A Comprehensive Symbolic Analysis of TLS 1.3

@article{Cremers2017ACS,
  title={A Comprehensive Symbolic Analysis of TLS 1.3},
  author={Cas J. F. Cremers and Marko Horvat and John S. Hoyland and Samuel Scott and Thyla van der Merwe},
  journal={Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security},
  year={2017}
}
The TLS protocol is intended to enable secure end-to-end communication over insecure networks, including the Internet. [...] Key Result: We anticipate this model artifact to be of great benefit to the academic community and the TLS Working Group alike.


A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates
TLDR
A cryptographic analysis of the primary ephemeral Diffie-Hellman-based handshake protocol of both TLS 1.3 candidates, which shows that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare-Rogaway model.
Formal Analysis of 5G EAP-TLS Authentication Protocol Using Proverif
TLDR
This work builds the first formal model of the 5G EAP-TLS authentication protocol in the applied pi calculus, and performs an automated security analysis of the formal protocol model by using the ProVerif model checker.
Formal Verification of 5G-EAP-TLS Authentication Protocol
TLDR
This work provides the first formal model of 5G-EAP-TLS protocol and conducts a thorough analysis based on Scyther model checker, which identifies several design flaws in the protocol which may jeopardize the security goals and result in severe security vulnerabilities when implemented in real systems.
Selfie: reflections on TLS 1.3 with PSK
TLDR
The root cause of this TLS 1.3 vulnerability is explained, a fully detailed demonstration of a Selfie attack using the TLS implementation of OpenSSL is given, and a mitigation is proposed.
A Formal Analysis of 5G Authentication
TLDR
This work provides the first comprehensive formal model of a protocol from the AKA family: 5G AKA, and finds that some critical security goals are not met, except under additional assumptions missing from the standard.
A Formal Analysis of 5G Authentication
TLDR
This work provides the first comprehensive formal model of a protocol from the AKA family: 5G AKA, and identifies critical security goals that are not met, except under additional assumptions missing from the standard.
University of Dundee A Formal Analysis of 5G Authentication Basin
TLDR
This work provides the first comprehensive formal model of a protocol from the AKA family: 5G AKA, and finds that some critical security goals are not met, except under additional assumptions missing from the standard.
Secure Communication Channel Establishment: TLS 1.3 (over TCP Fast Open) vs. QUIC
TLDR
This work is the first to thoroughly compare the security and availability properties of TLS 1.3, QUIC, and TFO over UDP, and develops novel security models that permit “layered” security analysis.
The Era of TLS 1.3: Measuring Deployment and Use with Active and Passive Methods
TLDR
This work conducts the first study of TLS 1.3 deployment and use since its standardization by the IETF and establishes and investigates the critical contribution that hosting services and CDNs make to the fast, initial uptake of the protocol.
Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session Confusion
TLDR
Fine-grained formal analysis of 5G’s main authentication and key agreement protocol (AKA) is performed, and the first models to explicitly consider all parties defined by the protocol specification are provided, demonstrating the fragility and subtle trust assumptions of the 5G-AKA protocol.

References

SHOWING 1-10 OF 54 REFERENCES
Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate
TLDR
A methodology is presented for developing verified symbolic and computational models of TLS 1.3 hand-in-hand with a high-assurance reference implementation of the protocol, together with a computational CryptoVerif model for TLS 1.3 Draft-18 and a proof of its security.
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates
TLDR
A cryptographic analysis of the primary ephemeral Diffie-Hellman-based handshake protocol of both TLS 1.3 candidates, which shows that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare-Rogaway model.
The OPTLS Protocol and TLS 1.3
  • H. Krawczyk, H. Wee
  • Computer Science
    2016 IEEE European Symposium on Security and Privacy (EuroS&P)
  • 2016
TLDR
The OPTLS key-exchange protocol is presented, along with its design, rationale and cryptographic analysis, and a simple design framework that supports all the above requirements from the protocol with a uniform and modular logic that helps in the specification, analysis, performance optimization, and future maintenance of the protocol.
Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication
TLDR
This work models and analyses revision 10 of the TLS 1.3 specification using the Tamarin prover, a tool for the automated analysis of security protocols, and shows the strict necessity of recent suggestions to include more information in the protocol's signature contents.
(De-)Constructing TLS
TLDR
A modular security analysis of the handshake in TLS version 1.3 is provided and new insights into the intrinsic problems incurred by a non-modular protocol design such as that of TLS are suggested.
A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol
TLDR
It is shown that the full (EC)DHE Diffie–Hellman-based handshake of draft-10 is also secure in the multi-stage key exchange framework of Fischlin and Gunther which captures classical Bellare–Rogaway key secrecy for key exchange protocols that derive multiple keys.
Formal analysis of modern security protocols in current standards
TLDR
The threat of Actor Key Compromise (AKC) is introduced and formalised, along with how this threat can and cannot be avoided in the protocol design stage; a proposal for its extension is analysed and a flaw in it is uncovered.
Implementing and Proving the TLS 1.3 Record Layer
TLDR
It is concluded that the new TLS record layer (as described in RFCs and cryptographic standards) is provably secure, and the first verified implementation of the record layer in F*, a dependently typed language is provided.
On the Security of the Pre-shared Key Ciphersuites of TLS
TLDR
This work introduces a new and strong definition of ACCE security that covers protocols with pre-shared keys and proves that all ciphersuite families of TLS-PSK meet the strong notion of ACCE security.
Lucky Thirteen: Breaking the TLS and DTLS Record Protocols
TLDR
This paper presents distinguishing and plaintext recovery attacks against TLS and DTLS, based on a delicate timing analysis of decryption processing in the two protocols.