Cryptology ePrint Archive: Report 2018/634

Partially specified channels: The TLS 1.3 record layer without elision

Christopher Patton and Thomas Shrimpton

Abstract: We advance the study of secure stream-based channels (Fischlin et al., CRYPTO 15) by considering the multiplexing of many data streams over a single channel, an essential feature of real world protocols such as TLS. Our treatment adopts the definitional perspective of Rogaway and Stegers (CSF 09), which offers an elegant way to reason about what standardizing documents actually provide: a partial specification of a protocol that admits a collection of compliant, fully realized implementations. We formalize partially specified channels as the component algorithms of two parties communicating over a channel. Each algorithm has an oracle that provides specification details; the algorithms abstract the things that must be explicitly specified, while the oracle abstracts the things that need not be. Our security notions, which capture a variety of privacy and integrity goals, allow the adversary to respond to these oracle queries; security relative to these notions implies that the channel withstands attacks in the presence of worst-case (i.e., adversarial) realizations of the specification details. We apply this framework to a formal treatment of the TLS 1.3 record and, in doing so, show that its security hinges crucially upon details left unspecified by the standard.

Category / Keywords: provable security, cryptographic standards, TLS 1.3, stream-based 91 channels, partially specified protocols

Original Publication (with minor differences): 10.1145/3243734.3243789

Date: received 26 Jun 2018, last revised 18 Aug 2018

Contact author: cjpatton at ufl edu

Available format(s): PDF | BibTeX Citation

Note: This version reflects revisions made for publication at CCS 2018.

Version: 20180818:064156 (All versions of this report)

Short URL: ia.cr/2018/634


[ Cryptology ePrint archive ]