Key-Schedule Security for the TLS 1.3 Standard

Chris Brzuska; Antoine Delignat-Lavaud; Christoph Egger; Cédric Fournet; Konrad Kohbrok; Markulf Kohlweiss

doi:10.1007/978-3-031-22963-3_21

Key-Schedule Security for the TLS 1.3 Standard

Chris Brzuska^*, Antoine Delignat-Lavaud, Christoph Egger, Cédric Fournet, Konrad Kohbrok, Markulf Kohlweiss

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Scientific › peer-review

Abstract

Transport Layer Security (TLS) is the cryptographic backbone of secure communication on the Internet. In its latest version 1.3, the standardization process has taken formal analysis into account both due to the importance of the protocol and the experience with conceptual attacks against previous versions. To manage the complexity of TLS (the specification exceeds 100 pages), prior reduction-based analyses have focused on some protocol features and omitted others, e.g., included session resumption and omitted agile algorithms or vice versa. This article is a major step towards analysing the TLS 1.3 key establishment protocol as specified at the end of its rigorous standardization process. Namely, we provide a full proof of the TLS key schedule, a core protocol component which produces output keys and internal keys of the key exchange protocol. In particular, our model supports all key derivations featured in the standard, including its negotiated modes and algorithms that combine an optional Diffie-Hellman exchange for forward secrecy with optional pre-shared keys supplied by the application or recursively established in prior sessions. Technically, we rely on state-separating proofs (Asiacrypt ’18) and introduce techniques to model large and complex derivation graphs. Our key schedule analysis techniques have been used subsequently to analyse the key schedule of Draft 11 of the MLS protocol (S &P ’22) and to propose improvements.

Original language	English
Title of host publication	Advances in Cryptology – ASIACRYPT 2022 - 28th International Conference on the Theory and Application of Cryptology and Information Security, 2022, Proceedings
Editors	Shweta Agrawal, Dongdai Lin
Publisher	Springer
Pages	621-650
Number of pages	30
ISBN (Print)	978-3-031-22962-6
DOIs	https://doi.org/10.1007/978-3-031-22963-3_21
Publication status	Published - 2022
MoE publication type	A4 Conference publication
Event	International Conference on the Theory and Application of Cryptology and Information Security - Taipei, Taiwan, Republic of China Duration: 5 Dec 2022 → 9 Dec 2022 Conference number: 28

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13791 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	International Conference on the Theory and Application of Cryptology and Information Security
Abbreviated title	ASIACRYPT
Country/Territory	Taiwan, Republic of China
City	Taipei
Period	05/12/2022 → 09/12/2022

Keywords

Key schedule
Protocol analysis
State-separating proofs
TLS 1.3

Access to Document

10.1007/978-3-031-22963-3_21

https://eprint.iacr.org/2021/467

OpenUrl availability

Full text

Cite this

Brzuska, C., Delignat-Lavaud, A., Egger, C., Fournet, C., Kohbrok, K., & Kohlweiss, M. (2022). Key-Schedule Security for the TLS 1.3 Standard. In S. Agrawal, & D. Lin (Eds.), Advances in Cryptology – ASIACRYPT 2022 - 28th International Conference on the Theory and Application of Cryptology and Information Security, 2022, Proceedings (pp. 621-650). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13791 LNCS). Springer. https://doi.org/10.1007/978-3-031-22963-3_21

Brzuska, Chris ; Delignat-Lavaud, Antoine ; Egger, Christoph et al. / Key-Schedule Security for the TLS 1.3 Standard. Advances in Cryptology – ASIACRYPT 2022 - 28th International Conference on the Theory and Application of Cryptology and Information Security, 2022, Proceedings. editor / Shweta Agrawal ; Dongdai Lin. Springer, 2022. pp. 621-650 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{fce4ddb2d9dc4b78897072e52bae0d96,

title = "Key-Schedule Security for the TLS 1.3 Standard",

abstract = "Transport Layer Security (TLS) is the cryptographic backbone of secure communication on the Internet. In its latest version 1.3, the standardization process has taken formal analysis into account both due to the importance of the protocol and the experience with conceptual attacks against previous versions. To manage the complexity of TLS (the specification exceeds 100 pages), prior reduction-based analyses have focused on some protocol features and omitted others, e.g., included session resumption and omitted agile algorithms or vice versa. This article is a major step towards analysing the TLS 1.3 key establishment protocol as specified at the end of its rigorous standardization process. Namely, we provide a full proof of the TLS key schedule, a core protocol component which produces output keys and internal keys of the key exchange protocol. In particular, our model supports all key derivations featured in the standard, including its negotiated modes and algorithms that combine an optional Diffie-Hellman exchange for forward secrecy with optional pre-shared keys supplied by the application or recursively established in prior sessions. Technically, we rely on state-separating proofs (Asiacrypt {\textquoteright}18) and introduce techniques to model large and complex derivation graphs. Our key schedule analysis techniques have been used subsequently to analyse the key schedule of Draft 11 of the MLS protocol (S &P {\textquoteright}22) and to propose improvements.",

keywords = "Key schedule, Protocol analysis, State-separating proofs, TLS 1.3",

author = "Chris Brzuska and Antoine Delignat-Lavaud and Christoph Egger and C{\'e}dric Fournet and Konrad Kohbrok and Markulf Kohlweiss",

note = "Publisher Copyright: {\textcopyright} 2022, International Association for Cryptologic Research.; International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT ; Conference date: 05-12-2022 Through 09-12-2022",

year = "2022",

doi = "10.1007/978-3-031-22963-3_21",

language = "English",

isbn = "978-3-031-22962-6",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "621--650",

editor = "Shweta Agrawal and Dongdai Lin",

booktitle = "Advances in Cryptology – ASIACRYPT 2022 - 28th International Conference on the Theory and Application of Cryptology and Information Security, 2022, Proceedings",

address = "Germany",

}

Brzuska, C, Delignat-Lavaud, A, Egger, C, Fournet, C, Kohbrok, K & Kohlweiss, M 2022, Key-Schedule Security for the TLS 1.3 Standard. in S Agrawal & D Lin (eds), Advances in Cryptology – ASIACRYPT 2022 - 28th International Conference on the Theory and Application of Cryptology and Information Security, 2022, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13791 LNCS, Springer, pp. 621-650, International Conference on the Theory and Application of Cryptology and Information Security, Taipei, Taiwan, Republic of China, 05/12/2022. https://doi.org/10.1007/978-3-031-22963-3_21

Key-Schedule Security for the TLS 1.3 Standard. / Brzuska, Chris; Delignat-Lavaud, Antoine; Egger, Christoph et al.
Advances in Cryptology – ASIACRYPT 2022 - 28th International Conference on the Theory and Application of Cryptology and Information Security, 2022, Proceedings. ed. / Shweta Agrawal; Dongdai Lin. Springer, 2022. p. 621-650 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13791 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Key-Schedule Security for the TLS 1.3 Standard

AU - Brzuska, Chris

AU - Delignat-Lavaud, Antoine

AU - Egger, Christoph

AU - Fournet, Cédric

AU - Kohbrok, Konrad

AU - Kohlweiss, Markulf

N1 - Conference code: 28

PY - 2022

Y1 - 2022

N2 - Transport Layer Security (TLS) is the cryptographic backbone of secure communication on the Internet. In its latest version 1.3, the standardization process has taken formal analysis into account both due to the importance of the protocol and the experience with conceptual attacks against previous versions. To manage the complexity of TLS (the specification exceeds 100 pages), prior reduction-based analyses have focused on some protocol features and omitted others, e.g., included session resumption and omitted agile algorithms or vice versa. This article is a major step towards analysing the TLS 1.3 key establishment protocol as specified at the end of its rigorous standardization process. Namely, we provide a full proof of the TLS key schedule, a core protocol component which produces output keys and internal keys of the key exchange protocol. In particular, our model supports all key derivations featured in the standard, including its negotiated modes and algorithms that combine an optional Diffie-Hellman exchange for forward secrecy with optional pre-shared keys supplied by the application or recursively established in prior sessions. Technically, we rely on state-separating proofs (Asiacrypt ’18) and introduce techniques to model large and complex derivation graphs. Our key schedule analysis techniques have been used subsequently to analyse the key schedule of Draft 11 of the MLS protocol (S &P ’22) and to propose improvements.

AB - Transport Layer Security (TLS) is the cryptographic backbone of secure communication on the Internet. In its latest version 1.3, the standardization process has taken formal analysis into account both due to the importance of the protocol and the experience with conceptual attacks against previous versions. To manage the complexity of TLS (the specification exceeds 100 pages), prior reduction-based analyses have focused on some protocol features and omitted others, e.g., included session resumption and omitted agile algorithms or vice versa. This article is a major step towards analysing the TLS 1.3 key establishment protocol as specified at the end of its rigorous standardization process. Namely, we provide a full proof of the TLS key schedule, a core protocol component which produces output keys and internal keys of the key exchange protocol. In particular, our model supports all key derivations featured in the standard, including its negotiated modes and algorithms that combine an optional Diffie-Hellman exchange for forward secrecy with optional pre-shared keys supplied by the application or recursively established in prior sessions. Technically, we rely on state-separating proofs (Asiacrypt ’18) and introduce techniques to model large and complex derivation graphs. Our key schedule analysis techniques have been used subsequently to analyse the key schedule of Draft 11 of the MLS protocol (S &P ’22) and to propose improvements.

KW - Key schedule

KW - Protocol analysis

KW - State-separating proofs

KW - TLS 1.3

UR - http://www.scopus.com/inward/record.url?scp=85149649639&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-22963-3_21

DO - 10.1007/978-3-031-22963-3_21

M3 - Conference contribution

AN - SCOPUS:85149649639

SN - 978-3-031-22962-6

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 621

EP - 650

BT - Advances in Cryptology – ASIACRYPT 2022 - 28th International Conference on the Theory and Application of Cryptology and Information Security, 2022, Proceedings

A2 - Agrawal, Shweta

A2 - Lin, Dongdai

PB - Springer

T2 - International Conference on the Theory and Application of Cryptology and Information Security

Y2 - 5 December 2022 through 9 December 2022

ER -

Brzuska C, Delignat-Lavaud A, Egger C, Fournet C, Kohbrok K, Kohlweiss M. Key-Schedule Security for the TLS 1.3 Standard. In Agrawal S, Lin D, editors, Advances in Cryptology – ASIACRYPT 2022 - 28th International Conference on the Theory and Application of Cryptology and Information Security, 2022, Proceedings. Springer. 2022. p. 621-650. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-22963-3_21