(De-)Constructing TLS 1.3

  • Markulf Kohlweiss
  • Ueli Maurer
  • Cristina Onete
  • Björn Tackmann
  • Daniele Venturi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9462)


SSL/TLS is one of the most widely deployed cryptographic protocols on the Internet. It is used to protect the confidentiality and integrity of transmitted data in various client-server applications. The currently specified version is TLS 1.2, and its security has been analyzed extensively in the cryptographic literature. The IETF working group is actively developing a new version, TLS 1.3, which is designed to address several flaws inherent to previous versions.

In this paper, we analyze the security of a slightly modified version of the current TLS 1.3 draft. (We do not encrypt the server’s certificate.) Our security analysis is performed in the constructive cryptography framework. This ensures that the resulting security guarantees are composable and can readily be used in subsequent protocol steps, such as password-based user authentication over a TLS-based communication channel in which only the server is authenticated. Most steps of our proof hold in the standard model, with the sole exception that the key derivation function HKDF is used in a way that has a proof only in the random-oracle model. Beyond the technical results on TLS 1.3, this work also exemplifies a novel approach towards proving the security of complex protocols by a modular, step-by-step decomposition, in which smaller sub-steps are proved in isolation and then the security of the protocol follows by the composition theorem.


Secure Channel Cryptographic Protocol Honest Party Composition Theorem Collision Resistance 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Ueli Maurer was supported by the Swiss National Science Foundation (SNF), project no. 200020-132794. Björn Tackmann was supported by the Swiss National Science Foundation (SNF) via Fellowship no. P2EZP2_155566 and the NSF grants CNS-1228890 and CNS-1116800. Daniele Venturi acknowledges support by the European Commission (Directorate General Home Affairs) under the GAINS project HOME/2013/CIPS/AG/4000005057, and by the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644666.


  1. 1.
    Badertscher, C., Matt, C., Maurer, U., Rogaway, P., Tackmann, B.: Augmented secure channels as the goal of the TLS record layer. In: Au, M.H., Miyaji, A. (eds.) Provable Security. LNCS, vol. 9451. Springer, Heidelberg (2015)Google Scholar
  2. 2.
    Bellare, M., Kohno, T., Namprempre, C.: Authenticated encryption in SSH: provably fixing the SSH binary packet protocol. ACM Trans. Inf. Syst. Secur. (TISSEC) 7(2), 206–241 (2004)zbMATHCrossRefGoogle Scholar
  3. 3.
    Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000) CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994) CrossRefGoogle Scholar
  5. 5.
    Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti, A., Strub, P.Y.: Triple handshakes and cookie cutters: breaking and fixing authentication over TLS. In: IEEE Symposium on Security and Privacy (SP’14). IEEE (2014)Google Scholar
  6. 6.
    Brzuska, C., Fischlin, M., Smart, N., Warinschi, B., Williams, S.: Less is more: relaxed yet composable security notions for key exchange. Int. J. Inf. Secur. 12(4), 267–297 (2013)CrossRefGoogle Scholar
  7. 7.
    Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067, July 2013Google Scholar
  8. 8.
    Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  9. 9.
    Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 337–351. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  10. 10.
    Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  11. 11.
    Canetti, R., Shahaf, D., Vald, M.: Universally composable authentication and key-exchange with global PKI. Cryptology ePrint Archive Report 2014/432, October 2014Google Scholar
  12. 12.
    Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.2. RFC 5246, August 2008.
  13. 13.
    Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.3. RFC draft, April 2015.
  14. 14.
    Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In: ACM Conference on Computer and Communications Security 2015 (2015)Google Scholar
  15. 15.
    Hickman, K.: The SSL protocol, February 1995. (internet draft)
  16. 16.
    Jost, D.: A Constructive Analysis of IPSec. Master’s thesis, ETH Zürich, April 2014Google Scholar
  17. 17.
    Kohlweiss, M., Maurer, U., Onete, C., Tackmann, B., Venturi, D.: (De-)constructing TLS. Cryptology ePrint Archive, Report 020/2014 (2014)Google Scholar
  18. 18.
    Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  19. 19.
    Krawczyk, H., Wee, H.: The OPTLS protocol and TLS 1.3. Manuscript, September 2015Google Scholar
  20. 20.
    Maurer, U.: Constructive cryptography – a new paradigm for security definitions and proofs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 33–56. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  21. 21.
    Maurer, U., Renner, R.: Abstract cryptography. In: Innovations in Computer Science. Tsinghua University Press (2011)Google Scholar
  22. 22.
    Maurer, U., Tackmann, B., Coretti, S.: Key exchange with unilateral authentication: Composable security definition and modular protocol design. Cryptology ePrint Archive, Report 2013/555 (2013)Google Scholar
  23. 23.
    Pfitzmann, B., Waidner, M.: A model for asynchronous reactive systems and its application to secure message transmission. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, pp. 184–200. IEEE (2001)Google Scholar
  24. 24.
    Tackmann, B.: A Theory of Secure Communication. Ph.D. thesis, ETH Zürich (2014)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Markulf Kohlweiss
    • 1
  • Ueli Maurer
    • 2
  • Cristina Onete
    • 3
  • Björn Tackmann
    • 4
  • Daniele Venturi
    • 5
  1. 1.Microsoft ResearchCambridgeUK
  2. 2.Department of Computer ScienceETH ZürichZurichSwitzerland
  3. 3.INSA/IRISARennesFrance
  4. 4.Department of Computer Science and EngineeringUC San DiegoSan DiegoUSA
  5. 5.Sapienza University of RomeRomeItaly

Personalised recommendations