Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2017, Pages 483-502

  Bhargavan, Karthikeyan ^a   Blanchet, Bruno ^a   Kobeissi, Nadim ^a  

^a INRIA   (France)

Author keywords

[No Author keywords available]

Indexed keywords

CRYPTOGRAPHY;

COMPREHENSIVE ANALYSIS; COMPUTATIONAL MODEL; COMPUTATIONAL SECURITY; CRYPTOGRAPHIC PRIMITIVES; HIGH ASSURANCE; REFERENCE IMPLEMENTATION; TRANSPORT LAYER SECURITY PROTOCOLS; WORKING GROUPS;

SEEBECK EFFECT;

EID: 85024490593     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2017.26     Document Type: Conference Paper

References (73)

1. D. Adrian, K. Bhargavan, Z. Durumeric, P. Gaudry, M. Green, J. A. Halderman, N. Heninger, D. Springall, E. Thomé, L. Valenta et al., "Imperfect forward secrecy: How Diffie-Hellman fails in practice, " in ACM SIGSAC Conference on Computer and Communications Security (CCS), 2015, pp. 5-17.
2. M. R. Albrecht and K. G. Paterson, "Lucky microseconds: A timing attack on Amazon's S2N implementation of TLS, " in EUROCRYPT, 2016, pp. 622-643.
3. N. AlFardan, D. J. Bernstein, K. G. Paterson, B. Poettering, and J. C. Schuldt, "On the security of RC4 in TLS, " in USENIX Security Symposium, 2013, pp. 305-320.
4. N. J. AlFardan and K. G. Paterson, "Lucky thirteen: Breaking the TLS and DTLS record protocols, " in 2013 IEEE Symposium on Security and Privacy (SP 2013), 2013, pp. 526-540.
5. J. B. Almeida, M. Barbosa, G. Barthe, and F. Dupressoir, "Verifiable Side-Channel Security of Cryptographic Implementations: Constant-Time MEE-CBC, " in Fast Software Encryption (FSE), 2016, pp. 163-184.
6. M. Avalle, A. Pironti, R. Sisto, and D. Pozza, "The Java SPI framework for security protocol implementation, " in Availability, Reliability and Security (ARES), 2011 Sixth International Conference on, Aug 2011, pp. 746-751.
7. N. Aviram, S. Schinzel, J. Somorovsky, N. Heninger, M. Dankel, J. Steube, L. Valenta, D. Adrian, J. A. Halderman, V. Dukhovni, E. Käsper, S. Cohney, S. Engels, C. Paar, and Y. Shavitt, "DROWN: breaking TLS using SSLv2, " in USENIX Security Symposium, 2016, pp. 689-706.
8. G. Barthe, F. Dupressoir, B. Grégoire, C. Kunz, B. Schmidt, and P.-Y. Strub, "EasyCrypt: A tutorial, " in Foundations of Security Analysis and Design VII (FOSAD), ser. Lecture Notes in Computer Science. Springer, 2014, vol. 8604, pp. 146-166.
9. M. Bellare, "New proofs for NMAC and HMAC: Security without collision-resistance, " in Advances in Cryptology (CRYPTO), 2006, pp. 602-619.
10. M. Bellare, J. Kilian, and P. Rogaway, "The security of the cipher block chaining message authentication code, " Journal of Computer and System Sciences, vol. 61, no. 3, pp. 362-399, Dec. 2000.
11. M. Bellare and C. Namprempre, "Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, " in Advances in Cryptology-ASIACRYPT'00, 2000, pp. 531-545.
12. B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, and J. K. Zinzindohoue, "A messy state of the union: Taming the composite state machines of TLS, " in IEEE Symposium on Security & Privacy (Oakland), 2015.
13. K. Bhargavan, B. Blanchet, and N. Kobeissi, "Verified models and reference implementations for the TLS 1. 3 standard candidate, " Inria, Research report RR-9040, 2017.
14. K. Bhargavan, C. Brzuska, C. Fournet, M. Green, M. Kohlweiss, and S. Z. Béguelin, "Downgrade resilience in key-exchange protocols, " in IEEE Symposium on Security and Privacy (Oakland), 2016, pp. 506-525.
15. K. Bhargavan, A. Delignat-Lavaud, C. Fournet, A. Pironti, and P.-Y. Strub, "Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS, " in IEEE Symposium on Security & Privacy (Oakland), 2014, pp. 98-113.
16. K. Bhargavan, A. Delignat-Lavaud, and S. Maffeis, "Language-based defenses against untrusted browser origins, " in USENIX Security Symposium, 2013, pp. 653-670.
17. K. Bhargavan, A. Delignat-Lavaud, and A. Pironti, "Verified contributive channel bindings for compound authentication, " in Network and Distributed System Security Symposium (NDSS '15), 2015.
18. K. Bhargavan, C. Fournet, R. Corin, and E. Z?alinescu, "Verified cryptographic implementations for TLS, " ACM TOPLAS, vol. 15, no. 1, pp. 3:1-3:32, 2012.
19. K. Bhargavan, C. Fournet, and A. D. Gordon, "Modular verification of security protocol code by typing, " in ACM Symposium on Principles of Programming Languages (POPL), 2010, pp. 445-456.
20. K. Bhargavan, C. Fournet, A. D. Gordon, and S. Tse, "Verified interoperable implementations of security protocols, " ACM Transactions on Programming Languages and Systems, vol. 31, no. 1, 2008.
21. K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, and P.-Y. Strub, "Implementing TLS with verified cryptographic security, " in IEEE Symposium on Security & Privacy (Oakland), 2013. [Online]. Available: pubs/implementing-tls-with-verified-cryptographic-security-sp13. pdf
22. K. Bhargavan and G. Leurent, "On the practical (in-)security of 64-bit block ciphers: Collision attacks on HTTP over TLS and OpenVPN, " in ACM SIGSAC Conference on Computer and Communications Security (CCS), 2016, pp. 456-467.
23. -, "Transcript collision attacks: Breaking authentication in TLS, IKE, and SSH, " in ISOC Network and Distributed System Security Symposium (NDSS), 2016.
24. B. Blanchet, "A computationally sound mechanized prover for security protocols, " IEEE Transactions on Dependable and Secure Computing, vol. 5, no. 4, pp. 193-207, 2008.
25. -, "Automatic verification of correspondences for security protocols, " Journal of Computer Security, vol. 17, no. 4, pp. 363-434, 2009.
26. -, "Security protocol verification: Symbolic and computational models, " in Principles of Security and Trust (POST), 2012, pp. 3-29.
27. -, "Modeling and verifying security protocols with the applied pi calculus and ProVerif, " Foundations and Trends in Privacy and Security, vol. 1, no. 1-2, pp. 1-135, Oct. 2016.
28. D. Bleichenbacher, "Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS# 1, " in Annual International Cryptology Conference, ser. Lecture Notes in Computer Science, vol. 1462. Springer, 1998, pp. 1-12.
29. M. Bodin, A. Charguéraud, D. Filaretti, P. Gardner, S. Maffeis, D. Naudziuniene, A. Schmitt, and G. Smith, "A trusted mechanised javascript specification, " in ACM Symposium on the Principles of Programming Languages (POPL), 2014, pp. 87-100.
30. D. Cadé and B. Blanchet, "Proved generation of implementations from computationally secure protocol specifications, " Journal of Computer Security, vol. 23, no. 3, pp. 331-402, 2015.
31. S. Chaki and A. Datta, "Aspier: An automated framework for verifying security protocol implementations, " in 2009 22nd IEEE Computer Security Foundations Symposium. IEEE, 2009, pp. 172-185.
32. A. Chaudhuri, "Flow: Abstract interpretation of javascript for type checking and beyond, " in ACM Workshop on Programming Languages and Analysis for Security (PLAS), 2016.
33. J.-S. Coron, Y. Dodis, C. Malinaud, and P. Puniya, "Merkle-Damg?ard revisited: How to construct a hash function, " in Advances in Cryptology (CRYPTO), 2005, pp. 430-448.
34. V. Cortier, S. Kremer, and B. Warinschi, "A survey of symbolic methods in computational analysis of cryptographic systems, " Journal of Automated Reasoning, vol. 46, no. 3-4, pp. 225-259, 2011.
35. C. Cremers, M. Horvat, S. Scott, and T. van der Merwe, "Automated analysis and verification of TLS 1. 3: 0-RTT, resumption and delayed authentication, " in IEEE Symposium on Security and Privacy (Oakland), 2016, pp. 470-485.
36. I. B. Damg?ard, "A design principle for hash functions, " in Advances in Cryptology-CRYPTO89, 1989, pp. 416-427.
37. T. Dierks and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1. 2, " IETF RFC 5246, 2008.
38. Y. Dodis, T. Ristenpart, J. Steinberger, and S. Tessaro, "To hash or not to hash again? (In)differentiability results for H2 and HMAC, " in Advances in Cryptology (Crypto), 2012, pp. 348-366.
39. D. Dolev and A. C. Yao, "On the security of public key protocols, " IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198-207, 1983.
40. B. Dowling, M. Fischlin, F. Günther, and D. Stebila, "A cryptographic analysis of the TLS 1. 3 handshake protocol candidates, " in ACM Conference on Computer and Communications Security (CCS), 2015, pp. 1197-1210.
41. M. Fischlin, F. Günther, B. Schmidt, and B. Warinschi, "Key confirmation in key exchange: A formal treatment and implications for TLS 1. 3, " in IEEE Symposium on Security and Privacy (Oakland), 2016, pp. 452-469.
42. M. Fischlin and F. Günther, "Multi-stage key exchange and the case of Google's QUIC protocol, " in ACM SIGSAC Conference on Computer and Communications Security (CCS), 2014, pp. 1193-1204.
43. S. Goldwasser, S. Micali, and R. Rivest, "A digital signature scheme secure against adaptive chosen-message attacks, " SIAM Journal of Computing, vol. 17, no. 2, pp. 281-308, April 1988.
44. R. Hamilton, J. Iyengar, I. Swett, and A. Wilk, "QUIC: A UDP-based multiplexed and secure transport, " 2016, IETF Internet Draft.
45. K. E. Hickman, "The SSL protocol, " 1995, IETF Internet Draft, https: //tools. ietf. org/html/draft-hickman-netscape-ssl-00.
46. T. Jager, F. Kohlar, S. Schäge, and J. Schwenk, "On the security of TLS-DHE in the standard model, " in CRYPTO 2012, 2012, pp. 273-293.
47. T. Jager, J. Schwenk, and J. Somorovsky, "On the security of TLS 1. 3 and QUIC against weaknesses in PKCS#1 v1. 5 encryption, " in ACM SIGSAC Conference on Computer and Communications Security (CCS), 2015, pp. 1185-1196.
48. N. Kobeissi, K. Bhargavan, and B. Blanchet, "Automated verification for secure messaging protocols and their implementations: A symbolic and computational approach, " in IEEE European Symposium on Security and Privacy (EuroS&P), 2017.
49. H. Krawczyk, "Cryptographic extraction and key derivation: The HKDF scheme, " in Advances in Cryptology (CRYPTO), 2010, pp. 631-648.
50. -, "A unilateral-to-mutual authentication compiler for key exchange (with applications to client authentication in tls 1. 3), " in ACM SIGSAC Conference on Computer and Communications Security (CCS), 2016, pp. 1438-1450.
51. H. Krawczyk, K. G. Paterson, and H. Wee, "On the security of the TLS protocol: A systematic analysis, " in CRYPTO 2013, 2013, pp. 429-448.
52. H. Krawczyk and H. Wee, "The OPTLS protocol and TLS 1. 3, " in IEEE European Symposium on Security & Privacy (Euro S&P), 2016, cryptology ePrint Archive, Report 2015/978.
53. R. Küsters, T. Truderung, and J. Graf, "A framework for the cryptographic verification of Java-like programs, " in IEEE Computer Security Foundations Symposium (CSF), 2012, pp. 198-212.
54. A. Langley, M. Hamburg, and S. Turner, "Elliptic curves for security, " IRTF RFC 7748 https://tools. ietf. org/html/rfc7748, Jan. 2016.
55. X. Li, J. Xu, Z. Zhang, D. Feng, and H. Hu, "Multiple handshakes security of TLS 1. 3 candidates, " in IEEE Symposium on Security and Privacy (Oakland), 2016, pp. 486-505.
56. R. Lychev, S. Jero, A. Boldyreva, and C. Nita-Rotaru, "How secure and quick is QUIC? provable security and performance analyses, " in IEEE Symposium on Security & Privacy (Oakland), 2015, pp. 214-231.
57. U. Maurer and B. Tackmann, "On the soundness of authenticate-thenencrypt: formalizing the malleability of symmetric encryption, " in ACM SIGSAC Conference on Computer and Communications Security (CCS), 2010, pp. 505-515.
58. N. Mavrogiannopoulos, F. Vercauteren, V. Velichkov, and B. Preneel, "A cross-protocol attack on the TLS protocol, " in ACM CCS, 2012.
59. C. Meyer, J. Somorovsky, E. Weiss, J. Schwenk, S. Schinzel, and E. Tews, "Revisiting SSL/TLS implementations: New Bleichenbacher side channels and attacks, " in 23rd USENIX Security Symposium. USENIX Association, 2014, pp. 733-748.
60. B. Möller, T. Duong, and K. Kotowicz, "This POODLE bites: exploiting the SSL 3. 0 fallback, " https://www. openssl. org/?bodo/ssl-poodle. pdf, 2014.
61. T. Okamoto and D. Pointcheval, "The gap-problems: A new class of problems for the security of cryptographic schemes, " in Practice and Theory in Public Key Cryptography (PKC), 2001, pp. 104-118.
62. K. G. Paterson, T. Ristenpart, and T. Shrimpton, "Tag size does matter: Attacks and proofs for the TLS record protocol, " in ASIACRYPT, 2011, pp. 372-389.
63. K. G. Paterson and T. van der Merwe, "Reactive and proactive standardisation of TLS, " in Security Standardisation Research (SSR), 2016, pp. 160-186.
64. M. Ray, A. Pironti, A. Langley, K. Bhargavan, and A. Delignat-Lavaud, "Transport Layer Security (TLS) session hash and extended master secret extension, " 2015, IETF RFC 7627.
65. E. Rescorla, M. Ray, S. Dispensa, and N. Oskov, "TLS renegotiation indication extension, " IETF RFC 5746, 2010.
66. E. Rescorla, "0-RTT and Anti-Replay, " https://www. ietf. org/ mail-archive/web/tls/current/msg15594. html, Mar. 2015.
67. -, "[TLS] PR#875: Additional Derive-Secret stage, " https://www. ietf. org/mail-archive/web/tls/current/msg22373. html, Feb. 2017.
68. B. Schmidt, S. Meier, C. Cremers, and D. Basin, "Automated analysis of Diffie-Hellman protocols and advanced security properties, " in IEEE Computer Security Foundations Symposium (CSF), 2012, pp. 78-94.
69. D. Stefan, "Espectro project description, " 2016, https://cseweb. ucsd. edu/?dstefan/#projects.
70. N. Swamy, C. Hritçu, C. Keller, A. Rastogi, A. Delignat-Lavaud, S. Forest, K. Bhargavan, C. Fournet, P.-Y. Strub, M. Kohlweiss, J.-K. Zinzindohoue, and S. Zanella-Béguelin, "Dependent types and multi-monadic effects in F, " in ACM Symposium on Principles of Programming Languages (POPL), 2016, pp. 256-270.
71. M. Vanhoef and F. Piessens, "All your biases belong to us: Breaking RC4 in WPA-TKIP and TLS, " in USENIX Security Symposium, 2015, pp. 97-112.
72. D. Wagner and B. Schneier, "Analysis of the SSL 3. 0 protocol, " in USENIX Electronic Commerce, 1996.
73. J. K. Zinzindohoue, E. Bartzia, and K. Bhargavan, "A verified extensible library of elliptic curves, " in IEEE Computer Security Foundations Symposium (CSF), 2016, pp. 296-309.