On the Tight Security of TLS 1.3: Theoretically Sound Cryptographic Parameters for Real-World Deployments

@article{Diemert2020OnTT,
  title={On the Tight Security of TLS 1.3: Theoretically Sound Cryptographic Parameters for Real-World Deployments},
  author={Denis Diemert and Tibor Jager},
  journal={Journal of Cryptology},
  year={2020},
  volume={34},
  pages={1--57}
}
We consider the theoretically sound selection of cryptographic parameters, such as the size of algebraic groups or RSA keys, for TLS 1.3 in practice. While prior works gave security proofs for TLS 1.3, their security loss is quadratic in the total number of sessions across all users, which due to the pervasive use of TLS is huge. Therefore, in order to deploy TLS 1.3 in a theoretically sound way, it would be necessary to compensate this loss with unreasonably large parameters that would be…
Tighter Proofs for the SIGMA and TLS 1.3 Key Exchange Protocols
TLDR: New, fully quantitative and concrete bounds that justify the SIGMA and TLS 1.3 key exchange protocols' security levels are given, and it is proved that the strong Diffie–Hellman problem is as hard as solving discrete logarithms in the generic group model.
Authenticated Key Exchange and Signatures with Tight Security in the Standard Model
TLDR: This work identifies a subtle gap in the security proof of the only previously known efficient standard-model scheme by Bader et al. (TCC 2015), and develops a new variant, which yields the currently most efficient signature scheme that achieves this strong security notion without random oracles and based on standard hardness assumptions.
ASAP: Algorithm Substitution Attacks on Cryptographic Protocols
TLDR: This work shows that careful design of ASAs makes detection unlikely while leaking long-term secrets within a few messages in the case of TLS and WireGuard, allowing impersonation attacks, and that Signal's double-ratchet protocol shows high immunity to ASAs, as the leakage requires many more messages.
Tightly-Secure Authenticated Key Exchange, Revisited
We introduce new tightly-secure authenticated key exchange (AKE) protocols that are extremely efficient, yet have only a constant security loss and can be instantiated in the random oracle model both…
Construction and Security Analysis of 0-RTT Protocols
TLDR: This thesis presents the first 0-RTT session resumption protocol that indeed achieves forward security for all messages and shows that the protocol can be incorporated into the recently standardized TLS 1.3 handshake without modifications to client-side implementations.
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol
TLDR: This analysis in the reductionist security framework uses a multi-stage key exchange security model, where each of the many session keys derived in a single TLS 1.3 handshake is tagged with various properties, to establish session keys with their desired security properties under standard cryptographic assumptions.
More Efficient Digital Signatures with Tight Multi-User Security
TLDR: This work constructs the currently most efficient signature schemes with tight multi-user security against adaptive corruptions and proposes a new variant of the generic construction of signatures from sequential OR-proofs, based on lossy identification schemes, to achieve strong existential unforgeability.
Post-Quantum TLS Without Handshake Signatures
TLDR: KEMTLS is presented, an alternative to the TLS 1.3 handshake that uses key-encapsulation mechanisms (KEMs) instead of signatures for server authentication in post-quantum TLS, and achieves a speed-optimized instantiation that reduces the amount of server CPU cycles and communication size.
Modeling advanced security aspects of key exchange and secure channel protocols
TLDR: This thesis introduces a new model for multi-stage key exchange to capture that recent designs for secure connections establish several cryptographic keys for various purposes and with differing levels of security, and introduces a formalism for key confirmation.
Signed Diffie-Hellman Key Exchange with Tight Security
TLDR: The first tight security proof for the ordinary two-message signed Diffie-Hellman key exchange protocol in the random oracle model is proposed, and the tightness result is proven in the "Single-Bit-Guess" model, which the authors know can be tightly composed with symmetric cryptographic primitives to establish a secure channel.

References

Showing 1-10 of 73 references
Tighter Proofs for the SIGMA and TLS 1.3 Key Exchange Protocols
TLDR: New, fully quantitative and concrete bounds that justify the SIGMA and TLS 1.3 key exchange protocols' security levels are given, and it is proved that the strong Diffie–Hellman problem is as hard as solving discrete logarithms in the generic group model.
On the Security of TLS-DHE in the Standard Model
TLDR: The notion of authenticated and confidential channel establishment (ACCE) is defined as a new security model which captures precisely the security properties expected from TLS in practice, and the combination of the TLS Handshake with data encryption in the TLS Record Layer can be proven secure in this model.
On the Security of the PKCS#1 v1.5 Signature Scheme
TLDR: This work introduces a new technique that enables the first security proof for RSA-PKCS#1 v1.5 signatures and proves full existential unforgeability against adaptive chosen-message attacks (EUF-CMA) under the standard RSA assumption.
On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption
TLDR: Two attacks which transfer the potential weakness of prior TLS versions to two recently proposed protocols that do not even support PKCS#1 v1.5 are described, namely Google's QUIC protocol and TLS 1.3.
miTLS: Verifying Protocol Implementations against Real-World Attacks
TLDR: The miTLS project intends to solve the apparent contradiction between published proofs and real-world attacks, which reveals a gap between TLS theory and practice; it sheds light on recent attacks, yields security guarantees for typical TLS usages, and informs the design of the protocol's next version.
On the Impossibility of Tight Cryptographic Reductions
TLDR: A new meta-reduction technique is described that enables interesting novel applications, including a formal proof that for certain cryptographic primitives, the security loss incurred when the primitive is transferred from an idealized single-user setting to the more realistic multi-user setting is impossible to avoid.
The OPTLS Protocol and TLS 1.3
  • H. Krawczyk, H. Wee
  • Computer Science
  • 2016 IEEE European Symposium on Security and Privacy (EuroS&P)
  • 2016
TLDR: The OPTLS key-exchange protocol is presented, with its design, rationale and cryptographic analysis, and a simple design framework that supports all the above requirements from the protocol with a uniform and modular logic that helps in the specification, analysis, performance optimization, and future maintenance of the protocol.
Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates
TLDR: Previous security models for key exchange protocols supporting so-called zero round-trip time (0-RTT), enabling a client to establish a fresh provisional key without interaction, based only on cryptographic material obtained in previous connections, are extended to capture such cases.
On the Security of the TLS Protocol: A Systematic Analysis
TLDR: This paper shows how to extract a key-encapsulation mechanism (KEM) from the TLS Handshake Protocol, and how the security of the entire TLS protocol follows from security properties of this KEM when composed with a secure authenticated encryption scheme in the Record Protocol.
The Multi-user Security of GCM, Revisited: Tight Bounds for Nonce Randomization
TLDR: This paper revisits the multi-user (mu) security of GCM and provides new concrete security bounds which improve upon previous work by adopting a refined parameterization of adversarial resources that highlights the impact on security of (1) nonce re-use across users and of (2) re-keying.