### On the Security of TLS-DHE in the Standard Model

Tibor Jager, Florian Kohlar, Sven Schäge, and Jörg Schwenk

##### Abstract

TLS is the most important cryptographic protocol in use today. However, up to now there is no complete cryptographic security proof in the standard model, nor in any other model. We give the first such proof for the core cryptographic protocol of TLS ciphersuites based on ephemeral Diffie-Hellman key exchange (TLS-DHE), which include the cipher suite TLS DHE DSS WITH 3DES EDE CBC SHA mandatory in TLS 1.0 and TLS 1.1. It is impossible to prove security of the TLS Handshake in any classical key-indistinguishability-based security model (like e.g. the Bellare-Rogaway or the Canetti-Krawczyk model), due to subtle issues with the encryption of the final Finished messages of the TLS Handshake. Therefore we start with proving the security of a truncated version of the TLS Handshake protocol, which has also been considered in previous work on TLS. Then we define the notion of authenticated and confidential channel establishment (ACCE) as a new security model which captures precisely the security properties expected from TLS in practice, and show that the combination of the TLS Handshake protocol with the TLS Record Layer can be proven secure in this model.

Note: Fixed a notational issue concerning the encryption of the Finished messages.

Available format(s)
Category
Cryptographic protocols
Publication info
Published elsewhere. Crypto 2012
Keywords
Authenticated key agreementSSLTLSprovable securityephemeral Diffie-Hellman
Contact author(s)
tibor jager @ rub de
History
2013-02-20: last of 19 revisions
See all versions
Short URL
https://ia.cr/2011/219

CC BY

BibTeX

@misc{cryptoeprint:2011/219,
author = {Tibor Jager and Florian Kohlar and Sven Schäge and Jörg Schwenk},
title = {On the Security of TLS-DHE in the Standard Model},
howpublished = {Cryptology ePrint Archive, Paper 2011/219},
year = {2011},
note = {\url{https://eprint.iacr.org/2011/219}},
url = {https://eprint.iacr.org/2011/219}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.