Augmented Secure Channels and the Goal of the TLS 1.3 Record Layer

Motivated by the wide adoption of authenticated encryption and TLS, we suggest a basic channel abstraction, an augmented secure channeli¾?ASC, that allows a sender to send a receiver messages consisting of two parts, where one is privacy-protected and both are authenticity-protected. Working in the tradition of constructive cryptography, we formalize this idea and provide a construction of this kind of channel using the lower-level tool authenticated-encryption. We look at recent proposals on TLSi¾?1.3 and suggest that the criterion by which their security can be judged is quite simple: do they construct an ASC? Due to this precisely defined goal, we are able to give a natural construction that comes with a rigorous security proof and directly leads to a proposal on TLSi¾?1.3 that is provably secure.

[1]  Charanjit S. Jutla,et al.  Encryption Modes with Almost Free Message Integrity , 2001, Journal of Cryptology.

[2]  Jonathan Katz,et al.  Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation , 2000, FSE.

[3]  Birgit Pfitzmann,et al.  A model for asynchronous reactive systems and its application to secure message transmission , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[4]  Ueli Maurer,et al.  Confidentiality and Integrity: A Constructive Perspective , 2012, TCC.

[5]  Ahmad-Reza Sadeghi,et al.  Universally Composable Security Analysis of TLS , 2008, ProvSec.

[6]  Mihir Bellare,et al.  Encode-Then-Encipher Encryption: How to Exploit Nonces or Redundancy in Plaintexts for Efficient Cryptography , 2000, ASIACRYPT.

[7]  Mihir Bellare,et al.  The EAX Mode of Operation , 2004, FSE.

[8]  Thomas Shrimpton,et al.  Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem , 2006, IACR Cryptol. ePrint Arch..

[9]  Kenneth G. Paterson,et al.  Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol , 2011, ASIACRYPT.

[10]  Phillip Rogaway,et al.  Authenticated-encryption with associated-data , 2002, CCS '02.

[11]  Bruce Schneier,et al.  Analysis of the SSL 3.0 protocol , 1996 .

[12]  John C. Mitchell,et al.  A modular correctness proof of IEEE 802.11i and TLS , 2005, CCS '05.

[13]  Ueli Maurer,et al.  Abstract Cryptography , 2011, ICS.

[14]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[15]  Ueli Maurer,et al.  Constructing Confidential Channels from Authenticated Channels - Public-Key Encryption Revisited , 2013, IACR Cryptol. ePrint Arch..

[16]  Kenneth G. Paterson,et al.  Data Is a Stream: Security of Stream-Based Channels , 2015, CRYPTO.

[17]  Kenneth G. Paterson,et al.  On the Security of the TLS Protocol: A Systematic Analysis , 2013, IACR Cryptol. ePrint Arch..

[18]  Mihir Bellare,et al.  OCB: a block-cipher mode of operation for efficient authenticated encryption , 2001, CCS '01.

[19]  Bogdan Warinschi,et al.  A Modular Security Analysis of the TLS Handshake Protocol , 2008, ASIACRYPT.

[20]  Phillip Rogaway,et al.  Robust Authenticated-Encryption AEZ and the Problem That It Solves , 2015, EUROCRYPT.

[21]  Hugo Krawczyk,et al.  Relaxing Chosen-Ciphertext Security , 2003, CRYPTO.

[22]  Tibor Jager,et al.  On the Security of TLS-DHE in the Standard Model , 2012, CRYPTO.

[23]  Ueli Maurer,et al.  (De-)Constructing TLS , 2014, IACR Cryptol. ePrint Arch..

[24]  Ueli Maurer,et al.  Constructive Cryptography - A New Paradigm for Security Definitions and Proofs , 2011, TOSCA.

[25]  Birgit Pfitzmann,et al.  The reactive simulatability (RSIM) framework for asynchronous systems , 2007, Inf. Comput..

[26]  Chanathip Namprempre,et al.  Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, Journal of Cryptology.