Cryptology ePrint Archive: Report 2016/081

A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol

Benjamin Dowling and Marc Fischlin and Felix GŁnther and Douglas Stebila

Abstract: We analyze the handshake protocol of TLS 1.3 draft-ietf-tls-tls13-10 (published October 2015). This continues and extends our previous analysis (CCS 2015, Cryptology ePrint Archive 2015) of former TLS 1.3 drafts (draft-ietf-tls-tls13-05 and draft-ietf-tls-tls13-dh-based). Here we show that the full (EC)DHE Diffie-Hellman-based handshake of draft-10 is also secure in the multi-stage key exchange framework of Fischlin and GŁnther which captures classical Bellare-Rogaway key secrecy for key exchange protocols that derive multiple keys.

We also note that a recent protocol change---the introduction of a NewSessionTicket message for resumption, encrypted under the application traffic key---impairs the protocol modularity and hence our compositional guarantees that ideally would allow an independent analysis of the record protocol. We additionally analyze the pre-shared key modes (with and without ephemeral Diffie-Hellman key), and fit them into the composability framework, addressing composability with the input resumption secret from a previous handshake and of the output session keys.

Category / Keywords: cryptographic protocols / Transport Layer Security (TLS), key exchange, protocol analysis, composition

Date: received 29 Jan 2016, last revised 31 Jan 2017

Contact author: guenther at cs tu-darmstadt de

Available format(s): PDF | BibTeX Citation

Note: Corrected proofs using PRF-ODH assumption

Version: 20170131:130636 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]