The Internet Engineering Task Force (IETF) is currently developing the next version of the Transport Layer Security (TLS) protocol, version 1.3. The transparency of this standardization process allows comprehensive cryptographic analysis of the protocols prior to adoption, whereas previous TLS versions have been scrutinized in the cryptographic literature only after standardization. This is even more important as there are two related, yet slightly different, candidates in discussion for TLS 1.3, called draft-ietf-tls-tls13-05 and draft-ietf-tls-tls13-dh-based.

We give a cryptographic analysis of the primary ephemeral Diffie–Hellman-based handshake protocol, which authenticates parties and establishes encryption keys, of both TLS 1.3 candidates. We show that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare–Rogaway model. Such a multi-stage approach is convenient for analyzing the design of the candidates, as they establish multiple session keys during the exchange.

An important step in our analysis is to consider compositional security guarantees. We show that, since our multi-stage key exchange security notion is composable with arbitrary symmetric-key protocols, the use of session keys in the record layer protocol is safe. Moreover, since we can view the abbreviated TLS resumption procedure also as a symmetric-key protocol, our compositional analysis allows us to directly conclude security of the combined handshake with session resumption.

We include a discussion on several design characteristics of the TLS 1.3 drafts based on the observations in our analysis.