Multipath TLS 1.3

AutorFischlin, Marc; Müller, Sven-Andre; Münch, Jean-Pierre; Porth, Lars
ArtConference Proceedings
AbstraktIn a multipath key exchange protocol (Costea et al., CCS’18) the parties communicate over multiple connection lines, implemented for example with the multipath extension of TCP. Costea et al. show that, if one assumes that an adversary cannot attack all communication paths in an active and synchronized way, then one can securely establish a shared key under mild cryptographic assumptions. This holds even if classical authentication methods like certificate-based signatures fail. They show how to slightly modify TLS to achieve this security level. Here we discuss that the multipath security can also be achieved for TLS 1.3 without having to modify the crypto part of protocol at all. To this end one runs a regular handshake over one communication path and then a key update (or resumption) over the other path. We show that this already provides the desired security guarantees. At the same time, if only a single communication path is available, then one obtains the basic security properties of TLS 1.3 as a fall back guarantee.
Konferenz26th European Symposium on Research in Computer Security
SerieLecture Notes in Computer Science
InComputer Security - ESORICS 2021, p.86-105