**On the Security of TLS-DHE in the Standard Model**

Tibor Jager (Ruhr-University, Germany)

Florian Kohlar (Ruhr-University, Germany)

Sven Schäge (University College London, UK)

Jörg Schwenk (Ruhr-University, Germany)

**Abstract:**

TLS is the most important cryptographic protocol in use today. However, up to
now there is no complete cryptographic security proof in the standard model, nor in any other model. We give the first such proof for
the core cryptographic protocol of TLS cipher suites
based on ephemeral Diffie-Hellman key exchange
(TLS-DHE), which include the cipher suite
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA mandatory in TLS 1.0 and TLS
1.1. It is impossible to prove security of the TLS Handshake protocol in any
classical key-indistinguishability-based security
model (like for instance the Bellare-Rogaway or the
Canetti-Krawczyk model), due to subtle issues with
the encryption of the final Finished messages. Therefore we start with
proving the security of a truncated version of the TLS-DHE Handshake
protocol, which has been considered in previous works on TLS. Then we define
the notion of authenticated and confidential channel establishment (ACCE) as
a new security model which captures precisely the security properties
expected from TLS in practice, and show that the combination of the TLS
Handshake with data encryption in the TLS Record Layer can be proven secure
in this model.
