(De-)Constructing TLS 1.3

SSL/TLS is one of the most widely deployed cryptographic protocols on the Internet. It is used to protect the confidentiality and integrity of transmitted data in various client-server applications. The currently specified version is TLS 1.2, and its security has been analyzed extensively in the cryptographic literature. The IETF working group is actively developing a new version, TLS 1.3, which is designed to address several flaws inherent to previous versions. In this paper, we analyze the security of a slightly modified version of the current TLS 1.3 draft. We do not encrypt the server's certificate. Our security analysis is performed in the constructive cryptography framework. This ensures that the resulting security guarantees are composable and can readily be used in subsequent protocol steps, such as password-based user authentication over a TLS-based communication channel in which only the server is authenticated. Most steps of our proof hold in the standard model, with the sole exception that the key derivation function HKDF is used in a way that has a proof only in the random-oracle model. Beyond the technical results on TLS 1.3, this work also exemplifies a novel approach towards proving the security of complex protocols by a modular, step-by-step decomposition, in which smaller sub-steps are proved in isolation and then the security of the protocol follows by the composition theorem.
