Reactive and Proactive Standardisation of TLS
@inproceedings{Paterson2016ReactiveAP,
  title={Reactive and Proactive Standardisation of TLS},
  author={Kenneth G. Paterson and Thyla van der Merwe},
  booktitle={SSR},
  year={2016}
}
In the development of TLS 1.3, the IETF TLS Working Group has adopted an “analysis-prior-to-deployment” design philosophy. This is in sharp contrast to all previous versions of the protocol. We present an account of the TLS standardisation narrative, examining the differences between the reactive standardisation process for TLS 1.2 and below, and the more proactive standardisation process for TLS 1.3. We explore the possible factors that have contributed to the shift in the TLS WG’s design…
26 Citations
A Comprehensive Symbolic Analysis of TLS 1.3
- Computer Science; CCS
- 2017
The most comprehensive, faithful, and modular symbolic model of the TLS~1.3 draft 21 release candidate is constructed, and an unexpected behaviour is revealed, which is expected to inhibit strong authentication guarantees in some implementations of the protocol.
Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate
- Computer Science, Mathematics; 2017 IEEE Symposium on Security and Privacy (SP)
- 2017
A methodology is presented for developing verified symbolic and computational models of TLS 1.3 hand-in-hand with a high-assurance reference implementation of the protocol, together with a computational CryptoVerif model of TLS 1.3 Draft-18 and a proof of its security.
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates
- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2015
A cryptographic analysis of the primary ephemeral Diffie-Hellman-based handshake protocol of both TLS 1.3 candidates is given, showing that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare-Rogaway model.
Using a Dual-Layer Specification to Offer Selective Interoperability for Uptane
- Computer Science
- 2020
This work introduces the concept of a dual-layer specification structure for standards that separates interoperability functions, such as backwards compatibility, localization, and deployment, from…
Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session Confusion
- Computer Science; NDSS
- 2019
Fine-grained formal analysis of 5G’s main authentication and key agreement protocol (AKA) is performed, and the first models to explicitly consider all parties defined by the protocol specification are provided, demonstrating the fragility and subtle trust assumptions of the 5G-AKA protocol.
Towards Securing the Internet of Things with QUIC
- Computer Science
- 2020
This paper is the first to evaluate the feasibility of deploying QUIC, a new UDP-based transport protocol currently undergoing IETF standardization, directly on resource-constrained IoT devices, and finds that a minimal standards-compliant QUIC client currently requires approximately 58 to 63 KB of flash.
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol
- Computer Science, Mathematics
- 2020
This analysis, in the reductionist security framework, uses a multi-stage key exchange security model in which each of the many session keys derived in a single TLS 1.3 handshake is tagged with various properties, and establishes that the handshake yields session keys with their desired security properties under standard cryptographic assumptions.
Continuous Verification for Cryptographic Protocol Development
- Computer Science, Mathematics; SafeThings@SenSys
- 2017
The power of continuous verification is illustrated by discovering flaws in the protocols using the Cryptographic Protocol Shapes Analyzer, identifying the corresponding fixes based on the feedback provided by CPSA, and demonstrating that verifiable models can be intuitive, concise and suitable for inclusion in standards to enable third-party verification and future modifications.
Secure authentication in the grid: A formal analysis of DNP3 SAv5
- Computer Science; J. Comput. Secur.
- 2019
This work provides the first security analysis of the complete DNP3: SAv5 protocol and formally models and analyses the complex composition of the protocol's sub-protocols, leading to several concrete recommendations for improving future versions of the standard.
Secure Authentication in the Grid: A Formal Analysis of DNP3: SAv5
- Computer Science; ESORICS
- 2017
This work provides the first security analysis of the complete DNP3: SAv5 protocol and formally models and analyses the complex composition of the protocol's three sub-protocols, using the Tamarin prover for the symbolic analysis of security protocols.
References
Showing 1-10 of 85 references
The OPTLS Protocol and TLS 1.3
- Computer Science; 2016 IEEE European Symposium on Security and Privacy (EuroS&P)
- 2016
The OPTLS key-exchange protocol is presented, together with its design rationale and cryptographic analysis, and a simple design framework that supports all the requirements listed in the paper with a uniform and modular logic that helps in the specification, analysis, performance optimization, and future maintenance of the protocol.
Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication
- Computer Science; 2016 IEEE Symposium on Security and Privacy (SP)
- 2016
This work models and analyses revision 10 of the TLS 1.3 specification using the Tamarin prover, a tool for the automated analysis of security protocols, and shows the strict necessity of recent suggestions to include more information in the protocol's signature contents.
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates
- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2015
A cryptographic analysis of the primary ephemeral Diffie-Hellman-based handshake protocol of both TLS 1.3 candidates is given, showing that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare-Rogaway model.
Multiple Handshakes Security of TLS 1.3 Candidates
- Computer Science; 2016 IEEE Symposium on Security and Privacy (SP)
- 2016
This paper presents the first formal treatment of the multiple-handshake protocols of the TLS 1.3 draft, and introduces a multi-level&stage security model, an adaptation of the Bellare-Rogaway authenticated key exchange model, covering all kinds of compositional interactions between different TLS handshake modes and providing reasonably strong security guarantees.
The TLS Handshake Protocol: A Modular Analysis
- Computer Science, Mathematics; Journal of Cryptology
- 2009
The main contribution of the paper is a modular and generic proof of security for a slightly modified version of TLS, which shows that the protocol is secure even if the pre-master and master keys satisfy only weak security requirements.
On the Security of the TLS Protocol: A Systematic Analysis
- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2013
This paper shows how to extract a key-encapsulation mechanism (KEM) from the TLS Handshake Protocol, and how the security of the entire TLS protocol follows from security properties of this KEM when composed with a secure authenticated encryption scheme in the Record Protocol.
Standardization Transparency - An Out of Body Experience
- Computer Science; SSR
- 2014
Recommendations are proposed on actions standards setting organizations can take to broaden participation in the selection of techniques for standardization and to strengthen communications between standards developers and the research community.
Downgrade Resilience in Key-Exchange Protocols
- Computer Science, Mathematics; 2016 IEEE Symposium on Security and Privacy (SP)
- 2016
The causes of downgrade attacks are studied by dissecting and classifying known and novel attacks against widely used protocols; patterns that guarantee downgrade security by design are discussed, along with how to use them to strengthen the security of existing protocols.
(De-)Constructing TLS
- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2014
A modular security analysis of the handshake in TLS version 1.3 is provided and new insights into the intrinsic problems incurred by a non-modular protocol design such as that of TLS are suggested.
FLEXTLS: A Tool for Testing TLS Implementations
- Computer Science; WOOT
- 2015
FLEXTLS was used to discover recent attacks on TLS implementations, such as SKIP and FREAK, as well as to program the first proof-of-concept demos for FREAK and Logjam and to experiment with proposed designs of the upcoming version 1.3 of TLS.