A messy state of the union: Taming the composite state machines of TLS

Proceedings - IEEE Symposium on Security and Privacy

Volumn 2015-July, Issue , 2015, Pages 535-552

  Beurdouche, Benjamin ^a   Bhargavan, Karthikeyan ^a   Delignat Lavaud, Antoine ^a   Fournet, Cédric ^b   Kohlweiss, Markulf ^b   Pironti, Alfredo ^a   Strub, Pierre Yves ^c   Zinzindohoue, Jean Karim ^a,d  

^a INRIA ROCQUENCOURT   (France)

^b MICROSOFT RESEARCH   (United States)

^c IMDEA SOFTWARE INSTITUTE   (Spain)

^d UNIVERSITÉ PARIS EST   (France)

Author keywords

cryptographic protocols; formal methods; man in the middle attacks; software verification; Transport Layer Security

Indexed keywords

CRYPTOGRAPHY; FORMAL METHODS; FORMAL VERIFICATION; LIBRARIES; NETWORK SECURITY; OPEN SOURCE SOFTWARE; OPEN SYSTEMS; TRANSPORT LAYER;

CRYPTOGRAPHIC PROTOCOLS; DIFFERENT PROTOCOLS; MAN IN THE MIDDLE ATTACKS; MESSAGE SEQUENCES; SECURITY VULNERABILITIES; SOFTWARE VERIFICATION; TRANSPORT LAYER SECURITY; TRANSPORT LAYER SECURITY PROTOCOLS;

SEEBECK EFFECT;

EID: 84940995903     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2015.39     Document Type: Conference Paper

References (38)

1. T. Dierks and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2," IETF RFC 5246, 2008.
2. T. Jager, F. Kohlar, S. Schäge, and J. Schwenk, "On the security of TLS-DHE in the standard model," in CRYPTO, 2012.
3. H. Krawczyk, K. G. Paterson, and H. Wee, "On the security of the TLS protocol: A systematic analysis," in CRYPTO, 2013.
4. Y. Li, S. Schäge, Z. Yang, F. Kohlar, and J. Schwenk, "On the security of the pre-shared key ciphersuites of TLS," in Public-Key Cryptography, 2014.
5. K. G. Paterson, T. Ristenpart, and T. Shrimpton, "Tag size does matter: Attacks and proofs for the TLS record protocol," in ASIACRYPT, 2011.
6. T. Dierks and C. Allen, "The TLS protocol version 1.0," IETF RFC 2246, 1999.
7. T. Dierks and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1," IETF RFC 4346, 2006.
8. K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, and P. Strub, "Implementing TLS with verified cryptographic security," in IEEE S&P (Oakland), 2013.
9. P. Cuoq, F. Kirchner, N. Kosmatov, V. Prevosto, J. Sig-noles, and B. Yakobowski, "Frama-C," in Software Engineering and Formal Methods, 2012.
10. J. Salowey, H. Zhou, P. Eronen, and H. Tschofenig, "TLS session resumption without server-side state," IETF RFC 5077, 2008.
11. N. M. Langley, A. and B. Moeller, "Transport Layer Security (TLS) False Start," Internet Draft, 2010.
12. K. Bhargavan, A. D. Lavaud, C. Fournet, A. Pironti, and P.-Y. Strub, "Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS," in IEEE S&P (Oakland), 2014.
13. C. Soghoian and S. Stamm, "Certified lies: Detecting and defeating government interception attacks against SSL," in Financial Cryptography, 2012.
14. S. Cavallar, B. Dodson, A. Lenstra, W. Lioen, P. Montgomery, B. Murphy, H. te Riele, K. Aardal, J. Gilchrist, G. Guillerm, P. Leyland, J. Marchand, F. Morain, A. Muf-fett, C. Putnam, and P. Zimmermann, "Factorization of a 512-bit rsa modulus," in EUROCRYPT, 2000.
15. Z. Durumeric, E. Wustrow, and J. A. Halderman, "ZMap: Fast Internet-wide scanning and its security applications," in USENIX Security, 2013.
16. F. Bergsma, B. Dowling, F. Kohlar, J. Schwenk, and D. Stebila, "Multi-ciphersuite security of the Secure Shell (SSH) protocol," in ACM CCS, 2014.
17. N. Mavrogiannopoulos, F. Vercauteren, V. Velichkov, and B. Preneel, "A cross-protocol attack on the TLS protocol," in ACM CCS, 2012.
18. T. Dierks and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.3," Internet Draft, 2014.
19. K. Bhargavan, A. Delignat-Lavaud, A. Pironti, A. Lan-gley, and M. Ray, "Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension," IETF Internet Draft, 2014.
20. K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, and S. Zanella-Béguelin, "Proving the TLS handshake secure (as it is)," in CRYPTO, 2014.
21. J. B. Almeida, M. Barbosa, G. Barthe, and F. Dupressoir, "Certified computer-aided cryptography: efficient prov-ably secure machine code from high-level implementations," in ACM CCS, 2013.
22. C. Meyer and J. Schwenk, "Lessons learned from previous SSL/TLS attacks-A brief chronology of attacks and weaknesses," IACR Cryptology ePrint Archive, Report 2013/049, 2013.
23. D. Wagner and B. Schneier, "Analysis of the SSL 3.0 protocol," in USENIX Electronic Commerce, 1996.
24. M. Ray and S. Dispensa, "Renegotiating TLS," 2009.
25. E. Rescorla, M. Ray, S. Dispensa, and N. Oskov, "TLS renegotiation indication extension," IETF RFC 5746, 2010.
26. D. Bleichenbacher, "Chosen ciphertext attacks against protocols based on RSA encryption standard PKCS #1," in CRYPTO, 1998.
27. V. Klima, O. Pokorny, and T. Rosa, "Attacking RSA-based sessions in SSL/TLS," in CHES, 2003.
28. C. Meyer, J. Somorovsky, E. Weiss, J. Schwenk, S. Schinzel, and E. Tews, "Revisiting SSL/TLS implementations: New bleichenbacher side channels and attacks," in USENIX Security, 2014.
29. S. Vaudenay, "Security flaws induced by CBC padding-applications to SSL, IPSEC, WTLS." in EUROCRYPT, 2002.
30. N. J. AlFardan and K. G. Paterson, "Lucky thirteen: breaking the TLS and DTLS record protocols," in IEEE S&P (Oakland), 2013.
31. T. Jager, K. G. Paterson, and J. Somorovsky, "One bad apple: Backwards compatibility attacks on state-of-the-art cryptography," in NDSS, 2013.
32. K. Bhargavan, C. Fournet, R. Corin, and E. Zəlinescu, "Verified Cryptographic Implementations for TLS," ACM TISSEC, vol. 15, no. 1, pp. 1-32, 2012.
33. S. Chaki and A. Datta, "ASPIER: An automated framework for verifying security protocol implementations," in IEEE CSF, 2009.
34. J. Jürjens, "Security analysis of crypto-based java programs using automated theorem provers," in Automated Software Engineering, 2006.
35. M. Avalle, A. Pironti, D. Pozza, and R. Sisto, "JavaSPI: A framework for security protocol implementation," International Journal of Secure Software Engineering, vol. 2, p. 34-48, 2011.
36. J. Goubault-Larrecq and F. Parrennes, "Cryptographic protocol analysis on real C code," in Verification, Model Checking, and Abstract Interpretation, 2005.
37. F. Dupressoir, A. D. Gordon, J. Jürjens, and D. A. Naumann, "Guiding a general-purpose C verifier to prove cryptographic protocols," Journal of Computer Security, vol. 22, no. 5, pp. 823-866, 2014.
38. J. Lawall, B. Laurie, R. R. Hansen, N. Palix, and G. Muller, "Finding error handling bugs in OpenSSL using Coccinelle," in European Dependable Computing Conference, 2010.