Paper 2013/339

On the Security of the TLS Protocol: A Systematic Analysis

Hugo Krawczyk, Kenneth G. Paterson, and Hoeteck Wee

Abstract

TLS is the most widely used cryptographic protocol on the Internet. It comprises the TLS Handshake Protocol, responsible for authentication and key establishment, and the TLS Record Protocol, which takes care of the subsequent use of those keys to protect bulk data. TLS has proved remarkably resistant to analysis using the tools of modern cryptography, due in part to its complexity and its flexibility. In this paper, we present the most complete analysis to date of the TLS Handshake Protocol and its application to data encryption (in the Record Protocol). We show how to extract a key-encapsulation mechanism (KEM) from the TLS Handshake Protocol, and how the security of the entire TLS protocol follows from security properties of this KEM when composed with a secure authenticated encryption scheme in the Record Protocol. The security notion we achieve is a variant of the ACCE notion recently introduced by Jager et al. (Crypto ’12). Our approach enables us to analyse multiple different key establishment methods in a modular fashion, including the first proof of the most common deployment mode, which is based on RSA PKCS #1 v1.5 encryption, as well as Diffie-Hellman modes. Our results can be applied to settings where mutual authentication is provided and to the more common situation where only server authentication is applied.

Note: Preliminary full version of a CRYPTO 2013 paper.

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Published elsewhere. Preliminary full version of a CRYPTO 2013 paper.
Contact author(s): hoeteck @ alum mit edu
History:
2014-02-09: last of 2 revisions
2013-06-07: received
Short URL: https://ia.cr/2013/339
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2013/339,
      author = {Hugo Krawczyk and Kenneth G. Paterson and Hoeteck Wee},
      title = {On the Security of the TLS Protocol: A Systematic Analysis},
      howpublished = {Cryptology ePrint Archive, Paper 2013/339},
      year = {2013},
      note = {\url{https://eprint.iacr.org/2013/339}},
      url = {https://eprint.iacr.org/2013/339}
}