Authentication and authenticated key exchanges
Designs, Codes and Cryptography
Entity authentication and key distribution
CRYPTO '93 Proceedings of the 13th annual international cryptology conference on Advances in cryptology
Provably secure session key distribution: the three party case
STOC '95 Proceedings of the twenty-seventh annual ACM symposium on Theory of computing
STOC '98 Proceedings of the thirtieth annual ACM symposium on Theory of computing
Inductive analysis of the Internet protocol TLS
ACM Transactions on Information and System Security (TISSEC)
The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?)
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
On the Security of RSA Encryption in TLS
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Systematic Design of Two-Party Authentication Protocols
CRYPTO '91 Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology
Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1
CRYPTO '98 Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology
Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels
EUROCRYPT '01 Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology
On the Security of Joint Signature and Encryption
EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Universally Composable Notions of Key Exchange and Secure Channels
EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm
ASIACRYPT '00 Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Provably Authenticated Group Diffie-Hellman Key Exchange - The Dynamic Case
ASIACRYPT '01 Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Entity Authentication and Authenticated Key Transport Protocols Employing Asymmetric Techniques
Proceedings of the 5th International Workshop on Security Protocols
Key Agreement Protocols and Their Security Analysis
Proceedings of the 6th IMA International Conference on Cryptography and Coding
Analysis of the SSL 3.0 protocol
WOEC'96 Proceedings of the 2nd conference on Proceedings of the Second USENIX Workshop on Electronic Commerce - Volume 2
Finite-state analysis of SSL 3.0
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
HMAC is a randomness extractor and applications to TLS
Proceedings of the 2008 ACM symposium on Information, computer and communications security
Authenticated key exchange secure against dictionary attacks
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
Modular security proofs for key agreement protocols
ASIACRYPT'05 Proceedings of the 11th international conference on Theory and Application of Cryptology and Information Security
Examining indistinguishability-based proof models for key establishment protocols
ASIACRYPT'05 Proceedings of the 11th international conference on Theory and Application of Cryptology and Information Security
One-Time verifier-based encrypted key exchange
PKC'05 Proceedings of the 8th international conference on Theory and Practice in Public Key Cryptography
Cryptographically verified implementations for TLS
Proceedings of the 15th ACM conference on Computer and communications security
Models and Proofs of Protocol Security: A Progress Report
CAV '09 Proceedings of the 21st International Conference on Computer Aided Verification
A secure decentralized data-centric information infrastructure for smart grid
IEEE Communications Magazine
Principles, Systems and Applications of IP Telecommunications
Ideal key derivation and encryption in simulation-based security
CT-RSA'11 Proceedings of the 11th international conference on Topics in cryptology: CT-RSA 2011
Hash function combiners in TLS and SSL
CT-RSA'10 Proceedings of the 2010 international conference on Topics in Cryptology
Anonymity and one-way authentication in key exchange protocols
Designs, Codes and Cryptography
On the security of TLS renegotiation
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
| Hi-index | 0.00 |
We study the security of the widely deployed Secure Session Layer/Transport Layer Security (TLS) key agreement protocol. Our analysis identifies, justifies, and exploits the modularity present in the design of the protocol: the application keys offered to higher level applications are obtained from a master key , which in turn is derived, through interaction, from a pre-master key . Our first contribution consists of formal models that clarify the security level enjoyed by each of these types of keys. The models that we provide fall under well established paradigms in defining execution, and security notions. We capture the realistic setting where only one of the two parties involved in the execution of the protocol (namely the server) has a certified public key, and where the same master key is used to generate multiple application keys. The main contribution of the paper is a modular and generic proof of security for the application keys established through the TLS protocol. We show that the transformation used by TLS to derive master keys essentially transforms an arbitrary secure pre-master key agreement protocol into a secure master-key agreement protocol. Similarly, the transformation used to derive application keys works when applied to an arbitrary secure master-key agreement protocol. These results are in the random oracle model. The security of the overall protocol then follows from proofs of security for the basic pre-master key generation protocols employed by TLS.