Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate

@article{Bhargavan2017VerifiedMA,
  title={Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate},
  author={Karthikeyan Bhargavan and Bruno Blanchet and Nadim Kobeissi},
  journal={2017 IEEE Symposium on Security and Privacy (SP)},
  year={2017},
  pages={483-502}
}
TLS 1.3 is the next version of the Transport Layer Security (TLS) protocol. Its clean-slate design is a reaction both to the increasing demand for low-latency HTTPS connections and to a series of recent high-profile attacks on TLS. The hope is that a fresh protocol with modern cryptography will prevent legacy problems; the danger is that it will expose new kinds of attacks, or reintroduce old flaws that were fixed in previous versions of TLS. After 18 drafts, the protocol is nearing completion…

A Comprehensive Symbolic Analysis of TLS 1.3
TLDR
The most comprehensive, faithful, and modular symbolic model of the TLS 1.3 draft 21 release candidate is constructed, and an unexpected behaviour is revealed, which is expected to inhibit strong authentication guarantees in some implementations of the protocol.
The Era of TLS 1.3: Measuring Deployment and Use with Active and Passive Methods
TLDR
This study conducts the first study of TLS 1.3 deployment and use since its standardization by the IETF and establishes and investigates the critical contribution that hosting services and CDNs make to the fast, initial uptake of the protocol.
Tracking the deployment of TLS 1.3 on the web
TLDR
It is shown that Cloudflare alone brings deployment to sizable numbers, and it is described how actors like Facebook and Google use their control over both client and server endpoints to experiment with the protocol and ultimately deploy it at scale.
Formal Analysis of 5G EAP-TLS Authentication Protocol Using Proverif
TLDR
This work builds the first formal model of the 5G EAP-TLS authentication protocol in the applied pi calculus, and performs an automated security analysis of the formal protocol model by using the ProVerif model checker.
Selfie: reflections on TLS 1.3 with PSK
TLDR
The root cause of this TLS 1.3 vulnerability is explained, a fully detailed demonstration of a Selfie attack using the TLS implementation of OpenSSL is given, and a mitigation is proposed.
A Formal Treatment of Accountable Proxying Over TLS
TLDR
A provably-secure alternative to the soon-to-be-standardized mcTLS is proposed: a generic and modular protocol design that carefully composes generic secure channel-establishment protocols, which are proved secure.
A Security Model and Fully Verified Implementation for the IETF QUIC Record Layer
TLDR
It is shown that QUIC uses an instance of a generic construction parameterized by a standard AEAD-secure scheme and a PRF-secure cipher, and a provably-safe implementation of the rest of the QUIC protocol is developed, which achieves nearly 2 GB/s throughput.
Secure Communication Channel Establishment: TLS 1.3 (over TCP Fast Open) versus QUIC
TLDR
A detailed comparison of three low-latency layered protocols is provided, and it is shown that TFO’s cookie mechanism does provably achieve the security goal of IP spoofing prevention, and several new availability attacks that manipulate the early key exchange packets without being detected by the communicating parties are found.
A Formal Analysis of the FIDO UAF Protocol
TLDR
This paper presents a comprehensive and formal verification of the FIDO UAF protocol by formalizing its security assumptions and goals and modeling the protocol under different scenarios in ProVerif, and identifies the minimal security assumptions required for each of the security goals of FIDO UAF to hold.
Secure Communication Channel Establishment: TLS 1.3 (over TCP Fast Open) vs. QUIC
TLDR
This work is the first to thoroughly compare the security and availability properties of TLS 1.3, QUIC, and TFO over UDP, and develops novel security models that permit “layered” security analysis.
References

The OPTLS Protocol and TLS 1.3
  • H. Krawczyk, H. Wee
  • Computer Science
    2016 IEEE European Symposium on Security and Privacy (EuroS&P)
  • 2016
TLDR
The OPTLS key-exchange protocol is presented, together with its design, rationale and cryptographic analysis, and a simple design framework that supports all the above requirements with a uniform and modular logic that helps in the specification, analysis, performance optimization, and future maintenance of the protocol.
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates
TLDR
A cryptographic analysis of the primary ephemeral Diffie-Hellman-based handshake protocol of both TLS 1.3 candidates, which shows that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare-Rogaway model.
Implementing TLS with Verified Cryptographic Security
TLDR
A verified reference implementation of TLS 1.2 is developed, including security specifications for its main components, such as authenticated stream encryption for the record layer and key establishment for the handshake, and typecheck the protocol state machine.
Multiple Handshakes Security of TLS 1.3 Candidates
TLDR
This paper presents the first formal treatment of multiple handshakes protocols of TLS 1.3 draft, and introduces a multi-level&stage security model, an adaptation of the Bellare-Rogaway authenticated key exchange model, covering all kinds of compositional interactions between different TLS handshake modes and providing reasonably strong security guarantees.
Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication
TLDR
This work models and analyses revision 10 of the TLS 1.3 specification using the Tamarin prover, a tool for the automated analysis of security protocols, and shows the strict necessity of recent suggestions to include more information in the protocol's signature contents.
A Messy State of the Union: Taming the Composite State Machines of TLS
TLDR
This work systematically tests popular open-source TLS implementations for state machine bugs and discovers several critical security vulnerabilities that have lain hidden in these libraries for years, and have now finally been patched due to the disclosures.
On the Security of TLS-DHE in the Standard Model
TLDR
The notion of authenticated and confidential channel establishment ACCE is defined as a new security model which captures precisely the security properties expected from TLS in practice, and the combination of the TLS Handshake with data encryption in the TLS Record Layer can be proven secure in this model.
On the Security of the TLS Protocol: A Systematic Analysis
TLDR
This paper shows how to extract a key-encapsulation mechanism (KEM) from the TLS Handshake Protocol, and how the security of the entire TLS protocol follows from security properties of this KEM when composed with a secure authenticated encryption scheme in the Record Protocol.
Lucky Thirteen: Breaking the TLS and DTLS Record Protocols
TLDR
This paper presents distinguishing and plaintext recovery attacks against TLS and DTLS, based on a delicate timing analysis of decryption processing in the two protocols.
Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks
TLDR
Four new Bleichenbacher side channels are presented, and two of them provide the first timing-based Bleichenbacher attacks on SSL/TLS described in the literature, with timing differences between 1 and 23 microseconds.