On the Security of TLS-DHE in the Standard Model

  • Tibor Jager
  • Florian Kohlar
  • Sven Schäge
  • Jörg Schwenk
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7417)

Abstract

TLS is the most important cryptographic protocol in use today. However, up to now there is no complete cryptographic security proof in the standard model, nor in any other model. We give the first such proof for the core cryptographic protocol of TLS ciphersuites based on ephemeral Diffie-Hellman key exchange (TLS-DHE), which include the cipher suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA mandatory in TLS 1.0 and TLS 1.1. It is impossible to prove security of the TLS Handshake protocol in any classical key-indistinguishability-based security model (like for instance the Bellare-Rogaway or the Canetti-Krawczyk model), due to subtle issues with the encryption of the final Finished messages. Therefore we start with proving the security of a truncated version of the TLS-DHE Handshake protocol, which has been considered in previous works on TLS. Then we define the notion of authenticated and confidential channel establishment (ACCE) as a new security model which captures precisely the security properties expected from TLS in practice, and show that the combination of the TLS Handshake with data encryption in the TLS Record Layer can be proven secure in this model.

Keywords

authenticated key exchange, SSL, TLS, provable security, ephemeral Diffie-Hellman

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Tibor Jager (1)
  • Florian Kohlar (2)
  • Sven Schäge (3)
  • Jörg Schwenk (2)

  1. Karlsruhe Institute of Technology, Karlsruhe, Germany
  2. Horst Görtz Institute for IT Security, Ruhr-University Bochum, Bochum, Germany
  3. University College London, London, UK
