[TLS] A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates
Felix Günther <guenther@cs.tu-darmstadt.de> Wed, 23 September 2015 07:38 UTC
Return-Path: <guenther@cs.tu-darmstadt.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EDDB1A7001 for <tls@ietfa.amsl.com>; Wed, 23 Sep 2015 00:38:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.639
X-Spam-Level:
X-Spam-Status: No, score=0.639 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xAY_5zV40mSu for <tls@ietfa.amsl.com>; Wed, 23 Sep 2015 00:38:37 -0700 (PDT)
Received: from lnx503.hrz.tu-darmstadt.de (mail-relay07.hrz.tu-darmstadt.de [130.83.156.231]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75F7D1A6F8E for <tls@ietf.org>; Wed, 23 Sep 2015 00:38:37 -0700 (PDT)
Received: from smtp.tu-darmstadt.de (lnx505.hrz.tu-darmstadt.de [130.83.156.234]) by lnx503.hrz.tu-darmstadt.de (8.14.4/8.14.4/HRZ/PMX) with ESMTP id t8N7cXhp003505; Wed, 23 Sep 2015 09:38:34 +0200 (envelope-from guenther@cs.tu-darmstadt.de)
Received: from [130.83.239.22] by smtp.tu-darmstadt.de with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69) (envelope-from <guenther@cs.tu-darmstadt.de>) id 1ZeedN-0000Yu-Rr; Wed, 23 Sep 2015 09:38:33 +0200
To: tls@ietf.org
From: Felix Günther <guenther@cs.tu-darmstadt.de>
Openpgp: id=2BAE4A6F7946461B700161B352AF0200D3F1700E; url=http://www.felixguenther.info/publickey.asc
X-Enigmail-Draft-Status: N1010
Message-ID: <560256F9.6060107@cs.tu-darmstadt.de>
Date: Wed, 23 Sep 2015 09:38:33 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-PMX-TU: seen v1.2 by 5.6.1.2065439, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2015.9.23.73017
X-PMX-RELAY: outgoing
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/cgc7cqEYvZJjw56WSr8_xP9gDIM>
Subject: [TLS] A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2015 07:38:40 -0000
Dear all, In a recent work, we analyzed the ephemeral Diffie--Hellman-based handshake protocol in two drafts of TLS 1.3 which were available at the time of our research project in May: draft-ietf-tls-tls13-05 as well as the variant proposal draft-ietf-tls-tls13-dh-based (https://github.com/ekr/tls13-spec/blob/ietf92_materials/draft-ietf-tls-tls13-dh-based.txt). At this point in time, these have been integrated into the latest draft 08. Our research paper will be published at the ACM Conference on Computer and Communications Security (CCS 2015) in October; a full version is now available in the IACR Cryptology ePrint Archive (https://eprint.iacr.org/2015/914). We show that, for both drafts, the full and resumption handshakes achieve the main goal of providing secure authenticated key exchange in a "multi-stage" setting using a game-based approach toward provable security (in the style of Bellare and Rogaway). On a high level, this means that the handshakes establish record layer keys, resumption keys, and exporter keys that look random to an adversary. This holds with sessions that run concurrently and if the adversary controls the whole network, is able to corrupt the long-term secret keys of other parties, and allowed to reveal keys established in other sessions, thus providing quite strong security guarantees for practice. Moreover, we show that even leakage of record layer or exporter keys in the same handshake session do not compromise each other's security. Our results hold based on standard cryptographic assumptions, namely collision resistance of hash functions, unforgeability of signatures, pseudorandomness of the key derivation function, and the Decisional Diffie--Hellman assumption, and without resorting to an idealized model such as the random oracle model. Before sharing some technical insights and comments arising from our work, let us shortly state precisely the scope of our work: * TLS 1.3 of course is still a work in progress, hence our analysis is inevitably limited to the draft specifications at the time of writing and should hence be considered as a contribution to the ongoing discussion rather than a definitive analysis of TLS 1.3. * Our work focuses on the full and resumption handshakes, but does not capture 0-RTT handshakes which were still un(der)specified at the time of writing. * We do not analyze the record layer protocol (which is outside of the scope of this work, and has been worked on by others), but rather follow a compositional approach by showing that the full handshake securely composes with any symmetric-key protocol. Extending this result to encompass also the (non-forward-secret) resumption handshake is left for future work due to a technicality in the compositional framework that depends on forward secrecy. Our main comments can be summarized as follows (see Section 3 of our paper for a more detailed version): 1. Soundness of key separation Using separate keys for the encryption of handshake messages and application data (compared with previous versions of TLS that encrypted the Finished messages using the session key) allows the protocol to achieve standard key secrecy/indistinguishability notions using standard cryptographic assumptions (i.e., DDH rather than PRF-ODH). 2. Key independence The key schedule which derives each output key (in particular the two traffic keys) through an application of the key derivation function with a unique label/info input allows us to prove that these keys are computationally independent: neither is affected by the other's compromise. This in particular contributes to the compositional approach of treating the (security of the) handshake and record layer separately. 3. Session hash in online signatures Including the full transcript/session hash in the CertificateVerify signature makes the security proof easier and contributes to establishing security based on standard assumptions. 4. Encryption of handshake messages The handshake traffic key is secure against passive adversaries and hence encryption within the handshake can indeed increase privacy. We confirm that this approach does not have negative effects on the main key secrecy/indistinguishability goal of the key exchange. While our paper addresses older drafts (draft-05 and draft-dh), we expect that our analysis of the full handshake in draft-dh can be adapted to cover the full handshake in the latest draft-08 version. As the handshake stabilizes, we hope to update our work. At this point in time, we hope that our analysis can provide some cryptographic insights for the so-far achieved and further development of TLS 1.3. We welcome your comments and suggestions. Benjamin Dowling, Marc Fischlin, Felix Günther, and Douglas Stebila (Queensland University of Technology and Technische Universität Darmstadt)
- [TLS] A Cryptographic Analysis of the TLS 1.3 Han… Felix Günther