Abstract
We study the security of the widely deployed Secure Session Layer/Transport Layer Security (TLS) key agreement protocol. Our analysis identifies, justifies, and exploits the modularity present in the design of the protocol: the application keys offered to higher-level applications are obtained from a master key, which in turn is derived, through interaction, from a pre-master key.

Our first contribution consists of formal models that clarify the security level enjoyed by each of these types of keys. The models we provide fall under well-established paradigms for defining execution and security notions. We capture the realistic setting where only one of the two parties involved in the execution of the protocol (namely the server) has a certified public key, and where the same master key is used to generate multiple application keys.

The main contribution of the paper is a modular and generic proof of security for the application keys established through the TLS protocol. We show that the transformation used by TLS to derive master keys essentially turns an arbitrary secure pre-master key agreement protocol into a secure master-key agreement protocol. Similarly, the transformation used to derive application keys works when applied to an arbitrary secure master-key agreement protocol. These results are in the random oracle model. The security of the overall protocol then follows from proofs of security for the basic pre-master key generation protocols employed by TLS.
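The two transformations the abstract refers to, shown as an added example that is not part of the paper: the TLS 1.2 PRF of RFC 5246 (an HMAC-SHA-256 construction; choosing TLS 1.2 is an assumption, since the paper predates the final RFC) first derives a 48-byte master secret from the pre-master secret and the two handshake nonces, and then expands that master secret into the per-direction application keys. The pre-master secret and nonces below are constructed stand-ins, not captured handshake values. How the pre-master secret itself is agreed (RSA key transport under the server's certified key, or Diffie-Hellman) is deliberately left out, because that is the layer the paper's modular proof treats as an arbitrary secure component that the derivation wraps.

```python
import hmac

# --- TLS 1.2 PRF (RFC 5246, section 5) -------------------------------------
# P_hash(secret, seed) = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
# with A(0) = seed and A(i) = HMAC(secret, A(i-1)).  Output is truncated to `length`.
def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    out = b""
    a = seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()              # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()    # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


# --- Layer 1: pre-master key -> master key ----------------------------------
def derive_master_secret(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


# --- Layer 2: master key -> application (record-layer) keys -----------------
def derive_key_block(master_secret: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    # key_block = PRF(master_secret, "key expansion", ServerHello.random + ClientHello.random)
    # Note the nonce order is reversed relative to the master-secret derivation.
    return prf(master_secret, b"key expansion", server_random + client_random, length)


def split_key_block(key_block: bytes, mac_len: int, key_len: int, iv_len: int) -> dict:
    """Partition the key block in the order fixed by RFC 5246, section 6.3."""
    names = ["client_write_mac_key", "server_write_mac_key",
             "client_write_key", "server_write_key",
             "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    if len(key_block) < sum(sizes):
        raise ValueError("key block too short for the requested key material")
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = key_block[pos:pos + size]
        pos += size
    return keys


def derive_application_keys(pre_master_secret: bytes, client_random: bytes, server_random: bytes,
                            mac_len: int = 20, key_len: int = 16, iv_len: int = 16):
    """Run both layers; default sizes correspond to an AES-128-CBC / HMAC-SHA1 cipher suite."""
    master = derive_master_secret(pre_master_secret, client_random, server_random)
    block = derive_key_block(master, client_random, server_random, 2 * (mac_len + key_len + iv_len))
    return master, split_key_block(block, mac_len, key_len, iv_len)


# Constructed sample inputs (not from any real handshake).  In RSA key transport the
# pre-master secret is the client-chosen 48 bytes "version || 46 random bytes", sent
# encrypted under the server's certified public key; that step is out of scope here.
CLIENT_RANDOM = bytes(range(0, 32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER_SECRET = b"\x03\x03" + bytes(range(100, 146))

if __name__ == "__main__":
    master, keys = derive_application_keys(PRE_MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    print("master secret:", master.hex())
    for name, value in keys.items():
        print(f"{name:22s} {value.hex()}")
```

Each layer uses the previous layer's output only as the PRF key for the next, which is the structural property the paper's proof relies on: nothing downstream ever sees the pre-master secret or the master secret directly, so the analysis of "pre-master agreement to master key" and "master key to application keys" can be carried out separately and composed.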
| Field | Value |
|---|---|
| Translated title of the contribution | A Modular Security Analysis of the TLS Handshake Protocol |
| Original language | English |
| Title of host publication | Advances in Cryptology - Asiacrypt 2008 |
| Publisher | Springer Berlin Heidelberg |
| Pages | 55-73 |
| Volume | 5350 |
| Publication status | Published - 2008 |
Bibliographical note
Other page information: 55-73
Conference Proceedings/Title of Journal: Advances in Cryptology - AsiaCrypt 2008
Other identifier: 2000943