Organizer: Stefanie Kettler, CROSSING
The common approach in secure communication channel protocols is to rely on ciphertexts arriving in-order and to close the connection upon any rogue ciphertext. Cryptographic security models for channels generally reflect such design. This is reasonable when running atop lower-level transport protocols like TCP ensuring in-order delivery, as for example is the case with TLS or SSH. However, channels such as QUIC or DTLS which run over a non-reliable transport protocol like UDP, do not---and in fact cannot---close the connection if packets are lost or arrive in a different order. Those protocols instead have to carefully catch effects arising naturally in unreliable networks, usually by using a sliding-window technique where ciphertexts can be decrypted correctly as long as they are not misplaced too far.
In this talk, we introduce a new property of cryptographic channels called robustness that captures unreliable network behavior and guarantees that adversarial tampering cannot hinder ciphertexts that can be decrypted correctly from being accepted. Equipped with this, we argue that robustness is orthogonal to the common notion of integrity for channels, but together with integrity and chosen-plaintext security it provides a robust analogue of chosen-ciphertext security of channels.
Finally, I show that the packet encryption in the record layer protocol of QUIC achieves the desired strong security property.
Christian Janson has completed his PhD at Royal Holloway, University of London in 2016 under the supervision of Carlos Cid and then started a postdoc in the cryptoplexity group at TU Darmstadt with Marc Fischlin. In April 2021 Christian became an Athene Young Investigator.