Journal of Cryptology, Volume 23, Issue 2, pp 187–223

The TLS Handshake Protocol: A Modular Analysis



We study the security of the widely deployed Secure Session Layer/Transport Layer Security (TLS) key agreement protocol. Our analysis identifies, justifies, and exploits the modularity present in the design of the protocol: the application keys offered to higher-level applications are obtained from a master key, which in turn is derived through interaction from a pre-master key.

We define models (following well-established paradigms) that clarify the security level enjoyed by each of these types of keys. We capture the realistic setting where only one of the two parties involved in the execution of the protocol (namely the server) has a certified public key, and where the same master key is used to generate multiple application keys.

The main contribution of the paper is a modular and generic proof of security for a slightly modified version of TLS. Our proofs show that the protocol is secure even if the pre-master and master keys satisfy only weak security requirements. Our proofs make crucial use of modelling the key derivation function of TLS as a random oracle.
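The two-stage derivation the abstract describes (pre-master key, then master key, then per-session application keys, with the key derivation function in between) is concrete in the TLS 1.0/1.1 specification the paper builds on. The following is an added illustration, not code from the paper or its authors: it implements the RFC 2246 PRF (P_MD5 XOR P_SHA1 over the two halves of the secret) and uses it for both derivation steps, which is exactly the function the analysis replaces by a random oracle. The pre-master secret and the two nonces below are constructed sample values, and the MAC/key/IV lengths assumed are those of an AES-128-CBC/HMAC-SHA1 cipher suite.

```python
import hmac

# Constructed sample inputs (not from any real handshake).
# An RSA-key-exchange pre-master secret is 48 bytes: client version + 46 random bytes.
PRE_MASTER = bytes([0x03, 0x01]) + bytes(range(46))
CLIENT_RANDOM = bytes([0x11]) * 32   # ClientHello.random (constructed)
SERVER_RANDOM = bytes([0x22]) * 32   # ServerHello.random (constructed)


def p_hash(hash_name, secret, seed, length):
    """RFC 2246 section 5 P_hash: HMAC-based expansion.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """RFC 2246 PRF: split the secret into two (possibly overlapping) halves,
    feed S1 to P_MD5 and S2 to P_SHA1, and XOR the two streams."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    data = label + seed
    md5_part = p_hash("md5", s1, data, length)
    sha_part = p_hash("sha1", s2, data, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def derive_master_secret(pre_master, client_random, server_random):
    """Step 1 (RFC 2246 section 8.1): the master secret is always 48 bytes and is
    bound to both nonces, so the same pre-master key cannot yield the same master key twice."""
    return tls10_prf(pre_master, b"master secret", client_random + server_random, 48)


def derive_session_keys(master_secret, client_random, server_random,
                        mac_len=20, key_len=16, iv_len=16):
    """Step 2 (RFC 2246 section 6.3): expand the master secret into the application keys.
    Note the nonce order is server_random + client_random here, the reverse of step 1."""
    total = 2 * (mac_len + key_len + iv_len)
    key_block = tls10_prf(master_secret, b"key expansion",
                          server_random + client_random, total)
    layout = [("client_write_MAC_secret", mac_len), ("server_write_MAC_secret", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    keys, pos = {}, 0
    for name, n in layout:
        keys[name] = key_block[pos:pos + n]
        pos += n
    return keys


if __name__ == "__main__":
    ms = derive_master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("master secret:", ms.hex())
    for name, value in derive_session_keys(ms, CLIENT_RANDOM, SERVER_RANDOM).items():
        print(f"{name:24s} {value.hex()}")
```

The separation mirrors the paper's modular view: `derive_master_secret` is the only place the pre-master key is used, and every application key is a function of the master secret and the public nonces alone, so a compromise of one layer can be reasoned about independently of the others.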


Keywords: Provable security, TLS, SSL





Copyright information

© International Association for Cryptologic Research 2009

Authors and Affiliations

Department of Computer Science, University of Bristol, Bristol, UK
