Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate

TLS 1.3 is the next version of the Transport Layer Security (TLS) protocol. Its clean-slate design is a reaction both to the increasing demand for low-latency HTTPS connections and to a series of recent high-profile attacks on TLS. The hope is that a fresh protocol with modern cryptography will prevent legacy problems, the danger is that it will expose new kinds of attacks, or reintroduce old flaws that were fixed in previous versions of TLS. After 18 drafts, the protocol is nearing completion, and the working group has appealed to researchers to analyze the protocol before publication. This paper responds by presenting a comprehensive analysis of the TLS 1.3 Draft-18 protocol. We seek to answer three questions that have not been fully addressed in previous work on TLS 1.3: (1) Does TLS 1.3 prevent well-known attacks on TLS 1.2, such as Logjam or the Triple Handshake, even if it is run in parallel with TLS 1.2? (2) Can we mechanically verify the computational security of TLS 1.3 under standard (strong) assumptions on its cryptographic primitives? (3) How can we extend the guarantees of the TLS 1.3 protocol to the details of its implementations?To answer these questions, we propose a methodology for developing verified symbolic and computational models of TLS 1.3 hand-in-hand with a high-assurance reference implementation of the protocol. We present symbolic ProVerif models for various intermediate versions of TLS 1.3 and evaluate them against a rich class of attacks to reconstruct both known and previously unpublished vulnerabilities that influenced the current design of the protocol. We present a computational CryptoVerif model for TLS 1.3 Draft-18 and prove its security. We present RefTLS, an interoperable implementation of TLS 1.0-1.3 and automatically analyze its protocol core by extracting a ProVerif model from its typed JavaScript code.

[1]  Alfredo Pironti,et al.  A Messy State of the Union: Taming the Composite State Machines of TLS , 2015, 2015 IEEE Symposium on Security and Privacy.

[2]  Marc Fischlin,et al.  Key Confirmation in Key Exchange: A Formal Treatment and Implications for TLS 1.3 , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[3]  P. Cogn,et al.  A Computationally Sound Mechanized Prover for Security Protocols , 2009 .

[4]  Dengguo Feng,et al.  Multiple Handshakes Security of TLS 1.3 Candidates , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[5]  Erik Tews,et al.  Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks , 2014, USENIX Security Symposium.

[6]  Hugo Krawczyk,et al.  Cryptographic Extraction and Key Derivation: The HKDF Scheme , 2010, IACR Cryptol. ePrint Arch..

[7]  Kenneth G. Paterson,et al.  On the Security of the TLS Protocol: A Systematic Analysis , 2013, IACR Cryptol. ePrint Arch..

[8]  Alfredo Pironti,et al.  Verified Contributive Channel Bindings for Compound Authentication , 2015, NDSS.

[9]  Bruce Schneier,et al.  Analysis of the SSL 3.0 protocol , 1996 .

[10]  Véronique Cortier,et al.  A Survey of Symbolic Methods in Computational Analysis of Cryptographic Systems , 2011, Journal of Automated Reasoning.

[11]  Eric Rescorla,et al.  Transport Layer Security (TLS) Renegotiation Indication Extension , 2010, RFC.

[12]  Frank Piessens,et al.  All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS , 2015, USENIX Annual Technical Conference.

[13]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[14]  Marc Fischlin,et al.  A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates , 2015, IACR Cryptol. ePrint Arch..

[15]  Daniel Bleichenbacher,et al.  Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 , 1998, CRYPTO.

[16]  Ivan Damgård,et al.  A Design Principle for Hash Functions , 1989, CRYPTO.

[17]  Bruno. Blanchet,et al.  Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif , 2016, Found. Trends Priv. Secur..

[18]  Karthikeyan Bhargavan,et al.  On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN , 2016, CCS.

[19]  Andrew D. Gordon,et al.  Verified Interoperable Implementations of Security Protocols , 2006, CSFW.

[20]  Hugo Krawczyk,et al.  A Unilateral-to-Mutual Authentication Compiler for Key Exchange (with Applications to Client Authentication in TLS 1.3) , 2016, CCS.

[21]  Benjamin Grégoire,et al.  EasyCrypt: A Tutorial , 2013, FOSAD.

[22]  Christof Paar,et al.  DROWN: Breaking TLS Using SSLv2 , 2016, USENIX Security Symposium.

[23]  Cas J. F. Cremers,et al.  Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[24]  Sagar Chaki,et al.  ASPIER: An Automated Framework for Verifying Security Protocol Implementations , 2009, 2009 22nd IEEE Computer Security Foundations Symposium.

[25]  Karthikeyan Bhargavan,et al.  Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[26]  Matthew Green,et al.  Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice , 2015, CCS.

[27]  Bruno Blanchet,et al.  Proved generation of implementations from computationally secure protocol specifications , 2015, J. Comput. Secur..

[28]  Alfredo Pironti,et al.  Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS , 2014, 2014 IEEE Symposium on Security and Privacy.

[29]  Kenneth G. Paterson,et al.  Reactive and Proactive Standardisation of TLS , 2016, SSR.

[30]  Ueli Maurer,et al.  On the soundness of authenticate-then-encrypt: formalizing the malleability of symmetric encryption , 2010, CCS '10.

[31]  Karthikeyan Bhargavan,et al.  Language-based Defenses Against Untrusted Browser Origins , 2013, USENIX Security Symposium.

[32]  Cédric Fournet,et al.  Verified Cryptographic Implementations for TLS , 2012, TSEC.

[33]  Chanathip Namprempre,et al.  Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, Journal of Cryptology.

[34]  John P. Steinberger,et al.  To Hash or Not to Hash Again? (In)differentiability Results for H2 and HMAC , 2012, IACR Cryptol. ePrint Arch..

[35]  Bruno Blanchet,et al.  Security Protocol Verification: Symbolic and Computational Models , 2012, POST.

[36]  Pierre-Yves Strub,et al.  Dependent types and multi-monadic effects in F* , 2016, POPL.

[37]  Tibor Jager,et al.  On the Security of TLS-DHE in the Standard Model , 2012, CRYPTO.

[38]  Alfredo Pironti,et al.  Implementing TLS with Verified Cryptographic Security , 2013, 2013 IEEE Symposium on Security and Privacy.

[39]  Kenneth G. Paterson,et al.  Lucky Thirteen: Breaking the TLS and DTLS Record Protocols , 2013, 2013 IEEE Symposium on Security and Privacy.

[40]  Mihir Bellare,et al.  The Security of the Cipher Block Chaining Message Authentication Code , 2000, J. Comput. Syst. Sci..

[41]  Tibor Jager,et al.  On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption , 2015, CCS.

[42]  Matthew Green,et al.  Downgrade Resilience in Key-Exchange Protocols , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[43]  Alfredo Pironti,et al.  The Java SPI Framework for Security Protocol Implementation , 2011, 2011 Sixth International Conference on Availability, Reliability and Security.

[44]  Cristina Nita-Rotaru,et al.  How Secure and Quick is QUIC? Provable Security and Performance Analyses , 2015, 2015 IEEE Symposium on Security and Privacy.

[45]  Mihir Bellare,et al.  New Proofs for NMAC and HMAC: Security without Collision Resistance , 2006, Journal of Cryptology.

[46]  Bruno Blanchet,et al.  Automatic verification of correspondences for security protocols , 2008, J. Comput. Secur..

[47]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008, RFC.

[48]  Kenneth G. Paterson,et al.  Lucky Microseconds: A Timing Attack on Amazon's s2n Implementation of TLS , 2016, EUROCRYPT.

[49]  David Pointcheval,et al.  The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes , 2001, Public Key Cryptography.

[50]  Kenneth G. Paterson,et al.  Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol , 2011, ASIACRYPT.

[51]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[52]  Arthur Charguéraud,et al.  A trusted mechanised JavaScript specification , 2014, POPL.

[53]  Karthikeyan Bhargavan,et al.  A Verified Extensible Library of Elliptic Curves , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[54]  Avik Chaudhuri Flow: Abstract Interpretation of JavaScript for Type Checking and Beyond , 2016, PLAS@CCS.

[55]  Bodo Möller,et al.  This POODLE Bites: Exploiting The SSL 3.0 Fallback , 2014 .

[56]  Karthikeyan Bhargavan,et al.  Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH , 2016, NDSS.

[57]  David A. Basin,et al.  Automated Analysis of Diffie-Hellman Protocols and Advanced Security Properties , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[58]  Adam Langley,et al.  Elliptic Curves for Security , 2016, RFC.

[59]  Gilles Barthe,et al.  Verifiable side-channel security of cryptographic implementations: constant-time MEE-CBC , 2016, IACR Cryptol. ePrint Arch..

[60]  Kenneth G. Paterson,et al.  On the Security of RC4 in TLS , 2013, USENIX Security Symposium.

[61]  Jean-Sébastien Coron,et al.  Merkle-Damgård Revisited: How to Construct a Hash Function , 2005, CRYPTO.

[62]  Marc Fischlin,et al.  Multi-Stage Key Exchange and the Case of Google's QUIC Protocol , 2014, CCS.

[63]  Ralf Küsters,et al.  A Framework for the Cryptographic Verification of Java-Like Programs , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[64]  권태경,et al.  SSL Protocol 기반의 서버인증 , 2003 .

[65]  Alfredo Pironti,et al.  Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension , 2015, RFC.

[66]  Hugo Krawczyk,et al.  The OPTLS Protocol and TLS 1.3 , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[67]  Andrew D. Gordon,et al.  Modular verification of security protocol code by typing , 2010, POPL '10.

[68]  Frederik Vercauteren,et al.  A cross-protocol attack on the TLS protocol , 2012, CCS.