Journal of Cryptology, Volume 30, Issue 4, pp. 1276–1324

Authenticated Confidential Channel Establishment and the Security of TLS-DHE

  • Tibor Jager
  • Florian Kohlar
  • Sven Schäge
  • Jörg Schwenk

Abstract

Transport Layer Security (TLS) is the most important cryptographic protocol in use today. However, finding a cryptographic security proof for the complete, unaltered protocol has proven to be a challenging task. We give the first such proof in the standard model for the core cryptographic protocol underlying TLS cipher suites based on ephemeral Diffie–Hellman key exchange (TLS-DHE). This includes the cipher suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, which is mandatory in TLS 1.0 and TLS 1.1. It is impossible to prove the TLS Handshake secure in the classical security models of Bellare–Rogaway and Canetti–Krawczyk. The reason for this is that the final Finished messages of the TLS Handshake are encrypted with the session key, which provides an opportunity to distinguish real keys from random values. Therefore we start with proving the security of a truncated version of the TLS Handshake protocol, which has also been considered in previous work on TLS, and give the first proof of this variant in the standard model. Then we define the new notion of authenticated and confidential channel establishment (ACCE), which allows the monolithic analysis of protocols for which a modular security proof is not possible. We show that the combination of the TLS-DHE Handshake protocol and the TLS Record Layer encryption is secure in this model. Since the conference publication of this paper, the notion of ACCE has found many further applications, for example to the analysis of further TLS cipher suites (Krawczyk et al., Crypto 2013; Li et al., PKC 2014), advanced mechanisms like secure renegotiation of TLS session keys (Giesen et al., CCS 2013), and other practical protocols like EMV channel establishment (Brzuska et al., CCS 2013), SSH (Bergsma et al., CCS 2014), and QUIC (Lychev et al., S&P 2015).
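The reason given above for abandoning the classical key-indistinguishability models is easy to see concretely. The following Python script is an added illustration, not code from the paper or from any TLS implementation: it models a TLS-DHE-like handshake whose client Finished message is sent under the freshly derived session keys (MAC-then-encrypt, as in the TLS record layer), then plays the Bellare–Rogaway Test game against it. Everything in it is an assumption chosen for a self-contained demonstration: the DH group (p = 2^127 − 1, g = 3, far too small to be secure), HMAC-SHA256 in counter mode standing in for both the TLS PRF and the record-layer cipher, and the key-block layout. Real TLS 1.0/1.1 uses 3DES-CBC with HMAC-SHA1 and its own PRF, but the distinguishing step is the same.

```python
"""Added example: why a Test query on the full TLS handshake is trivially won.

Toy parameters (assumptions, not TLS's real primitives):
  * DH group p = 2^127 - 1 (a Mersenne prime), g = 3  -- insecure, illustration only
  * HMAC-SHA256 in counter mode stands in for the TLS PRF and the record cipher
"""
import hashlib
import hmac
import os
import secrets

P = (1 << 127) - 1   # toy modulus (assumption)
G = 3                # toy generator (assumption)
MAC_LEN = 32         # HMAC-SHA256 tag length


def dh_keypair():
    """Ephemeral DH share (x, g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def prf(secret, label, seed, n):
    """Stand-in for the TLS PRF: HMAC-SHA256 expanded in counter mode."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(secret, label + seed + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def derive_keys(premaster, client_random, server_random):
    """premaster -> master secret -> key block split into MAC key and encryption key."""
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random, 64)
    return master, {"mac": block[:32], "enc": block[32:]}


def record_encrypt(keys, seq, payload):
    """TLS-style MAC-then-encrypt; keystream is derived per record sequence number."""
    seq_bytes = seq.to_bytes(8, "big")
    tag = hmac.new(keys["mac"], seq_bytes + payload, hashlib.sha256).digest()
    plaintext = payload + tag
    stream = prf(keys["enc"], b"stream", seq_bytes, len(plaintext))
    return bytes(a ^ b for a, b in zip(plaintext, stream))


def record_decrypt(keys, seq, ciphertext):
    """Returns the payload if the MAC verifies under these keys, else None."""
    if len(ciphertext) < MAC_LEN:
        return None
    seq_bytes = seq.to_bytes(8, "big")
    stream = prf(keys["enc"], b"stream", seq_bytes, len(ciphertext))
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, stream))
    payload, tag = plaintext[:-MAC_LEN], plaintext[-MAC_LEN:]
    expected = hmac.new(keys["mac"], seq_bytes + payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def run_handshake():
    """Honest client and server. Returns the real session keys plus what a network
    attacker records: the transcript and the encrypted client Finished record.
    (The server's signature over its DH share is omitted; it plays no role here.)"""
    client_random, server_random = os.urandom(32), os.urandom(32)
    x, gx = dh_keypair()
    y, gy = dh_keypair()
    transcript = client_random + server_random + gx.to_bytes(16, "big") + gy.to_bytes(16, "big")
    premaster = pow(gy, x, P).to_bytes(16, "big")
    assert premaster == pow(gx, y, P).to_bytes(16, "big")
    master, keys = derive_keys(premaster, client_random, server_random)
    # Finished = Handshake header (type 20, 3-byte length) + verify_data
    verify_data = prf(master, b"client finished", hashlib.sha256(transcript).digest(), 12)
    finished = b"\x14" + len(verify_data).to_bytes(3, "big") + verify_data
    return keys, transcript, record_encrypt(keys, 0, finished)


def reveal_or_random(real_keys, b):
    """The Test oracle: the real session keys if b == 1, fresh random keys if b == 0."""
    if b == 1:
        return real_keys
    return {"mac": os.urandom(32), "enc": os.urandom(32)}


def distinguisher(candidate_keys, enc_finished):
    """Adversary's guess: the keys are real iff they decrypt the recorded Finished
    record to a MAC-valid Handshake message of type 20."""
    payload = record_decrypt(candidate_keys, 0, enc_finished)
    return 1 if payload is not None and payload[:1] == b"\x14" else 0


def advantage(trials=100):
    """Fraction of Test games the distinguisher wins; 0.5 would mean no advantage."""
    wins = 0
    for _ in range(trials):
        keys, _, enc_finished = run_handshake()
        b = secrets.randbelow(2)
        wins += int(distinguisher(reveal_or_random(keys, b), enc_finished) == b)
    return wins / trials


if __name__ == "__main__":
    print("Test-game success rate of the trivial distinguisher:", advantage())
```

The success rate is 1 rather than 1/2: with the real keys the captured record decrypts to a valid MAC and a type-20 handshake header, with random keys the MAC check fails except with probability 2^-256. Nothing here exploits a weakness; it is the protocol using the session key before the Test query, i.e. key confirmation through the encrypted Finished messages, that makes key indistinguishability the wrong target. Stopping the model before the Finished messages removes this oracle, which is exactly the truncated handshake the abstract proves secure first; ACCE instead asks whether the resulting channel is confidential and authenticated, a question the encrypted Finished messages do not trivialise. The same observation applies to any key exchange that sends key-confirmation data under the derived key.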

Keywords

Authenticated key exchange; authenticated confidential channel establishment (ACCE); SSL; TLS

References

  1. M. Abdalla, M. Bellare, P. Rogaway, The oracle Diffie–Hellman assumptions and an analysis of DHIES, in Topics in Cryptology—CT-RSA 2001, volume 2020 of Lecture Notes in Computer Science, San Francisco, CA, USA, ed. by D. Naccache (Springer, Berlin, Germany, April 8–12, 2001), pp. 143–158
  2. M.R. Albrecht, K.G. Paterson, Lucky microseconds: a timing attack on Amazon's s2n implementation of TLS, in Advances in Cryptology—EUROCRYPT 2016, Part I (2016), pp. 622–643
  3. N.J. AlFardan, K.G. Paterson, Lucky thirteen: breaking the TLS and DTLS record protocols, in 2013 IEEE Symposium on Security and Privacy, Berkeley, California, USA, May 19–22, 2013 (IEEE Computer Society Press, 2013), pp. 526–540
  4. N. Aviram, S. Schinzel, J. Somorovsky, N. Heninger, M. Dankel, J. Steube, L. Valenta, D. Adrian, J.A. Halderman, V. Dukhovni, E. Käsper, S. Cohney, S. Engels, C. Paar, Y. Shavitt, DROWN: breaking TLS using SSLv2, in 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10–12, 2016 (2016), pp. 689–706
  5. G.V. Bard, The vulnerability of SSL to chosen plaintext attack, Cryptology ePrint Archive, Report 2004/111 (2004). http://eprint.iacr.org/
  6. G.V. Bard, A challenging but feasible blockwise-adaptive chosen-plaintext attack on SSL, in SECRYPT, ed. by M. Malek, E. Fernández-Medina, J. Hernando (INSTICC Press, 2006), pp. 99–109
  7. B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, J.K. Zinzindohoue, A messy state of the union: taming the composite state machines of TLS, in 2015 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2015), pp. 535–552
  8. K. Bhargavan, A. Delignat-Lavaud, C. Fournet, A. Pironti, P.-Y. Strub, Triple handshakes and cookie cutters: breaking and fixing authentication over TLS, in 2014 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2014), pp. 98–113
  9. F. Bergsma, B. Dowling, F. Kohlar, J. Schwenk, D. Stebila, Multi-ciphersuite security of the secure shell (SSH) protocol, in ACM CCS 14: 21st Conference on Computer and Communications Security (ACM Press, 2014), pp. 369–381
  10. M. Bellare, New proofs for NMAC and HMAC: security without collision-resistance, in Advances in Cryptology—CRYPTO 2006, volume 4117 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by C. Dwork (Springer, Berlin, Germany, August 20–24, 2006), pp. 602–619
  11. K. Bhargavan, C. Fournet, R. Corin, E. Zalinescu, Cryptographically verified implementations for TLS, in ACM CCS 08: 15th Conference on Computer and Communications Security, Alexandria, Virginia, USA, ed. by P. Ning, P.F. Syverson, S. Jha (ACM Press, October 27–31, 2008), pp. 459–468
  12. K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, Implementing TLS with verified cryptographic security, in 2013 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2013), pp. 445–459
  13. K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, S.Z. Béguelin, Proving the TLS handshake secure (as it is), in Advances in Cryptology—CRYPTO 2014, Part II, volume 8617 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by J.A. Garay, R. Gennaro (Springer, Berlin, Germany, August 17–21, 2014), pp. 235–255
  14. C. Brzuska, M. Fischlin, N.P. Smart, B. Warinschi, S.C. Williams, Less is more: relaxed yet composable security notions for key exchange, Int. J. Inf. Sec., 12(4):267–297, 2013
  15. G. Barthe, B. Grégoire, S. Heraud, S.Z. Béguelin, Computer-aided security proofs for the working cryptographer, in Advances in Cryptology—CRYPTO 2011, volume 6841 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by P. Rogaway (Springer, Berlin, Germany, August 14–18, 2011), pp. 71–90
  16. C. Brzuska, H. Jacobsen, D. Stebila, Safely exporting keys from secure channels: on the security of EAP-TLS and TLS key exporters, in Advances in Cryptology—EUROCRYPT 2016, Part I (2016), pp. 670–698
  17. M. Bellare, T. Kohno, C. Namprempre, Authenticated encryption in SSH: provably fixing the SSH binary packet protocol, in ACM CCS 02: 9th Conference on Computer and Communications Security, Washington D.C., USA, ed. by V. Atluri (ACM Press, November 18–22, 2002), pp. 1–11
  18. M. Bellare, T. Kohno, C. Namprempre, Breaking and provably repairing the SSH authenticated encryption scheme: a case study of the encode-then-encrypt-and-MAC paradigm, ACM Trans. Inf. Syst. Secur., 7:206–241, May 2004
  19. D. Bleichenbacher, Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1, in Advances in Cryptology—CRYPTO '98, volume 1462 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by H. Krawczyk (Springer, Berlin, Germany, August 23–27, 1998), pp. 1–12
  20. B. Barak, Y. Lindell, T. Rabin, Protocol initialization for the framework of universal composability, Cryptology ePrint Archive, Report 2004/006 (2004). http://eprint.iacr.org/
  21. C. Boyd, A. Mathuria, Protocols for Authentication and Key Establishment, Information Security and Cryptography (Springer, Berlin, 2003)
  22. C. Badertscher, C. Matt, U. Maurer, P. Rogaway, B. Tackmann, Augmented secure channels and the goal of the TLS 1.3 record layer, in ProvSec 2015: 9th International Conference on Provable Security, Lecture Notes in Computer Science (Springer, Berlin, 2015), pp. 85–104
  23. M. Bellare, C. Namprempre, Authenticated encryption: relations among notions and analysis of the generic composition paradigm, in Advances in Cryptology—ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, Kyoto, Japan, ed. by T. Okamoto (Springer, Berlin, Germany, December 3–7, 2000), pp. 531–545
  24. M. Bellare, C. Namprempre, Authenticated encryption: relations among notions and analysis of the generic composition paradigm, Journal of Cryptology, 21(4):469–491, 2008
  25. M. Bellare, D. Pointcheval, P. Rogaway, Authenticated key exchange secure against dictionary attacks, in Advances in Cryptology—EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, Bruges, Belgium, ed. by B. Preneel (Springer, Berlin, Germany, May 14–18, 2000), pp. 139–155
  26. M. Bellare, P. Rogaway, Entity authentication and key distribution, in Advances in Cryptology—CRYPTO '93, volume 773 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by D.R. Stinson (Springer, Berlin, Germany, August 22–26, 1994), pp. 232–249
  27. M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in Advances in Cryptology—EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, St. Petersburg, Russia, ed. by S. Vaudenay (Springer, Berlin, Germany, May 28–June 1, 2006), pp. 409–426
  28. C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson, An analysis of the EMV channel establishment protocol, in ACM CCS 13: 20th Conference on Computer and Communications Security, ed. by A.-R. Sadeghi, V.D. Gligor, M. Yung (ACM Press, Berlin, Germany, November 4–8, 2013), pp. 373–386
  29. M. Bellare, B. Tackmann, The multi-user security of authenticated encryption: AES-GCM in TLS 1.3, in Advances in Cryptology—CRYPTO 2016, Part I, Lecture Notes in Computer Science, Santa Barbara, CA, USA (Springer, Berlin, Germany, August 2016), pp. 247–276
  30. S. Blake-Wilson, D. Johnson, A. Menezes, Key agreement protocols and their security analysis, in 6th IMA International Conference on Cryptography and Coding, volume 1355 of Lecture Notes in Computer Science, Cirencester, UK, ed. by M. Darnell (Springer, Berlin, Germany, December 17–19, 1997), pp. 30–45
  31. R. Canetti, Universally composable security: a new paradigm for cryptographic protocols, in 42nd Annual Symposium on Foundations of Computer Science, Las Vegas, Nevada, USA (IEEE Computer Society Press, October 14–17, 2001), pp. 136–145
  32. K.K.R. Choo, C. Boyd, Y. Hitchcock, Examining indistinguishability-based proof models for key establishment protocols, in Advances in Cryptology—ASIACRYPT 2005, volume 3788 of Lecture Notes in Computer Science, Chennai, India, ed. by B.K. Roy (Springer, Berlin, Germany, December 4–8, 2005), pp. 585–604
  33. S. Chaki, A. Datta, ASPIER: an automated framework for verifying security protocol implementations, in 22nd IEEE Computer Security Foundations Symposium, CSF 2009 (IEEE Computer Society Press, July 2009), pp. 172–185
  34. J.-S. Coron, M. Joye, D. Naccache, P. Paillier, New attacks on PKCS#1 v1.5 encryption, in Advances in Cryptology—EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, Bruges, Belgium, ed. by B. Preneel (Springer, Berlin, Germany, May 14–18, 2000), pp. 369–381
  35. R. Canetti, H. Krawczyk, Analysis of key-exchange protocols and their use for building secure channels, in Advances in Cryptology—EUROCRYPT 2001, volume 2045 of Lecture Notes in Computer Science, Innsbruck, Austria, ed. by B. Pfitzmann (Springer, Berlin, Germany, May 6–10, 2001), pp. 453–474
  36. R. Canetti, H. Krawczyk, Security analysis of IKE's signature-based key-exchange protocol, in Advances in Cryptology—CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by M. Yung (Springer, Berlin, Germany, August 18–22, 2002), pp. 143–161. http://eprint.iacr.org/2002/120/
  37. C.J.F. Cremers, Session-state reveal is stronger than ephemeral key reveal: attacking the NAXOS authenticated key exchange protocol, in ACNS 09: 7th International Conference on Applied Cryptography and Network Security, volume 5536 of Lecture Notes in Computer Science, Paris-Rocquencourt, France, ed. by M. Abdalla, D. Pointcheval, P.-A. Fouque, D. Vergnaud (Springer, Berlin, Germany, June 2–5, 2009), pp. 20–33
  38. T. Dierks, C. Allen, The TLS Protocol Version 1.0, RFC 2246 (Proposed Standard), obsoleted by RFC 4346, updated by RFCs 3546, 5746 (January 1999)
  39. B. Dowling, M. Fischlin, F. Günther, D. Stebila, A cryptographic analysis of the TLS 1.3 handshake protocol candidates, in ACM CCS 15: 22nd Conference on Computer and Communications Security (ACM Press, New York, 2015)
  40. B. Dowling, M. Fischlin, F. Günther, D. Stebila, A cryptographic analysis of the TLS 1.3 draft-10 full and pre-shared key handshake protocol, Cryptology ePrint Archive, Report 2016/081 (2016). http://eprint.iacr.org/2016/081
  41. T. Dierks, E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.1, RFC 4346 (Proposed Standard), obsoleted by RFC 5246, updated by RFCs 4366, 4680, 4681, 5746 (April 2006)
  42. T. Dierks, E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.2, RFC 5246 (Proposed Standard), updated by RFCs 5746, 5878 (August 2008)
  43.
  44. D. Dolev, A.C. Yao, On the security of public key protocols, IEEE Trans. Inf. Theory, 29(2):198–207, 1983
  45. D. Eastlake III, T. Hansen, US Secure Hash Algorithms (SHA and HMAC-SHA), RFC 4634 (Informational) (July 2006)
  46. D. Eastlake III, P. Jones, US Secure Hash Algorithm 1 (SHA1), RFC 3174 (Informational), updated by RFC 4634 (September 2001)
  47. M. Fischlin, A. Lehmann, D. Wagner, Hash function combiners in TLS and SSL, in Topics in Cryptology—CT-RSA 2010, volume 5985 of Lecture Notes in Computer Science, San Francisco, CA, USA, ed. by J. Pieprzyk (Springer, Berlin, Germany, March 1–5, 2010), pp. 268–283
  48. P.-A. Fouque, D. Pointcheval, S. Zimmer, HMAC is a randomness extractor and applications to TLS, in ASIACCS 08: 3rd Conference on Computer and Communications Security, Tokyo, Japan, ed. by M. Abe, V. Gligor (ACM Press, March 18–20, 2008), pp. 21–32
  49. F. Giesen, F. Kohlar, D. Stebila, On the security of TLS renegotiation, in ACM CCS 13: 20th Conference on Computer and Communications Security (ACM Press, 2013), pp. 387–398
  50. S. Gajek, M. Manulis, O. Pereira, A.-R. Sadeghi, J. Schwenk, Universally composable security analysis of TLS, in ProvSec 2008, volume 5324 of Lecture Notes in Computer Science, ed. by J. Baek, F. Bao, K. Chen, X. Lai (Springer, 2008), pp. 313–327
  51. J. Jonsson, B.S. Kaliski Jr, On the security of RSA encryption in TLS, in Advances in Cryptology—CRYPTO 2002, pp. 127–142
  52. T. Jager, F. Kohlar, S. Schäge, J. Schwenk, On the security of TLS-DHE in the standard model, in Advances in Cryptology—CRYPTO 2012, volume 7417 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by R. Safavi-Naini, R. Canetti (Springer, Berlin, Germany, August 19–23, 2012), pp. 273–293
  53. D. Johnson, A. Menezes, S. Vanstone, The Elliptic Curve Digital Signature Algorithm (ECDSA), Int. J. Inf. Secur., 1(1):36–63, August 2001
  54. T. Jager, J. Schwenk, J. Somorovsky, Practical invalid curve attacks on TLS-ECDH, in ACM CCS 15: 22nd Conference on Computer and Communications Security (ACM Press, New York, 2015), pp. 407–425
  55. T. Jager, J. Schwenk, J. Somorovsky, On the security of TLS 1.3 and QUIC against weaknesses in PKCS #1 v1.5 encryption, in ACM CCS 15: 22nd Conference on Computer and Communications Security (ACM Press, New York, 2015), pp. 1185–1196
  56. B. Kaliski, PKCS #1: RSA Encryption Version 1.5, RFC 2313 (Informational), obsoleted by RFC 2437 (March 1998)
  57. M. Kohlweiss, U. Maurer, C. Onete, B. Tackmann, D. Venturi, (De-)constructing TLS, Cryptology ePrint Archive, Report 2014/020 (2014). http://eprint.iacr.org/
  58. M. Kohlweiss, U. Maurer, C. Onete, B. Tackmann, D. Venturi, (De-)constructing TLS 1.3, in Progress in Cryptology—INDOCRYPT 2015: 16th International Conference in Cryptology in India, Lecture Notes in Computer Science (Springer, Berlin, Germany, 2015), pp. 85–102
  59. E. Kiltz, A. O'Neill, A. Smith, Instantiability of RSA-OAEP under chosen-plaintext attack, in Advances in Cryptology—CRYPTO 2010, volume 6223 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by T. Rabin (Springer, Berlin, Germany, August 15–19, 2010), pp. 295–313
  60. E. Kiltz, K. Pietrzak, On the security of padding-based encryption schemes—or—why we cannot prove OAEP secure in the standard model, in Advances in Cryptology—EUROCRYPT 2009, volume 5479 of Lecture Notes in Computer Science, Cologne, Germany (Springer, Berlin, Germany, April 26–30, 2009), pp. 389–406
  61. H. Krawczyk, K.G. Paterson, H. Wee, On the security of the TLS protocol: a systematic analysis, in Advances in Cryptology—CRYPTO 2013, Part I, volume 8042 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by R. Canetti, J.A. Garay (Springer, Berlin, Germany, August 18–22, 2013), pp. 429–448
  62. H. Krawczyk, The order of encryption and authentication for protecting communications (or: how secure is SSL?), in Advances in Cryptology—CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by J. Kilian (Springer, Berlin, Germany, August 19–23, 2001), pp. 310–331
  63. H. Krawczyk, HMQV: a high-performance secure Diffie–Hellman protocol, in Advances in Cryptology—CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by V. Shoup (Springer, Berlin, Germany, August 14–18, 2005), pp. 546–566
  64. F. Kohlar, S. Schäge, J. Schwenk, On the security of TLS-DH and TLS-RSA in the standard model, Cryptology ePrint Archive, Report 2013/367 (2013). http://eprint.iacr.org/
  65. R. Küsters, M. Tuengerthal, Composition theorems without pre-established session identifiers, in ACM CCS 11: 18th Conference on Computer and Communications Security, Chicago, Illinois, USA, ed. by Y. Chen, G. Danezis, V. Shmatikov (ACM Press, October 17–21, 2011), pp. 41–50
  66. H. Krawczyk, H. Wee, The OPTLS protocol and TLS 1.3, in IEEE European Symposium on Security and Privacy, EuroS&P 2016, Saarbrücken, Germany (March 21–24, 2016), pp. 81–96
  67. G. Locke, P. Gallagher, FIPS PUB 186-3: Digital Signature Standard (DSS), Federal Information Processing Standards Publication (2009)
  68. Y. Li, Personal communication (2012)
  69. R. Lychev, S. Jero, A. Boldyreva, C. Nita-Rotaru, How secure and quick is QUIC? Provable security and performance analyses, in 2015 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2015), pp. 214–231
  70. R. Lychev, S. Jero, A. Boldyreva, C. Nita-Rotaru, How secure and quick is QUIC? Provable security and performance analyses, Cryptology ePrint Archive, Report 2015/582 (2015). http://eprint.iacr.org/
  71. B.A. LaMacchia, K. Lauter, A. Mityagin, Stronger security of authenticated key exchange, in ProvSec 2007, volume 4784 of Lecture Notes in Computer Science, ed. by W. Susilo, J.K. Liu, Y. Mu (Springer, 2007), pp. 1–16
  72. Y. Li, S. Schäge, Z. Yang, F. Kohlar, J. Schwenk, On the security of the pre-shared key ciphersuites of TLS, in PKC 2014: 17th International Workshop on Theory and Practice in Public Key Cryptography, volume 8383 of Lecture Notes in Computer Science, Buenos Aires, Argentina, ed. by H. Krawczyk (Springer, Berlin, Germany, March 26–28, 2014), pp. 669–684
  73. B. Möller, T. Duong, K. Kotowicz, This POODLE bites: exploiting the SSL 3.0 fallback, online (2014)
  74. J.C. Mitchell, Finite-state analysis of security protocols, in CAV 1998, volume 1427 of Lecture Notes in Computer Science, ed. by A.J. Hu, M.Y. Vardi (Springer, 1998), pp. 71–76
  75. P. Morrissey, N.P. Smart, B. Warinschi, A modular security analysis of the TLS handshake protocol, in Advances in Cryptology—ASIACRYPT 2008, volume 5350 of Lecture Notes in Computer Science, Melbourne, Australia, ed. by J. Pieprzyk (Springer, Berlin, Germany, December 7–11, 2008), pp. 55–73
  76. P. Morrissey, N.P. Smart, B. Warinschi, The TLS handshake protocol: a modular analysis, J. Cryptol., 23(2):187–223, April 2010
  77. U. Maurer, B. Tackmann, On the soundness of authenticate-then-encrypt: formalizing the malleability of symmetric encryption, in ACM CCS 10: 17th Conference on Computer and Communications Security, Chicago, Illinois, USA, ed. by E. Al-Shaer, A.D. Keromytis, V. Shmatikov (ACM Press, October 4–8, 2010), pp. 505–515
  78. N. Mavrogiannopoulos, F. Vercauteren, V. Velichkov, B. Preneel, A cross-protocol attack on the TLS protocol, in ACM CCS 12: 19th Conference on Computer and Communications Security, Raleigh, NC, USA, ed. by T. Yu, G. Danezis, V.D. Gligor (ACM Press, October 16–18, 2012), pp. 62–72
  79. K. Ogata, K. Futatsugi, Equational approach to formal analysis of TLS, in ICDCS 2005 (IEEE Computer Society, 2005), pp. 795–804
  80. L.C. Paulson, Inductive analysis of the Internet protocol TLS, ACM Trans. Inf. Syst. Secur., 2(3):332–351, 1999
  81. K.G. Paterson, T. Ristenpart, T. Shrimpton, Tag size does matter: attacks and proofs for the TLS record protocol, in Advances in Cryptology—ASIACRYPT 2011, volume 7073 of Lecture Notes in Computer Science, Seoul, South Korea, ed. by D.H. Lee, X. Wang (Springer, Berlin, Germany, December 4–8, 2011), pp. 372–389
  82. D. Pointcheval, S. Vaudenay, On provable security for digital signature algorithms, Technical report, École Normale Supérieure (1996)
  83. M. Ray, S. Dispensa, Renegotiating TLS (2009). http://extendedsubset.com/Renegotiating_TLS
  84. R. Rivest, The MD5 Message-Digest Algorithm, RFC 1321 (Informational) (April 1992)
  85. Q. Sun, D.R. Simon, Y.-M. Wang, W. Russell, V.N. Padmanabhan, L. Qiu, Statistical identification of encrypted web browsing traffic, in 2002 IEEE Symposium on Security and Privacy (2002), pp. 19–30
  86. J.M. Schanck, W. Whyte, Z. Zhang, Circuit-extension handshakes for Tor achieving forward secrecy in a quantum world, Proc. Priv. Enhancing Technol., 2016(4):219–236, 2016
  87. S. Vaudenay, The security of DSA and ECDSA, in Public Key Cryptography—PKC 2003, 6th International Workshop on Theory and Practice in Public Key Cryptography, volume 2567 of Lecture Notes in Computer Science (2003), pp. 309–323
  88. C.V. Wright, L. Ballard, S.E. Coull, F. Monrose, G.M. Masson, Spot me if you can: uncovering spoken phrases in encrypted VoIP conversations, in 2008 IEEE Symposium on Security and Privacy (IEEE Computer Society, 2008), pp. 35–49
  89. D. Wagner, B. Schneier, Analysis of the SSL 3.0 protocol, in Proceedings of the Second USENIX Workshop on Electronic Commerce (USENIX Association, 1996), pp. 29–40
  90. W. Zeller, E.W. Felten, Cross-site request forgeries: exploitation and prevention, Technical report (October 2008). http://from.bz/public/documents/publications/csrf

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Tibor Jager (1)
  • Florian Kohlar (2)
  • Sven Schäge (2)
  • Jörg Schwenk (2)
  1. Department of Computer Science, Paderborn University, Paderborn, Germany
  2. Horst Görtz Institute for IT Security, Ruhr-University Bochum, Bochum, Germany
