Volume 2019 (2019): Issue 4 (October 2019)

Journal details
Format: Journal
eISSN: 2299-0984
First published: 16 Apr 2015
Publication timeframe: 4 times per year
Languages: English
Access type: Open Access

The privacy of the TLS 1.3 protocol

Published Online: 30 Jul 2019
Page range: 190 - 210
Received: 28 Feb 2019
Accepted: 16 Jun 2019
Abstract

TLS (Transport Layer Security) is a widely deployed protocol that plays a vital role in securing Internet traffic. Given the numerous known attacks against TLS 1.2, it was imperative to change and even redesign the protocol in order to address them. In August 2018, a new version of the protocol, TLS 1.3, was standardized by the IETF (Internet Engineering Task Force). TLS 1.3 not only benefits from stronger security guarantees, but also aims to protect the identities of the server and client by encrypting messages as early as possible during authentication. In this paper, we model the privacy guarantees of TLS 1.3 when parties execute a full handshake or use session resumption, covering all the handshake modes of TLS. We build our privacy models on top of the one defined by Hermans et al. for RFIDs (Radio Frequency Identification Devices), which mostly targets authentication protocols. The enhanced models share similarities with the Bellare-Rogaway AKE (Authenticated Key Exchange) security model and consider adversaries that can compromise both types of participants in the protocol. In particular, modeling session resumption is non-trivial, given that session resumption tickets are essentially a state transmitted from one session to another, and such a link reveals information about the parties. On the positive side, we prove that TLS 1.3 protects the privacy of its users at least against passive adversaries, contrary to TLS 1.2, and also against more powerful ones.

References

[1] David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella Béguelin, and Paul Zimmermann. Imperfect forward secrecy: How Diffie-Hellman fails in practice. In Proceedings of ACM CCS 2015, pages 5–17. IEEE, 2015. doi:10.1145/2810103.2813707

[2] Nadhem J. AlFardan, Daniel J. Bernstein, Kenneth G. Paterson, Bertram Poettering, and Jacob C. N. Schuldt. On the security of RC4 in TLS and WPA. In USENIX Security Symposium, 2013.

[3] Nadhem J. AlFardan and Kenneth G. Paterson. Lucky thirteen: Breaking the TLS and DTLS record protocols. In IEEE Symposium on Security and Privacy (SP'13), 2013. doi:10.1109/SP.2013.42

[4] Antoine Delignat-Lavaud and Karthikeyan Bhargavan. Network-based origin confusion attacks against HTTPS virtual hosting. In Proceedings of WWW'15, pages 227–237. Springer, 2015. doi:10.1145/2736277.2741089

[5] Ghada Arfaoui, Xavier Bultel, Pierre-Alain Fouque, Adina Nedelcu, and Cristina Onete. The privacy of the TLS 1.3 protocol. Cryptology ePrint Archive, Report 2019/749, 2019. https://eprint.iacr.org/2019/749. doi:10.2478/popets-2019-0065

[6] Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, and Yuval Shavitt. DROWN: Breaking TLS using SSLv2. https://drownattack.com, 2016.

[7] Michael Backes, Aniket Kate, Praveen Manoharan, Sebastian Meiser, and Esfandiar Mohammadi. AnoA: A framework for analyzing anonymous communication protocols. In Proceedings of CSF. IEEE, 2013. doi:10.1109/CSF.2013.18

[8] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In CRYPTO, pages 232–249, 1993. doi:10.1007/3-540-48329-2_21

[9] Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub, and Jean Karim Zinzindohoue. A messy state of the union: Taming the composite state machines of TLS. In Proceedings of IEEE S&P 2015, pages 535–552. IEEE, 2015. doi:10.1109/SP.2015.39

[10] Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub, and Jean Karim Zinzindohoue. A messy state of the union: Taming the composite state machines of TLS. In Proceedings of IEEE S&P 2015, pages 535–552. IEEE, 2015. doi:10.1109/SP.2015.39

[11] Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Alfredo Pironti, and Pierre-Yves Strub. Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS. In Proceedings of IEEE S&P 2014, pages 98–113. IEEE, 2014. doi:10.1109/SP.2014.14

[12] Karthikeyan Bhargavan and Gaëtan Leurent. Transcript collision attacks: Breaking authentication in TLS, IKE, and SSH. In Proceedings of NDSS 2016, 2016. doi:10.14722/ndss.2016.23418

[13] Daniel Bleichenbacher. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In Proceedings of CRYPTO'98, volume 1462 of LNCS, pages 1–12, 1998. doi:10.1007/BFb0055716

[14] Tim Dierks and Eric Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246, August 2008. doi:10.17487/rfc5246

[15] Benjamin Dowling, Marc Fischlin, Felix Günther, and Douglas Stebila. A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In ACM CCS, pages 1197–1210, 2015. doi:10.1145/2810103.2813653

[16] Nir Drucker and Shay Gueron. Selfie: Reflections on TLS 1.3 with PSK. Cryptology ePrint Archive, Report 2019/347, 2019. https://eprint.iacr.org/2019/347.

[17] EU. General Data Protection Regulation (GDPR).

[18] EU. Regulation on Privacy and Electronic Communications.

[19] Marc Fischlin and Felix Günther. Multi-stage key exchange and the case of Google's QUIC protocol. In ACM CCS, pages 1193–1204, 2014. doi:10.1145/2660267.2660308

[20] Pierre-Alain Fouque, Cristina Onete, and Benjamin Richard. Achieving better privacy for the 3GPP AKA protocol. In Proceedings of PETS (PoPETs), volume 4, 2016. doi:10.1515/popets-2016-0039

[21] Christina Garman, Kenneth G. Paterson, and Thyla Van der Merwe. Attacks only get better: Password recovery attacks against RC4 in TLS. In Proceedings of USENIX Security 2015, pages 113–128. USENIX Association, 2015.

[22] Alejandro Hevia and Daniele Micciancio. An indistinguishability-based characterization of anonymous channels. In Proceedings of PETS, volume 5134 of LNCS, pages 24–43. Springer, 2008. doi:10.1007/978-3-540-70630-4_3

[23] Jens Hermans, Andreas Pashalidis, Frederik Vercauteren, and Bart Preneel. A new RFID privacy model. In Computer Security – ESORICS 2011, 16th European Symposium on Research in Computer Security, Leuven, Belgium, September 12–14, 2011, Proceedings, 2011. doi:10.1007/978-3-642-23822-2_31

[24] Markulf Kohlweiss, Ueli Maurer, Cristina Onete, Björn Tackmann, and Daniele Venturi. (De-)constructing TLS 1.3. In Progress in Cryptology – INDOCRYPT 2015, 16th International Conference on Cryptology in India, Bangalore, India, December 6–9, 2015, Proceedings, pages 85–102, 2015. doi:10.1007/978-3-319-26617-6_5

[25] Hugo Krawczyk. SIGMA: The 'sign-and-MAC' approach to authenticated Diffie-Hellman and its use in the IKE protocols. In Advances in Cryptology – CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, California, USA, August 17–21, 2003, Proceedings, pages 400–425, 2003. doi:10.1007/978-3-540-45146-4_24

[26] Hugo Krawczyk. Cryptographic extraction and key derivation: The HKDF scheme. In Advances in Cryptology – CRYPTO 2010, volume 6223 of LNCS. Springer, 2010. doi:10.1007/978-3-642-14623-7_34

[27] Kenneth G. Paterson, Thomas Ristenpart, and Thomas Shrimpton. Tag size does matter: Attacks and proofs for the TLS record protocol. In Advances in Cryptology – ASIACRYPT 2011, volume 7073 of LNCS, pages 372–389. Springer-Verlag, 2011. doi:10.1007/978-3-642-25385-0_20

[28] Angelo Prado, Neal Harris, and Yoel Gluck. SSL, gone in 30 seconds: A BREACH beyond CRIME. Black Hat 2013, 2013.

[29] Eric Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, August 2018. doi:10.17487/RFC8446

[30] Juliano Rizzo and Thai Duong. The CRIME attack. Ekoparty 2012, 2012.

[31] J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks, M. Handley, and E. Schooler. SIP: Session Initiation Protocol. RFC 3261, June 2002. doi:10.17487/rfc3261

[32] Serge Vaudenay. Security flaws induced by CBC padding – applications to SSL, IPSEC, WTLS. In Proceedings of EUROCRYPT 2002, volume 2332 of LNCS, pages 534–545, 2002. doi:10.1007/3-540-46035-7_35

[33] Serge Vaudenay. On privacy models for RFID. In Advances in Cryptology – ASIACRYPT 2007, volume 4833 of LNCS, pages 68–87. Springer, 2007. doi:10.1007/978-3-540-76900-2_5

[34] Wikipedia. Global surveillance disclosures (2013–present).
