2012
DOI: 10.1007/978-3-642-32009-5_17

On the Security of TLS-DHE in the Standard Model

Abstract: TLS is the most important cryptographic protocol in use today. However, up to now there is no complete cryptographic security proof in the standard model, nor in any other model. We give the first such proof for the core cryptographic protocol of TLS ciphersuites based on ephemeral Diffie-Hellman key exchange (TLS-DHE), which include the cipher suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA mandatory in TLS 1.0 and TLS 1.1. It is impossible to prove security of the TLS Handshake in any classical key-indistinguishabili…

Cited by 162 publications
(220 citation statements)
References 40 publications
“…In this section, we present an extension of the formal security model for two party authenticated and confidential channel establishment (ACCE) protocols introduced by JKSS [17] to also cover scenarios with pre-shared, symmetric keys. Additionally, we extend the model to also address PKI-related attacks that exploit that the adversary does not have to prove knowledge of the secret key when registering a new public key [5].…”
Section: ACCE Protocols (mentioning)
confidence: 99%
“…For better comparison with JKSS we will subsequently use boxes to highlight state variables that are essentially new in our model. In this model, while emulating the real-world capabilities of an active adversary, we provide an 'execution environment' for adversaries following the tradition of the seminal work of Bellare and Rogaway [3] and its extensions [4,8,21,23,17]. Let $K_0 = \{0,1\}^{\kappa}$ be the key space of the session key and $K_1 = \{0,1\}^{\kappa}$ be the key space of the pre-shared keys.…”
Section: ACCE Protocols (mentioning)
confidence: 99%
“…In concurrent work, Jager et al. [32] aim to analyze the security of the TLS protocol for the case when the underlying key-exchange is based on a DH exchange. The authors convincingly argue that in order to investigate the security of TLS, they have to select one of two paths: either consider a modified version of the TLS key exchange step (as for example done in [37]) or define a new model of security for the whole TLS stack, and analyze the protocol with respect to this model.…”
Section: Usability (mentioning)
confidence: 99%
“…The security analysis of Jager et al. in [32] is for the case when the key-exchange protocol is based on a Diffie-Hellman exchange. As explained above, if one were to now consider the case where the key-exchange is implemented via RSA-based key transport, one would have to redo the whole proof from scratch.…”
Section: Usability (mentioning)
confidence: 99%
“…Theoretically, key agreement protocols based on signed DH are well understood and allow for relatively straightforward proofs of the classical security properties and forward secrecy [28,42]. In practice, their usage in real-world protocols poses additional problems and there is a large body of work on analyzing the security of the combined channel establishment protocol [67,72,33].…”
Section: Modular Machine-checked Proofs Of One-round Key Exchange Pro (mentioning)
confidence: 99%