Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication

Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016

Volumn , Issue , 2016, Pages 470-485

  Cremers, Cas ^a   Horvat, Marko ^a   Scott, Sam ^b   Merwe, Thyla Van Der ^b  

^a UNIVERSITY OF OXFORD   (United Kingdom)

^b UNIVERSITY OF LONDON   (United Kingdom)

Author keywords

[No Author keywords available]

Indexed keywords

AUTHENTICATION; NETWORK SECURITY; SPECIFICATIONS;

AUTHENTICATED KEY EXCHANGE; AUTOMATED ANALYSIS; CLIENT AUTHENTICATION; COMPLEX PROTOCOLS; DEVELOPMENT PROCESS; MODE INTERACTIONS; MUTUAL AUTHENTICATION; SECURITY PROTOCOLS;

SEEBECK EFFECT;

EID: 84987660705     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2016.35     Document Type: Conference Paper

References (55)

1. Archive with TLS 1.3 Rev 10 models and property specifications for the Tamarin prover, 2015. http://tls13tamarin.github.io/ TLS13Tamarin
2. D. Adrian, K. Bhargavan, Z. Durumeric, P. Gaudry, M. Green, J. A. Halderman, N. Heninger, D. Springall, E. Thom, L. Valenta, B. VanderSloot, E. Wustrow, S. Zanella-Bguelin, and P. Zimmermann. Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice, 2015. https://weakdh.org/imperfect-forward-secrecy.pdf
3. N. J. AlFardan, D. J. Bernstein, K. G. Paterson, B. Poettering, and J. C. N. Schuldt. On the Security of RC4 in TLS. In Proceedings of the 22th USENIX Security Symposium, Washington, DC, USA, August 14-16, 2013, pages 305-320, 2013
4. N. J. AlFardan and K. G. Paterson. Plaintext-Recovery Attacks Against Datagram TLS. In 19th Annual Network and Distributed System Security Symposium, NDSS 2012, San Diego, California, USA, February 5-8, 2012, 2012
5. N. J. AlFardan and K. G. Paterson. Lucky Thirteen: Breaking the TLS and DTLS Record Protocols. In 2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, CA, USA, May 19-22, 2013, pages 526-540, 2013
6. G. V. Bard. The Vulnerability of SSL to Chosen Plaintext Attack. IACR Cryptology ePrint Archive, 2004:111, 2004
7. G. V. Bard. A Challenging but Feasible Blockwise-Adaptive Chosen-Plaintext Attack on SSL. In SECRYPT 2006, Proceedings of the International Conference on Security and Cryptography, Setubal, Portugal, August 7-10, 2006, SECRYPT is part of ICETE-The International Joint Conference on e-Business and Telecommunications, pages 99-109, 2006
8. D. Basin, C. Cremers, and M. Horvat. Actor key compromise: Consequences and countermeasures. In Proc. of the 27th IEEE Computer Security Foundations Symposium (CSF), 2014
9. M. Bellare and C. Namprempre. Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm. In T. Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 531-545. Springer Berlin Heidelberg, 2000
10. B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P. Strub, and J. K. Zinzindohoue. A Messy State of the Union: Taming the Composite State Machines of TLS. In 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, May 17-21, 2015, pages 535-552, 2015
11. K. Bhargavan, A. Delignat-Lavaud, C. Fournet, A. Pironti, and P. Strub. Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS. In 2014 IEEE Symposium on Security and Privacy, SP 2014, Berkeley, CA, USA, May 18-21, 2014, pages 98-113, 2014
12. K. Bhargavan, C. Fournet, R. Corin, and E. Zalinescu. Verified Cryptographic Implementations for TLS. ACM Trans. Inf. Syst. Secur., 15(1):3, 2012
13. K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, and P. Strub. Implementing TLS with Verified Cryptographic Security. In 2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, CA, USA, May 19-22, 2013, pages 445-459, 2013
14. K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, P. Strub, and S. Z. Beguelin. Proving the TLS Handshake Secure (as it is). IACR Cryptology ePrint Archive, 2014:182, 2014
15. D. Bleichenbacher. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1. In Advances in Cryptology-CRYPTO '98, 18th Annual International Cryptology Conference, Santa Barbara, California, USA, August 23-27, 1998, Proceedings, pages 1-12, 1998
16. B. Canvel, A. P. Hiltgen, S. Vaudenay, and M. Vuagnoux. Password Interception in a SSL/TLS Channel. In Advances in Cryptology-CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, California, USA, August 17-21, 2003, Proceedings, pages 583-599, 2003
17. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Informational), August 2008
18. B. Dowling, M. Fischlin, F. Gunther, and D. Stebila. A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12-6, 2015, pages 1197-1210, 2015
19. T. Duong and J. Rizzo. Here Come the Ninjas. Unpublished manuscript, May 2011
20. T. Duong and J. Rizzo. The CRIME Attack. Ekoparty Security Conference presentation, 2012
21. P. Eronen and H. Krawczyk. HMAC-based Extract-and-Expand Key Derivation Function (HKDF). RFC 5869 (Informational), May 2010
22. M. Fischlin and F. Gunther. Multi-stage key exchange and the case of google's QUIC protocol. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, November 3-7, 2014, pages 1193-1204, 2014
23. F. Giesen, F. Kohlar, and D. Stebila. On the security of TLS renegotiation. In 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS'13, Berlin, Germany, November 4-8, 2013, pages 387-398, 2013
24. P. Gutmann. Encrypt-then-MAC for Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). RFC 7366 (Informational), September 2014
25. International Organization for Standardization, Geneve, Switzerland. Information technology-Security techniques-Entity authentication-Part 2: Mechanisms using symmetric encipherment algorithms. ISO/IEC 9798-2:2008/Cor 3:2013, 2013
26. T. Jager, F. Kohlar, S. Schage, and J. Schwenk. A Standard-Model Security Analysis of TLS-DHE. IACR Cryptology ePrint Archive, 2011:219, 2011
27. T. Jager, J. Schwenk, and J. Somorovsky. On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12-6, 2015, pages 1185-1196, 2015
28. J. Jonsson and B. S. Kaliski Jr. On the Security of RSA Encryption in TLS. In Advances in Cryptology-CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara, California, USA, August 18-22, 2002, Proceedings, pages 127-142, 2002
29. V. Klima, O. Pokorny, and T. Rosa. Attacking RSA-Based Sessions in SSL/TLS. In Cryptographic Hardware and Embedded Systems-CHES 2003, 5th International Workshop, Cologne, Germany, September 8-10, 2003, Proceedings, pages 426-440, 2003
30. M. Kohlweiss, U. Maurer, C. Onete, B. Tackmann, and D. Venturi. (De-)Constructing TLS. IACR Cryptology ePrint Archive, 2014:20, 2014
31. H. Krawczyk. The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?). In Advances in Cryptology-CRYPTO 2001, 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19-23, 2001, Proceedings, pages 310-331, 2001
32. H. Krawczyk. Cryptographic extraction and key derivation: The HKDF scheme. In Advances in Cryptology-CRYPTO 2010, 30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 2010. Proceedings, pages 631-648, 2010
33. H. Krawczyk. OPTLS: Signature-less TLS 1.3. TLS mailing list, November 2014. http://www.ietf.org/mail-archive/web/tls/current/ msg14385.html
34. H. Krawczyk, K. G. Paterson, and H. Wee. On the Security of the TLS Protocol: A Systematic Analysis. In Advances in Cryptology-CRYPTO 2013-33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part I, pages 429-448, 2013
35. H. Krawczyk and H. Wee. The OPTLS Protocol and TLS 1.3. IACR Cryptology ePrint Archive, 2015:978, 2015
36. A. Langley and W. Chang. QUIC Crypto, June 2013. Available at https://docs.google.com/document/d/1g5nIXAIkN Y-7XJW5K45IblHd L2f5LTaDUDwvZ5L6g
37. Y. Li, S. Schage, Z. Yang, F. Kohlar, and J. Schwenk. On the Security of the Pre-shared Key Ciphersuites of TLS. In Public-Key Cryptography-PKC 2014-17th International Conference on Practice and Theory in Public-Key Cryptography, Buenos Aires, Argentina, March 26-28, 2014. Proceedings, pages 669-684, 2014
38. G. Lowe. A Hierarchy of Authentication Specifications. In Proceedings of the 10th IEEE Workshop on Computer Security Foundations, CSFW '97, pages 31-, Washington, DC, USA, 1997. IEEE Computer Society
39. R. Lychev, S. Jero, A. Boldyreva, and C. Nita-Rotaru. How Secure and Quick is QUIC? Provable Security and Performance Analyses. In 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, May 17-21, 2015, pages 214-231, 2015
40. N. Mavrogiannopoulos, F. Vercauteren, V. Velichkov, and B. Preneel. A cross-protocol attack on the TLS protocol. In the ACM Conference on Computer and Communications Security, CCS'12, Raleigh, NC, USA, October 16-18, 2012, pages 62-72, 2012
41. D. McGrew. An Interface and Algorithms for Authenticated Encryption. RFC 5116 (Informational), January 2008
42. S. Meier. Advancing automated security protocol verification, 2013. Doctoral thesis, ETH Zurich, Switzerland
43. P. Morrissey, N. P. Smart, and B. Warinschi. A Modular Security Analysis of the TLS Handshake Protocol. IACR Cryptology ePrint Archive, 2008:236, 2008
44. K. G. Paterson, T. Ristenpart, and T. Shrimpton. Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol. In Advances in Cryptology-ASIACRYPT 2011-17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, December 4-8, 2011. Proceedings, pages 372-389, 2011
45. L. C. Paulson. Inductive Analysis of the Internet Protocol TLS. ACM Trans. Inf. Syst. Secur., 2(3):332-351, 1999
46. A. Popov. TLS 1.3 client authentication. In Meeting proceedings of the IETF-93 Workshop, Prague. Retrieved from https://www.ietf.org/ proceedings/93/slides/slides-93-tls-2.pdf, 2015
47. E. Rescorla. TLS 1.3 specification pull request: Wip client auth revision #316. https://github.com/tlswg/tls13-spec/pull/316
48. E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3 (draft, revision 10), October 2015. Available at https://tools.ietf. org/html/draft-ietf-tls-tls13-10
49. E. Rescorla. TLS 1.3 status. In Meeting proceedings of the IETF-93 Workshop, Prague. Retrieved from https://www.ietf.org/proceedings/ 93/slides/slides-93-tls-8.pdf, 2015
50. B. Schmidt. Formal analysis of key exchange protocols and physical protocols, 2012. Doctoral thesis, ETH Zurich, Switzerland
51. B. Schmidt, S. Meier, C. Cremers, and D. Basin. Automated Analysis of Diffie-Hellman Protocols and Advanced Security Properties. In S. Chong, editor, 25th IEEE Computer Security Foundations Symposium, CSF 2012, Cambridge, MA, USA, June 25-27, 2012, pages 78-94. IEEE, 2012
52. Tamarin prover GitHub repository (develop branch). https://github. com/tamarin-prover/tamarin-prover, 2015
53. Transport Layer Security Charter, February 2014. https://datatracker. ietf.org/wg/tls/charter
54. S. Vaudenay. Security Flaws Induced by CBC Padding-Applications to SSL, IPSEC, WTLS. In Advances in Cryptology-EUROCRYPT 2002, International Conference on the Theory and Applications of Cryptographic Techniques, Amsterdam, The Netherlands, April 28-May 2, 2002, Proceedings, pages 534-546, 2002
55. D. Wagner and B. Schneier. Analysis of the SSL 3.0 Protocol. In In Proceedings of the Second UNIX Workshop on Electronic Commerce, pages 29-40. USENIX Association, 1996