit security level, reveals that the performance price when switching from non-quantum-safe key exchange is not too high. With our R-LWE cipher suites integrated into the OpenSSL library and using the Apache web server on a 2-core desktop computer, we could serve 506 RLWE-ECDSA-AES128-GCM-SHA256 HTTPS connections per second for a 10 KiB payload. Compared to elliptic curve Diffie-Hellman, this means an 8 KiB increased handshake size and a reduction in throughput of only 21%. This demonstrates that provably secure post-quantum key exchange can already be considered practical.

Abstract:

Content delivery networks (CDNs) are an essential component of modern website infrastructures: edge servers located closer to users cache content, increasing robustness and capacity while decreasing latency. However, this situation becomes complicated for HTTPS content that is to be delivered using the Transport Layer Security (TLS) protocol: the edge server must be able to carry out TLS handshakes for the cached domain. Most commercial CDNs require that the domain owner give their certificate's private key to the CDN's edge server or abandon caching of HTTPS content entirely. We examine the security and performance of a recently commercialized delegation technique in which the domain owner retains possession of their private key and splits the TLS state machine geographically with the edge server using a private key proxy service. This allows the domain owner to limit the amount of trust given to the edge server while maintaining the benefits of CDN caching. On the performance front, we find that latency is slightly worse compared to the insecure approach, but still significantly better than the domain owner serving the content directly. On the security front, we enumerate the security goals for TLS handshake proxying and identify a subtle difference between the security of RSA key transport and signed-Diffie–Hellman in TLS handshake proxying; we also discuss timing side channel resistance of the key server and the effect of TLS session resumption.

Abstract:

The Internet Engineering Task Force (IETF) is currently developing the next version of the Transport Layer Security (TLS) protocol, version 1.3. The transparency of this standardization process allows comprehensive cryptographic analysis of the protocols prior to adoption, whereas previous TLS versions have been scrutinized in the cryptographic literature only after standardization. This is even more important as there are two related, yet slightly different, candidates in discussion for TLS 1.3, called draft-ietf-tls-tls13-05 and draft-ietf-tls-tls13-dh-based. We give a cryptographic analysis of the primary ephemeral Diffie–Hellman-based handshake protocol, which authenticates parties and establishes encryption keys, of both TLS 1.3 candidates. We show that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare–Rogaway model. Such a multi-stage approach is convenient for analyzing the design of the candidates, as they establish multiple session keys during the exchange. An important step in our analysis is to consider compositional security guarantees. We show that, since our multi-stage key exchange security notion is composable with arbitrary symmetric-key protocols, the use of session keys in the record layer protocol is safe. Moreover, since we can view the abbreviated TLS resumption procedure also as a symmetric-key protocol, our compositional analysis allows us to directly conclude security of the combined handshake with session resumption. We include a discussion on several design characteristics of the TLS 1.3 drafts based on the observations in our analysis.

Abstract:

Composite Right/Left Handed (CRLH) transmission line (TL) based electronically tunable 1.5 cell zero order resonator (ZOR) is demonstrated with microstrip technology by use of varactors. A novel mechanism for DC bias for the varactor is proposed. This is achieved by patterning the ground plane of microstrip thereby reducing the complexity of DC feed mechanism. This approach also mitigates the effect of parasitics arising from DC feed choke appearing in the RF signal path.

Abstract:

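An SSL Web proxy can effectively protect data transmitted over the Internet and Web servers that store sensitive information. However, the performance bottleneck caused by the large amount of data processing in the SSL protocol, together with the security threats that protocol implementations face, seriously affects the usefulness of an SSL Web proxy. Based on an analysis of the performance and security of the SSL/TLS protocol, this paper designs and implements an efficient and secure SSL-TLS Web proxy.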

Abstract:

Extensive use of the Internet coupled with the marvelous growth in e-commerce and m-commerce has created a huge demand for information security. The Secure Socket Layer (SSL) protocol is the most widely used security protocol on the Internet which meets this demand. It provides protection against eavesdropping, tampering and forgery. The cryptographic algorithms RC4 and HMAC have been in use for achieving security services like confidentiality and authentication in SSL. But recent attacks against RC4 and HMAC have raised questions about the confidence in these algorithms. Hence two novel cryptographic algorithms, MAJE4 and MACJER-320, have been proposed as substitutes for them. The focus of this work is to demonstrate the performance of these new algorithms and suggest them as dependable alternatives to satisfy the need for security services in SSL. The performance evaluation has been done by using a practical implementation method.

Abstract:

FUS/TLS (fused in sarcoma/translocated in liposarcoma) is a ubiquitously expressed RNA-binding protein of the hnRNP family that has been discovered as fused to transcription factors, through chromosomal translocations, in several human sarcomas and found in protein aggregates in neurons of patients with an inherited form of Amyotrophic Lateral Sclerosis (ALS) [1]. To date, FUS/TLS has been implicated in a variety of cellular processes such as gene expression control, transcriptional regulation, pre-mRNA splicing and miRNA processing [2]. In addition, some evidence links FUS/TLS to genome stability control and DNA damage response. In fact, mice lacking FUS/TLS are hypersensitive to ionizing radiation (IR) and show high levels of chromosome instability, and in response to double-strand breaks, FUS/TLS gets phosphorylated by the protein kinase ATM [3,4,5]. Furthermore, the inducible depletion of FUS/TLS in a neuroblastoma cell line (SH-SY5Y FUS/TLS TET-off iKD) subjected to genotoxic stress (IR) resulted in an increased phosphorylation of γH2AX with respect to control cells, suggesting a higher activation of the DNA damage response. The study aims to investigate the specific role of FUS/TLS in DNA damage response through the characterization of the proteomic profile of SH-SY5Y FUS/TLS iKD cells subjected to DNA damage stress, by mass spectrometry-based quantitative proteomics (e.g. SILAC). Preliminary results of mass spectrometric identification of FUS/TLS interacting proteins in HEK293 cells, expressing a recombinant flag-tagged FUS/TLS protein, highlighted the interactions with several proteins involved in DNA damage response, such as DNA-PK, XRCC-5/-6, and ERCC-6, raising the possibility that FUS/TLS is involved in this pathway, even though its exact role still needs to be addressed.

Abstract:

FUS/TLS (fused in sarcoma/translocated in liposarcoma) is a ubiquitously expressed RNA-binding protein that has been discovered as fused to transcription factors in several human sarcomas and found in protein aggregates in neurons of patients with an inherited form of Amyotrophic Lateral Sclerosis [1]. To date, FUS has been implicated in a variety of cellular processes such as gene expression control, transcriptional regulation, pre-mRNA splicing and miRNA processing [2]. In addition, some evidence links FUS to genome stability control and DNA damage response. In fact, mice lacking FUS are hypersensitive to ionizing radiation and show high levels of chromosome instability, and in response to double-strand breaks, FUS gets phosphorylated by the protein kinase ATM [3, 4, 5]. Moreover, upon DNA damage stress, FUS mediates Ebp1 (ErbB3 receptor-binding protein) SUMOylation, a post-translational modification that is required for its onco-suppressive activity, by acting as SUMO E3 ligase [6]. The study aims to investigate the role of FUS in DNA damage response and SUMOylation, two cellular pathways tightly interconnected to each other. Moreover, we will exploit biochemical and mass spectrometry-based approaches in order to identify other potential substrates of the E3 SUMO ligase activity of FUS. Preliminary results of mass spectrometric identification of FUS interacting proteins, in HEK293 and SHSY5Y cells, highlighted the interaction of FUS with several proteins involved in DNA damage response, and many of those have been described already as targets of SUMOylation, such as XRCC5, DDX5, PARP1, Nucleophosmin, and others. This evidence strengthens the hypothesis that FUS might represent a link between these pathways, even though its exact role still needs to be clearly addressed.

[1] Vance C. et al. (2009) Science 323(5918): p. 1208-11
[2] Fiesel FC., Kahle PJ. (2011) FEBS J. 278(19): p. 3550-68
[3] Kuroda M. et al. (2000) Embo J. 19(3): p. 453-62
[4] Hicks GG. et al. (2000) Nat Genet. 24(2): p. 175-9
[5] Gardiner M. et al. (2008) Biochem J. 415(2): p. 297-307
[6] Oh SM. et al. (2010) Oncogene 29(7): p. 1017-30

Abstract:

Replication-dependent histone genes are up-regulated during the G1/S phase transition to meet the requirement for histones to package the newly synthesized DNA. In mammalian cells, this increment is achieved by enhanced transcription and 3' end processing. The non-polyadenylated histone mRNA 3' ends are generated by a unique mechanism involving the U7 small ribonucleoprotein (U7 snRNP). By using affinity purification methods to enrich U7 snRNA, we identified FUS/TLS as a novel U7 snRNP interacting protein. Both U7 snRNA and histone transcripts can be precipitated by FUS antibodies predominantly in the S phase of the cell cycle. Moreover, FUS depletion leads to decreased levels of correctly processed histone mRNAs and increased levels of extended transcripts. Interestingly, FUS antibodies also co-immunoprecipitate histone transcriptional activator NPAT and transcriptional repressor hnRNP UL1 in different phases of the cell cycle. We further show that FUS binds to histone genes in S phase, promotes the recruitment of RNA polymerase II and is important for the activity of histone gene promoters. Thus, FUS may serve as a linking factor that positively regulates histone gene transcription and 3' end processing by interacting with the U7 snRNP and other factors involved in replication-dependent histone gene expression.