Paper 2013/339

On the Security of the TLS Protocol: A Systematic Analysis

Hugo Krawczyk, Kenneth G. Paterson, and Hoeteck Wee


TLS is the most widely-used cryptographic protocol on the Internet. It comprises the TLS Handshake Protocol, responsible for authentication and key establishment, and the TLS Record Protocol, which takes care of subsequent use of those keys to protect bulk data. TLS has proved remarkably stubborn to analysis using the tools of modern cryptography. This is due in part to its complexity and its flexibility. In this paper, we present the most complete analysis to date of the TLS Handshake protocol and its application to data encryption (in the Record Protocol). We show how to extract a key-encapsulation mechanism (KEM) from the TLS Handshake Protocol, and how the security of the entire TLS protocol follows from security properties of this KEM when composed with a secure authenticated encryption scheme in the Record Protocol. The security notion we achieve is a variant of the ACCE notion recently introduced by Jager et al. (Crypto ’12). Our approach enables us to analyse multiple different key establishment methods in a modular fashion, including the first proof of the most common deployment mode that is based on RSA PKCS #1v1.5 encryption, as well as Diffie-Hellman modes. Our results can be applied to settings where mutual authentication is provided and to the more common situation where only server authentication is applied.

Note: Preliminary full version of a CRYPTO 2013 paper.

Cryptographic protocols
Publication info
Published elsewhere. Preliminary full version of a CRYPTO 2013 paper.
Contact author(s)
hoeteck @ alum mit edu
2014-02-09: last of 2 revisions
2013-06-07: received
Creative Commons Attribution


      author = {Hugo Krawczyk and Kenneth G.  Paterson and Hoeteck Wee},
      title = {On the Security of the {TLS} Protocol: A Systematic Analysis},
      howpublished = {Cryptology ePrint Archive, Paper 2013/339},
      year = {2013},