Britta J. Hale
Degree: Ph.D.
Graduation year: 2017
Supervisor: Colin A. Boyd
Title: Low-latency key exchange and secure channels

In this growing and changing world, flexibility and adaptability in communication are increasingly prioritized. As such, security demands must also adapt, and there is an ever-present challenge to achieve optimal security in these new settings. Consequently, this thesis addresses security considerations under non-traditional settings. We start by considering data sent before a key exchange, progressing to data sent in parallel to a protocol, and then to varying data and channel demands after a key exchange has taken place. These results are meaningful for researchers and implementors alike, providing constructions and models and enabling identification of the strengths and weaknesses of cryptographic schemes and protocols.
In particular, this thesis considers the design and modeling of low-latency (0-RTT) protocols, which are intended to allow for the sending of cryptographically protected data before the completion of a normal key exchange protocol, i.e. in what can be considered a “pre-session channel” phase. Due to protocol designs thus far, where a static server public key is used, forward secrecy is a major concern in 0-RTT protocols; compromise of the server’s long-term private key allows an attacker to compute past session keys and leads directly to the compromise of past 0-RTT data. Thus, in addition to a general 0-RTT model and construction, this thesis demonstrates how forward secrecy can be achieved for 0-RTT, providing an appropriate security model and a construction based on evolving the server secret state.
Data security is also investigated in the “mid-session channel” context, under the analysis of an authentication protocol (ISO 9798-2.4) which allows additional data to be sent along with the protocol flows. Comprehensively, several variants of the authentication protocol are analyzed.
“Post-session channel” security considerations are addressed in the context of hierarchies of authentication and authenticated encryption demands, where a session key has already been established. These hierarchies capture various real-world security demands which are appropriate for varying reliability levels for packet delivery, such as in the cases of TLS, 802.11 (WiFi security), QUIC, and DTLS. Furthermore, the thesis addresses modeling of secure channels, including: multiple keys derived from a main session key, parallel channels, and secure termination of channels where a receiver is guaranteed to have received all sent messages. These “post-session channel” results are applied to TLS 1.2, and extend the understanding of the protocol’s security guarantees.

Presentation: slides
Trial lecture
Topic: Functional encryption
Presentation: slides
Evaluation committee