Reactive and Proactive Standardisation of TLS

@inproceedings{Paterson2016ReactiveAP,
  title={Reactive and Proactive Standardisation of TLS},
  author={Kenneth G. Paterson and Thyla van der Merwe},
  booktitle={SSR},
  year={2016}
}
In the development of TLS 1.3, the IETF TLS Working Group has adopted an “analysis-prior-to-deployment” design philosophy. This is in sharp contrast to all previous versions of the protocol. We present an account of the TLS standardisation narrative, examining the differences between the reactive standardisation process for TLS 1.2 and below, and the more proactive standardisation process for TLS 1.3. We explore the possible factors that have contributed to the shift in the TLS WG’s design… 
Introduction to the Special Issue on TLS 1.3
  • C. Boyd
  • Computer Science
    J. Cryptol.
  • 2021
TLDR
Three of the five papers in this special issue on TLS 1.3 are concerned with security analysis of the published standard, with a driving goal to improve efficiency of the protocol in a number of ways.
A Comprehensive Symbolic Analysis of TLS 1.3
TLDR
The most comprehensive, faithful, and modular symbolic model of the TLS 1.3 draft 21 release candidate is constructed, and an unexpected behaviour is revealed, which is expected to inhibit strong authentication guarantees in some implementations of the protocol.
Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate
TLDR
A methodology for developing verified symbolic and computational models of TLS 1.3 hand-in-hand with a high-assurance reference implementation of the protocol, and presents a computational CryptoVerif model for TLS 1.3 Draft-18 and proves its security.
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates
TLDR
A cryptographic analysis of the primary ephemeral Diffie-Hellman-based handshake protocol of both TLS 1.3 candidates, which shows that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare-Rogaway model.
Using a Dual-Layer Specification to Offer Selective Interoperability for Uptane
This work introduces the concept of a dual-layer specification structure for standards that separates interoperability functions, such as backwards compatibility, localization, and deployment, from
Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session Confusion
TLDR
Fine-grained formal analysis of 5G’s main authentication and key agreement protocol (AKA) is performed, and the first models to explicitly consider all parties defined by the protocol specification are provided, demonstrating the fragility and subtle trust assumptions of the 5G-AKA protocol.
Towards Securing the Internet of Things with QUIC
  • L. Eggert
  • Computer Science
    Proceedings 2020 Workshop on Decentralized IoT Systems and Security
  • 2020
TLDR
The storage, compute, memory and energy requirements of the Quant QUIC stack on two different IoT platforms are evaluated, finding that a minimal standards-compliant QUIC client currently requires approximately 58 to 63 KB of flash and can retrieve 5 KB of data in 4.2 to 5.1 s.
Continuous Verification for Cryptographic Protocol Development
TLDR
The power of continuous verification is illustrated by discovering flaws in the protocols using the Cryptographic Protocol Shapes Analyzer, identifying the corresponding fixes based on the feedback provided by CPSA, and demonstrating that verifiable models can be intuitive, concise and suitable for inclusion in standards to enable third-party verification and future modifications.
Secure authentication in the grid: A formal analysis of DNP3 SAv5
TLDR
This work provides the first security analysis of the complete DNP3: SAv5 protocol and formally model and analyse the complex composition of the protocol’s sub-protocols, leading to several concrete recommendations for improving future versions of the standard.
Secure Authentication in the Grid: A Formal Analysis of DNP3: SAv5
TLDR
This work provides the first security analysis of the complete DNP3: SAv5 protocol and formally model and analyse the complex composition of the protocol’s three sub-protocols, using the Tamarin prover for the symbolic analysis of security protocols.

References

Showing 1-10 of 84 references
The OPTLS Protocol and TLS 1.3
  • H. Krawczyk, H. Wee
  • Computer Science
    2016 IEEE European Symposium on Security and Privacy (EuroS&P)
  • 2016
TLDR
The OPTLS key-exchange protocol is presented, its design, rationale and cryptographic analysis, and a simple design framework that supports all the above requirements from the protocol with a uniform and modular logic that helps in the specification, analysis, performance optimization, and future maintenance of the protocol.
Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication
TLDR
This work model and analyse revision 10 of the TLS 1.3 specification using the Tamarin prover, a tool for the automated analysis of security protocols, and shows the strict necessity of recent suggestions to include more information in the protocol's signature contents.
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates
TLDR
A cryptographic analysis of the primary ephemeral Diffie-Hellman-based handshake protocol of both TLS 1.3 candidates, which shows that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare-Rogaway model.
Multiple Handshakes Security of TLS 1.3 Candidates
TLDR
This paper presents the first formal treatment of multiple handshakes protocols of TLS 1.3 draft, and introduces a multi-level & stage security model, an adaptation of the Bellare-Rogaway authenticated key exchange model, covering all kinds of compositional interactions between different TLS handshake modes and providing reasonably strong security guarantees.
The TLS Handshake Protocol: A Modular Analysis
TLDR
The main contribution of the paper is a modular and generic proof of security for a slightly modified version of TLS that shows that the protocol is secure even if the pre-master and the master keys satisfy only weak security requirements.
On the Security of the TLS Protocol: A Systematic Analysis
TLDR
This paper shows how to extract a key-encapsulation mechanism (KEM) from the TLS Handshake Protocol, and how the security of the entire TLS protocol follows from security properties of this KEM when composed with a secure authenticated encryption scheme in the Record Protocol.
Standardization Transparency - An Out of Body Experience
TLDR
Recommendations are proposed on actions standards setting organizations can take to broaden participation in the selection of techniques for standardization and to strengthen communications between standards developers and the research community.
Downgrade Resilience in Key-Exchange Protocols
TLDR
The causes of downgrade attacks are studied by dissecting and classifying known and novel attacks against widely used protocols, and patterns that guarantee downgrade security by design are discussed, and how to use them to strengthen the security of existing protocols.
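Two of the references above turn on the same design question: the Tamarin analysis of draft 10 argues for putting more of the handshake into the server's signature contents, and the downgrade-resilience paper describes patterns that make downgrade attacks impossible by construction. The toy model below, added here as an illustration and not code from this paper or from any of the cited works, contrasts the two signing patterns directly. A TLS 1.2-style ServerKeyExchange signature covers only the two randoms and the Diffie-Hellman parameters; a TLS 1.3-style CertificateVerify signs a hash of the entire transcript so far. Everything in it is constructed for the demo: the cipher-suite names are not real IANA values, the messages are simplified encodings, and an HMAC under a server-only key stands in for the certificate signature, since the point is what gets signed rather than which primitive signs it.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed, illustrative suite names (not real IANA cipher-suite values).
STRONG_SUITE = b"DHE_RSA_AES_256"
EXPORT_SUITE = b"DHE_RSA_EXPORT_512"   # weak, export-grade group


@dataclass
class ClientHello:
    client_random: bytes
    cipher_suites: list          # offered suites, strongest first

    def encode(self) -> bytes:
        return b"CH|" + self.client_random + b"|" + b",".join(self.cipher_suites)


@dataclass
class ServerHello:
    server_random: bytes
    cipher_suite: bytes          # the suite the server selected
    dh_params: bytes             # group + public value, opaque here

    def encode(self) -> bytes:
        return b"SH|" + self.server_random + b"|" + self.cipher_suite + b"|" + self.dh_params


# Toy signature: HMAC under a key only the server holds (stands in for the
# server's certificate signature; constructed for this demo).
SERVER_KEY = b"server-signing-key-constructed-for-demo"


def sign(msg: bytes) -> bytes:
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def verify(msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(msg), sig)


def signed_context_tls12(ch: ClientHello, sh: ServerHello) -> bytes:
    """TLS 1.2 pattern: ServerKeyExchange signs client_random || server_random || params.
    Neither the offered suites nor the selected suite is covered."""
    return ch.client_random + sh.server_random + sh.dh_params


def signed_context_tls13(ch: ClientHello, sh: ServerHello) -> bytes:
    """TLS 1.3 pattern: CertificateVerify signs the hash of the whole transcript so far."""
    return hashlib.sha256(ch.encode() + sh.encode()).digest()


def run_handshake(context_fn, tamper: bool) -> bool:
    """Return True if the client accepts the server's signature.

    tamper=True models a man-in-the-middle who strips the strong suite from the
    ClientHello so the server negotiates the export suite, then rewrites the
    ServerHello's suite field so the client believes the strong suite was chosen
    while the weak DH parameters are left in place."""
    ch_sent = ClientHello(b"CR" * 16, [STRONG_SUITE, EXPORT_SUITE])
    ch_seen_by_server = (ClientHello(ch_sent.client_random, [EXPORT_SUITE])
                         if tamper else ch_sent)

    # The server honestly picks the first suite it was offered.
    chosen = ch_seen_by_server.cipher_suites[0]
    sh_from_server = ServerHello(b"SR" * 16, chosen, b"dh-group-and-public-value")
    sig = sign(context_fn(ch_seen_by_server, sh_from_server))

    sh_seen_by_client = (ServerHello(sh_from_server.server_random, STRONG_SUITE,
                                     sh_from_server.dh_params)
                         if tamper else sh_from_server)

    # The client verifies over the ClientHello it actually sent and the
    # ServerHello it actually received.
    return verify(context_fn(ch_sent, sh_seen_by_client), sig)


if __name__ == "__main__":
    for name, fn in (("TLS 1.2 style", signed_context_tls12),
                     ("TLS 1.3 style", signed_context_tls13)):
        print(f"{name}: honest={run_handshake(fn, False)} tampered={run_handshake(fn, True)}")
```

With the 1.2-style context the tampered run verifies, because nothing the attacker changed is under the signature; with the 1.3-style context it fails, because the client's and server's views of the transcript no longer hash to the same value. Real TLS 1.2 does cover the transcript in the Finished messages, but those are keyed by the negotiated shared secret, which is exactly what a downgrade to a weak group lets the attacker recover, so a signature over the transcript itself is the pattern that closes the gap by design.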
(De-)Constructing TLS
TLDR
A modular security analysis of the handshake in TLS version 1.3 is provided and new insights into the intrinsic problems incurred by a non-modular protocol design such as that of TLS are suggested.
FLEXTLS: A Tool for Testing TLS Implementations
TLDR
FLEXTLS was used to discover recent attacks on TLS implementations, such as SKIP and FREAK, as well as to program the first proof-of-concept demos for FREAK and Logjam and to experiment with proposed designs of the upcoming version 1.3 of TLS.