An Analysis of the Transport Layer Security Protocol. / van der Merwe, Thyla.

2018. 229 p.

Research output: Thesis › Doctoral Thesis

Unpublished

Abstract

The Transport Layer Security (TLS) protocol is the de facto means for securing communications on the World Wide Web. Originally developed by Netscape Communications, the protocol came under the auspices of the Internet Engineering Task Force (IETF) in the mid 1990s and today serves millions, if not billions, of users on a daily basis. The ubiquitous nature of the protocol has, especially in recent years, made the protocol an attractive target for security researchers. Since the release of TLS 1.2 in 2008, the protocol has suffered many high-profile, and increasingly practical, attacks. Coupled with pressure to improve the protocol's efficiency, this deluge of identified weaknesses prompted the IETF to develop a new version of the protocol, namely TLS 1.3.

In the development of the new version of the protocol, the IETF TLS Working Group has adopted an "analysis-prior-to-deployment" design philosophy. This is in sharp contrast to all previous versions of the protocol. We present an account of the TLS standardisation narrative, commenting on the differences between the reactive development process for TLS 1.2 and below, and the more proactive design process for TLS 1.3. As part of this account, we present work that falls on both sides of this design transition. We contribute to the large body of work highlighting weaknesses in TLS 1.2 and below by presenting two classes of attacks against the RC4 stream cipher when used in TLS. Our attacks exploit statistical biases in the RC4 keystream to recover TLS-protected user passwords and cookies. Next we present a symbolic analysis of the TLS 1.3 draft specification, using the Tamarin prover, to show that TLS 1.3 meets the desired goals of authenticated key exchange, thus contributing to a concerted effort by the TLS community to ensure the protocol's robustness prior to its official release.
Original language: English
Qualification: Ph.D.
Awarding Institution
Supervisors/Advisors
Thesis sponsors
  • Eng & Phys Sci Res Council EPSRC
Award date: 1 Jun 2018
Publication status: Unpublished - 2018
This open access research output is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

ID: 29967197