Misbinding Raw Public Keys to Identities in TLS
Mariam Moustafa, Mohit Sethi, Tuomas Aura

TL;DR
This paper analyzes the security of TLS with Raw Public Keys, revealing vulnerabilities to identity misbinding attacks through formal modeling and verification, and offers recommendations for mitigation.
Contribution
It provides the first formal analysis of TLS RPK, identifying misbinding vulnerabilities and proposing mechanisms and recommendations to enhance security.
Findings
TLS RPK is vulnerable to identity misbinding attacks
Formal models and verification confirm the susceptibility
Practical scenarios demonstrate attack feasibility
Abstract
The adoption of security protocols such as Transport Layer Security (TLS) has significantly improved the state of traffic encryption and integrity protection on the Internet. Despite rigorous analysis, vulnerabilities continue to emerge, sometimes due to fundamental flaws in the protocol specification. This paper examines the security of TLS when using Raw Public Key (RPK) authentication. This mode has not been as extensively studied as X.509 certificates and Pre-Shared Keys (PSK). We develop a formal model of TLS RPK using applied pi calculus and the ProVerif verification tool, revealing that the RPK mode is susceptible to identity misbinding attacks. Our contributions include formal models of TLS RPK with several mechanisms for binding the endpoint identity to its public key, verification results, practical scenarios demonstrating the misbinding attack, and recommendations for…
