A Cryptographic Analysis of the TLS 1.3 Handshake Protocol

@article{Dowling2020ACA,
  title={A Cryptographic Analysis of the TLS 1.3 Handshake Protocol},
  author={Benjamin Dowling and Marc Fischlin and Felix G{\"u}nther and D. Stebila},
  journal={Journal of Cryptology},
  year={2020}
}
We analyze the handshake protocol of the Transport Layer Security (TLS) protocol, version 1.3. We address both the full TLS 1.3 handshake (the one round-trip time mode, with signatures for authentication and (elliptic curve) Diffie–Hellman ephemeral ((EC)DHE) key exchange), and the abbreviated resumption/“PSK” mode which uses a pre-shared key for authentication (with optional (EC)DHE key exchange and zero round-trip time key establishment). Our analysis in the reductionist security framework…

Secure Communication Channel Establishment: TLS 1.3 (over TCP Fast Open) vs. QUIC
TLDR
This work is the first to thoroughly compare the security and availability properties of TLS 1.3, QUIC, and TFO over UDP, and develops novel security models that permit “layered” security analysis.
KEMTLS with Delayed Forward Identity Protection in (Almost) a Single Round Trip
TLDR
This work proposes a variant of KEMTLS tailored to decrease handshake latency while protecting client identities, and combines medium-lived with long-term server public keys to enable a delayed form of forward secrecy even from the first data flow on, and full forward secrecy upon the first round trip.
Session Resumption Protocols and Efficient Forward Security for TLS 1.3 0-RTT
The TLS 1.3 0-RTT mode enables a client reconnecting to a server to send encrypted application-layer data in “0-RTT” (“zero round-trip time”), without the need for a prior interactive handshake. This…
Provable Security Analysis of FIDO2
TLDR
The first provable security analysis of the new FIDO2 protocols is carried out, and a generic protocol called sPACA is proposed to withstand stronger yet realistic adversaries and proven to achieve strong security.
Oblivious TLS via Multi-Party Computation Full Version
In this paper, we describe Oblivious TLS: an MPC protocol that we prove UC secure against a majority of actively corrupted parties. The protocol securely implements TLS 1.3. Thus, any party P who…
More efficient post-quantum KEMTLS with pre-distributed public keys
TLDR
Interestingly, using pre-distributed keys in KEMTLS-PDK changes the landscape on suitability of PQ algorithms: schemes where public keys are larger than ciphertexts/signatures can be viable, and the differences between some lattice-based schemes are reduced.
Towards Post-Quantum Security for Signal's X3DH Handshake
TLDR
This paper introduces the notion of a split key encapsulation mechanism (split KEM) to translate the desired key-reusability of a DH-based protocol to a KEM-based flow and proposes split KEMs as a specific target for instantiation in future research.
ASAP: Algorithm Substitution Attacks on Cryptographic Protocols
TLDR
This work shows that careful design of ASAs makes detection unlikely while leaking long-term secrets within a few messages in the case of TLS and WireGuard, allowing impersonation attacks, and that Signal’s double-ratchet protocol shows high immunity to ASAs, as the leakage requires many more messages.
Zero-Knowledge Middleboxes
This paper initiates research on zero-knowledge middleboxes (ZKMBs). A ZKMB is a network middlebox that enforces network usage policies on encrypted traffic. Clients send the middlebox zero-knowledge…
Tighter Proofs for the SIGMA and TLS 1.3 Key Exchange Protocols
TLDR
New, fully-quantitative and concrete bounds that justify the SIGMA and TLS 1.3 key exchange protocols’ security levels are given, and it is proved that the strong Diffie–Hellman problem is as hard as solving discrete logarithms in the generic group model.

References

SHOWING 1-10 OF 95 REFERENCES
On the Security of the TLS Protocol: A Systematic Analysis
TLDR
This paper shows how to extract a key-encapsulation mechanism (KEM) from the TLS Handshake Protocol, and how the security of the entire TLS protocol follows from security properties of this KEM when composed with a secure authenticated encryption scheme in the Record Protocol.
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates
TLDR
A cryptographic analysis of the primary ephemeral Diffie–Hellman-based handshake protocol of both TLS 1.3 candidates, which shows that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare–Rogaway model.
On the Security of TLS-DH and TLS-RSA in the Standard Model
TLDR
It is shown that if TLS-RSA is instantiated with a CCA secure public key cryptosystem and TLS-DH is used in scenarios where a) the knowledge of secret key assumption holds or b) the adversary may not register new public keys at all, both ciphersuites can be proven secure in the standard model under standard security assumptions.
The privacy of the TLS 1.3 protocol
TLDR
This paper models the privacy guarantees of TLS 1.3 when parties execute a full handshake or use a session resumption, covering all the handshake modes of TLS, and proves that TLS 1.3 protects the privacy of its users at least against passive adversaries, contrary to TLS 1.2.
(De-)Constructing TLS 1.3
TLDR
This work exemplifies a novel approach towards proving the security of complex protocols by a modular, step-by-step decomposition, in which smaller sub-steps are proved in isolation and then the security of the protocol follows by the composition theorem.
On the security of TLS renegotiation
TLDR
It is shown generically that the proposed fixes for TLS offer good protection against renegotiation attacks, and a simple new countermeasure is given that provides renegotiation security for TLS even in the face of stronger adversaries.
A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol
TLDR
It is shown that the full (EC)DHE Diffie–Hellman-based handshake of draft-10 is also secure in the multi-stage key exchange framework of Fischlin and Günther, which captures classical Bellare–Rogaway key secrecy for key exchange protocols that derive multiple keys.
On the Security of TLS-DHE in the Standard Model
TLDR
The notion of authenticated and confidential channel establishment (ACCE) is defined as a new security model which captures precisely the security properties expected from TLS in practice, and the combination of the TLS Handshake with data encryption in the TLS Record Layer can be proven secure in this model.
A Modular Security Analysis of the TLS Handshake Protocol
TLDR
The main contribution of the paper is a modular and generic proof of security for the application keys established through the TLS protocol, showing that the transformation used by TLS to derive master keys essentially transforms an arbitrary secure pre-master key agreement protocol into a secure master-key agreement protocol.
Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates
TLDR
Previous security models for key exchange protocols supporting so-called zero round-trip time (0-RTT), enabling a client to establish a fresh provisional key without interaction, based only on cryptographic material obtained in previous connections, are extended to capture such cases.