Benjamin Dowling
Douglas Stebila
ABSTRACT
The Internet Engineering Task Force (IETF) is currently developing the next version of the Transport Layer Security (TLS) protocol, version 1.3. The transparency of this standardization process allows comprehensive cryptographic analysis of the protocols prior to adoption, whereas previous TLS versions have been scrutinized in the cryptographic literature only after standardization. This is even more important as there are two related, yet slightly different, candidates in discussion for TLS 1.3, called draft-ietf-tls-tls13-05 and draft-ietf-tls-tls13-dh-based. We give a cryptographic analysis of the primary ephemeral Diffie-Hellman-based handshake protocol, which authenticates parties and establishes encryption keys, of both TLS 1.3 candidates. We show that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare-Rogaway model. Such a multi-stage approach is convenient for analyzing the design of the candidates, as they establish multiple session keys during the exchange.
An important step in our analysis is to consider compositional security guarantees. We show that, since our multi-stage key exchange security notion is composable with arbitrary symmetric-key protocols, the use of session keys in the record layer protocol is safe. Moreover, since we can view the abbreviated TLS resumption procedure also as a symmetric-key protocol, our compositional analysis allows us to directly conclude security of the combined handshake with session resumption.
We include a discussion on several design characteristics of the TLS 1.3 drafts based on the observations in our analysis.
- D. Adrian, K. Bhargavan, Z. Durumeric, P. Gaudry, M. Green, J. A. Halderman, N. Heninger, D. Springall, E. Thomé, L. Valenta, B. VanderSloot, E. Wustrow, S. Zanella-Béguelin, and P. Zimmermann. Imperfect forward secrecy: How Diffie-Hellman fails in practice. In ACM CCS 15, 2015. Google Scholar
Digital Library
- N. AlFardan, D. J. Bernstein, K. G. Paterson, B. Poettering, and J. C. N. Schuldt. On the security of RC4 in TLS. In Proc. 22nd USENIX Security Symposium, pages 305--320, 2013. Google ScholarDigital Library
- N. J. AlFardan and K. G. Paterson. Lucky thirteen: Breaking the TLS and DTLS record protocols. In 2013 IEEE Symposium on Security and Privacy, pages 526--540, 2013. Google ScholarDigital Library
- J. Altman, N. Williams, and L. Zhu. Channel Bindings for TLS. RFC 5929 (Proposed Standard), 2010.Google Scholar
- C. Badertscher, C. Matt, U. Maurer, P. Rogaway, and B. Tackmann. Augmented secure channels and the goal of the TLS 1.3 record layer. Cryptology ePrint Archive, Report 2015/394, 2015. http://eprint.iacr.org/2015/394.Google Scholar
- M. Bellare and P. Rogaway. Entity authentication and key distribution. In CRYPTO'93, pages 232--249, 1994. Google ScholarDigital Library
- B. Beurdouche, K. Bhargavan, A. Delignat-Levaud, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, and J. K. Zinzindohoue. A messy state of the union: Taming the composite state machines of TLS. In Proc. IEEE Symp. on Security & Privacy (S&P) 2015, pages 535--552, 2015.Google ScholarDigital Library
- K. Bhargavan, A. Delignat-Lavaud, C. Fournet, A. Pironti, and P.-Y. Strub. Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS. In 2014 IEEE Symposium on Security and Privacy, pages 98--113, 2014. Google ScholarDigital Library
- K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, and P.-Y. Strub. Implementing TLS with verified cryptographic security. In 2013 IEEE Symposium on Security and Privacy, pages 445--459, 2013. Google ScholarDigital Library
- K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, and S. Zanella Béguelin. Proving the TLS handshake secure (as it is). In CRYPTO 2014, Part II, pages 235--255, 2014.Google ScholarCross Ref
- C. Brzuska. On the Foundations of Key Exchange. PhD thesis, Technische Universitat Darmstadt, Darmstadt, Germany, 2013. http://tuprints.ulb.tu-darmstadt.de/3414/.Google Scholar
- C. Brzuska, M. Fischlin, B. Warinschi, and S. C. Williams. Composability of Bellare-Rogaway key exchange protocols. In ACM CCS 11, pages 51--62, 2011. Google ScholarDigital Library
- R. Canetti and H. Krawczyk. Security analysis of IKE's signature-based key-exchange protocol. In CRYPTO 2002, pages 143--161, 2002. http://eprint.iacr.org/2002/120/. Google ScholarDigital Library
- Codenomicon. The Heartbleed bug. http://heartbleed.com, 2014.Google Scholar
- B. Dowling, M. Fischlin, F. G\" unther, and D. Stebila. A cryptographic analysis of the TLS 1.3 handshake protocol candidates (full version). Cryptology ePrint Archive, 2015. http://eprint.iacr.org/. Google ScholarDigital Library
- T. Duong. BEAST. http://vnhacker.blogspot.com.au/2011/09/beast.html, 2011.Google Scholar
- M. Fischlin and F. Günther. Multi-stage key exchange and the case of Google's QUIC protocol. In ACM CCS 14, pages 1193--1204, 2014. Google ScholarDigital Library
- C. Fournet, M. Kohlweiss, and P.-Y. Strub. Modular code-based cryptographic verification. In ACM CCS 11, pages 341--350, 2011. Google ScholarDigital Library
- T. Jager, F. Kohlar, S. Schage, and J. Schwenk. On the security of TLS-DHE in the standard model. In CRYPTO 2012, pages 273--293, 2012.Google ScholarDigital Library
- S. Josefsson. Channel bindings for TLS based on the PRF. https://tools.ietf.org/html/draft-josefsson-sasl-tls-cb-03, 2015.Google Scholar
- M. Kohlweiss, U. Maurer, C. Onete, B. Tackmann, and D. Venturi. (de-)constructing TLS. Cryptology ePrint Archive, Report 2014/020, 2014. http://eprint.iacr.org/2014/020.Google Scholar
- H. Krawczyk. Cryptographic extraction and key derivation: The HKDF scheme. In CRYPTO 2010, pages 631--648, 2010. Google ScholarDigital Library
- H. Krawczyk, K. G. Paterson, and H. Wee. On the security of the TLS protocol: A systematic analysis. In CRYPTO 2013, Part I, pages 429--448, 2013.Google ScholarCross Ref
- B. Moller, T. Duong, and K. Kotowicz. This POODLE bites: Exploiting the SSL 3.0 fallback. https://www.openssl.org/ bodo/ssl-poodle.pdf, 2014.Google Scholar
- E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3 -- draft-ietf-tls-tls13-05. https://tools.ietf.org/html/draft-ietf-tls-tls13-05, 2015.Google Scholar
- E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3 -- draft-ietf-tls-tls13-07. https://tools.ietf.org/html/draft-ietf-tls-tls13-07, 2015.Google Scholar
- E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3 -- draft-ietf-tls-tls13-dh-based. https://github.com/ekr/tls13-spec/blob/ietf92_materials/draft-ietf-tls-%tls13-dh-based.txt, 2015.Google Scholar
Index Terms
- A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates
Recommendations
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol
AbstractWe analyze the handshake protocol of the Transport Layer Security (TLS) protocol, version 1.3. We address both the full TLS 1.3 handshake (the one round-trip time mode, with signatures for authentication and (elliptic curve) Diffie–Hellman ...
Multi-Stage Key Exchange and the Case of Google's QUIC Protocol
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications SecurityThe traditional approach to build a secure connection is to run a key exchange protocol and, once the key has been established, to use this key afterwards in a secure channel protocol. The security of key exchange and channel protocols, and to some ...
Key-Schedule Security for the TLS 1.3 Standard
Advances in Cryptology – ASIACRYPT 2022AbstractTransport Layer Security (TLS) is the cryptographic backbone of secure communication on the Internet. In its latest version 1.3, the standardization process has taken formal analysis into account both due to the importance of the protocol and the ...
Comments