Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication. / Cremers, Cas; Horvat, Marko; Scott, Samuel; Van Der Merwe, Thyla.

IEEE Symposium on Security and Privacy 2016. 2016. p. 470-485.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Published

Standard

Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication. / Cremers, Cas; Horvat, Marko; Scott, Samuel; Van Der Merwe, Thyla.

IEEE Symposium on Security and Privacy 2016. 2016. p. 470-485.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Harvard

APA

Vancouver

Author

Cremers, Cas ; Horvat, Marko ; Scott, Samuel ; Van Der Merwe, Thyla. / Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication. IEEE Symposium on Security and Privacy 2016. 2016. pp. 470-485

BibTeX

@inproceedings{8f281a25a78448d7a7a8e779cc6c4a56,
title = "Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication",
abstract = "After a development process of many months, the TLS 1.3 specification is nearly complete. To prevent past mistakes, this crucial security protocol must be thoroughly scrutinised prior to deployment. In this work we model and analyse revision 10 of the TLS 1.3 specification using the Tamarin prover, a tool for the automated analysis of security protocols. We specify and analyse the interaction of various handshake modes for an unbounded number of concurrent TLS sessions. We show that revision 10 meets the goals of authenticated key exchange in both the unilateral and mutual authentication cases. We extend our model to incorporate the desired delayed client authentication mechanism, a feature that is likely to be included in the next revision of the specification, and uncover a potential attack in which an adversary is able to successfully impersonate a client during a PSK-resumption handshake. This observation was reported to, and confirmed by, the IETF TLS Working Group. Our work not only provides the first supporting evidence for the security of several complex protocol mode interactions in TLS 1.3, but also shows the strict necessity of recent suggestions to include more information in the protocol's signature contents.",
author = "Cas Cremers and Marko Horvat and Samuel Scott and {Van Der Merwe}, Thyla",
year = "2016",
month = aug,
day = "18",
doi = "10.1109/SP.2016.35",
language = "English",
isbn = "978-1-5090-0825-4",
pages = "470--485",
booktitle = "IEEE Symposium on Security and Privacy 2016",

}

RIS

TY - GEN

T1 - Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication

AU - Cremers, Cas

AU - Horvat, Marko

AU - Scott, Samuel

AU - Van Der Merwe, Thyla

PY - 2016/8/18

Y1 - 2016/8/18

N2 - After a development process of many months, the TLS 1.3 specification is nearly complete. To prevent past mistakes, this crucial security protocol must be thoroughly scrutinised prior to deployment. In this work we model and analyse revision 10 of the TLS 1.3 specification using the Tamarin prover, a tool for the automated analysis of security protocols. We specify and analyse the interaction of various handshake modes for an unbounded number of concurrent TLS sessions. We show that revision 10 meets the goals of authenticated key exchange in both the unilateral and mutual authentication cases. We extend our model to incorporate the desired delayed client authentication mechanism, a feature that is likely to be included in the next revision of the specification, and uncover a potential attack in which an adversary is able to successfully impersonate a client during a PSK-resumption handshake. This observation was reported to, and confirmed by, the IETF TLS Working Group. Our work not only provides the first supporting evidence for the security of several complex protocol mode interactions in TLS 1.3, but also shows the strict necessity of recent suggestions to include more information in the protocol's signature contents.

AB - After a development process of many months, the TLS 1.3 specification is nearly complete. To prevent past mistakes, this crucial security protocol must be thoroughly scrutinised prior to deployment. In this work we model and analyse revision 10 of the TLS 1.3 specification using the Tamarin prover, a tool for the automated analysis of security protocols. We specify and analyse the interaction of various handshake modes for an unbounded number of concurrent TLS sessions. We show that revision 10 meets the goals of authenticated key exchange in both the unilateral and mutual authentication cases. We extend our model to incorporate the desired delayed client authentication mechanism, a feature that is likely to be included in the next revision of the specification, and uncover a potential attack in which an adversary is able to successfully impersonate a client during a PSK-resumption handshake. This observation was reported to, and confirmed by, the IETF TLS Working Group. Our work not only provides the first supporting evidence for the security of several complex protocol mode interactions in TLS 1.3, but also shows the strict necessity of recent suggestions to include more information in the protocol's signature contents.

U2 - 10.1109/SP.2016.35

DO - 10.1109/SP.2016.35

M3 - Conference contribution

SN - 978-1-5090-0825-4

SP - 470

EP - 485

BT - IEEE Symposium on Security and Privacy 2016

ER -