Mitigating TLS compromise with ECDHE and SRP
Aron Wussler

TL;DR
This paper presents an enhanced TLS implementation using ECDHE and SRP to improve security and authentication for sensitive data transfer, exemplified by ProtonMail's secure communication system.
Contribution
It introduces a novel TLS extension incorporating SRP and ECDHE for improved security and authentication, with a flexible, easy-to-implement model leveraging existing PGP libraries.
Findings
Enhanced security with ECDHE and SRP in TLS
Successful integration with ProtonMail's infrastructure
Encrypted data transfer with AES-128-GCM
Abstract
The paper reviews an implementation of an additional encrypted tunnel within TLS to further secure and authenticate the traffic of personal information between ProtonMail's frontends and the backend, covering its key exchange, symmetric packet encryption, and validation. Secure Remote Password (SRP) and the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) exchange are used for the key exchange, with the public parameters verified through PGP signatures. The data is then transferred encrypted with AES-128-GCM. The project is meant to complement TLS for high-security data transfer, offering a flexible model that is easy to implement in the frontends by reusing parts of the standard already present in the PGP libraries.
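The handshake the abstract sketches (signed ephemeral ECDHE parameters, a symmetric key derived from the shared secret, AES-128-GCM for the packets), as an added Go example that is not the paper's or ProtonMail's code. It uses Ed25519 signatures as a stand-in for the PGP signatures, a simplified SHA-256 key derivation because the paper's KDF is not stated on this page, and leaves out the SRP password-authentication step; the names Party, SignedShare, DeriveKey, Seal and Open are this example's own. The point it makes is the ordering: the peer's public parameter is verified before it is ever fed into ECDH, so an on-path substitution of the parameter is rejected rather than silently producing a key shared with the wrong party.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one tunnel endpoint: a long-term Ed25519 signing key (assumption:
// stand-in for the PGP key) plus an ephemeral P-256 key for this handshake.
type Party struct {
	signPriv ed25519.PrivateKey
	SignPub  ed25519.PublicKey
	eph      *ecdh.PrivateKey
}

// SignedShare carries the ephemeral ECDHE public point and a signature over it.
type SignedShare struct {
	Pub []byte
	Sig []byte
}

func NewParty() (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{signPriv: priv, SignPub: pub, eph: eph}, nil
}

// Share signs the ephemeral public parameter so the peer can check it came
// from the holder of the long-term key, not from an on-path party.
func (p *Party) Share() SignedShare {
	pub := p.eph.PublicKey().Bytes()
	return SignedShare{Pub: pub, Sig: ed25519.Sign(p.signPriv, pub)}
}

// DeriveKey verifies the peer's signed share first; only a verified point is
// fed into ECDH. The shared secret is reduced to a 16-byte AES-128 key with a
// simplified hash-based KDF (assumption: the paper's KDF is not given here).
func (p *Party) DeriveKey(peerSignPub ed25519.PublicKey, s SignedShare) ([]byte, error) {
	if !ed25519.Verify(peerSignPub, s.Pub, s.Sig) {
		return nil, errors.New("peer ECDHE parameter failed signature verification")
	}
	peerPub, err := ecdh.P256().NewPublicKey(s.Pub)
	if err != nil {
		return nil, err
	}
	secret, err := p.eph.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(append([]byte("tunnel-aes128-gcm-key|"), secret...))
	return h[:16], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one packet with AES-128-GCM; the random nonce is prefixed to
// the ciphertext and the caller's header bytes are authenticated as AAD.
func Seal(key, plaintext, header []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, header), nil
}

// Open reverses Seal and rejects any packet whose GCM tag does not verify.
func Open(key, packet, header []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(packet) < gcm.NonceSize() {
		return nil, errors.New("packet too short")
	}
	nonce, ct := packet[:gcm.NonceSize()], packet[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, header)
}

func main() {
	client, _ := NewParty()
	server, _ := NewParty()
	ck, _ := client.DeriveKey(server.SignPub, server.Share())
	sk, _ := server.DeriveKey(client.SignPub, client.Share())
	pkt, _ := Seal(ck, []byte("constructed sample: profile payload"), []byte("v1"))
	pt, err := Open(sk, pkt, []byte("v1"))
	fmt.Printf("decrypted=%q err=%v\n", pt, err)
}
```

Each side only needs the other's long-term public key ahead of time; everything else in the exchange is ephemeral, so a captured session cannot be decrypted later even if a long-term key leaks, which is the forward-secrecy property ECDHE brings to the tunnel.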
Taxonomy
Topics: Cryptographic Implementations and Security · Security and Verification in Computing · Advanced Malware Detection Techniques
