A unilateral-to-mutual authentication compiler for key exchange (with applications to client authentication in TLS 1.3)

Proceedings of the ACM Conference on Computer and Communications Security

Volumn 24-28-October-2016, Issue , 2016, Pages 1438-1450

  Krawczy, Hugo ^a  

^a IBM RESEARCH   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

PROGRAM COMPILERS;

CLIENT AUTHENTICATION; KEY EXCHANGE; KEY EXCHANGE PROTOCOLS; MA MODEL; MUTUAL AUTHENTICATION;

AUTHENTICATION;

EID: 84995394445     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2976749.2978325     Document Type: Conference Paper

References (34)

1. M. Bellare and P. Rogaway. Entity authentication and key distribution. In D. R. Stinson, editor, CRYPTO, volume 773 of Lecture Notes in Computer Science, pages 232-249. Springer, 1993. ISBN 3-540-57766-1.
2. M. Bellare, R. Canetti, and H. Krawczyk. A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract). In 30th ACM STOC, pages 419-428. ACM Press, May 1998.
3. B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P. Strub, and J. K. Zinzindohoue. A messy state of the union: Taming the composite state machines of TLS. In IEEE Symposium on Security and Privacy, 2015.
4. K. Bhargavan and G. Leurent. Transcript collision attacks: Breaking authentication in tls, IKE and SSH. In 23nd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, California, USA, February 21-24, 2016. The Internet Society, 2016. URL http://www.internetsociety.org/events/ndss-symposium-2016.
5. K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, and P.-Y. Strub. Implementing TLS with verified cryptographic security. In IEEE Symposium on Security and Privacy, 2013. URL http://mitls.rocq.inria.fr/.
6. K. Bhargavan, A. Delignat-Lavaud, C. Fournet, A. Pironti, and P. Strub. Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS. In 2014 IEEE Symposium on Security and Privacy, SP, pages 98-113, 2014.
7. K. Bhargavan, A. Delignat-Lavaud, and A. Pironti. Verified contributive channel bindings for compound authentication. In NDSS, 2015.
8. C. Brzuska, M. Fischlin, N. P. Smart, B. Warinschi, and S. C. Williams. Less is more: relaxed yet composable security notions for key exchange. Int. J. Inf. Sec., 12(4):267-297, 2013. Cryptology ePrint Archive, Report 2012/242.
9. R. Canetti and H. Krawczyk. Analysis of key-exchange protocols and their use for building secure channels. In EUROCRYPT, pages 453-474, 2001. See also Cryptology ePrint Archive, Report 2001/040.
10. R. Canetti and H. Krawczyk. Universally composable notions of key exchange and secure channels. In EUROCRYPT, pages 337-351, 2002. See also Cryptology ePrint Archive, Report 2002/059.
11. C. Cremers, M. Horvat, S. Scott, and T. van der Merwe. Automated verification of TLS 1.3:0-RTT, resumption and delayed authentication. In IEEE S&P 2016., 2016.
12. B. Dowling, M. Fischlin, F. Günther, and D. Stebila. A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In ACM CCS, 2015. Also, Cryptology ePrint Archive, Report 2015/914.
13. B. Dowling, M. Fischlin, F. Günther, and D. Stebila. A cryptographic analysis of the TLS 1.3 draft-10 full and preshared key handshake protocol. Cryptology ePrint Archive, Report 2016/081, 2016.
14. M. Fischlin and F. Günther. Multi-stage key exchange and the case of Google's QUIC protocol. In ACM CCS, 2014.
15. M. Fischlin, F. Günther, G. A. Marson, and K. G. Paterson. Data is a stream: Security of stream-based channels. In R. Gennaro and M. J. B. Robshaw, editors, CRYPTO 2015, Part II, volume 9216 of LNCS, pages 545-564. Springer, Heidelberg, Aug. 2015..
16. I. Goldberg, D. Stebila, and B. Ustaoglu. Anonymity and one-way authentication in key exchange protocols. Des. Codes Cryptography, 67(2):245-269, 2013.. URL http://dx.doi.org/10.1007/s10623-011-9604-z.
17. S. Halevi and H. Krawczyk. Public-key cryptography and password protocols. ACM Transactions on Information and System Security, 2(3):230-268, Aug. 1999.
18. S. Halevi and H. Krawczyk. One-pass HMQV and asymmetric key-wrapping. In PKC 2011, pages 317-334, 2011.
19. T. Jager, F. Kohlar, S. Schäge, and J. Schwenk. Generic compilers for authenticated key exchange. In M. Abe, editor, ASIACRYPT 2010, volume 6477 of LNCS, pages 232-249. Springer, Heidelberg, Dec. 2010.
20. T. Jager, F. Kohlar, S. Schäge, and J. Schwenk. On the security of TLS-DHE in the standard model. In CRYPTO, pages 273-293, 2012. Also Cryptology ePrint Archive, Report 2011/219.
21. F. Kohlar, S. Schäge, and J. Schwenk. On the security of TLS-DH and TLS-RSA in the standard model. Cryptology ePrint Archive, Report 2013/367, 2013. http://eprint.iacr.org/.
22. M. Kohlweiss, U. Maurer, C. Onete, B. Tackmann, and D. Venturi. (De-) constructing TLS. Cryptology ePrint Archive, Report 2014/020, 2014. revised Apr. 2015.
23. M. Kohlweiss, U. Maurer, C. Onete, B. Tackmann, and D. Venturi. (de-) constructing TLS 1.3. In Progress in Cryptology - INDOCRYPT 2015-16th International Conference on Cryptology in India, Bangalore, India, December 6-9, 2015, Proceedings, pages 85-102, 2015.
24. H. Krawczyk. SIGMA: The "SIGn-and-MAc" approach to authenticated Diffie-Hellman and its use in the IKE protocols. In CRYPTO, pages 400-425, 2003.
25. H. Krawczyk and H. Wee. The OPTLS protocol and TLS 1.3. In EuroS&P, 2016.
26. H. Krawczyk, K. G. Paterson, and H. Wee. On the security of the TLS protocol: A systematic analysis. In CRYPTO (1), pages 429-448, 2013. Also, Cryptology ePrint Archive, Report 2013/339.
27. A. Langley and W.-T. Chang. QUIC crypto, 2013. URL http://tinyurl.com/lrrjyjs.
28. R. Lychev, S. Jero, A. Boldyreva, and C. Nita-Rotaru. How secure and quick is QUIC? Provable security and performance analyses. In IEEE Symposium on Security and Privacy, pages 214-231, 2015.
29. U. Maurer, B. Tackmann, and S. Coretti. Key exchange with unilateral authentication: Composable security definition and modular protocol design. IACR Cryptology ePrint Archive, 2013:555, 2013. URL http://eprint.iacr.org/2013/555.
30. P. Morrissey, N. P. Smart, and B. Warinschi. A modular security analysis of the TLS handshake protocol. In ASI-ACRYPT, pages 55-73, 2008.
31. K. G. Paterson, T. Ristenpart, and T. Shrimpton. Tag size does matter: Attacks and proofs for the TLS record protocol. In ASIACRYPT, pages 372-389, 2011.
32. M. D. Raimondo, R. Gennaro, and H. Krawczyk. Deniable authentication and key exchange. In ACM CCS, 2006.
33. E. Rescorla. The transport layer security (TLS) protocol version 1.3(draft 13), Dec. 2015. URL https://tools.ietf.org/html/draft-ietf-tls-tls13-13.
34. V. Shoup. On formal models for secure key exchange. Cryptology ePrint Archive, Report 1999/012, 1999.