Implementing TLS with verified cryptographic security

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2013, Pages 445-459

  Bhargavan, Karthikeyan ^a   Fournet, Cédric ^b   Kohlweiss, Markulf ^b   Pironti, Alfredo ^a   Strub, Pierre Yves ^c  

^a INRIA ROCQUENCOURT   (France)

^b MICROSOFT RESEARCH   (United States)

^c MDEA Software ^*  (United States)

Author keywords

Formal Verification; Provable Security; Security Protocol Implementation; Transport Layer Security

Indexed keywords

COMPUTATIONAL ASSUMPTIONS; CRYPTOGRAPHIC ALGORITHMS; CRYPTOGRAPHIC PRIMITIVES; FORMAL VERIFICATIONS; PROVABLE SECURITY; REFERENCE IMPLEMENTATION; SECURITY PROTOCOLS; TRANSPORT LAYER SECURITY;

AUTHENTICATION; CRYPTOGRAPHY; INTERNET PROTOCOLS;

SEEBECK EFFECT;

EID: 84881234333     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2013.37     Document Type: Conference Paper

References (57)

1. T. Acar, M. Belenkiy, M. Bellare, and D. Cash. Cryptographic agility and its relation to circular encryption. In EUROCRYPT, pages 403-422, 2010.
2. A. Askarov, D. Zhang, and A. C. Myers. Predictive black-box mitigation of timing channels. In CCS, pages 297-307, 2010.
3. M. Avalle, A. Pironti, D. Pozza, and R. Sisto. JavaSPI: A framework for security protocol implementation. International J. of Secure Software Engineering, 2:34-48, 2011.
4. M. Backes and B. Pfitzmann. Symmetric Encryption in a Simulatable Dolev-Yao Style Cryptographic Library. In CSFW, pages 204-218, 2004.
5. M. Backes, C. Hritcu, M. Maffei, and T. Tarrach. Type-checking implementations of protocols based on zero-knowledge proofs. In FCS, 2009.
6. M. Backes, M. Maffei, and D. Unruh. Computational sound verification of source code. In CCS, 2010.
7. M. Backes, C. Hriţcu, and M. Maffei. Union and intersection types for secure protocol implementations. In TOSCA'11, pages 1-28, 2012.
8. M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A concrete security treatment of symmetric encryption. In FOCS, pages 394-403, 1997.
9. J. Bengtson, K. Bhargavan, C. Fournet, A. D. Gordon, and S. Maffeis. Refinement types for secure implementations. ACM TOPLAS, 33(2):8, 2011.
10. K. Bhargavan, C. Fournet, and A. D. Gordon. Modular verification of security protocol code by typing. In POPL, pages 445-456, 2010.
11. K. Bhargavan, C. Fournet, R. Corin, and E. Zǎlinescu. Verified Cryptographic Implementations for TLS. ACM TISSEC, 15(1):1-32, 2012.
12. B. Blanchet. An efficient cryptographic protocol verifier based on Prolog rules. In CSFW, pages 82-96, 2001.
13. B. Blanchet. A computationally sound mechanized prover for security protocols. In IEEE S&P, pages 140-154, 2006.
14. D. Bleichenbacher. Chosen ciphertext attacks against protocols based on RSA encryption standard PKCS #1. In CRYPTO'98, pages 1-12, 1998.
15. B. Brumley, M. Barbosa, D. Page, and F. Vercauteren. Practical realisation and elimination of an ECC-related software bug attack. In CT-RSA, 2011.
16. D. Brumley and D. Boneh. Remote timing attacks are practical. In USENIX Security, pages 1-14, 2003.
17. B. Canvel, A. P. Hiltgen, S. Vaudenay, and M. Vuagnoux. Password interception in a ssl/tls channel. In CRYPTO, pages 583-599, 2003.
18. S. Chaki and A. Datta. ASPIER: An automated framework for verifying security protocol implementations. In CSF 2009, pages 172-185, 2009.
19. L. de Moura and N. Bjørner. Z3: An efficient SMT solver. In TACAS, volume 4963, 2008.
20. G. Díaz, F. Curtero, V. Valero, and F. Pelayo. Automatic verification of the TLS handshake protocol. In SAC, pages 789-794, 2004.
21. T. Dierks and C. Allen. The TLS Protocol Version 1.0. RFC 2246, 1999.
22. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346, 2006.
23. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246, 2008.
24. T. Duong and J. Rizzo. The CRIME attack. 2012. Ekoparty.
25. K. P. Dyer, S. E. Coull, T. Ristenpart, and T. Shrimpton. Peek-a-boo, I still see you: Why efficient traffic analysis countermeasures fail. In IEEE S&P, pages 332-346, 2012.
26. P.-A. Fouque, D. Pointcheval, and S. Zimmer. Hmac is a randomness extractor and applications to tls. In ASIACCS, pages 21-32, 2008.
27. C. Fournet, M. Kohlweiss, and P.-Y. Strub. Modular code-based cryptographic verification. In ACM CCS, pages 341-350, 2011.
28. A. Freier, P. Karlton, and P. Kocher. The secure sockets layer (SSL) protocol version 3.0 - 1996. RFC 6101, 2011.
29. S. Gajek, M. Manulis, O. Pereira, A.-R. Sadeghi, and J. Schwenk. Universally composable security analysis of TLS. In ProvSec, pages 313-327, 2008.
30. M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov. The most dangerous code in the world: validating SSL certificates in non-browser software. In CCS, pages 38-49, 2012.
31. S. Goldwasser, S. Micali, and R. L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput., 17(2):281-308, 1988.
32. C. He, M. Sundararajan, A. Datta, A. Derek, and J. C. Mitchell. A modular correctness proof of IEEE 802.11i and TLS. In CCS'05, pages 2-15, 2005.
33. T. Jager, F. Kohlar, S. Schäge, and J. Schwenk. On the security of TLS-DHE in the standard model. In CRYPTO, pages 273-293, 2012.
34. J. Jonsson and J. B. S. Kaliski. On the security of RSA encryption in TLS. In CRYPTO, pages 127-142, 2002.
35. J. Jürjens. Security analysis of crypto-based java programs using automated theorem provers. In ASE'06, pages 167-176, 2006.
36. A. Kamil and G. Lowe. Analysing TLS in the strand spaces model. Technical report, Oxford University Computing Laboratory, 2008.
37. J. Kelsey. Compression and information leakage of plaintext. In Fast Software Encryption, pages 95-102. IACR, 2002.
38. V. Klima, O. Pokorny, and T. Rosa. Attacking RSA-based sessions in SSL/TLS. In CHES, pages 426-440, 2003.
39. H. Krawczyk. The order of encryption and authentication for protecting communications (or: How secure is SSL?). In CRYPTO'01, 2001.
40. R. Küsters and M. Tuengerthal. Universally composable symmetric encryption. In CSF, 2009.
41. R. Küsters, T. Truderung, and J. Graf. A framework for the cryptographic verification of java-like programs. In CSF, pages 198-212, 2012.
42. A. Langley. Unfortunate current practices for HTTP over TLS, 2011. http://www.ietf.org/mail-archive/web/tls/current/msg07281.html.
43. N. M. Langley, A. and B. Moeller. Transport Layer Security (TLS) False Start. Internet Draft, 2010.
44. J. Lawall, B. Laurie, R. R. Hansen, N. Palix, and G. Muller. Finding error handling bugs in OpenSSL using coccinelle. In EDCC'10, 2010.
45. N. Mavrogiannopoulos and S. Josefsson. GnuTLS documentation on record padding, 2011. http://www.gnutls.org/manual.
46. N. Mavrogiannopoulos, F. Vercauteren, V. Velichkov, and B. Preneel. A cross-protocol attack on the tls protocol. In CCS, pages 62-72, 2012.
47. B. Moeller. Security of CBC ciphersuites in SSL/TLS: Problems and countermeasures. http://www.openssl.org/~bodo/tls-cbc.txt, 2004.
48. P. Morrissey, N. Smart, and B. Warinschi. A modular security analysis of the TLS handshake protocol. In ASIACRYPT'08, pages 55-73, 2008.
49. K. Ogata and K. Futatsugi. Equational approach to formal analysis of TLS. In ICSCS, pages 795-804, 2005.
50. K. G. Paterson, T. Ristenpart, and T. Shrimpton. Tag size does matter: Attacks and proofs for the TLS record protocol. In ASIACRYPT 2011, pages 372-389, 2011.
51. L. C. Paulson. Inductive analysis of the Internet protocol TLS. ACM TISSEC, 2(3):332-351, 1999.
52. M. Ray. Authentication gap in TLS renegotiation. http://extendedsubset. com/Renegotiating-TLS.pdf, 2009.
53. E. Rescorla, M. Ray, S. Dispensa, and N. Oskov. TLS renegotiation indication extension. RFC 5746, 2010.
54. N. Swamy, J. Chen, C. Fournet, P.-Y. Strub, K. Bhargavan, and J. Yang. Secure distributed programming with value-dependent types. In ICFP, pages 266-278, 2011.
55. S. Turner and T. Polk. Prohibiting secure sockets layer (SSL) version 2.0. RFC 6176, 2011.
56. S. Vaudenay. Security flaws induced by CBC padding - applications to SSL, IPSEC, WTLS ... In L. R. Knudsen, editor, EUROCRYPT, pages 534-546, 2002.
57. A. K. L. Yau, K. G. Paterson, and C. J. Mitchell. Padding oracle attacks on CBC-mode encryption with secret and random IVs. In FSE, pages 299-319, 2005.