A Modular Security Analysis of the TLS Handshake Protocol

Paul Morrissey, Nigel Smart, Bogdan Warinschi

Research output: Chapter in Book/Report/Conference proceedingConference Contribution (Conference Proceeding)

39 Citations (Scopus)


We study the security of the widely deployed Secure Session Layer/Transport Layer Security (TLS) key agreement protocol. Our analysis identifies, justifies, and exploits the modularity present in the design of the protocol: the application keys offered to higher level applications are obtained from a master key, which in turn is derived, through interaction, from a pre-master key. Our first contribution consists of formal models that clarify the security level enjoyed by each of these types of keys. The models that we provide fall under well established paradigms in defining execution, and security notions. We capture the realistic setting where only one of the two parties involved in the execution of the protocol (namely the server) has a certified public key, and where the same master key is used to generate multiple application keys. The main contribution of the paper is a modular and generic proof of security for the application keys established through the TLS protocol. We show that the transformation used by TLS to derive master keys essentially transforms an arbitrary secure pre-master key agreement protocol into a secure master-key agreement protocol. Similarly, the transformation used to derive application keys works when applied to an arbitrary secure master-key agreement protocol. These results are in the random oracle model. The security of the overall protocol then follows from proofs of security for the basic pre-master key generation protocols employed by TLS.
Translated title of the contributionA Modular Security Analysis of the TLS Handshake Protocol
Original languageEnglish
Title of host publicationAdvances in Cryptology - Asiacrypt 2008
PublisherSpringer Berlin Heidelberg
Publication statusPublished - 2008

Bibliographical note

Other page information: 55-73
Conference Proceedings/Title of Journal: Advances in Cryptology - AsiaCrypt 2008
Other identifier: 2000943


Dive into the research topics of 'A Modular Security Analysis of the TLS Handshake Protocol'. Together they form a unique fingerprint.

Cite this