A comprehensive symbolic analysis of TLS 1.3
Proceedings of the 2017 ACM SIGSAC conference on computer and communications …, 2017•dl.acm.org
The TLS protocol is intended to enable secure end-to-end communication over insecure
networks, including the Internet. Unfortunately, this goal has been thwarted a number of
times throughout the protocol's tumultuous lifetime, resulting in the need for a new version of
the protocol, namely TLS 1.3. Over the past three years, in an unprecedented joint design
effort with the academic community, the TLS Working Group has been working tirelessly to
enhance the security of TLS. We further this effort by constructing the most comprehensive …
networks, including the Internet. Unfortunately, this goal has been thwarted a number of
times throughout the protocol's tumultuous lifetime, resulting in the need for a new version of
the protocol, namely TLS 1.3. Over the past three years, in an unprecedented joint design
effort with the academic community, the TLS Working Group has been working tirelessly to
enhance the security of TLS. We further this effort by constructing the most comprehensive …
The TLS protocol is intended to enable secure end-to-end communication over insecure networks, including the Internet. Unfortunately, this goal has been thwarted a number of times throughout the protocol's tumultuous lifetime, resulting in the need for a new version of the protocol, namely TLS 1.3. Over the past three years, in an unprecedented joint design effort with the academic community, the TLS Working Group has been working tirelessly to enhance the security of TLS.
We further this effort by constructing the most comprehensive, faithful, and modular symbolic model of the TLS~1.3 draft 21 release candidate, and use the TAMARIN prover to verify the claimed TLS~1.3 security requirements, as laid out in draft 21 of the specification. In particular, our model covers all handshake modes of TLS 1.3.
Our analysis reveals an unexpected behaviour, which we expect will inhibit strong authentication guarantees in some implementations of the protocol. In contrast to previous models, we provide a novel way of making the relation between the TLS specification and our model explicit: we provide a fully annotated version of the specification that clarifies what protocol elements we modelled, and precisely how we modelled these elements. We anticipate this model artifact to be of great benefit to the academic community and the TLS Working Group alike.
ACM Digital Library