Published in: Journal of Cryptology, Issue 4/2017

18.01.2017

Authenticated Confidential Channel Establishment and the Security of TLS-DHE

Authors: Tibor Jager, Florian Kohlar, Sven Schäge, Jörg Schwenk


Abstract

Transport Layer Security (TLS) is the most important cryptographic protocol in use today. However, finding a cryptographic security proof for the complete, unaltered protocol has proven to be a challenging task. We give the first such proof in the standard model for the core cryptographic protocol underlying TLS cipher suites based on ephemeral Diffie–Hellman key exchange (TLS-DHE). This includes the cipher suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, which is mandatory in TLS 1.0 and TLS 1.1. It is impossible to prove the TLS Handshake secure in the classical security models of Bellare–Rogaway and Canetti–Krawczyk. The reason for this is that the final Finished messages of the TLS Handshake are encrypted with the session key, which provides an opportunity to distinguish real keys from random values. Therefore we start with proving the security of a truncated version of the TLS Handshake protocol, which has also been considered in previous work on TLS, and give the first proof of this variant in the standard model. Then we define the new notion of authenticated and confidential channel establishment (ACCE), which allows the monolithic analysis of protocols for which a modular security proof is not possible. We show that the combination of the TLS-DHE Handshake protocol and the TLS Record Layer encryption is secure in this model. Since the conference publication of this paper, the notion of ACCE has found many further applications, for example to the analysis of further TLS cipher suites (Krawczyk et al., Crypto 2013; Li et al., PKC 2014), advanced mechanisms like secure renegotiation of TLS session keys (Giesen et al., CCS 2013), and other practical protocols like EMV channel establishment (Brzuska et al., CCS 2013), SSH (Bergsma et al., CCS 2014), and QUIC (Lychev et al., S&P 2015).
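The abstract's central observation, that the encrypted Finished messages let an adversary tell a real session key from a random one, is easy to see in code. The toy below is an added example, not code from the paper: the HMAC-SHA256 counter-mode PRF, the four-key key block, the encrypt-then-MAC record and the replacement of the Diffie–Hellman exchange by a random premaster secret are simplified stand-ins shaped like TLS 1.2, not a bit-exact implementation. It runs the Bellare–Rogaway style "real-or-random" Test against both the truncated handshake (no Finished in the trace) and the full one.

```python
"""
Toy model of the point made in the abstract: once the Finished messages
travel under the freshly derived session keys, a Bellare-Rogaway style
real-or-random Test query can be answered by simply trying the key.

Constructed example, not code from the paper. PRF, key block layout and
record format are stdlib stand-ins shaped like TLS 1.2; the DHE exchange
is abstracted into a random premaster secret.
"""
import hashlib
import hmac
import os

KEY_LEN = 32        # per-key length in the key block
TAG_LEN = 32        # HMAC-SHA256 tag appended to each record
FINISHED_LEN = 12   # length of TLS verify_data


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode expansion, standing in for the TLS PRF."""
    out, counter = b"", 1
    while len(out) < length:
        out += hmac.new(secret, label + seed + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_session_keys(master_secret, client_random, server_random):
    """Split the key block into one (write, MAC) pair per direction.

    Footnote 5 of the paper: the client decrypts with the server's write key
    and vice versa, so listing each side's own pair describes all four keys.
    """
    block = prf(master_secret, b"key expansion", server_random + client_random, 4 * KEY_LEN)
    c_mac, s_mac, c_enc, s_enc = (block[i * KEY_LEN:(i + 1) * KEY_LEN] for i in range(4))
    return {"client": {"enc": c_enc, "mac": c_mac}, "server": {"enc": s_enc, "mac": s_mac}}


def finished_verify_data(master_secret, label, transcript):
    """verify_data = PRF(master_secret, label, Hash(handshake_messages))."""
    return prf(master_secret, label, hashlib.sha256(transcript).digest(), FINISHED_LEN)


def record_encrypt(enc_key, mac_key, seq, plaintext):
    """Encrypt-then-MAC record: keystream XOR, then HMAC over seq || ciphertext."""
    nonce = seq.to_bytes(8, "big")
    stream = prf(enc_key, b"stream", nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def record_decrypt(enc_key, mac_key, seq, record):
    """Return the plaintext, or None when the tag does not verify."""
    if len(record) < TAG_LEN:
        return None
    ct, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    nonce = seq.to_bytes(8, "big")
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    stream = prf(enc_key, b"stream", nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def run_handshake(truncated):
    """Simulate the key-establishing part of TLS-DHE.

    Returns the session keys and the trace an eavesdropper sees. The truncated
    variant stops before Finished; the full one sends the client's Finished
    under the new keys at record sequence number 0.
    """
    client_random, server_random = os.urandom(32), os.urandom(32)
    premaster = os.urandom(32)  # stands in for g^xy
    master_secret = prf(premaster, b"master secret", client_random + server_random, 48)
    keys = derive_session_keys(master_secret, client_random, server_random)
    transcript = client_random + server_random  # stands in for all handshake messages
    trace = []
    if not truncated:
        vd = finished_verify_data(master_secret, b"client finished", transcript)
        trace.append(("client_finished",
                      record_encrypt(keys["client"]["enc"], keys["client"]["mac"], 0, vd)))
    return keys, trace


def br_distinguisher(candidate_keys, trace):
    """Test-query adversary: answer 'real' iff the candidate opens the observed Finished.

    True/False for a full handshake; None for the truncated one, where no
    key-dependent ciphertext exists to check a candidate key against.
    """
    for name, record in trace:
        if name == "client_finished":
            pt = record_decrypt(candidate_keys["client"]["enc"], candidate_keys["client"]["mac"], 0, record)
            return pt is not None and len(pt) == FINISHED_LEN
    return None


def random_keys():
    """What the Test oracle hands out in the 'random' world."""
    return {side: {"enc": os.urandom(KEY_LEN), "mac": os.urandom(KEY_LEN)} for side in ("client", "server")}


def demo():
    """(real key vs. full trace, random key vs. full trace, real key vs. truncated trace)."""
    keys, trace = run_handshake(truncated=False)
    _, truncated_trace = run_handshake(truncated=True)
    return (br_distinguisher(keys, trace),
            br_distinguisher(random_keys(), trace),
            br_distinguisher(keys, truncated_trace))


if __name__ == "__main__":
    real, rnd, trunc = demo()
    print("full handshake, real key     ->", real)    # True
    print("full handshake, random key   ->", rnd)     # False
    print("truncated handshake, any key ->", trunc)   # None
```

The distinguisher wins the full-handshake game with essentially probability one, which is why the paper first proves the truncated handshake (no Finished in the trace, so the test returns nothing) and then moves to ACCE, where the adversary is challenged on record-layer plaintexts and forgeries rather than handed a candidate key, so the decrypt-and-check trick has nothing to act on.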

Footnotes

1. SSL Pulse at https://trustworthyinternet.org, retrieved September 2016.
2. To the best of our knowledge, there is no security proof for the currently used schemes, but also no result contradicting this assumption.
3. The proceedings version of [81] contains only a proof of stateless LHAE security. However, as also noted in [81], it is straightforward to adapt the results to the stateful setting.
4. For instance, if the output length \(\mathsf {len}\) is smaller than the length of message m.
5. Note that we have \(k_\mathsf {enc}^\mathsf {Server} = k_\mathsf {dec}^\mathsf {Client} \) and \(k_\mathsf {dec}^\mathsf {Server} = k_\mathsf {enc}^\mathsf {Client} \).
6. We assume that each party \(P_i\) is uniquely identified by its public key \(pk_i\). In practice, several keys may be assigned to one identity. Furthermore, there may be other ways to determine identities, for instance by using certificates. However, this is out of the scope of this paper.
7. Note that we do not include the identity of the (intended) communication partner in the \(\mathsf {Send}\)-query. Instead, we assume that the exchange of identities of communication partners (which is necessary to determine the public key used to perform authentication) is part of the protocol.
8. Note that the adversary does not ‘take control’ of oracles corresponding to a corrupted party. But he learns the long-term secret key and can henceforth simulate these oracles. Still, corrupted oracles remain functional, which is necessary to capture security against KCI attacks.
9. We do not demand that partner ids \(\Pi \) are mutually matching. However, this is required by the security definition.
10. That is, \(P_j\) is not corrupted when \(\pi _i^s\) ‘accepts’. Recall that uncorrupted parties are \(\tau \)-corrupted with \(\tau =\infty \).
11. This models that an adversary may trick one party into sending some adversarially chosen data. A practical example of this attack scenario is cross-site request forgery [90] against web servers, or Bard’s chosen-plaintext attacks on SSL 3.0 [5, 6].
12. If there is more than one such oracle, the first in lexicographical order is chosen.
 
Literatur
1.
Zurück zum Zitat M. Abdalla, M. Bellare, P. Rogaway, The oracle Diffie–Hellman assumptions and an analysis of DHIES, in Topics in Cryptology—CT-RSA 2001, volume 2020 of Lecture Notes in Computer Science, San Francisco, CA, USA, ed. by D. Naccache (Springer, Berlin, Germany, April 8–12, 2001), pp. 143–158 M. Abdalla, M. Bellare, P. Rogaway, The oracle Diffie–Hellman assumptions and an analysis of DHIES, in Topics in Cryptology—CT-RSA 2001, volume 2020 of Lecture Notes in Computer Science, San Francisco, CA, USA, ed. by D. Naccache (Springer, Berlin, Germany, April 8–12, 2001), pp. 143–158
2.
Zurück zum Zitat M.R. Albrecht, K.G. Paterson, Lucky microseconds: a timing attack on Amazon’s s2n implementation of TLS, in EUROCRYPT (1) (2016), pp. 622–643 M.R. Albrecht, K.G. Paterson, Lucky microseconds: a timing attack on Amazon’s s2n implementation of TLS, in EUROCRYPT (1) (2016), pp. 622–643
3.
Zurück zum Zitat N.J. AlFardan, K.G. Paterson, Lucky thirteen: Breaking the TLS and DTLS record protocols, in 2013 IEEE Symposium on Security and Privacy, Berkeley, California, USA, May 19–22, 2013 (IEEE Computer Society Press, 2013), pp. 526–540 N.J. AlFardan, K.G. Paterson, Lucky thirteen: Breaking the TLS and DTLS record protocols, in 2013 IEEE Symposium on Security and Privacy, Berkeley, California, USA, May 19–22, 2013 (IEEE Computer Society Press, 2013), pp. 526–540
4.
Zurück zum Zitat N. Aviram, S. Schinzel, J. Somorovsky, N. Heninger, M. Dankel, J. Steube, L. Valenta, D. Adrian, J. Alex Halderman, V. Dukhovni, E. Käsper, S. Cohney, S. Engels, C. Paar, Y. Shavitt, DROWN: breaking TLS using sslv2, in 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10–12, 2016 (2016), pp. 689–706 N. Aviram, S. Schinzel, J. Somorovsky, N. Heninger, M. Dankel, J. Steube, L. Valenta, D. Adrian, J. Alex Halderman, V. Dukhovni, E. Käsper, S. Cohney, S. Engels, C. Paar, Y. Shavitt, DROWN: breaking TLS using sslv2, in 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10–12, 2016 (2016), pp. 689–706
6.
Zurück zum Zitat G.V. Bard, A challenging but feasible blockwise-adaptive chosen-plaintext attack on SSL, in SECRYPT, ed. by M. Malek, E. Fernández-Medina, J. Hernando (INSTICC Press, 2006), pp. 99–109 G.V. Bard, A challenging but feasible blockwise-adaptive chosen-plaintext attack on SSL, in SECRYPT, ed. by M. Malek, E. Fernández-Medina, J. Hernando (INSTICC Press, 2006), pp. 99–109
7.
Zurück zum Zitat B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, J.K. Zinzindohoue, A messy state of the union: taming the composite state machines of TLS, in 2015 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2015), pp. 535–552 B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, J.K. Zinzindohoue, A messy state of the union: taming the composite state machines of TLS, in 2015 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2015), pp. 535–552
8.
Zurück zum Zitat K. Bhargavan, A. Delignat-Lavaud, C. Fournet, A. Pironti, P.-Y. Strub, Triple handshakes and cookie cutters: breaking and fixing authentication over TLS, in 2014 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2014), pp. 98–113 K. Bhargavan, A. Delignat-Lavaud, C. Fournet, A. Pironti, P.-Y. Strub, Triple handshakes and cookie cutters: breaking and fixing authentication over TLS, in 2014 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2014), pp. 98–113
9.
Zurück zum Zitat F. Bergsma, B. Dowling, F. Kohlar, J. Schwenk, D. Stebila, Multi-ciphersuite security of the secure shell (SSH) protocol, in ACM CCS 14: 21st Conference on Computer and Communications Security (ACM Press, 2014), pp. 369–381 F. Bergsma, B. Dowling, F. Kohlar, J. Schwenk, D. Stebila, Multi-ciphersuite security of the secure shell (SSH) protocol, in ACM CCS 14: 21st Conference on Computer and Communications Security (ACM Press, 2014), pp. 369–381
10.
Zurück zum Zitat M. Bellare, New proofs for NMAC and HMAC: security without collision-resistance, in Advances in Cryptology—CRYPTO 2006, volume 4117 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by C. Dwork (Springer, Berlin, Germany, August 20–24, 2006), pp. 602–619 M. Bellare, New proofs for NMAC and HMAC: security without collision-resistance, in Advances in Cryptology—CRYPTO 2006, volume 4117 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by C. Dwork (Springer, Berlin, Germany, August 20–24, 2006), pp. 602–619
11.
Zurück zum Zitat K. Bhargavan, C. Fournet, R. Corin, E. Zalinescu, Cryptographically verified implementations for TLS, in ACM CCS 08: 15th Conference on Computer and Communications Security, Alexandria, Virginia, USA, ed. by P. Ning, P.F. Syverson, S. Jha (ACM Press, October 27–31, 2008), pp. 459–468 K. Bhargavan, C. Fournet, R. Corin, E. Zalinescu, Cryptographically verified implementations for TLS, in ACM CCS 08: 15th Conference on Computer and Communications Security, Alexandria, Virginia, USA, ed. by P. Ning, P.F. Syverson, S. Jha (ACM Press, October 27–31, 2008), pp. 459–468
12.
Zurück zum Zitat K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, Implementing TLS with verified cryptographic security, in IEEE S&P (2013), pp. 445–459 K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, Implementing TLS with verified cryptographic security, in IEEE S&P (2013), pp. 445–459
13.
Zurück zum Zitat K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, S.Z. Béguelin, Proving the TLS handshake secure (as it is), in Advances in Cryptology—CRYPTO 2014, Part II, volume 8617 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by J.A. Garay, R. Gennaro (Springer, Berlin, Germany, August 17–21, 2014), pp. 235–255 K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, S.Z. Béguelin, Proving the TLS handshake secure (as it is), in Advances in Cryptology—CRYPTO 2014, Part II, volume 8617 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by J.A. Garay, R. Gennaro (Springer, Berlin, Germany, August 17–21, 2014), pp. 235–255
14.
Zurück zum Zitat C. Brzuska, M. Fischlin, N.P. Smart, B. Warinschi, S.C. Williams, Less is more: relaxed yet composable security notions for key exchange, Int. J. Inf. Sec., 12(4):267–297, 2013 C. Brzuska, M. Fischlin, N.P. Smart, B. Warinschi, S.C. Williams, Less is more: relaxed yet composable security notions for key exchange, Int. J. Inf. Sec., 12(4):267–297, 2013
15.
Zurück zum Zitat G. Barthe, B. Grégoire, S. Heraud, S.Z. Béguelin, Computer-aided security proofs for the working cryptographer, in Advances in Cryptology—CRYPTO 2011, volume 6841 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by P. Rogaway (Springer, Berlin, Germany, August 14–18, 2011), pp. 71–90 G. Barthe, B. Grégoire, S. Heraud, S.Z. Béguelin, Computer-aided security proofs for the working cryptographer, in Advances in Cryptology—CRYPTO 2011, volume 6841 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by P. Rogaway (Springer, Berlin, Germany, August 14–18, 2011), pp. 71–90
16.
Zurück zum Zitat C. Brzuska, H. Jacobsen, D. Stebila, Safely exporting keys from secure channels: on the security of EAP-TLS and TLS key exporters, in EUROCRYPT (1) 2016, pp. 670–698 C. Brzuska, H. Jacobsen, D. Stebila, Safely exporting keys from secure channels: on the security of EAP-TLS and TLS key exporters, in EUROCRYPT (1) 2016, pp. 670–698
17.
Zurück zum Zitat M. Bellare, T. Kohno, C. Namprempre, Authenticated encryption in SSH: provably fixing the SSH binary packet protocol, in ACM CCS 02: 9th Conference on Computer and Communications Security, Washington D.C., USA, ed. by V. Atluri (ACM Press, November 18–22, 2002), pp. 1–11 M. Bellare, T. Kohno, C. Namprempre, Authenticated encryption in SSH: provably fixing the SSH binary packet protocol, in ACM CCS 02: 9th Conference on Computer and Communications Security, Washington D.C., USA, ed. by V. Atluri (ACM Press, November 18–22, 2002), pp. 1–11
18.
Zurück zum Zitat M. Bellare, T. Kohno, C. Namprempre, Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-mac paradigm, ACM Trans. Inf. Syst. Secur., 7:206–241, May 2004CrossRefMATH M. Bellare, T. Kohno, C. Namprempre, Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-mac paradigm, ACM Trans. Inf. Syst. Secur., 7:206–241, May 2004CrossRefMATH
19.
Zurück zum Zitat D. Bleichenbacher, Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1, in Advances in Cryptology—CRYPTO’98, volume 1462 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by H. Krawczyk (Springer, Berlin, Germany, August 23–27, 1998), pp. 1–12 D. Bleichenbacher, Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1, in Advances in Cryptology—CRYPTO’98, volume 1462 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by H. Krawczyk (Springer, Berlin, Germany, August 23–27, 1998), pp. 1–12
20.
Zurück zum Zitat B. Barak, Y. Lindell, T. Rabin, Protocol Initialization for the Framework of Universal Composability, Cryptology ePrint Archive, Report 2004/006 (2004). http://eprint.iacr.org/ B. Barak, Y. Lindell, T. Rabin, Protocol Initialization for the Framework of Universal Composability, Cryptology ePrint Archive, Report 2004/006 (2004). http://​eprint.​iacr.​org/​
21.
Zurück zum Zitat C. Boyd, A. Mathuria, Protocols for Authentication and Key Establishment. Information Security and Cryptography (Springer, Berlin, 2003)CrossRefMATH C. Boyd, A. Mathuria, Protocols for Authentication and Key Establishment. Information Security and Cryptography (Springer, Berlin, 2003)CrossRefMATH
22.
Zurück zum Zitat C. Badertscher, C. Matt, U. Maurer, P. Rogaway, B. Tackmann, Augmented secure channels and the goal of the TLS 1.3 record layer, in ProvSec 2015: 9th International Conference on Provable Security, Lecture Notes in Computer Science (Springer, Berlin, 2015), pp. 85–104 C. Badertscher, C. Matt, U. Maurer, P. Rogaway, B. Tackmann, Augmented secure channels and the goal of the TLS 1.3 record layer, in ProvSec 2015: 9th International Conference on Provable Security, Lecture Notes in Computer Science (Springer, Berlin, 2015), pp. 85–104
23.
Zurück zum Zitat M. Bellare, C. Namprempre, Authenticated encryption: relations among notions and analysis of the generic composition paradigm, in Advances in Cryptology—ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, Kyoto, Japan, ed. by T. Okamoto (Springer, Berlin, Germany, December 3–7, 2000), pp. 531–545 M. Bellare, C. Namprempre, Authenticated encryption: relations among notions and analysis of the generic composition paradigm, in Advances in Cryptology—ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, Kyoto, Japan, ed. by T. Okamoto (Springer, Berlin, Germany, December 3–7, 2000), pp. 531–545
24.
Zurück zum Zitat M. Bellare, C. Namprempre, Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, Journal of Cryptology, 21(4):469–491, 2008MathSciNetCrossRefMATH M. Bellare, C. Namprempre, Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, Journal of Cryptology, 21(4):469–491, 2008MathSciNetCrossRefMATH
25.
Zurück zum Zitat M. Bellare, D. Pointcheval, P. Rogaway, in Authenticated Key Exchange Secure Against Dictionary Attacks, in Advances in Cryptology—EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, Bruges, Belgium, ed. by B. Preneel (Springer, Berlin, Germany, May 14–18, 2000), pp. 139–155 M. Bellare, D. Pointcheval, P. Rogaway, in Authenticated Key Exchange Secure Against Dictionary Attacks, in Advances in Cryptology—EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, Bruges, Belgium, ed. by B. Preneel (Springer, Berlin, Germany, May 14–18, 2000), pp. 139–155
26.
Zurück zum Zitat M. Bellare, P. Rogaway, Entity authentication and key distribution, in Advances in Cryptology—CRYPTO’93, volume 773 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by D.R. Stinson (Springer, Berlin, Germany, August 22–26, 1994), pp. 232–249 M. Bellare, P. Rogaway, Entity authentication and key distribution, in Advances in Cryptology—CRYPTO’93, volume 773 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by D.R. Stinson (Springer, Berlin, Germany, August 22–26, 1994), pp. 232–249
27.
Zurück zum Zitat M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in Advances in Cryptology—EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, St. Petersburg, Russia, ed. by S. Vaudenay (Springer, Berlin, Germany, May 28–June 1, 2006), pp. 409–426 M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in Advances in Cryptology—EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, St. Petersburg, Russia, ed. by S. Vaudenay (Springer, Berlin, Germany, May 28–June 1, 2006), pp. 409–426
28.
Zurück zum Zitat C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson, An Analysis of the EMV Channel Establishment Protocol, in ACM CCS 13: 20th Conference on Computer and Communications Security, ed. by A.-R. Sadeghi, V. D. Gligor, M. Yung (ACM Press, Berlin, Germany, November 4–8, 2013), pp. 373–386 C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson, An Analysis of the EMV Channel Establishment Protocol, in ACM CCS 13: 20th Conference on Computer and Communications Security, ed. by A.-R. Sadeghi, V. D. Gligor, M. Yung (ACM Press, Berlin, Germany, November 4–8, 2013), pp. 373–386
29.
Zurück zum Zitat M. Bellare, B. Tackmann, The multi-user security of authenticated encryption: AES-GCM in TLS 1.3, in Advances in Cryptology—CRYPTO 2016, Part I, Lecture Notes in Computer Science, Santa Barbara, CA, USA (Springer, Berlin, Germany, August 2016), pp. 247–276 M. Bellare, B. Tackmann, The multi-user security of authenticated encryption: AES-GCM in TLS 1.3, in Advances in Cryptology—CRYPTO 2016, Part I, Lecture Notes in Computer Science, Santa Barbara, CA, USA (Springer, Berlin, Germany, August 2016), pp. 247–276
30.
Zurück zum Zitat S. Blake-Wilson, D. Johnson, A. Menezes, Key agreement protocols and their security analysis, in 6th IMA International Conference on Cryptography and Coding, volume 1355 of Lecture Notes in Computer Science, Cirencester, UK, ed. by M. Darnell (Springer, Berlin, Germany, December 17–19, 1997), pp. 30–45 S. Blake-Wilson, D. Johnson, A. Menezes, Key agreement protocols and their security analysis, in 6th IMA International Conference on Cryptography and Coding, volume 1355 of Lecture Notes in Computer Science, Cirencester, UK, ed. by M. Darnell (Springer, Berlin, Germany, December 17–19, 1997), pp. 30–45
31.
Zurück zum Zitat R. Canetti, Universally composable security: A new paradigm for cryptographic protocols, in 42nd Annual Symposium on Foundations of Computer Science, Las Vegas, Nevada, USA (IEEE Computer Society Press, October 14–17, 2001), pp. 136–145 R. Canetti, Universally composable security: A new paradigm for cryptographic protocols, in 42nd Annual Symposium on Foundations of Computer Science, Las Vegas, Nevada, USA (IEEE Computer Society Press, October 14–17, 2001), pp. 136–145
32.
Zurück zum Zitat K.K.R. Choo, C. Boyd, Y. Hitchcock, Examining indistinguishability-based proof models for key establishment protocols, in Advances in Cryptology—ASIACRYPT 2005, volume 3788 of Lecture Notes in Computer Science, Chennai, India, ed. by B.K. Roy (Springer, Berlin, Germany, December 4–8, 2005), pp. 585–604 K.K.R. Choo, C. Boyd, Y. Hitchcock, Examining indistinguishability-based proof models for key establishment protocols, in Advances in Cryptology—ASIACRYPT 2005, volume 3788 of Lecture Notes in Computer Science, Chennai, India, ed. by B.K. Roy (Springer, Berlin, Germany, December 4–8, 2005), pp. 585–604
33.
Zurück zum Zitat S. Chaki, A. Datta, Aspier: an automated framework for verifying security protocol implementations, in Computer Security Foundations Symposium, 2009. CSF ’09. 22nd IEEE, (July 2009), pp. 172 –185 S. Chaki, A. Datta, Aspier: an automated framework for verifying security protocol implementations, in Computer Security Foundations Symposium, 2009. CSF ’09. 22nd IEEE, (July 2009), pp. 172 –185
34.
Zurück zum Zitat J.-S. Coron, M. Joye, D. Naccache, P. Paillier, in New attacks on PKCS#1 v1.5 encryption (In Preneel [84]), pp. 369–381 J.-S. Coron, M. Joye, D. Naccache, P. Paillier, in New attacks on PKCS#1 v1.5 encryption (In Preneel [84]), pp. 369–381
35.
Zurück zum Zitat R. Canetti, H. Krawczyk, Analysis of key-exchange protocols and their use for building secure channels, in Advances in Cryptology—EUROCRYPT 2001, volume 2045 of Lecture Notes in Computer Science, Innsbruck, Austria, ed. by B. Pfitzmann (Springer, Berlin, Germany, May 6–10, 2001), pp. 453–474 R. Canetti, H. Krawczyk, Analysis of key-exchange protocols and their use for building secure channels, in Advances in Cryptology—EUROCRYPT 2001, volume 2045 of Lecture Notes in Computer Science, Innsbruck, Austria, ed. by B. Pfitzmann (Springer, Berlin, Germany, May 6–10, 2001), pp. 453–474
36.
Zurück zum Zitat R. Canetti, H. Krawczyk, Security analysis of IKE’s signature-based key-exchange protocol, in Advances in Cryptology—CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by M. Yung (Springer, Berlin, Germany, August 18–22, 2002), pp. 143–161. http://eprint.iacr.org/2002/120/ R. Canetti, H. Krawczyk, Security analysis of IKE’s signature-based key-exchange protocol, in Advances in Cryptology—CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by M. Yung (Springer, Berlin, Germany, August 18–22, 2002), pp. 143–161. http://​eprint.​iacr.​org/​2002/​120/​
37.
Zurück zum Zitat C.J.F. Cremers, Session-state reveal is stronger than ephemeral key reveal: attacking the NAXOS authenticated key exchange protocol, in ACNS 09: 7th International Conference on Applied Cryptography and Network Security, volume 5536 of Lecture Notes in Computer Science, Paris-Rocquencourt, France, ed. by M. Abdalla, D. Pointcheval, P.-A. Fouque, D. Vergnaud (Springer, Berlin, Germany, June 2–5, 2009), pp. 20–33 C.J.F. Cremers, Session-state reveal is stronger than ephemeral key reveal: attacking the NAXOS authenticated key exchange protocol, in ACNS 09: 7th International Conference on Applied Cryptography and Network Security, volume 5536 of Lecture Notes in Computer Science, Paris-Rocquencourt, France, ed. by M. Abdalla, D. Pointcheval, P.-A. Fouque, D. Vergnaud (Springer, Berlin, Germany, June 2–5, 2009), pp. 20–33
38.
Zurück zum Zitat T. Dierks, C. Allen, The TLS Protocol Version 1.0. RFC 2246 (Proposed Standard), Obsoleted by RFC 4346, updated by RFCs 3546, 5746 (January 1999) T. Dierks, C. Allen, The TLS Protocol Version 1.0. RFC 2246 (Proposed Standard), Obsoleted by RFC 4346, updated by RFCs 3546, 5746 (January 1999)
39.
Zurück zum Zitat B. Dowling, M. Fischlin, F. Günther, D. Stebila, A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates, in ACM CCS 15: 22nd Conference on Computer and Communications Security (ACM Press, New York, 2015) B. Dowling, M. Fischlin, F. Günther, D. Stebila, A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates, in ACM CCS 15: 22nd Conference on Computer and Communications Security (ACM Press, New York, 2015)
40.
Zurück zum Zitat B. Dowling, M. Fischlin, F. Günther, D. Stebila, in A Cryptographic Analysis of the TLS 1.3 Draft-10 Full and Pre-shared Key Handshake Protocol. Cryptology ePrint Archive, Report 2016/081 (2016). http://eprint.iacr.org/2016/081 B. Dowling, M. Fischlin, F. Günther, D. Stebila, in A Cryptographic Analysis of the TLS 1.3 Draft-10 Full and Pre-shared Key Handshake Protocol. Cryptology ePrint Archive, Report 2016/081 (2016). http://​eprint.​iacr.​org/​2016/​081
41.
Zurück zum Zitat T. Dierks, E. Rescorla, in The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346 (Proposed Standard). Obsoleted by RFC 5246, updated by RFCs 4366, 4680, 4681, 5746 (April 2006) T. Dierks, E. Rescorla, in The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346 (Proposed Standard). Obsoleted by RFC 5246, updated by RFCs 4366, 4680, 4681, 5746 (April 2006)
42.
Zurück zum Zitat T. Dierks, E. Rescorla, in The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard) (August 2008), Updated by RFCs 5746, 5878 T. Dierks, E. Rescorla, in The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard) (August 2008), Updated by RFCs 5746, 5878
44.
Zurück zum Zitat Danny Dolev and Andrew Chi-Chih Yao. On the security of public key protocols. IEEE Transactions on Information Theory, 29(2):198–207, 1983.MathSciNetCrossRefMATH Danny Dolev and Andrew Chi-Chih Yao. On the security of public key protocols. IEEE Transactions on Information Theory, 29(2):198–207, 1983.MathSciNetCrossRefMATH
45.
Zurück zum Zitat D. Eastlake III, T. Hansen, in US Secure Hash Algorithms (SHA and HMAC-SHA), RFC 4634 (Informational) (July 2006) D. Eastlake III, T. Hansen, in US Secure Hash Algorithms (SHA and HMAC-SHA), RFC 4634 (Informational) (July 2006)
46.
Zurück zum Zitat D. Eastlake III, P. Jones, in US Secure Hash Algorithm 1 (SHA1). RFC 3174 (Informational), Updated by RFC 4634 (September 2001) D. Eastlake III, P. Jones, in US Secure Hash Algorithm 1 (SHA1). RFC 3174 (Informational), Updated by RFC 4634 (September 2001)
47.
Zurück zum Zitat M. Fischlin, A. Lehmann, D. Wagner, Hash function combiners in TLS and SSL, in Topics in Cryptology—CT-RSA 2010, volume 5985 of Lecture Notes in Computer Science, San Francisco, CA, USA, ed. by J. Pieprzyk (Springer, Berlin, Germany, March 1–5, 2010), pp. 268–283 M. Fischlin, A. Lehmann, D. Wagner, Hash function combiners in TLS and SSL, in Topics in Cryptology—CT-RSA 2010, volume 5985 of Lecture Notes in Computer Science, San Francisco, CA, USA, ed. by J. Pieprzyk (Springer, Berlin, Germany, March 1–5, 2010), pp. 268–283
48.
Zurück zum Zitat P.-A. Fouque, D. Pointcheval, S. Zimmer, HMAC is a randomness extractor and applications to TLS, in ASIACCS 08: 3rd Conference on Computer and Communications Security, Tokyo, Japan, ed. by M. Abe, V. Gligor (ACM Press, March 18–20, 2008), pp. 21–32 P.-A. Fouque, D. Pointcheval, S. Zimmer, HMAC is a randomness extractor and applications to TLS, in ASIACCS 08: 3rd Conference on Computer and Communications Security, Tokyo, Japan, ed. by M. Abe, V. Gligor (ACM Press, March 18–20, 2008), pp. 21–32
49.
Zurück zum Zitat F. Giesen, F. Kohlar, D. Stebila, On the security of TLS renegotiation, in ACM Conference on Computer and Communications Security 2013, pp. 387–398 F. Giesen, F. Kohlar, D. Stebila, On the security of TLS renegotiation, in ACM Conference on Computer and Communications Security 2013, pp. 387–398
50.
Zurück zum Zitat S. Gajek, M. Manulis, O. Pereira, A.-R. Sadeghi, J. Schwenk, in Universally composable security analysis of TLS ProvSec, volume 5324 of LNCS, ed. by J. Baek, F. Bao, K. Chen, X. Lai (Springer, 2008), pp. 313–327 S. Gajek, M. Manulis, O. Pereira, A.-R. Sadeghi, J. Schwenk, in Universally composable security analysis of TLS ProvSec, volume 5324 of LNCS, ed. by J. Baek, F. Bao, K. Chen, X. Lai (Springer, 2008), pp. 313–327
51.
Zurück zum Zitat J. Jonsson, B.S. Kaliski Jr, On the security of RSA encryption in TLS, in Advances in Cryptology—CRYPTO 2002, pp. 127–142 J. Jonsson, B.S. Kaliski Jr, On the security of RSA encryption in TLS, in Advances in Cryptology—CRYPTO 2002, pp. 127–142
52.
Zurück zum Zitat T. Jager, F. Kohlar, S. Schäge, J. Schwenk, On the security of TLS-DHE in the standard model, in Advances in Cryptology—CRYPTO 2012, volume 7417 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by R. Safavi-Naini, R. Canetti (Springer, Berlin, Germany, August 19–23, 2012), pp. 273–293 T. Jager, F. Kohlar, S. Schäge, J. Schwenk, On the security of TLS-DHE in the standard model, in Advances in Cryptology—CRYPTO 2012, volume 7417 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by R. Safavi-Naini, R. Canetti (Springer, Berlin, Germany, August 19–23, 2012), pp. 273–293
53.
Zurück zum Zitat D. Johnson, A. Menezes, S. Vanstone, The Elliptic Curve Digital Signature Algorithm (ECDSA), Int. J. Inf. Secur., 1(1):36–63, August 2001CrossRef D. Johnson, A. Menezes, S. Vanstone, The Elliptic Curve Digital Signature Algorithm (ECDSA), Int. J. Inf. Secur., 1(1):36–63, August 2001CrossRef
54.
Zurück zum Zitat T. Jager, J. Schwenk, J. Somorovsky, Practical invalid curve attacks on TLSECDH, in ACM CCS 15: 22nd Conference on Computer and Communications Security (ACM Press, New York, 2015), pp. 407–425 T. Jager, J. Schwenk, J. Somorovsky, Practical invalid curve attacks on TLSECDH, in ACM CCS 15: 22nd Conference on Computer and Communications Security (ACM Press, New York, 2015), pp. 407–425
55.
Zurück zum Zitat T. Jager, J. Schwenk, J. Somorovsky, in On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS #1 v1.5 Encryption (ACM CCS 2015), pp. 1185–1196 T. Jager, J. Schwenk, J. Somorovsky, in On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS #1 v1.5 Encryption (ACM CCS 2015), pp. 1185–1196
56.
Zurück zum Zitat B. Kaliski, PKCS #1: RSA Encryption Version 1.5. RFC 2313 (Informational), Obsoleted by RFC 2437 (March 1998) B. Kaliski, PKCS #1: RSA Encryption Version 1.5. RFC 2313 (Informational), Obsoleted by RFC 2437 (March 1998)
58.
Zurück zum Zitat M. Kohlweiss, U. Maurer, C. Onete, B. Tackmann, D. Venturi, (De-)constructing TLS 1.3, in Progress in Cryptology—INDOCRYPT 2015: 16th International Conference in Cryptology in India, Lecture Notes in Computer Science (Springer, Berlin, Germany, 2015), pp. 85–102 M. Kohlweiss, U. Maurer, C. Onete, B. Tackmann, D. Venturi, (De-)constructing TLS 1.3, in Progress in Cryptology—INDOCRYPT 2015: 16th International Conference in Cryptology in India, Lecture Notes in Computer Science (Springer, Berlin, Germany, 2015), pp. 85–102
59.
E. Kiltz, A. O’Neill, A. Smith, Instantiability of RSA-OAEP under chosen-plaintext attack, in Advances in Cryptology—CRYPTO 2010, volume 6223 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by T. Rabin (Springer, Berlin, Germany, August 15–19, 2010), pp. 295–313
60.
E. Kiltz, K. Pietrzak, On the security of padding-based encryption schemes—or—why we cannot prove OAEP secure in the standard model, in Advances in Cryptology—EUROCRYPT 2009, volume 5479 of Lecture Notes in Computer Science, Cologne, Germany (Springer, Berlin, Germany, April 26–30, 2009), pp. 389–406
61.
H. Krawczyk, K.G. Paterson, H. Wee, On the security of the TLS protocol: a systematic analysis, in Advances in Cryptology—CRYPTO 2013, Part I, volume 8042 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by R. Canetti, J.A. Garay (Springer, Berlin, Germany, August 18–22, 2013), pp. 429–448
62.
H. Krawczyk, The order of encryption and authentication for protecting communications (or: How secure is SSL?), in Advances in Cryptology—CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by J. Kilian (Springer, Berlin, Germany, August 19–23, 2001), pp. 310–331
63.
H. Krawczyk, HMQV: a high-performance secure Diffie-Hellman protocol, in Advances in Cryptology—CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by V. Shoup (Springer, Berlin, Germany, August 14–18, 2005), pp. 546–566
64.
65.
R. Küsters, M. Tuengerthal, Composition theorems without pre-established session identifiers, in ACM CCS 11: 18th Conference on Computer and Communications Security, Chicago, Illinois, USA, ed. by Y. Chen, G. Danezis, V. Shmatikov (ACM Press, October 17–21, 2011), pp. 41–50
66.
H. Krawczyk, H. Wee, The OPTLS protocol and TLS 1.3, in IEEE European Symposium on Security and Privacy, EuroS&P 2016, Saarbrücken, Germany (March 21–24, 2016), pp. 81–96
67.
G. Locke, P. Gallagher, FIPS PUB 186-3: Digital Signature Standard (DSS), Federal Information Processing Standards Publication (2009)
68.
69.
R. Lychev, S. Jero, A. Boldyreva, C. Nita-Rotaru, How secure and quick is QUIC? Provable security and performance analyses, in IEEE Symposium on Security and Privacy (2015), pp. 214–231
70.
R. Lychev, S. Jero, A. Boldyreva, C. Nita-Rotaru, How secure and quick is QUIC? Provable security and performance analyses, Cryptology ePrint Archive, Report 2015/582 (2015). http://eprint.iacr.org/
71.
B.A. LaMacchia, K. Lauter, A. Mityagin, Stronger security of authenticated key exchange, in ProvSec, volume 4784 of LNCS, ed. by W. Susilo, J.K. Liu, Y. Mu (Springer, 2007), pp. 1–16
72.
Y. Li, S. Schäge, Z. Yang, F. Kohlar, J. Schwenk, On the security of the pre-shared key ciphersuites of TLS, in PKC 2014: 17th International Workshop on Theory and Practice in Public Key Cryptography, volume 8383 of Lecture Notes in Computer Science, Buenos Aires, Argentina, ed. by H. Krawczyk (Springer, Berlin, Germany, March 26–28, 2014), pp. 669–684
73.
B. Möller, T. Duong, K. Kotowicz, This POODLE bites: exploiting the SSL 3.0 fallback, PDF online (2014)
74.
J.C. Mitchell, Finite-state analysis of security protocols, in CAV, volume 1427 of LNCS, ed. by A.J. Hu, M.Y. Vardi (Springer, 1998), pp. 71–76
75.
P. Morrissey, N.P. Smart, B. Warinschi, A modular security analysis of the TLS handshake protocol, in Advances in Cryptology—ASIACRYPT 2008, volume 5350 of Lecture Notes in Computer Science, Melbourne, Australia, ed. by J. Pieprzyk (Springer, Berlin, Germany, December 7–11, 2008), pp. 55–73
76.
P. Morrissey, N.P. Smart, B. Warinschi, The TLS handshake protocol: a modular analysis, J. Cryptol., 23(2):187–223, April 2010
77.
U. Maurer, B. Tackmann, On the soundness of authenticate-then-encrypt: formalizing the malleability of symmetric encryption, in ACM CCS 10: 17th Conference on Computer and Communications Security, Chicago, Illinois, USA, ed. by E. Al-Shaer, A.D. Keromytis, V. Shmatikov (ACM Press, October 4–8, 2010), pp. 505–515
78.
N. Mavrogiannopoulos, F. Vercauteren, V. Velichkov, B. Preneel, A cross-protocol attack on the TLS protocol, in ACM CCS 12: 19th Conference on Computer and Communications Security, Raleigh, NC, USA, ed. by T. Yu, G. Danezis, V.D. Gligor (ACM Press, October 16–18, 2012), pp. 62–72
79.
K. Ogata, K. Futatsugi, Equational approach to formal analysis of TLS, in ICDCS (IEEE Computer Society, 2005), pp. 795–804
80.
L.C. Paulson, Inductive analysis of the Internet protocol TLS, ACM Trans. Inf. Syst. Secur., 2(3):332–351, 1999
81.
K.G. Paterson, T. Ristenpart, T. Shrimpton, Tag size does matter: attacks and proofs for the TLS record protocol, in Advances in Cryptology—ASIACRYPT 2011, volume 7073 of Lecture Notes in Computer Science, Seoul, South Korea, ed. by D.H. Lee, X. Wang (Springer, Berlin, Germany, December 4–8, 2011), pp. 372–389
82.
D. Pointcheval, S. Vaudenay, On provable security for digital signature algorithms, Technical report, Ecole Normale Supérieure (1996)
84.
R. Rivest, The MD5 Message-Digest Algorithm, RFC 1321 (Informational) (April 1992)
85.
Q. Sun, D.R. Simon, Y.-M. Wang, W. Russell, V.N. Padmanabhan, L. Qiu, Statistical identification of encrypted web browsing traffic, in IEEE Symposium on Security and Privacy (2002), pp. 19–30
86.
J.M. Schanck, W. Whyte, Z. Zhang, Circuit-extension handshakes for Tor achieving forward secrecy in a quantum world, Proc. Priv. Enhancing Technol., 4:219–236, 2016
87.
S. Vaudenay, The security of DSA and ECDSA, in Public Key Cryptography—PKC 2003, 6th International Workshop on Theory and Practice in Public Key Cryptography, volume 2567 of LNCS (2003), pp. 309–323
88.
C.V. Wright, L. Ballard, S.E. Coull, F. Monrose, G.M. Masson, Spot me if you can: uncovering spoken phrases in encrypted VoIP conversations, in IEEE Symposium on Security and Privacy (IEEE Computer Society, 2008), pp. 35–49
89.
D. Wagner, B. Schneier, Analysis of the SSL 3.0 protocol, in Proceedings of the Second USENIX Workshop on Electronic Commerce (USENIX Association, 1996), pp. 29–40
Metadata
Title
Authenticated Confidential Channel Establishment and the Security of TLS-DHE
Authors
Tibor Jager
Florian Kohlar
Sven Schäge
Jörg Schwenk
Publication date
18.01.2017
Publisher
Springer US
Published in
Journal of Cryptology / Issue 4/2017
Print ISSN: 0933-2790
Electronic ISSN: 1432-1378
DOI
https://doi.org/10.1007/s00145-016-9248-2
