Reactive and proactive standardisation of TLS

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 10074 LNCS, Issue , 2016, Pages 160-186

  Paterson, Kenneth G ^a   van der Merwe, Thyla ^a  

^a UNIVERSITY OF LONDON   (United Kingdom)

Author keywords

Security; Standardisation; TLS

Indexed keywords

SEEBECK EFFECT; THALLIUM;

COMPARATIVE ANALYSIS; DESIGN PHILOSOPHY; PROTOCOL ANALYSIS; SECURITY; SHARP CONTRAST; WORKING GROUPS;

STANDARDIZATION;

EID: 85007090129     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-319-49100-4_7     Document Type: Conference Paper

References (88)

1. FlexTLS: A Tool for Testing TLS Implementations. https://mitls.org/pages/flextls
2. Getting Started in the IETF. https://www.ietf.org/newcomers.html. Accessed 06 Aug 2016
3. miTLS: A Verified Reference Implementation of TLS. https://mitls.org/
4. ProVerif: Cryptographic protocol verifier in the formal model. http://prosecco.gforge.inria.fr/personal/bblanche/proverif/
5. TLS 1.3 Security Properties. https://github.com/tls13properties/tls13-properties
6. Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J.A., Heninger, N., Springall, D., Thomé, E., Valenta, L., VanderSloot, B., Wustrow, E., Béguelin, S.Z., Zimmermann, P.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In Ray et al. [76], pp. 5–17
7. Albrecht, M.R., Paterson, K.G.: Lucky Microseconds: A timing attack on amazon’s s2n implementation of TLS. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 622–643. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49890-3_24
8. AlFardan, N., Paterson, K.G.: Lucky thirteen: breaking the TLS and DTLS record protocols. In: Sommer, R. (ed.) Proceedings of the 2013 IEEE Symposium on Security and Privacy (S&P 2013) (2013)
9. AlFardan, N.J., Bernstein, D.J., Paterson, K.G., Poettering, B., Schuldt, J.C.N.: On the security of RC4 in TLS. In: King, S.T. (ed.) Proceedings of the 22nd USENIX Security Symposium, Washington D.C., August 2013, pp. 305–320. USENIX (2013)
10. Almeida, J.B., Barbosa, M., Barthe, G., Dupressoir, F.: Verifiable side-channel security of cryptographic implementations: constant-time MEE-CBC. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 163–184. Springer, Heidelberg (2016). doi:10.1007/978-3-662-52993-5_9
11. Apecechea, G.I., Inci, M.S., Eisenbarth, T., Sunar, B.: Lucky 13 strikes back. In: Bao, F., Miller, S., Zhou, J., Ahn, G.-J. (eds.) Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, ASIA CCS 2015, Singapore, 14–17 April 2015, pp. 85–96. ACM (2015)
12. Arai, K.: Formal Verification of TLS 1.3 Full Handshake Protocol Using Proverif. Technical report, Cryptographic protocol Evaluation toward Long- Lived Outstanding Security Consortium (CELLOS), February 2016. https://www. cellos-consortium.org/studygroup/TLS1.3-fullhandshake-draft11.pv
13. Aviram, N., Schinzel, S., Somorovsky, J., Heninger, N., Dankel, M., Steube, J., Valenta, L., Adrian, D., Halderman, J.A., Dukhovni, V., Käsper, E., Cohney, S., Engels, S., Paar, C., Shavitt, Y.: DROWN: breaking TLS using SSLv2. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16, Austin, 10–12 August 2016, pp. 689–706. USENIX Association (2016)
14. Bard, G.V.: A challenging but feasible blockwise-adaptive chosen-plaintext attack on SSL. In: Malek, M., Fernández-Medina, E., Hernando, J. (eds.) SECRYPT, pp. 99–109. INSTICC Press (2006)
15. Berners-Lee, T., Fielding, R., Frystyk, H.: The Hypertext Transfer Protocol HTTP/1.0. RFC 1945 (Informational), May 1996
16. Beurdouche, B., Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Ishtiaq, S., Kohlweiss, M., Protzenko, J., Swamy, N., Zanella-Bguelin, S., Zinzindohou, J.K.: Towards a Provably Secure Implementation of TLS 1.3. Presented at TRON 1.0, San Diego, 21 February 2016
17. Beurdouche, B., Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zinzindohoue, J.K.: A messy state of the union: taming the composite state machines of TLS. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, 17–21 May 2015, pp. 535–552. IEEE Computer Society (2015)
18. Bhargavan, K., Kobeissi, N., Blanchet, B.: ProScript T.L.S.: Building a TLS 1.3 Implementation with a Verifiable Protocol Model. Presented at TRON 1.0, San Diego, 21 February 2016
19. Bhargavan, K., Brzuska, C., Fournet, C., Green, M., Kohlweiss, M., Zanella-Bèguellin, S.: Downgrade resilience in key-exchange protocols. In: 2016 IEEE Symposium on Security and Privacy, SP 2016, San Jose, 23–25 May 2016
20. Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti, A., Strub, P.-Y.: Triple handshakes, cookie cutters: breaking and fixing authentication over TLS. In: 2014 IEEE Symposium on Security and Privacy, SP 2014, Berkeley, 18–21 May 2014, pp. 98–113. IEEE Computer Society (2014)
21. Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti, A., Strub, P.-Y., Handshakes, T., Cutters, C.: Breaking and fixing authentication over TLS. In: 2014 IEEE Symposium on Security and Privacy, SP 2014, Berkeley, 18–21 May 2014, pp. 98–113 (2014)
22. Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y.: Implementing TLS with verified cryptographic security. In: 2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, 19–22 May 2013, pp. 445–459. IEEE Computer Society (2013)
23. Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zanella- Béguelin, S.: Proving the TLS handshake secure (as it is). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 235–255. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44381-1_14
24. Bhargavan, K., Leurent, G.: Transcript collision attacks: breaking authentication in TLS, IKE, and SSH. In: 23rd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, 21–24 February 2016
25. Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: 14th IEEE Computer Security Foundations Workshop (CSFW-14 2001), 11–13 June 2001, Cape Breton, pp. 82–96 (2001)
26. Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1–12. Springer, Heidelberg (1998). doi:10.1007/BFb0055716
27. Bricout, R., Murphy, S., Paterson, K.G., Van der Merwe, T.: Analysing and exploiting the Mantin biases in RC4. IACR Cryptology ePrint Archive, 2016:63 (2016)
28. Canvel, B., Hiltgen, A., Vaudenay, S., Vuagnoux, M.: Password interception in a SSL/TLS channel. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 583–599. Springer, Heidelberg (2003). doi:10.1007/978-3-540-45146-4_34
29. Chauhan, S., Sobti, R., Geetha, G., Anand, S.: Cryptanalysis of SHA-3 candidates: a survey. Res. J. Inf. Technol. 5, 149–159 (2013)
30. Chen, L., Mitchell, C. (eds.): SSR 2014. Security and Cryptology. LNCS, vol. 8893. Springer (2014)
31. Cremers, C., Horvat, M., Scott, S., van der Merwe, T.: Automated analysis and verification of TLS 1.3: 0-RTT, resumption and delayed authentication. In: 2016 IEEE Symposium on Security and Privacy, SP 2016, San Jose, 23–25 May 2016
32. Dierks, T., Allen, C.: The TLS Protocol Version 1.0. RFC 2246, Internet Engineering Task Force, January 1999
33. Dierks, T., Allen, C.: The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346, Internet Engineering Task Force, April 2006
34. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246, Internet Engineering Task Force, August 2008
35. Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In Ray et al. [76], pp. 1197–1210
36. Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 draft-10 full and pre-shared key handshake protocol. Cryptology ePrint Archive, Report 2016/081 (2016). http://eprint.iacr.org/
37. Dowling, B., Stebila, D.: Modelling ciphersuite and version negotiation in the TLS protocol. In: Foo, E., Stebila, D. (eds.) ACISP 2015. LNCS, vol. 9144, pp. 270–288. Springer, Heidelberg (2015). doi:10.1007/978-3-319-19962-7_16
38. Duong, T., Rizzo, J.: Here come the ? Ninjas. Unpublished manuscript (2011)
39. Dworkin, M.J.: SHA-3 Standard: permutation-based hash and extendable-output functions. FIPS 202, August 2015
40. Dworkin, M.J., Barker, E.B., Nechvatal, J.R., Foti, J., Bassham, L.E., Roback, E., Dray, Jr., J.F.: Announcing the Advanced Encryption Standard (AES). FIPS PUB 197, November 2001
41. Fischlin, M., Günther, F.: Multi-stage key exchange and the case of Google’s QUIC protocol. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, pp. 1193–1204, 3–7 November 2014
42. Fischlin, M., Günther, F., Schmidt, B., Warinschi, B.: Key confirmation in key exchange: a formal treatment and implications for TLS 1.3. In: 2016 IEEE Symposium on Security and Privacy, SP 2016, San Jose, 23–25 May 2016
43. Freier, A., Karlton, P.: The Secure Sockets Layer (SSL) Protocol Version 3.0. RFC 6101 (Historic Document), August 2011
44. Gajek, S., Manulis, M., Pereira, O., Sadeghi, A.-R., Schwenk, J.: Universally composable security analysis of TLS. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 313–327. Springer, Heidelberg (2008). doi:10.1007/978-3-540-88733-1_22
45. Garman, C., Paterson, K.G., Van der Merwe, T.: Attacks only get better: password recovery attacks against RC4 in TLS. In Jung and Holz [53], pp. 113–128
46. Garret, D.: Banning SHA-1 in TLS 1.3, a new attempt. TLS mailing list post, October 2015. http://www.ietf.org/mail-archive/web/tls/current/msg17956.html
47. Garret, D.: MD5 diediedie (was Re: Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms). TLS mailing list post, January 2016. http://www.ietf.org/mail-archive/web/tls/current/msg18977.html
48. Giesen, F., Kohlar, F., Stebila, D.: On the security of TLS renegotiation. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, Berlin, 4–8 November 2013, pp. 387–398. ACM (2013)
49. Griffin, P.H.: Standardization transparency - an out of body experience. In: Chen and Mitchell [30], pp. 57–68
50. Guttman, J.D., Liskov, M.D., Rowe, P.D.: Security goals and evolving standards. In: Chen and Mitchell [30], pp. 93–110
51. Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32009-5_17
52. Jager, T., Schwenk, J., Somorovsky, J.: On the security of TLS 1.3 and QUIC against weaknesses in PKCS#1 v1.5 encryption. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, 12–16 October 2015, pp. 1185–1196 (2015)
53. Jung, J., Holz, T., (eds.): 24th USENIX Security Symposium, USENIX Security 15, Washington, D.C., 12–14 August 2015. USENIX Association (2015)
54. Kelsey, J.: Compression and information leakage of plaintext. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 263–276. Springer, Heidelberg (2002). doi:10.1007/3-540-45661-9_21
55. Klíma, V., Pokorńy, O., Rosa, T.: Attacking RSA-based sessions in SSL/TLS. In: Walter, C.D., Koç, C¸.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 426–440. Springer, Heidelberg (2003). doi:10.1007/978-3-540-45238-6_33
56. Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DH and TLS-RSA in the standard model. IACR Cryptology ePrint Archive, 2013:367 (2013)
57. Kohlweiss, M., Maurer, U., Onete, C., Tackmann, B., Venturi, D.: (De-)constructing TLS. IACR Cryptology ePrint Archive, 2014:20 (2014)
58. Krawczyk, H.: The order of encryption and authentication for protecting communications (or: how secure is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310–331. Springer, Heidelberg (2001). doi:10.1007/3-540-44647-8_19
59. Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14623-7_34
60. Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 429–448. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40041-4_24
61. Krawczyk, H., Wee, H.: The OPTLS protocol and TLS 1.3. IACR Cryptology ePrint Archive, 2015:978 (2015)
62. Krawczyk, H., Wee, H.: The OPTLS protocol and TLS 1.3. In: IEEE European Symposium on Security and Privacy, EuroS&P 2016, Saarbrücken, 21–24 March 2016, pp. 81–96. IEEE (2016)
63. Langley, A., Chang, W.: QUIC Crypto, June 2013. https://docs.google.com/document/d/1g5nIXAIkN Y-7XJW5K45IblHd L2f5LTaDUDwvZ5L6g/
64. Li, X., Xu, J., Zhang, Z., Feng, D., Hu, H.: Multiple handshakes security of TLS 1.3 candidates. In: 2016 IEEE Symposium on Security and Privacy, SP 2016, San Jose, 23–25 May 2016
65. Li, Y., Schäge, S., Yang, Z., Kohlar, F., Schwenk, J.: On the security of the preshared key ciphersuites of TLS. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 669–684. Springer, Heidelberg (2014). doi:10.1007/978-3-642-54631-0_38
66. Mantin, I., Shamir, A.: A practical attack on broadcast RC4. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 152–164. Springer, Heidelberg (2002). doi:10.1007/3-540-45473-X_13
67. Matsuo, S.: Formal verification of TLS 1.3 full handshake protocol using ProVerif (Draft-11). TLS mailing list post, February 2016. https://www.ietf.org/mail-archive/web/tls/current/msg19339.html
68. Mavrogiannopoulos, N., Vercauteren, F., Velichkov, V., Preneela, B.: A crossprotocol attack on the TLS protocol. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS 2012), Raleigh, pp. 62–72. ACM Press, October 2012
69. Meyer, C., Somorovsky, J., Weiss, E., Schwenk, J., Schinzel, S., Tews, E.: Revisiting, SSL/TLS implementations: new Bleichenbacher side channels and attacks. In: Fu, K., Jung, J., (eds.) Proceedings of the 23rd USENIX Security Symposium, San Diego, 20–22 August 2014, pp. 733–748. USENIX Association (2014)
70. Moeller, B.: Security of CBC ciphersuites in SSL/TLS: problems andcountermeasures. Unpublished manuscript, May 2004. http://www.openssl.org/~bodo/tls-cbc.txt
71. Möller, B., Duong, T., Kotowicz, K.: This POODLE bites: exploiting the SSL 3.0 fallback, September 2014
72. Morrissey, P., Smart, N.P., Warinschi, B.: The TLS handshake protocol: a modular analysis. J. Cryptol. 23(2), 187–223 (2010)
73. Paterson, K.G., Ristenpart, T., Shrimpton, T.: Tag size Does matter: attacks and proofs for the TLS record protocol. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 372–389. Springer, Heidelberg (2011). doi:10.1007/978-3-642-25385-0_20
74. Popov, A.: Prohibiting RC4 Cipher Suites. RFC 7465 (Proposed Standard), February 2015
75. Postel, J.: Internet Protocol. RFC 791, Internet Engineering Task Force, September 1981
76. Ray, I., Li, N., Kruegel, C., (eds.) Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, 12–6 October 2015. ACM (2015)
77. Federal Register. Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA 3) Family. Federal Register, November 2007
78. Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3, Draft 15. Internet draft, Internet Engineering Task Force, August 2016
79. Rescorla, E., Ray, M., Dispensa, S., Oskov, N.: Transport Layer Security (TLS) Renegotiation Indication Extension. RFC 5746 (Proposed Standard), February 2010
80. Rogaway, P.: Problems with proposed IP cryptography. Unpublished manuscript (1995). http://www.cs.ucdavis.edu/~rogaway/papers/draft-rogaway-ipseccomments- 00.txt
81. Roskind, J.: QUIC: Quick UDP Internet Connections, April 2012. https://docs.google.com/document/d/1RNHkx VvKWyWg6Lr8SZ-saqsQx7rFV-ev2jRFUoVD 34/edit?pref=2&pli=1
82. Sarkar, P.G., Fitzgerald, S.: Attacks on SSL - a comprehensive study of BEAST, CRIME, TIME, BREACH, Lucky 13 and RC4 biases, August 2013
83. Tamarin prover GitHub repository (develop branch) (2015). https://github.com/tamarin-prover/tamarin-prover
84. Turner, S., Polk, T.: Prohibiting Secure Sockets Layer (SSL) Version 2.0. RFC 6176 (Proposed Standard), March 2011
85. Vanhoef, M., Piessens, F.: All your biases belong to us: breaking RC4 in WPATKIP and TLS. In Jung and Holz [53], pp. 97–112
86. Vaudenay, S.: Security flaws induced by CBC padding — applications to SSL, IPSEC, WTLS. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–545. Springer, Heidelberg (2002). doi:10.1007/3-540-46035-7_35
87. Wagner, D., Schneier, B.: Analysis of the SSL 3.0 protocol. In: USENIX Electronic Commerce (1996)
88. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005). doi:10.1007/11426639_2