Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication

Cremers, Cas; Horvat, Marko; Scott, Sam; Merwe, Thyla van der

doi:10.1109/sp.2016.35

Cited by 81 publications

(56 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…This attack was not discovered in previous analyses of TLS 1.3 since many of them did not consider client authentication; the prior Tamarin analysis [39] found a similar attack on 1-RTT client authentication but did not consider 0-RTT client authentication. The attacks described here and in [39] belong to a general class of compound authentication vulnerabilities that appear in protocols that compose multiple authentication credentials [19].…”

Section: Inriamentioning

confidence: 80%

“…This means that our analysis assumes that message serialization and parsing is correct; it won't find any attacks that rely on parsing ambiguities or bugs. This abstract treatment of protocol messages is typical of symbolic models; the same approach is taken by Tamarin [39]. In contrast, miTLS [23] includes a fully verified parser for TLS messages.…”

Section: Inriamentioning

confidence: 99%

“…An earlier analysis of Draft-10 in Tamarin [39] found a violation of the authentication goal because the 1-RTT client signature in Draft-10 did not include the server's Finished or any other value that was bound to the PSK. This flaw was fixed in Draft-11 and hence we are able to prove authentication for Draft-18.…”

Section: Inriamentioning

confidence: 99%

“…Cryptographic proofs were developed for Draft-5 [44], Draft-9 [58], and Draft-10 [61], which justified the core design of the protocol. A detailed symbolic model in Tamarin was developed for Draft-10 [39]. Other works studied specific aspects of TLS 1.3, such as key confirmation [46], client authentication [56], and downgrade resilience [16].…”

Section: Introductionmentioning

confidence: 99%

“…The Tamarin analysis [39] uncovered a potential attack on the composition of pre-shared keys and certificate-based authentication, and this attack was prevented in Draft-11. A version downgrade attack was found in Draft-12 and its countermeasure in Draft-13 was proved secure [16].…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate

Bhargavan

Blanchet

Kobeissi

2017

2017 IEEE Symposium on Security and Privacy (SP)

150

View full text Add to dashboard Cite

TLS 1.3 is the next version of the Transport Layer Security (TLS) protocol. Its clean-slate design is a reaction both to the increasing demand for low-latency HTTPS connections and to a series of recent high-profile attacks on TLS. The hope is that a fresh protocol with modern cryptography will prevent legacy problems; the danger is that it will expose new kinds of attacks, or reintroduce old flaws that were fixed in previous versions of TLS. After 18 drafts, the protocol is nearing completion, and the working group has appealed to researchers to analyze the protocol before publication. This paper responds by presenting a comprehensive analysis of the TLS 1.3 Draft-18 protocol. We seek to answer three questions that have not been fully addressed in previous work on TLS 1.3: (1) Does TLS 1.3 prevent well-known attacks on TLS 1.2, such as Logjam or the Triple Handshake, even if it is run in parallel with TLS 1.2? (2) Can we mechanically verify the computational security of TLS 1.3 under standard (strong) assumptions on its cryptographic primitives? (3) How can we extend the guarantees of the TLS 1.3 protocol to the details of its implementations? To answer these questions, we propose a methodology for developing verified symbolic and computational models of TLS 1.3 hand-in-hand with a high-assurance reference implementation of the protocol. We present symbolic ProVerif models for various intermediate versions of TLS 1.3 and evaluate them against a rich class of attacks to reconstruct both known and previously unpublished vulnerabilities that influenced the current design of the protocol. We present a computational CryptoVerif model for TLS 1.3 Draft-18 and prove its security. We present RefTLS, an interoperable implementation of TLS 1.0-1.3 and automatically analyze its protocol core by extracting a ProVerif model from its typed JavaScript code. Résumé : TLS 1.3 est la prochaine version du protocole TLS (Transport Layer Security). Sa conception à partir de zéro est une réaction à la fois à la demande croissante de connexions HTTPS à faible latence et à une série d'attaques récentes de haut niveau sur TLS. L'espoir est qu'un nouveau protocole avec de la cryptographie moderne éviterait d'hériter des problèmes des versions précédentes; le danger est que cela pourrait exposer à de nouveaux types d'attaques ou réintroduire d'anciens défauts corrigés dans les versions précédentes de TLS. Après 18 versions préliminaires, le protocole est presque terminé, et le groupe de travail a appelé les chercheurs à analyser le protocole avant publication. Cet article répond en présentant une analyse globale du protocole TLS 1.3 Draft-18.Nous cherchons à répondre à trois questions qui n'ont pas été entièrement traitées dans les travaux antérieurs sur TLS 1.3: (1) TLS 1.3 empêche-t-il les attaques connues sur TLS 1.2, comme Logjam ou Triple Handshake, même s'il est exécuté en parallèle avec TLS 1.2 ? (2) Peuton vérifier mécaniquement la sécurité calculatoire de TLS 1.3 sous des hypothèses standard (fortes) sur ses primitives...

show abstract

Section: Inriamentioning

confidence: 80%

Section: Inriamentioning

confidence: 99%

Section: Inriamentioning

confidence: 99%