Modelling Ciphersuite and Version Negotiation in the TLS Protocol

  • Benjamin DowlingEmail author
  • Douglas Stebila
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9144)


Real-world cryptographic protocols such as the widely used Transport Layer Security (TLS) protocol support many different combinations of cryptographic algorithms (called ciphersuites) and simultaneously support different versions. Recent advances in provable security have shown that most modern TLS ciphersuites are secure authenticated and confidential channel establishment (ACCE) protocols, but these analyses generally focus on single ciphersuites in isolation. In this paper we extend the ACCE model to cover protocols with many different sub-protocols, capturing both multiple ciphersuites and multiple versions, and define a security notion for secure negotiation of the optimal sub-protocol. We give a generic theorem that shows how secure negotiation follows, with some additional conditions, from the authentication property of secure ACCE protocols. Using this framework, we analyse the security of ciphersuite and three variants of version negotiation in TLS, including a recently proposed mechanism for detecting fallback attacks.


Transport layer security (tls) Ciphersuite negotiation Version negotiation Downgrade attacks Cryptographic protocols 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Dierks, T., Allen, C.: The TLS protocol version 1.0. RFC 2246 (1999)Google Scholar
  2. 2.
    Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) protocol version 1.1. RFC 4346 (2006)Google Scholar
  3. 3.
    Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) protocol version 1.2. RFC 5246 (2008)Google Scholar
  4. 4.
    Freier, A.O., Karlton, P., Kocher, P.C.: The Secure Sockets Layer (SSL) protocol version 3.0. RFC 6101 (2011). Republication of original SSL 3.0 specification by Netscape of November 18, 1996Google Scholar
  5. 5.
    Wagner, D., Schneier, B.: Analysis of the SSL 3.0 protocol. In: Proc. 2nd USENIX Workshop on Electronic Commerce (1996)Google Scholar
  6. 6.
    Hickman, K.E.B.: The SSL protocol (version 0.2) (1995).
  7. 7.
    Jonsson, J., Kaliski Jr., B.S.: On the security of RSA encryption in TLS. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 127–142. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  8. 8.
    Morrissey, P., Smart, N.P., Warinschi, B.: A modular security analysis of the TLS handshake protocol. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 55–73. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  9. 9.
    Krawczyk, H.: The order of encryption and authentication for protecting communications (or: How Secure Is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 310. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  10. 10.
    Paterson, K.G., Ristenpart, T., Shrimpton, T.: Tag size does matter: attacks and proofs for the TLS record protocol. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 372–389. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  11. 11.
    Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  12. 12.
    Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 429–448. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  13. 13.
    Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DH and TLS-RSA in the standard model. Cryptology ePrint Archive, Report 2013/367 (2013).
  14. 14.
    Li, Y., Schäge, S., Yang, Z., Kohlar, F., Schwenk, J.: On the security of the pre-shared key ciphersuites of TLS. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 669–684. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  15. 15.
    Brzuska, C., Fischlin, M., Smart, N.P., Warinschi, B., Williams, S.C.: Less is more: Relaxed yet composable security notions for key exchange. International Journal of Information Security 12, 267–297 (2013)CrossRefGoogle Scholar
  16. 16.
    Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.Y.: Implementing TLS with verified cryptographic security. In: 2013 IEEE Symposium on Security and Privacy, pp. 445–459. IEEE Computer Society Press (2013)Google Scholar
  17. 17.
    Giesen, F., Kohlar, F., Stebila, D.: On the security of TLS renegotiation. In: Sadeghi, A.R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, pp. 387–398. ACM Press (2013)Google Scholar
  18. 18.
    Ray, M., Dispensa, S.: Renegotiating TLS (2009)
  19. 19.
    Mavrogiannopoulos, N., Vercauteren, F., Velichkov, V., Preneel, B.: A cross-protocol attack on the TLS protocol. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) ACM CCS 2012, pp. 62–72. ACM Press (2012)Google Scholar
  20. 20.
    Bergsma, F., Dowling, B., Kohlar, F., Schwenk, J., Stebila, D.: Multi-ciphersuite security of the secure shell (SSH) protocol. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 2014, pp. 369–381. ACM Press (2014)Google Scholar
  21. 21.
    Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zanella-Béguelin, S.: Proving the TLS handshake secure (As It Is). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 235–255. Springer, Heidelberg (2014) Google Scholar
  22. 22.
    Rescorla, E., Ray, M., Dispensa, S., Oskov, N.: Transport Layer Security (TLS) renegotiation indication extension. RFC 5746 (2010)Google Scholar
  23. 23.
    Möller, B., Langley, A.G.: TLS fallback Signaling Cipher Suite Value (SCSV) for preventing protocol downgrade attacks (2015). Internet-Draft -05
  24. 24.
    Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. Cryptology ePrint Archive, Report 2011/219 (2011).
  25. 25.
    Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994) CrossRefGoogle Scholar
  26. 26.
    Dowling, B., Stebila, D.: Modelling ciphersuite and version negotiation in the TLS protocol (full version). Cryptology ePrint Archive (2015)Google Scholar
  27. 27.
    Rescorla, E.: The Transport Layer Security (TLS) protocol version 1.3 (2015). Internet-Draft -05

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Queensland University of TechnologyBrisbaneAustralia

Personalised recommendations