Paper 2008/236

A Modular Security Analysis of the TLS Handshake Protocol

P. Morrissey, N. P. Smart, and B. Warinschi


We study the security of the widely deployed Secure Session Layer/Transport Layer Security (TLS) key agreement protocol. Our analysis identifies, justifies, and exploits the modularity present in the design of the protocol: the {\em application keys} offered to higher level applications are obtained from a {\em master key}, which in turn is derived, through interaction, from a {\em pre-master key}. Our first contribution consists of formal models that clarify the security level enjoyed by each of these types of keys. The models that we provide fall under well established paradigms in defining execution, and security notions. We capture the realistic setting where only one of the two parties involved in the execution of the protocol (namely the server) has a certified public key, and where the same master key is used to generate multiple application keys. The main contribution of the paper is a modular and generic proof of security for the application keys established through the TLS protocol. We show that the transformation used by TLS to derive master keys essentially transforms an {\em arbitrary} secure pre-master key agreement protocol into a secure master-key agreement protocol. Similarly, the transformation used to derive application keys works when applied to an arbitrary secure master-key agreement protocol. These results are in the random oracle model. The security of the overall protocol then follows from proofs of security for the basic pre-master key generation protocols employed by TLS.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Unknown where it was published
Key Agreement
Contact author(s)
nigel @ cs bris ac uk
2008-06-02: last of 2 revisions
2008-05-26: received
See all versions
Short URL
Creative Commons Attribution


      author = {P.  Morrissey and N. P. Smart and B.  Warinschi},
      title = {A Modular Security Analysis of the TLS Handshake Protocol},
      howpublished = {Cryptology ePrint Archive, Paper 2008/236},
      year = {2008},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.