DOI: 10.1145/2810103.2813653 (research article, CCS conference proceedings)

A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates

Published: 12 October 2015

Abstract

The Internet Engineering Task Force (IETF) is currently developing the next version of the Transport Layer Security (TLS) protocol, version 1.3. The transparency of this standardization process allows comprehensive cryptographic analysis of the protocols prior to adoption, whereas previous TLS versions have been scrutinized in the cryptographic literature only after standardization. This is even more important as there are two related, yet slightly different, candidates in discussion for TLS 1.3, called draft-ietf-tls-tls13-05 and draft-ietf-tls-tls13-dh-based. We give a cryptographic analysis of the primary ephemeral Diffie-Hellman-based handshake protocol, which authenticates parties and establishes encryption keys, of both TLS 1.3 candidates. We show that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare-Rogaway model. Such a multi-stage approach is convenient for analyzing the design of the candidates, as they establish multiple session keys during the exchange.
An important step in our analysis is to consider compositional security guarantees. We show that, since our multi-stage key exchange security notion is composable with arbitrary symmetric-key protocols, the use of session keys in the record layer protocol is safe. Moreover, since we can view the abbreviated TLS resumption procedure also as a symmetric-key protocol, our compositional analysis allows us to directly conclude security of the combined handshake with session resumption.
We include a discussion on several design characteristics of the TLS 1.3 drafts based on the observations in our analysis.


    Published In

    CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, October 2015, 1750 pages. ISBN: 9781450338325. DOI: 10.1145/2810103.
    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. composition
    2. key exchange
    3. protocol analysis
    4. transport layer security (TLS)
