A cryptographic analysis of the TLS 1.3 handshake protocol candidates

Dowling, Benjamin, Fischlin, Marc, Günther, Felix, & Stebila, Douglas (2015) A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, ACM, The Denver Marriott City Center, Denver, Colorado, pp. 1197-1210.

The Internet Engineering Task Force (IETF) is currently developing the next version of the Transport Layer Security (TLS) protocol, version 1.3. The transparency of this standardization process allows comprehensive cryptographic analysis of the protocols prior to adoption, whereas previous TLS versions have been scrutinized in the cryptographic literature only after standardization. This is even more important as there are two related, yet slightly different, candidates in discussion for TLS 1.3, called draft-ietf-tls-tls13-05 and draft-ietf-tls-tls13-dh-based.

We give a cryptographic analysis of the primary ephemeral Diffie–Hellman-based handshake protocol, which authenticates parties and establishes encryption keys, of both TLS 1.3 candidates. We show that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare–Rogaway model. Such a multi-stage approach is convenient for analyzing the design of the candidates, as they establish multiple session keys during the exchange.

An important step in our analysis is to consider compositional security guarantees. We show that, since our multi-stage key exchange security notion is composable with arbitrary symmetric-key protocols, the use of session keys in the record layer protocol is safe. Moreover, since we can view the abbreviated TLS resumption procedure also as a symmetric-key protocol, our compositional analysis allows us to directly conclude security of the combined handshake with session resumption.

We include a discussion on several design characteristics of the TLS 1.3 drafts based on the observations in our analysis.


ID Code: 91151
Item Type: Conference Paper
Refereed: Yes
Keywords: Transport Layer Security (TLS), key exchange, protocol analysis, composition
DOI: 10.1145/2810103.2813653
ISBN: 9781450338325
Subjects: Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > DATA FORMAT (080400) > Data Encryption (080402)
Divisions: Current > Schools > School of Electrical Engineering & Computer Science; Current > Institutes > Institute for Future Environments; Current > QUT Faculties and Divisions > Science & Engineering Faculty
Copyright Owner: Copyright is held by the owner/author(s). Publication rights licensed to ACM.
Deposited On: 10 Dec 2015 04:53
Last Modified: 12 Dec 2015 15:20
