In this talk, we will first look at two recent attacks on network security protocols:
1. Misbinding attacks on secure device pairing and bootstrapping: In identity misbinding attacks, a legitimate but compromised participant manipulates the honest parties so that the victim becomes unknowingly associated with a third party. These attacks are well known, and resistance to misbinding is considered a critical requirement for security protocols on the Internet. We will show that most device pairing and bootstrapping protocols are, however, vulnerable to misbinding.
2. Selfie attack on TLS 1.3 External Pre-Shared Key (PSK) mode: TLS 1.3 is finally an Internet standard and is published as RFC 8446. It has undergone roughly 5 years of standardization at the IETF and has received significant contributions from the security community (about 90 contributors are listed in the RFC). TLS 1.3 allows the use of external PSKs for authentication (instead of certificates). This was one of the features specifically requested by the IoT community. Unfortunately, the TLS 1.3 external PSK mode is vulnerable to the Selfie attack. The Selfie attack is a special case of a misbinding attack.
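To make the structure of the Selfie attack concrete, the following is an added toy model written for this abstract; it is not TLS and not code from the talk's authors. Two endpoints share a single external PSK and authenticate a handshake by a MAC over the nonces. In the vulnerable configuration the authentication key depends only on the PSK, so a party's own server instance can complete a handshake that its client instance started (the reflection at the heart of Selfie). In the hardened configuration the key is also bound to which identity acts as client and which as server, which is the general misbinding remedy of tying the key to the intended peer and role. Identifiers such as `Endpoint`, `honest_run` and `reflection_run` are assumptions of this example.

```python
import hmac
import hashlib
import secrets

# Constructed value for the demonstration, not a real key.
PSK = b"constructed-shared-psk-for-alice-and-bob"


class Endpoint:
    """One party that may act as TLS-style client or server with a shared PSK."""

    def __init__(self, my_id: bytes, peer_id: bytes, psk: bytes, bind_roles: bool):
        self.my_id = my_id          # who I am
        self.peer_id = peer_id      # the only other holder of this PSK
        self.psk = psk
        self.bind_roles = bind_roles
        self.client_nonce = None

    def _key(self, client_id: bytes, server_id: bytes) -> bytes:
        if not self.bind_roles:
            # Vulnerable: the MAC key is the bare PSK, identical in both directions.
            return self.psk
        # Hardened: derive a direction-specific key from the PSK plus the
        # identities in their roles (HMAC as a stand-in for HKDF; assumption).
        label = b"client:" + client_id + b"|server:" + server_id
        return hmac.new(self.psk, label, hashlib.sha256).digest()

    def client_hello(self) -> bytes:
        self.client_nonce = secrets.token_bytes(16)
        return self.client_nonce

    def server_respond(self, client_nonce: bytes) -> tuple[bytes, bytes]:
        # As server I am my_id; the only party that can hold this PSK is peer_id,
        # so I bind the key to (client=peer_id, server=my_id).
        server_nonce = secrets.token_bytes(16)
        key = self._key(self.peer_id, self.my_id)
        transcript = b"server-finished" + client_nonce + server_nonce
        tag = hmac.new(key, transcript, hashlib.sha256).digest()
        return server_nonce, tag

    def client_verify(self, server_nonce: bytes, tag: bytes) -> bool:
        # As client I am my_id and I intend to talk to peer_id as the server.
        key = self._key(self.my_id, self.peer_id)
        transcript = b"server-finished" + self.client_nonce + server_nonce
        expected = hmac.new(key, transcript, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def honest_run(bind_roles: bool) -> bool:
    """Alice (client) talks to Bob (server); must succeed in both configurations."""
    alice = Endpoint(b"alice", b"bob", PSK, bind_roles)
    bob = Endpoint(b"bob", b"alice", PSK, bind_roles)
    hello = alice.client_hello()
    server_nonce, tag = bob.server_respond(hello)
    return alice.client_verify(server_nonce, tag)


def reflection_run(bind_roles: bool) -> bool:
    """Selfie-style reflection: Alice's ClientHello is relayed to Alice's own
    server instance, and its reply is relayed back to Alice's client instance.
    Returns True when Alice's client wrongly accepts the handshake as Bob's."""
    alice = Endpoint(b"alice", b"bob", PSK, bind_roles)
    hello = alice.client_hello()
    # The relay never touches the messages; it only changes who receives them.
    server_nonce, tag = alice.server_respond(hello)
    return alice.client_verify(server_nonce, tag)


if __name__ == "__main__":
    print("honest, unbound key     :", honest_run(False))      # True
    print("honest, role-bound key  :", honest_run(True))       # True
    print("reflected, unbound key  :", reflection_run(False))  # True  (accepted: vulnerable)
    print("reflected, role-bound   :", reflection_run(True))   # False (rejected: mitigated)
```

The point of the model is that the relay forwards every message unmodified, so no MAC check on the transcript alone can notice anything wrong; only a key or transcript that encodes who is meant to be the client and who the server lets Alice's client instance reject a reply produced by Alice's server instance. The same principle, binding the session key to the identities and roles the parties believe they are in, is what distinguishes misbinding-resistant designs from the pairing protocols the talk criticizes.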
We will try to understand these complex attacks and their consequences. With these two attacks in mind, we will discuss why it is important for us to update the Internet threat model specified in RFC 3552. Finally, we will look at some basic design guidelines that are important to keep in mind when designing security protocols.