Open access
Date
2021-07-30
Type
- Journal Article
Abstract
We analyze the handshake protocol of the Transport Layer Security (TLS) protocol, version 1.3. We address both the full TLS 1.3 handshake (the one round-trip time mode, with signatures for authentication and (elliptic curve) Diffie–Hellman ephemeral ((EC)DHE) key exchange), and the abbreviated resumption/“PSK” mode which uses a pre-shared key for authentication (with optional (EC)DHE key exchange and zero round-trip time key establishment). Our analysis in the reductionist security framework uses a multi-stage key exchange security model, where each of the many session keys derived in a single TLS 1.3 handshake is tagged with various properties (such as unauthenticated versus unilaterally authenticated versus mutually authenticated, whether it is intended to provide forward security, how it is used in the protocol, and whether the key is protected against replay attacks). We show that these TLS 1.3 handshake protocol modes establish session keys with their desired security properties under standard cryptographic assumptions.
Permanent link
https://doi.org/10.3929/ethz-b-000438744
Publication status
published
External links
Journal / series
Journal of Cryptology
Volume
Pages / Article No.
Publisher
Springer
Subject
Authenticated key exchange; Transport Layer Security (TLS); Handshake protocol
Organisational unit
09653 - Paterson, Kenneth / Paterson, Kenneth