Proving the TLS Handshake Secure (as it is)

Abstract : The TLS Internet Standard features a mixed bag of cryptographic algorithms and constructions, letting clients and servers negotiate their use for each run of the handshake. Although many ciphersuites are now well-understood in isolation, their composition remains problematic, and yet it is critical to obtain practical security guarantees for TLS, as all mainstream implementations support multiple related runs of the handshake and share keys between algorithms. We study the provable security of the TLS handshake, as it is implemented and deployed. To capture the details of the standard and its main extensions, we rely on miTLS, a verified reference implementation of the protocol. We propose new agile security definitions and assumptions for the signatures, key encapsulation mechanisms (KEM), and key derivation algorithms used by the TLS handshake. To validate our model of key encapsulation, we prove that both RSA and Diffie-Hellman ciphersuites satisfy our definition for the KEM. In particular, we formalize the use of PKCS#1v1.5 and build a 3,000-line EasyCrypt proof of the security of the resulting KEM against replayable chosen-ciphertext attacks under the assumption that ciphertexts are hard to re-randomize. Based on our new agile definitions, we construct a modular proof of security for the miTLS reference implementation of the handshake, including ciphersuite negotiation, key exchange, renegotiation, and resumption, treated as a detailed 3,600-line executable model. We present our main definitions, constructions, and proofs for an abstract model of the protocol, featuring series of related runs of the handshake with different ciphersuites. We also describe its refinement to account for the whole reference implementation, based on automated verification tools.
Type de document :
Communication dans un congrès
Juan A. Garay; Rosario Gennaro. CRYPTO 2014, Aug 2014, Santa Barbara, United States. Springer, 8617, pp.235-255, 2014, Lecture Notes in Computer Science. 〈10.1007/978-3-662-44381-1_14〉
Liste complète des métadonnées

Littérature citée [60 références]  Voir  Masquer  Télécharger

https://hal.inria.fr/hal-01102229
Contributeur : Bruno Blanchet <>
Soumis le : vendredi 15 avril 2016 - 04:43:08
Dernière modification le : vendredi 25 mai 2018 - 12:02:06
Document(s) archivé(s) le : samedi 16 juillet 2016 - 10:45:44

Fichier

182.pdf
Fichiers produits par l'(les) auteur(s)

Identifiants

Collections

Citation

Karthikeyan Bhargavan, Cédric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub, et al.. Proving the TLS Handshake Secure (as it is). Juan A. Garay; Rosario Gennaro. CRYPTO 2014, Aug 2014, Santa Barbara, United States. Springer, 8617, pp.235-255, 2014, Lecture Notes in Computer Science. 〈10.1007/978-3-662-44381-1_14〉. 〈hal-01102229〉

Partager

Métriques

Consultations de la notice

402

Téléchargements de fichiers

321