## CryptoDB

### Paper: Key-schedule Security for the TLS 1.3 Standard

Authors: Chris Brzuska , Aalto University Antoine Delignat-Lavaud , Microsoft Research Cambridge, UK Christoph Egger , IRIF, Université Paris Cité Cédric Fournet , Microsoft Research Cambridge, UK Konrad Kohbrok , Aalto University Markulf Kohlweiss , University of Edinburgh, UK Search ePrint Search Google Slides ASIACRYPT 2022 Transport Layer Security (TLS) is the cryptographic backbone of secure communication on the Internet. In its latest version 1.3, the standardization process has taken formal analysis into account both due to the importance of the protocol and the experience with conceptual attacks against previous versions. To manage the complexity of TLS (the specification exceeds 100 pages), prior reduction-based analyses have focused on some protocol features and omitted others, e.g., included session resumption and omitted agile algorithms or vice versa. This article is a major step towards analysing the TLS 1.3 key establishment protocol as specified at the end of its rigorous standardization process. Namely, we provide a full proof of the TLS key schedule, a core protocol component which produces output keys and internal keys of the key exchange protocol. In particular, our model supports all key derivations featured in the standard, including its negotiated modes and algorithms that combine an optional Diffie-Hellman exchange for forward secrecy with optional pre-shared keys supplied by the application or recursively established in prior sessions. Technically, we rely on state-separating proofs (Asiacrypt '18) and introduce techniques to model large and complex derivation graphs. Our key schedule analysis techniques have been used subsequently %by Brzuska, Cornelissen and Kohbrok to analyse the key schedule of Draft 11 of the MLS protocol (S&P'22) and to propose improvements.
##### BibTeX
@inproceedings{asiacrypt-2022-32508,
title={Key-schedule Security for the TLS 1.3 Standard},
publisher={Springer-Verlag},
author={Chris Brzuska and Antoine Delignat-Lavaud and Christoph Egger and Cédric Fournet and Konrad Kohbrok and Markulf Kohlweiss},
year=2022
}