A Modular Security Analysis of the TLS Handshake Protocol

  • P. Morrissey
  • N. P. Smart
  • B. Warinschi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5350)


We study the security of the widely deployed Secure Sockets Layer/Transport Layer Security (SSL/TLS) key agreement protocol. Our analysis identifies, justifies, and exploits the modularity present in the design of the protocol: the application keys offered to higher-level applications are obtained from a master key, which in turn is derived, through interaction, from a pre-master key.

Our first contribution consists of formal models that clarify the security level enjoyed by each of these types of keys. The models that we provide fall under well-established paradigms for defining execution and security notions. We capture the realistic setting where only one of the two parties involved in the execution of the protocol (namely the server) has a certified public key, and where the same master key is used to generate multiple application keys.

The main contribution of the paper is a modular and generic proof of security for the application keys established through the TLS protocol. We show that the transformation used by TLS to derive master keys essentially transforms an arbitrary secure pre-master key agreement protocol into a secure master-key agreement protocol. Similarly, the transformation used to derive application keys works when applied to an arbitrary secure master-key agreement protocol. These results are in the random oracle model. The security of the overall protocol then follows from proofs of security for the basic pre-master key generation protocols employed by TLS.
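The three key tiers the abstract describes (pre-master key, master key, application keys) are concrete in the TLS key schedule. The following is an added example, not code from the paper or from any TLS implementation: it lays out the derivation chain as specified in RFC 5246 (TLS 1.2, SHA-256 based PRF), which is assumed here in place of the MD5/SHA-1 PRF of TLS 1.0; the structure of the chain is the same in both versions. The hello randoms and pre-master secret are constructed sample values, not a standard test vector.

```python
# Added example (not from the paper): the TLS 1.2 key schedule of RFC 5246,
# laid out as the three key tiers the paper analyses. The pre-master secret
# feeds a master secret, which feeds the application (record-layer) keys.
import hashlib
import hmac
import os


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data-expansion function (RFC 5246, Section 5).

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def rsa_pre_master_secret(client_version: bytes = b"\x03\x03") -> bytes:
    """Tier 1 for the RSA key-transport ciphersuites (RFC 5246, 7.4.7.1):
    2-byte client_version followed by 46 random bytes. The client encrypts
    this under the server's certified RSA key; only the server can recover it."""
    if len(client_version) != 2:
        raise ValueError("client_version must be two bytes")
    return client_version + os.urandom(46)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Tier 2: master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random + ServerHello.random)[0..47] (RFC 5246, Section 8.1)."""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("hello randoms must be 32 bytes each")
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """Tier 3: application keys. key_block = PRF(master_secret, "key expansion",
    ServerHello.random + ClientHello.random) (RFC 5246, 6.3). The randoms are
    concatenated in the opposite order from master_secret(), and the block is
    sliced in the fixed order client MAC, server MAC, client key, server key,
    client IV, server IV. Sizes are per ciphersuite; AES-128-CBC with HMAC-SHA1
    is mac_len=20, key_len=16, iv_len=16."""
    total = 2 * (mac_len + key_len + iv_len)
    block = prf(master, b"key expansion", server_random + client_random, total)
    names = ["client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def finished_verify_data(master: bytes, handshake_transcript: bytes, is_client: bool) -> bytes:
    """verify_data for the Finished message (RFC 5246, 7.4.9): the first 12 bytes
    of PRF(master_secret, finished_label, SHA-256(handshake_messages)). This is
    what binds the master secret to the full handshake transcript."""
    label = b"client finished" if is_client else b"server finished"
    return prf(master, label, hashlib.sha256(handshake_transcript).digest(), 12)


# Constructed sample values (not a standard test vector), fixed so the run is
# reproducible. A real handshake uses fresh 32-byte randoms from each side.
CLIENT_RANDOM = bytes(range(0x00, 0x20))
SERVER_RANDOM = bytes(range(0x20, 0x40))
PRE_MASTER = b"\x03\x03" + bytes(46)


def demo() -> dict:
    """Run the full chain on the sample values and return every derived key."""
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    keys = key_block(ms, CLIENT_RANDOM, SERVER_RANDOM, mac_len=20, key_len=16, iv_len=16)
    keys["master_secret"] = ms
    return keys


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value.hex()}")
```

The two PRF applications are the transformations the abstract refers to: master_secret() is the step that turns a secure pre-master key into a secure master key, and key_block() is the step that turns a master key into application keys; the Finished computation is where the same master secret is also consumed by the handshake itself, which is why the master key and the application keys need separate security statements. Note that the master-secret and key-expansion seeds use the hello randoms in opposite orders; swapping them silently produces different keys on each side.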





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • P. Morrissey (1)
  • N. P. Smart (1)
  • B. Warinschi (1)

  1. Department of Computer Science, University of Bristol, Bristol, United Kingdom
