Composition theorems without pre-established session identifiers

Küsters, Ralf; Tuengerthal, Max

doi:10.1145/2046707.2046715

Cited by 30 publications

(40 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Küsters and Tuengerthal [41] claim to prove composable security for TLS assuming only local session identifiers, but leave out all details of the proof and only point to [33].…”

Section: Related Workmentioning

confidence: 99%

On the Security of TLS-DHE in the Standard Model

Jager

Kohlar

Schäge

et al. 2012

Lecture Notes in Computer Science

162

216

View full text Add to dashboard Cite

TLS is the most important cryptographic protocol in use today. However, up to now there is no complete cryptographic security proof in the standard model, nor in any other model. We give the first such proof for the core cryptographic protocol of TLS ciphersuites based on ephemeral Diffie-Hellman key exchange (TLS-DHE), which include the cipher suite TLS DHE DSS WITH 3DES EDE CBC SHA mandatory in TLS 1.0 and TLS 1.1.It is impossible to prove security of the TLS Handshake in any classical key-indistinguishabilitybased security model (like e.g. the Bellare-Rogaway or the Canetti-Krawczyk model), due to subtle issues with the encryption of the final Finished messages of the TLS Handshake. Therefore we start with proving the security of a truncated version of the TLS Handshake protocol, which has also been considered in previous work on TLS.Then we define the notion of authenticated and confidential channel establishment (ACCE) as a new security model which captures precisely the security properties expected from TLS in practice, and show that the combination of the TLS Handshake protocol with the TLS Record Layer can be proven secure in this model.

show abstract

“…Küsters and Tuengerthal [41] claim to prove composable security for TLS assuming only local session identifiers, but leave out all details of the proof and only point to [33].…”

Section: Related Workmentioning

confidence: 99%

On the Security of TLS-DHE in the Standard Model

Jager

Kohlar

Schäge

et al. 2012

Lecture Notes in Computer Science

162

216

View full text Add to dashboard Cite

show abstract

“…Gajek et al [25] outline a proof of security of TLS in the simulation-based model of [14]. However, Küsters and Tuengerthal [42] correctly note that their (ab)use of a crucial theorem to obtain multi-session security relies on pre-established identifiers not available in TLS, and suggest a framework for overcoming this limitation.…”

Section: Prior Security Results On the Tls Handshakementioning

confidence: 99%

Proving the TLS Handshake Secure (As It Is)

Bhargavan

Fournet

Kohlweiss

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The TLS Internet Standard features a mixed bag of cryptographic algorithms and constructions, letting clients and servers negotiate their use for each run of the handshake. Although many ciphersuites are now well-understood in isolation, their composition remains problematic, and yet it is critical to obtain practical security guarantees for TLS. We experimentally confirm that all mainstream implementations of TLS share key materials between different algorithms, some of them of dubious strength. We outline attacks in their handling of resumption and renegotiation, stressing the need to model multiple related instances of the handshake.We study the provable security of the TLS handshake, as it is implemented and deployed. To capture the details of the standard and its main extensions, we rely on miTLS, a verified reference implementation of the protocol. miTLS inter-operates with mainstream browsers and servers for many protocol versions, configurations, and ciphersuites; and it provides application-level, provable security for some.We propose new agile security definitions and assumptions for the signatures, key encapsulation mechanisms (KEM), and key derivation algorithms used by the TLS handshake. By necessity, our definitions are stronger than those expected with simple modern protocols. To validate our model of key encapsulation, we prove that both RSA and Diffie-Hellman ciphersuites satisfy our definition for the KEM. In particular, we formalize the use of PKCS#1v1.5 encryption in TLS, including recommended countermeasures against Bleichenbacher attacks, and build a 3,000-line EasyCrypt proof of the security of the resulting master secret KEM against replayable chosen-ciphertext attacks under the assumption that ciphertexts are hard to re-randomize.Based on our new agile definitions, we construct a modular proof of security for the miTLS reference implementation of the handshake, including ciphersuite negotiation, key exchange, renegotiation, and resumption, treated as a detailed 3,600-line executable model. We present our main definitions, constructions, and proofs for an abstract model of the protocol, featuring series of related runs of the handshake with different ciphersuites. We also describe its refinement to account for the whole reference implementation, based on automated verification tools.

show abstract

“…Universal composability (UC) [17,18,20,32] is a framework that allows to compose protocols. However, proving UC-security requires stronger properties than the game-based framework that we use ( [16, Appendix A] details limitations of the UC framework).…”

Section: Rr N°9171mentioning

confidence: 99%

Composition Theorems for CryptoVerif and Application to TLS 1.3

Blanchet

2018

2018 IEEE 31st Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

We present composition theorems for security protocols, to compose a key exchange protocol and a symmetric-key protocol that uses the exchanged key. Our results rely on the computational model of cryptography and are stated in the framework of the tool CryptoVerif. They support key exchange protocols that guarantee injective or non-injective authentication. They also allow random oracles shared between the composed protocols. To our knowledge, they are the first composition theorems for key exchange stated for a computational protocol verification tool, and also the first to allow such flexibility. As a case study, we apply our composition theorems to a proof of TLS 1.3 Draft-18. This work fills a gap in a previous paper that informally claims a compositional proof of TLS 1.3, without formally justifying it.

show abstract

Composition theorems without pre-established session identifiers

Cited by 30 publications

References 26 publications

On the Security of TLS-DHE in the Standard Model

On the Security of TLS-DHE in the Standard Model

Proving the TLS Handshake Secure (As It Is)

Composition Theorems for CryptoVerif and Application to TLS 1.3

Contact Info

Product

Resources

About