The OPTLS protocol and TLS 1.3

Proceedings - 2016 IEEE European Symposium on Security and Privacy, EURO S and P 2016

Volumn , Issue , 2016, Pages 81-96

  Krawczyk, Hugo ^a   Wee, Hoeteck ^b  

^a IBM RESEARCH   (United States)

^b ECOLE NORMALE SUPÉRIEURE   (France)

Author keywords

[No Author keywords available]

Indexed keywords

CRYPTOGRAPHY; DESIGN; SPECIFICATIONS;

DESIGN FRAMEWORKS; FUNCTIONAL FEATURES; HANDSHAKE PROTOCOL; KEY EXCHANGE PROTOCOLS; MANDATORY REQUIREMENT; PERFECT FORWARD SECRECY; PERFORMANCE OPTIMIZATIONS; ROUND-TRIP TIME;

SEEBECK EFFECT;

EID: 84978127426     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/EuroSP.2016.18     Document Type: Conference Paper

References (56)

1. M. Abdalla, M. Bellare, and P. Rogaway. The oracle Diffie-Hellman assumptions and an analysis of DHIES. In CT-RSA, pages 143-158, 2001
2. N. AlFardan and K. G. Paterson. Plaintext-recovery attacks against Datagram TLS. In Network and Distributed System Security Symposium (NDSS 2012), 2012
3. N. AlFardan and K. G. Paterson. Lucky thirteen: Breaking the TLS and DTLS record protocols. In IEEE Symposium on Security and Privacy, 2013. URL www.isg.rhul.ac.uk/tls/Lucky13.html
4. N. AlFardan, D. J. Bernstein, K. G. Paterson, B. Poettering, and J. C. Schuldt. On the security of RC4 in TLS and WPA. In USENIX Security Symposium, 2013. URL www.isg.rhul. ac.uk/tls
5. G. V. Bard. The vulnerability of SSL to chosen plaintext attack. IACR Cryptology ePrint Archive, 2004:111, 2004
6. G. V. Bard. A challenging but feasible blockwise-Adaptive chosen-plaintext attack on SSL. In SECRYPT, pages 99-109, 2006
7. M. Bellare and P. Rogaway. Entity authentication and key distribution. In D. R. Stinson, editor, CRYPTO, volume 773 of Lecture Notes in Computer Science, pages 232-249. Springer, 1993. ISBN 3-540-57766-1
8. M. Bellare and P. Rogaway. Entity authentication and key distribution. In CRYPTO, pages 232-249, 1993
9. M. Bellare, T. Kohno, and C. Namprempre. Authenticated encryption in SSH: provably fixing the SSH binary packet protocol. In ACM Conference on Computer and Communications Security, pages 1-11, 2002
10. B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P. Strub, and J. K. Zinzindohoue. A messy state of the union: Taming the composite state machines of TLS. In IEEE Symposium on Security and Privacy, 2015
11. K. Bhargavan, C. Fournet, R. Corin, and E. Zalinescu. Verified cryptographic implementations for TLS. ACM Trans. Inf. Syst. Secur., 15(1):3, 2012
12. K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, and P.-Y. Strub. Implementing TLS with verified cryptographic security. In IEEE Symposium on Security and Privacy, 2013. URL http://mitls.rocq.inria.fr/
13. K. Bhargavan, A. Delignat-Lavaud, C. Fournet, A. Pironti, and P. Strub. Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS. In 2014 IEEE Symposium on Security and Privacy, SP, pages 98-113, 2014
14. K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, P. Strub, and S. Z. Béguelin. Proving the TLS handshake secure (as it is). In CRYPTO II, pages 235-255, 2014
15. K. Bhargavan, A. Delignat-Lavaud, and A. Pironti. Verified contributive channel bindings for compound authentication. In NDSS, 2015
16. K. Bhargavan, A. Delignat-Lavaud, A. Pironti, A. Langley, and M. Ray. Transport layer security (TLS) session hash and extended master secret extension, Sept. 2015. URL http://www.rfc-editor.org/rfc/rfc7627.txt
17. D. Bleichenbacher. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In CRYPTO, pages 1-12, 1998
18. C. Brzuska, M. Fischlin, B. Warinschi, and S. C. Williams. Composability of Bellare-Rogaway key exchange protocols. In ACM Conference on Computer and Communications Security, pages 51-62, 2011
19. C. Brzuska, M. Fischlin, N. P. Smart, B. Warinschi, and S. C. Williams. Less is more: relaxed yet composable security notions for key exchange. Int. J. Inf. Sec., 12(4):267-297, 2013. Cryptology ePrint Archive, Report 2012/242
20. R. Canetti and H. Krawczyk. Analysis of key-exchange protocols and their use for building secure channels. In EUROCRYPT, pages 453-474, 2001. See also Cryptology ePrint Archive, Report 2001/040
21. R. Canetti and H. Krawczyk. Security analysis of IKE?s signature-based key-exchange protocol. In CRYPTO, pages 143-161, 2002. Also Cryptology ePrint Archive, Report 2002/120
22. R. Canetti and H. Krawczyk. Universally composable notions of key exchange and secure channels. In EUROCRYPT, pages 337-351, 2002. See also Cryptology ePrint Archive, Report 2002/059
23. B. Canvel, A. P. Hiltgen, S. Vaudenay, and M. Vuagnoux. Password Interception in a SSL/TLS Channel. In CRYPTO, pages 583-599, 2003
24. C. Cremers, M. Horvat, S. Scott, and T. van der Merwe. Automated verification of TLS 1.3: 0-RTT, resumption and delayed authentication, 2016
25. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.1, Apr. 2006. URL http://www. rfc-editor.org/rfc/rfc4346.txt
26. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2, Aug. 2008. URL http://www. rfc-editor.org/rfc/rfc5246.txt
27. B. Dowling, M. Fischlin, F. Günther, and D. Stebila. A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In ACM CCS, 2015. Also, Cryptology ePrint Archive, Report 2015/914
28. T. Duong and J. Rizzo. Here come the Ninjas. Unpublished manuscript, 2011
29. T. Duong and J. Rizzo. The CRIME attack. Presentation at ekoparty Security Conference, 2012. URL http://www. ekoparty.org/eng/2012/juliano-rizzo.php
30. M. Fischlin and F. Günther. Multi-stage key exchange and the case of Google?s QUIC protocol. In ACM CCS, pages 1193-1204, 2014
31. F. Giesen, F. Kohlar, and D. Stebila. On the security of TLS renegotiation. In ACM CCS, pages 387-398, 2013
32. S. Halevi and H. Krawczyk. One-pass HMQV and asymmetric key-wrapping. In PKC 2011, pages 317-334, 2011
33. C. He, M. Sundararajan, A. Datta, A. Derek, and J. C. Mitchell. A modular correctness proof of IEEE 802.11i and TLS. In ACM CCS, pages 2-15, 2005
34. T. Jager, F. Kohlar, S. Schäge, and J. Schwenk. On the security of TLS-DHE in the standard model. In CRYPTO, pages 273-293, 2012. Also Cryptology ePrint Archive, Report 2011/219
35. T. Jager, J. Schwenk, and J. Somorovsky. On the security of TLS 1.3 and QUIC against weaknesses in PKCS#1 v1.5 encryption. In ACM CCS, 2015
36. J. Jonsson and B. S. Kaliski Jr. On the security of RSA encryption in TLS. In CRYPTO, pages 127-142, 2002
37. V. Klíma, O. Pokorný, and T. Rosa. Attacking RSA-based sessions in SSL/TLS. In CHES, pages 426-440, 2003
38. M. Kohlweiss, U. Maurer, C. Onete, B. Tackmann, and D. Venturi. (De-)constructing TLS. Cryptology ePrint Archive, Report 2014/020, 2014. revised Apr 2015
39. H. Krawczyk. The order of encryption and authentication for protecting communications (or: How secure is SSL?). In CRYPTO, pages 310-331, 2001
40. H. Krawczyk. SIGMA: The SIGn-And-MAc approach to authenticated Diffie-Hellman and its use in the IKE protocols. In CRYPTO, pages 400-425, 2003
41. H. Krawczyk. Cryptographic extraction and key derivation: The HKDF scheme. In CRYPTO, pages 631-648, 2010
42. H. Krawczyk and P. Eronen. HMAC-based extract-Andexpand key derivation function (HKDF), May 2010. URL http://www.rfc-editor.org/rfc/rfc5869.txt
43. H. Krawczyk, K. G. Paterson, and H. Wee. On the security of the TLS protocol: A systematic analysis. In CRYPTO (1), pages 429-448, 2013. Also, Cryptology ePrint Archive, Report 2013/339
44. A. Langley and W.-T. Chang. QUIC crypto, 2013. URL http://tinyurl.com/lrrjyjs
45. Y. Li, S. Schäge, Z. Yang, F. Kohlar, and J. Schwenk. On the security of the pre-shared key ciphersuites of TLS. In PKC, pages 669-684, 2014
46. R. Lychev, S. Jero, A. Boldyreva, and C. Nita-Rotaru. How secure and quick is QUIC? provable security and performance analyses. In IEEE Symposium on Security and Privacy, pages 214-231, 2015
47. U. Maurer and B. Tackmann. On the soundness of authenticate-Then-encrypt: formalizing the malleability of symmetric encryption. In ACM CCS, pages 505-515, 2010
48. N. Mavrogiannopoulos, F. Vercauteren, V. Velichkov, and B. Preneel. A cross-protocol attack on the TLS protocol. In ACM CCS, pages 62-72, 2012
49. B. Moeller. Security of CBC ciphersuites in SSL/TLS: Problems and countermeasures. Unpublished manuscript, May 2004. http://www.openssl.org/bodo/tls-cbc.txt
50. P. Morrissey, N. P. Smart, and B. Warinschi. A modular security analysis of the TLS handshake protocol. In ASIACRYPT, pages 55-73, 2008
51. K. G. Paterson, T. Ristenpart, and T. Shrimpton. Tag size does matter: Attacks and proofs for the TLS record protocol. In ASIACRYPT, pages 372-389, 2011
52. L. C. Paulson. Inductive analysis of the internet protocol TLS. ACM Trans. Inf. Syst. Secur., 2(3):332-351, 1999
53. E. Rescorla. The transport layer security (TLS) protocol version 1.3 (draft 09), Oct. 2015. URL https://tools.ietf.org/html/draft-ietf-Tls-Tls13-09
54. E. Rescorla. The transport layer security (TLS) protocol version 1.3 (draft 11), Dec. 2015. URL https://tools.ietf.org/html/draft-ietf-Tls-Tls13-11
55. S. Vaudenay. Security Flaws Induced by CBC Padding-Applications to SSL, IPSEC, WTLS . In EUROCRYPT, pages 534-546, 2002
56. D. Wagner and B. Schneier. Analysis of the SSL 3.0 protocol. In USENIX Workshop on Electronic Commerce, pages 29-40, 1996