[TLS] A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates
Felix Günther <guenther@cs.tu-darmstadt.de> Wed, 23 September 2015 07:38 UTC
Dear all,

In a recent work, we analyzed the ephemeral Diffie--Hellman-based handshake protocol in two drafts of TLS 1.3 which were available at the time of our research project in May: draft-ietf-tls-tls13-05 as well as the variant proposal draft-ietf-tls-tls13-dh-based (https://github.com/ekr/tls13-spec/blob/ietf92_materials/draft-ietf-tls-tls13-dh-based.txt). At this point in time, these have been integrated into the latest draft 08.

Our research paper will be published at the ACM Conference on Computer and Communications Security (CCS 2015) in October; a full version is now available in the IACR Cryptology ePrint Archive (https://eprint.iacr.org/2015/914).

We show that, for both drafts, the full and resumption handshakes achieve the main goal of providing secure authenticated key exchange in a "multi-stage" setting, using a game-based approach toward provable security (in the style of Bellare and Rogaway). On a high level, this means that the handshakes establish record layer keys, resumption keys, and exporter keys that look random to an adversary. This holds with sessions that run concurrently and if the adversary controls the whole network, is able to corrupt the long-term secret keys of other parties, and is allowed to reveal keys established in other sessions, thus providing quite strong security guarantees for practice. Moreover, we show that even leakage of record layer or exporter keys in the same handshake session does not compromise the other's security. Our results hold based on standard cryptographic assumptions, namely collision resistance of hash functions, unforgeability of signatures, pseudorandomness of the key derivation function, and the Decisional Diffie--Hellman assumption, and without resorting to an idealized model such as the random oracle model.

Before sharing some technical insights and comments arising from our work, let us shortly state precisely the scope of our work:

* TLS 1.3 of course is still a work in progress, hence our analysis is inevitably limited to the draft specifications at the time of writing and should hence be considered as a contribution to the ongoing discussion rather than a definitive analysis of TLS 1.3.

* Our work focuses on the full and resumption handshakes, but does not capture 0-RTT handshakes, which were still un(der)specified at the time of writing.

* We do not analyze the record layer protocol (which is outside of the scope of this work, and has been worked on by others), but rather follow a compositional approach by showing that the full handshake securely composes with any symmetric-key protocol. Extending this result to encompass also the (non-forward-secret) resumption handshake is left for future work due to a technicality in the compositional framework that depends on forward secrecy.

Our main comments can be summarized as follows (see Section 3 of our paper for a more detailed version):

1. Soundness of key separation
   Using separate keys for the encryption of handshake messages and application data (compared with previous versions of TLS, which encrypted the Finished messages using the session key) allows the protocol to achieve standard key secrecy/indistinguishability notions using standard cryptographic assumptions (i.e., DDH rather than PRF-ODH).

2. Key independence
   The key schedule, which derives each output key (in particular the two traffic keys) through an application of the key derivation function with a unique label/info input, allows us to prove that these keys are computationally independent: neither is affected by the other's compromise. This in particular contributes to the compositional approach of treating the (security of the) handshake and record layer separately.

3. Session hash in online signatures
   Including the full transcript/session hash in the CertificateVerify signature makes the security proof easier and contributes to establishing security based on standard assumptions.

4. Encryption of handshake messages
   The handshake traffic key is secure against passive adversaries and hence encryption within the handshake can indeed increase privacy. We confirm that this approach does not have negative effects on the main key secrecy/indistinguishability goal of the key exchange.

While our paper addresses older drafts (draft-05 and draft-dh), we expect that our analysis of the full handshake in draft-dh can be adapted to cover the full handshake in the latest draft-08 version. As the handshake stabilizes, we hope to update our work. At this point in time, we hope that our analysis can provide some cryptographic insights for the so-far achieved and further development of TLS 1.3.

We welcome your comments and suggestions.

Benjamin Dowling, Marc Fischlin, Felix Günther, and Douglas Stebila
(Queensland University of Technology and Technische Universität Darmstadt)