(De-)Constructing TLS 1.3
SSL/TLS is one of the most widely deployed cryptographic protocols on the Internet. It is used to protect the confidentiality and integrity of transmitted data in various client-server applications. The currently specified version is TLS 1.2, and its security has been analyzed extensively in the cryptographic literature. The IETF working group is actively developing a new version, TLS 1.3, which is designed to address several flaws inherent to previous versions.
In this paper, we analyze the security of a slightly modified version of the current TLS 1.3 draft, the only modification being that the server's certificate is not encrypted. Our security analysis is performed in the constructive cryptography framework. This ensures that the resulting security guarantees are composable and can readily be used in subsequent protocol steps, such as password-based user authentication over a TLS-based communication channel in which only the server is authenticated. Most steps of our proof hold in the standard model, with the sole exception that the key derivation function HKDF is used in a way for which a proof is known only in the random-oracle model. Beyond the technical results on TLS 1.3, this work also exemplifies a novel approach to proving the security of complex protocols by a modular, step-by-step decomposition, in which smaller sub-steps are proved in isolation and the security of the whole protocol then follows by the composition theorem.
Keywords: Secure channel, Cryptographic protocol, Honest party, Composition theorem, Collision resistance
Ueli Maurer was supported by the Swiss National Science Foundation (SNF), project no. 200020-132794. Björn Tackmann was supported by the Swiss National Science Foundation (SNF) via Fellowship no. P2EZP2_155566 and the NSF grants CNS-1228890 and CNS-1116800. Daniele Venturi acknowledges support by the European Commission (Directorate General Home Affairs) under the GAINS project HOME/2013/CIPS/AG/4000005057, and by the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644666.