It is impossible to prove security of the TLS Handshake in any classical key-indistinguishability-based security model (like e.g. the Bellare-Rogaway or the Canetti-Krawczyk model), due to subtle issues with the encryption of the final Finished messages of the TLS Handshake. Therefore we start with proving the security of a truncated version of the TLS Handshake protocol, which has also been considered in previous work on TLS.
Then we define the notion of authenticated and confidential channel establishment (ACCE) as a new security model which captures precisely the security properties expected from TLS in practice, and show that the combination of the TLS Handshake protocol with the TLS Record Layer can be proven secure in this model.Category / Keywords: cryptographic protocols / Authenticated key agreement, SSL, TLS, provable security, ephemeral Diffie-Hellman Publication Info: Crypto 2012 Date: received 6 May 2011, last revised 20 Feb 2013 Contact author: tibor jager at rub de Available format(s): PDF | BibTeX Citation Note: Fixed a notational issue concerning the encryption of the Finished messages. Version: 20130220:184408 (All versions of this report) Short URL: ia.cr/2011/219 Discussion forum: Show discussion | Start new discussion