Paper 2022/246

On the Concrete Security of TLS 1.3 PSK Mode

Hannah Davis, Denis Diemert, Felix Günther, and Tibor Jager

Abstract

The pre-shared key (PSK) handshake modes of TLS 1.3 allow for the performant, low-latency resumption of previous connections and are widely used on the Web and by resource-constrained devices, e.g., in the Internet of Things. Taking advantage of these performance benefits with optimal and theoretically-sound parameters requires tight security proofs. We give the first tight security proofs for the TLS 1.3 PSK handshake modes. Our main technical contribution is to address a gap in prior tight security proofs of TLS 1.3 which modeled either the entire key schedule or components thereof as independent random oracles to enable tight proof techniques. These approaches ignore existing interdependencies in TLS 1.3's key schedule, arising from the fact that the same cryptographic hash function is used in several components of the key schedule and the handshake more generally. We overcome this gap by proposing a new abstraction for the key schedule and carefully arguing its soundness via the indifferentiability framework. Interestingly, we observe that for one specific configuration, PSK-only mode with hash function SHA-384, it seems difficult to argue indifferentiability due to a lack of domain separation between the various hash function usages. We view this as an interesting insight for the design of protocols, such as future TLS versions. For all other configurations however, our proofs significantly tighten the security of the TLS 1.3 PSK modes, confirming standardized parameters (for which prior bounds provided subpar or even void guarantees) and enabling a theoretically-sound deployment.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
A major revision of an IACR publication in EUROCRYPT 2022
Keywords
key exchangeindifferentiabilitytightnessTransport Layer SecurityTLS 1.3
Contact author(s)
h3davis @ eng ucsd edu
denis diemert @ uni-wuppertal de
mail @ felixguenther info
tibor jager @ uni-wuppertal de
History
2022-03-02: received
Short URL
https://ia.cr/2022/246
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/246,
      author = {Hannah Davis and Denis Diemert and Felix Günther and Tibor Jager},
      title = {On the Concrete Security of TLS 1.3 PSK Mode},
      howpublished = {Cryptology ePrint Archive, Paper 2022/246},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/246}},
      url = {https://eprint.iacr.org/2022/246}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.