The TLS Handshake Protocol: A Modular Analysis
We study the security of the widely deployed Secure Sockets Layer/Transport Layer Security (SSL/TLS) key agreement protocol. Our analysis identifies, justifies, and exploits the modularity present in the design of the protocol: the application keys offered to higher-level applications are obtained from a master key, which in turn is derived through interaction from a pre-master key.
We define models (following well-established paradigms) that clarify the security level enjoyed by each of these types of keys. We capture the realistic setting where only one of the two parties involved in the execution of the protocol (namely the server) has a certified public key, and where the same master key is used to generate multiple application keys.
The main contribution of the paper is a modular and generic proof of security for a slightly modified version of TLS. Our proofs show that the protocol is secure even if the pre-master and the master keys satisfy only weak security requirements. Our proofs make crucial use of modelling the key derivation function of TLS as a random oracle.
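To make the three-stage key hierarchy concrete, here is an added Python example (not from the paper) of the TLS 1.2 key-derivation chain as specified in RFC 5246: pre-master secret to master secret, then master secret to the six application (write) keys, using the PRF that the paper models as a random oracle. The inputs are constructed, and the key sizes assume an AES-128-CBC/HMAC-SHA1 cipher suite.

```python
import hashlib
import hmac

def p_hash(secret: bytes, seed: bytes, length: int, hash_fn=hashlib.sha256) -> bytes:
    """P_hash data expansion (RFC 5246, section 5): concatenate
    HMAC(secret, A(i) || seed) for i = 1, 2, ... until `length` bytes exist,
    with A(0) = seed and A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_fn).digest()            # A(i)
        out += hmac.new(secret, a + seed, hash_fn).digest()  # HMAC(secret, A(i) || seed)
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label || seed)."""
    return p_hash(secret, label + seed, length)

def derive_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Stage 1 (pre-master -> master): always 48 bytes, seed = client_random || server_random."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)

KEY_BLOCK_ORDER = ("client_write_MAC_key", "server_write_MAC_key",
                   "client_write_key", "server_write_key",
                   "client_write_IV", "server_write_IV")

def derive_key_block(master: bytes, client_random: bytes, server_random: bytes,
                     mac_len: int, key_len: int, iv_len: int) -> dict:
    """Stage 2 (master -> application keys). Note the seed order flips to
    server_random || client_random, and one master secret feeds six separate keys."""
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    block = prf(master, b"key expansion", server_random + client_random, sum(sizes))
    keys, pos = {}, 0
    for name, size in zip(KEY_BLOCK_ORDER, sizes):
        keys[name], pos = block[pos:pos + size], pos + size
    return keys

def derive_tls12_keys(pre_master: bytes, client_random: bytes, server_random: bytes,
                      mac_len: int = 20, key_len: int = 16, iv_len: int = 16):
    """Full chain for a CBC/HMAC-SHA1 suite such as TLS_RSA_WITH_AES_128_CBC_SHA."""
    master = derive_master_secret(pre_master, client_random, server_random)
    return master, derive_key_block(master, client_random, server_random, mac_len, key_len, iv_len)

if __name__ == "__main__":
    # Constructed sample inputs, not values from a real handshake.
    pre_master = b"\x03\x03" + bytes(range(46))   # RSA-style: version || 46 bytes
    client_random, server_random = bytes([0x11]) * 32, bytes([0x22]) * 32
    master, keys = derive_tls12_keys(pre_master, client_random, server_random)
    print("master_secret:", master.hex())
    for name, key in keys.items(): print(name, key.hex())
```

Because each stage is a separate PRF call with a distinct label and seed, the application keys can be analysed given only the master secret, which is the modularity the abstract refers to.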
Keywords: Provable security, TLS, SSL