Abstract
We study the security of the widely deployed Secure Session Layer/Transport Layer Security (TLS) key agreement protocol. Our analysis identifies, justifies, and exploits the modularity present in the design of the protocol: the application keys offered to higher-level applications are obtained from a master key, which in turn is derived through interaction from a pre-master key.
We define models (following well-established paradigms) that clarify the security level enjoyed by each of these types of keys. We capture the realistic setting where only one of the two parties involved in the execution of the protocol (namely the server) has a certified public key, and where the same master key is used to generate multiple application keys.
The main contribution of the paper is a modular and generic proof of security for a slightly modified version of TLS. Our proofs show that the protocol is secure even if the pre-master and the master keys satisfy only weak security requirements. Our proofs make crucial use of modelling the key derivation function of TLS as a random oracle.
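To make the two-stage derivation the abstract refers to concrete, the following added example (not code from the paper) implements the TLS 1.2 PRF-based chain of RFC 5246: pre-master key to master key, then master key to the per-direction record-layer keys; this PRF is the key derivation function the paper models as a random oracle. The sample pre-master secret and nonces are constructed, and the key sizes assumed in `derive` are those of an AES-128-CBC/HMAC-SHA256 suite.

```python
import hmac
from typing import Dict, Tuple

def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """P_hash (RFC 5246, Sect. 5): A(0)=seed, A(i)=HMAC(secret, A(i-1));
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ... truncated."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label || seed)."""
    return p_hash(secret, label + seed, length)

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Step 1: pre-master key -> 48-byte master key (RFC 5246, Sect. 8.1)."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> Dict[str, bytes]:
    """Step 2: master key -> per-direction application keys (RFC 5246, Sect. 6.3).
    The randoms are concatenated in the opposite order to step 1, so the two
    derivations never evaluate the PRF on the same (secret, seed) pair."""
    total = 2 * (mac_len + key_len + iv_len)
    block = prf(master, b"key expansion", server_random + client_random, total)
    layout = [("client_write_MAC_key", mac_len), ("server_write_MAC_key", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

def derive(pre_master: bytes, client_random: bytes, server_random: bytes) -> Tuple[bytes, Dict[str, bytes]]:
    """Whole chain for an AES-128-CBC / HMAC-SHA256 suite: 32-byte MAC keys, 16-byte keys and IVs."""
    ms = master_secret(pre_master, client_random, server_random)
    return ms, key_block(ms, client_random, server_random, 32, 16, 16)

# Constructed sample handshake values, not taken from a real session.
PRE_MASTER = b"\x03\x03" + b"\x11" * 46          # RSA pre-master: version || 46 random bytes
CLIENT_RANDOM, SERVER_RANDOM = b"\xaa" * 32, b"\xbb" * 32

if __name__ == "__main__":
    ms, keys = derive(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("master_secret:", ms.hex())
    for name, value in keys.items():
        print(f"  {name}: {value.hex()}")
```

Because each stage is just a PRF call on a distinct (secret, seed) pair, the master key can be reused to derive several independent key blocks, which is the multi-application-key setting the abstract describes.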
Additional information
Communicated by Okamoto
This paper was solicited by the Editors-in-Chief as one of the best papers from ASIACRYPT 2008, based on the recommendation of the program committee.
Cite this article
Morrissey, P., Smart, N.P. & Warinschi, B. The TLS Handshake Protocol: A Modular Analysis. J Cryptol 23, 187–223 (2010). https://doi.org/10.1007/s00145-009-9052-3