International Association for Cryptologic Research

Paper: Key-schedule Security for the TLS 1.3 Standard

Chris Brzuska, Aalto University
Antoine Delignat-Lavaud, Microsoft Research Cambridge, UK
Christoph Egger, IRIF, Université Paris Cité
Cédric Fournet, Microsoft Research Cambridge, UK
Konrad Kohbrok, Aalto University
Markulf Kohlweiss, University of Edinburgh, UK
Presentation: Slides
Conference: ASIACRYPT 2022
Abstract: Transport Layer Security (TLS) is the cryptographic backbone of secure communication on the Internet. In its latest version 1.3, the standardization process has taken formal analysis into account both due to the importance of the protocol and the experience with conceptual attacks against previous versions. To manage the complexity of TLS (the specification exceeds 100 pages), prior reduction-based analyses have focused on some protocol features and omitted others, e.g., included session resumption and omitted agile algorithms or vice versa. This article is a major step towards analysing the TLS 1.3 key establishment protocol as specified at the end of its rigorous standardization process. Namely, we provide a full proof of the TLS key schedule, a core protocol component which produces output keys and internal keys of the key exchange protocol. In particular, our model supports all key derivations featured in the standard, including its negotiated modes and algorithms that combine an optional Diffie-Hellman exchange for forward secrecy with optional pre-shared keys supplied by the application or recursively established in prior sessions. Technically, we rely on state-separating proofs (Asiacrypt '18) and introduce techniques to model large and complex derivation graphs. Our key schedule analysis techniques have been used subsequently to analyse the key schedule of Draft 11 of the MLS protocol (S&P'22) and to propose improvements.
Video from ASIACRYPT 2022
  title={Key-schedule Security for the TLS 1.3 Standard},
  author={Chris Brzuska and Antoine Delignat-Lavaud and Christoph Egger and Cédric Fournet and Konrad Kohbrok and Markulf Kohlweiss},