On the security of TLS renegotiation

Giesen, Florian, Kohlar, Florian, & Stebila, Douglas (2013) On the security of TLS renegotiation. In Gligor, V. & Yung, M. (Eds.) Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS 2013), ACM, Berlin Congress Centre, Berlin.

Proceedings version (PDF 475kB): Published Version.
Full version (PDF 705kB): Supplemental Material.


The Transport Layer Security (TLS) protocol is the most widely used security protocol on the Internet. It supports negotiation of a wide variety of cryptographic primitives through different cipher suites, various modes of client authentication, and additional features such as renegotiation. Despite its widespread use, only recently has the full TLS protocol been proven secure, and only the core cryptographic protocol with no additional features. These additional features have been the cause of several practical attacks on TLS. In 2009, Ray and Dispensa demonstrated how TLS renegotiation allows an attacker to splice together its own session with that of a victim, resulting in a man-in-the-middle attack on TLS-reliant applications such as HTTP. TLS was subsequently patched with two defence mechanisms for protection against this attack.

We present the first formal treatment of renegotiation in secure channel establishment protocols. We add optional renegotiation to the authenticated and confidential channel establishment model of Jager et al., an adaptation of the Bellare-Rogaway authenticated key exchange model. We describe the attack of Ray and Dispensa on TLS within our model. We show generically that the proposed fixes for TLS offer good protection against renegotiation attacks, and give a simple new countermeasure that provides renegotiation security for TLS even in the face of stronger adversaries.

Impact and interest:

14 citations in Scopus


Full-text downloads:

155 since deposited on 25 Aug 2013
22 in the past twelve months


ID Code: 62025
Item Type: Conference Paper
Refereed: Yes
Keywords: Transport Layer Security (TLS), renegotiation, security models, key exchange
DOI: 10.1145/2508859.2516694
Subjects: Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > DATA FORMAT (080400) > Data Encryption (080402)
Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > DISTRIBUTED COMPUTING (080500) > Web Technologies (excl. Web Search) (080505)
Divisions: Current > Schools > School of Electrical Engineering & Computer Science
Current > Institutes > Institute for Future Environments
Current > QUT Faculties and Divisions > Science & Engineering Faculty
Copyright Owner: Copyright ACM, 2013.
Copyright Statement: This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS 2013) http://dx.doi.org/10.1145/2508859.2516694.
Deposited On: 25 Aug 2013 23:09
Last Modified: 10 Oct 2016 11:27
