A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates

Benjamin Dowling, Marc Fischlin, Felix Günther, and Douglas Stebila

Abstract

The Internet Engineering Task Force (IETF) is currently developing the next version of the Transport Layer Security (TLS) protocol, version 1.3. The transparency of this standardization process allows comprehensive cryptographic analysis of the protocols prior to adoption, whereas previous TLS versions have been scrutinized in the cryptographic literature only after standardization. Here we look at two related, yet slightly different candidates which were in discussion for TLS 1.3 at the point of writing of the main part of the paper in May 2015, called draft-ietf-tls-tls13-05 and draft-ietf-tls-tls13-dh-based. We give a cryptographic analysis of the primary ephemeral Diffie-Hellman-based handshake protocol, which authenticates parties and establishes encryption keys, of both TLS 1.3 candidates. We show that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare-Rogaway model. Such a multi-stage approach is convenient for analyzing the design of the candidates, as they establish multiple session keys during the exchange. An important step in our analysis is to consider compositional security guarantees. We show that, since our multi-stage key exchange security notion is composable with arbitrary symmetric-key protocols, the use of session keys in the record layer protocol is safe. Moreover, since we can view the abbreviated TLS resumption procedure also as a symmetric-key protocol, our compositional analysis allows us to directly conclude security of the combined handshake with session resumption. We include a discussion on several design characteristics of the TLS 1.3 drafts based on the observations in our analysis.

Note: Corrected proofs using PRF-ODH assumption

Available format(s)
Category
Cryptographic protocols
Publication info
Published elsewhere. MAJOR revision.22nd ACM Conference on Computer and Communications Security (CCS 2015)
DOI
10.1145/2810103.2813653
Keywords
Transport Layer Security (TLS)key exchangeprotocol analysiscomposition
Contact author(s)
History
2017-01-31: last of 2 revisions
See all versions
Short URL
https://ia.cr/2015/914

CC BY

BibTeX

@misc{cryptoeprint:2015/914,
author = {Benjamin Dowling and Marc Fischlin and Felix Günther and Douglas Stebila},
title = {A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates},
howpublished = {Cryptology ePrint Archive, Paper 2015/914},
year = {2015},
doi = {10.1145/2810103.2813653},
note = {\url{https://eprint.iacr.org/2015/914}},
url = {https://eprint.iacr.org/2015/914}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.