On the Security of TLS-DHE in the Standard Model

Tibor Jager, Florian Kohlar, Sven Schäge, Jörg Schwenk

In Advances in Cryptology – CRYPTO 2012, Lecture Notes in Computer Science, 2012, Volume 7417/2012, 273-293, DOI: 10.1007/978-3-642-32009-5_17


Abstract

TLS is the most important cryptographic protocol in use today. However, up to now there is no complete cryptographic security proof in the standard model, nor in any other model. We give the first such proof for the core cryptographic protocol of TLS ciphersuites based on ephemeral Diffie-Hellman key exchange (TLS-DHE), which include the cipher suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA mandatory in TLS 1.0 and TLS 1.1.

It is impossible to prove security of the TLS Handshake in any classical key-indistinguishability-based security model (like e.g. the Bellare-Rogaway or the Canetti-Krawczyk model), due to subtle issues with the encryption of the final Finished messages of the TLS Handshake. Therefore we start with proving the security of a truncated version of the TLS Handshake protocol, which has also been considered in previous work on TLS.

Then we define the notion of authenticated and confidential channel establishment (ACCE) as a new security model which captures precisely the security properties expected from TLS in practice, and show that the combination of the TLS Handshake protocol with the TLS Record Layer can be proven secure in this model.
