Misbinding Raw Public Keys to Identities in TLS

Mariam Moustafa, Mohit Sethi, Tuomas Aura

TL;DR

This paper analyzes TLS Raw Public Key (RPK) authentication, uncovering identity misbinding vulnerabilities arising from binding identities to RPKs without a PKI. It uses formal modeling with applied pi calculus and ProVerif to model TLS RPK handshake scenarios and two out-of-band binding mechanisms (pre-configured keys and DANE) and to identify misbinding attacks on servers and clients. The authors show concrete misbinding scenarios, including server misbinding under DANE, multi-named servers, and pre-configured key setups, and illustrate the practicality of these attacks with implementation evidence across common TLS libraries and a mail-server example. To mitigate these risks, they propose binding identities in the handshake, consider self-signed certificates with PKIX/DANE, and advocate application-layer verification within the TLS tunnel, urging updates to TLS RPK standards.

Abstract

The adoption of security protocols such as Transport Layer Security (TLS) has significantly improved the state of traffic encryption and integrity protection on the Internet. Despite rigorous analysis, vulnerabilities continue to emerge, sometimes due to fundamental flaws in the protocol specification. This paper examines the security of TLS when using Raw Public Key (RPK) authentication. This mode has not been as extensively studied as X.509 certificates and Pre-Shared Keys (PSK). We develop a formal model of TLS RPK using applied pi calculus and the ProVerif verification tool, revealing that the RPK mode is susceptible to identity misbinding attacks. Our contributions include formal models of TLS RPK with several mechanisms for binding the endpoint identity to its public key, verification results, practical scenarios demonstrating the misbinding attack, and recommendations for mitigating such vulnerabilities. These findings highlight the need for improved security measures in TLS RPK.

Paper Structure

This paper contains 31 sections and 4 figures.

Figures (4)

  • Figure 1: TLS 1.3 authentication with RPK
  • Figure 2: Model details for TLS 1.3 authentication with RPK
  • Figure 3: Misbinding attack against TLS RPK with DANE, exploiting DNS registration
  • Figure 4: Misbinding attack against TLS RPK, exploiting multi-name server