DTU Compute, Department of Applied Mathematics and Computer Science, Technical University of Denmark, Richard Petersens Plads, 2800 Kongens Lyngby, Denmark.
Sensors (Basel). 2021 Sep 29;21(19):6524. doi: 10.3390/s21196524.
In recent years, the Transport Layer Security (TLS) protocol has enjoyed rapid growth as a security protocol for the Internet of Things (IoT). In its newest iteration, TLS 1.3, the Internet Engineering Task Force (IETF) has standardized a zero round-trip time (0-RTT) session resumption sub-protocol, allowing clients to transmit application data already in their first message to the server, provided they have shared session resumption details in a previous handshake. Since it is common for IoT devices to transmit periodic messages to a server, this 0-RTT protocol can help in reducing bandwidth overhead. Unfortunately, the sub-protocol has been designed for the Web and is susceptible to replay attacks. In our previous work, we adapted the 0-RTT protocol to strengthen it against replay attacks, while also reducing bandwidth overhead, thus making it more suitable for IoT applications. However, we did not include a formal security analysis of the protocol. In this work, we address this and provide a formal security analysis using OFMC. Further, we have included more accurate estimates of its performance, and have made minor adjustments to the protocol itself to reduce implementation ambiguity and improve resilience.
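The abstract states that 0-RTT early data is replayable because it is bound only to a resumption secret shared in an earlier handshake. The toy model below is an added example, not code from the paper or its authors, and it does not implement their adapted protocol. It simulates a resumption server that accepts early data authenticated by a PSK binder, shows that an identical captured message is accepted a second time when nothing tracks ticket use, and shows that the single-use ticket check described in RFC 8446 section 8 rejects the second copy. Names such as `Server`, `Ticket` and `build_0rtt_message`, the message layout, and the simplified binder (an HMAC directly under the PSK rather than the derived binder key) are all assumptions made for illustration.

```python
"""Toy model of TLS 1.3 0-RTT resumption and server-side replay handling.

Added example for illustration only (not the paper's protocol). Keys,
identities and the early-data payload are constructed inline.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Ticket:
    """Resumption details the client keeps from an earlier handshake."""
    identity: bytes   # opaque ticket identity sent in the clear
    psk: bytes        # resumption secret known to client and server


@dataclass
class Server:
    """Resumption server; single_use enables the anti-replay check."""
    single_use: bool
    tickets: dict = field(default_factory=dict)   # identity -> psk
    used: set = field(default_factory=set)        # identities already consumed
    delivered: list = field(default_factory=list) # early data passed to the app

    def issue_ticket(self) -> Ticket:
        """Hand out a fresh ticket, as NewSessionTicket would after a handshake."""
        ticket = Ticket(identity=os.urandom(16), psk=os.urandom(32))
        self.tickets[ticket.identity] = ticket.psk
        return ticket

    def accept_early_data(self, msg: dict) -> bool:
        """Return True if the 0-RTT message is accepted and its early data delivered."""
        psk = self.tickets.get(msg["identity"])
        if psk is None:
            return False
        # Simplified binder: MAC over the identity and early data under the PSK.
        expected = hmac.new(psk, msg["identity"] + msg["early_data"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["binder"]):
            return False
        # The binder is deterministic, so a byte-identical replay passes the
        # check above; only state about ticket use can distinguish it.
        if self.single_use:
            if msg["identity"] in self.used:
                return False          # ticket already consumed: replay rejected
            self.used.add(msg["identity"])
        self.delivered.append(msg["early_data"])
        return True


def build_0rtt_message(ticket: Ticket, early_data: bytes) -> dict:
    """Client side: bind early data to the ticket with the resumption secret."""
    binder = hmac.new(ticket.psk, ticket.identity + early_data, hashlib.sha256).digest()
    return {"identity": ticket.identity, "early_data": early_data, "binder": binder}


def simulate(single_use: bool) -> tuple:
    """One legitimate 0-RTT message followed by an identical second copy.

    Returns (first_accepted, second_accepted, number_of_deliveries).
    """
    server = Server(single_use=single_use)
    ticket = server.issue_ticket()
    msg = build_0rtt_message(ticket, b"constructed sensor reading: 21.5C")
    first = server.accept_early_data(msg)
    second = server.accept_early_data(dict(msg))   # same bytes, sent again
    return first, second, len(server.delivered)


if __name__ == "__main__":
    print("no anti-replay state:", simulate(single_use=False))
    print("single-use tickets:  ", simulate(single_use=True))
```

Without anti-replay state the periodic sensor reading is delivered twice, which is exactly the hazard the abstract names for IoT devices that send the same kind of message repeatedly; with single-use tickets the second copy is refused at the cost of the server keeping per-ticket state, which is the trade-off any replay-hardened 0-RTT design has to manage.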