The Transport Layer Security (TLS) protocol suffers from legacy bloat: after 20 years of evolution, it features many versions, extensions, and ciphersuites, some of which are obsolete and known to be insecure. Implementations and deployments of TLS deal with this complexity by implementing composite state machines that allow new and old features to coexist for interoperability, while waiting for deprecated features to be disabled over time. Getting this composition right is tricky, and any flaw can result in a serious attack that bypasses the expected security of TLS.
This talk will discuss three recent vulnerabilities discovered in our group: SKIP uses state machine flaws in Oracle’s JSSE to hijack TLS connections between a Java client and any web server; FREAK uses legacy support for export-grade RSA cipher suites to break into connections between mainstream browsers and 25% of the web; Logjam exploits a protocol flaw to confuse DHE key exchanges into using export-grade Diffie-Hellman groups. These attacks rely on a combination of protocol-level weaknesses, implementation bugs, and weak cryptography. The talk will advocate principled methods to avoid such weaknesses in the future, such as software verification and new robust designs for new protocols like TLS 1.3.
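As an added illustration of the composition problem the abstract describes (not code from the talk, from JSSE, or from any TLS library): a client-side checker that fixes the expected TLS 1.2 server flight from the negotiated ciphersuite and rejects any skipped, repeated or out-of-order handshake message, instead of accepting whatever message it can parse. The ciphersuite names and family mapping are a constructed subset for illustration.

```python
# Added example (not from the talk or any TLS library): a strict checker for
# the TLS 1.2 server flight that follows ServerHello. The negotiated
# ciphersuite selects exactly one expected sequence; any skipped, repeated
# or out-of-order message is an error rather than a tolerated variation.

# Server flight after ServerHello, per key-exchange family (TLS 1.2, no client auth).
EXPECTED_FLIGHT = {
    "RSA": ["Certificate", "ServerHelloDone"],
    "DHE": ["Certificate", "ServerKeyExchange", "ServerHelloDone"],
    "ECDHE": ["Certificate", "ServerKeyExchange", "ServerHelloDone"],
}

# Constructed mapping from ciphersuite name to key-exchange family.
KEY_EXCHANGE_OF = {
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "RSA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE",
}


class HandshakeError(Exception):
    """Raised on the first handshake message that violates the expected flow."""


def check_server_flight(ciphersuite, messages):
    """Return True if `messages` is exactly the flight `ciphersuite` requires.

    The expected list is fixed once from the negotiated ciphersuite and walked
    one step at a time, so a missing ServerKeyExchange in a DHE handshake (or a
    stray one in an RSA handshake) is rejected instead of silently accepted.
    """
    family = KEY_EXCHANGE_OF.get(ciphersuite)
    if family is None:
        raise HandshakeError(f"unknown ciphersuite {ciphersuite!r}")
    expected = EXPECTED_FLIGHT[family]
    for step, msg in enumerate(messages):
        if step >= len(expected):
            raise HandshakeError(f"{family}: unexpected {msg} after ServerHelloDone")
        if msg != expected[step]:
            raise HandshakeError(f"{family}: expected {expected[step]}, got {msg}")
    if len(messages) < len(expected):
        raise HandshakeError(f"{family}: flight ended before {expected[len(messages)]}")
    return True


def flight_is_valid(ciphersuite, messages):
    """Boolean wrapper for callers that prefer a verdict to an exception."""
    try:
        return check_server_flight(ciphersuite, messages)
    except HandshakeError:
        return False
```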
Karthik is a researcher at INRIA, the French national lab for computer science. He is based in Paris, where he leads a team called Prosecco (“programming securely with cryptography”) and is the principal investigator of an ERC starting grant on provably secure implementations of cryptographic protocols. Karthik and his colleagues develop new programming languages like F* (fstar-lang.org) and use them to build and verify protocols like TLS (mitls.org). Along the way, they sometimes find and disclose implementation bugs and protocol flaws like Triple Handshake (secure-resumption.com), FREAK (smacktls.com), and Logjam (weakdh.org). Partly as a consequence of these attacks, and partly motivated by stronger security theorems for the web, Karthik is loosely involved with the TLS working group in the design of TLS 1.3. Karthik was trained at IIT New Delhi and the University of Pennsylvania. Before coming to Paris in 2009, he worked as a researcher at Microsoft Research in Cambridge, England, for several years.