Universally Composable Security Analysis of TLS

  • Sebastian Gajek
  • Mark Manulis
  • Olivier Pereira
  • Ahmad-Reza Sadeghi
  • Jörg Schwenk
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5324)


We present a security analysis of the complete TLS protocol in the Universally Composable security framework. The analysis evaluates the composition of the key exchange functionalities realized by the TLS handshake with the message transmission of the TLS record layer to emulate secure communication sessions. It is based on an adaptation of the secure channel model of Canetti and Krawczyk to the setting where peer identities are not necessarily known prior to the protocol invocation and may remain undisclosed. Our analysis shows that TLS, including the Diffie-Hellman and key transport suites in both the uni-directional and bi-directional models of authentication, securely emulates secure communication sessions.


Keywords: Universal Composability; TLS/SSL; key exchange; secure sessions





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Sebastian Gajek (1)
  • Mark Manulis (2)
  • Olivier Pereira (2)
  • Ahmad-Reza Sadeghi (1)
  • Jörg Schwenk (1)

  1. Ruhr University Bochum, Germany
  2. Université Catholique de Louvain, Belgium
