Investigating the Multi-Ciphersuite and Backwards-Compatibility Security of the Upcoming TLS 1.3

Transport Layer Security (TLS) is one of the most widely used Internet protocols for secure communications. TLS 1.3, the next-generation protocol, is currently under development, with the latest candidate being draft-18. For flexibility and compatibility, TLS supports various ciphersuites and offers configurable selection of multiple protocol versions, which unfortunately opens the door to practical attacks. For example, although TLS 1.3 has now been proven secure in isolation, it may be subject to backwards-compatibility attacks when it coexists with previous versions. In this paper, we present a formal treatment of the multi-ciphersuite and backwards-compatibility security of TLS 1.3 (specifically, draft-18). We introduce a multi-stage security model that covers all known kinds of compositional interactions (with respect to ciphersuites and protocol versions) and reasonably strong security notions. We then dissect the cross-ciphersuite attack on TLS 1.2 in our model, and show that the TLS 1.3 handshake protocol satisfies multi-ciphersuite security, highlighting the strict necessity of including more information in the signature. Furthermore, we demonstrate how the backwards-compatibility attack by Jager et al. can be identified using our model, and prove that the handshake protocol can achieve our desired strong security if certain countermeasures are adopted. Our treatment is also applicable to the analysis of other protocols.
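The abstract's point about "including more information in the signature" is easiest to see in a small model of what a handshake signature does and does not bind. The Python below is an added illustration, not code from the paper or from any TLS implementation: it uses an HMAC under a constructed long-term key as a stand-in for a real signature scheme (only the message-binding property matters here), a simplified length-prefixed transcript encoding that is an assumption of this example, and the names `sign_params_only` / `sign_transcript` are hypothetical. It contrasts a signature that covers only nonces and key-exchange parameters, which a verifier running under a different ciphersuite still accepts, with a signature over a transcript hash that also commits to the protocol version and negotiated ciphersuite, which fails verification as soon as the context differs.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the signer's long-term key (a real handshake would use a
# public-key signature scheme; HMAC is used only so the example runs offline).
LONG_TERM_KEY = b"constructed-long-term-key-for-illustration-only"


def sign(message: bytes) -> bytes:
    """Toy 'signature': MAC over the message under the long-term key."""
    return hmac.new(LONG_TERM_KEY, message, hashlib.sha256).digest()


def verify(message: bytes, signature: bytes) -> bool:
    """Constant-time check that `signature` was produced over exactly `message`."""
    return hmac.compare_digest(sign(message), signature)


def transcript_hash(version: bytes, ciphersuite: bytes,
                    client_nonce: bytes, server_nonce: bytes, key_share: bytes) -> bytes:
    """Hash of a canonical, length-prefixed encoding of the negotiation context.

    Length prefixes are an assumption of this example; they prevent two different
    field splits from producing the same byte string (e.g. "ab"|"c" vs "a"|"bc").
    """
    fields = [version, ciphersuite, client_nonce, server_nonce, key_share]
    encoded = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hashlib.sha256(encoded).digest()


# --- Variant 1: signature covers only nonces and key-exchange parameters ------------
def sign_params_only(client_nonce: bytes, server_nonce: bytes, key_share: bytes) -> bytes:
    return sign(client_nonce + server_nonce + key_share)


def verify_params_only(version: bytes, ciphersuite: bytes, client_nonce: bytes,
                       server_nonce: bytes, key_share: bytes, signature: bytes) -> bool:
    # `version` and `ciphersuite` are deliberately unused: nothing in the signed
    # bytes ties the signature to the context the verifier believes it is in.
    return verify(client_nonce + server_nonce + key_share, signature)


# --- Variant 2: signature covers the whole negotiation transcript -----------------
def sign_transcript(version: bytes, ciphersuite: bytes, client_nonce: bytes,
                    server_nonce: bytes, key_share: bytes) -> bytes:
    return sign(transcript_hash(version, ciphersuite, client_nonce, server_nonce, key_share))


def verify_transcript(version: bytes, ciphersuite: bytes, client_nonce: bytes,
                      server_nonce: bytes, key_share: bytes, signature: bytes) -> bool:
    return verify(transcript_hash(version, ciphersuite, client_nonce, server_nonce, key_share),
                  signature)


def demo() -> tuple:
    """Return (params_only_accepted_in_other_suite, transcript_ok, transcript_cross_suite)."""
    client_nonce, server_nonce = os.urandom(32), os.urandom(32)
    key_share = b"constructed-key-share-bytes"
    suite_a, suite_b, version = b"suite-A", b"suite-B", b"version-X"

    # Signature produced while the server believes it negotiated suite A ...
    sig_params = sign_params_only(client_nonce, server_nonce, key_share)
    # ... is accepted by a verifier that believes the context is suite B.
    accepted_elsewhere = verify_params_only(version, suite_b, client_nonce,
                                            server_nonce, key_share, sig_params)

    # Transcript-bound signature: accepted in its own context, rejected in any other.
    sig_transcript = sign_transcript(version, suite_a, client_nonce, server_nonce, key_share)
    same_context = verify_transcript(version, suite_a, client_nonce,
                                     server_nonce, key_share, sig_transcript)
    other_suite = verify_transcript(version, suite_b, client_nonce,
                                    server_nonce, key_share, sig_transcript)
    return accepted_elsewhere, same_context, other_suite


if __name__ == "__main__":
    print(demo())  # expected: (True, True, False)
```

The design choice worth noting is that the second variant does not need a stronger signature scheme, only a richer message: once the version and ciphersuite are part of the hashed transcript, a signature obtained in one negotiation context is useless in any other, which is the property the multi-ciphersuite analysis in the paper relies on.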

[1] Jean-Sébastien Coron et al. Universal Padding Schemes for RSA, 2002, CRYPTO.

[2] Eric Rescorla et al. The Transport Layer Security (TLS) Protocol Version 1.2, 2008, RFC.

[3] Eric Rescorla et al. The Transport Layer Security (TLS) Protocol Version 1.3, 2018, RFC.

[4] Kenneth G. Paterson et al. Analysing and exploiting the Mantin biases in RC4, 2017, Designs, Codes and Cryptography.

[5] Karthikeyan Bhargavan et al. Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH, 2016, NDSS.

[6] Renegotiating TLS, 2009.

[7] Marc Fischlin et al. A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates, 2015, IACR Cryptol. ePrint Arch.

[8] Silvio Micali et al. How to construct random functions, 1986, JACM.

[9] Benny Pinkas et al. Securely combining public-key cryptosystems, 2001, CCS '01.

[10] Daniel Bleichenbacher et al. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1, 1998, CRYPTO.

[11] Douglas Stebila et al. On the security of TLS renegotiation, 2013, IACR Cryptol. ePrint Arch.

[12] Cas J. F. Cremers et al. Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication, 2016, IEEE Symposium on Security and Privacy (SP).

[13] Alfredo Pironti et al. Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS, 2014, IEEE Symposium on Security and Privacy.

[14] Eric Rescorla et al. The Transport Layer Security (TLS) Protocol Version 1.1, 2006, RFC.

[15] Kenneth G. Paterson et al. On the Joint Security of Encryption and Signature, Revisited, 2011, IACR Cryptol. ePrint Arch.

[16] Tibor Jager et al. On the Security of TLS-DHE in the Standard Model, 2012, CRYPTO.

[17] Kenneth G. Paterson et al. On the Joint Security of Encryption and Signature in EMV, 2012, CT-RSA.

[18] Kenneth G. Paterson et al. Lucky Microseconds: A Timing Attack on Amazon's s2n Implementation of TLS, 2016, EUROCRYPT.

[19] Silvio Micali et al. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks, 1988, SIAM J. Comput.

[20] Hugo Krawczyk et al. The OPTLS Protocol and TLS 1.3, 2016, IEEE European Symposium on Security and Privacy (EuroS&P).

[21] Yehuda Lindell et al. Introduction to Modern Cryptography (Chapman & Hall/CRC Cryptography and Network Security Series), 2007.

[22] Frederik Vercauteren et al. A cross-protocol attack on the TLS protocol, 2012, CCS.

[23] Yuichi Komano et al. Efficient Universal Padding Techniques for Multiplicative Trapdoor One-Way Permutation, 2003, CRYPTO.

[24] Kenneth G. Paterson et al. Lucky Thirteen: Breaking the TLS and DTLS Record Protocols, 2013, IEEE Symposium on Security and Privacy.

[25] Tibor Jager et al. On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption, 2015, CCS.

[26] Marc Fischlin et al. A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol, 2016, IACR Cryptol. ePrint Arch.

[27] Matthew Green et al. Downgrade Resilience in Key-Exchange Protocols, 2016, IEEE Symposium on Security and Privacy (SP).

[28] Mihir Bellare et al. Entity Authentication and Key Distribution, 1993, CRYPTO.

[29] Mihir Bellare et al. The Exact Security of Digital Signatures: How to Sign with RSA and Rabin, 1996, EUROCRYPT.

[30] Alfredo Pironti et al. A Messy State of the Union: Taming the Composite State Machines of TLS, 2015, IEEE Symposium on Security and Privacy.

[31] Dengguo Feng et al. Multiple Handshakes Security of TLS 1.3 Candidates, 2016, IEEE Symposium on Security and Privacy (SP).

[32] Kenneth G. Paterson et al. On the Security of the TLS Protocol: A Systematic Analysis, 2013, IACR Cryptol. ePrint Arch.

[33] Christof Paar et al. DROWN: Breaking TLS Using SSLv2, 2016, USENIX Security Symposium.

[34] Matthew Green et al. Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice, 2015, CCS.

[35] Kenneth G. Paterson et al. One Bad Apple: Backwards Compatibility Attacks on State-of-the-Art Cryptography, 2013, NDSS.

[36] Kenneth G. Paterson et al. Reactive and Proactive Standardisation of TLS, 2016, SSR.

[37] Kenneth G. Paterson et al. On the Security of RC4 in TLS, 2013, USENIX Security Symposium.

[38] Marc Fischlin et al. Multi-Stage Key Exchange and the Case of Google's QUIC Protocol, 2014, CCS.

[39] Jörg Schwenk et al. Multi-Ciphersuite Security of the Secure Shell (SSH) Protocol, 2014, CCS.

[40] Douglas Stebila et al. Modelling Ciphersuite and Version Negotiation in the TLS Protocol, 2015, ACISP.

[41] Zheng Yang et al. On the Security of the Pre-shared Key Ciphersuites of TLS, 2014, Public Key Cryptography.

[42] Alfredo Pironti et al. Proving the TLS Handshake Secure (as it is), 2014, IACR Cryptol. ePrint Arch.