Paper 2021/467

Key-schedule Security for the TLS 1.3 Standard

Chris Brzuska, Antoine Delignat-Lavaud, Christoph Egger, Cédric Fournet, Konrad Kohbrok, and Markulf Kohlweiss

Abstract

We analyze the security of the TLS 1.3 key establishment protocol, as specified at the end of its rigorous standardization process. We define a core key-schedule and reduce its security to concrete assumptions against an adversary that controls client and server configurations and adaptively chooses some of their keys. Our model supports all key derivations featured in the standard, including its negotiated modes and algorithms that combine an optional Diffie-Hellman exchange for forward secrecy with optional pre-shared keys supplied by the application or recursively established in prior sessions. We show that the output keys are secure as soon as any of their input key materials are. Our compositional, code-based proof makes use of state separation to yield concrete reductions despite the complexity of the key schedule. We also discuss (late) changes to the standard that would improve its robustness and simplify its analysis.

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Preprint. MINOR revision.
Keywords: TLS, key schedule, concrete security, agility, key exchange, expand, extract, state separation, composable security, real world protocols, protocols, protocol analysis
Contact author(s):
chris brzuska @ aalto fi
antdl @ microsoft com
christoph egger @ fau de
fournet @ microsoft com
mkohlwei @ ed ac uk
konrad kohbrok @ aalto fi
History: 2021-04-12: received
Short URL: https://ia.cr/2021/467
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2021/467,
      author = {Chris Brzuska and Antoine Delignat-Lavaud and Christoph Egger and Cédric Fournet and Konrad Kohbrok and Markulf Kohlweiss},
      title = {Key-schedule Security for the {TLS} 1.3 Standard},
      howpublished = {Cryptology {ePrint} Archive, Paper 2021/467},
      year = {2021},
      url = {https://eprint.iacr.org/2021/467}
}