Tuesday afternoon began with the key exchange session where Hoeteck Wee gave the first talk "On the Security of the TLS Protocol: A Systematic Analysis" coauthored with Hugo Krawczyk and Kenny Paterson. TLS is the most important secure network protocol currently used on the Internet. The TLS protocol can be considered in two parts: the handshake protocol, responsible for key exchange and authentication, and the record layer which is responsible for the secure channel. The record layer has previously been studied by Krawczyk in 2001 and more recently by Paterson, Ristenpart and Shrimpton in 2011. In the work presented today the authors instead concentrate on the handshake protocol.
As with many deployed key-exchange protocols the handshake and record layer overlap. With the key confirmation or "finished" messages being sent over the established channel to preform the final steps of authentication. As a result the handshake protocol cannot be proved secure under standard notions of security for key-exchange like that of Bellare and Rogaway. Previous work has been performed on analysing the TLS handshake protocol; one of the first analyses was performed by Bristolians: Morrissey, Smart and Warinschi. In this work they considered a truncated version of TLS and were then able to prove this secure. The unfortunate problem with this approach is that it no longer accurately captures exactly how TLS operates in practice. More recently Jager et al. defined the notion of Authenticated and Confidential Channel Establishment (ACCE) and proved the security of one particular mode of the handshake protocol, namely TLS-DHE with mutual authentication. This configuration choice is not that commonly used in practice for TLS and leaves the security of many other more widely used versions of the handshake protocol to remain unproven.
The goal of the handshake protocol is to establish keys which will ensure data confidentiality and integrity plus additionally providing entity authentication. The key exchange protocol is either based on Diffie-Hellman or uses RSA to send an encrypted secret (from client to server) used to establish the application key. The authentication may either be server-only (more common) or mutual (where the client must additionally provide a certificate).
In Krawczyk et al.'s paper they look to prove security for all possible modes of the handshake protocol. In the talk Hoeteck provided a detailed description for the case of TLS-RSA. In summary the protocol in this case is as follows. The client will send a randomly chosen pre-master secret encrypted using PKCS#1v1.5 from which the server can derive the application key. This is then followed by the sending of the "finished" messages. By using PKCS#1v1.5 in this manner the handshake protocol would in fact be vulnerable to Bleichenbacher's attack, allowing an adversary to determine the pre-master secret and hence also the application keys used. To resist against this attack TLS performs an adhoc fix where decryption failures are suppressed (the attack relies on a ciphertext validity oracle). Since the underlying encryption scheme cannot be proved CCA secure the authors instead use the notion of constrained CCA introduced by Hofheinz and Kiltz. From this they can then prove the security of the entire handshake and TLS protocol for both the server only and mutual authentication cases. Their final security results are related to a version of the ACCE notion. In the paper they go on to prove (in a similar way) the security of TLS-DH, TLS-DHE and also TLS-CCA for CCA secure encryption schemes such as RSA-OAEP.
In their work the authors have provided a complete analysis of the core of TLS, capturing a wide class of attacks within their model. It should be noted though that they have omitted some aspects of TLS from their analysis such as ciphersuite negotiation, renegotiation and compression (CRIME attack). Heoteck finished by asking the question "Is TLS fundamentally flawed?". His answer to this was no, despite TLS violating some basic principles of how cryptography should be used and not moving to a CCA secure encryption scheme (as a reaction to Bleichenbacher's attack). The design of TLS-RSA is fragile but is shown to be provably secure, all be it accidentally.