Reactive and Proactive Standardisation of TLS

In the development of TLS 1.3, the IETF TLS Working Group has adopted an “analysis-prior-to-deployment” design philosophy. This is in sharp contrast to all previous versions of the protocol. We present an account of the TLS standardisation narrative, examining the differences between the reactive standardisation process for TLS 1.2 and below, and the more proactive standardisation process for TLS 1.3. We explore the possible factors that have contributed to the shift in the TLS WG’s design mindset, considering the protocol analysis tools available, the levels of academic involvement and the incentives governing relevant stakeholders at the time of standardisation. In an attempt to place TLS within the broader realm of standardisation, we perform a comparative analysis of standardisation models and discuss the standardisation of TLS within this context.
