Advertisement

On the Security of TLS-DHE in the Standard Model

  • Tibor JagerEmail author
  • Florian Kohlar
  • Sven Schäge
  • Jörg Schwenk
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7417)

Abstract

TLS is the most important cryptographic protocol in use today. However, up to now there is no complete cryptographic security proof in the standard model, nor in any other model. We give the first such proof for the core cryptographic protocol of TLS ciphersuites based on ephemeral Diffie-Hellman key exchange (TLS-DHE), which include the cipher suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA mandatory in TLS 1.0 and TLS 1.1. It is impossible to prove security of the TLS Handshake protocol in any classical key-indistinguishability-based security model (like for instance the Bellare-Rogaway or the Canetti-Krawczyk model), due to subtle issues with the encryption of the final Finished messages. Therefore we start with proving the security of a truncated version of the TLS-DHE Handshake protocol, which has been considered in previous works on TLS. Then we define the notion of authenticated and confidential channel establishment (ACCE) as a new security model which captures precisely the security properties expected from TLS in practice, and show that the combination of the TLS Handshake with data encryption in the TLS Record Layer can be proven secure in this model.

Keywords

authenticated key exchange SSL TLS provable security ephemeral Diffie-Hellman 

References

  1. 1.
    Abdalla, M., Bellare, M., Rogaway, P.: The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 143–158. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  2. 2.
    Langley, A., Google Security Team: Protecting data for the long term with forward secrecy, http://googleonlinesecurity.blogspot.co.uk/2011/11/protecting-data-for-long-term-with.html
  3. 3.
    Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated Key Exchange Secure against Dictionary Attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Rogaway, P.: Entity Authentication and Key Distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  5. 5.
    Bellare, M., Rogaway, P.: The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  6. 6.
    Blake-Wilson, S., Johnson, D., Menezes, A.: Key Agreement Protocols and their Security Analysis. In: Darnell, M. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 30–45. Springer, Heidelberg (1997)Google Scholar
  7. 7.
    Bleichenbacher, D.: Chosen Ciphertext Attacks against Protocols Based on the RSA Encryption Standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1–12. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  8. 8.
    Brzuska, C., Fischlin, M., Smart, N.P., Warinschi, B., Williams, S.: Less is more: Relaxed yet composable security notions for key exchange. Cryptology ePrint Archive, Report 2012/242 (2012), http://eprint.iacr.org/
  9. 9.
    Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: 42nd Annual Symposium on Foundations of Computer Science, pp. 136–145. IEEE Computer Society Press (October 2001)Google Scholar
  10. 10.
    Canetti, R., Krawczyk, H.: Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  11. 11.
    Canetti, R., Krawczyk, H.: Security Analysis of IKE’s Signature-Based Key-Exchange Protocol. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 143–161. Springer, Heidelberg (2002), http://eprint.iacr.org/2002/120/CrossRefGoogle Scholar
  12. 12.
    Choo, K.-K.R., Boyd, C., Hitchcock, Y.: Examining Indistinguishability-Based Proof Models for Key Establishment Protocols. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 585–604. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  13. 13.
    Cremers, C.J.F.: \({\sf Session-state~Reveal}\) Is Stronger Than \({\sf Ephemeral~Key~Reveal}\): Attacking the NAXOS Authenticated Key Exchange Protocol. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 20–33. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  14. 14.
    Dierks, T., Allen, C.: The TLS Protocol Version 1.0. RFC 2246 (Proposed Standard) (January 1999); Obsoleted by RFC 4346, updated by RFCs 3546, 5746Google Scholar
  15. 15.
    Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346 (Proposed Standard) (April 2006); Obsoleted by RFC 5246, updated by RFCs 4366, 4680, 4681, 5746Google Scholar
  16. 16.
    Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard) (August 2008); Updated by RFCs 5746, 5878Google Scholar
  17. 17.
    Gajek, S., Manulis, M., Pereira, O., Sadeghi, A.-R., Schwenk, J.: Universally Composable Security Analysis of TLS. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 313–327. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  18. 18.
    Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the Standard Model (full version). Cryptology ePrint Archive, Report 2011/219 (2011) (revised 2012), http://eprint.iacr.org/2011/219
  19. 19.
    LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger Security of Authenticated Key Exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  20. 20.
    Morrissey, P., Smart, N.P., Warinschi, B.: A Modular Security Analysis of the TLS Handshake Protocol. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 55–73. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  21. 21.
    Morrissey, P., Smart, N.P.,Warinschi, B.: The TLS Handshake protocol: A modular analysis. Journal of Cryptology 23(2), 187–223 (2010)Google Scholar
  22. 22.
    Paterson, K.G., Ristenpart, T., Shrimpton, T.: Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 372–389. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  23. 23.
    Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332 (November 2004)Google Scholar
  24. 24.
    Wagner, D., Schneier, B.: Analysis of the SSL 3.0 protocol. In: Proceedings of the Second USENIX Workshop on Electronic Commerce, pp. 29–40. USENIX Association (1996)Google Scholar

Copyright information

© International Association for Cryptologic Research 2012 2012

Authors and Affiliations

  • Tibor Jager
    • 1
    Email author
  • Florian Kohlar
    • 2
  • Sven Schäge
    • 3
  • Jörg Schwenk
    • 2
  1. 1.Karlsruhe Institute of TechnologyKarlsruheGermany
  2. 2.Horst Görtz Institute for IT SecurityRuhr-University BochumBochumGermany
  3. 3.University College LondonLondonUK

Personalised recommendations