A Modular Security Analysis of the TLS Handshake Protocol (original) (raw)

The TLS Handshake Protocol: A Modular Analysis

Journal of Cryptology, 2010

We study the security of the widely deployed Secure Session Layer/Transport Layer Security (TLS) key agreement protocol. Our analysis identifies, justifies, and exploits the modularity present in the design of the protocol: the application keys offered to higher level applications are obtained from a master key, which in turn is derived, through interaction, from a pre-master key.

Universally Composable Security Analysis of TLS

Lecture Notes in Computer Science, 2008

We present a security analysis of the complete TLS protocol in the Universal Composable security framework. This analysis evaluates the composition of key exchange functionalities realized by the TLS handshake with the message transmission of the TLS record layer to emulate secure communication sessions and is based on the adaption of the secure channel model from Canetti and Krawczyk to the setting where peer identities are not necessarily known prior the protocol invocation and may remain undisclosed. Our analysis shows that TLS, including the Diffie-Hellman and key transport suites in the uni-directional and bi-directional models of authentication, securely emulates secure communication sessions.

On the Security of the Pre-shared Key Ciphersuites of TLS

Lecture Notes in Computer Science, 2014

TLS is by far the most important protocol on the Internet for negotiating secure session keys and providing authentication. Only very recently, the standard ciphersuites of TLS have been shown to provide provably secure guarantees under a new notion called Authenticated and Confidential Channel Establishment (ACCE) introduced by Jager et al. at CRYPTO'12. In this work, we analyse the variants of TLS that make use of pre-shared keys (TLS-PSK). In various environments, TLS-PSK is an interesting alternative for remote authentication between servers and constrained clients like smart cards, for example for mobile phone authentication, EMV-based payment transactions or authentication via electronic ID cards. First, we introduce a new and strong definition of ACCE security that covers protocols with pre-shared keys. Next, we prove that all ciphersuite families of TLS-PSK meet our strong notion of ACCE security. Our results do not rely on random oracles nor on any non-standard assumption.

Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels

Lecture Notes in Computer Science, 2001

We present a formalism for the analysis of key-exchange protocols that combines previous definitional approaches and results in a definition of security that enjoys some important analytical benefits: (i) any key-exchange protocol that satisfies the security definition can be composed with symmetric encryption and authentication functions to provide provably secure communication channels (as defined here); and (ii) the definition allows for simple modular proofs of security: one can design and prove security of key-exchange protocols in an idealized model where the communication links are perfectly authenticated, and then translate them using general tools to obtain security in the realistic setting of adversary-controlled links. We exemplify the usability of our results by applying them to obtain the proof of two classes of key-exchange protocols, Diffie-Hellman and key-transport, authenticated via symmetric or asymmetric techniques.

Strengthening the security of key exchange protocols

2014

Authenticated key exchange (AKE) protocols are central building blocks of security protocols such as TLS, IPsec, and SSH, that are used in modern distributed applications. The security of these protocols can however be affected by threats such as attacks on users' long-term secret keys, attacks based on malicious key registration, and attacks on the random number generator used by the protocol. The goal of this thesis is to model advanced security threats against authenticated key exchange protocols and to develop methods that strengthen the security of these protocols and make them secure against the considered threats. I would like to express my gratitude to my advisor David Basin for giving me the opportunity of pursuing research in the Institute of Information Security and for his support over the last years. I owe many thanks to my advisor Cas Cremers for his time, patience, and for the many helpful and productive discussions we had at ETH Zurich and at the University of Oxford. It was a great pleasure for me to work with Colin Boyd, Cas Cremers, Kenneth Paterson, Bertram Poettering, and Douglas Stebila on authenticated key exchange security incorporating certification systems. Thanks for the very efficient collaboration and for your support. Also, I would like to thank Marc Fischlin for his willingness to serve as a co-examiner. During my PhD, I have had many constructive discussions with other researchers, including

Authenticated Key Exchange and Key Encapsulation in the Standard Model

Lecture Notes in Computer Science

This paper 1 presents a new paradigm to realize cryptographic primitives such as authenticated key exchange and key encapsulation without random oracles under three assumptions: the decisional Diffie-Hellman (DDH) assumption, target collision resistant (TCR) hash functions and a class of pseudo-random functions (PRFs), πPRFs, PRFs with pairwise-independent random sources. We propose a (PKI-based) two-pass authenticated key exchange (AKE) protocol that is comparably as efficient as the existing most efficient protocols like MQV and that is secure without random oracles (under these assumptions). Our protocol is shown to be secure in the (currently) strongest security definition, the extended Canetti-Krawczyk (eCK) security definition introduced by LaMacchia, Lauter and Mityagin. We also show that a variant of the Kurosawa-Desmedt key encapsulation mechanism (KEM) using a πPRF is CCA-secure under the three assumptions. This scheme is secure in a stronger security notion, the chosen public-key and ciphertext attack (CPCA) security, with using a generalized TCR (GTCR) hash function in place of a TCR hash function. The proposed schemes in this paper are validity-check-free and the implication is that combining them with validity-check-free symmetric encryption (DEM) will yield validity-check-free (e.g., MAC-free) CCA-secure hybrid encryption.

Security Enhancement and Modular Treatment towards Authenticated Key Exchange

Lecture Notes in Computer Science, 2010

We present an enhanced security model for the authenticated key exchange (AKE) protocols to capture the pre-master secret replication attack and to avoid the controversial random oracle assumption in the security proof. Our model treats the AKE protocol as two relatively independent modules, the secret exchange module and the key derivation module, and formalizes the adversarial capabilities and security properties for each of these modules. We prove that the proposed security model is stronger than the extended Canetti-Krawczyk model. Moreover, we introduce NACS, a two-pass AKE protocol which is secure in the enhanced model. NACS is practical and efficient, since it reqires less exponentiations, and, more important, admits a tight security reduction with weaker standard cryptographic assumptions. Finally, the compact and elegant security proof of NACS shows that our method is reasonable and effective.

A New Security Model for Authenticated Key Agreement

Security and Cryptography for Networks, 2010

The Canetti–Krawczyk (CK) and extended Canetti–Krawczyk (eCK) security models, are widely used to provide security arguments for key agreement protocols. We discuss security shades in the (e)CK models, and some practical attacks unconsidered in (e)CK–security arguments. We propose a strong security model which encompasses the eCK one. We also propose a new protocol, called Strengthened MQV (SMQV), which in addition

Key-Schedule Security for the TLS 1.3 Standard

Advances in Cryptology – ASIACRYPT 2022

Transport Layer Security (TLS) is the cryptographic backbone of secure communication on the Internet. In its latest version 1.3, the standardization process has taken formal analysis into account both due to the importance of the protocol and the experience with conceptual attacks against previous versions. To manage the complexity of TLS (the specification exceeds 100 pages), prior reduction-based analyses have focused on some protocol features and omitted others, e.g., included session resumption and omitted agile algorithms or vice versa. This article is a major step towards analysing the TLS 1.3 key establishment protocol as specified at the end of its rigorous standardization process. Namely, we provide a full proof of the TLS key schedule, a core protocol component which produces output keys and internal keys of the key exchange protocol. In particular, our model supports all key derivations featured in the standard, including its negotiated modes and algorithms that combine an optional Diffie-Hellman exchange for forward secrecy with optional pre-shared keys supplied by the application or recursively established in prior sessions. Technically, we rely on state-separating proofs (Asiacrypt '18) and introduce techniques to model large and complex derivation graphs. Our key schedule analysis techniques have been used subsequently to analyse the key schedule of Draft 11 of the MLS protocol (S&P '22) and to propose improvements.