Implementing and Proving the TLS 1.3 Record Layer

@article{Bhargavan2017ImplementingAP,
  title={Implementing and Proving the TLS 1.3 Record Layer},
  author={K. Bhargavan and Antoine Delignat-Lavaud and C. Fournet and Markulf Kohlweiss and Jianyang Pan and Jonathan Protzenko and Aseem Rastogi and N. Swamy and Santiago Zanella B{\'e}guelin and J. Zinzindohou{\'e}},
  journal={2017 IEEE Symposium on Security and Privacy (SP)},
  year={2017},
  pages={463-482}
}
The record layer is the main bridge between TLS applications and internal sub-protocols. Its core functionality is an elaborate form of authenticated encryption: streams of messages for each sub-protocol (handshake, alert, and application data) are fragmented, multiplexed, and encrypted with optional padding to hide their lengths. Conversely, the sub-protocols may provide fresh keys or signal stream termination to the record layer. Compared to prior versions, TLS 1.3 discards obsolete schemes…
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates
TLDR
A cryptographic analysis of the primary ephemeral Diffie-Hellman-based handshake protocol of both TLS 1.3 candidates, which shows that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare-Rogaway model.
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol
TLDR
This analysis in the reductionist security framework uses a multi-stage key exchange security model, where each of the many session keys derived in a single TLS 1.3 handshake is tagged with various properties to establish session keys with their desired security properties under standard cryptographic assumptions.
A Security Model and Fully Verified Implementation for the IETF QUIC Record Layer
TLDR
It is shown that QUIC uses an instance of a generic construction parameterized by a standard AEAD-secure scheme and a PRF-secure cipher, and a provably-safe implementation of the rest of the QUIC protocol is developed, which achieves nearly 2 GB/s throughput.
Partially Specified Channels: The TLS 1.3 Record Layer without Elision
TLDR
This treatment adopts the definitional perspective of Rogaway and Stegers and formalizes partially specified channels as the component algorithms of two parties communicating over a channel, showing that its security hinges crucially upon details left unspecified by the standard.
Secure Communication Channel Establishment: TLS 1.3 (over TCP Fast Open) vs. QUIC
TLDR
This work is the first to thoroughly compare the security and availability properties of TLS 1.3, QUIC, and TFO over UDP, and develops novel security models that permit “layered” security analysis.
A Comprehensive Symbolic Analysis of TLS 1.3
TLDR
The most comprehensive, faithful, and modular symbolic model of the TLS 1.3 draft 21 release candidate is constructed, and an unexpected behaviour is revealed, which is expected to inhibit strong authentication guarantees in some implementations of the protocol.
On post-handshake authentication and external PSKs in TLS 1.3
TLDR
This work considers the restriction on the usage of post-handshake authentication in connections established with external PSK and shows that some vulnerability appears in the case of psk_ke mode (PSK-only key establishment) if more than one pair of entities can possess the same PSK.
The Era of TLS 1.3: Measuring Deployment and Use with Active and Passive Methods
TLDR
This study conducts the first study of TLS 1.3 deployment and use since its standardization by the IETF and establishes and investigates the critical contribution that hosting services and CDNs make to the fast, initial uptake of the protocol.
Data Is a Stream: Security of Stream-Based Channels
TLDR
This work presents notions of confidentiality and integrity for such channels, akin to the notions for atomic channels, but taking the peculiarities of streams into account, and gives an AEAD-based construction that achieves the notion of a secure stream-based channel.
A Formal Treatment of Multi-key Channels
TLDR
This design aims at achieving forward security, protecting prior communication after long-term key corruption, as well as security of individual channel phases even if the key in other phases is leaked (a property the authors denote as phase-key insulation).

References

SHOWING 1-10 OF 60 REFERENCES
(De-)Constructing TLS 1.3
TLDR
This work exemplifies a novel approach towards proving the security of complex protocols by a modular, step-by-step decomposition, in which smaller sub-steps are proved in isolation and then the security of the protocol follows by the composition theorem.
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates
TLDR
A cryptographic analysis of the primary ephemeral Diffie-Hellman-based handshake protocol of both TLS 1.3 candidates, which shows that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare-Rogaway model.
On the Security of the TLS Protocol: A Systematic Analysis
TLDR
This paper shows how to extract a key-encapsulation mechanism (KEM) from the TLS Handshake Protocol, and how the security of the entire TLS protocol follows from security properties of this KEM when composed with a secure authenticated encryption scheme in the Record Protocol.
Implementing TLS with Verified Cryptographic Security
TLDR
A verified reference implementation of TLS 1.2 is developed, including security specifications for its main components, such as authenticated stream encryption for the record layer and key establishment for the handshake, and typecheck the protocol state machine.
On the security of TLS renegotiation
TLDR
It is shown generically that the proposed fixes for TLS offer good protection against renegotiation attacks, and a simple new countermeasure is given that provides renegotiation security for TLS even in the face of stronger adversaries.
The OPTLS Protocol and TLS 1.3
  • H. Krawczyk, H. Wee
  • Computer Science
  • 2016 IEEE European Symposium on Security and Privacy (EuroS&P)
  • 2016
TLDR
The OPTLS key-exchange protocol is presented, its design, rationale and cryptographic analysis, and a simple design framework that supports all the above requirements from the protocol with a uniform and modular logic that helps in the specification, analysis, performance optimization, and future maintenance of the protocol.
On the Security of TLS-DHE in the Standard Model
TLDR
The notion of authenticated and confidential channel establishment ACCE is defined as a new security model which captures precisely the security properties expected from TLS in practice, and the combination of the TLS Handshake with data encryption in the TLS Record Layer can be proven secure in this model.
On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption
TLDR
Two attacks which transfer the potential weakness of prior TLS versions to two recently proposed protocols that do not even support PKCS#1 v1.5 are described, namely Google's QUIC protocol and TLS 1.3.
Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol
TLDR
It is shown that when tags are longer, the TLS Record Protocol meets a new length-hiding authenticated encryption security notion that is stronger than IND-CCA.
From Stateless to Stateful: Generic Authentication and Authenticated Encryption Constructions with Application to TLS
TLDR
This work shows generically how to construct higher level schemes from a basic scheme and appropriate use of sequence numbers, and applies that to close the gap in the analysis of TLS record layer encryption.