Cryptology ePrint Archive: Report 2016/1178

Implementing and Proving the TLS 1.3 Record Layer

Karthikeyan Bhargavan and Antoine Delignat-Lavaud and Cédric Fournet and Markulf Kohlweiss and Jianyang Pan and Jonathan Protzenko and Aseem Rastogi and Nikhil Swamy and Santiago Zanella-Béguelin and Jean Karim Zinzindohoué

Abstract: The record layer is the main bridge between TLS applications and internal sub-protocols. Its core functionality is an elaborate authenticated encryption: streams of messages for each sub-protocol (handshake, alert, and application data) are fragmented, multiplexed, and encrypted with optional padding to hide their lengths. Conversely, the sub-protocols may provide fresh keys or signal stream termination to the record layer.

Compared to prior versions, TLS 1.3 discards obsolete schemes in favor of a common construction for Authenticated Encryption with Associated Data (AEAD), instantiated with algorithms such as AES-GCM and ChaCha20-Poly1305. It differs from TLS 1.2 in its use of padding, associated data and nonces. It encrypts the content-type used to multiplex between sub-protocols. New protocol features such as early application data (0-RTT and 0.5-RTT) and late handshake messages require additional keys and a more general model of stateful encryption.
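As an added illustration of the record construction described above (content type encrypted inside the AEAD payload, zero padding to hide lengths, the record header as associated data, and nonces derived from a sequence number), here is a constructed Go example using AES-128-GCM from the standard library. It is not the paper's F* code and assumes the traffic key and write IV have already been derived by the key schedule.

```go
package main
import ("crypto/aes"; "crypto/cipher"; "encoding/binary"; "errors")

// RecordKey holds one direction's AES-128-GCM traffic key state (RFC 8446 §5).
type RecordKey struct {
	aead cipher.AEAD
	iv   []byte // 12-byte write_iv from the key schedule (assumed given)
	seq  uint64 // record sequence number, never reused under one key
}

func NewRecordKey(key, iv []byte) (*RecordKey, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &RecordKey{aead: aead, iv: iv}, nil
}

// nonce = (seq left-padded with zeros to iv length) XOR write_iv (§5.3).
func (k *RecordKey) nonce() []byte {
	n := make([]byte, len(k.iv))
	binary.BigEndian.PutUint64(n[len(n)-8:], k.seq)
	for i := range n { n[i] ^= k.iv[i] }
	return n
}

// Seal encrypts TLSInnerPlaintext = content || type || zeros[pad] and returns
// header(23, 0x0303, length) || encrypted_record; the header is the AAD.
func (k *RecordKey) Seal(ctype byte, content []byte, pad int) ([]byte, error) {
	inner := append(append(append([]byte{}, content...), ctype), make([]byte, pad)...)
	clen := len(inner) + k.aead.Overhead()
	if clen > 1<<14+256 { return nil, errors.New("record_overflow") }
	hdr := []byte{23, 0x03, 0x03, byte(clen >> 8), byte(clen)}
	rec := k.aead.Seal(hdr, k.nonce(), inner, hdr)
	k.seq++ // a wrap here would require re-keying (omitted)
	return rec, nil
}

// Open authenticates and decrypts one record, then strips the zero padding:
// the last non-zero octet is the content type; an all-zero inner is an error.
func (k *RecordKey) Open(rec []byte) (byte, []byte, error) {
	if len(rec) < 5 { return 0, nil, errors.New("short record") }
	inner, err := k.aead.Open(nil, k.nonce(), rec[5:], rec[:5])
	if err != nil { return 0, nil, errors.New("bad_record_mac") }
	k.seq++ // advance only on success
	i := len(inner) - 1
	for i >= 0 && inner[i] == 0 { i-- }
	if i < 0 { return 0, nil, errors.New("unexpected_message") }
	return inner[i], inner[:i], nil
}
```

Sender and receiver each keep their own RecordKey for one direction, so the sequence numbers stay in step; any header tampering or reordering changes the AAD or nonce and fails authentication.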

We build and verify a reference implementation of the TLS record layer and its cryptographic algorithms in F*, a dependently typed language where security and functional guarantees can be specified as pre- and post-conditions. We reduce the high-level security of the record layer to cryptographic assumptions on its ciphers. Each step in the reduction is verified by typing an F* module; when the step incurs a security loss, this module precisely captures the corresponding game-based security assumption.

We first verify the functional correctness and injectivity properties of our implementations of one-time MAC algorithms (Poly1305 and GHASH) and provide a generic proof of their security given these properties. We show the security of AEAD given any secure one-time MAC and PRF. We extend AEAD, first to stream encryption, then to length-hiding, multiplexed encryption. Finally, we build a security model of the record layer against an adversary that controls the TLS sub-protocols. We compute concrete security bounds for the AES-GCM and ChaCha20-Poly1305 ciphersuites, and derive recommended limits on sent data before re-keying. Combining our functional correctness and security results, we obtain the first verified implementations of the main TLS 1.3 record ciphers.

We plug our implementation of the record layer into an existing TLS library and confirm that the combination interoperates with Chrome and Firefox, and thus that experimentally the new TLS record layer (as described in RFCs and cryptographic standards) is provably secure.

Category / Keywords: cryptographic protocols / implementation, provable security, transport layer security

Date: received 23 Dec 2016, last revised 30 Dec 2016

Contact author: karthikeyan bhargavan at inria fr

Version: 20161230:194418

Short URL: ia.cr/2016/1178
