Abstract
In the development of TLS 1.3, the IETF TLS Working Group has adopted an “analysis-prior-to-deployment” design philosophy. This is in sharp contrast to all previous versions of the protocol. We present an account of the TLS standardisation narrative, examining the differences between the reactive standardisation process for TLS 1.2 and below, and the more proactive standardisation process for TLS 1.3. We explore the possible factors that have contributed to the shift in the TLS WG’s design mindset, considering the protocol analysis tools available, the levels of academic involvement and the incentives governing relevant stakeholders at the time of standardisation. In an attempt to place TLS within the broader realm of standardisation, we perform a comparative analysis of standardisation models and discuss the standardisation of TLS within this context.
Notes
1.
2. Designed by Netscape Communications in the 1990s.
3. At the time of writing, 7 % of the roughly 150 k servers surveyed by SSL Pulse still do.
4. See http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html for a description of the attack.
5. Browser Exploit Against SSL/TLS.
6. Compression-Ratio Info-leak Made Easy.
7.
8. See the TLS WG charter at https://datatracker.ietf.org/wg/tls/charter/ for further details.
9. See https://www.mitls.org/tron2/ for details.
10. Other ISO subcommittees also standardise security mechanisms, such as SC17, which focuses on cards and personal identification, but we focus our discussion here on SC27.
References
FlexTLS: A Tool for Testing TLS Implementations. https://mitls.org/pages/flextls
Getting Started in the IETF. https://www.ietf.org/newcomers.html. Accessed 06 Aug 2016
miTLS: A Verified Reference Implementation of TLS. https://mitls.org/
ProVerif: Cryptographic protocol verifier in the formal model. http://prosecco.gforge.inria.fr/personal/bblanche/proverif/
TLS 1.3 Security Properties. https://github.com/tls13properties/tls13-properties
Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J.A., Heninger, N., Springall, D., Thomé, E., Valenta, L., VanderSloot, B., Wustrow, E., Béguelin, S.Z., Zimmermann, P.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In Ray et al. [76], pp. 5–17
Albrecht, M.R., Paterson, K.G.: Lucky Microseconds: A timing attack on amazon’s s2n implementation of TLS. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 622–643. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49890-3_24
AlFardan, N., Paterson, K.G.: Lucky thirteen: breaking the TLS and DTLS record protocols. In: Sommer, R. (ed.) Proceedings of the 2013 IEEE Symposium on Security and Privacy (S&P 2013) (2013)
AlFardan, N.J., Bernstein, D.J., Paterson, K.G., Poettering, B., Schuldt, J.C.N.: On the security of RC4 in TLS. In: King, S.T. (ed.) Proceedings of the 22nd USENIX Security Symposium, Washington D.C., August 2013, pp. 305–320. USENIX (2013)
Almeida, J.B., Barbosa, M., Barthe, G., Dupressoir, F.: Verifiable side-channel security of cryptographic implementations: constant-time MEE-CBC. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 163–184. Springer, Heidelberg (2016). doi:10.1007/978-3-662-52993-5_9
Apecechea, G.I., Inci, M.S., Eisenbarth, T., Sunar, B.: Lucky 13 strikes back. In: Bao, F., Miller, S., Zhou, J., Ahn, G.-J. (eds.) Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, ASIA CCS 2015, Singapore, 14–17 April 2015, pp. 85–96. ACM (2015)
Arai, K.: Formal Verification of TLS 1.3 Full Handshake Protocol Using Proverif. Technical report, Cryptographic protocol Evaluation toward Long-Lived Outstanding Security Consortium (CELLOS), February 2016. https://www.cellos-consortium.org/studygroup/TLS1.3-fullhandshake-draft11.pv
Aviram, N., Schinzel, S., Somorovsky, J., Heninger, N., Dankel, M., Steube, J., Valenta, L., Adrian, D., Halderman, J.A., Dukhovni, V., Käsper, E., Cohney, S., Engels, S., Paar, C., Shavitt, Y.: DROWN: breaking TLS using SSLv2. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16, Austin, 10–12 August 2016, pp. 689–706. USENIX Association (2016)
Bard, G.V.: A challenging but feasible blockwise-adaptive chosen-plaintext attack on SSL. In: Malek, M., Fernández-Medina, E., Hernando, J. (eds.) SECRYPT, pp. 99–109. INSTICC Press (2006)
Berners-Lee, T., Fielding, R., Frystyk, H.: The Hypertext Transfer Protocol HTTP/1.0. RFC 1945 (Informational), May 1996
Beurdouche, B., Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Ishtiaq, S., Kohlweiss, M., Protzenko, J., Swamy, N., Zanella-Béguelin, S., Zinzindohoue, J.K.: Towards a Provably Secure Implementation of TLS 1.3. Presented at TRON 1.0, San Diego, 21 February 2016
Beurdouche, B., Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zinzindohoue, J.K.: A messy state of the union: taming the composite state machines of TLS. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, 17–21 May 2015, pp. 535–552. IEEE Computer Society (2015)
Bhargavan, K., Kobeissi, N., Blanchet, B.: ProScript T.L.S.: Building a TLS 1.3 Implementation with a Verifiable Protocol Model. Presented at TRON 1.0, San Diego, 21 February 2016
Bhargavan, K., Brzuska, C., Fournet, C., Green, M., Kohlweiss, M., Zanella-Béguelin, S.: Downgrade resilience in key-exchange protocols. In: 2016 IEEE Symposium on Security and Privacy, SP 2016, San Jose, 23–25 May 2016
Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti, A., Strub, P.-Y.: Triple handshakes, cookie cutters: breaking and fixing authentication over TLS. In: 2014 IEEE Symposium on Security and Privacy, SP 2014, Berkeley, 18–21 May 2014, pp. 98–113. IEEE Computer Society (2014)
Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y.: Implementing TLS with verified cryptographic security. In: 2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, 19–22 May 2013, pp. 445–459. IEEE Computer Society (2013)
Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zanella-Béguelin, S.: Proving the TLS handshake secure (as it is). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 235–255. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44381-1_14
Bhargavan, K., Leurent, G.: Transcript collision attacks: breaking authentication in TLS, IKE, and SSH. In: 23rd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, 21–24 February 2016
Blanchet, B.: An efficient cryptographic protocol verifier based on Prolog rules. In: 14th IEEE Computer Security Foundations Workshop (CSFW-14 2001), 11–13 June 2001, Cape Breton, pp. 82–96 (2001)
Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1–12. Springer, Heidelberg (1998). doi:10.1007/BFb0055716
Bricout, R., Murphy, S., Paterson, K.G., Van der Merwe, T.: Analysing and exploiting the Mantin biases in RC4. IACR Cryptology ePrint Archive, 2016:63 (2016)
Canvel, B., Hiltgen, A., Vaudenay, S., Vuagnoux, M.: Password interception in a SSL/TLS channel. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 583–599. Springer, Heidelberg (2003). doi:10.1007/978-3-540-45146-4_34
Chauhan, S., Sobti, R., Geetha, G., Anand, S.: Cryptanalysis of SHA-3 candidates: a survey. Res. J. Inf. Technol. 5, 149–159 (2013)
Chen, L., Mitchell, C. (eds.): SSR 2014. Security and Cryptology. LNCS, vol. 8893. Springer (2014)
Cremers, C., Horvat, M., Scott, S., van der Merwe, T.: Automated analysis and verification of TLS 1.3: 0-RTT, resumption and delayed authentication. In: 2016 IEEE Symposium on Security and Privacy, SP 2016, San Jose, 23–25 May 2016
Dierks, T., Allen, C.: The TLS Protocol Version 1.0. RFC 2246, Internet Engineering Task Force, January 1999
Dierks, T., Allen, C.: The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346, Internet Engineering Task Force, April 2006
Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246, Internet Engineering Task Force, August 2008
Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In Ray et al. [76], pp. 1197–1210
Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 draft-10 full and pre-shared key handshake protocol. Cryptology ePrint Archive, Report 2016/081 (2016). http://eprint.iacr.org/
Dowling, B., Stebila, D.: Modelling ciphersuite and version negotiation in the TLS protocol. In: Foo, E., Stebila, D. (eds.) ACISP 2015. LNCS, vol. 9144, pp. 270–288. Springer, Heidelberg (2015). doi:10.1007/978-3-319-19962-7_16
Duong, T., Rizzo, J.: Here come the ⊕ Ninjas. Unpublished manuscript (2011)
Dworkin, M.J.: SHA-3 Standard: permutation-based hash and extendable-output functions. FIPS 202, August 2015
Dworkin, M.J., Barker, E.B., Nechvatal, J.R., Foti, J., Bassham, L.E., Roback, E., Dray, Jr., J.F.: Announcing the Advanced Encryption Standard (AES). FIPS PUB 197, November 2001
Fischlin, M., Günther, F.: Multi-stage key exchange and the case of Google’s QUIC protocol. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, pp. 1193–1204, 3–7 November 2014
Fischlin, M., Günther, F., Schmidt, B., Warinschi, B.: Key confirmation in key exchange: a formal treatment and implications for TLS 1.3. In: 2016 IEEE Symposium on Security and Privacy, SP 2016, San Jose, 23–25 May 2016
Freier, A., Karlton, P., Kocher, P.: The Secure Sockets Layer (SSL) Protocol Version 3.0. RFC 6101 (Historic), August 2011
Gajek, S., Manulis, M., Pereira, O., Sadeghi, A.-R., Schwenk, J.: Universally composable security analysis of TLS. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 313–327. Springer, Heidelberg (2008). doi:10.1007/978-3-540-88733-1_22
Garman, C., Paterson, K.G., Van der Merwe, T.: Attacks only get better: password recovery attacks against RC4 in TLS. In Jung and Holz [53], pp. 113–128
Garrett, D.: Banning SHA-1 in TLS 1.3, a new attempt. TLS mailing list post, October 2015. http://www.ietf.org/mail-archive/web/tls/current/msg17956.html
Garrett, D.: MD5 diediedie (was Re: Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms). TLS mailing list post, January 2016. http://www.ietf.org/mail-archive/web/tls/current/msg18977.html
Giesen, F., Kohlar, F., Stebila, D.: On the security of TLS renegotiation. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, Berlin, 4–8 November 2013, pp. 387–398. ACM (2013)
Griffin, P.H.: Standardization transparency - an out of body experience. In: Chen and Mitchell [30], pp. 57–68
Guttman, J.D., Liskov, M.D., Rowe, P.D.: Security goals and evolving standards. In: Chen and Mitchell [30], pp. 93–110
Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32009-5_17
Jager, T., Schwenk, J., Somorovsky, J.: On the security of TLS 1.3 and QUIC against weaknesses in PKCS#1 v1.5 encryption. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, 12–16 October 2015, pp. 1185–1196 (2015)
Jung, J., Holz, T., (eds.): 24th USENIX Security Symposium, USENIX Security 15, Washington, D.C., 12–14 August 2015. USENIX Association (2015)
Kelsey, J.: Compression and information leakage of plaintext. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 263–276. Springer, Heidelberg (2002). doi:10.1007/3-540-45661-9_21
Klíma, V., Pokorný, O., Rosa, T.: Attacking RSA-based sessions in SSL/TLS. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 426–440. Springer, Heidelberg (2003). doi:10.1007/978-3-540-45238-6_33
Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DH and TLS-RSA in the standard model. IACR Cryptology ePrint Archive, 2013:367 (2013)
Kohlweiss, M., Maurer, U., Onete, C., Tackmann, B., Venturi, D.: (De-)constructing TLS. IACR Cryptology ePrint Archive, 2014:20 (2014)
Krawczyk, H.: The order of encryption and authentication for protecting communications (or: how secure is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310–331. Springer, Heidelberg (2001). doi:10.1007/3-540-44647-8_19
Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14623-7_34
Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 429–448. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40041-4_24
Krawczyk, H., Wee, H.: The OPTLS protocol and TLS 1.3. IACR Cryptology ePrint Archive, 2015:978 (2015)
Krawczyk, H., Wee, H.: The OPTLS protocol and TLS 1.3. In: IEEE European Symposium on Security and Privacy, EuroS&P 2016, Saarbrücken, 21–24 March 2016, pp. 81–96. IEEE (2016)
Langley, A., Chang, W.: QUIC Crypto, June 2013. https://docs.google.com/document/d/1g5nIXAIkN_Y-7XJW5K45IblHd_L2f5LTaDUDwvZ5L6g/
Li, X., Xu, J., Zhang, Z., Feng, D., Hu, H.: Multiple handshakes security of TLS 1.3 candidates. In: 2016 IEEE Symposium on Security and Privacy, SP 2016, San Jose, 23–25 May 2016
Li, Y., Schäge, S., Yang, Z., Kohlar, F., Schwenk, J.: On the security of the pre-shared key ciphersuites of TLS. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 669–684. Springer, Heidelberg (2014). doi:10.1007/978-3-642-54631-0_38
Mantin, I., Shamir, A.: A practical attack on broadcast RC4. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 152–164. Springer, Heidelberg (2002). doi:10.1007/3-540-45473-X_13
Matsuo, S.: Formal verification of TLS 1.3 full handshake protocol using ProVerif (Draft-11). TLS mailing list post, February 2016. https://www.ietf.org/mail-archive/web/tls/current/msg19339.html
Mavrogiannopoulos, N., Vercauteren, F., Velichkov, V., Preneel, B.: A cross-protocol attack on the TLS protocol. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS 2012), Raleigh, pp. 62–72. ACM Press, October 2012
Meyer, C., Somorovsky, J., Weiss, E., Schwenk, J., Schinzel, S., Tews, E.: Revisiting SSL/TLS implementations: new Bleichenbacher side channels and attacks. In: Fu, K., Jung, J. (eds.) Proceedings of the 23rd USENIX Security Symposium, San Diego, 20–22 August 2014, pp. 733–748. USENIX Association (2014)
Möller, B.: Security of CBC ciphersuites in SSL/TLS: problems and countermeasures. Unpublished manuscript, May 2004. http://www.openssl.org/~bodo/tls-cbc.txt
Möller, B., Duong, T., Kotowicz, K.: This POODLE bites: exploiting the SSL 3.0 fallback, September 2014
Morrissey, P., Smart, N.P., Warinschi, B.: The TLS handshake protocol: a modular analysis. J. Cryptol. 23(2), 187–223 (2010)
Paterson, K.G., Ristenpart, T., Shrimpton, T.: Tag size does matter: attacks and proofs for the TLS record protocol. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 372–389. Springer, Heidelberg (2011). doi:10.1007/978-3-642-25385-0_20
Popov, A.: Prohibiting RC4 Cipher Suites. RFC 7465 (Proposed Standard), February 2015
Postel, J.: Internet Protocol. RFC 791, Internet Engineering Task Force, September 1981
Ray, I., Li, N., Kruegel, C. (eds.): Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, 12–16 October 2015. ACM (2015)
Federal Register. Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA 3) Family. Federal Register, November 2007
Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3, Draft 15. Internet draft, Internet Engineering Task Force, August 2016
Rescorla, E., Ray, M., Dispensa, S., Oskov, N.: Transport Layer Security (TLS) Renegotiation Indication Extension. RFC 5746 (Proposed Standard), February 2010
Rogaway, P.: Problems with proposed IP cryptography. Unpublished manuscript (1995). http://www.cs.ucdavis.edu/~rogaway/papers/draft-rogaway-ipsec-comments-00.txt
Roskind, J.: QUIC: Quick UDP Internet Connections, April 2012. https://docs.google.com/document/d/1RNHkx_VvKWyWg6Lr8SZ-saqsQx7rFV-ev2jRFUoVD34/edit?pref=2&pli=1
Sarkar, P.G., Fitzgerald, S.: Attacks on SSL - a comprehensive study of BEAST, CRIME, TIME, BREACH, Lucky 13 and RC4 biases, August 2013
Tamarin prover GitHub repository (develop branch) (2015). https://github.com/tamarin-prover/tamarin-prover
Turner, S., Polk, T.: Prohibiting Secure Sockets Layer (SSL) Version 2.0. RFC 6176 (Proposed Standard), March 2011
Vanhoef, M., Piessens, F.: All your biases belong to us: breaking RC4 in WPA-TKIP and TLS. In Jung and Holz [53], pp. 97–112
Vaudenay, S.: Security flaws induced by CBC padding — applications to SSL, IPSEC, WTLS. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–545. Springer, Heidelberg (2002). doi:10.1007/3-540-46035-7_35
Wagner, D., Schneier, B.: Analysis of the SSL 3.0 protocol. In: USENIX Electronic Commerce (1996)
Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005). doi:10.1007/11426639_2
Acknowledgements
Paterson was supported in part by a research programme funded by Huawei Technologies and delivered through the Institute for Cyber Security Innovation at Royal Holloway, University of London, and in part by EPSRC grant EP/M013472/1. Van der Merwe was supported by the EPSRC as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London. We thank Eric Rescorla and the anonymous reviewers of SSR 2016 for their valuable feedback on the paper.
© 2016 Springer International Publishing AG
Paterson, K.G., van der Merwe, T. (2016). Reactive and Proactive Standardisation of TLS. In: Chen, L., McGrew, D., Mitchell, C. (eds.) Security Standardisation Research. SSR 2016. Lecture Notes in Computer Science, vol. 10074. Springer, Cham. https://doi.org/10.1007/978-3-319-49100-4_7
DOI: https://doi.org/10.1007/978-3-319-49100-4_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49099-1
Online ISBN: 978-3-319-49100-4