
Modelling ciphersuite and version negotiation in the TLS protocol. (English) Zbl 1368.94096

Foo, Ernest (ed.) et al., Information security and privacy. 20th Australasian conference, ACISP 2015, Brisbane, QLD, Australia, June 29 – July 1, 2015. Proceedings. Cham: Springer (ISBN 978-3-319-19961-0/pbk; 978-3-319-19962-7/ebook). Lecture Notes in Computer Science 9144, 270-288 (2015).
Summary: Real-world cryptographic protocols such as the widely used Transport Layer Security (TLS) protocol support many different combinations of cryptographic algorithms (called ciphersuites) and simultaneously support different versions. Recent advances in provable security have shown that most modern TLS ciphersuites are secure authenticated and confidential channel establishment (ACCE) protocols, but these analyses generally focus on single ciphersuites in isolation. In this paper we extend the ACCE model to cover protocols with many different sub-protocols, capturing both multiple ciphersuites and multiple versions, and define a security notion for secure negotiation of the optimal sub-protocol. We give a generic theorem that shows how secure negotiation follows, with some additional conditions, from the authentication property of secure ACCE protocols. Using this framework, we analyse the security of ciphersuite and three variants of version negotiation in TLS, including a recently proposed mechanism for detecting fallback attacks.
For the entire collection see [Zbl 1314.94007].
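The "recently proposed mechanism for detecting fallback attacks" in the summary is the TLS_FALLBACK_SCSV signal (the Internet-Draft that became RFC 7507). The following is an added example, not code from the paper or its authors: a simplified Python model of TLS 1.2-era negotiation in which the server picks the highest common version and the server-preferred common ciphersuite, the client performs the browser-style fallback retry, and the server applies the SCSV check. It shows why a downgrade by an active attacker is detected while a genuine fallback to a version-intolerant legacy server still succeeds. The `ClientHello`/`ServerHello` dataclasses, the `Network` callback and the `drops_above` wrapper are illustrative assumptions; the ciphersuite code points are real IANA values used as sample input.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Added example, not from the paper: toy model of TLS version/ciphersuite
# negotiation with the TLS_FALLBACK_SCSV downgrade signal of RFC 7507.
# Message structures and the Network callback are assumptions.

Version = Tuple[int, int]                  # (major, minor) as on the wire
SSL30, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
TLS_FALLBACK_SCSV = 0x5600                 # RFC 7507 signalling value

# Real IANA ciphersuite code points, used here as sample input.
ECDHE_RSA_AES128_CBC_SHA = 0xC013
RSA_AES128_CBC_SHA = 0x002F
RSA_RC4_128_SHA = 0x0005


@dataclass
class ClientHello:
    version: Version          # highest version the client is willing to use
    ciphersuites: List[int]   # client preference order, SCSV appended on retry


@dataclass
class ServerHello:
    version: Version
    ciphersuite: int


class TlsAlert(Exception):
    """Fatal alert; the message names the TLS alert description."""


def server_negotiate(hello: ClientHello, versions: List[Version],
                     suites: List[int]) -> ServerHello:
    """Server side: highest common version, server-preferred common suite."""
    highest = max(versions)
    # RFC 7507: the client says it fell back, yet offers less than we
    # support, so an earlier (higher) handshake was blocked in transit.
    if TLS_FALLBACK_SCSV in hello.ciphersuites and hello.version < highest:
        raise TlsAlert("inappropriate_fallback")
    common = [v for v in versions if v <= hello.version]
    if not common:
        raise TlsAlert("protocol_version")
    offered = set(hello.ciphersuites) - {TLS_FALLBACK_SCSV}
    # The server's preference order decides, not the client's.
    suite = next((s for s in suites if s in offered), None)
    if suite is None:
        raise TlsAlert("handshake_failure")
    return ServerHello(max(common), suite)


Network = Callable[[ClientHello], ServerHello]   # hypothetical transport


def client_connect(versions: List[Version], suites: List[int],
                   network: Network,
                   signal_fallback: bool = True) -> Optional[ServerHello]:
    """Client 'fallback dance': after a connection failure retry with the
    next-lower version, appending the SCSV when signal_fallback is set."""
    for attempt, version in enumerate(sorted(versions, reverse=True)):
        offer = list(suites)
        if attempt > 0 and signal_fallback:
            offer.append(TLS_FALLBACK_SCSV)
        try:
            return network(ClientHello(version, offer))
        except ConnectionError:
            continue    # the client cannot tell a middlebox from an attacker
    return None


def server(versions: List[Version], suites: List[int]) -> Network:
    return lambda hello: server_negotiate(hello, versions, suites)


def drops_above(inner: Network, ceiling: Version) -> Network:
    """Drop any ClientHello offering more than `ceiling`. Models both a
    version-intolerant legacy server and an active downgrade attacker."""
    def relay(hello: ClientHello) -> ServerHello:
        if hello.version > ceiling:
            raise ConnectionError("handshake dropped")
        return inner(hello)
    return relay


def negotiate_or_alert(network: Network, signal_fallback: bool = True):
    """Run a fixed client against `network`; return ServerHello or alert name."""
    client_versions = [TLS12, TLS11, TLS10]
    client_suites = [RSA_RC4_128_SHA, ECDHE_RSA_AES128_CBC_SHA, RSA_AES128_CBC_SHA]
    try:
        return client_connect(client_versions, client_suites, network, signal_fallback)
    except TlsAlert as alert:
        return str(alert)


# Constructed peers: a modern server, a TLS 1.0-only intolerant server, and
# the modern server behind an attacker who blocks TLS 1.1/1.2 handshakes.
MODERN = server([TLS10, TLS11, TLS12], [ECDHE_RSA_AES128_CBC_SHA, RSA_AES128_CBC_SHA])
LEGACY = drops_above(server([SSL30, TLS10], [RSA_AES128_CBC_SHA, RSA_RC4_128_SHA]), TLS10)
ATTACKED = drops_above(MODERN, TLS10)

if __name__ == "__main__":
    print("honest:       ", negotiate_or_alert(MODERN))
    print("legacy:       ", negotiate_or_alert(LEGACY))
    print("attack, SCSV: ", negotiate_or_alert(ATTACKED))
    print("attack, none: ", negotiate_or_alert(ATTACKED, signal_fallback=False))
```

Against `MODERN` the client lands on TLS 1.2 with the server's preferred suite even though the client listed RC4 first; against `LEGACY` the fallback to TLS 1.0 carries the SCSV but is accepted because TLS 1.0 is that server's maximum; against `ATTACKED` the same TLS 1.0 hello reaches a server that knows it supports TLS 1.2, so it aborts with `inappropriate_fallback`, whereas a client that does not send the signal is silently downgraded. The model deliberately omits everything the paper's ACCE treatment covers (key exchange, record-layer protection, and the authentication that binds the negotiated parameters into the Finished messages).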

MSC:

94A60 Cryptography
68M12 Network protocols
