On the Security of TLS-DHE in the Standard Model

@inproceedings{Jager2012OnTS,
  title={On the Security of TLS-DHE in the Standard Model},
  author={Tibor Jager and Florian Kohlar and Sven Sch{\"a}ge and J{\"o}rg Schwenk},
  booktitle={CRYPTO},
  year={2012}
}
TLS is the most important cryptographic protocol in use today. However, up to now there is no complete cryptographic security proof in the standard model, nor in any other model. We give the first such proof for the core cryptographic protocol of TLS ciphersuites based on ephemeral Diffie-Hellman key exchange (TLS-DHE), which include the cipher suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA mandatory in TLS 1.0 and TLS 1.1. It is impossible to prove security of the TLS Handshake protocol in any…

On the Security of TLS-DH and TLS-RSA in the Standard Model
TLDR: It is shown that if TLS-RSA is instantiated with a CCA-secure public-key cryptosystem, and TLS-DH is used in scenarios where (a) the knowledge-of-secret-key assumption holds or (b) the adversary may not register new public keys at all, both ciphersuites can be proven secure in the standard model under standard security assumptions.

Authenticated Confidential Channel Establishment and the Security of TLS-DHE
TLDR: It is shown that the combination of the TLS-DHE Handshake protocol and the TLS Record Layer encryption is secure in this model, using the new notion of authenticated and confidential channel establishment (ACCE), which allows the monolithic analysis of protocols for which a modular security proof is not possible.

On the Security of the TLS Protocol: A Systematic Analysis
TLDR: This paper shows how to extract a key-encapsulation mechanism (KEM) from the TLS Handshake Protocol, and how the security of the entire TLS protocol follows from security properties of this KEM when composed with a secure authenticated encryption scheme in the Record Protocol.

On the security of TLS renegotiation
TLDR: It is shown generically that the proposed fixes for TLS offer good protection against renegotiation attacks, and a simple new countermeasure is given that provides renegotiation security for TLS even in the face of stronger adversaries.

On the Security of TLS Renegotiation (full version)
TLDR: It is shown generically that the proposed fixes for TLS offer good protection against renegotiation attacks, and a simple new countermeasure is given that provides renegotiation security for TLS even in the face of stronger adversaries.

On the Security of the Pre-shared Key Ciphersuites of TLS
TLDR: This work introduces a new and strong definition of ACCE security that covers protocols with pre-shared keys and proves that all ciphersuite families of TLS-PSK meet the strong notion of ACCE security.

A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates
TLDR: A cryptographic analysis of the primary ephemeral Diffie-Hellman-based handshake protocol of both TLS 1.3 candidates, which shows that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare-Rogaway model.

(De-)Constructing TLS
TLDR: A modular security analysis of the handshake in TLS version 1.3 is provided, and new insights into the intrinsic problems incurred by a non-modular protocol design such as that of TLS are suggested.

A Cryptographic Analysis of the TLS 1.3 Handshake Protocol
TLDR: This analysis in the reductionist security framework uses a multi-stage key exchange security model, in which each of the many session keys derived in a single TLS 1.3 handshake is tagged with various properties, to establish that the session keys have their desired security properties under standard cryptographic assumptions.

On the security of TLS resumption and renegotiation
TLDR: A new definition of "uniqueness" is introduced and a renegotiable and resumable ACCE security model is presented, which identifies the triple handshake attack within the new model; it is shown that TLS with the proposed fix can be proven secure in this model.


References

(showing 10 of 78 references)

HMQV: A High-Performance Secure Diffie-Hellman Protocol
TLDR: HMQV is presented, a carefully designed variant of MQV that provides the same performance and functionality as the original protocol, but for which all of MQV's security goals can be formally proved to hold in the random oracle model under the computational Diffie-Hellman assumption.

The TLS Handshake Protocol: A Modular Analysis
TLDR: The main contribution of the paper is a modular and generic proof of security for a slightly modified version of TLS, which shows that the protocol is secure even if the pre-master and master keys satisfy only weak security requirements.

A Modular Security Analysis of the TLS Handshake Protocol
TLDR: The main contribution of the paper is a modular and generic proof of security for the application keys established through the TLS protocol, showing that the transformation used by TLS to derive master keys essentially transforms an arbitrary secure pre-master key agreement protocol into a secure master-key agreement protocol.

HMAC is a randomness extractor and applications to TLS
TLDR: This paper shows that when the shared secret is put in the key space of the HMAC function, there are two cases to consider depending on whether the key is larger than the block length of the hash function or not, and provides a formal proof that the output is pseudo-random in each case, but under different assumptions.

A Challenging but Feasible Blockwise-Adaptive Chosen-Plaintext Attack on SSL
TLDR: A chosen-plaintext vulnerability in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols is introduced which enables recovery of low-entropy strings, such as those that can be guessed from a likely set of 2–1000 options.

The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES
TLDR: In this paper, natural assumptions under which DHIES achieves security under chosen-ciphertext attack are found, the assumptions made about the Diffie-Hellman problem are investigated, and security lower bounds are provided.

Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels
TLDR: A formalism for the analysis of key-exchange protocols is presented that combines previous definitional approaches and results in a definition of security that allows for simple modular proofs of security.

Universally Composable Security Analysis of TLS
TLDR: This analysis evaluates the composition of the key exchange functionalities realized by the TLS handshake with the message transmission of the TLS record layer to emulate secure communication sessions, and is based on an adaptation of the secure channel model of Canetti and Krawczyk to the setting where peer identities are not necessarily known prior to the protocol invocation and may remain undisclosed.

The Vulnerability of SSL to Chosen Plaintext Attack
G. Bard. IACR Cryptol. ePrint Arch., 2004.
TLDR: It is argued that the open nature of web browsers provides a feasible "point of entry" for this attack via a corrupted plug-in; thus, implementing the attack is likely to be much easier than, say, installing a Trojan horse for "keyboard sniffing".

Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol
TLDR: It is shown that when tags are longer, the TLS Record Protocol meets a new length-hiding authenticated encryption security notion that is stronger than IND-CCA.
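
The abstract at the top of the page concerns the TLS-DHE handshake, and the "HMAC is a randomness extractor" reference above concerns how TLS feeds the Diffie-Hellman shared secret into HMAC, distinguishing the case where that secret is longer than the hash block length. The following is an added example, not code from the paper, from its authors or from this page: it implements the TLS 1.2 PRF of RFC 5246 (P_SHA256, as used by the SHA-256 ciphersuites; TLS 1.0 and 1.1, which the paper's mandatory ciphersuite belongs to, use a different MD5/SHA-1 split PRF), encodes a DHE shared value Z as the premaster secret the way RFC 5246 section 8.1.2 prescribes, derives the 48-byte master secret, and checks the block-length case directly: for a 2048-bit group the premaster is 256 bytes, longer than HMAC-SHA256's 64-byte block, so HMAC hashes the key first and the extraction step is really keyed with SHA-256(premaster). The modulus stand-in, the shared value and the hello randoms are constructed inputs, not a real DH group or real traffic, and the function names are this example's own.

```python
import hashlib
import hmac

SHA256_BLOCK_SIZE = 64  # HMAC-SHA256 block size in bytes; longer keys are hashed first (RFC 2104)


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 of RFC 5246 section 5: iterate HMAC to expand (secret, seed) to `length` bytes."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed) for SHA-256 suites (RFC 5246 section 5)."""
    return p_sha256(secret, label + seed, length)


def dhe_premaster(z: int, p: int) -> bytes:
    """Encode the DH shared value Z as the TLS 1.2 premaster secret (RFC 5246 section 8.1.2):
    big-endian, at most len(p) bytes, with leading all-zero bytes stripped (so the length is
    data-dependent, exactly as the RFC specifies)."""
    if not 1 <= z < p:
        raise ValueError("Z must lie in [1, p)")
    return z.to_bytes((p.bit_length() + 7) // 8, "big").lstrip(b"\x00")


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0..47]  (RFC 5246 section 8.1)"""
    return tls12_prf(premaster, b"master secret", client_random + server_random, 48)


def hmac_prehashes_key(key: bytes) -> bool:
    """True when HMAC-SHA256 keyed with `key` equals HMAC keyed with SHA-256(key): that happens
    exactly when the key exceeds the block size and RFC 2104 hashes it before use, the case the
    HMAC-as-extractor paper treats under its own assumption."""
    msg = b"probe"
    direct = hmac.new(key, msg, hashlib.sha256).digest()
    prehashed = hmac.new(hashlib.sha256(key).digest(), msg, hashlib.sha256).digest()
    return direct == prehashed


# Constructed inputs (this example's own, not a real group and not real traffic).
P_STANDIN = (1 << 2048) - 1                 # stand-in for a 2048-bit modulus; only its byte length matters here
Z_STANDIN = int.from_bytes(b"\x01" + bytes(range(255)), "big")  # constructed "shared value" with a non-zero top byte
PREMASTER = dhe_premaster(Z_STANDIN, P_STANDIN)                # 256 bytes, longer than the 64-byte HMAC block
CLIENT_RANDOM = bytes([0x11]) * 32          # constructed ClientHello.random
SERVER_RANDOM = bytes([0x22]) * 32          # constructed ServerHello.random
MASTER = master_secret(PREMASTER, CLIENT_RANDOM, SERVER_RANDOM)

if __name__ == "__main__":
    print("premaster length:", len(PREMASTER), "bytes; HMAC pre-hashes it:", hmac_prehashes_key(PREMASTER))
    print("master secret:", MASTER.hex())
```

Swapping the two hello randoms changes the PRF seed and therefore the master secret, which is the binding of the session key to both parties' nonces that the proofs above rely on; a 32-byte key, by contrast, is padded rather than hashed, so `hmac_prehashes_key` returns False for it and the extractor argument runs under a different assumption, as the cited paper notes.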