Cryptology ePrint Archive: Report 2015/914

A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates

Benjamin Dowling and Marc Fischlin and Felix Günther and Douglas Stebila

Abstract: The Internet Engineering Task Force (IETF) is currently developing the next version of the Transport Layer Security (TLS) protocol, version 1.3. The transparency of this standardization process allows comprehensive cryptographic analysis of the protocols prior to adoption, whereas previous TLS versions have been scrutinized in the cryptographic literature only after standardization. Here we look at two related, yet slightly different candidates which were in discussion for TLS 1.3 at the point of writing of the main part of the paper in May 2015, called draft-ietf-tls-tls13-05 and draft-ietf-tls-tls13-dh-based.

We give a cryptographic analysis of the primary ephemeral Diffie-Hellman-based handshake protocol, which authenticates parties and establishes encryption keys, of both TLS 1.3 candidates. We show that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare-Rogaway model. Such a multi-stage approach is convenient for analyzing the design of the candidates, as they establish multiple session keys during the exchange.

An important step in our analysis is to consider compositional security guarantees. We show that, since our multi-stage key exchange security notion is composable with arbitrary symmetric-key protocols, the use of session keys in the record layer protocol is safe. Moreover, since we can view the abbreviated TLS resumption procedure also as a symmetric-key protocol, our compositional analysis allows us to directly conclude security of the combined handshake with session resumption.

We include a discussion on several design characteristics of the TLS 1.3 drafts based on the observations in our analysis.

Category / Keywords: cryptographic protocols / Transport Layer Security (TLS), key exchange, protocol analysis, composition

Original Publication (with major differences): 22nd ACM Conference on Computer and Communications Security (CCS 2015)

Date: received 20 Sep 2015, last revised 31 Jan 2017

Contact author: guenther at cs tu-darmstadt de

Available format(s): PDF | BibTeX Citation

Note: Corrected proofs using PRF-ODH assumption

Version: 20170131:130513 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]