A Comprehensive Symbolic Analysis of TLS 1.3

Cremers, Cas; Horvat, Marko; Hoyland, Jonathan; Scott, Sam; Merwe, Thyla van der

doi:10.1145/3133956.3134063

Cited by 147 publications

(88 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Tamarin is a state-of-the-art protocol verification tool for the symbolic model, which supports stateful protocols, a high level of automation, and equivalence properties [10], which are necessary to model privacy properties such as unlinkability. It has previously been applied to real-world protocols with complex state machines, numerous messages, and complex security properties such as TLS 1.3 [18]. Moreover, it was recently extended with support for XOR [22], a key ingredient for faithfully analyzing 5G AKA.…”

Section: The Tamarin Provermentioning

confidence: 99%

A Formal Analysis of 5G Authentication

Basin

Dreier

Hirschi

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

297

207

View full text Add to dashboard Cite

Mobile communication networks connect much of the world's population. The security of users' calls, SMSs, and mobile data depends on the guarantees provided by the Authenticated Key Exchange protocols used. For the next-generation network (5G), the 3GPP group has standardized the 5G AKA protocol for this purpose.We provide the first comprehensive formal model of a protocol from the AKA family: 5G AKA. We also extract precise requirements from the 3GPP standards defining 5G and we identify missing security goals. Using the security protocol verification tool Tamarin, we conduct a full, systematic, security evaluation of the model with respect to the 5G security goals. Our automated analysis identifies the minimal security assumptions required for each security goal and we find that some critical security goals are not met, except under additional assumptions missing from the standard. Finally, we make explicit recommendations with provably secure fixes for the attacks and weaknesses we found.

show abstract

Section: The Tamarin Provermentioning

confidence: 99%

A Formal Analysis of 5G Authentication

Basin

Dreier

Hirschi

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

297

207

View full text Add to dashboard Cite

show abstract

“…Methodology Our work aims to provide rigorous formal analysis and to improve the security of the 5G-AKA standard. Our approach uses formal symbolic modeling with the TAMARIN prover [21], which has been successfully used during the development of major protocols such as TLS 1.3 [16].…”

Section: Introductionmentioning

confidence: 99%

Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session Confusion

Cremers

Dehnel-Wild

2019

Proceedings 2019 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

The 5G mobile telephony standards are nearing completion; upon adoption these will be used by billions across the globe. Ensuring the security of 5G communication is of the utmost importance, building trust in a critical component of everyday life and national infrastructure. We perform fine-grained formal analysis of 5G's main authentication and key agreement protocol (AKA), and provide the first models to explicitly consider all parties defined by the protocol specification. Our analysis reveals that the security of 5G-AKA critically relies on unstated assumptions on the inner workings of the underlying channels. In practice this means that following the 5G-AKA specification, a provider can easily and 'correctly' implement the standard insecurely, leaving the protocol vulnerable to a security-critical race condition. We provide the first models and analysis considering component and channel compromise in 5G, whose results further demonstrate the fragility and subtle trust assumptions of the 5G-AKA protocol. We propose formally verified fixes to the encountered issues, and have worked with 3GPP to ensure these fixes are adopted. Køien [19] proposes improvements to 4G's AKA, achieving full mutual online authentication. Previous AKA protocols delegate authority from the home network to a serving network by forwarding up to 5 irrevocable authentication vectors, allowing the home network to be offline during the challengeresponse phase of the protocol: this requires too high a level of trust between network operators, hence they propose a modified protocol which is fully online for all parties. 5G-AKA now only forwards one authentication vector at a time. Arapinis et al. [9] analyse 3G's authentication protocols, discovering attacks against the privacy and linkability of subscriber

show abstract

“…The core protocol in TLS 1.2 was also vulnerable to a similar attack, but since the protocol itself is hidden within layers of packet formats and C-like pseudocode, it was difficult for the attack to be detected. However, upon automated symbolic verification [4,5], the attack quickly appeared not just in TLS, but also in variants of SSH and IPsec. Flaws underlying more recent attacks such as Logjam [6] were known for years before they were observed when the vulnerable protocol was analyzed.…”

Section: Introductionmentioning

confidence: 99%

Noise Explorer: Fully Automated Modeling and Verification for Arbitrary Noise Protocols

Kobeissi

Nicolas

Bhargavan

2019

2019 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

The Noise Protocol Framework, introduced recently, allows for the design and construction of secure channel protocols by describing them through a simple, restricted language from which complex key derivation and local state transitions are automatically inferred. Noise "Handshake Patterns" can support mutual authentication, forward secrecy, zero round-trip encryption, identity hiding and other advanced features. Since the framework's release, Noise-based protocols have been adopted by WhatsApp, WireGuard and other high-profile applications. We present Noise Explorer, an online engine for designing, reasoning about, formally verifying and implementing arbitrary Noise Handshake Patterns. Based on our formal treatment of the Noise Protocol Framework, Noise Explorer can validate any Noise Handshake Pattern and then translate it into a model ready for automated verification and also into a production-ready software implementation written in Go or in Rust. We use Noise Explorer to analyze more than 57 handshake patterns. We confirm the stated security goals for 12 fundamental patterns and provide precise properties for the rest. We also analyze unsafe handshake patterns and document weaknesses that occur when validity rules are not followed. All of this work is consolidated into a usable online tool that presents a compendium of results and can parse formal verification results to generate detailed-but-pedagogical reports regarding the exact security goals of each message of a Noise Handshake Pattern with respect to each party, under an active attacker and including malicious principals. Noise Explorer evolves alongside the standard Noise Protocol Framework, having already contributed new security goal verification results and stronger definitions for pattern validation and security parameters.

show abstract

A Comprehensive Symbolic Analysis of TLS 1.3

Cited by 147 publications

References 20 publications

A Formal Analysis of 5G Authentication

A Formal Analysis of 5G Authentication

Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session Confusion

Noise Explorer: Fully Automated Modeling and Verification for Arbitrary Noise Protocols

Contact Info

Product

Resources

About