CryptoDB
Christoph Egger
Publications
Year
Venue
Title
2022
ASIACRYPT
Key-schedule Security for the TLS 1.3 Standard
Abstract
Transport Layer Security (TLS) is the cryptographic backbone of secure communication on the Internet. In its latest version 1.3, the standardization process has taken formal analysis into account both due to the importance of the protocol and the experience with conceptual attacks against previous versions. To manage the complexity of TLS (the specification exceeds 100 pages), prior reduction-based analyses have focused on some protocol features and omitted others, e.g., included session resumption and omitted agile algorithms or vice versa. This article is a major step towards analysing the TLS 1.3 key establishment protocol as specified at the end of its rigorous standardization process. Namely, we provide a full proof of the TLS key schedule, a core protocol component which produces output keys and internal keys of the key exchange protocol. In particular, our model supports all key derivations featured in the standard, including its negotiated modes and algorithms that combine an optional Diffie-Hellman exchange for forward secrecy with optional pre-shared keys supplied by the application or recursively established in prior sessions. Technically, we rely on state-separating proofs (Asiacrypt '18) and introduce techniques to model large and complex derivation graphs. Our key schedule analysis techniques have been used subsequently to analyse the key schedule of Draft 11 of the MLS protocol (S&P'22) and to propose improvements.
Coauthors
- Chris Brzuska (1)
- Antoine Delignat-Lavaud (1)
- Cédric Fournet (1)
- Konrad Kohbrok (1)
- Markulf Kohlweiss (1)