vtTLS: A Vulnerability-Tolerant Communication Protocol

André Joaquim
INESC-ID
Instituto Superior Técnico, Universidade de Lisboa
Lisbon, Portugal
andre.joaquim@tecnico.ulisboa.pt

Abstract—We present VTTLS, a vulnerability-tolerant communication protocol based on diversity and redundancy. There are often concerns about the strength of some of the encryption mechanisms used in SSL/TLS channels, with some regarded as insecure at some point in time. VTTLS is our solution to mitigate the problem of secure communication channels being vulnerable to attacks due to unexpected vulnerabilities in encryption mechanisms. It is based on diversity and redundancy of cryptographic mechanisms and certificates to provide a secure communication channel even when one or more mechanisms are vulnerable. VTTLS relies on a combination of k cipher suites. Even if k - 1 cipher suites are insecure or vulnerable, VTTLS relies on the remaining cipher suite to maintain the channel secure. We evaluated the performance of VTTLS by comparing it to an OpenSSL channel.

Keywords: network protocol, secure communication channels, diversity, redundancy, vulnerability-tolerance.

I. INTRODUCTION

Secure communication protocols are fundamental building blocks of the current digital economy. Transport Layer Security (TLS) alone is responsible for protecting most economic transactions done using the web, with a value so high that it is hard to estimate. These protocols allow entities to exchange messages or data over a secure channel in the Internet.

A secure communication channel has three properties: authenticity, confidentiality, and integrity. Regarding authenticity, in an authenticated channel no one can impersonate the sender. Regarding confidentiality, in a confidential channel only the receiver of the message is able to read that message. Regarding integrity, the messages can not be modified without the receiver detecting it.

Several secure communication channel protocols exist nowadays, with different purposes but with the same goal of securing communication. TLS is a widely used secure communication protocol. TLS 1.0, developed after SSL 3.0, introduced the support for extensions in the Client and Server Hello messages. TLS 1.1 and TLS 1.2 upgraded TLS 1.0 by providing mitigation of cipher block chaining (CBC) attacks and supporting more block cipher modes to use with AES.

Such a secure communication protocol becomes insecure when a vulnerability is discovered. Vulnerabilities may concern the protocol's specification, the cryptographic mechanisms used, or specific implementations of the protocol. Many vulnerabilities have been discovered in SSL/TLS, originating new versions of the protocol with new security features such as deprecating cryptographic mechanisms or enforcing security measures. Concrete implementations of SSL/TLS have also been found vulnerable due to implementation bugs, causing security breaches and affecting devices worldwide.

VTTLS is a protocol that provides vulnerability-tolerant communication channels. These channels are characterized by not relying on individual cryptographic mechanisms, so that if one is found vulnerable (or possibly a few of them) the channels remain secure. The idea is to leverage diversity and redundancy of cryptographic mechanisms and keys, i.e., the use respectively of different and more than one set of mechanisms/keys. More clearly, diversity is employed in the following aspects: pair certificate/private key, key exchange mechanism, authentication mechanism, encryption mechanism and MAC.

This use of diversity and redundancy is inspired by previous works on computer immunology [1], diversity in security [2], [3], and moving-target defenses [4]. In the context of VTTLS, diversity and redundancy consist of using two or more different mechanisms with the same objective.
For example, SHA-1 and SHA-3 are both hash functions that may be used to generate message digests. If used in combination and SHA-1 eventually becomes insecure, VTTLS would rely upon SHA-3 to keep the communication secure.

VTTLS is configured with a parameter k, the diversity factor (k > 1). This parameter indicates the number of different cipher suites and different mechanisms for key exchange, authentication, encryption, and signing. This parameter means also that VTTLS remains secure as long as k vulnerabilities exist. As vulnerabilities and, more importantly, zero-day vulnerabilities that cannot be removed as they are unknown [5], do not appear in large numbers in the same components, we expect k to be usually small, e.g., k = 2 or k = 3.

Although TLS supports strong encryption mechanisms such as AES and RSA, there are factors beyond mathematical complexity that can contribute to vulnerabilities. Diversifying encryption mechanisms includes diversifying certificates and consequently keys (public, private, shared). Diversity of certificates is a direct consequence of diversifying encryption mechanisms due to the fact that each certificate is related to an authentication and key exchange mechanism.

The main contribution of this paper is VTTLS, a new protocol for secure communication channels that uses diversity and redundancy to tolerate vulnerabilities in cryptographic mechanisms. It also presents an experimental evaluation of the protocol and shows that it has an acceptable overhead in relation to the TLS implementation on which our prototype is based, OpenSSL v1.0.2g [6].
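
The SHA-1/SHA-3 pairing and the diversity factor k described above can be illustrated for message integrity with the following added example, which is not code from the paper or from the VTTLS prototype. It assumes one independent HMAC key per mechanism and an "all k tags must verify" rule; the function names and the way a broken mechanism is modelled (the adversary can produce a valid tag for it) are hypothetical.

```python
import hashlib
import hmac
import os

# k = 2 diverse MAC mechanisms, matching the SHA-1 / SHA-3 pairing in the text.
MECHANISMS = {"sha1": hashlib.sha1, "sha3_256": hashlib.sha3_256}


def keygen():
    """One independent key per mechanism (assumption of this example)."""
    return {name: os.urandom(32) for name in MECHANISMS}


def tag(keys, message):
    """Compute one HMAC tag per mechanism over the same message."""
    return {name: hmac.new(keys[name], message, digest).digest()
            for name, digest in MECHANISMS.items()}


def verify(keys, message, tags):
    """Accept only if every one of the k tags verifies."""
    ok = True
    for name, digest in MECHANISMS.items():
        expected = hmac.new(keys[name], message, digest).digest()
        # Constant-time comparison; a missing tag counts as a failure.
        ok &= hmac.compare_digest(expected, tags.get(name, b""))
    return ok


def forge(broken, keys, original_tags, new_message):
    """Model an adversary for whom the mechanisms in `broken` give no
    protection: valid tags for those, stale tags for all the others."""
    forged = dict(original_tags)
    for name in broken:
        forged[name] = hmac.new(keys[name], new_message,
                                MECHANISMS[name]).digest()
    return forged


if __name__ == "__main__":
    keys = keygen()
    original = b"transfer 10 EUR to account A"      # constructed sample
    tampered = b"transfer 9999 EUR to account B"    # constructed sample
    tags = tag(keys, original)
    print("honest message accepted:", verify(keys, original, tags))
    for broken in (["sha1"], ["sha3_256"], ["sha1", "sha3_256"]):
        result = verify(keys, tampered, forge(broken, keys, tags, tampered))
        print("broken:", broken, "-> tampered message accepted:", result)
```

With k = 2, tampering is still rejected when either single mechanism is modelled as broken, and is accepted only when both are, which is the k - 1 tolerance bound stated in the abstract.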