Study Examines Vulnerabilities in TLS Raw Public Key Authentication
/ 4 min read
Quick take - A study presented at NordSec 2024 highlights security vulnerabilities in the use of Raw Public Key (RPK) authentication in Transport Layer Security (TLS), particularly concerning identity misbinding attacks, and recommends strategies for improving security in IoT communications.
Fast Facts
- A study presented at NordSec 2024 highlights vulnerabilities in Transport Layer Security (TLS) using Raw Public Key (RPK) authentication, particularly for IoT devices.
- The research identifies significant risks, including identity misbinding attacks, server misbinding, and vulnerabilities linked to DNS TLSA records.
- The authors developed a formal model using applied pi calculus and ProVerif, revealing inadequate security analysis of RPK compared to X.509 certificates and Pre-Shared Keys (PSK).
- Recommendations to mitigate these vulnerabilities include mandatory Server Name Indication (SNI) verification and the use of self-signed certificates for identity embedding.
- The study emphasizes the need for improved secure protocol design and explicit identity verification to enhance the security of TLS implementations.
Misbinding Raw Public Keys to Identities in TLS
A recent study presented at the NordSec 2024 conference examines the security of Transport Layer Security (TLS) using Raw Public Key (RPK) authentication. The research was conducted by Mariam Moustafa, Mohit Sethi, and Tuomas Aura from Aalto University, Finland.
Importance of RPK in IoT Security
This method, which is less extensively studied than traditional X.509 certificates and Pre-Shared Keys (PSK), is crucial for securing communications, especially in resource-constrained Internet of Things (IoT) devices. The study identifies the TLS authentication methods as X.509 certificates, Pre-Shared Keys (PSK), and Raw Public Keys (RPK). RPK was introduced to minimize message size and processing overhead, particularly beneficial for lightweight IoT devices. However, its implementation and study have lagged behind X.509 certificates, raising concerns about its security.
Vulnerabilities Identified
The authors developed a formal model of TLS RPK using applied pi calculus and utilized the ProVerif verification tool. Their findings reveal vulnerabilities to identity misbinding attacks in the TLS RPK mode. One identified vulnerability is server misbinding, which involves the incorrect association of a public key with a server’s identity, causing clients to connect to unintended servers. Another vulnerability is server authentication with DANE, where manipulation of DNS TLSA records links an incorrect identity with a public key. The study also highlights a multi-named server attack, where multiple servers share the same public key, allowing clients to inadvertently connect to the wrong server.
The research underscores several security challenges associated with TLS RPK, including inadequate analysis compared to other methods. Weaknesses in identity binding mechanisms increase the risk of misbinding attacks.
Recommendations and Implications
To address these vulnerabilities, the authors recommend several mitigation strategies. One recommendation is mandatory Server Name Indication (SNI) verification. Another suggestion is the utilization of self-signed certificates to embed identity within the TLS handshake. Verification of endpoint identities at the application layer is also recommended, though this may not be feasible in all cases.
The practical implications of these attacks were demonstrated on widely used TLS libraries, including OpenSSL, GnuTLS, and wolfSSL. The study shows that misbinding attacks can be executed by simply altering DNS records. The findings emphasize the importance of formal verification in security protocols and caution against the risks associated with relying on insufficiently verified identity binding methods.
The study notes the impact of these vulnerabilities on the integrity and trustworthiness of secure communications. Given that RPK is designed for IoT applications, potential exploitation in critical infrastructure poses serious risks. The research stresses the need for improved secure protocol design and effective DNS security measures. Explicit identity verification in TLS implementations is necessary to fortify the TLS ecosystem against emerging threats.
Overall, this comprehensive analysis serves as a crucial reminder of the necessity for ongoing scrutiny and enhancement of security protocols, particularly in the context of evolving technologies and their applications.
Original Source: Read the Full Article Here
