2

Can Perfect Forward Secrecy (PFS) be used to prove that a particular file was transmitted or received at a particular time? If so, how? By keeping records of the entire TLS stream?

Geremia

1 Answer

-1

PFS could be used to guarantee that a given set of packets (e.g. containing a file) belonged to a given session, by using the following "protocol":

  1. Client C (handling the requests of user U1) and Server S establish a TLS session with a key k_i. The entire session is captured and stored using tamper-resistant mechanisms.

  2. C downloads a file from S.

  3. Upon request of a third party with access to the packet capture (e.g. a court), C or S discloses k_i. The third party accesses the content of the packet capture and uses k_i to decrypt it, thus showing whether or not that set of packets belonged to that session.

Note, however, that this mechanism cannot prove that U1 didn't receive the file before that session, as:

1) the same plaintext encrypted with different keys can - and normally does - yield different ciphertexts. Without knowing the keys of all previous sessions with that server (since the very first one, which could have been years before), this problem is unavoidable; and

2) U1 could have obtained the same file previously and "out of band" in many different ways, for example from another server, by having U2 download the file using his account and copying the file locally (or for that matter, stealing U2's credentials), and so on.

A. Darwin
  • I don't think this is entirely true. If you have access to all keys, including the HMAC key, you can modify the stream and present it to a 3rd party and it will look like it has not been tampered with. – forest Apr 21 '18 at 13:26
  • With mutual authentication (client cert) no single party can spoof it (with and without DH) – eckes Apr 21 '18 at 13:42
  • @eckes How? Client authentication will not authenticate the _data_, only the HMAC key does that, so knowledge of the HMAC key allows you to modify the entire data stream. A client cert won't stop that. – forest Apr 21 '18 at 13:49
  • Well, it is not convenient so not recommended (better use some MDN styles like with AS2) but you cannot spoof a network trace without having both durable keys – eckes Apr 21 '18 at 13:50
  • (There is no file/transmission HMAC in TLS only for the single records) – eckes Apr 21 '18 at 15:27
  • @forest While this may be true, I was assuming the packet capture is performed and stored in a tamper-resistant way. – A. Darwin Apr 21 '18 at 15:57
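As an added illustration of the answer and the comment thread (my own code, not from the question, the answer or any TLS library): a toy record layer standing in for TLS, with the disclosed-key check of step 3, the answer's point 1 (same file, different session key, different bytes), forest's point that the session keys alone let anyone produce a record that still verifies, and the hash-based "tamper-resistant capture" that A. Darwin assumes. The record format, the SHA-256 counter-mode keystream and the sample file bytes are all constructed for the example.

```python
import hashlib
import hmac
import os

# Toy record layer standing in for TLS (constructed for illustration, not real TLS):
# record = nonce(16) || ciphertext || tag(32), tag = HMAC-SHA256(mac_key, nonce || ct).
def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:  # SHA-256 in counter mode as a stand-in stream cipher
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(enc_key, mac_key, plaintext, nonce=None):
    nonce = nonce or os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_record(enc_key, mac_key, record):
    # Step 3 of the answer: the third party checks the tag with the disclosed keys,
    # returning the plaintext, or None if the record does not belong to this session.
    nonce, ct, tag = record[:16], record[16:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def capture_commitment(records):
    # The tamper-resistant capture the answer assumes: a hash of the raw stream fixed at
    # capture time (e.g. witnessed or timestamped). This, not the MAC, binds the content.
    h = hashlib.sha256()
    for r in records:
        h.update(len(r).to_bytes(4, "big") + r)
    return h.hexdigest()

def demo():
    session_a = (os.urandom(32), os.urandom(32))  # (enc_key, mac_key) of the captured session
    session_b = (os.urandom(32), os.urandom(32))  # an earlier session with the same server
    file_bytes = b"contents of the downloaded file"  # constructed sample file
    rec = seal(*session_a, file_bytes)
    committed = capture_commitment([rec])
    rec_b = seal(*session_b, file_bytes, nonce=rec[:16])   # point 1: other key, other bytes
    forged = seal(*session_a, b"some other file entirely")  # forest's point: keys suffice
    return {
        "decrypts_with_disclosed_keys": open_record(*session_a, rec) == file_bytes,
        "other_session_keys_reject_it": open_record(*session_b, rec) is None,
        "same_plaintext_differs_across_sessions": rec_b[16:-32] != rec[16:-32],
        "forgery_verifies_with_the_keys": open_record(*session_a, forged) is not None,
        "forgery_breaks_capture_commitment": capture_commitment([forged]) != committed,
    }
```

The last two results are the whole point: a symmetric MAC only shows that a record was produced by someone holding the session keys, so the time and content claim rests on the capture's own integrity mechanism, not on the TLS keys.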